Newag’s Impuls trains — one of Poland’s most widely deployed modern regional train families — began locking up in 2022 when sent to independent maintenance, disabled by software embedded in the onboard computers to trigger at rival repair yards.

Koleje Dolnośląskie, a regional operator in Lower Silesia, sent four Impuls electric multiple units to independent maintenance firm SPS for scheduled servicing in spring 2022. The trains would not restart after the work was completed.

SPS eventually engaged Dragon Sector, a Polish cybersecurity group, which reverse-engineered the onboard software and found GPS-triggered lockout code targeting the locations of independent repair facilities — including one that had not yet been built.

How the lockout code worked

The Impuls 45WE is a standard-gauge regional EMU running across Poland’s busiest suburban and regional corridors. Its onboard computers manage traction, braking and door systems. They also, Dragon Sector found, contained code that had no place in any maintenance manual.

The lockout conditions operated in two ways. The first combined a prolonged stop with GPS data confirming the train’s location within the boundaries of an independent repair yard.

The second was independent of location: a train would also disable itself after being stationary for more than ten days — a threshold Dragon Sector assessed as intended to flag maintenance activity, but which also triggered on trains parked in operator sheds with no servicing taking place.

The GPS coordinates embedded in the code were not generic. Dragon Sector identified at least seven targeted facilities, including the Bydgoszcz site of Pesa — a competing Polish rolling stock manufacturer. One set of coordinates pointed to an SPS facility that had not yet been constructed when the software was written.

Additional triggers locked trains if a replaced component carried a serial number not approved by Newag, or after reaching one million kilometres — the threshold at which mandatory heavy maintenance falls due under Polish regulations, and at which operators are most likely to seek competitive servicing bids.

The discovery

SPS had won the maintenance contract for eleven Impuls units belonging to Koleje Dolnośląskie after submitting a bid approximately EUR 700,000 lower than Newag’s, according to Dragon Sector’s account of the procurement.

When the first trains failed to restart after servicing in spring 2022, SPS faced contractual penalties from Koleje Dolnośląskie that Dragon Sector reported as eventually reaching 2 million zloty — approximately EUR 462,000. The trains showed no fault indication. The diagnostic systems reported nothing wrong.

An SPS engineer ran a Google search for Polish hackers. He found Dragon Sector.

Three members of the group began working through the onboard software. The process took months. What they found was not a bug or a corrupted system. It was deliberate conditional logic: rules written to produce failures under defined circumstances, with the circumstances defined by the location and identity of whoever was doing the maintenance.

Dragon Sector eventually analysed 30 trains across five operators — Koleje Dolnośląskie, Koleje Mazowieckie, SKM Warszawa, WKD and Polregio. Twenty-four carried software locks. The group developed a tool to remove them.

The scale of the unlocking operation revealed something else. Polregio, Poland’s largest regional passenger operator, disclosed it had been paying Newag approximately EUR 23,000 per train to restore functionality. The process took Newag technicians around ten minutes.

Newag’s response

Newag denied the allegations from the outset. The company said the failures were caused by SPS malpractice. It suggested Dragon Sector had inserted the lockout code itself. It stated that its trains had never contained such software. It demanded that Poland’s Internal Security Agency place under surveillance everyone who attended the conference where Dragon Sector presented its findings.

The findings were presented publicly on 5 December 2023 at the OhMyH@ck conference in Warsaw, and again at the 37th Chaos Communication Congress in Hamburg on 27 December. CERT Polska, the national cybersecurity authority, assessed Dragon Sector’s conclusions as trustworthy.

Poland’s Internal Security Agency had in fact submitted a case to the prosecutor’s office in Nowy Sącz — Newag’s home city — as early as October 2022. The office initially downplayed the matter.

After the public disclosure, the investigation was transferred to the regional prosecutor in Kraków, where it proceeds under articles of the Polish Penal Code covering computer sabotage and fraud.

The Polish parliament convened three committee hearings between January and March 2024. Newag representatives attended but did not explain how the lockout code came to be present in trains across five operators and multiple production batches.

Newag filed civil suits in two courts. In Warsaw, it is seeking PLN 6,453,000 — approximately EUR 1.5 million — for copyright infringement and unlawful competition. In Gdańsk, it is seeking PLN 5,100,000 — approximately EUR 1.2 million — for unlawful competition and infringement of personal rights.

The first hearing at the District Court of Warsaw was held on 28 August 2024. At that hearing, Newag conceded that Dragon Sector had not modified the software on the trains. The lawsuit continues on the basis of unauthorised access and analysis.

What the case means for rail maintenance

The Newag case is not the first time a manufacturer has used software to restrict independent repair. In the United States, agricultural equipment maker John Deere has deployed similar mechanisms under digital copyright law to prevent farmers from servicing their own machinery.

The Volkswagen emissions scandal involved software written to produce different outputs under test conditions than under normal operation — manipulation embedded in systems that regulators had no routine means of inspecting.

What distinguishes the Newag case in a rail context is the direct operational consequence. Trains did not pass or fail an emissions test differently. They stopped running. Passengers were stranded. Operators faced penalties for failures they could not diagnose and had not caused.

The European rail maintenance market operates on the assumption that operators can use competitive servicing providers. Framework contracts, public procurement rules and rolling stock lease structures are built around that assumption.

Software that disables a train when it enters a rival’s facility works against the market structure that procurement law is designed to protect. The Polish antitrust authority opened its own investigation alongside the criminal proceedings.

No verdict has been issued in the civil case as of May 2026.

Newag today

The legal proceedings have not disrupted Newag’s commercial position. In May 2024, PKP Intercity awarded the manufacturer a contract worth PLN 3.36 billion — approximately EUR 800 million — for 35 hybrid dual-mode multiple units, the largest single order in the company’s history.

In January 2026, Newag and Siemens Mobility signed a memorandum of understanding to cooperate on high-speed rolling stock for the Polish market. The MoU followed PKP Intercity’s launch of a tender for up to 55 trains capable of operating at 320 km/h.

Newag and Siemens have worked together for fifteen years, beginning with the Warsaw Metro Inspiro contract in 2011. Newag does not currently manufacture high-speed trains. The civil case remains before the Warsaw court.