<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Ozan Akyol &#8211; Digital Intelligence</title>
	<atom:link href="https://www.digitalintelligence.at/author/ozan/feed/" rel="self" type="application/rss+xml" />
	<link>https://www.digitalintelligence.at</link>
	<description>by Ozan Akyol</description>
	<lastBuildDate>Sun, 26 Apr 2026 16:15:50 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.9.4</generator>

<image>
	<url>https://www.digitalintelligence.at/wp-content/uploads/2025/11/android-chrome-512x512-1-60x60.png</url>
	<title>Ozan Akyol &#8211; Digital Intelligence</title>
	<link>https://www.digitalintelligence.at</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>Austria Finally Drafts a Real Espionage Law. The Ott Trial Will Decide Whether It Matters.</title>
		<link>https://www.digitalintelligence.at/austria-finally-drafts-a-real-espionage-law-the-ott-trial-will-decide-whether-it-matters/</link>
		
		<dc:creator><![CDATA[Ozan Akyol]]></dc:creator>
		<pubDate>Sun, 26 Apr 2026 16:13:51 +0000</pubDate>
				<category><![CDATA[Europe]]></category>
		<category><![CDATA[Intelligence]]></category>
		<category><![CDATA[Security]]></category>
		<guid isPermaLink="false">https://www.digitalintelligence.at/?p=4445</guid>

					<description><![CDATA[Austria has spent the better part of half a century letting foreign intelligence officers run operations from its capital, because the law, quite literally, does not care as long as the target is somebody else. Section 256 of the Criminal Code criminalises espionage only when it is directed against the Austrian state. So if a Russian, Chinese or Iranian officer sits in a Viennese café and tasks a contact to collect on the IAEA, surveil a dissident who fled here precisely because she thought the Republic would protect her, or lift material from an OSCE delegation, none of that is]]></description>
										<content:encoded><![CDATA[
<p>Austria has spent the better part of half a century letting foreign intelligence officers run operations from its capital, because the law, quite literally, does not care as long as the target is somebody else.</p>



<p>Section 256 of the Criminal Code criminalises espionage only when it is directed against the Austrian state. So if a Russian, Chinese or Iranian officer sits in a Viennese café and tasks a contact to collect on the IAEA, surveil a dissident who fled here precisely because she thought the Republic would protect her, or lift material from an OSCE delegation, none of that is a crime under Austrian law. The targeted state can complain. The targeted institution can withdraw cooperation. Austria itself has nothing to charge.</p>



<p>This is what produces the &#8220;spy capital&#8221; cliché. The figure people quote is 7,000 hostile officers operating in this city. It comes from the Austrian Center for Intelligence and Security Studies and is several years old. I have my doubts about that level of precision, since counting people whose entire job is not being counted is a strange exercise. But the structural fact the number gestures at is real, and any allied service will tell you the same thing about Vienna without much prompting.</p>



<p>On 9 March, the Justice Ministry circulated a draft bill that finally moves to close §256. Falter obtained the text and reported on 3 April. Bloomberg followed the same morning. The draft is now sitting with the ÖVP-NEOS coalition partners.</p>



<p>The headline change is a new §319a, criminalising espionage against international organisations headquartered in Austria, with prison terms of six months to five years. The IAEA, UNOV, the OSCE, the EU Agency for Fundamental Rights, all of them become protected. Operating against them from Austrian soil becomes a domestic offence rather than a diplomatic embarrassment that the Foreign Ministry has to manage privately.</p>



<p>That is the part everyone is writing about. The two changes underneath it are more interesting.</p>



<p>The first widens the legal concept of <em>Nachteil der Republik</em>, detriment to the Republic. Under the draft, the conduct does not have to actually harm Austria. It is enough that it is capable of endangering the country&#8217;s reputation, security or prosperity. So espionage against another EU member state, conducted from here, becomes prosecutable on the theory that hosting it could damage Austria&#8217;s relations with the partner. This shifts the offence from a results-based crime toward something closer to abstract endangerment. The Constitutional Court has historically not been comfortable with that kind of construction, and the provision will end up there sooner or later.</p>



<p>The second targets what the trade calls disposable agents. These are the low-skilled people, often very young, recruited through Telegram or Signal to do small, discrete tasks. Photograph a building. Drop a package. Walk behind a target for an afternoon. The Bulgarian cell that worked through Jan Marsalek and was convicted in London last year relied heavily on this model, including in Vienna. Under current law, prosecuting them was awkward, because their individual contribution was small and their knowledge of the wider operation was usually genuine ignorance. The draft makes participation itself the offence, including for volunteers.</p>



<p>The political pressure behind all of this is coming, very specifically, from one courtroom on Landesgerichtsstrasse.</p>



