Suspected Listening Devices Found in Slovak Arts Fund Offices: What Organisations Should Do Next
Employees at Slovakia’s Arts Support Fund reportedly discovered suspected listening devices in several offices, prompting police and prosecutorial involvement.
According to local reporting, one object was initially found while an employee was dealing with a computer problem. Similar devices were then reportedly discovered elsewhere on the premises. The objects and associated recordings were said to have been handed to the police, while the Bratislava I District Prosecutor’s Office confirmed that an investigator had been assigned to the matter.
Claims have been made about who may have been responsible and why the equipment was allegedly installed. Those allegations remain disputed and have not been established through a concluded investigation.
For organisations, the wider lesson is clear: discovering a suspected surveillance device is not simply an IT or facilities issue. The initial response may determine whether evidence is preserved, whether additional devices are identified and whether the organisation can establish the possible extent of the compromise.
What has been reported in Slovakia?
The reported devices were found at the Arts Support Fund, a Slovak public institution supporting artistic activity, culture and the creative industries.
Employees reportedly believed that the equipment may have been capable of recording private conversations. The matter was referred to the authorities and remained at a preliminary investigative stage at the time of publication.
Until the equipment has been examined properly, it is important to distinguish between:
- An object believed to be a listening device;
- A confirmed recording or transmitting device;
- A device shown to have been operational;
- Evidence identifying who installed it;
- Evidence establishing motive.
The appearance and location of an object may raise serious concerns, but they do not answer every technical or evidential question.
What should an organisation do immediately?
The instinctive reaction may be to remove the object, switch it off or dismantle it. That can damage or destroy evidence.
A suspected surveillance device may contain:
- Fingerprints or other trace material;
- Stored recordings;
- A memory card;
- Subscriber or network information;
- Serial numbers;
- Evidence of its power source;
- Information about when it was installed;
- Connections to other equipment.
Unless there is an immediate safety risk, the object should remain in place until advice has been obtained from law enforcement and a suitably qualified technical-security specialist.
The organisation should then:
- Restrict access to the affected room.
- Record the date, time and circumstances of the discovery.
- Photograph the object in position without handling it.
- Preserve access-control, visitor and contractor records.
- Secure relevant CCTV footage before it is overwritten.
- Avoid cleaning, moving furniture or disturbing nearby equipment.
- Stop sensitive conversations in the affected area.
- Notify a small, need-to-know internal response team.
- Contact the appropriate law-enforcement authority.
- Seek advice from a professional TSCM provider.
The response should be managed discreetly. Broad internal discussion may alert whoever installed the device, particularly where an insider threat is possible.
Do not discuss the discovery in the affected area
Finding one suspected device does not establish that it is the only one present.
Additional risks may include:
- Other recording devices in the same room;
- Equipment in adjoining offices;
- Compromised meeting rooms;
- Modified telephones or conferencing systems;
- Hidden cameras;
- Devices using local storage rather than live transmission;
- Hard-wired equipment connected to the building;
- Network-connected devices carrying audio or data.
Sensitive conversations about the response should therefore take place in a separate, assessed location.
Potentially compromised office telephones, video-conferencing systems and local communications equipment should not be used to coordinate the investigation until the risk has been considered.
Why one discovered device may indicate a wider compromise
A visible device may represent only one part of the surveillance activity.
Some equipment transmits continuously. Other devices record locally, communicate intermittently or remain inactive until triggered. A basic radio-frequency scan may therefore fail to identify every threat.
A wider examination may need to consider:
- The affected office;
- Adjacent rooms;
- Meeting and boardrooms;
- Furniture and fixtures;
- Power outlets and adapters;
- Telephones and conferencing equipment;
- Ceiling and service spaces;
- Network and telecommunications infrastructure;
- Relevant vehicles, where the threat may extend beyond the premises.
The scope should be based on the organisation’s risk profile, the location of the discovery and the information that may have been exposed.
For a fuller explanation of the technical process, read What Is a Bug Sweep (TSCM)? Your Essential Guide to Counter-Surveillance and Protecting Privacy.
Preserve access and digital records
A covert device normally requires physical access, technical access or both.
Potentially relevant records may include:
- Employee access-card logs;
- Visitor and contractor records;
- Cleaning and maintenance schedules;
- Key-control information;
- CCTV recordings;
- IT-support visits;
- Furniture installation records;
- Building or electrical work;
- Dates when the office was unoccupied;
- Records of lost or duplicated keys.
