VN#021
special edition with a guest
Hi Everyone,
How can one LinkedIn DM create a great connection? A few years ago, Riccardo reached out to me to be one of the first beta testers of his OSINT tool. Later, we met at the coolest underground cybersecurity event in Strasbourg, France. Now, after a few years, I’m excited to host him here.
Riccardo Tani is a Co-Founder of Ricta Technologies Srl, a boutique cybersecurity firm based in Bucharest, renowned for delivering next-generation OSINT and web forensics platforms. With over 20 years of experience in cyber-physical security operations, cyber threat intelligence, and digital forensics, Riccardo began his career as a Digital Forensics Expert Witness before transitioning into SOC management and DFIR (Digital Forensics and Incident Response) team building.
Over the past decade, Riccardo has pioneered advancements in OSINT and web forensics, creating innovative tools like Eviquire and Forsint. He is also dedicated to mentoring future digital investigators and supports the community by offering free licenses to academic institutions and NGOs to enhance online intelligence and forensic workflows.
One of the readers of this newsletter (he’s been with it since Day 0, back when the idea for this project was just beginning to take shape) recently wrote to me:
How come it changed from VN to VM?
And he’s right 😄 When I was moving the newsletter over to Beehiiv, it got messed up a bit. The label should definitely be VN, as in Vanish Notes. The next ones will be corrected.
If you spot anything else I could improve, don’t hesitate to let me know!
Cybersecurity News
What’s going on with clickbait news - 16 mln data leak? This isn't actually a new data breach - it's a compilation of old stolen credentials from infostealer malware that was temporarily exposed online. The leaked data appears to be previously circulated credentials collected over years from various infostealers, data breaches, and credential stuffing attacks, then repackaged into a single database that cybersecurity researchers discovered briefly exposed on the internet. Basic security steps: Check if your credentials appear in breaches using services like Have I Been Pwned and enable two-factor authentication on all accounts. Find out more.
IntelBroker Saga: US authorities charged British national Kai Logan West, aka “IntelBroker,” for data breaches causing $25 million in damages. He was arrested in France in February 2025 and awaits extradition to the US for trial.
IntelBroker’s arrest was followed by several others, including four individuals (ShinyHunters, Hollow, Noct, and Depressed) linked to the ShinyHunters hacker group. Both IntelBroker and members of ShinyHunters were involved in administering and moderating the cybercrime and data breach forum BreachForums. Read here: How the FBI Tracked Down IntelBroker. Read the DOJ indictment PDF on the IntelBroker case.
Spotted breachforums clones: kittyforums[.]wiki and darkforums[.]st
Vulnerabilities & Exploits & Hacks
Slovenia sticky situation: Slovenian authorities discovered brand-new USB sticks distributed to government institutions were preloaded with malware, prompting a halt in their use and raising cybersecurity alerts. Find out more.
WeChat leak: The researchers discovered a massive 631GB unsecured database containing around 4 billion records, mainly involving Chinese users. Find out more.
Threat Hunting & Malware
North Korean Malware Campaign: Hackers deploy malware using weaponized Calendly and Google Meet links. Find out more.
Acquisition & Funding
Cellebrite has acquired Corellium for $200M. The two will jointly launch a new tool enabling virtual iPhone hacking. Find out more.
Tadaweb, an open-source intelligence company, raised $20M to expand its Small Data OS for defense, national security, public safety, and corporate security across the US and EU. Investor statement.
📰 Reports
Espionage & Counterintelligence
Iran-linked espionage arrests in Cyprus and Greece: Two men of Azerbaijani origin were separately detained—one in Cyprus, a UK national accused of surveilling RAF Akrotiri, and another in Greece, caught near a NATO base with Polish documents. Authorities are investigating potential connections between the two cases.
Israel reinstates OSINT unit Hatzav in IDF intelligence: The Israeli military brings back its open-source intelligence division to strengthen information gathering. Find out more.
Putin signs decree for national intelligence-sharing platform: The Kremlin moves to centralize communication through a new multifunctional state messaging system. Find out more. (.ru)
Sweden considers radical intelligence overhaul: A high-level review urges sweeping changes to improve Sweden’s intelligence capabilities including OSINT. Find out more.
Spain passes controversial Intelligence Law: The new legislation allows authorities to intercept communications without prior judicial approval. Find out more.
Additional info
Telegram Groups Involved in Israel–Iran Cyber Conflict: A curated list of Telegram groups carrying out cyber activities in the Israel–Iran conflict. Compiled by fastfire, the creator of DeepDarkCTI. See the GitHub list.
Iran-Related Telegram Channels & Groups: Originally compiled on June 13, 2025, by the CEO of Telemetry Data Labs. The list is now open for public contributions. Open Google Doc: Iran_AOR Channels_Groups
SOCMINT
Nothing interesting this time :(
OSINT Guest Section
Welcome to the fascinating world of Web Forensics. Let’s begin by defining Web Forensics as the process of uncovering and interpreting online data. The main goal is to preserve evidence in its most original form. In many cases, this is a natural continuation of OSINT investigations, where part of the collected intelligence may eventually be used as evidence in a court of law.
By the time legal proceedings begin—or even by the time an investigator realizes that intelligence needs to be treated as evidence—that data may no longer be available for proper forensic acquisition. This highlights the critical importance of collecting web evidence correctly from the very first moment.
The methods for collecting web evidence have evolved alongside the internet itself. During the Web 1.0 era, when much of the internet was publicly accessible simply by loading a URL, the Internet Archive (https://archive.org/), active since 1996, was by far the most well-known tool for acquiring web evidence.
With the rise of Web 2.0 and Web 3.0, the digital landscape shifted towards authenticated websites, social media platforms, intranet sites, and other systems where a single click was no longer enough to access the content. As a result, web evidence acquisition had to evolve to include the ability to browse multiple pages before reaching the target content suitable for forensic preservation.
Consequently, new generations of tools emerged, introducing not only live acquisition capabilities but also various formats: desktop applications, browser extensions, and SaaS-based acquisition platforms.
When selecting a web forensic tool, it’s crucial to consider your country’s legal framework and the broader best practices in digital evidence collection.
It is essential to verify whether the tool ensures:
Proof of integrity (evidence hash),
Chronological record and proof of existence (timestamp),
Proof of authenticity (raw network traffic dump and TLS session keys).
Desktop Web Forensics applications are the most complete and ideal solutions for all types of acquisitions, including, for example, days-long social media captures involving auto-scrolling, comment and reply expansion, video recording, and full network traffic capture. These tools are also the only ones capable of ensuring the confidentiality of an ongoing investigation.
Web Forensics SaaS acquisition services are highly practical, as they require no software installation and typically guarantee both the integrity and authenticity of the evidence. However, due to limited cloud computing resources, they are not well-suited for long-running acquisitions. Additionally, in many jurisdictions, their use may raise concerns about data privacy and confidentiality.
Browser extensions, on the other hand, are only capable of ensuring the integrity of the evidence. In many countries, this limitation renders the evidence inadmissible in court or insufficient when challenged by opposing legal experts.
To clarify further: due to inherent security limitations, browser extensions cannot guarantee the authenticity of the captured evidence. They lack the ability to store and verify raw network traffic and cannot record the full acquisition session, including video and metadata.
An attacker using a MITM (Man-in-the-Middle) proxy can alter website content in real time, and a browser extension may forensically capture this forged content without any mechanism to detect or prove tampering.
Browser extensions often provide a false sense of security. Investigators may believe they are producing court-admissible evidence, yet fail to offer the technical elements required for expert verification. Extensions do not capture network traffic, and the resulting evidence may be nothing more than a hashed screenshot.
While generating a hash and timestamp of a screenshot can prove that a specific file has not been altered, it does not prove the authenticity of the content itself.
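The difference between the three proofs listed above can be made concrete with a small manifest check. This is an added example, not part of the original newsletter or of any Ricta tool; the role names, file names and sample bytes are constructed for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

# Role names are this example's own convention, not a standard.
AUTHENTICITY_ROLES = {"network_capture", "tls_session_keys"}

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_manifest(artifacts, acquired_at=None):
    """artifacts: {filename: (role, content_bytes)} -> manifest dict."""
    # Local clock only; proof of existence needs a trusted timestamp
    # (e.g. an RFC 3161 token) issued over manifest_sha256.
    ts = acquired_at or datetime.now(timezone.utc).isoformat()
    entries = {name: {"role": role, "sha256": sha256(data)}
               for name, (role, data) in artifacts.items()}
    body = {"acquired_at_utc": ts, "artifacts": entries}
    digest = sha256(json.dumps(body, sort_keys=True).encode())
    return {**body, "manifest_sha256": digest}

def review(manifest, artifacts):
    """Report which proofs a package can support when re-examined."""
    body = {k: manifest[k] for k in ("acquired_at_utc", "artifacts")}
    manifest_ok = (sha256(json.dumps(body, sort_keys=True).encode())
                   == manifest["manifest_sha256"])
    files_ok = set(artifacts) == set(manifest["artifacts"]) and all(
        sha256(data) == manifest["artifacts"][name]["sha256"]
        for name, (_, data) in artifacts.items())
    roles = {e["role"] for e in manifest["artifacts"].values()}
    integrity = manifest_ok and files_ok
    return {
        "integrity": integrity,
        "timestamp_recorded": bool(manifest["acquired_at_utc"]),
        # Material an expert needs to re-check the content against the wire.
        "authenticity_material": integrity and AUTHENTICITY_ROLES <= roles,
    }

# Constructed sample packages (contents are placeholder bytes).
EXTENSION_STYLE = {"page.png": ("screenshot", b"constructed screenshot bytes")}
FULL_CAPTURE = {
    **EXTENSION_STYLE,
    "session.pcapng": ("network_capture", b"constructed capture bytes"),
    "tls_keys.log": ("tls_session_keys", b"constructed key log bytes"),
}

if __name__ == "__main__":
    for label, pkg in (("extension-style", EXTENSION_STYLE),
                       ("full capture", FULL_CAPTURE)):
        print(label, review(build_manifest(pkg), pkg))
```

A screenshot-only package passes the integrity check whatever the screenshot shows, which is why the hash alone says nothing about whether the content was forged before capture.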
It’s also worth emphasizing a commonly overlooked fact: browser extensions can pose significant security threats. Their activity is invisible to the user, and they can compromise not only the investigation but also the investigator’s real identity.
To raise awareness about this threat, we developed a simple but effective tool to demonstrate how a Chromium-based browser can display manipulated content if the investigator is identified (by using DevTools or Extension Fingerprint):
Try it yourself at whoami.forsint.com using your investigative browser.
It is important to distinguish Web Forensics from Browser Forensics or Cloud Forensics.
Each discipline serves a different purpose and requires its own methodology and tools. (Learn more in our free course).
These considerations led me, over a decade ago, to develop my first web forensic browser as a desktop application—rather than taking the faster and easier route of building a browser extension.
Although it was significantly more difficult and came with countless challenges, I have never regretted that decision.
As we often say: "A forensically acquired fake news is still fake news."
At ricta.io, we aim to deliver best-in-class web forensics and virtual HUMINT customisable solutions, while also supporting the wider community and raising awareness around this critical field.
These were just a few introductory points about Web Forensics. If you're interested in learning more, you're welcome to register at academy.ricta.io to attend our Advanced Web Forensics training and take the certification exam. It’s currently free for a limited time :)
We also offer free licenses of all our software (Bricobrowser.com, Eviquire.com, Forsint.com) to universities and NGOs.
Feel free to connect with me on LinkedIn.
Or follow our Ricta Technologies Srl page on LinkedIn.
Google Updates
Historical Street View Comes to Google Earth: Google has introduced historical Street View imagery to Google Earth, allowing users to explore the past in a new way.
20 Years of Google Earth: Favorite Moments. See the timeline.
Darknet
Russian Darknet Market Launches Memecoin: A Russian darknet marketplace has launched MoriCoin, a memecoin built on the Solana blockchain. Read more.
Operation Deep Sentinel: Major Takedown of Darknet Market - Archetyp, one of the world’s largest and longest-operating darknet drug markets. Europol press release.
Upcoming CyberSec / OSINT Events
Free
Using Languages in OSINT – Free 2h Webinar by i-intelligence
Skip Schiphorst, Vytenis B., Paolo Walcher will share how to apply Chinese, Russian, Arabic in online investigations.
Date: July 1, 09:00–11:00 CET, Webinar Info
Iran–North Korea Cooperation – CSIS Webinar
A strategic overview of Iran-North Korea ties, hosted by the Center for Strategic & International Studies.
Date: July 1, 09:30–10:15 EDT, Event Details
OSINT Playdate – Organized by OSINT Switzerland & CYREN ZH
Informal OSINT meetup and hands-on session in Zürich.
Date: July 4, 15:00–17:00 CEST, Event Info
DFIR Summit Solutions Track – SANS (Free Track Only)
Free digital forensics track featuring Domenica Crognale.
Date: July 25, Summit Info
Training
Digital Security for Journalists in Times of Crisis — online and open to everyone
Organized by the Knight Center for Journalism in the Americas and the Global Investigative Journalism Network (GIJN).
Date: July 7 – August 3, 2025, Training info
Next-IJ Cross-Border Investigative Training Program, online
Topics: Following the money, tracking assets, uncovering hidden ownership, handling data legally, and using Aleph & DATACROS.
Dates: 2nd round: July 18 | 3rd round: September 20
Application deadline for July session: July 2, Training info
Open to investigative/data journalists with relevant experience.
Requirements: CV, 1-3 work samples, completed application form.
I participated this week and it was jam-packed, highly recommended!
CTFs
Junior.Crypt.2025 CTF organized by Yanka Kupala State University of Grodno, Belarus. The official languages of the CTF are Russian and English.
Date: Tue, 1 July 2025, 08:00 UTC – Thu, 3 July 2025, 08:00 UTC
Official website.
European Cybersecurity Challenge 2025 – Poland Qualifier
CERT Poland is organizing national qualifiers for the European Cybersecurity Challenge, held annually under ENISA’s supervision.
For participants aged 14–25.
Qualifier dates: 4–6 July CEST. This year, the finals will be hosted by Poland.
More info.
GenCyS CTF, an event powered by UST Global.
First round (online): 2 August 2025, GenCyS 2025 CTF
🙃Bonus
Kamil Bojarski’s talk at CyCon 2025, organized by NATO Cooperative Cyber Defence Centre of Excellence. Watch it here.