Hi Everyone,
An exceptionally busy stretch on every front.
In June I ran a workshop for Armenian journalists, an event organised together with Poland's Department of Strategic Communication and Countering International Disinformation (part of the Polish Ministry of Foreign Affairs). Important timing for them. I wanted to strengthen their work against Russian disinformation, and we went through different techniques and methods, with examples pulled straight from my own casework. The best part was the journalists constantly challenging me with questions, pushing me to actually help them find something live.
We are also very close to publishing three cross border investigations built together with OCCRP. One of them already dropped this week. Two more are still coming, I cannot wait. The hardest part? On the Polish angle, preparing the data and information so it holds up under international fact checking.
King of Gambling just went live, and I'm one of the authors on it from Frontstory's side. A joint investigation by OCCRP, Frontstory.pl, TVN24, and the investigative portals NGL.media (Ukraine) and CIReN (Cyprus), it follows one of Europe's biggest betting moguls — a man who left his trace across Turkey, Ukraine, and Poland before he was finally caught in Spain. We established that the "IT company" he presented as his own was actually running telemarketing for blacklisted online gambling sites. His whole fortune traces back to those casinos, and those casinos are exactly what set the international criminal investigations in motion.
Read the full investigation here:
OCCRP (English) | NGL.media (Ukrainian angle) | Frontstory (Polish)

Credit: Turgut Denizgil, CIReN (Cyprus)
Let's check what's been happening in the world.
Cybersecurity News
Poland Busts SIM-Swap Gang Behind Millions in Crypto Theft: Poland's CBZC arrested four members of an organized group over SIM-swap attacks, crypto theft, and money laundering, with FBI and HSI support. They breached telecom partners' infrastructure to hijack victims' numbers and drain exchange accounts, laundering tens of millions of zlotys. Find out more
Interpol "Hackathon" Surfaces Trafficking on Subscription Platforms: Operation CyberProtect III (19-22 May), co-organized by INTERPOL and the OSCE, brought officers from seven European countries together to target subscription content platforms used for trafficking and exploitation, identifying 34 cases, 18 suspect profiles, and 27 potential victims. Find out more
Vulnerabilities & Exploits & Hacks
Malicious npm Package Leaks Its Own GitHub Token - and Targeted Claude Users: OX Security found "mouse5212-super-formatter," an npm infostealer that exfiltrates files to an attacker repo but a hardcoded GitHub token let researchers trace the thefts in real time. Find out more
FROST - Websites Track Open Tabs and Apps via SSD Timing: Researchers from Graz University of Technology and Liebherr described a side-channel that tracks open tabs and running apps via browser-measured SSD activity, abusing the OPFS API in Chrome, Firefox, and Safari with ~89% accuracy for sites and ~96% for apps. Find out more
Threat Hunting & Malware
Vidar Adds Chrome ABE Bypass via APC Injection: Gen Threat Labs documented Vidar using process forking, memory scanning, and APC injection to pull Chrome's master decryption key from live memory, bypassing Application-Bound Encryption while dodging code-injection detection. Find out more
Other News
Microsoft Tests Auto-Isolation in Defender for Endpoint: Microsoft is testing a capability that automatically isolates compromised endpoints to block lateral movement, keeping them cut from the network but connected to the Defender service for monitoring. Find out more
Acquisition
Accenture to Buy Dragos, runZero, and NetRise in ~$4.2B OT Cyber Deal: Accenture is acquiring a majority stake in Dragos plus full ownership of runZero and NetRise (~$4.2bn, closing Aug/Sept), making the $4.175B combined business the most valued OT cybersecurity company in history. Find out more
CEO Robert M. Lee: "I will remain CEO. Dragos will remain the standalone and independent company it's always been." Asked "Will Dragos still be Dragos?", he answers: "Yes. And then some." Dragos (CEO note)
Separately, Cisco will acquire identity-security firm WideField Security to boost Splunk's agentic AI. Cisco
📰Reports
Espionage & Counterintelligence
Egypt's Covert Drone War in Sudan: Egypt has secretly run drone strikes on Sudan's Rapid Support Forces for months from a hidden desert airbase. Find out more
FATF June 2026 Plenary - Grey List Shifts: Iraq and Bosnia and Herzegovina join the grey list, Algeria and Namibia leave, and the blacklist stays put. Find out more
CIA-Linked Firm Resold Clearview AI Licenses to US Special Forces: A Virginia firm with ex-CIA/NSA founders brokered facial-recognition licenses to the Green Berets' parent command. Find out more
Dutch Intelligence Broke the Rules on Bulk Data - Including Hacked Leaks: Oversight found the AIVD and MIVD unlawfully processed bulk datasets on millions, some pulled straight from hacker leaks. Find out more
Lithuania Ordered to Pay for CIA Black-Site Detention: Strasbourg ruled Lithuania must compensate a detainee held at a secret CIA prison on its soil two decades ago. Find out more
SOCMINT
"Children for Sale on Vinted" - Anatomy of a Viral Trafficking Hoax: In June 2026, screenshots from Vinted (a Lithuania-based secondhand marketplace app) spread across X, TikTok, and German and French social media, showing plush toys priced at €4,000-30,000 with "age," "gender," and "size" fields — framed as coded child-trafficking ads. Snopes, fact-checker Mimikama, and Vinted found no evidence of trafficking; one viral "seller" of a €20,000 remote turned out to be a 17-year-old posing as a trafficker to "catch pedos." The panic echoes the debunked 2020 "Wayfairgate" hoax, and police in Frankfurt and Hesse now call the posts fakes, warning that resharing screenshots only hampers real moderation and investigations.

