-
Hackread – Latest Cybersecurity, Tech, Crypto & Hacking News
-
Private Chats, Photos of Celebs Exposed in Suspected Stalkerware Leak
Private chats and photos of celebrities and influencers were exposed after a suspected stalkerware setup left a database open, revealing sensitive messages and files.
-
bellingcat

-
‘Snoopy’, ‘Adolf’ and ‘Password’: The Hungarian Government Passwords Exposed Online
Almost 800 Hungarian government email addresses and associated passwords are circulating online, revealing basic vulnerabilities in the security protocols of ministries involved in classified and sensitive work.
A Bellingcat analysis of breach data shows that 12 out of the government’s 13 ministries have been affected, which in some cases have exposed the confidential information of military personnel and civil servants posted abroad.
Among those affected were a senior military officer responsible for information security, a counter terrorism coordinator in the foreign affairs department, and an employee whose role was to identify hybrid threats against the country.
The revelations come as Hungarians head to the polls this Sunday to decide if Viktor Orbán, leader of the right-wing populist party Fidesz and the country’s longest-serving prime minister, will be elected to a fifth consecutive term.
This is not the first time that deficiencies in the Hungarian government’s IT security have been revealed. In 2022, ahead of Hungary’s last election, Direkt36 reported that Russia’s intelligence services had gained access to the computer network of the Hungarian foreign ministry, including its internal communications channels.
It said Russian cyber attacks against the Hungarian government had been occurring for at least a decade and extended to the foreign ministry’s encrypted network for transmitting classified data and confidential diplomatic documents.
At the time, the foreign ministry denied it had been hacked. But in 2024, news outlet 444 published a letter that had been sent from Hungary’s National Security Service to the foreign ministry six months before the cyberattack was first reported. The letter linked the attacks to Russia and described more than 4,000 workstations and 930 servers as “unreliable”.
As part of this new analysis, Bellingcat identified a total of 795 unique email and password combinations among thousands of search results for Hungarian government domains in breach databases. Key departments that handle the country’s governance, defence, foreign affairs and finances were the worst affected.
The analysis does not include central government agencies that operate under the government’s official ministries and use separate domains, such as the tax and customs administration or the police – meaning breaches affecting government employees could be even more widespread.
The findings are not evidence of high-tech infiltration of Hungarian government systems. Instead, our analysis indicates that the breaches are more likely the result of poor digital hygiene. In many cases, staff used simple passwords along with their government email addresses for what appear to be non-work-related matters, such as signing up to dating, music, sport and food websites.
Some government workers used easy-to-guess passwords such as variations of the word “Password” or the number sequence “1234567”. One employee whose credentials were exposed in the 2012 LinkedIn hack used the password “linkedinlinkedin”. Another, in the defence ministry, used their surname. One leaked password from an employee in the foreign affairs ministry was “embassy13hungary”.
Multiple breaches also contained phone numbers, addresses, dates of birth, usernames and IP addresses – data that, when exposed, could pose security risks.
Additionally, a search of breach databases showed instances where computers have been infected with malware designed to steal login credentials. These records show that 97 machines across Hungarian government departments had been compromised, with stealer logs from as recently as last month found in the data.
Bellingcat contacted the Hungarian government’s spokesperson and the Prime Minister’s office, but did not receive a response.
The Weakest Link: Searching Breach Data
Breach databases are large collections of credentials harvested from previous cyber incidents. These databases can be searched by domain to identify email addresses belonging to a specific organisation, company or government.

Bellingcat used Darkside, a paid service by District 4 Labs, to search the main email domains assigned to each of the Hungarian government’s 13 ministries.
In total, 795 breaches containing government emails and associated passwords were identified. But most – 641 breaches – were linked to just four central institutions.
In the examples detailed below, staff have been anonymised. However, Bellingcat has confirmed these accounts are genuine by cross-checking the employees named in the breaches against media reports and online profiles, such as LinkedIn.
Ministry of Interior – this “super-ministry” oversees everything from health and education to the police, immigration, disaster management and local government
Bellingcat identified 170 sets of emails and passwords linked to the domain used by the ministry in charge of domestic affairs. Passwords used by staff in this department included “Arsenal” and “Paprika”. Some used passwords that contained only three or four letters. We traced these accounts to professional profiles and government web pages listing both junior and senior staff.
One senior official in the prison service used the password “adolf”. After it appeared in breach databases the password was changed twice – first to a five-digit number and then to what appeared to be the name for a pet dog. The passwords were subsequently breached again. Bellingcat identified this employee through several instances of their name and email address being listed on public-facing documentation, including a press release celebrating an award for outstanding professional work.
Ministry of Defence – responsible for national defence policy and directing the country’s defence forces
The credentials of staff working for the Ministry of Defence were found in 120 compromised records. This includes a 2023 breach of NATO’s eLearning services which resulted in 42 records containing emails, passwords and phone numbers becoming public.
The breaches peaked in 2021 but continued up to 2026. Included in the data were stealer logs, indicating that machines within the department may have been infected.
Military personnel from junior ranks to command positions were identified. A Brigadier General used a common six-letter nickname, based on his own, to sign up to a film festival. A Colonel specialising in “information security” took inspiration from an English football manager for his password: “FrankLampard”. A district director used the password “123456aA”, while a high-ranking member of Hungary’s delegation to NATO used a password that translates in English to “cute”.
Ministry of Foreign Affairs and Trade – responsible for international relations; Hungarian embassies and consulates operate under the direction of the department
The credentials of current and former foreign affairs personnel have been exposed in dozens of data breaches from 2011 to February 2026. In total, there were 107 email and password combinations linked to this government ministry.
Among the staff affected was a deputy head of mission, consuls, diplomats and communications personnel posted in Europe, the Americas and the Middle East. These include a counter terrorism coordinator, an EU spokesperson, and an individual whose role was to identify hybrid threats to Hungary.
Although the breaches peaked in 2020, with emails being found in 42 separate breaches indexed by Darkside, MFA emails have been circulated, often with passwords, in 36 separate breaches since the beginning of 2024. The most recent breaches were in 2026.
Simple passwords appear to have left Hungary’s foreign affairs ministry vulnerable. In some cases, employees used a password that consisted of their own name and a two-digit number. Others appeared to take inspiration from pop culture: “porsche911”, “frogger” and “Batman2013” are examples of real passwords used by staff.
Ministry of National Economy – oversees economic policy and financial strategy, including budget preparation and reducing national debt
Bellingcat’s analysis shows that staff in the Ministry for National Economy suffered 99 breaches. The Ministry of Finance, which was merged into this department in 2025, had suffered 145 breaches.
Among the breached data were the credentials of a deputy state secretary, who used the password “snoopy”. Other staff members used their date of birth or the word “Jelszo” – the Hungarian word for password.
A senior advisor who currently works in the ministry had their credentials breached four times using four different passwords, including “Kurvaanyad1” (roughly translated to “your mother is a wh**e”).
Cybersecurity Not Taken Seriously
Szabolcs Dull, a political analyst and the former editor-in-chief of the independent Hungarian news websites Index and Telex, said the government had failed to prioritise data security.
“It’s clear from the data breaches that have come to light that government agencies did not take data security seriously,” he said.
“This suspicion arose even when Russian hackers breached the foreign ministry’s IT system. That is why I believe Hungarian politicians and the public will interpret this new information as a continuation and confirmation of the Russian hacking story.”
Dull added that he was not aware of any investigation having been launched following the 2022 revelations of the Russian hack.
Kata Kincső Bárdos, a cybersecurity expert in Hungary, said it was difficult to understand why stricter controls would not be consistently enforced in government environments handling sensitive data.
She said governments should not only apply baseline rules for passwords – such as that staff use long, unique passwords and multi-factor authentication (MFA) – but also continuously monitor for compromised credentials and suspicious access patterns.
“Without MFA, systems become significantly more vulnerable to common attack methods such as phishing and credential stuffing,” she said. “A single compromised password can provide immediate access to internal systems.”
Bárdos added that unauthorised access to government systems should automatically trigger incident response procedures, investigation and containment measures.
“It is also important to note that targeting lower-level employees is a well-documented and common tactic,” she said. “Attackers frequently gain initial access through phishing or weak credentials and then move laterally within systems.”
Bellingcat’s Ross Higgins and investigative journalist Eva Vajda contributed to this article.
-
Blog – Cyble

-
UK Businesses Are Being Targeted Through Their Middle East Supply Chains — What to Do Now
The conversation around cyber risk in the UK has shifted. It is no longer confined to domestic networks, internal systems, or even direct attacks on British infrastructure. The weak link sits thousands of miles away, embedded within third-party vendors, logistics partners, and digital dependencies across the Middle East. This growing exposure has created a new layer of Middle East supply chain risk, one that is proving difficult to monitor and even harder to control.
Recent warnings from the UK’s National Cyber Security Centre (NCSC) noted that organizations are not just facing isolated incidents, but a widening threat landscape where geopolitical tensions, hacktivism, and supply chain interdependencies intersect. The result is a sharp rise in UK business supply chain threats, particularly those that exploit indirect access points.
A Threat That Travels Through the Supply Chain
The most concerning aspect of today’s cyber environment is how attacks propagate. Threat actors are no longer required to breach a UK-based system directly. Instead, they can compromise a supplier, disrupt a regional service provider, or exploit a shared platform operating in the Middle East.
This is where the Middle East supply chain disruption in the UK becomes a critical concern. Organizations with operations, vendors, or infrastructure in the region are now exposed to “collateral cyber risk”: attacks that are not aimed at them specifically but still affect their operations.
At the same time, pro-Russian hacktivist groups have intensified their campaigns. Since March 2022, groups such as NoName057(16) have targeted NATO-aligned countries using distributed denial-of-service (DDoS) attacks. These attacks are not financially motivated; they are ideological, designed to disrupt services and undermine confidence.
Their methods are not highly technical but are highly effective at scale. By leveraging publicly distributed tools and coordinating through online communities, they can overwhelm services, take down websites, and degrade operational systems. This pattern has already contributed to a rise in supply chain cyberattack scenarios in the UK, where disruption spreads across interconnected systems.
Why the Middle East Supply Chain Risk Matters More Than Ever
While the direct cyber threat from nation-states like Iran to the UK remains under constant assessment, the indirect risk is already evident. The ongoing instability in the Middle East has increased the likelihood of cyber spillover, where regional conflicts trigger digital consequences beyond their borders.
For UK organizations, this translates into heightened UK supply chain security risks, particularly in sectors reliant on international logistics, energy infrastructure, or outsourced technology services. The issue is not just connectivity; it is dependency. Many UK businesses rely on third-party providers for critical operations, from cloud hosting to industrial control systems.
If those providers are affected by cyber incidents or operational disruptions in the Middle East, the downstream impact can be immediate.
The Evolution of Attack Tactics
Modern attacks are evolving in both intent and execution. Traditional cybercrime focused on financial gain: ransomware, fraud, and data theft. Today’s threat actors are driven by political alignment, using disruption as a weapon.
DDoS attacks, in particular, have become a preferred tactic. They are relatively easy to execute, difficult to attribute, and capable of causing significant operational damage. The NCSC has repeatedly warned that UK organizations must strengthen their defenses against these attacks, especially as they become more frequent and coordinated.
What makes this more complex is the growing overlap between IT and operational technology (OT). Many attacks now target systems that control physical processes: energy grids, transport networks, and manufacturing systems. This convergence expands the potential impact of a successful breach.
Building Resilience Against Distributed Threats
Addressing Middle East supply chain risk requires more than perimeter security. It demands a shift in how organizations think about resilience.
- Understand the Full Service Chain: Every service has multiple pressure points where resources can be exhausted. Organizations need to map these dependencies, both internal and external, and identify where attacks are most likely to occur.
- Strengthen Upstream Defenses: Internet service providers and third-party platforms play a crucial role in mitigating attacks before they reach core systems. Businesses should evaluate what protections are already in place and where additional safeguards, such as content delivery networks or dedicated DDoS mitigation services, are needed.
- Design for Scalability: Systems must be able to absorb unexpected surges in traffic. Cloud-native architectures offer a clear advantage here, allowing dynamic scaling during an attack. However, even private infrastructure can be adapted with sufficient planning and spare capacity.
- Plan for Degraded Operations: No system is immune. The goal should not be absolute prevention, but controlled failure. Services should be able to continue operating at reduced capacity, maintaining critical functionality even during an attack.
The Role of Monitoring and Threat Intelligence
Improved visibility is essential in tackling UK business supply chain threats. Increased monitoring, however, comes with its own challenges: more alerts, more noise, and greater demands on security teams.
Organizations are being encouraged to adopt proactive threat hunting, rather than relying solely on automated detection. This includes:
- Analyzing log data to identify anomalies.
- Monitoring traffic patterns across both cloud and on-premises systems.
- Using external attack surface management tools to uncover vulnerabilities.
- Simulating attacks to test detection and response capabilities.
For operational technology (OT) environments, this level of monitoring becomes even more important. Unlike traditional IT systems, OT networks tend to operate with highly predictable traffic patterns. Even minor deviations can indicate a potential compromise, especially in a UK supply chain cyberattack scenario where attackers exploit trusted connections.
To operationalize this level of visibility at scale, organizations are turning to platforms like Cyble, which combine threat intelligence with real-time monitoring. By correlating external threat signals, such as dark web activity, emerging vulnerabilities, and attacker infrastructure, with internal telemetry, such platforms help security teams prioritize what matters.
This is particularly valuable when dealing with Middle East supply chain disruption in the UK, where early indicators often surface outside traditional security boundaries. As UK supply chain security risks continue to expand, organizations need more than visibility; they need context, speed, and the ability to act decisively. Platforms like Cyble are designed to bridge that gap, enabling teams to detect, correlate, and respond to threats before they cascade across the supply chain.
-
Hackread – Latest Cybersecurity, Tech, Crypto & Hacking News
-
ShinyHunters Claims 350GB Data Breach at European Commission
ShinyHunters claims it breached European Commission systems, leaking 350GB of data. Officials are investigating, with no independent verification yet.
-
bellingcat

-
AI Used to Promote Non-Existent Evacuation Flights From the Middle East
The Netherlands’ largest newspaper, De Telegraaf, recently published an interview with a woman claiming to organise her own evacuation flights from Dubai, selling seats at €1,600 (US$ 1850) each. Four days later, her photo was removed from the article, though the interview remained.
Bellingcat has found that the original image not only includes artefacts commonly associated with generative AI, but that the flights referenced in the article do not appear to exist.
The story came at a time when thousands of Dutch people were reportedly seeking urgent ways to leave the region following Iranian missile and drone strikes across the Gulf in retaliation for US-Israeli strikes.
Published on De Telegraaf’s website on March 5, the headline reads: “Dutch people in the Middle East feel abandoned by the government: We just rented a plane ourselves.”
The Dutch minister of foreign affairs was confronted with this headline during a television interview, in which he described ongoing efforts by the Dutch government to repatriate citizens to the Netherlands.
The article features interviews with several Dutch people struggling to leave Dubai and Abu Dhabi, including Tamara Harema. Under the subheading “Dutch people hire their own plane”, Harema says she was “rebooked five times by Emirates” and that the official repatriation flights organised by the Dutch government were not ‘taking off’.
As part of a group, she says, they are organising buses and have hired an Airbus A321 to fly home. Harema is quoted as saying: “The first plane is already full, so we’re organising a second flight. Stranded travellers can contact us.”
However, several discrepancies in Harema’s photo, published in the original article, suggest it was AI-generated. No trace of a person matching Harema’s face or profile could be found, and flight-tracking data suggests no such plane took off.
The Photo
In the image below, the world’s tallest structure, Burj Khalifa, can be seen through the window overlooking the Dubai skyline. Each side of the tower is unique, with platforms that protrude at different heights and in different directions. It also contains several mechanical floors, which appear as dark bands in the photo.

