VM#016

Hi Everyone,

I hope you're all having a great weekend!

This week, I attended the InCyber Forum 2025 in Lille, France, where I focused mainly on OSINT Day. It was a fantastic experience, and I must say, the French OSINT community is incredible 😍 and I know some of them are reading this newsletter. You can find more details below in the OSINT section.

I also have an exciting announcement: At the beginning of May, I'll be hosting my first open webinar, where we'll explore critical topics like common business mistakes & industrial espionage, sanctions evasion, and Russian disinformation. This is in partnership with the Canadian company KeyNorth Professional Services Group Inc.

The KeyNorth team has over a decade of wide-ranging experience dealing with complex and sensitive investigative matters and in providing solutions for law enforcement, corporations, the legal community, trustees in bankruptcy and government at all levels. They also offer comprehensive OSINT training for all skill levels and publish an OSINT newsletter.

The webinar will take place on May 8th, 2025, from 12:00 PM – 1:00 PM EST | 6:00 PM – 7:00 PM CET. Register: Link

Now, let's take a look at what has happened in the past weeks! This newsletter will be a bit longer than usual because there was so much interesting information to cover.

Cybersecurity News

  • For the past week or two, I've seen numerous posts on LinkedIn about how Polish people have spotted fake candidates during interviews, and I haven't seen any article about this issue yet.

    • The issue has been ongoing since around 2018 but became more intense in the second half of 2024, when North Korean IT workers, using fake identities, began securing remote jobs. As U.S. authorities increased their control over these activities, North Korean IT workers redirected their focus to European companies. These schemes have expanded globally, with a notable concentration on European companies after the U.S. crackdown. According to Google's security teams, at least 12 fake personas connected to the Pyongyang regime were identified targeting Europe's defense and government sectors. These workers use deceptive tactics, such as creating fake identities tailored for the European job market, and have become increasingly involved in extortion operations against larger organizations. DTEX also reports a rise in accidental hires of North Korean IT workers, with some gaining privileged access to sensitive corporate data and systems. The problem is much larger than people realize, primarily impacting large corporations with constant IT hiring needs or startups lacking proper hiring procedures and seeking cheap labor.

    • This phenomenon is on the rise, with LinkedIn posts from recruiters in the Polish market indicating that many candidates applying for remote developer roles, likely from China or North Korea, present strong resumes but raise suspicions during interviews. While their CVs list real companies and legitimate projects, they struggle with technical questions and provide vague or fabricated responses. For example, some candidates give fictional names for colleagues or supervisors, and one even left the meeting to check LinkedIn. When asked about professors or local areas, they quickly Google the answers. Red flags include delayed responses, suggesting they're searching online or using tools like ChatGPT, and signs of reading from a screen. In some cases, recruiters discovered that the face on the screen was an AI-generated deepfake.

      • There are reports of similar incidents happening in the Czech Republic, but due to the tight timeline for this issue, I haven't had enough time to explore it fully. However, if I receive any updates, I will share them.

Vulnerabilities & Exploits & Hacks

  • NFC Cloning Scams: The Russian bank VTB has warned users about NFC card-cloning spyware being installed on their devices and used to carry out fraudulent transactions. This scam is likely to spread to the EU and US in the coming months. Find out more. (.ru)

  • CS2 Phishing Campaigns: Silent Push has identified a phishing campaign targeting Counter-Strike 2 players and other video game users. Find out more.

  • Russian Broker seeks Telegram exploits for $4 million: A Russian zero-day broker is offering up to $4 million for Telegram exploits that would grant complete control over the app. Find out more.

Threat Hunting & Malware

  • Hunters International preparing to shut down: The ransomware group Hunters International is closing down its operation and transitioning to a new name, "World Leaks," focusing on extortion only, with a new tool for classifying stolen data. Find out more.

  • Australian Kaspersky ban triggered by detection in Gov Agency Supply Chain: The Australian federal government banned Kaspersky Lab software after detecting its use in the supply chain of one government agency. Find out more.

