Hi Everyone,

The newsletter is back and I've missed it more than I expected.

This edition features a guest I'm genuinely excited about. I've been following The Coalition of Cyber Investigators for a while now, quietly curious about the heavy lifting they do behind the scenes.

Our guest is Neal Ysart (co-founder of the Coalition of Cyber Investigators and founder of MacNeal-LCB & Partners Inc.). A former Scotland Yard officer with 16 years in law enforcement, Neal pioneered internet investigations and set several legal precedents. After his police career, he led 140+ investigators at a global bank and held senior forensic roles at three of the Big Four accounting firms across 30+ jurisdictions.

His insights on why OSINT is no longer just a "niche tool" are a must-read. You'll find his full section further down.

But first, let's get into the news.

Cybersecurity News

  • Substack Breach - 700K Users Exposed: Newsletter platform Substack disclosed a security incident (breach occurred October 2025, discovered February 3, 2026) that exposed email addresses, phone numbers, and internal metadata for approximately 663,000–697,000 users. Find out more

  • Claude Code Security just dropped. Cybersecurity stocks are having a moment. Does this mean the end for junior pentester / SOC roles?

Vulnerabilities & Exploits & Hacks

  • PromptSpy - First Android Malware Using Generative AI at Runtime: Researchers discovered PromptSpy, described as the first known Android malware to leverage Gemini AI during execution for runtime persistence. Find out more

  • Operation Drago - €0.01 for a Suite at the Ritz: A 20-year-old from Tenerife exploited a payment flow vulnerability to stay at Madrid's Mandarin Oriental Ritz for one euro cent per night and exposed himself by posting the stays on Instagram under his real name. Find out more

Threat Hunting & Malware

  • MITRE ATLAS x OpenClaw: MITRE published an ATLAS investigation mapping OpenClaw-specific attack techniques to standardized TTPs. Read the report

  • CERT-EU Publishes CTI Framework: A reference document for classifying and prioritizing malicious cyber activity targeting EU institutions published openly to invite peer feedback. Read the framework

Other

  • Alice (formerly ActiveFence) - New Name, Expanded Focus: ActiveFence rebranded as Alice, pivoting toward AI model security after a decade protecting 7 of the world's 10 largest AI foundation models and 3 billion+ users in the shadows. Find out more

  • DIA Consolidates OSINT and Media Exploitation Units: Two DIA organizations merged into the new National Digital Exploitation and Open Source Center (NDOC), with AI and machine learning at the core. Find out more

📰 Reports

  • Spies Among Us (FOI, Sweden): 70 convicted spies across 20 European countries (2008–2024). GRU is the most prolific recruiter (17 cases). Spy typologies expanded from 5 to 10. Read report

  • Latvian State Security Service (VDD) Annual Report 2025: Russia's intelligence and security services continued to pose the biggest threat to Latvia's national security. Read the full PDF

  • Estonian Foreign Intelligence Service Annual Report 2026: The EFIS published its International Security and Estonia 2026 report on February 10th. Available in English and an essential read for anyone tracking Russian threat activity. Read report

    • 💬 Estonian investigative journalist Holger Roonemaa compared both Baltic reports side by side and the contrast is striking: Latvia's SAB reads as factual and measured, while Estonia's VLA goes deep with specific, granular intelligence including ~100 GRU officers running procurement cover operations, a new Kremlin concept called the Baltic–Scandinavian Macro-region (BSM) covering 9 countries from Estonia to Germany, and Russia's planned deployment of 190 unmanned systems battalions across all military branches simultaneously. If you only read one intelligence report this year, make it the Estonian one. Full breakdown

Espionage & Counterintelligence

  • Russia's NATO UAV Espionage Campaign in Europe: Russian intelligence is actively targeting NATO unmanned systems across Europe. In Portugal, a 23-year-old has been charged with espionage and attempting to sell stolen NATO military data to the Russian Embassy in Lisbon. Find out more

  • Russia's Global Influence Machine Exposed: Leaked internal documents reveal a network of ~90 political consultants under SVR control running disinformation campaigns across 30+ countries, with a budget of nearly $7.3 million for January–October 2024 alone. Investigation | Agent identities