By cross-checking the height of the visible platforms together with the location of the mechanical floors, it’s possible to determine that Harema’s hotel room faces north-west, towards the Burj Khalifa’s south-east-facing facade.

Several discrepancies are visible when comparing Harema’s photo with other images of the building, including an upper mechanical floor appearing higher than in other images and the absence of the water feature at the base of the building.

To establish whether Harema’s photo could have been taken several years earlier, Google Street View imagery was analysed from 2013 onwards. No match could be found when comparing the arrangement of buildings at the base of the Burj Khalifa.

Several other irregularities, as shown below, including the hotel room furniture and details of Harema’s clothing and jewellery, also suggest it may have been AI-generated.

Fully Booked Airbus A321
Regarding whether the plane existed, Harema says in her interview that buses have already been arranged to collect passengers from two locations in Dubai on Saturday, March 7, after which a 232-seater Airbus A321 will depart from Muscat, Oman, for the Netherlands.
The article notes the cost is €1,600 (US$ 1850) per person, without detours. “Although we read that a Dutch repatriation flight costs €600, just try getting on such a flight,” says Harema.
According to Flightradar24, multiple A321s departed Muscat on March 7 and 8, but none bound for the Netherlands. The only aircraft that did arrive in Amsterdam from Muscat were either government-organised repatriation flights or scheduled Oman Air services, none of which were Airbus A321s.
Two Airbus A321s were recorded on the ground at Muscat Airport on March 7. One, belonging to Gulf Air, later departed for Rome via Riyadh on March 8. The other, operated by SalamAir, had been flying routes between Oman and Bangladesh until March 3, but has since remained in Muscat.

After contacting De Telegraaf, an explanation for the photo’s removal was added at the bottom of the article, stating that the photo did “likely not meet our journalistic guidelines.”
The newspaper’s deputy editor-in-chief, Joost de Haas, added:
“Regarding the quoted Tamara Harema, the editors contacted her after Mr. Chizki Loonstein—a long-standing source for one of our reporters—informed us about attempts to charter a plane. Mr Loonstein informed us that Ms Harema stayed in Dubai and could tell us more about it. This led to messages from which several quotes from Harema were extracted, as reproduced in the relevant passage of the article.”
A search for Loonstein led to a six-month-old report from another Dutch newspaper, NRC, which claimed that Loonstein, a lawyer, emigrated to Dubai after his legal company went bankrupt, leaving his clients, victims of fraud, worse off.
Contacted for comment, Loonstein confirmed that he knew Harema and had shared her contact details in “an app group” in relation to a flight from Muscat to Amsterdam. After this contact, Bellingcat sent him the photo of Harema to confirm her identity and asked him to share Harema’s contact details. In response, Loonstein refused to provide further comment.
Merel Zoet and Claire Press contributed to this report.
-
Graham Cluley
-
Smashing Security podcast #456: How to lose friends and DDoS people
When the mysterious operator of an internet archiving-service decided to silence a curious Finnish blogger, they didn’t just send a stroppy email - they allegedly weaponised their own CAPTCHA page to launch a DDoS attack, threatened to invent an entirely new genre of AI porn, and tampered with parts of their own archive to smear the blogger's name. In this episode, we unravel how a website designed to preserve history may have trashed its own credibility - and how Wikipedia responded when tru
-
bellingcat

-
How Russia’s War Has Devastated Civilian Life in Ukraine
In the tiny town of Krasnopillia in rural Ukraine, the stillness of the night is shattered by the whine of a Russian drone. Seconds later, a community hospital bursts into flames. Sparks and debris rain down across the skeletons of trees as the fire sends plumes of smoke into the pitch-black sky.
Dozens of people are evacuated, according to local media reports – but as rescuers respond, in what appears to be a double-tap strike, Russian forces hit a shelter where more than 20 patients are huddled, including some with limited mobility.
The strike in March 2025 comes just hours after a larger regional hospital in the northeastern Sumy governorate is targeted, decimating the primary health facilities serving the small town of Krasnopillia, whose prewar population was around 7,700. Healthcare services for the town “practically ceased” in the wake of the strikes, Olena Pryima, a local school director, told Bellingcat in a phone interview.
“[The Russians] destroy the infrastructure so that people do not have the opportunity to live and exist normally. You cannot consult a doctor, nothing,” she said. “And now these people who remain, God forbid, the ambulance will not go there, just because the security situation does not allow it.”

Her own school was among the many buildings destroyed in Russian strikes, and she says it has been impossible to rebuild amid the ongoing war. “We try to heat some accommodations, in spite of everything … especially since this winter is very difficult,” Pryima said. “But we are not talking about rebuilding at all now. We have hope; we are collecting some documents [such as testimonies and damage assessments], since this will end someday – and then we can rebuild something.”
For the past four years, Bellingcat has been documenting and verifying incidents such as these, chronicling the extensive damage to civilian life and infrastructure after the onset of Russia’s full invasion which began in February 2022.
In over 2,500 cases of civilian harm that we have verified – the vast majority of which occurred on Ukrainian territory, although dozens also took place in Russia – more than 1,100 residential structures were hit. Hundreds of other civilian sites such as schools, playgrounds, fire stations, hospitals, churches, cultural centres, museums, businesses and farms have been impacted too.
Our data – which includes cases that Bellingcat researchers were able to definitively geolocate using open source evidence, and does not reflect the full extent of civilian harm across Ukraine – pinpoints more than 300 attacks on schools or childcare facilities, 170 hits on healthcare or humanitarian sites, and four dozen incidents targeting food and related infrastructure.
While many attacks were clustered around four main cities – Kharkiv, Donetsk, Kherson and Kyiv – we documented strikes across all areas of the country. Of the weapons that could be identified through available open source information, cluster munitions were used in more than 100 cases.
Cluster munitions, which are banned in more than 100 countries (but not Russia or Ukraine), have killed more than 1,200 people since the war began, with Ukraine recording the highest number of annual casualties worldwide from these weapons in 2024 for the third consecutive year, according to the Landmine and Cluster Munition Monitor.
Bellingcat and members of its volunteer community logged all verified incidents of civilian harm on an interactive TimeMap over a four-year period spanning February 2022 to December 2025. The map is no longer being updated, but it remains online as an archive (and can be seen below).
An interactive map detailing incidents of civilian harm between February 2022 and December 2025.
Since Russia’s invasion four years ago, the civilian toll in Ukraine has been stark, with around 15,000 killed – including more than 750 children – and 40,600 injured, according to a January 2026 report by the Office of the United Nations High Commissioner for Human Rights.
An analysis last year by Armed Conflict Location and Event Data (ACLED) found that Russia followed “a persistent pattern of targeting of populated areas … often indiscriminate, other times more deliberate”.
ACLED’s data for the period of February 2022 to late January 2026 highlights thousands of residential strikes across Ukraine, along with more than 750 attacks on healthcare facilities, 1,200 on educational sites, and 2,400 on energy infrastructure. A February 2025 World Bank report says it will take more than US$500bn to rebuild Ukraine.
These numbers tell only part of the story. While much global media attention has focused on the politics of the Russia-Ukraine war, or highlighted strikes on large urban centres, civilians in remote rural villages have suffered outsized impacts from the destruction of schools, hospitals and cultural institutions – the key threads tying their communities together.
In Verkhna Syrovatka, a small village in Sumy of around 3,800 people, images from the scene of shelling in May 2025 revealed a massive hole in the community’s blue-roofed cultural house. Inside the facility, which once served as a place for rehearsals, children’s classes and folk ensembles, photographs and trophies could be seen amid piles of splintered wood and cracked concrete.
The village’s only school was also impacted, with many of its windows blown out, forcing classes to move online. This devastation reflects a countrywide trend, as UNICEF reports that Ukrainian children are falling behind in core subjects such as reading, maths and science.
Incidents of civilian harm recorded by Bellingcat in Verkhna Syrovatka.
Further south, the village of Opytne in the Donetsk region is gradually being erased, amid a series of Russian attacks dating back more than a decade to the 2014 occupation of the Crimean Peninsula.
The village has changed hands repeatedly in recent years. In December 2022, drone footage revealed large-scale destruction of its residential area, including a medical office, music school and church. According to media reports, perhaps only half a dozen residents remain out of more than 1,000 who lived in the village a decade ago.
Image left shows the village of Opytne in 2021, before Russia’s full invasion (Credit: Airbus/Google Earth Pro). Image right shows the village of Opytne in 2024 (Credit: Maxar/Google Earth Pro).
A couple of months later, in February 2023 in Dvorichna, a rural settlement in the Kharkiv region, Russian forces launched another double-tap strike: as first responders searched for survivors from an earlier attack on the village council building, several emergency vehicles were hit.
Located just south of the Russian border, Dvorichna has been occupied on and off since 2022. As a result, the village, whose population was roughly 3,500 four years ago, is estimated to house only 80 residents today.
Across Ukraine, the catalogue of horrors is endless. In Pravdyne, a small village in the Kherson region, the prewar population of more than 1,000 people was reported to have dwindled to fewer than 200 by late 2022. Corpses showing signs of torture have been exhumed from garden beds; in one case, residents reportedly buried the bodies of Ukrainian soldiers under slabs of slate to prevent dogs from reaching them.
Incidents of civilian harm recorded by Bellingcat in Pravdyne.
In Sumy Oblast, Russian drone and missile attacks have forced residents to flee homes they inhabited for half a century. In the village of Hroza in northeastern Ukraine, one-fifth of the population died in a single attack while attending the funeral of a soldier, according to local officials.
What may never be calculated are the impacts this brutal conflict will have on future generations.
Incidents of civilian harm recorded by Bellingcat in Hroza.
Back in Krasnopillia, the local school director, Pryima, says residents have tried hard to stay in what she calls “the zone of resilience”, but it has been a struggle.
“It’s very scary to fall asleep, because you don’t know if you’ll wake up in the morning,” she said, noting that residents live in constant fear of the drones that fly overhead, keenly aware that a bomb may drop at any moment.
For Ukrainian children, the effects have been especially dire.
“Those children, before the full-scale invasion, were carefree, cheerful – what children should be,” Pryima said. “Those children are no longer there.”
The post How Russia’s War Has Devastated Civilian Life in Ukraine appeared first on bellingcat.
-
Security | TechRepublic
-
European Officials Warn of Russian Satellites Intercepting Communications
Russian Luch “inspector” satellites are suspected of shadowing European GEO spacecraft, raising fears of interception, jamming, and orbital risk. The post European Officials Warn of Russian Satellites Intercepting Communications appeared first on TechRepublic.
-
Security | TechRepublic
-
EU’s New Cybersecurity Act Could Ban High-Risk Suppliers
This sweeping update introduces measures to identify and potentially exclude "high-risk" third countries and companies across 18 essential sectors. The post EU’s New Cybersecurity Act Could Ban High-Risk Suppliers appeared first on TechRepublic.
-
Data and computer security | The Guardian

-
‘All brakes are off’: Russia’s attempt to rein in illicit market for leaked data backfires
Russian state has tolerated parallel probiv market for its convenience but now Ukrainian spies are exploiting it
Russia is scrambling to rein in the country’s sprawling illicit market for leaked personal data, a shadowy ecosystem long exploited by investigative journalists, police and criminal groups.
For more than a decade, Russia’s so-called probiv market – a term derived from the verb “to pierce” or “to punch into a search bar” – has operated as a parallel information economy built on a network of corrupt officials, traffic police, bank employees and low-level security staff willing to sell access to restricted government or corporate databases.
© Photograph: Alexander Zemlianichenko/AP

-
ASEC BLOG
-
Ransom & Dark Web Issues Week 4, December 2025
ASEC Blog publishes Ransom & Dark Web Issues Week 4, December 2025. Denmark points to Russia-linked actors as behind destructive attacks on water facilities and large-scale pre- and post-election DDoS campaigns. Customer data of a Japanese automaker leaked following a breach at a U.S. software provider involved as a partner […]
-
bellingcat

-
How Russia’s Invasion is Impacting Ukraine’s Youth
Last month, in the dead of a cold Autumn night, residents in the Ukrainian town of Balakliia were woken by the sound of two massive explosions.
Social media footage showed apartments ablaze, balconies obliterated and a deep crater smouldering in a parking lot.
Three people were killed and 13 injured in the November 17 attack, Ukraine’s State Emergency Services (SES) said. Four of those injured were children, the SES added. A kindergarten, situated just over a hundred metres from one of the impact sites, was also reported to have suffered damage.
Since the beginning of the full-scale invasion of Ukraine, schools, educational facilities and spaces used by children have repeatedly been damaged in strikes or closed because of them.
According to the United Nations agency for children, UNICEF, many schools remain closed or continue to be disrupted by air raid alarms. Almost one million children have also been forced to study online, UNICEF states.
Balakliia lies in Kharkiv Oblast in the north east of Ukraine. Another Russian strike carried out there earlier in November caused damage near the town’s main square. Located just over 100 metres away was a high school and not far from that a local theatre school. While neither of those facilities appeared to be directly damaged, many other educational institutions have not been so lucky.
Educational Facilities in the Firing Line
A Ukrainian government website (saveschools.in.ua) has been tracking the number of kindergartens, high schools, colleges and universities that have been damaged and destroyed across the country.
At the time of publication, 3,676 educational facilities have been damaged nationwide and 394 destroyed, according to saveschools.in.ua.
These trends are reflected in social media data collected by Bellingcat.
Since the start of Russia’s full-scale invasion, Bellingcat has been gathering and verifying social media footage showing incidents of civilian harm.
More than 2,500 incidents have been identified during this period, including attacks on hospitals, power stations, residential buildings and cultural sites. The full dataset is public and can be found here. But this is likely just a fraction of the damage caused across Ukraine as the data only captures incidents recorded and published on social media channels that have been verified.
Amongst this dataset are more than 200 cases of educational facilities that have been damaged or destroyed.
In September this year, for example, social media footage captured the moment a Russian drone hit an administrative building at Kharkiv’s National University of Pharmacy.
As far back as July 2022, a school for the visually impaired in eastern Kharkiv was hit by Russian rockets, leaving windows smashed and classrooms burned out.
Just a few months before that, footage posted online appeared to show the remains of a missile that hit a school in the town of Merefa, situated around 30 kilometres to the southeast of Kharkiv.
Kharkiv’s Youth Bears Burden
More educational facilities have been damaged or destroyed in Kharkiv Oblast than in any other territory currently held by Ukraine, according to Bellingcat’s dataset and saveschools.in.ua statistics.
In Kharkiv city and its surrounding areas, Bellingcat found and archived footage of at least 26 schools, kindergartens, colleges or universities that have been damaged and destroyed since Russia’s full-scale invasion. A further 36 strikes that impacted areas around educational facilities in Kharkiv but did not directly hit them were also verified and archived by Bellingcat.

