VM#019

Hi Everyone,

May has been incredibly busy for me 🤠 (the first month like this since the beginning of the year), but I genuinely enjoy everything that’s going on - more on that in the next issue, along with a few highlights :)

As you’re receiving this email, the first round of the presidential elections is taking place in Poland, an important moment for us.

Let’s take a look at what’s been happening over the past two weeks.

Cybersecurity News

  • NATO’s Locked Shields 2025: Poland & France Dominate Cyber Defense Exercise

    Thousands of cyber experts from NATO and partner nations joined forces in Estonia for Locked Shields 2025, the world’s largest and most advanced live-fire cyber defense exercise. Organized by NATO’s Cooperative Cyber Defence Centre of Excellence (CCDCOE), this annual event brings together technical experts, legal advisors, and policy-makers to simulate defending critical infrastructure during massive, real-time cyberattacks.

    This year’s edition involved nearly 4,000 participants from 41 countries. 17 blue teams were tasked with defending over 8,000 virtual systems, hosted on a cyber range operated by the CR14 Foundation, against thousands of highly complex attacks. New challenges included threats related to quantum computing and AI.

    Poland teamed up with France—and together they crushed it, finishing 2nd overall and being the best team in terms of defending against Red Team attacks. Huge congrats to the Polish cyber team (I know a few of you are reading this newsletter 👀)!

    The success of #BT06 would not have been possible without the strong leadership of the Polish Cyberspace Defence Forces (Wojska Obrony Cyberprzestrzeni). Find out more.

  • Vatican CyberVolunteers Defend the Holy See: Since 2022, a volunteer group known as the Vatican CyberVolunteers has been quietly working behind the scenes to defend the Vatican from digital threats. Composed of up to 90 cybersecurity professionals from around the world, the group has been helping to repel increasing cyberattacks targeting the Holy See. Find out more.

  • Become Italy’s Agent 007: Italy’s secret services have launched a national campaign to recruit cyber talent. The government is calling on experts in cybersecurity, OSINT & SOCMINT, and telecoms to apply before June 10, 2025, to join the intelligence ranks. Find out more. (in Italian)

Vulnerabilities & Exploits & Hacks

  • Zip Bombs Weaponized Against Bots: Defenders are fighting bots with clever tricks—like zip bombs. These small files explode into huge ones when opened, crashing automated scripts. A 10MB file can expand to 10GB, overwhelming malicious bots. Find out more.

  • Microsoft Copilot AI Leaks Passwords: A new warning highlights a security flaw in Microsoft’s AI Copilot. Misconfigured access settings allowed the tool to retrieve restricted password data, exposing risks in AI-powered enterprise software. Find out more.

Threat Hunting & Malware

  • The Man who accidentally stopped WannaCry: MalwareTech, a previously anonymous researcher, unintentionally halted the global WannaCry ransomware attack. His action made headlines—but also revealed his identity and changed his life forever. Find out more in a Darknet Diaries podcast.

Learning

TryHackMe has shared that they've been working on a new certification, set to launch on May 20th. Spoiler alert: it’s going to be the Jr Penetration Tester (PT1) — the badge was leaked earlier on Credly.

📰 Reports

  • Storm-1516 (Operation False Façade): Russian influence operations reach maturity. Report by VIGINUM (France’s agency for foreign information manipulation and interference). They previously revealed the Portal Kombat / Prawda Network operation in 2024.

  • Beyond Operation Doppelgänger: Inside the Social Design Agency. Report by Swedish Psychological Defence Agency.

  • Impact of the Digital Services Act: A Facebook case study. Report by NATO StratCom COE.

  • Poland Country Election Risk Assessment 2025. Report by Alliance4Europe.

Espionage & Counterintelligence

  • Russian Guest Researcher exposed: Norwegian PST reveals how guest researcher Mikhail Mikushin was unmasked as a Russian spy. Find out more. (in Norwegian)

  • Iran’s Oil Smuggling Shell Game: A Tehran-based company tied to Iran’s army used fake firms to sell sanctioned oil in Asia, including dealings with a Netherlands-based business. Find out more.

  • Surovikin in Algeria: Former Russian invasion commander Sergei Surovikin, missing from public view since 2023, now reportedly operates in Algeria. Find out more.

  • Iranian Spy Infrastructure Disguised as German Modeling Agency: Palo Alto Networks’ Unit 42 reveals covert Iranian infrastructure posing as a modeling agency. Find out more.

  • Canada needs a Foreign Human Intelligence Service. Find out more.

Missing People

It’s great that initiatives like the TraceLabs OSINT competition exist (a 4-hour event focused on finding missing people online). They teach valuable skills, but real life is often more complex. I’ve been involved in two missing persons cases. One person had been missing for two weeks; the other was a cold case, missing for several months in a different country. In the second case, based on my research, analysis, and scenario predictions, we were able to locate the person. Stories like these always move me deeply and remind me why this topic matters.

Child Alert – Europe / AMBER Alert – USA, Canada, Mexico

This week, across Poland, many of us received an SMS - RCB alert about a missing teenager — she was thankfully found the next day. This was a Child Alert, a system designed to rapidly spread information about missing children whose life or health is in immediate danger. The Child Alert system has been active in Poland since November 2013 and aims to quickly share alerts through media, the internet, outdoor advertising like digital signs at bus stops, train stations, airports, and even on electronic road signs.

