VM#018

Hi Everyone,

At first, I wasn’t sure what this issue would focus on—but as the week progressed, a theme naturally emerged. It began with my reading a report on double standards in Meta’s ad policies, followed by reading an investigation exploring the link between Facebook Ads, AI-generated content, and child abuse, which was carried out by one of the participants in the Cyber Investigations Training Course we’re currently attending through May. Last week, during the course, we covered techniques for investigating websites and uncovering connections between digital ads and threat actor networks. Meanwhile, another participant showed how a tool like Burp Suite can be used to analyze websites and expose malware hidden in advertising infrastructure.

Until recently, I thought of ads mostly in terms of analyzing them through Facebook or Google’s ad libraries—and that was it. Now I understand that ads can be a powerful (and dangerous) tool in cyber operations, social engineering, and disinformation.

Cybersecurity News

  • Who hasn’t received at least one suspicious phone call from a +44 number in recent weeks? Many Poles have reported such calls, often followed by WhatsApp messages encouraging them to respond. The scam starts with small payouts for simple tasks like liking items on Allegro to build trust, then escalates—victims are eventually asked to send larger sums with promises of high returns. According to CERT Orange Polska, some individuals have lost up to 20,000 PLN through this well-crafted social engineering scheme.

  • In its 2025 Annual Threat Assessment, the Australian Security Intelligence Organisation (ASIO) reported that espionage and foreign interference have reached unprecedented levels, with at least three foreign governments plotting to harm individuals residing in Australia, including a foiled assassination attempt against a human rights activist.

Vulnerabilities & Exploits & Hacks

  • Cozy Bear's Wine-Tasting Phishing Lures: Russian APT29 (Cozy Bear) is once again targeting European diplomats with fake wine-tasting invitations, deploying new malware variants like GRAPELOADER and WINELOADER. Find out more.

  • Chameleon Ads Bypass Meta Moderation: Scammers are using deceptive ad tactics that change content after approval to promote fraudulent schemes like crypto scams, effectively evading Meta’s moderation systems. Find out more.

Threat Hunting & Malware

  • Ad-Jacked WordPress Sites Used for Profit: Cybercriminals are injecting malicious Google AdSense code into compromised WordPress websites, secretly monetizing traffic and redirecting users—often without site owners’ knowledge. Find out more.

Learning

Malvertising—short for malicious advertising—is a tactic where cybercriminals hijack (take over without permission) ad accounts, like Google Ads, to display fake or harmful ads that trick users into downloading malware, sharing sensitive data, or making fraudulent payments.

📰 Reports

  • Report Meta Ads PAY-TO-PLAY: Meta's community (double) standards on explicit content ads. Report.

  • Doppelgänger 2.0: Russia’s paid propaganda machine targets Poland’s 2025 election on X. Report created by Alliance4Europe and Debunk.org. Report.

Espionage & Counterintelligence

  • Rome's Intelligence Hub: Italy becomes a temporary hub for European intelligence chiefs and secret mediation missions involving Russia, the U.S., and African juntas. Find out more.

  • North Korea targets Irish tech: Undercover North Korean operatives infiltrate Ireland’s tech sector to raise funds for nuclear weapons development. Find out more.

  • Dutch Researcher Screening: The Dutch government will screen around 8,000 researchers annually to prevent espionage involving sensitive technologies. Find out more.

  • Faraday bags for EU lawmakers: During visits to Hungary, MEPs were given signal-blocking Faraday pouches to shield devices from surveillance. Find out more.

  • Serbian passports for Russian elites: An investigation reveals how Serbia’s citizenship law grants Russian elites indirect access to the EU despite sanctions. Find out more.

Platform Failures & Digital Safety

  • The Hidden power behind a Global Adult platform (recognizable black-and-orange logo): A report by Canadian investigative journalist Nora T. Lamontagne, co-author of the book L’Empire du Sexe, reveals how a widely recognized adult content site — which recorded nearly 1.5 billion visits in January 2024 alone — remains under the control of the same core ownership group, known as the "Bro Club," despite multiple company name changes and ongoing legal scrutiny. Persistent issues with moderation, allegations of trafficking, and a lack of transparency are detailed in a new interview on investigace.cz. (in Czech)

  • AI-Generated Abuse Content Evades Meta’s Filters: An investigation for Núcleo (an independent Brazilian newsroom) led by Sofia Schurig from the Pulitzer Center (and a participant of the Cyber Investigations Training Course that I’m currently attending) uncovered 14 Instagram accounts that linked to subscription platforms hosting both AI-generated and real child abuse material. These accounts bypassed Meta’s safety systems and featured content depicting minors in sexualized contexts, blending childlike faces with adult bodies.