Sustained attacks on educational facilities as well as widespread disruption to studies caused by the war are having a lasting impact on Ukraine’s young people, children’s rights groups say.
A report from Save the Children earlier this year detailed how attacks on educational facilities had doubled in Ukraine over the course of 2024. The same report found that parents were scared to send their children to school and that many children were being forced to resort to online learning at home.
A 2024 report from UNICEF has found Ukrainian children are falling behind children in other countries across multiple subjects, including reading, maths and science.
In Balakliia, journalists from Agence France-Presse (AFP) bureaus in Paris and Kharkiv spoke to teenage student Bohdan Levchykov who said he studies at home and seldom leaves the house. Levchykov also spoke about the impact of losing his father in the early months of the war.
About an hour’s drive to the northwest, in the town of Khorocheve, a psychologist with the non-profit Voices of Children, Maryna Dudbyk, told AFP that the ongoing war means that everyone is living under stress.
“This has a huge impact on children’s emotional state,” she said.
“We diagnose a lot of fear and anxiety among children. Adolescents suffer from self-harm, suicidal thoughts, and the loss of loved ones.”
Beyond Schools
Other facilities, beyond schools, regularly enjoyed by children have also been impacted by the war, compounding the challenges young people face.
Bellingcat’s dataset found 28 incidents where swimming pools, parks, football pitches, bowling alleys or museums had been impacted in and around Kharkiv. A further 16 incidents were recorded in areas surrounding such facilities. The below interactive shows (in red) incidents where educational or recreational facilities used by young people have been impacted by Russian strikes in and around Kharkiv. The other markers in the map (in purple) detail additional civilian harm incidents Bellingcat has been able to verify. A wider dataset showing incidents that have impacted areas surrounding educational and recreational facilities can be found here.
One video from March this year showed young men playing football scrambling for cover as a drone can be heard overhead before an explosion can be seen.
Although Ukraine’s policymakers are facing many challenges as Russia’s invasion of Ukraine approaches its fifth year, the mental health of the country’s youth is on their minds.
Oksana Zbitnieva, head of the Interministerial Coordination Center for Mental Health, told AFP that “130,000 frontline health professionals—nurses, pediatricians, family doctors—have received certified training as part of a WHO mental health program.”
Meanwhile, more than 300 “resilience centres” welcome children and parents across the country, with three hundred more expected to be built next year, according to Ukrainian Social Affairs Minister Denys Uliutine.
New concepts are also being tested and tried.

In Kharkiv, underground schools – located beneath the streets of the city – are being set up to help bring children back into the classroom.
City authorities told AFP there would be 10 underground schools operational by the end of 2025.
At a school visited by AFP, a rotating system allows it to continue offering children in-person education, even if only for a limited time, each week. The school enables every child to attend half a day of their class in-person each week. When the child returns home they continue their education via remote classes, while another student comes into school for their half day spot. This allows the school to accommodate 1,400 children, including on weekends.
Yet recent events in Kharkiv highlight that normal life is far from returning, despite recent peace efforts.
At the end of October, a kindergarten in the west of the city was struck by a Russian drone.
Footage from the scene showed panicked parents and disoriented children being carried away by emergency workers as smoke billowed from the kindergarten.
Despite the scale of the destruction visible in social media footage, only one person (an adult male) was reported to have died during this strike.
For many youngsters in Ukraine, there may be no reclaiming the childhood that war has taken from them.
But Bohdan Levchykov in Balakliia believes there are still things to look forward to.
He told AFP about the friends he had made online – including one named Lana who lives more than 400km away in the city of Dnipro – and his hopes of meeting them in real life one day.
“I’ve talked about it with my mother,” he told AFP.
“Maybe our parents can arrange something for us to meet,” he said hopefully.
Eoghan Macguire, Youri van der Weide and Logan Williams contributed to this report for Bellingcat as did Stéphanie Ladel and Olivia Gresham from Bellingcat’s Volunteer Community.
Boris Bachorz reported and conducted interviews for AFP with the help of Natalia Yermak.
A version of this story can be found on the website of the Central European Digital Media Observatory (CEDMO).
The post How Russia’s Invasion is Impacting Ukraine’s Youth appeared first on bellingcat.
-
bellingcat

-
Profiting From Exploitation: How We Found the Man Behind Two Deepfake Porn Sites
Content warning: This article contains descriptions of non-consensual sexual imagery.
Depending on which of his social media profiles you were looking at, Mark Resan was either a marketing lead at Google or working for a dental implant company, a human resources company and a business software firm – all at the same time.

But a Bellingcat investigation has found that the Hungarian national is the key figure behind, and the likely owner of, at least two deepfake porn websites – RefacePorn and DeepfakePorn – that until recently were selling paid subscriptions.
There is no question about the nature of these websites. RefacePorn’s landing page shows an explicit video of a woman performing a sexual act. As the video plays, her face is replaced with a variety of other women’s faces. The text above declares: “Face swap deepfake porn. Upload your face!”
Deepfake porn sites such as these, which use artificial intelligence to create sexually explicit images and videos – usually without the consent of those whose faces or bodies are featured – have proliferated at an alarming rate in recent years. The impact on victims has been described as “life-shattering”, with the mental health effects similar to those reported by victims of sexual assault.
While the technology to make these synthetic images is not new, the rise of mainstream AI image generator tools and “Nudify” apps has made it more widely available to people without deep technical expertise. Earlier this year, New Zealand MP Laura McClure held up an AI-generated nude of herself in parliament, describing how it took her less than five minutes to create after a quick Google search.
A 2024 study by the My Image My Choice campaign found that there was a 1,780 percent increase in sexually explicit deepfakes last year compared to 2019. Almost all (99 percent) of victims were women, according to a 2023 study by Security Hero.

The creation of such images and videos is now illegal in a few countries, including the US and the UK, but legislation has not caught up in many others, and the owners of platforms that enable this content often face no repercussions. In May 2024, the EU passed a directive which mandates that member states – including Hungary, where Resan resides – criminalise the creation and distribution of non-consensual sexual deepfakes by June 2027.
Alexios Mantzarlis, co-founder of Indicator, a news site that focuses on digital deception, said his publication estimates that deepfake porn sites likely make millions of dollars a year.
“The incentive system will continue to exist until the tools become too toxic to handle for domain hosts and content delivery networks,” added Mantzarlis, who is also the director of the Security, Trust and Safety Initiative at Cornell Tech.
All Roads Lead to Resan
Bellingcat’s investigation into RefacePorn and DeepfakePorn – which spanned corporate registries, domain name registrations, payment redirect sites, website code and leaked data – led us back to Resan.
By simulating the purchase of subscriptions on these websites, Bellingcat was led through a series of redirects to a payments dashboard by Peerwallet, a payment processor that recorded more than US$331,000 in sales from July 2024 to August 2025 by Dorocron LLP. Dorocron is a Canadian-registered company whose main – if not sole – source of income appeared to be from paid subscriptions to these sites. The real amount is likely higher, as this was just one of several payment processors the websites have used.
Dorocron LLP did not respond to multiple requests for comment via email, and calls to the number listed on sites that had the company’s details in their legal information sections went unanswered.
Resan is the only person who appears to have been publicly associated with Dorocron LLP, and he is also the sole director of a UK-registered company, Facitic Ltd, that registered the domain of RefacePorn. Resan did not respond to multiple requests for comment sent via email over the past two weeks. Multiple emails and phone calls to Facitic Ltd also went unanswered.
However, days after we first reached out to Resan, his LinkedIn and X profiles were deleted, and his previously public Facebook profile was either deleted or made private. Both RefacePorn and DeepfakePorn also became inaccessible, displaying an error message that said “this site can’t be reached”.
Archives of RefacePorn and DeepfakePorn, which were previously available on the Internet Archive’s Wayback Machine, have also now been excluded from the archive. The Internet Archive told Bellingcat it processed exclusion requests submitted by someone with rights to both sites on Dec. 5.
Following the Money
Like other websites Bellingcat has investigated, RefacePorn’s ownership was hidden behind a network of website domains, fake websites used to redirect payments, and international business registries.
Using the tool DNSlytics, we examined the Google tag history on RefacePorn and found a tag that was also used on DeepfakePorn, as well as a website called facitic.com.
Google Analytics tags are small pieces of unique code that developers can place in the backend of a website to track its analytics. Each code is unique to a specific user, who can use the same tag across multiple websites.
Both RefacePorn and DeepfakePorn offer tiered subscription packages with similar names and prices based on the number of deepfakes that could be generated and the level of support.
When simulating a purchase of one of these packages – without actually completing payment – on DeepfakePorn, we received a link to make a payment hosted through the domain “remakerai.me”. Similarly, a mock purchase on RefacePorn pointed us to a payment link on “airemaker.me”. Bellingcat has observed the use of redirects, which can be used to obscure payments, by other deepfake porn sites. Many payment processors, including Paypal and Stripe, have restrictions on buying or selling sexually oriented online content.
Payment processors often block payments that come from websites making deepfake pornography.
Using a redirect site hides the original site from the payment processor, making it harder to block.
Despite this, payment processors sometimes manage to block the redirect site.
But if one redirect site is blocked, the site owner can quickly switch to another redirect site that isn’t blocked.
Graphic: Galen Reich
The redirected payment links hosted on airemaker.me and remakerai.me offered several payment options including Paypal, credit cards and cryptocurrencies. Bellingcat selected the credit card option, and in both cases was emailed a link to complete the purchase on a payment platform called Peerwallet. This email included a link to the seller’s profile, Dorocron LLP.
This profile showed the funds received by the seller, which totalled more than $331,000 as of August 2025. This income was related to 16,264 sales. According to this dashboard, Dorocron LLP had been a member of Peerwallet since July 22, 2024, meaning these sales all occurred over the past year.

RefacePorn has been active since at least May 2022, according to promotional posts by an Instagram account with the username “Dorocron2323” and the account name “Hassler Mark”. Social media accounts for RefacePorn were also created on X and Facebook in May 2022.

While the transactions on Peerwallet were not broken down by domain, two were the payment redirect sites for the deepfake porn sites we investigated. Bellingcat’s review of the 21 “approved domains” listed on this profile found no evidence that payments were ever accepted through the other sites.
Short-lived, “disposable” domains are known to be used by bad actors to evade detection, presenting a moving target for payment processors and authorities. As of publication, both airemaker.me and remakerai.me are no longer accessible. But in the course of the investigation, we observed RefacePorn and DeepfakePorn’s payment links redirecting to other third-party sites, before the sites went offline.

Of the 21 domains on Dorocron LLP’s Peerwallet profile, only two were still accessible as of the end of November, with the rest either down due to expired domains or server issues, displaying generic domain parking pages, or requiring a login to view. Though almost all of the sites had their registration information redacted, Resan was listed as the most recent registrant for one of the expired domains.
The two sites still accessible listed a variety of products, including eBooks and digital products. Both had almost identical products and templates, and listed Dorocron LLP under their company information in their footers.
Bellingcat tried to check out items on each of the sites, and in both cases was prompted to log in. It was, however, impossible to register an account, and when we tried with an active email address we were redirected to a login page saying that the email address was “unknown”.
Archived screengrabs of some of the sites that now have expired domains or require a login to view showed that many of them followed the same format, selling eBooks and video courses with “resell rights”.
Peerwallet told Bellingcat in September that Dorocron LLP was “not approved” to sell deepfake porn, and that it was looking into the issue. However, when Bellingcat asked for an update in November, Peerwallet appeared to have closed down. Emails to the payment processor’s founder have also gone unanswered.
The Man Behind the Screen
Dorocron LLP was registered in British Columbia, Canada in March 2022. We were unable to verify if Resan’s name was on the corporate records as information on company owners or directors in British Columbia is restricted to law enforcement and other officials.
However, Resan’s name has been used to register at least 13 sites alongside an email bearing Dorocron’s name from as far back as 2013, nine years before Dorocron was registered in Canada. The earliest domain registration, from 2013, included the name of a now-dissolved UK-registered company called “Webnaser LTD”, whose registration documents also cite Resan as the sole director.

A leak found on data breach site Intelx.io shows that an almost identical password (with different capitalisation of some letters) was used to log into this “dorocron” Gmail account and a Netflix account associated with Resan’s personal email address. This password was also used to log into web domain registry GoDaddy using RefacePorn’s support email address.
Leaked passwords on Intelx.io revealed another link between Resan and DeepfakePorn: an email with the username “resanmark” was used to log into DeepfakePorn’s website, with a password containing his birth year. In all, we found four unique passwords that were reused between Resan’s personal emails, the Dorocron emails, and a support email for RefacePorn. These four passwords include either Resan’s name or the date or year of his birth.
Resan also posted two job listings from his now-deleted LinkedIn account about a year ago, for a full-stack web developer and a WordPress developer at Dorocron LLP. In the web developer listing, he described the company as “developing and applying revolutionary AI technologies” and said the job would have “high wages”. We could not find any other individual with a public association to Dorocron LLP on LinkedIn or elsewhere.

Aside from his links to Dorocron LLP, Resan is also the sole director and person with significant control of Facitic Ltd, a UK-registered company which was listed as the registrant for RefacePorn.
Using DomainTools, we were able to see the historical registrant information in a WHOIS lookup of the site’s domain registration. When we checked this in August 2025, we were able to see that, as of June 2025, Facitic Ltd was the registered owner of RefacePorn. This information was later redacted – as it is for other sites linked to Resan such as DeepfakePorn.
ICANN, which regulates websites, requires domain name providers to verify the accuracy of their customers’ details, including the registrant's name and contact details. Such details are publicly visible by default, but can be anonymised using paid privacy services.
The UK registration for Facitic Ltd lists Resan’s country of residence as Dubai, while the registration for another UK company he registered – which was also listed as the owner of some of the now-expired approved domains on Dorocron LLP’s Peerwallet profile – states that he resides in Cyprus. Meanwhile, Resan’s social media accounts stated that he lives in Hungary. On Peerwallet’s dashboard, the primary user of Dorocron is listed as being based in Hungary.
It is unclear if Resan actually holds positions in any of the six companies he listed himself as working at on his Facebook and LinkedIn profiles. Bellingcat has reached out to these companies to check, but has not received any replies as of publication.
Some of the connections Bellingcat found between RefacePorn and Mark Resan:

On Nov. 10, 2025, a few weeks before we contacted him, Resan applied for Facitic Ltd to be struck off the UK companies register. Based on Resan’s filings, Facitic Ltd was incorporated with an initial capital of £100 in January 2024, and there has been no recorded change in its accounts since.
This comes as UK regulator Ofcom cracks down on websites associated with UK businesses offering AI-powered nudify services. On Oct. 23, Ofcom imposed a £50,000 fine on UK-registered company Itai Tech Ltd, which has been linked to some of the biggest deepfake pornography sites in the world, for failing to prevent children from accessing pornographic content.
It is unclear what triggered Resan to file to dissolve the company, and he did not respond to Bellingcat’s query about this.
Small Sites, Big Harm
The websites linked to Resan are not among the largest in the deepfake porn industry. A similar but much larger site that Bellingcat has investigated, MrDeepFakes, received millions of visits each month. Bellingcat and its partners Tjekdet, Politiken and CBC exposed the site’s key administrator David Do in May, with MrDeepFakes going offline after we reached out to Do for comment.
In comparison, RefacePorn and DeepfakePorn received about 91,000 and 154,000 visits in October, according to digital marketing platform SemRush. But their smaller size does not mean they can’t cause significant harm.
Mantzarlis, of the news site Indicator, said there were “smaller players” taking bigger risks around regulation, such as “Crush AI”, a group of Chinese-owned apps that bypassed Meta’s moderation rules to run 25,000 ads on Facebook and Instagram before the social media giant sued them.
“These smaller players are often the ones that are more actively trying to stand out on social media to catch up with the bigger ones,” Mantzarlis said.
In the course of our investigation, we ran tests using the free features on RefacePorn to determine if there were any restrictions on images that could be uploaded on the website.
Without actually generating the content, we uploaded AI-generated images of adult women and underage girls. Unlike on other websites we have tested, which have added the bare minimum of checks to prevent uploading images depicting children, there was no restriction or evidence of age-related safeguards on RefacePorn.
While there aren’t laws in Hungary explicitly prohibiting deepfake porn, the possession, creation and distribution of sexually explicit images of minors is illegal.
“As the more established websites come under sustained regulatory pressure and others get litigated into oblivion, the minnows are ready to try and capture market share,” Mantzarlis said.
And while some sites such as RefacePorn and DeepfakePorn may fold in the face of public scrutiny, others continue to operate, unchecked and easily accessible, online.
“These websites are eminently replaceable and there's no reason to believe that there is any form of ‘brand loyalty’,” Mantzarlis said. “Perpetrators are going to search for ‘nudify’ or click on an ad and go to whatever tool does the job.”
Melissa Zhu contributed to this report.
Bellingcat is a non-profit and the ability to carry out our work is dependent on the kind support of individual donors. If you would like to support our work, you can do so here. You can also subscribe to our Patreon channel here. Subscribe to our Newsletter and follow us on Bluesky here and Mastodon here.
The post Profiting From Exploitation: How We Found the Man Behind Two Deepfake Porn Sites appeared first on bellingcat.
-
bellingcat