The Child Alert procedure is rare and only activated under strict conditions — this was just the seventh time it's been used in Poland since its launch. In this case, even Czech police were involved, monitoring border crossings to prevent the girl from being taken out of the country.

To activate a Child Alert, several criteria must be met:

  • The missing person must be under 18.

  • Legal guardians must give consent to initiate the alert.

  • There must be evidence suggesting that the child’s life or health is at risk — for example, in cases of abduction or other threats.

  • Crucially, authorities must suspect — with supporting evidence — that the child may be a crime victim or in immediate danger, such as being kidnapped or taken abroad.

All six previous Child Alerts in Poland ended positively: three involved children taken abroad who were found, and three were cases within Poland.

When I received the SMS, I noticed the official police website with basic information about the missing child was overloaded and inaccessible. I immediately checked Facebook, where I found more photos of the girl by searching posts, and people were sharing sightings — for example, CCTV images from train stations. But it’s important to remember that social media can also be full of misinformation, false leads, and incorrect reports during such cases.

This was the first time that we ever received such an SMS alert. I started wondering why we hadn’t received similar alerts in previous cases like this. One possible reason may be the creation of the website gdziejestes.org, launched by the parents of a child who went missing in 2023. They advocated for changes in the system, including:

  • Full use of the Child Alert system and activating RCB (Government Safety Alert) notifications in selected regions for any case that meets the criteria

The organization “Gdzie jesteś?” called this a historic moment.

Polish police always verify every report before launching a Child Alert to confirm the level of danger. Here is an article (in Polish) explaining why the alert was used in this particular case.

SOCMINT

Most recently, a Reuters photograph circulated of former National Security Adviser Mike Waltz using Signal in conjunction with an app called TM SGNL.

The Signal Clone crisis
TM SGNL, developed by Israeli firm TeleMessage (now owned by U.S.-based Smarsh), was marketed as a secure Signal-based messaging app with compliance archiving but actually stored messages in plaintext, undermining true encryption. The controversy grew after American Oversight revealed that former Trump officials used TM SGNL for official communications. This month hackers exploited a vulnerability (CVE-2025-47729) to access sensitive logs, including messages from these officials, prompting CISA to add the flaw to its Known Exploited Vulnerabilities catalog and mandate federal fixes by June 2. Unlike Signal’s end-to-end encryption, TM SGNL’s central archiving exposed users to surveillance and breaches, violating the core trust in Signal’s security.

OSINT

Tools

  • Face Search Arrests – A facial recognition tool (US) that finds matching mugshots from an arrest records database.

  • Silvertgosint – Telegram OSINT tool that automates message harvesting from target users via API access. Bonus: pulls metadata from public groups. GitHub

  • onionengine.com – Search engine for sites in the .onion domain zone. Works without the Tor browser.

Google Updates

  • Google Advanced Protection Update: Google has expanded its Advanced Protection Program to offer enhanced, phishing-resistant security for mobile devices. The update includes automatic enrollment for high-risk users (like journalists, activists, and political figures) and stronger safeguards against malware, risky downloads, and unauthorized app access. Covered services include Gmail, Google Drive, Chrome, Google Play, and Google Account login.

Darknet

  • 4chan Operator Unmasked – Leakd reveals the identity of a key 4chan admin. Read more

Upcoming CyberSec / OSINT Events

Free

  • Women4Cyber Denmark CTF with Trend Micro. A CTF (Capture the Flag) event on May 21, 2025 from 4:00–9:00 PM CEST. Hosted online and at Trend Micro’s office in Ballerup, Denmark. A chance to train skills in alert investigation and threat detection. Register here.

  • Mapping Manipulation: How the FIMI Exposure Matrix Sharpens Attribution and Reveals Connections. A webinar on May 22, 2025 at 2:30 PM (online). The session explores how the FIMI Matrix helps reveal online influence operations. Register here.

    • I already explained what the FIMI framework is, along with other frameworks for analyzing disinformation - VN#013

  • The Fifth Annual GNET Conference
    An in-person event in London on June 28-29, 2025, hosted by the Global Network on Extremism and Technology. Event page here.

  • Hunchly + Maltego: Live Session & Q&A on May 28th at 10:00AM ET. Hunchly acquisition by Maltego. Online event. More info here.

  • Ahead of the AI Misinformation Curve: Let’s Talk Visual AI. A webinar on May 30, 2025 from 2:00–3:30 PM CEST. Register here.

  • DIVER OSINT CTF 2025
    "DIVER OSINT CTF 2025 7-8.06" will be held from Saturday, June 7 to Sunday, June 8, 2025. The competition runs for 24 hours and is a team event with up to 6 members per team.
    One of the toughest OSINT competitions, running for 24 hours online. Looking for a team or happy to create one. More info.

  • DATAHARVEST, May 22–25, 2025 in Mechelen, Belgium

  • Summer School on Misinformation, Disinformation and Hate Speech
    A paid hybrid event from June 30–July 4, 2025, organized by UNICRI (United Nations Interregional Crime and Justice Research Institute). Held in Rome and online, it covers strategies for countering digital hate and disinformation. More info here.

If you’ll be at Dataharvest or GNET in London — DM me, let’s meet!

🙃 Bonus

Angie put together a free guide to help folks searching for jobs in intelligence.
It includes key search terms, career paths, job boards, useful resources, and networking links. Honestly, it's the best list I've read so far. (docs)