  • Lower Saxony Labels AfD "Extremist": The state's intelligence service has officially classified the AfD as a "confirmed right-wing extremist organization." This upgrade grants authorities broad powers to use informants, wiretap communications, and monitor the party's activities around the clock. Find out more

  • Greece & France - China's MSS Goes After NATO Personnel: A Hellenic Air Force colonel confessed to passing classified information to China after a CIA tip-off. French authorities also arrested four people collecting military intelligence from Airbnb apartments in Gironde. Find out more

  • Russia Uses the Orthodox Church as an Africa Foothold: The Russian Orthodox Church expanded from one country to 34 in Africa between 2022 and 2025, using religion and culture as influence vectors alongside Africa Corps (former Wagner, now GRU). Meduza

SOCMINT

  • X declares War on Bots: If a human is not tapping the screen, the account and all associated accounts will be suspended even for experimentation. Scraping tools and monitoring scripts are all at risk. Adapt to the API or get banned. Find out more

  • Instagram's Anonymous Mode: A new paid tier would let users browse Stories without the poster knowing, plus access to audience lists and follower data. A layer of attribution investigators have relied on for years disappears behind a paywall. Find out more

  • X becomes a Trading Floor: "Smart Cashtags" let users click $BTC and see live price charts with a direct buy option without leaving the app. X is simultaneously a news source, market manipulation vector, and payment infrastructure. Find out more

AI

🦞 The Thing Everyone Is Talking About: Clawdbot → Moltbot → OpenClaw

If your timeline is suddenly full of red lobster memes and talk of "AI with hands," here is the quick breakdown of the chaos.

What is OpenClaw? It’s not just another chatbot, it’s a free, open-source AI agent that actually does things. Running locally on your computer, it connects to apps like WhatsApp or Discord to autonomously book flights, manage your calendar, and write code. Unlike ChatGPT, it has persistent memory, meaning it learns your habits over months. It’s essentially a real-world JARVIS.

Why the three names in the meme? The project’s evolution is a wild tech thriller:

  1. Clawdbot: Launched in Nov 2025 as a riff on Anthropic’s Claude. It hit 100k+ GitHub stars in 3 days before Anthropic’s legal team stepped in.

  2. Moltbot: Creator Peter Steinberger rebranded it (lobsters molt to grow), but "handle snipers" grabbed the old username to launch a fake $16M crypto token that crashed to zero instantly.

  3. OpenClaw: The final, stable name under an independent foundation. Steinberger just announced he’s joining OpenAI, but the project lives on.

The "Black Mirror" Twist: An OpenClaw agent named "Clawd Clawderberg" autonomously built Moltbook - a social network exclusively for AI agents. No humans allowed. Within days, 1.5 million bots were posting, arguing, and upvoting each other in a digital echo chamber.

Safety first: Before giving a digital lobster the keys to your life, check out this tool by Astrix Security. It helps you scan and monitor OpenClaw’s permissions and security footprint: Astrix Footprint Scanner.

OSINT Guest Section

By Neal Ysart | Co-founder of the Coalition of Cyber Investigators

Paul Wright and I co-founded the Coalition of Cyber Investigators as a think tank to bridge the gap between OSINT, cybercrime investigations, and digital forensics. However, we quickly began receiving requests for commercial work and are now busy with numerous investigations and projects.

The Standards Gap: We see the rapid growth of OSINT mirroring the evolution of digital forensics several decades ago. Back then, forensics was a new field finding its feet; today, OSINT faces the same lack of globally accepted standards and certifications. This is a significant risk. Without uniform procedures, two investigators can reach different conclusions from the same data - a major liability in court. A core part of our mission is advocating for clear, universal standards to ensure investigations are reliable and legally robust.

Tech Built for Investigators: We also spend time working with solution providers to ensure their technology meets the needs of a working investigator:

  • Forensic OSINT: Provides the most effective forensic screen capture solution we have encountered, prioritizing evidential integrity from day one.