-
Russia’s Smuggled Grain Finds New Market in Saudi Arabia
A joint investigation by Bellingcat and Lloyd’s List has identified Saudi Arabia as the newest country to import grain directly from a Western-sanctioned port in occupied Crimea, as Russia attempts to secure recognition of the Ukrainian territory via a US-led peace plan.
Satellite imagery and Automated Identification System (AIS) data from Lloyd’s List Intelligence shows the bulk carrier Krasnodar (IMO: 9296781) sailed from Avlita Grain Terminal in Sevastopol to Saudi Arabia on two occasions between September and November 2025. Bellingcat confirmed Krasnodar’s journeys ended at Saudi Arabia’s King Abdullah Port in September and the Port of Jazan in November.
These journeys show that Saudi Arabia has joined buyers in Iran, Syria, Egypt, Turkey, Venezuela and Houthi-controlled territories in Yemen who are willing to accept what the Ukrainian government describes as “stolen” grain.
Black Sea
Krasnodar goes dark – an AIS gap lasting more than two weeks begins on August 22.
Occupied Crimea: Port of Sevastopol
Imagery shows Krasnodar docked at Berth 21 of the Avlita grain terminal at the Port of Sevastopol on August 27.
Credit: Planet Labs PBC
Black Sea
Krasnodar turns its AIS back on in the Black Sea, as required to transit the Bosphorus on September 6.
Bosphorus Strait
Krasnodar transits the Bosphorus. Judging by the draft, with no visible red paint on its hull, the ship appears to be fully laden.
Credit: Yörük Işık
Saudi Arabia: King Abdullah Port
Imagery (as well as AIS data) shows Krasnodar docked at the King Abdullah Port. A pile of what appears to be grain is visible to the right of the image on September 18.
Credit: Planet Labs PBC
Bosphorus Strait
Returning via the Suez Canal, Krasnodar transits through the Bosphorus on September 28 with its red paint fully visible, indicating it is not heavily laden.
Credit: Yörük Işık
Black Sea
Krasnodar goes dark – an AIS gap lasting more than one week begins on October 6.
Occupied Crimea: Port of Sevastopol
Satellite imagery shows Krasnodar docked, with its hatches open, at Berth 21 of the Avlita grain terminal on October 8.
Satellite image ©2025 Vantor
Black Sea
Krasnodar turns its AIS back on in the Kerch Strait. After a few days loitering in the Kerch Strait, it transits through the Bosphorus.
Bosphorus Strait
With no red paint visible and the Plimsoll line near maximum draft, the vessel appears to be fully laden when it transits the Bosphorus on October 26.
Credit: Yörük Işık
Saudi Arabia: Jazan City
AIS data shows Krasnodar docked at Jazan City for Primary and Downstream Industries for seven days. Planet imagery captured it on November 6.
Credit: Planet Labs PBC
After leaving Jazan, Krasnodar returned to the Black Sea via the Bosphorus on November 23.
It stopped transmitting AIS for a third time on November 24 for nine days and has been intermittently transmitting data since.
Krasnodar was again captured in satellite imagery docked at the Avlita terminal in Sevastopol on November 26.

Petrokhleb-Kuban Denies Visiting Avlita Terminal
Documents accessed on Russia’s federal registry indicate the vessel is leased by Russian firm Petrokhleb-Kuban, a major player in Russian and international grain markets.
Petrokhleb-Kuban told Bellingcat it “categorically denies any allegations of involvement in the theft of grain from Ukrainian regions”.
It added that Petrokhleb-Kuban does not export grain from the Avlita terminal to any country.
“Petrokhleb-Kuban does not operate at the port of Avlita and does not ship grain from there. All grain shipped by Petrokhleb-Kuban is produced by Russian farmers,” a spokesperson said.
“The vessel Krasnodar follows all widely accepted safety protocols and does not disable its AIS while on passage. The AIS signal in the Black Sea is being jammed by the military due to the ongoing conflict between Russia and Ukraine.”
The spokesperson also said the vessel Krasnodar was loading barley at the port of Kavkaz, “as confirmed by bills of lading and port clearance.”
AIS interference is rampant in the Black Sea. However, instances of jamming typically do not last more than a couple of days. Further, third-party disruptions impact all vessels in one area indiscriminately.
Bellingcat reviewed the AIS traces of vessels sailing near Krasnodar. In both voyages, Krasnodar was the only vessel in that area that stopped transmitting AIS data for that period of time.
Bellingcat also checked available Planet Labs PBC and Sentinel-2 satellite imagery covering the grain terminal in Port Kavkaz during the two periods of August and October where Krasnodar has absent or unreliable AIS coverage and found no vessels matching the length of the Krasnodar.
Bellingcat identified Krasnodar at Avlita terminal on three occasions by cross-referencing satellite images of Krasnodar with recent images and video of the ship. Krasnodar was last detected at Avlita terminal in satellite imagery on November 26, again with its AIS switched off. Krasnodar’s chimney is navy blue in colour, except for a white band on the left, right, and front side of the chimney. The ship’s other features – five grey hatches, four grey cranes, a red deck, a green floor on the bridge – all visually match known images of the ship.
Finally, the ship’s measurements (a total length of 183 metres according to Russia’s shipping registry) match what we see in satellite images.
Visual Comparison: Images of Krasnodar at Avlita Terminal and other recent images of Krasnodar
The Krasnodar has a dark blue (midnight navy blue) chimney with a white band that runs around the sides and the front of the chimney, leaving the back completely blue.

The life boats are immediately to the left and right of the bridge. The boats can also be seen in satellite imagery from Saudi Arabia. The image below shows Krasnodar in Jazan.

Satellite imagery also clearly shows the colour of the deck (dull red), the floor colour of the bridge (green), and the colour of the hatches and the cranes (grey). All of that, as well as the chimney (navy blue with white), can be matched with satellite imagery from Sevastopol that shows Krasnodar docked at the Avlita grain terminal.

Five grey hatches and a red deck. The image on the left is from Jazan (November 6). The image on the right is from Sevastopol (October 8).

If we zoom in on the bridge, we can also see that the shape and the colour (grey) of the top of the bridge are also a visual match.
The chimney is not very clearly visible in the image from Jazan but it is clear that the chimney is dark in colour. The image from Sevastopol shows a dark blue chimney with a white band, which was also visible in images and video of Krasnodar.

We see red on the hull, below the water line, in the Sevastopol satellite image. You can also see it in the image from when the ship transited the Bosphorus. The rest of the hull is dark.

There are no live or historic sanctions on Krasnodar, according to Lloyd’s List Intelligence data.
Saudi Arabia Joins List of Importers of Russia’s Smuggled Grain
Krasnodar’s voyages from Sevastopol to Saudi Arabia demonstrate that Russia is continuing to expand its grain exports from occupied Crimea to new markets as it negotiates to end the war in Ukraine.
Crimea’s occupied ports have become important assets for Moscow, having evolved into key logistics hubs for dark grain exports over the course of the war.
Prior to the full-scale invasion of Ukraine in 2022, the ports in occupied Crimea were used for the small-scale export of grain and scrap metal, mostly to Syria and Turkey.
The occupation of additional territory in Donetsk and Zaporizhia enabled Russia to establish a new supply route, resulting in more grain being shipped south to Crimea for export to international markets.
The Port of Sevastopol and the Avlita grain terminal remain under European, UK and US sanctions. While no UN sanctions specifically target the port, a majority of UN member states have passed resolutions condemning Russia’s invasion of Ukraine and its occupation of Crimea since 2024.
Ukraine has repeatedly tried to dissuade countries from purchasing shipments loaded with what it describes as “stolen” grain from occupied regions.
In 2023, Iran received its first grain shipments from Sevastopol. In 2024, it was joined by Venezuela, Libya, Egypt and the Houthis, which control territory in Yemen. Last month, Bellingcat revealed that the bulk carrier Irtysh (IMO: 9664976) delivered grain from the Crimean port of Sevastopol to the Houthi-controlled port of Saleef in Yemen despite Western sanctions.
Bellingcat and other news outlets have identified a total of eight countries that have imported grain directly from occupied Crimea.
While Saudi Arabia is the latest direct importer from Sevastopol, it is unclear if authorities are aware of the origin of the cargo.
The grain shipments follow a similar pattern to Russia’s shadow fleet, which moves sanctioned oil barrels. In both cases steps are taken to disguise the origin of the cargo and port of loading.
Most ships calling to Crimea disable their AIS transponders, which is considered a deceptive shipping practice, and fraudulent documents are issued.
Alona Shkrum, First Deputy Minister for Development of Communities and Territories of Ukraine, told Bellingcat that Ukraine was closely monitoring Russian exports from occupied territories. She said Ukraine had discussed the issue with Saudi Arabia on the sidelines of recent talks at the International Maritime Organisation Assembly.
She told Bellingcat that Ukraine had “received assurances that Saudi authorities are actively counteracting the risks posed by shadow fleet operations and other violations of international maritime law.”
She added that Ukraine would continue to work with partners to identify and sanction vessels involved in the illegal export of grain from occupied territories.
Bellingcat contacted both the Saudi Arabian Ministry of Foreign Affairs and the Russian Ministry of Foreign Affairs; neither responded to requests for comment.
US-Russia Peace Plan and Ownership of Ukraine’s Ports
The US-Russia 28-point peace proposal includes the recognition of Crimea, Luhansk and Donetsk as “de facto” Russian. Ownership of Crimea and the occupied territories bordering the Sea of Azov is critical for securing shipping routes to and from Russia, and these ports play a vital role in supporting economic growth in the region.
However, the impact of ceding control of this region and the port of Sevastopol to Russia is not mentioned in either the original US draft plan or subsequent amended versions.
Ian Ralby, chief executive of the maritime and resource security consultancy I.R. Consilium, said that while it was a high priority for Ukraine to ensure access to the grain market through the Black Sea is preserved, Russia is continuing to try to expand its global access to ports.
“We see that there is a resurgence in Russia’s efforts on port access.”
“As the prospect of potential peace begins to loom, even though it seems to be much farther off than many would want, there is likely to be a renewed focus on the key strategic assets that matter for the future, and the ports have to be foremost among them.”
Bridget Diakun, Yörük Işık, Youri van der Weide, Peter Barth and Galen Reich contributed to this report.
Cover image: Planet Labs image shows Krasnodar docked at Jazan City, Saudi Arabia on November 6. Credit: Planet Labs PBC.
The post Russia’s Smuggled Grain Finds New Market in Saudi Arabia appeared first on bellingcat.
-
bellingcat