For Polish fellows 

A KidsAlert mobile app - Kinga (LinkedIn, Instagram), President of the Prospołeczna.org Foundation and Founder of BezpieczneDziecko.org (Safe Child), is developing the KidsAlert mobile app—a tool that will notify parents about dangerous online trends and threats, regardless of whether they are currently being covered by the media or trending on platforms like TikTok or Instagram. Kinga’s team was the first to uncover several dangerous online challenges, including the 2024 Halloween case involving sharp objects hidden in candy, as well as lesser-known but equally harmful trends like the "paracetamol challenge" and the "play with fire challenge." Her mission is to build an independent alert system that gives parents real-time support in protecting their children online.

The fundraising campaign to build the app is ongoing—only 5,000 PLN is still needed. Let’s help make it happen! 🙌 Link to the fundraiser.

SOCMINT

This week, I attended a TikTok briefing focused on the platform’s efforts to support election integrity and platform safety ahead of Poland’s 2025 presidential election. As part of this, TikTok highlighted their Global Policy for Government, Politician, and Political Party Accounts (GPPA), which places specific restrictions on political actors using the platform.

Key restrictions include:

  • No political advertising

  • Monetization features disabled (e.g., gifting, tipping, Creator Fund)

  • Campaign fundraising prohibited

You can read more in TikTok’s official GPPA policy.

🗣️ During the briefing, TikTok emphasized that they do not position themselves as a traditional social media platform, but rather as an entertainment platform — comparable to Netflix.

Platform Ad Updates

Meta Expands Threads Ads to All Advertisers
Meta has opened up ad access on Threads to all eligible advertisers worldwide, as part of a broader push to strengthen brand–user engagement.

OpenAI Plans to Introduce Ads in ChatGPT by 2026
Despite earlier concerns about ad-driven content, OpenAI is preparing to monetize free users of ChatGPT through native advertising by 2026.

Other Social Media Developments

Snapchat Boosts Anti-Exploitation Tools
Snapchat expands its Know2Protect initiative with new educational and protective features aimed at preventing child sexual exploitation on the platform.

YouTube Experiments with Blurred Thumbnails for Sensitive Searches
YouTube is testing blurred thumbnails in search results for queries commonly associated with adult content, aiming to improve user safety and experience.

OSINT

Tools

  • Deepfake Database: A growing collection of known deepfakes, useful for research, verification, and training detection models.

  • Craig’s Guide to investigating digital ad libraries: A practical resource by Craig from Digital Investigator, offering techniques and frameworks for analyzing digital threats.

  • Search Whisperer Beta by Henk van Ess: An AI-powered search assistant that transforms vague Google queries into precise, operator-enhanced searches using multiple LLMs—helping you cut through SEO noise and find high-quality results in under 37 seconds. The tool & how to use it.

Google Updates

  • Google to Retire All Country-Specific Domains: Google has announced it is phasing out all country code top-level domains (ccTLDs), such as google.de and google.it, as part of a global shift toward a unified domain strategy. Read more.

Darknet

  • Sam Bent spotted that breachforums[.]sx is a fake site - the clearnet version was taken down, supposedly due to an 'electricity issue' with the provider — but the .onion version is still online.

Upcoming CyberSec / OSINT Events

Free events

  • Gathering Evidence and Documents in Conflict and War Zones – A MENA Case Study
    A free webinar on May 6 at 10:00 AM EDT organized by the GIJN will explore methods for collecting evidence in conflict zones, with live translation into Arabic and French. Register here.

  • Deep Fake It 'til You Make It: Social Engineering in the New Age, Mandiant session
    On May 8 at 2:30 AM CEST, this 45-minute session will cover how deepfakes are increasingly used in modern social engineering attacks. Register here.

  • The International Investigative Interviewing Research Group (iIIRG) will host a free live webinar on May 13, 2025, titled “The Use of Technology in Investigative Interviewing”, presented in collaboration with ImpleMéndez, as part of their “In Conversation” series. Register here.

Free Courses

  • Preventing Online Child Exploitation with Financial Intelligence
    This free, self-paced course by ACAMS offers an overview of how financial data and OSINT techniques can be used to combat online child abuse, including real case studies and cryptoasset tracking. More info here.

  • Ending Illegal Wildlife Trade — A Comprehensive Overview
    Offered in collaboration with WWF and other global partners, this self-paced training covers the financial risks and red flags associated with the illegal wildlife trade. More info here.

  • EACA Crime Analysis Conference 2025: Taking place in Treviso, Italy from October 27 to 29. More info here.

🙃Bonus

A new initiative, OSINT JOURNO, is dedicated to providing cutting-edge Open Source Intelligence (OSINT) tools, resources, and educational content to empower individuals and organizations in the ever-evolving fields of investigative journalism and intelligence. It’s a global community with a special focus on India — check out their website and LinkedIn for more.