The Real Vinted Loophole - Vapes Disguised as Pens for Minors (PL): Separately from the hoax, a genuine grey-market trade runs on Polish Vinted: sellers list a cheap pen at an inflated price (€60-150), with the main photo showing a pen while later photos reveal a disposable vape. Codes like "30k" or "45k" signal puff counts, blurred photos dodge moderation, and buyers are typically minors. Remote e-cigarette sale is banned in Poland (fines up to 200,000 zł).
Meta & TikTok Pixels Harvest Payment-Page Data: A JScrambler report found Meta and TikTok tracking pixels exfiltrate sensitive data well beyond ad attribution, with Meta's "Automatic Events" capturing cardholder names and the last four card digits by default — sometimes before consent banners apply. Find out more
Surveillance
Leonardo's Seaspray Radar Chosen for Australian Border Surveillance: Leonardo's Seaspray AESA radar was selected for airborne ISR for Australia's Department of Home Affairs and Border Force, via Metrea. It detects tracks at hundreds of nautical miles, with a Small Target Mode for low-signature objects like small boats or people in the water. Find out more
Privacy
Proton Mail Now Sends and Receives Gmail Inside the App: Proton announced (May 28) that users can connect Gmail inside Proton Mail to import and receive new mail and send from their Gmail address, with trackers, ads, and spam stripped. Proton frames it as a transition tool, since Google can still read mail landing in the Gmail account. Find out more
Mullvad Co-Founder's Political Donation Sparks Privacy-Community Debate: Flamman reported (June 26) that Mullvad co-founder Daniel Berntsson personally donated ~5M SEK (~$500k) about 72% of its 2025 income to the populist Örebro Party, whose leader backs large-scale "remigration." Mullvad called it "a private matter, not part of Mullvad's mission." Find out more
AI
Anthropic Introduces Age Verification: Starting next month, some Claude users will have to provide a government-ID scan and a face image or recording, handled by Persona (the same vendor Discord dropped after user pushback). Changes take effect July 8. Find out more
Estonia to Issue IDs to AI Bots: The government will assign national personal ID numbers to AI agents that replace a human in official work, backed by PM Kristen Michal and the new Government AI Council. Find out more
OSINT Section
Tip - GitHub OPSEC Mistake by Threat Actors (via @0x6rss): When a threat actor uploads malware via the GitHub web interface, the commit author email may be tied to their account. Pull
GET /repos/<user>/<repo>/commits → commit.author.email, or append.patchto the commit URL and read theFrom:header — only works if "Keep my email addresses private" is disabled.

Tip - Fingerprint Threat-Actor Infrastructure by Favicon Hash: A favicon is the tiny icon a site loads in the browser tab. Attackers often reuse the same favicon across phishing pages and C2 panels, so hashing it lets you correlate related infrastructure in Shodan, pivot with
http.favicon.hash:<hash>to surface every host serving the same icon. Validate hits against SSL certs, headers, and titles, since some CMSs ship default favicons.