-
From School to Battlefield to Grave: How Russian Cossacks drive young people to war
This video was posted in April 2024 by Беркут, a student association within a Russian Federal University.
Students, about to leave for an Airsoft competition, stand in military formation outside a campus building.
This is Олег Монин who took Berkut’s oath four months earlier. Through this veiled Cossack Youth Organisation, he trained in combat tactics with returned fighters and transitioned from pretend to real weapons.
Within a year, Oleg abandoned his studies and enlisted in БАРС-15, a Cossack Volunteer Battalion fighting in Ukraine.
By Feb. 10, 2025 Oleg was dead. He died aged 19, less than four months after deployment in Ukraine.
As of February 2025 there were more than 18,500 Cossacks on the front lines in Ukraine and approximately 50,000 in the army reserve.
Cossack societies, organisations, and even military units provide an identity that is indigenous to Russia, Visiting Assistant Professor at Miami University, Dr Marcello Fantoni told Bellingcat.
This identity is “rooted in ‘traditional’ values, martial prowess, military readiness, orthodox religiosity and a culture not influenced by the ‘corrupting’ West,” Fantoni added via email. This is why “education is central to the overall enterprise”.
Oleg’s story demonstrates how the Cossacks drive young people from a school club to a war zone and enable a state-sponsored alternative mobilisation force.
The Cossacks played an important role in the formation of the Russian Empire. They lived in communities called hosts on the edges of the empire. They operate under a military hierarchy ruled by a chief, the Ataman. Due to their loyalty to the Tsar, the Cossacks were repressed by the Bolsheviks after 1917.
Credit: Journal “Chronicle of War”, 1915; Nicholas II among officers
When the Soviet Union collapsed in 1991, the Cossacks’ descendants called for a “rebirth”.
In 2005, a bill submitted by President Vladimir Putin allowed members of registered Cossack organisations to serve in military units and police forces.
Credit: tamvesti.ru
New hosts were created in traditionally non-Cossack lands with a variety of institutions to direct them. In 2018, the government united them in the “All-Russian Cossack Society”. Putin tries to marginalise the traditional Cossack groups, analyst Paul Goble told Bellingcat, while the ones “he has created for his own purposes” play a “major role in military and patriotic education”.
Credit: Kremlin
There are 13 registered Cossack Hosts across all of Russia.
Only 8 of Russia’s 83 recognized Federal Subjects do not have a registered Cossack Host.
In 2018, the Black Sea Cossack Host of Crimea entered the register. The peninsula has been under Russian occupation since 2014. The Cossack legacy is also vitally important to Ukrainian identity.
There are new hosts in the occupied Ukrainian territories of Kherson, Zaporizhzhia, Donetsk, and Luhansk.
Russian Cossack organisations have been “very active within the occupied Ukrainian regions,” Dr Fantoni told Bellingcat. They “recruit local residents and then deploy them for cultural and military purposes,” allowing Russia “to contest and even co-opt a central tenet of Ukrainian national identity – Cossackdom,” he said.
The national “All-Russian Cossack Society” VSKO was created in 2018, and in 2019, the State Duma gave Russian President Vladimir Putin exclusive authority to appoint its national Ataman.
At the top of the VSKO is Ataman Vitaly Kuznetsov, a Cossack General.
Kuznetsov was appointed in November 2023, succeeding the first-ever national Ataman – Nikolai Doluda, then 70 years old and a sanctioned individual.
Kuznetsov has also become a leading Cossack interacting with the Russian state.
Including with Dmitry Mironov, assistant to President Putin and Chair of the Council for Cossack Affairs.
And Deputy Prime Minister of Russia Dmitry Chernyshenko.
As well as Leonid Pasechnik, head of the Luhansk People’s Republic. Kuznetsov thanked Pasechnik in June for helping create three Cossack Cadet Corps in the occupied region.
According to Kuznetsov, the VSKO priorities are “development of military Cossack societies in all directions: education, culture, history, and most importantly, youth. Everything through youth.”
Cossack education can be divided into primary, secondary, and tertiary levels, all with the goal of promoting a unified system.
At the primary level are the Cossack kindergartens, which compete nationally to be named the best.
There are Cossack schools and regular schools with a Cossack affiliation. Data from 2022 claim there were just under 2000 such institutions with around 210,000 students, but recent claims point to over 300,000 students.
The most intense level of Cossack education is the Cossack Cadets Corps, of which there are 31 across the country, with the newest corps created in Russia’s Far East. They also compete nationally.
Finally, the Association of Cossack Universities has 26 members, with many concentrated in Rostov and Krasnodar. There is also a Union of Cossack Youth, which in 2022 had more than 163,000 members. More than 5,500 Cossack youth took part in military exercises on training grounds in 2023.
Oleg’s story demonstrates how young people outside formal Cossack education can still get pulled in. It also shows that the Cossacks are but one of several interlaced strategies for “military-patriotic” education.
Oleg grew up in Saratov.
He studied in Lyceum N.3, a state-funded educational institution in Saratov. Often, the school promotes events like the national Zarnitsa competition. It includes activities like “putting on gas masks” or “sniper games” for third graders.
The school’s military club “Fakel” acts as an intermediary for these events and other nationwide military education initiatives such as the 24-hour-long Avangard training for tenth graders.
In 2024, Natalia Saprykina, the director of Lyceum N.3, was awarded a Letter of Gratitude for her “contribution to the patriotic education of the younger generation” by a Deputy of the Regional Duma.
Oleg graduated from high school in 2023 at the age of 17.
In the same year he enrolled in InPIT, a higher education institution of the Saratov State Technical University.
By November Oleg had turned 18 and was wearing military fatigues and practising survival skills alongside other candidates of a “military-patriotic” student association named Berkut, at another local university, the Saratov State Law Academy (SSLA).
Though Berkut is not explicitly a Cossack organisation, we established several connections between the head of Berkut, Alexander Andreevich, and Cossack organisations. As we’ll see, Andreevich was present at multiple military style training camps that Oleg took part in.
Neither does its page in the University website.
The association’s official objectives are “forming a positive image of military service” and “popularisation of service in the Russian army and law enforcement agencies”. It is headed by Alexander Andreevich.
However, some of Berkut’s videos include the banner of a Cossack Youth Organisation (Молодёжная казачья организация).
A Telegram post by Andrey Fetisov, the Saratov District Ataman, refers to Berkut as a “Cossack Youth Movement”.
Even though Berkut (left) shares a name and eagle iconography with a notorious Ukrainian special police force (right), part of which defected to Russia during the occupation of Crimea in 2014, Bellingcat found no link between the two organisations.
By December 2023, nearing the end of the first semester, Oleg and the other candidates took the Berkut oath, making them official members. Oath-taking ceremonies are “invented traditions” among Cossack forces.
Atop the dais stand senior members of Berkut, including the head of the organisation – Alexander Andreevich.
Andreevich is an active Cossack who has been working under the guidance of District Ataman Andrey Fetisov since at least April 2023.
More recently, in January 2025, they were both delivering a lesson to Cossack children for Yunarmiya, exemplifying the overlapping network of youth militarisation initiatives.
In July 2025, they both attended Saratov’s Council of Atamans that was hosted at the Ministry of Internal Policy and Public Relations of Saratov. Local organisations often meet there.
In August 2024, Andreevich attended the iVolga Cossack Youth Festival, where he met Kuznetsov. They are the only two people featured speaking in an official video.
Andreevich also led Oleg to two military-inspired events in April 2024.
The first, on April 13, was the annual Airsoft competition.
Five days later they went to a training that included trench tactics and simulated helicopter jumps.
Since 2023, Oleg often wore a distinctive yellow and red “Скорпион” (“Scorpion”) call sign patch on his chest when wearing military fatigues, which distinguishes him from other youth at the events. That and other distinctive features identify him even with a mask or goggles.
Bellingcat was able to geolocate this place to be a Rosgvardia training ground on the outskirts of Saratov.
Notably, the trenches are not visible on Google Earth but are on Yandex Maps, which has more recent imagery for the region.
This group photo tells its own story. The flags visible are, from left to right, for the Volga Cossack Host, the Immortal Regiment, the Kuban Cossack Host, and Veteran News.
Oleg is at the far right wearing his “Scorpion” and Berkut patches.
This time, ex-fighters were there too.
Sergey Frolkov is an ex-fighter in the war on Ukraine. He regularly posts photos with an Akhmat special forces patch, associated with Kadyrovites. He is also a member of the local Combat Brotherhood association.
As is Oleg Mysov, another returned fighter who also engages in “patriotic education of youth” events.
Both have attended Cossack events. Even though in this photo they are holding the Volga Cossack Host flag, Bellingcat could not clearly identify them as Cossacks.
A third man, Andrey Berdnikov, is indeed a Cossack and a former fighter of BARS-15, the battalion Oleg joined, though he was reportedly expelled by his commander. On the left, Alexander Andreevich.
Bellingcat contacted Sergey Frolkov, Oleg Mysov and Andrey Berdnikov before publication to ask about their roles, but did not receive a response.
Five months later, in September 2024, Oleg went on a two-day training. Andrey Fetisov got a special thanks for the opportunity.
Bellingcat geolocated it to a military training ground in Samara, the same location where other Cossack recruits trained before deploying to BARS-15. Fetisov himself shared photos of this training ground two weeks after stepping down as Ataman to join BARS-15. Andreevich left and Oleg right in this photo.
They used real weapons this time. A video montage shows participants firing live rounds.
This is a photo that includes Oleg, Fetisov, and Andreevich. The first media we found for this event is from early September which is consistent with the sun position in this photo and the grass patches seen in satellite imagery from early September 2024.
Bellingcat contacted Kuznetsov, Fetisov and Andreevich to ask about their roles in the Cossack community, but they haven’t responded.
This is the last time Bellingcat was able to trace Oleg’s whereabouts with open sources before he joined BARS-15.
Many countries have a volunteer reserve system for getting more soldiers in times of war. In Russia, the system is known as BARS, created in 2015 and intensified in 2021. All BARS fighters sign a contract with the Ministry of Defense and get paid.
Mapping the geolocated positions of these units in the UAControlMaps Project dataset reveals widespread areas of operations. BARS Battalions are often reorganised. Estimates put the total number so far at over 30 BARS Battalions, and 10 of them have overt Cossack affiliation.
Cossacks also operate as detachments in other military structures. By their own reckoning, in February there were more than 18,500 Cossacks on the front lines in Ukraine. In May the first-ever national Ataman, Nikolai Doluda, gave a higher figure of 46,000 Cossacks.
As of 2024, British Professor Rod Thornton estimated that BARS constitute some 10-30,000 troops in Ukraine, 15% of the total invasion force.
The Mediazona project tracks individual Russian losses in Ukraine and publishes bi-weekly reports. As of Nov. 21, 2025, they identified 149,241 publicly named casualties, Oleg among them.
The project also tracks volunteer casualties.
Deaths of volunteer fighters constituted 12.8% of losses in 2022 and 21.9% in 2023. In 2024 they more than doubled to 45.7%. As of Nov. 21, verified deaths of volunteer fighters for 2025 were at 42.8%.
BARS-15 is a Cossack battalion created on May 15, 2022, and named Ермак after a historical Ataman. Originally composed of Cossacks from multiple hosts, mainly Volga and Orenburg, it now draws its members from the Volga Host only.
Credit: All-Russian Cossack Society
These are some of BARS-15 specific patches.
While in BARS-15, Oleg was reportedly assigned to the 15th Separate Guards Motor Rifle Brigade. Several sources place BARS-15 as subordinate to the 15th Separate Guards Motor Rifle Brigade, also known as the Black Hussars, headquartered in Samara Oblast. Bellingcat geolocated this video from September 2024 to their training grounds.
The panel reads Black Hussars. Oleg is on his knee in front of Andreevich, wearing his distinctive “Scorpion” patch.
Credit: VKontakte @svpo_berkut
The number of active Cossack fighters in BARS-15 is reportedly 400, a number echoed by a former Commander, with other sources saying over 900 volunteers have passed through as of September 2024. They reportedly took part in the invasion of Avdiivka among other combat activities in Ukrainian cities both in Donetsk and Luhansk.
Credit: VKontakte @vvko_russia
Bellingcat geolocated this warehouse to the west of Selydove, Donetsk, using satellite imagery and reference images from when the warehouse was a concrete products factory.
One of its former members is Andrey Fetisov, who temporarily stepped down as Saratov District Ataman and joined BARS-15 between approximately November 2023 and June 2024.
Credit: Telegram @izvestia64
The identification of Fetisov’s call sign – СЛЕНГ – suggests he took on military roles such as “Deputy Commander for Educational Work” and “Political Officer”.
In April 2024, Fetisov received a Medal for Bravery from Vitaly Kuznetsov, the national Ataman. Within six months, Fetisov would be taking Oleg to the BARS-15 training camp.
Credit: Telegram @izvestia64
There are many reasons why people are motivated to join Cossack groups, Dr Fantoni told Bellingcat, adding that these motivated individuals “are the driving force” behind militarisation. “Some do it out of patriotic motivations, others for political, economic or individual status gain, some even because this can protect oneself from future mobilisation to an actual fighting unit,” he said.
Oleg’s connection to the Cossacks was not typical. He did not attend a Cossack school or university and still found himself in their midst via the military youth groups he joined. As his story demonstrates, Cossacks are embedded into the education system. Their involvement includes Berkut showcasing Kalashnikovs to kids in a mall, a teacher and returned BARS-15 fighter weaving camouflage nets with children, a former BARS-15 commander giving inspirational lessons to young students, and Cossack cadets drawing “heartfelt mementoes” to send to BARS-15.
The Russian government announced that funding for the Cossacks will double in the next two years and it continues to implement its Strategy in relation to the Russian Cossacks 2021-2030.
The first-ever national Ataman and Kuznetsov’s predecessor, Nikolai Doluda, is working on a new national law on the Cossacks and the creation of a mobilisational reserve from the Cossacks.
This image first appeared on Oleg’s obituary posted by Fetisov. The vehicle, road, and equipment are consistent with those used by other fighters with the Black Hussars around February 2025.
According to recruitment posts, BARS-15 training takes three weeks. A recent study found that to be the norm in Russia’s military while also labelling training as “low-quality and ineffective”.
Oleg’s obituary, published by his University, states that “based on the results of training, he was appointed commander of a 120 mm mortar crew”.
Bellingcat reached out to Oleg’s parents.
His mother said she couldn’t speak about Oleg’s death; it still hurts too much.
Additional research by Timothy B, Afton Briones, Sarah Grossman, Alexandra Malikova, Mitchell Polman, Olivia Gresham, Bonny Albo, Adam Arthur, Robert Chapman of the Bellingcat Volunteer Community.
Youri van der Weide and Aiganysh Aidarbekova contributed to this report.
Bellingcat is a non-profit and the ability to carry out our work is dependent on the kind support of individual donors. If you would like to support our work, you can do so here. You can also subscribe to our Patreon channel here. Subscribe to our Newsletter and follow us on Bluesky here and Mastodon here. With the unpredictability of social media algorithms making it harder for news outlets to reach audiences consistently, we have also started a WhatsApp channel that you can join to stay updated on our stories.
Satellite images are courtesy of Yandex, Maxar, Airbus, MapBox and Google Earth.
The post From School to Battlefield to Grave: How Russian Cossacks drive young people to war appeared first on bellingcat.
-
bellingcat

-
Building on Ruins: The Russification of Mariupol, One Apartment Block at a Time
“They Are Building Houses on Bones”
It’s the second time Moreva has lost her home. She fled to Mariupol from Makiivka, an industrial city near Donetsk, after Russia occupied Donbas in 2014. The 57-year-old rebuilt her life in the port city, working as a professor in Mariupol State University’s ecology department and running an animal shelter in her spare time.
When Russia launched its full-scale invasion of Ukraine, her husband was in Donetsk and their adult daughter was living near the town of Bucha, where unarmed civilians were massacred.
“I was preparing lectures and my daughter called me early in the morning and said: ‘Mum, we are being bombed.’ I said: ‘Vika, are you kidding? What do you mean you are being bombed?’ At that moment it was still quiet in Mariupol.”
Soon after, the phone lines went down and Moreva lost all contact with her family.

On the day the airstrikes began in Mariupol, Moreva said she ran into the street with her neighbours to wave at a drone overhead. “We thought that, seeing civilians, they would not bomb the area,” she said. “But within a few minutes, the whole district was completely destroyed.”
Moreva described the harrowing early days of the siege of Mariupol: water, gas and electricity supplies severed; Russian tanks roaming the city; bodies in the streets; children shot in fleeing cars; screams from under the rubble.
“All the authorities had left, abandoned the city. It was mostly civilians who remained, including many children, because there was no evacuation and no green corridors. We had nothing – no rescue services, no ambulances, no fire department, absolutely nothing.”

Moreva said at least seven of her neighbours were killed when her apartment block was repeatedly bombed. The ones who survived cannot go home because the building has since been demolished. Of those who remain in the occupied city, she knows of only one, an old man, who was rehoused. She said his case was reported as a “success story” on pro-Russian social media channels.
Across the city, Moreva said the bodies of many people who died in their homes have never been found. “People were trapped under the rubble when the buildings collapsed,” she said. “They suffocated or died from cold, hunger and illness because they couldn’t get out, and no one could reach them. Many were literally buried alive.”
Often, she said, the bodies that were recovered were buried in the courtyards of the apartment buildings. “People covered the bodies with soil, and when the ground was frozen, they could only cover them lightly, wrapping them in carpets or blankets.
“In Mariupol, now, they are building houses on bones. They are building so that people cannot return.”

Moreva, who was eventually reunited with her family, now lives in Ireland. She still has the keys to her apartment, “to the door that’s no longer there”. If she ever returns to Ukraine, it will not be to the adopted city that she loved. “Even if I dreamed of getting there, I cannot enter,” Moreva said. “I have nothing left in Mariupol.”



Warning: This report contains graphic imagery.
A new apartment in the Mirapolis complex comes with panoramic views of the city. The property developer boasts easy access to shops and schools, with colourful mock-ups showing families and manicured gardens. “If you’ve been thinking about owning your own apartment by the sea,” it says, “now is the best opportunity to realise your dream.” Prices range from about €75,000 to €110,000.
The Mirapolis estate is just one of many “new” residential housing complexes under construction across Mariupol, the Ukrainian port city subjected to some of the worst horrors of Russia’s invasion.
When the apartment blocks that originally stood here were bombed in March 2022, the residents of Building 127 sheltered in the basement. Children were among the 90 people killed in the attack, according to Mariupol’s Destruction and Victims Map, which has documented the devastation across the city. At a nearby burial ground, graves were marked with crosses made from scrap wood.
Credit: REUTERS
The four high-rises on the western edge of Mariupol were destroyed, and then torn down. Now, they are being rebuilt.
Credit: REUTERS
Across the road is the new Nevsky residential estate, one of the sites pro-Kremlin media has used to paint a picture of life returning to normal in Mariupol, which has been under Russian occupation for more than three years. In a video of Russian president Vladimir Putin meeting residents in the neighbourhood in 2023, a woman in the background can be heard shouting “This is all a lie!”
The damaged buildings were leveled by 2024.
Credit: Google Earth / Maxar, Google Earth / Airbus
A Bellingcat investigation has identified 23 multi-storey housing complexes – more than 50 buildings with at least 6,000 apartments – being built in the ashes of Mariupol and advertised for sale, with low interest rate loans, to Russian citizens. Construction of the first buildings has been completed; new residents have already moved in. Meanwhile, many of the original Ukrainian owners cannot return home.
Satellite imagery shows the buildings before Russia invaded Ukraine in 2022. By the summer of 2024, all had been demolished, with some already being rebuilt.
Russia launched its full-scale invasion of Ukraine on Feb. 24, 2022, minutes after Vladimir Putin announced the start of a “special military operation” on state television.
Credit: Al Jazeera

The strategically important southeastern city of Mariupol was surrounded within days. Homes and infrastructure were shelled.
Credit: Associated Press

The Russian bombardment cut food, water, power and heat to the besieged city. Internet and phone lines went down.
Credit: REUTERS/Alexander Ermochenko

Most of Mariupol’s 430,000 residents were forced to flee.
Credit: REUTERS/Alexander Ermochenko
By the time the brutal 86-day siege ended, an estimated 25,000 people had been killed, including thousands who died when their homes were bombed. Many are buried in mass graves. The United Nations said 90 percent of Mariupol’s residential buildings were damaged or destroyed.
As part of its post-siege reconstruction of the coastal city, Russia deployed workers to demolish what was left.







