Today, on what marks the 58th day of protests against the new Georgian government, an interesting turn of events caused Tblisi’s bus system to suspend fares.
According to city officials, the transit system sustained a suspected cyberattack. Audio recordings were unexpectedly played from payment machines on public buses and vans.
The recordings played the national anthems of Georgia and the EU. Spliced in were clips from former Parliament Speaker, Zviad Gamsakhurdia’s 1991 independence speech, as well as late Georgian Prime Minister, Zurab Zhvania’s famous 1999 quote, “I am Georgian and therefore I am European.”
Also included were recordings of statements by Georgian Dream founder, Bidzina Ivanishvili, which contained a campaign pledge to apologize to South Ossetians for the 2008 war, as well as a controversial 2022 speech by now-President Mikheil Kavelashvili, where tells detractors that their “mothers can get fucked”.
The recording ends with English chants of, “Glory to Georgia! Glory to Ukraine!”, and “Fuck Russia!”
Georgia is currently grappling with political unrest as tensions between pro-European and pro-Russian forces shape its future. Recent protests in Tbilisi have demonstrated frustration with the ruling Georgian Dream party, accused of aligning too closely with Moscow and stalling the country’s European Union aspirations.
“Tbilisi City Hall has begun an investigation into a suspected cyberattack on the public transport system this morning. Ticket machines played the EU anthem as well as anti-Georgian Dream and pro-EU slogans before being briefly shut down,” says OC Media
“Since public transport payment devices play protest audio recordings uninterruptedly, Tbilisi City Hall states the devices will be disconnected and transportation will in the meantime be free. Traffic disruption would be better but not paying into the regime budget is good too.”–Marika Mikiashvili of Georgia’s დროა! (Droa) party via Twitter
Tblisi’s City Hall attributed the issue to a fault in the payment devices, managed by Bank of Georgia contractors, MS+ and Azri.
The system was restored by early afternoon. Tbilisi Mayor, Kakha Kaladze, called for an investigation into a root cause. The Interior Ministry initiated an investigation under Georgia’s cybercrimes code.
The responsible party for the recordings remains unidentified. To be honest, that’s a little surprising, as hacktivism events like this tend to have groups scrambling to take responsibility.

It’s notable that there have been at least five relatively serious data breaches claimed against Georgian entities since the beginning of December. Initial access could have been achieved through these means.
If attackers obtained credentials or infrastructure details during these breaches, they could potentially infiltrate the system by exploiting shared networks or poorly segmented infrastructure. However, municipal networks typically separate critical systems like transit to minimize the risk of cross-exploitation, making this a less straightforward possibility.

The more likely scenario involves localized attacks targeting the transit payment machines, directly. They usually run on embedded systems, which can be more vulnerable to physical tampering or remote exploitation through Wi-Fi or network endpoints.
If the devices were outdated, unpatched, or used default credentials, attackers may have had an easier time injecting audio files.