Tools
OpenCheck adds New Zealand Companies Office: OpenCheck now lets anyone run due-diligence checks on 4,000+ New Zealand entities holding a Legal Entity Identifier, showing linked individuals, historical timelines, and cross-entity flags free via the Beneficial Ownership Data Standard.
ThreatWhere: Threat-intelligence/geolocation tool.
Seerist: Threat-and-risk intelligence platform (access-restricted/paid).
Google Updates
Fake Google npm Account Spreads Credential Harvester - Also Targeted Claude Code: An npm account squatted the @withgoogle scope to impersonate Google's Stitch AI tool, publishing a credential harvester that collects secrets from git, GitHub CLI, SSH keys, npm, Docker and explicitly prioritized Claude Code as its first collector. Find out more
reCAPTCHA May Ask for Hand Gestures: Google introduced hand-gesture verification for reCAPTCHA, analyzing short videos of a user's hand and extracting 21 hand-knuckle coordinates. Google says the videos aren't tied to identity, no audio is recorded, and footage is deleted after verification. Find out more

shared.image.missing_image
Apple updates
Apple Brings Hide My Email and Sign in with Apple Under One Domain: Apple will unify the email domains used by Sign in with Apple and iCloud+ Hide My Email under a shared domain, private[.]icloud[.]com, later this summer. Some users criticized the change, worried websites could block registrations using the new Hide My Email domain. Find out more
Darkweb
"DaddyBiden" - Fake Adderall Laced with Meth, and the OSINT Trail That Cracked It: US investigators allege darknet vendor "DaddyBiden" ran ~4,600 sales on Abacus Market and TorZon selling "Pressed Adderall" that lab tests showed was meth; the DEA and USPIS linked defendant Peter Lam via postal surveillance, phone-location, and Apple/Google account data. Charges are unproven.
DarkForums Reclaims a Clearnet Domain: DarkForums which absorbed much of BreachForums' user base after its 2025 collapse announced it regained the clearnet domain darkforums[.]su, calling it the platform's original address. The .su domain actually went live in March 2026 during a migration to Russian ccTLDs, so this is recovery of one rotating domain, not the earliest one.
Upcoming CyberSec / OSINT Events
Free
Webinars Programme
CTI CON - Cyber Threat Intelligence Community: An invite-only, practitioner-led community for people in cyber threat intelligence to share research, compare methods, and learn from peers without vendor noise. One focused session each month, held under the Chatham House Rule, with no recordings or vendor pitches. Request invite
Cyber in Motion - OSINT Digital Hide-and-Seek: An online workshop and competition where participants build and solve their own OSINT challenges in teams. 23 July, 3:30-5:30am EDT (registrations close July 20). Find out more
Onsite
US OSINT Symposium: The inaugural US edition, building on the Australian OSINT Symposium. August 6, Washington, DC. Find out more
35th Annual AIPIO Intelligence Conference 2026: Australia's intelligence-profession conference. Aug 26-28, Melbourne, in-person. Find out more
CTFs
ATHENA CTF 2026: A 24-hour Jeopardy CTF spanning real-world challenges, solo or AI-assisted. Sat 18 – Sun 19 July (online). Find out more
‼ DIVER OSINT CTF 2026: Real-world, region-neutral OSINT challenges in English and Japanese (note: July this year, not June). Sat 25 – Sun 26 July (online). Find out more
Paid
FactFinder OSINT Summit (Gisela Perez de Acha & Haley Willis): Four sessions on war and conflict OSINT accountability in Ukraine, civilians in Gaza, cartels on social media, disinformation in Iran. $99. July 13-16. Register
Unmasking Bulletproof Hosting (ACS WA): An OSINT deep dive into tracing the ownership and networks behind "bulletproof" hosting providers, via a real-world case study. Tue 21 July, 5:30-7:30pm AWST, Victoria Park (Perth). Register
Digital Investigations Conference - Vienna: Computer-forensics, eDiscovery, and OSINT conference (keynotes + vendor sessions + Lab Track). Oct 15 (pre-conference training Oct 14), Arcotel, Vienna. Details
CFP
SANS DFIR Summit 2026 - Call for Presentations (extended): SANS is seeking talks on DFIR, threat hunting, and ransomware & cyber extortion research, tools, case studies, and lessons learned. The Summit runs 15-16 October in Arlington, VA. Submit by Monday, July 13, 5pm ET. Find out more
Found this helpful? Forward it to someone who’d enjoy it.