And to rebuild. In the months after Mariupol was razed, the new authorities released a plan to “restore” the city and grow its population to 500,000 over the next decade.








It is part of the Russification of Mariupol: streets have been renamed, Ukrainian monuments removed, and murals painted over. Access to Ukrainian websites has been blocked and Russian programmes are shown on television. Mariupol and St Petersburg are now “twin cities”.
Russia is painting a picture of a city restored, but many locals still live in perilous conditions, including some in half-destroyed buildings.
Credit: REUTERS/Sergei Ilnitsky
The largest of the 23 developments is the Leningrad Quarter, a 10-minute drive from the shore of the Sea of Azov. The sprawling residential complex, in Mariupol’s north-east, includes at least 11 high-rises along with car parking, recreation areas and children’s playgrounds. Last week, another phase of the project was released, with four new apartment blocks listed online. “We are building the future of Russia!” the website for the development says. The apartments are listed for sale with “preferential mortgages” at a 2 percent interest rate over 30 years with Russian banks. Mortgage rates in Russia are, on average, about 20 percent.

Rewind three years. The Leningrad Quarter was a site of death and destruction. People fell from their windows when the original building at 81 Metallurgist Avenue was shelled and engulfed in flames, according to posts in a Telegram channel that documented the lives lost here. A great-grandmother was killed when her apartment in Building 77 burned, her family said. Another woman died while hiding in the basement of Building 121. “Forgive me, mum, for not saving you,” her daughter wrote. Near Building 83, someone posted a photo of a 36-year-old woman’s grave, with fresh flowers and a makeshift plaque. “I don’t know how she died,” they said.
Credit: TASS
Residents who survived the siege of Mariupol, or have since returned to the captured city, face the challenge of finding somewhere to live. How can they prove ownership when property records are missing or have been destroyed? To claim their home in the occupied territory – to prevent an “ownerless” property from being confiscated – they must become Russian citizens and present, in person, with ownership documents.
Credit: Mariupol’s Destruction and Victims Map
Some residents – including the people who lived in the original Soviet-era buildings at the Leningrad site – have posted videos to social media, cautiously appealing to Putin and the Russian-installed authorities in Mariupol to intervene.
“We don’t have the possibility to buy the housing with [a] mortgage, as many of us are pensioners or have lost practically everything,” one woman said. Another said: “In 2022 we lost housing, property, and many of us also our loved ones.”
Residents complain about being unable to move back to the sites where they used to live, and say they were misled about access to compensatory housing. They say many people across the city are still homeless or forced to rent.
Those who can prove property ownership say the financial compensation being offered is at a rate far lower than market value. Authorities have said they will compensate residents who lost their homes in the war, but this is capped at about €12,000 for a one-person household and €16,000 for a two-person family. The cheapest flats advertised in the rebuilt apartment blocks start at about €45,000 for a 20 m² studio.
“We are not asking for favours, but for adherence to the law and promises made,” one woman said. “We ask to be given the housing we were promised, not an offer of [a] mortgage to our own house or someone’s ‘ownerless’ apartment.”
It’s not only people from the reconstructed high-rises advertised for sale who are impacted. In one video, a woman can be heard sobbing as she films the hollowed-out shell of a building on the western edge of Mariupol. This apartment block was demolished but has not been rebuilt.
For Viktoriia Moreva, who lived on the first floor of the building, there’s nothing to go back to. Moreva was in a friend’s home nearby when airstrikes hit her home in March 2022. She watched it burn.

“We just couldn’t understand it, why the shelling started with the houses,” she said. “It was a quiet residential area. There was a school and two kindergartens in this area. No soldiers were in the houses. Only civilians.”
“Flagrant Violations of International Law”
Professor Balakrishnan Rajagopal, the UN’s Special Rapporteur on the right to adequate housing, said Russia’s attacks on homes and residential areas in Mariupol were “grave war crimes and crimes against humanity”.
He told Bellingcat that the scale and intensity of destruction, mass displacement of residents and deaths of civilians constituted “one of the most flagrant violations of international law” and were “comparable to some of the worst examples from World War II”.
“Mass destruction of homes during conflict as in Mariupol are acts of ‘domicide’, as I proposed to the UN General Assembly in 2022, and may constitute war crimes, crimes against humanity or even genocide, depending on facts,” he said.
Professor Rajagopal said the housing policy measures implemented by Russia were contrary to the basic rules of international law, such as the prohibition against taking private property during occupation under the laws of war, including the Hague regulations.
“What appears to be happening is in fact an annexation of Ukrainian territory, through occupation and creation of new property rights which excludes the former owners,” he said. “Declaring a property ‘ownerless’ or ‘abandoned’ in order to annex it is an old colonial legal trick that settler colonial states have used for hundreds of years when such property, usually belonging to native populations, was declared ‘terra nullius’ (no person’s land) in order to acquire it, but is considered to be completely contrary to modern international law.”
“What Russia is attempting is to go back to medieval practices and discredited norms such as ‘terra nullius’ that Russia itself, as part of the Soviet Union, actively opposed for decades.”
A 2023 analysis by the Kyiv School of Economics estimated the damage to Ukraine’s housing stock to be almost $56 billion. Mariupol was one of the worst-affected cities: Ukrainian authorities said more than 11,000 homes were destroyed and tens of thousands more were damaged. Half of the 2,600 multi-storey residential buildings were reduced to rubble.
Credit: REUTERS
Over a large block that was decimated in central Mariupol, seven separate residential complexes are nearing completion. Among them are four gemstone-named developments ranging from nine to 15 storeys. Three apartment blocks in the centre of the “resort town” – the Residence I, Residence II, and Residence III – are due to be completed by the end of the year.
Like the other estates analysed by Bellingcat, these apartments are listed on Russian real estate websites with low-interest loans.

The advertisements target families with children: “Everything is close by: the sea, a park, schools, medical facilities and a church,” says one for the new Residence III. They don’t show what was here before.

The tree-lined street where Residence III now stands became a graveyard during the siege.
Credit: REUTERS / Alexander Ermochenko
A short walk away is Hospital No. 3, the children’s and maternity hospital bombed by Russian forces on March 9, 2022. “Everything was destroyed in one second,” said Elena Karas, a nurse who was caring for 13 premature babies on the third floor. “I didn’t ever think they could bomb our hospital. Not a hospital. You would think it’s a safe place,” she told The New York Times.
Ukrainian authorities said three people were killed and more than a dozen others were injured in the attack, which President Volodymyr Zelensky said was evidence of genocide.

Iryna Kalinina, the wounded pregnant woman in this photograph, and her unborn baby – named Miron, meaning “peace” – both died.
Credit: Associated Press / Evgeniy Maloletka

Across the road from the hospital, construction workers are building the Horizon complex, two “comfort class” high-rises due to be finished by 2026.

A block behind the site is the Cypress complex. The residential building that originally stood here was bombed and later torn down. Advertisements for Cypress – “a new destination for those who value prestige, comfort, and reliability” – tout the 15-storey building’s proximity to Hospital No. 3.
On March 16, 2022, a Russian airstrike hit Mariupol’s drama theatre. The grand Soviet-era building had become the city’s main bomb shelter, with hundreds of civilians seeking refuge inside. Outside, the word “CHILDREN” had been spelled out on the ground in giant Cyrillic letters. As many as 600 people reportedly died in the attack.
Credit: Google Earth / Airbus

Less than 500m from the theatre is the original site of the House with the Clock, a historic landmark in the city’s centre. Noted for its clock tower, the 1950s building served as a meeting place for the city’s residents.

In the months before Russia’s invasion, its facade had been restored and a new clock installed.
Credit: House with the Clock / Google Maps

The building was shelled during the siege and demolished after Mariupol fell.
Credit: Mariupol’s Destruction and Victims Map

A new multi-storey complex with studio, one- and two-bedroom apartments was built on the site in late 2024. “The House with the Clock was a recognisable symbol of Mariupol, but was damaged during the war,” the property developer’s website says.
As is the case with most new complexes analysed by Bellingcat, its original address was changed under occupation – a tactic Mariupol’s residents say further complicates their claim to housing. The House with the Clock was on Myru Avenue – “Avenue of Peace”. The road has since been renamed Lenin Avenue, after the former Soviet leader.
Farther east is the Azovstal Iron and Steel Works plant, where Mariupol’s last defenders surrendered on May 20, 2022.
Credit: Cover Media via REUTERS
Beyond the Azovstal steelworks are four new residential developments: the Olympic, Left Bank, Zhukova and Designer’s House Mari, a seven-storey “business-class” complex “inspired by the sandy coast”.
The bombed-out building seen in this footage is where Designer’s House Mari is being built.
Credit: Defense of Ukraine

Polished advertisements for the new building show it will feature landscaped courtyards and a 24-hour concierge service. Prices for a two-bedroom apartment are listed for about €130,000.
Ukrainian journalist Mstyslav Chernov and his Associated Press colleagues were trapped in Mariupol during the first weeks of the siege.
The last international journalists to remain in the city, they captured some of the most defining – and haunting – images of the war.
The crew reported from across the charred city, including in Mariupol’s north-west, near the new 655-apartment Mirapolis complex. In this area, four new complexes are also under construction.

“This is where your story begins,” a website for the Azure Coasts development says. Among the people killed here in March 2022 was an elderly man. “He lies there under the rubble,” his granddaughter posted on Telegram.


An apartment building on Kuprina Street promises its new residents “comfort, security and affordability”. A video filmed nearby after the original buildings were bombed shows unburied bodies on the grass, carefully wrapped in sheets.
Credit: Mariupol’s Destruction and Victims Map

Maple Alley, a complex with 10 apartment blocks, is featured in a Russian YouTube video with the caption: “Dreaming of an apartment by the sea with a preferential mortgage?” It is being built where a mother and her son were buried with their neighbours during the siege.
Credit: Mariupol’s Destruction and Victims Map

This high-rise, advertised as having children’s playgrounds and being close to a kindergarten, is on Troyiczka Street, which has been renamed to commemorate the USSR.

Credit: Mariupol’s Destruction and Victims Map
The UN’s Office of the High Commissioner for Human Rights (OHCHR) has said that Russia’s legislation on “abandoned property” in occupied Ukraine violates international humanitarian law prohibiting the unlawful confiscation of property, affecting both the right of displaced people to return to their homes and the right to adequate housing.
The Institute for the Study of War (ISW) said Russia was engaged in a “large-scale campaign” to inventory real estate in occupied parts of Ukraine, including Mariupol, with the intention of nationalising and seizing property. Karolina Hird, a national security fellow at ISW, said the campaign has two main aims: to generate profit for the Russian state and to repopulate occupied areas with Russian citizens and residents loyal to the regime.
Hird said Russia’s bill to standardise and codify the mass nationalisation of “ownerless” property in occupied Ukraine contains a provision for allocating nationalised residential real estate to government officials, military and law enforcement personnel, doctors and teachers. The properties are often offered to Russians at premium rates, she said, as a financial incentive to attract relocation to occupied regions.
“The property nationalisation campaign therefore supports the Russian effort to lend legitimacy to its illegal occupation by creating the impression that occupied areas are predominantly populated by Russian citizens. The fact that Ukrainians who wish to reclaim their property from Russian nationalisation schemes must have Russian documentation further supports this campaign.”
As of Aug. 2025, Russia’s real estate registration agency Rosreestr reported that it had registered 550,000 properties in occupied Ukraine as “ownerless”.
Hird said the impact on the original owners and residents of seized property can be severe. “Russia uses its ownership of the seized property as a coercive bargaining tool, basically trying to force residents to return to occupied areas and receive Russian documentation and face the horrors and challenges of living under occupation if they wish to retain their property,” she said.
“Property seizure also represents a loss of control for the original residents, who have no mechanism with which to dispute its allocation to Russian citizens or regime loyalists. Russia’s longer-term aim is to make the reintegration of occupied territories seem infeasible to Ukrainians, and the seizure of homes and apartments significantly complicates the concept of future reintegration.”
Ilvija Bruge, Beau Donelly and Miguel Ramalho contributed to this article.
Image Credits: Reuters, Associated Press, Al Jazeera, EFE, Mariupol’s Destruction and Victims Map, First Corps Azov of the National Guard of Ukraine, Mariupol Now, House with the Clock / Google Maps, TASS, Satellite images are courtesy of Planet Labs, Maxar, Airbus and Google Earth, and tiles are hosted by Mapbox.
-
bellingcat

-
Russia’s Grain Smuggling Fleet Continues Undeterred
An investigation by Bellingcat has identified yet another Russian-flagged bulk carrier, Irtysh (IMO: 9664976), operating in defiance of Western sanctions by exporting grain from occupied Crimea to Houthi-controlled Yemen.
Following the same pattern of deceptive methods used by other vessels involved in what Ukraine describes as “grain theft,” Irtysh disabled its location tracking en route to and from the Port of Sevastopol. The vessel also made a mandatory stop in Djibouti for inspection by the United Nations Verification and Inspection Mechanism (UNVIM) for Yemen before sailing on to the Port of Saleef, Yemen.
The majority of UN member states have repeatedly voted against Russia’s invasion of Ukraine. UNVIM told Bellingcat: “As a UN mandated body UNVIM does not have the authority to block shipments based on unilateral national or regional sanctions.” They added: “The UNVIM mandate is limited to verifying compliance with the UN Security Council resolutions related to Yemen.”
However, experts have previously highlighted to Bellingcat that, even with the limitations of that remit, the fact that grain shipments from occupied Ukrainian territories are passing through a UN inspection mechanism creates an awkward situation.
Bellingcat mapped Irtysh’s journey by combining Automatic Identification System (AIS) data from Lloyd’s List Intelligence and satellite analysis. During the investigation, two additional vessels were also identified with their tracking systems disabled while loading grain in Sevastopol: Matros Pozynich (IMO: 9573816) and Zafar (IMO: 9720263).
Bosphorus Strait
With its red paint fully visible, the vessel appeared to be carrying very little cargo.
Credit: Yörük Işık
Black Sea
Irtysh went dark – an AIS gap lasting two weeks began.
Occupied Crimea: Port of Sevastopol
Imagery showed Irtysh docked with its hatches open at Berth 21 of the Avlita grain terminal.
Satellite image ©2025 Vantor
Black Sea
Returning to Turkish waters, Irtysh turned its AIS back on as required for transiting the Bosphorus.
Bosphorus Strait
With no red paint visible and the Plimsoll line near maximum draft, the vessel appeared fully laden.
Credit: Yörük Işık
Egypt: Suez Canal
Irtysh transited the man-made waterway connecting the Mediterranean to the Red Sea.
Credit: Planet Labs PBC
Port of Djibouti: UNVIM Inspection
All cargo vessels must be inspected in Djibouti before proceeding to Houthi-controlled ports. AIS data showed Irtysh anchored off Djibouti for six days.
Credit: Planet Labs PBC
Houthi-controlled Yemen: Port of Saleef
Irtysh docked at the Port of Saleef for ten days, according to imagery and AIS data.
Credit: Planet Labs PBC
Bosphorus Strait
Returning via the Suez Canal, Irtysh transited the Bosphorus with its red paint fully visible, indicating it was not heavily laden.
Credit: Yörük Işık
Black Sea
Another AIS blackout, echoing its outbound path.
Occupied Crimea: Port of Sevastopol
Irtysh returned to Berth 21 of the Avlita grain terminal. As of the latest available imagery, the vessel remains in Sevastopol.
Credit: Planet Labs PBC
Just over a month after Irtysh was first seen loading grain at the Port of Sevastopol, Bellingcat identified another Russian vessel, Matros Pozynich, at the same berth. Previously identified by CNN in 2022 for exporting grain from occupied Ukraine, and by Bellingcat the following year, the vessel was docked at the Avlita grain terminal on Sept. 20.
Two days later, Matros Pozynich switched its AIS back on before sailing through the Bosphorus Strait, just as Irtysh had. With its hull sitting low in the water, the vessel was photographed passing through Turkish waters seemingly fully laden.
After calling at Djibouti, likely for inspection by UNVIM, AIS data shows the bulk carrier departing for Saleef, Yemen, on Oct. 8. At time of publication, Matros Pozynich remains in anchorage off the Port of Saleef, Yemen.
Sept. 23, 2025
Credit: Yörük Işık
A third vessel, also previously implicated for smuggling grain, Zafar, was captured by satellite imagery with its AIS turned off at the Port of Sevastopol from Sept. 23.