  • North Korea Cyber Offensive: North Korea has set up "Research Center 227" to develop AI-powered hacking tools aimed at neutralizing Western cybersecurity systems and stealing information. Find out more.

📰 Reports

  • [US] The Office of the Director of National Intelligence has published its Annual Threat Assessment (ATA) 2025.

  • CERT Poland has released its Annual Report 2024 (available in Polish).

Espionage & Counterintelligence

  • Greek Intelligence Service Expands Cybersecurity Team: Greece's National Intelligence Service (EYP) plans to recruit 310 new employees by 2025, including cybersecurity experts and field agents, as part of its modernization efforts, which also involve establishing an Intelligence and Counterintelligence Academy. The EYP has a controversial image in Greece because of the 2022 Predatorgate surveillance scandal. Find out more.

  • Italian Government denies illegal use of Spyware: Despite allegations of targeting journalists and activists with spyware, the Italian government maintains that its surveillance activities comply with legal standards. Find out more.

  • New Pegasus Spyware victims identified: The Balkan Investigative Reporting Network reveals that two Serbian journalists were targeted with Pegasus spyware last month, raising concerns about press freedom. Find out more.

  • Iranian Ships' possible Espionage mission in Antwerp: Investigations suggest that Iranian vessels may have docked in Antwerp as part of a covert espionage operation. Find out more (Follow the money).

  • Evidence of Russia's Secret nuclear base in Belarus: A seemingly innocuous photograph from September 2024 has emerged as evidence pointing to the existence of a secret Russian nuclear base in Belarus. Find out more.

Other notable events

  • Papua New Guinea blocks Facebook to curb Harmful Content: The Papua New Guinea government has temporarily blocked Facebook to fight misinformation, hate speech, and explicit content under the Anti-Terrorism Act 2024.

  • Local Language Disinformation amplifies authoritarian influence: Disinformation in local languages is being used to spread authoritarian influence, especially in Northern Nigeria, fueling political unrest and undermining trust in governance.

SOCMINT

  • Trump announced on Friday that he will again postpone enforcement of the TikTok sale-or-ban law for 75 days. The delay comes after Trump’s tariff announcement derailed a deal that had been set to transfer control of the app’s US operations to American ownership, a source familiar with the deal told CNN.

  • OSINT Canada's Facebook tool builds Google dork queries directly in the search engine, allowing you to gather information from Facebook.

OSINT

OSINT Day 2025

During the OSINT track at the forum, a range of interesting presentations were given, covering topics such as the complexities of forged documents, the role of OSINT in law enforcement, and the importance of OSINT in combating disinformation. Other topics included the application of OSINT in the pharmaceutical industry, investigations related to Russia, the Wagner Group, and Africa. Geospatial techniques related to the war in Ukraine, detecting AI-generated content, and OSINT opportunities in countering disinformation were also discussed. Most presentations were in French, with simultaneous translation available.

Among various presentations, there was also a GEOINT Challenge, prepared by Sofie Santos. My writeup.

Stephanie from OSINT-FR is seeking volunteers to collaborate on Europol's "Trace an Object" program – Stop Child Abuse. If you want to use your skills to make the world a better place, this is the perfect opportunity. The OSINT-FR team is French, but with AI translation tools, language shouldn't be a barrier to working effectively. You can join through their Discord server.

French OSINT communities

source: osint-fr

  • OSINT-FR is a global community dedicated to Open Source Intelligence (OSINT), bringing together enthusiasts and professionals from various backgrounds to share knowledge and collaborate on investigations. Founded in January 2019 by Hugo Benoist and Sylvain Hajri (Epieos), the group offers resources such as a Discord server, workshops, and meetings.

  • Projet FOX is a group focused on promoting intelligence techniques and their application to crises and armed conflicts. Founded in late 2020, the group operates a public Discord server where members can participate in investigations, share knowledge, and collaborate on OSINT-related projects.