  • Tesari AI: We’re partnering with them to develop an OSINT co-pilot that integrates evidentiary safeguards. Unlike generic AI, it ensures the human investigator remains the ultimate authority over the evidence.

Beyond Investigations - Managing Risk: One of the most exciting developments is harnessing OSINT to manage operational risk. We’ve published a range of beginner guides at coalitioncyber.com covering everything from law firms and family offices to HR, recruitment, and sustainability reporting.

The Bottom Line: OSINT is no longer just a niche tool; it is a fundamental requirement for modern investigations and risk management. Our goal is to ensure that as the field grows, the standards and tools underpinning it are fit for purpose, not a liability.

Disinformation Toolkit

  • Get Bad News: A serious game that puts you in the shoes of a disinformation tycoon. It’s a brilliant way to train your "BS detector" by learning how fake news spreads.

  • Is That Factual: A go-to resource for verifying news reliability and identifying biased sources before you share them.

Regional Shifts

  • New Syrian Currency Design: On January 1, 2026, Syria introduced a redesigned banknote series, redenominating the currency by removing two zeros to simplify transactions. The new designs replace political portraits of the Assad family with national agricultural motifs.

Google Updates

  • Google's AI Made the Deepfake. Google's AI Couldn't Spot It: Three AI-altered photos of Jeffrey Epstein "alive in Tel Aviv" went viral, all made with Google's AI. Journalist Henk van Ess fed the same fake to four Google tools: three failed, and only Gemini with SynthID flagged it correctly. Full investigation

  • Google Translate Runs Gemini and Can Be Jailbroken: Translate's "Advanced" mode runs Gemini 1.5 Pro for certain languages and can be prompt-injected to answer questions instead of translating. It is excluded from Google's bug bounty program. Source | Writeup

  • Remove Your SSN and Passport from Google Search: "Results About You" now detects ID numbers on indexed pages with a direct removal flow. Catch: it doesn't erase the data from the internet. Find out more

Darkweb

  • Incognito Market Operator Sentenced: Rui-Siang Lin was sentenced to 30 years for operating Incognito Market, which handled $105 million in drug sales before closing in March 2024. Find out more

  • Kingdom Market Co-Creator Pleads Guilty: Alan Bill, 33, of Bratislava, pleaded guilty to involvement in Kingdom Market (March 2021 – December 2023). Sentencing: May 5, 2026. Find out more

  • TorZon Becomes New Darknet Leader: Following Abacus Market’s 2025 collapse, TorZon has emerged as the dominant marketplace in early 2026 with 15,000+ listings, while Russian Market leads in stolen credentials. Find out more

Upcoming CyberSec / OSINT Events

Free

Webinars

  • Analysis of Criminal Networks in Python (IACA): Free webinar covering co-offending network analysis from raw police data to social network visualization using NetworkX and PyViz. No prior Python or SNA knowledge required. March 5, 2026 | 12:00 PM ET. Register

CTF & Challenges

  • Want to Build Your Own CTF? Shiba's guide walks through the full process, covering challenge structure, sourcing real data responsibly, and avoiding common design pitfalls. Read the guide

Freemium

  • SANS OSINT Summit 2026: March 16 (Summit) + March 17–22 (Training) | Washington D.C. Find out more

  • TASM (Terrorism and Social Media) Conference 2026: June 16–18 | Swansea University, UK. 30+ sessions, 100+ speakers. Early-bird until February 28. Secure your spot

On Demand & Training

  • Fact Check & OSINT Review (EBU): EBU Spotlight's latest review covering verification techniques and new OSINT insights. Format: newsletter and video. View

  • Blockchain Intelligence for CSAM Investigators (TRM Labs): Free learning path covering dark web patterns, cross-chain laundering, and evidentiary narratives. Developed by former FBI, IRS-CI, HSI, and USSS investigators. On-demand. Get started

  • [Training] Introduction to Investigative Journalism (GIJN x iMEdD): Free, 10-session online course for journalists with 5+ years of experience but little investigative background. 20 spots, mentorship included. Application deadline: March 6, 2026. Apply here.

Found this helpful? Forward it to someone who’d enjoy it.