At the time of publication, Zafar had not sailed to Yemen via Djibouti. Instead, it was anchored off the Port of Alexandria, Egypt – another known location for offloading grain from occupied Ukraine, according to OCCRP reporting.
“Grain Theft”
Ukraine has repeatedly tried to dissuade countries from purchasing shipments loaded with what it describes as stolen grain from occupied regions.
The Port of Sevastopol and the Avlita grain terminal remain under European, UK and US sanctions. While no UN sanctions specifically target the port, a majority of UN member states have passed resolutions condemning Russia’s invasion of Ukraine and its occupation of Crimea since 2024.

Both Irtysh and Matros Pozynich delivered grain to the Houthi-controlled Port of Saleef via Djibouti – the UNVIM inspection point for Yemen. After ten years of war, the UNHCR reports that tens of thousands of people in Yemen are living in famine-like conditions, with a further five million people experiencing food insecurity.
UNVIM confirmed to Bellingcat that the Irtysh was inspected “in line with UNVIM operational protocols” on Sept. 7 and cleared by the Saudi-led coalition Evacuation and Humanitarian Operations Cell (EHOC) – a body entirely separate from the UN – on Sept. 8.
Asked whether UNVIM was aware the vessel had picked up grain from a port under Western sanctions, the agency replied: “The UNVIM mandate is limited to verifying compliance with the UN Security Council resolutions related to Yemen. Unilateral national sanctions or measures beyond that scope are outside the UNVIM mandate.”
Neither the Russian government nor its foreign ministry responded to requests for comment.
Yörük Işık, Bridget Diakun, Peter Barth, Galen Reich, Claire Press and Merel Zoet contributed to this report.
Bellingcat is a non-profit and the ability to carry out our work is dependent on the kind support of individual donors. If you would like to support our work, you can do so here. You can also subscribe to our Patreon channel here. Subscribe to our Newsletter and follow us on Twitter here and Mastodon here.
-
bellingcat

-
How a Former Political Hopeful Helps Russian Neo-Nazi Group Rusich Sell its Online Merch
Editor’s note: Vladislav Gillung officially changed his name to Vladislav Romanov in his twenties. Although the first recorded use of him as Romanov is from the period between 2020 and 2022, we will refer to him as such throughout most of the story for consistency.
In September 2019, a 21-year-old man named Vladislav Gillung registered as a candidate for Russia’s municipal elections in the city of St. Petersburg.
Tweets by the former campaign leader for the anti-corruption activist and opposition candidate, Alexei Navalny, show that Gillung was attempting to run as part of the movement opposing Russian president, Vladimir Putin.
The local electoral committee refused his candidacy. However, only weeks later, he seemed to have switched sides as he attended an event for the pro-Putin United Russia party.
Vladislav Gillung has since changed his name to Vladislav Romanov and become close to Rusich, a neo-Nazi paramilitary group that is under western sanctions. Rusich members have been accused of, and co-founder Yan Petrovsky convicted of, war crimes.
An investigation by Bellingcat has tracked Romanov from these early days in St. Petersburg, finding that he appears to have assisted in Rusich’s fundraising and business activities. He has even been pictured near the front line in eastern Ukraine.
Romanov’s bank number has appeared in Rusich’s calls for donations. On top of this, he is listed as the person selling Rusich merchandise on a Russian webstore.
The money Rusich makes in these ventures helps fund its operations, according to experts Bellingcat spoke to.

When Bellingcat reached out to Romanov via email, he said that he joined Navalny’s movement because he “wanted to go into politics and represent the interests of society”. He also acknowledged helping run Rusich’s online store but denied working for the group. “I don’t work with Rusich. They just asked someone with experience and education to take over their store, and I helped them out without pay. I don’t see anything special about it,” Romanov said. There is no suggestion that he has been directly involved in the violent activities other members of the group have been accused of or found guilty of, nor has he been placed under international sanctions or been accused in any criminal cases related to the group.
Denis Mikhailov, a Navalny campaign leader for the 2019 municipal elections, said that he recalled Romanov. Mikhailov told Bellingcat that Romanov was a “reserved and well-mannered guy”, who “always listened more than he talked”.
But it soon became apparent after the elections that their views differed on a number of subjects. “We talked about Ukraine, and he expressed that he sympathises with the so-called LPR/DPR,” breakaway regions of Luhansk and Donetsk in eastern Ukraine, Mikhailov said.
Mikhailov has since left Russia as pressure on those connected to the now deceased Navalny (who was poisoned by Russian secret service agents in 2020 and died in prison in 2024) has increased. He was not aware that Romanov had moved towards United Russia, but he said he was not entirely surprised by this turn of events. “I don’t remember [Romanov’s] exact words, but, in addition to the topic of Ukraine, he said something about Putin’s system being the only way to build a political career.”
When asked why he left the opposition movement, Romanov told Bellingcat that he “became very disappointed in the ideas of Navalny and his team”, because they worked “to destabilise Russia”.
Just two months after the 2019 municipal elections, Romanov was pictured at an event where the branding of the youth wing of the United Russia party was clearly visible.

Romanov told Bellingcat that he “used to be a member of both the youth wing and the United Russia party itself”.
“I haven’t been a member for three years now, as politics no longer interests me. I prefer my profession” as a businessman, he said.
The people he posed with at the event included Monika Pakhomi, a council member of St. Petersburg’s Izmailovskoe district. According to the council’s website and VK page, Pakhomi was awarded a medal for her work supporting the occupation of Ukraine by the regional All-Russia People’s Front – an organisation under European Union sanctions. Pakhomi did not respond to requests for comment.
This image allowed Bellingcat to search for and identify further pictures of Romanov available online.
One image posted to Twitter, now known as X, showed him armed and alongside prominent Rusich fighters, including Yan Petrovsky (who has been convicted of war crimes by a Finnish court) and the Russian nationalist politician, chairman of the Rodina party, Alexey Zhuravlev (currently under international sanctions), in the formerly occupied city of Izyum in eastern Ukraine. Bellingcat had previously reported on Zhuravlev’s trip to Izyum without realising that Romanov had accompanied him there.

When Bellingcat asked him about the trip, Romanov said that he spent two days with Alexey Zhuravlev in Izyum, “to deliver humanitarian aid to the residents”, and the “LPR [Luhansk People’s Republic] fighters gave Alexey and me automatic weapons for a couple of photos, and we took pictures as a souvenir”.
He added that selection for the trip was handled by his university in conjunction with the Youth Parliament of the State Duma of the Russian Federation, which is why Zhuravlev was there. Bellingcat sought to confirm this with Romanov’s university, the St. Petersburg State University of Economics, but did not receive a response before publication.
When asked if he ever fought in Ukraine, Romanov said: “I never fought due to lack of training.” He also claimed that he “never joined Rusich”.
“Unfortunately, I have no military skills, so even if I wanted to join, I couldn’t. I’m just a businessman,” he said in messages over email.
Rusich’s Merchandise Man
Rusich is a paramilitary group that has been an active force in Russia’s war in Ukraine. Several of its fighters have been involved in Wagner operations in places like Syria, Libya, and the Central African Republic.
One former commander and founding member, Yan Petrovsky, has been convicted of war crimes by a Finnish court and another, Alexey Milchakov, has been implicated in war crimes.
The organisation and its leaders are under international sanctions, and so are some of its cryptocurrency wallets, but many people associated with Rusich are still largely unknown to the public. Until now, Vladislav Romanov appears to have been one of those operating behind the scenes.
In the early days of Russia’s full-scale invasion of Ukraine, the group claimed to Meduza that it had an IT and a Financial department that organised fundraisers and donations from supporters and was also active in cybercrime.
On April 2, 2024, Rusich posted a message on Telegram stating that it was funded solely through organised fundraising and advertising.

Yet they now sell their own products as well, including protein powders, key chains and Alexey Milchakov sticker packs.
Jonathan Deer, who has researched Rusich at the New America think tank, told Bellingcat it was common for Rusich to say, “‘We need XYZ and we need it in this amount. We are requesting that you either donate the item itself or donate to us at this card number’”. Though this still happens, Deer thinks calls for donations have become less frequent.
Rusich runs its own site to assist with merchandise operations, but it uses Ozon.ru, a Russian webshop, as well. The seller on the Rusich Ozon page is listed as Vladislav Konstaninovich Romanov, with goods shipped from St. Petersburg.

Bellingcat looked for this name online and found four individuals in a leaked Alfa-Bank database (Alfa-Bank is one of the largest private banks in Russia, currently under EU and US sanctions).
One of these individuals was the owner of a card number ending in 1073. This same card number, it transpires, appeared in messages from an old Rusich Telegram channel. Although that channel no longer exists, some messages were archived on TGStat, a web-based analytics tool for Telegram, such as this one from 2022.

In the messages, benefactors were instructed to donate using crypto or to just transfer money to the Alfa-Bank card number that matched Romanov’s (ending in 1073).

A message on September 9, 2022, stated Rusich had collected 900,000 Rubles (at that time US $14,805). Two days later, they claimed to have received 1.2 million Rubles (then $19,740). Both messages list Romanov’s Alfa-Bank account as the place where donations should be sent.
It is not possible to know for sure what Rusich spent the money on. But the September 9 message did say the unit needed a wide variety of equipment.

The fact that an account listing Romanov’s details appears to be handling money for Rusich suggests he is not just a “grunt”, said Deer of New America. Other open source information gathered by Bellingcat, meanwhile, tied his name to further revenue generating projects.
Phone Numbers and Contact Books
On June 9, 2025, the Rusich Telegram channel instructed people to contact an account named “rozzkr” for ad-related inquiries. Similarly, messages sent to the Rusich Telegram channel receive an automated response asking those who want to advertise with them to contact rozzkr, their “manager”. Rozzkr appears to be connected to one of Romanov’s phone numbers, which ends in 0663, and was visible in several leaked databases.


According to the 2022 Yandex Food data leak, for example, a Yandex Food account with this name and number was used in December 2021.
The rozzkr Telegram account itself contains little detail. It includes a first name that consists only of numbers, an anonymised profile picture and a seemingly random location. The account owner also added a standard message for all empty chats: an image of Alexey Milchakov in camouflage uniform and some accompanying text that says it costs 100,000 Rubles to place an ad in their Telegram channel.

Price information from the rozzkr account is consistent with what Rusich posted on Jan. 27, 2024, where they said the money would be used for the group’s needs.
Romanov told Bellingcat that the number ending in 0663 was “indeed an old phone number registered” to him. But he said that in “around 2017-2018” one of his “acquaintances” asked to borrow his SIM card to register a work Telegram account. “Judging by everything, this is the one,” he said, adding that he didn’t know that “this number was still active” and that he had no idea “who currently owns the @rozzkr account on Telegram”. Bellingcat tried to call the number and it now appeared to be inactive.
Romanov did not share who he gave the SIM card to or detail why or how the phone number continued to be used in his name after 2018.

Other leaks also show a Vladislav Konstantovich Romanov provided the same phone number to a Russian courier service (CDEK) in 2021 and 2022.
Interestingly, Bellingcat also noticed on the Sherlock Telegram bot that another number linked to the rozzkr account was used for mobile banking by someone named Vladislav Konstantinovich R – this aligns with Romanov’s first name, patronymic and the first letter of his surname.
Bellingcat asked Romanov about the second number linked to the account and called the number itself. The number appeared to now be disconnected and Romanov did not respond to further questions about this before publication.
Leaked data from ZAGS (ЗАГС), Russia’s civil registration, shows that Gillung legally changed his name to Romanov. Romanov said his parents divorced in his childhood and that Gillung is his mother’s surname. He decided to take on his father’s surname “as is customary in Russia”.

Romanov can also be directly linked to Rusich leader Alexey Milchakov through a phone number both appeared to use at least once.
Milchakov shows up multiple times in a data leak from the courier service, CDEK, often using a phone number ending in 386. The same number also appears with two other names in the CDEK leak: Anton Yakovlev and Vladislav Konstantinovich Gillung (Romanov’s previous legal name).
Romanov told Bellingcat that “Alexey [Milchakov], an old acquaintance of mine, once asked me to pick up a parcel for him when he was away.”
A Facebook leak shows that Milchakov used that number to create his now-deleted Facebook page.


People using Numbuster and GetContact, meanwhile, tagged the same phone number as belonging to Milchakov.


Contact book apps like these harvest data from users’ phones and have been used in many investigations, such as Bellingcat’s Berlin Tiergarten assassination investigation (where Numbuster and GetContact were used) and the investigation into the death of Colombian protestor, Lucas Villa (where TrueCaller was used).
In Numbuster, one of Romanov’s phone numbers (ending in 663 and that he used for his Yandex Food account) is tagged as “Vlad United Russia St. Petersburg Youth Politics”.

Asked how he met Milchakov, Romanov claimed that they met at a gun shop in St. Petersburg when he was buying his hunting rifle.
Bellingcat contacted Rusich before publication to ask about the details in this story but did not receive a response.
Aiganysh Aidarbekova contributed to this report for Bellingcat.
-
bellingcat

-
Australian Cocaine Pilot Killed in Brazil Plane Crash Linked to Kinahan Drug Cartel
This article is the result of a collaboration with The Sunday Times.

An Australian pilot who recently died when his small plane crashed in South America during a failed drug run has links to an alleged Kinahan cartel associate who is facing charges over the importation of a multimillion dollar cocaine shipment to Western Australia.
The body of former Melbourne stockbroker Timothy James Clark was reportedly found at the wreckage of his single-engine Sling 4 in Brazil’s north-east on September 14, along with about 200kg of cocaine.