Digital material may also be relevant, including:
- Wi-Fi and network logs;
- Telephone-system records;
- Unfamiliar devices identified on internal networks;
- Bluetooth connection histories;
- Relevant email or messaging communications;
- Evidence that confidential information became known unexpectedly.
Records should be preserved before routine deletion or overwriting occurs.
Unplanned system resets, network changes or internal searches may remove useful evidence. Digital preservation should therefore be coordinated with legal, security and technical advisers.
What does a professional TSCM examination involve?
Technical Surveillance Countermeasures, commonly called a bug sweep, involves more than walking through a room with a consumer detector.
A proportionate examination may combine several methods.
Physical inspection
Furniture, fixtures, sockets, telephones, conferencing systems, cabling and ordinary-looking objects may be examined for signs of alteration or concealed equipment.
Radio-frequency analysis
The surrounding radio environment may be assessed to identify and analyse unusual transmissions.
Legitimate offices contain many normal signals, so detection requires informed interpretation rather than simply identifying radio activity.
Electronic-device detection
Specialist equipment may assist in locating electronic components, including some devices that are switched off or not transmitting.
Any findings must be assessed in context because legitimate electronic components may produce similar responses.
Infrastructure examination
Telephone, network, electrical and building systems may be inspected for unauthorised connections, modified components or evidence of tampering.
A credible examination should conclude with documented findings, identified limitations and proportionate recommendations. It should not offer an unsupported guarantee that a room is permanently secure.
Learn more about Conflict International’s Counter-Surveillance and Bug Sweep Services.
Coordinate with law enforcement
Where criminal surveillance is suspected, law enforcement should normally be contacted promptly.
The authorities may be able to:
- Secure the device and maintain evidential continuity;
- Arrange forensic examination;
- Obtain records through statutory powers;
- Interview relevant individuals;
- Examine access, opportunity and motive;
- Connect the discovery with other reported offences.
A private TSCM examination does not replace a police investigation.
Where the authorities are already involved, any technical examination should be coordinated with them to avoid disturbing evidence or interfering with investigative activity.
Avoid premature allegations
Discovering a suspected device does not automatically identify the installer.
Reliable attribution may require evidence relating to:
- Access to the premises;
- Ownership or purchase of the equipment;
- Fingerprints or forensic traces;
- Stored recordings;
- Network or subscriber information;
- Communications between relevant parties;
- Opportunity and motive;
- Connections with similar incidents.
Organisations should avoid publicly accusing an employee, former employee, contractor or outside party without a proper evidential basis.
Premature attribution can expose the organisation to legal and reputational risk while also compromising the investigation.
Consider what information may have been exposed
The location of the suspected device may indicate which conversations could have been vulnerable.
The organisation should establish:
- Who used the room;
- Which meetings took place there;
- What dates may be relevant;
- Whether clients or third parties attended;
- What commercial or strategic information was discussed;
- Whether privileged legal conversations occurred;
- Whether personal or employment information was discussed.
This is not an assumption that every conversation was recorded.
It is an impact-assessment exercise that helps the organisation prioritise legal, regulatory, security and communication decisions while the equipment is examined.
When should an organisation seek specialist support?
A professional TSCM examination may be appropriate where:
- A suspected device has been discovered;
- Confidential information appears to be reaching an unauthorised party;
- There has been unexplained access to sensitive rooms;
- An insider threat is suspected;
- Important negotiations, litigation or restructuring are under way;
- Senior executives or public figures may be targeted;
- Highly valuable intellectual property is discussed on site;
- The premises were recently occupied or accessed by third parties.
The response should be proportionate to the risk and supported by strong physical, digital and procedural security.
How Conflict International can assist
Conflict International provides discreet Technical Surveillance Countermeasures for corporate offices, professional premises, residences, vehicles and other sensitive environments.
Depending on the circumstances, our work may include:
- Threat assessment and sweep planning;
- Physical and technical examination;
- Radio-frequency analysis;
- Electronic-device detection;
- Inspection of furniture, fixtures and infrastructure;
- Assessment of telecommunications and network environments;
- Evidence recording and reporting;
- Recommendations to reduce future risk;
- Coordination with legal advisers or law enforcement, where appropriate.
A TSCM examination cannot by itself establish who installed a device or why. Its purpose is to identify technical threats, assess the possible extent of a compromise and provide reliable findings for further investigative or legal decisions.
Where a suspected device has already been discovered, avoid handling it and seek immediate professional and law-enforcement advice.
If you have discovered a suspected surveillance device or have concerns about covert monitoring, contact Conflict International in confidence to discuss the appropriate next steps.