  • Open Facto is a community focused on OSINT, geopolitics, and cybersecurity, providing a platform for members to discuss current events, share insights, and collaborate on research projects.

  • Osint4fun is a community dedicated to OSINT enthusiasts, offering a space to share knowledge, discuss techniques, and collaborate on various OSINT/GEOINT challenges and investigations.

  • Oscar Zulu is a group focused on OSINT and cybersecurity. They organise CTFs (see the previous one).

  • AEGE - Le réseau d'experts en intelligence économique is a professional network dedicated to economic intelligence, strategic analysis, and cybersecurity. It brings together over 3,500 members — alumni and students of the École de Guerre Économique — to exchange knowledge, collaborate on research, and advance expertise in fields such as OSINT, risk analysis, influence operations, and industrial security.

Google Updates

  • Android 16 introduces Advanced Protection Mode: Google's upcoming Android 16 will feature Advanced Protection Mode (AAPM), designed to enhance device security for high-risk users by consolidating multiple security settings into a single, user-friendly option.

  • Gmail adds End-to-End Encryption: Google is bringing end-to-end encryption to Gmail, allowing enterprise users (Google Workspace) to send encrypted emails without the need for additional software or certificate exchanges.

  • Sec-Gemini v1: Google has introduced Sec-Gemini v1, a new experimental AI model focused on advancing the cybersecurity AI frontier. Sec-Gemini v1 outperforms other models on key cybersecurity benchmarks as a result of its advanced integration of Google Threat Intelligence (GTI), OSV, and other key data sources.

Darknet

  • Global Crackdown on 'KidFlix' Child Exploitation platform: A coordinated international operation has dismantled 'KidFlix,' one of the largest dark web platforms for child sexual exploitation, which had amassed nearly 2 million users since its inception in 2021. The operation resulted in 79 arrests across 36 countries, including 16 in Spain, and led to the seizure of approximately 3,000 electronic devices. The platform hosted around 91,000 unique videos, totaling over 6,200 hours of content.

  • Biuro Informacji Kredytowej launches Darknet Monitoring: Since early April, Poland's BIK has offered a darknet monitoring service. If BIK detects a client's data on the darknet, the client immediately receives an SMS notification, enhancing protection against identity theft and fraud.

  • Bitcoin Returns to Darknet Marketplaces: Following Binance's delisting of Monero, many Darknet marketplaces are turning back to Bitcoin, despite its transparency issues and ease of tracking.

Upcoming CyberSec / OSINT Events

Free

  • OSINT Combine CTF Challenge - A Walk on the Wild Side
    Join the OSINT Combine’s Capture The Flag (CTF) challenge from April 1 to April 30, 2025. This event focuses on environment-themed challenges and aims to enhance skills in geolocation, SOCMINT, and environmental research.
    Join the challenge: Link

  • OSINT Webinar: Understanding the Efficacy of Using Breached Records, Infostealer Logs, Ransomware Leaks
    Aidan Raney (you may know him from his great OSINT tips posts) is hosting a webinar on April 9, 2025, at 12:00 PM MST. Register: Link

  • Live OSINT Webinar – Tracking FSB Operatives
    OSINT Industries’ webinar on April 9, 2025, will explore how Russian FSB operatives are tracked using real-world OSINT workflows. The event will take place at 3:00 PM UK / 10:00 AM EST via Zoom. Register: Link

  • Trace Labs Global OSINT Search Party CTF – 19th April 2025
    Join for $20: Link

🙃 Bonus

DFIR Report Seeking Volunteer Analysts: The DFIR Report is inviting applications for Volunteer Analysts to analyze simulated intrusion artifacts. Applicants should submit their analysis reports in PDF format by April 20, 2025. Dive into the details on their GitHub repository.

Their next Public Solo CTF is on June 7 from 16:30 to 20:30 UTC for $9.99 (check it here). You can choose between Splunk and Elastic. I took part in December 2024; it was very tough at first, but I learned a lot working with Splunk.