Local media said Clark was the sole occupant of the aircraft, which had been fitted with additional fuel tanks and appeared to have its transponder turned off.
Melbourne newspaper The Age reported on Thursday that Clark’s failed mission in South America was not his “first rodeo” and quoted a confidential source who alleged that the 46-year-old had been involved in a drug smuggling operation in Western Australia last year.
The Australian Federal Police (AFP) charged German businessman Oliver Andreas Herrmann and Melbourne man Hamish Falconer with trafficking a commercial quantity of a controlled drug in December after a search of their hotel rooms uncovered 200kg of cocaine, packed in suitcases in single one-kilogram blocks, along with night vision goggles, aviation equipment and a hardware cryptocurrency wallet.

Herrmann had allegedly met a “small aircraft” at the remote Overlander Airstrip the day before his arrest. The AFP has not disclosed the make and model of the aircraft but said it had not seized an aircraft as part of its investigation.
Investigators estimated the street value of the drugs to be AUD $65 million and said an “organised crime syndicate” was likely responsible for the scheme.
In March, Bellingcat published an open source analysis of Herrmann’s online footprint and traced the champion marathon runner and international businessman to locations associated with the US-sanctioned Kinahan Organised Crime Group.

It followed reporting by our publishing partner The Sunday Times, which revealed that Herrmann had “close financial ties” to Christy Kinahan, the 68-year-old founder of the eponymous international drug cartel. Herrmann had no previously known links to organised crime.
Bellingcat has now uncovered evidence linking alleged Kinahan cartel associate Herrmann to Timothy Clark, the Australian who was killed when his plane crashed in Brazil two weeks ago.

Using online tools that consolidate publicly available information and reverse image searches, Bellingcat found more than a dozen accounts registered to Clark across social media platforms, travel websites and review platforms.
This open source review shows that the Australian pilot – who used the moniker “The Broker” on X and Instagram – documented his travels to more than 20 countries across Africa, South America, Europe and Asia over the past decade.
Clark frequently used Tripadvisor to post reviews, including about chartering a catamaran in Bali and the VIP service at a Saint-Tropez bar where he spent €5,500 on “ultra topshelf” drinks.

Clark was also an associate of Oliver Herrmann; the German businessman’s Facebook profile shows he was “friends” with the Australian pilot. And a 2018 restaurant review posted by Clark included a photo that shows the pair dining together in the Zimbabwean capital of Harare.
The filename of the photo is dated March 2, the same day that Herrmann logged a run in Harare on the fitness app, Strava. In the same week, Clark posted a review for a Harare bar close to where Herrmann recorded another GPS-tracked run on the same day.

Herrmann, an acclaimed runner who won the 2016 Munich Marathon, logged more than 2,500 activities across dozens of countries on Strava between 2013 and 2023. His use of the fitness app provided an extensive overview of his travels during that period.
Corporate records show Herrmann has been involved at senior levels with companies active in the fields of fintech, mining and consulting.

Like Christy Kinahan, Clark had an active Google Maps profile where he posted reviews, photos and ratings. His profile used the alias “John Smithe”, but Clark is pictured in one of the images posted by the account and his real name is used in a reply from one of the venues, confirming it belongs to him.
Clark also left Tripadvisor reviews for two Zimbabwean venues – the Amanzi Lodge and Thetford Estate – which Christy Kinahan later attended, according to the cartel leader’s own Google Maps profile.
Clark, who lived in South Africa before his death, was also just one of eight X followers of Adam Wood, a known associate of Christy Kinahan in Africa.

South African news outlet City Press reported last week that Clark also operated a second aircraft for “legitimate” flights, a Beechcraft King Air 350 with Malawi registration number 7Q-YAO.
Bellingcat previously revealed that this aircraft was purchased in the US by an Indonesian company linked to Oliver Herrmann’s partner. It was then flown to Southern Africa by a ferry pilot who had also piloted a Pilatus PC-12 previously associated with a Kinahan-linked company.
Clark posted a Google review for a business at Lanseria Airport in Johannesburg on the same day in April 2024 that the Beechcraft King Air 350 landed there, according to tracking data from ADS-B Exchange.

The Sunday Times reports today that the Sling 4 kit-plane piloted by Clark had been heavily modified for transatlantic flights. A source told the newspaper that Clark replaced the engine at least once in Brazil, indicating he was continuously flying it long-haul, and may have fitted a third engine due to the number of flying hours he was accumulating.
Clark’s plane crashed about an 11-hour flight from the Amazon basin, a region that has become a major trafficking route for cocaine bound for Europe, the drug’s fastest-expanding market.

Tonnes of the drug flow from neighbouring Peru and Colombia, moving through the Amazon before being shipped to Europe and Africa.
The Sunday Times said Clark and Herrmann’s alleged activities suggested the Kinahan cartel had opened new smuggling routes for smaller shipments following a succession of seizures of cocaine consignments by police forces across Europe.
Oliver Herrmann, who has no known convictions, has not yet entered a plea. His case is listed for a committal mention in Perth Magistrates Court on October 10.
Peter Barth, Connor Plunkett, Beau Donelly and John Mooney contributed to this article.
-
bellingcat

-
Ukraine’s Contaminated Land: Clearing Landmines With Rakes, Tractors and Drones
This story was produced in partnership with Agence France-Presse (AFP).
In a field near the small town of Bezymenne in southern Ukraine, Viktoria Shynkar carefully picks out a narrow path through the overgrown grass in front of her.
This small corridor of farmland in Mykolaiv Oblast will be checked for the presence of landmines and explosive ordnance.
If clear, Shynkar – a 36-year-old who worked as a hairdresser before Russia’s full-scale invasion in February 2022 – will move forward and create another space of the same size.
While she enjoys spending her days outside, it remains painstaking and dangerous work.

Shynkar and her colleagues, who work for the demining charity the Halo Trust, uncovered 243 TM-62 Soviet-designed anti-tank mines left by the Russian army in a neighbouring field.
A chunky and intimidating 32-centimetres in diameter and 13-cm-wide, the TM-62 contains 7.5 kilos of TNT and can puncture a tank if triggered.
The presence of landmines and other unexploded ordnance is a significant issue in Ukraine, impacting civilians and Ukraine’s agricultural industry – a major employer and source of income to the country.
Data Challenges
Numerous bodies have sought to calculate the impact of landmines on Ukraine since the onset of Russia’s full invasion.

Established by the Ministry of Defence, the country’s National Mine Action Centre (NMAC) has produced a map that highlights areas it confirms as hazardous and areas suspected of being hazardous, as well as those that have been cleared or checked for hazards. It can be seen here and in the image below.
The information is collated from over 80 demining groups operating in the country, which employ people like Shynkar. They collect data from the field and share it with the NMAC who upload it to this map made using the IMSMA platform produced by the Geneva International Centre for Humanitarian Demining.

Yet the data the NMAC map contains, while significant, is only partial.
For example, it only creates a picture for the Ukrainian side of the front line, and just parts of it at that, with an area 20 kilometres from the frontline inaccessible to demining groups. Those same demining groups are also not operating in Russian-controlled regions, making the overall picture even less clear.
Furthermore, just because an area may be noted as not being impacted in landmine datasets doesn’t mean that it is not at risk from mines or other explosive ordnance that may not have detonated on impact. Some may simply not have been found yet.
Waiting for Demining Groups To Visit
This is a concern for Ihor Kniazev, a farmer from the town of Dovhen’ke in Kharkiv Oblast. He complains to AFP that he has been waiting a long time for demining groups to visit. “Every year, they promise ‘tomorrow, tomorrow, we will clear all the fields’,” he says.
Kniazev says that he undertook the dangerous task of clearing his own fields with a metal detector. “Everyone clears mines themselves, absolutely everyone,” he insists. He even says that he ran over a mine in his tractor and was lucky not to be injured.
An interactive map shows the area around Dovhen’ke overlaid with data from Ukraine’s National Mine Action Centre (NMAC). Areas shaded red depict confirmed hazardous areas, according to NMAC data. Areas shaded yellow depict suspected hazardous areas, according to NMAC data. Data source here. Areas coloured light green on the map depict agricultural land as defined by Ukraine’s Ministry of Agriculture crop map tool. Data source here. Map credit: Logan Williams and Galen Reich/Bellingcat.
While Kniazev found that his land was indeed contaminated, his predicament highlights an important issue in demining in Ukraine and for farmers returning to areas that were previously occupied or near lines of contact.
While some areas are clearly identified as being mined, there remains uncertainty around those that are only suspected of being mined.
Several experts AFP and Bellingcat spoke to warned of the economic damage that could arise from suspicions that turn out to be incorrect. As a 2024 UN Development Programme report stated, areas suspected of being contaminated but not actually contaminated are either left alone or subjected to the same lengthy clearance process at what can be significant cost.
Such land could otherwise be used to grow crops and help reestablish returning farmers. Ukraine remains a huge food exporter despite the war, ensuring the issue is significant beyond its borders.
Some farmers AFP spoke to highlighted the complexity of trying to figure out which areas were contaminated and which were not.

When Detectors Become Useless
In the town of Kamyanka in Kharkiv Oblast, Victor and Larisa Sysenko talk about their gratitude to a team from the Fondation Suisse de Déminage (FSD) who helped clear their land with the help of a specialist demining machine. “There were lots of explosions under that machine,” recalled Larisa.
Many of the mines were PFM-1 anti-personnel mines, which are more sensitive than anti-tank mines and can be deadly if stepped on by people. The Sysenkos have also had to deal with the danger of unexploded shells, remnants of a Ukrainian assault on retreating Russian troops in 2022 that remained burrowed in the soft soil without exploding.
However, in a selection of other fields nearby, it was a different story as FSD deminers found only three explosive remnants after a long and time-consuming search.
One of the FSD team told AFP that the metal contamination in these fields was “so immense that our detectors became useless, constantly beeping”. Of the thousands of metal fragments detected, the vast majority proved non-explosive.
An interactive map shows the area around Kamyanka overlaid with data from Ukraine’s National Mine Action Centre (NMAC). Areas shaded red depict confirmed hazardous areas, according to NMAC data. Areas shaded yellow depict suspected hazardous areas, according to NMAC data. Data source here. Areas coloured light green on the map depict agricultural land as defined by Ukraine’s Ministry of Agriculture crop map tool. Data source here. Map credit: Logan Williams and Galen Reich/Bellingcat.
A few hundred miles to the west in the town of Korobchyne, Mykola Pereverzev describes building a remote-controlled tractor to try and activate all of the mines laid in around 200 hectares of fields present there.
Pereverzev, who works for an agricultural firm, describes the tractor being blown up and building another as the first was beyond repair.
The land is eventually being used again, and Pereverzev is putting down herbicides in the soil to sow sunflowers.
But doubts remain about what may lie beneath.
“Soldiers have the saying that you can pass through one place normally five times, and blow up on the sixth time. Even professionals blow up, so what about us? We are just an agriculture company,” he says.
An interactive map shows the area around Korobchyne overlaid with data from Ukraine’s National Mine Action Centre (NMAC). Areas shaded red depict confirmed hazardous areas, according to NMAC data. Areas shaded yellow depict suspected hazardous areas, according to NMAC data. Data source here. Areas coloured light green on the map depict agricultural land as defined by Ukraine’s Ministry of Agriculture crop map tool. Data source here. Map credit: Logan Williams and Galen Reich/Bellingcat.
Falling Exports
Unsurprisingly, Ukraine’s agricultural exports have been severely impacted since the onset of Russia’s full invasion.
The country’s Agriculture Minister, Vitaliy Koval, told AFP that “grain production has dropped from 84 million tons in 2021 to 56 million tons.”
He continued: “Ukraine has 42 million hectares of agricultural land, including arable land. On paper, we can cultivate 32 million hectares. But available, non-contaminated, non-occupied land? 24 million hectares.”
“When we come to Brussels (to prepare Ukraine’s future EU membership), they show us an infographic saying we have 42 million hectares. But the reality, unfortunately, is 24 million,” Koval said.
Not all of this is down to the presence of landmines or explosive ordnance, of course. Other factors also contribute to agricultural output. These include land being located in areas of ongoing fighting, farm equipment being destroyed or farmers joining the armed forces, fleeing to safety or not returning.
Yet landmines remain a significant part of the mix.
Koval’s office stated that just over 123,000 km2 of land still needs to be assessed for the presence of landmines or explosives. That is a huge area, almost the same size as Greece, much of which remains inaccessible along the 1,500 km frontline.
In terms of agricultural areas that are accessible and have been assessed thus far, however, 14,200 hectares was defined by the Ministry of Agriculture as being contaminated. As of May 2025, 11,800 hectares of this area had been cleared, the ministry said.
To be clear, though, these figures don’t take into account areas that remain suspected of being contaminated or the large frontline area that is currently inaccessible to demining groups, all of which will need to be assessed at some point in the future. If Ukraine were to withdraw from the Ottawa Convention on anti-personnel mines, as it said it would last week, this would likely add another layer of complexity to future demining efforts. Russia never signed the 1997 convention and several of Ukraine’s neighbors have recently signaled they may leave the treaty as well.
Making Choices
Paul Heslop is Programme Manager for Mine Action at the UN Development Programme in Ukraine. Like all experts who were interviewed for this article, he is cautious about making precise estimations as to the scale of the landmine issue given the length of the frontline and the many unknowns that remain in a country at war.
Yet he acknowledges to AFP that it is significant, with likely millions of mines or unexploded shells in the ground in Ukraine.
But he adds that by organising and being strategic about which areas are prioritised for assessment, land that is of the most importance can potentially be put back to productive use first.
The most contaminated land will fall within the area closest to the frontline, he told AFP. Just beyond that, there is an area that is still significantly impacted, although less intensely, he adds. Within this area “you have got critical infrastructure, bridges, power lines, power plants … transformers, schools, hospitals. They need to be cleared first,” he says.
By way of example, Heslop points to farming areas north of Kyiv or between the Ukrainian capital and Kharkiv that were occupied in the early days of the war. “A lot of that land has now been assessed as not contaminated … or the areas that were contaminated have now been cleared.”
Still, some areas – especially along the current frontline – will remain under assessment for a long time, he acknowledges.

Pete Smith is another prominent hand in the demining game.
He oversees the work of the Halo Trust and their 1,500 staff in Ukraine. Like Heslop, he recognises the scale of the challenge, suggesting Ukraine may be the most mined country in the world. But he also sees hope in new technological solutions that may quicken the pace of demining.
Speaking to AFP, he said: “We are able to innovate and bring technology such as satellite imagery, drone imagery, all helping us just to drill down to identify where those pockets of concentration of landmines and explosive ordnance are.”
He describes analysts looking at drone and satellite images “pixel by pixel” to locate mines and employing AI algorithms to aid the search. Yet while enthused by such developments, Smith adds: “It’s not an industrial process yet.”
“We’re getting low-level benefits,” he adds. “But I think it is that area where we will continue to grow.”
For the time being, those out in the field, like Viktoria Shynkar, will continue the job of demining Ukraine.

As of May 31, 2025, she had been with the Halo Trust for a year. It’s a position she feels comfortable in despite the danger that comes with the job.
“Not once have I regretted [taking on the work], not at all,” she says. “I like the job very much. Because there are many good people here, and I feel like I’m resting at work.”
On top of that, the impact of what she is doing gives her satisfaction.
“There’s a lot of contamination … and farmers can’t work, can’t grow crops,” she says.
“We really need this, so I want to help however I can, so that our country can prosper.”
Eoghan Macguire, Gyula Csák, Logan Williams and Galen Reich contributed to this report for Bellingcat.
Boris Bachorz reported for AFP with contributions from Yulia Surkova, Kseniia Tomchik and Oleksii Obolensky.
Editor’s note: This article was updated on July 2, 2025, to include the name of the Fondation Suisse de Déminage.