<h2 class="wp-block-heading">The Ott trial</h2>



<p>The trial of Egisto Ott opened on 22 January. Ott is a former officer of the BVT, the domestic intelligence service that was dissolved after the 2018 raid that, more than anything else, destroyed Austria&#8217;s standing inside the European intelligence community for most of the next decade. The indictment runs to 172 pages. The headline charge, which is what makes this politically explosive rather than just embarrassing, is supporting a foreign intelligence service to the detriment of Austria.</p>



<p>Prosecutors say Ott pulled large volumes of personal and operational data from national and international police databases between 2015 and 2021, kept some of it in a private Gmail account, and passed it through Marsalek, the fugitive Wirecard COO who has been in Russia since 2020. The list of alleged products is bad. Addresses of Russian dissidents living in Austria. Phone metadata of senior interior ministry staff. At one point in 2022, a laptop containing classified EU electronic security hardware that ended up with Russian intelligence.</p>



<p>The allegation that should make any journalist in this region uncomfortable is that Ott provided Marsalek with the Vienna address of Christo Grozev, the Bellingcat investigator who has spent years exposing GRU operations from Salisbury to Berlin. Marsalek arranged for the apartment to be broken into. Grozev eventually left Austria after being told the threat to him was credible. Anna Thalhammer at Profil, who has been writing on Ott and Marsalek for years, is a witness in the trial and has described being a target of disinformation and physical surveillance in this city.</p>



<p>The personal details are not the point. The point is that the same investigation that produced Ott&#8217;s arrest also surfaced what the Bulgarian cell had been doing in Vienna for months, and almost none of it was prosecutable here. That is the political fact that finally moved the bill.</p>



<h2 class="wp-block-heading">Two things missing from the conversation</h2>



<p>The first is operational capacity. Writing §319a into the Criminal Code is one parliamentary vote. Building the kind of counter-intelligence service that can actually make a §319a case against a foreign professional working under official or commercial cover in Vienna is several budget cycles, at minimum.</p>



<p>The DSN took over from the BVT in late 2021 and is still rebuilding. Sylvia Mayer started as the first female DSN director on 1 January. Allied services I have spoken to over the past two years tend to describe the DSN as analytically competent and operationally thin, and the gap between those two things is exactly where §319a cases live. I am not saying nothing will happen. I am saying that for the first two or three years after this passes, the cases that get charged will probably look like the Bulgarian one, meaning they will fall into Austria&#8217;s lap because someone else made the original arrests.</p>



<p>The second is press freedom. The widened <em>Nachteil der Republik</em> language is broad enough that I can already see a future prosecutor reaching for it against a journalist who publishes material the government finds awkward, particularly anything connected to allied state operations on Austrian soil. I want a clear source-protection carve-out in the final text. Falter&#8217;s reporting did not mention one. The Justice Ministry will presumably say existing media protections apply. In practice they do not always apply, especially when the story embarrasses a partner government.</p>



<h2 class="wp-block-heading">What this actually changes</h2>



<p>It changes what the prosecutor can charge once a case has been built. That is a real change.</p>



<p>It does not change the geographic and institutional facts that make Vienna useful in the first place. It does not change the diplomatic immunities attached to the several thousand accredited foreign personnel in this city. It does not change the political reality that the FPÖ, currently leading in the polls, has spent the better part of a decade benefiting from the absence of pressure on this question and has every interest in the new law being enforced as gently as possible if and when they are in government.</p>



<p>The Ott verdict is the test, not the law. If a jury sitting through 172 pages of evidence and ninety witnesses cannot bring itself to convict a former officer on the espionage count, the new statute will not matter, because no prosecutor will want to be the one to bring the next case. If they do convict, the Republic will have signalled, for the first time in a long time, that it is prepared to treat espionage on its territory as the serious matter it has always been.</p>



]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Open Source, Ignored: Why Europe Must Get Serious About Social Media Threat Monitoring Before the Next School Attack</title>
		<link>https://www.digitalintelligence.at/open-source-ignored-why-europe-must-get-serious-about-social-media-threat-monitoring-before-the-next-school-attack/</link>
		
		<dc:creator><![CDATA[Ozan Akyol]]></dc:creator>
		<pubDate>Thu, 16 Apr 2026 10:43:33 +0000</pubDate>
				<category><![CDATA[Intelligence]]></category>
		<category><![CDATA[OSINT]]></category>
		<category><![CDATA[Security]]></category>
		<guid isPermaLink="false">https://www.digitalintelligence.at/?p=4434</guid>

					<description><![CDATA[On April 15, 2026, a 14-year-old student walked into Ayser Çalık Middle School in Kahramanmaraş, Turkey, carrying five firearms and seven magazines. By the time it was over, nine people were dead. One of them was a math teacher named Ayla Kara, who died trying to shield her students. The attacker, İsa Aras Mersinli, also died. He turned the gun on himself. In the hours that followed, investigators began working through his digital life. What they found was not a mystery. It was a map, drawn in plain sight, that nobody had thought to read. A Profile Picture as a]]></description>
										<content:encoded><![CDATA[
<p>On April 15, 2026, a 14-year-old student walked into Ayser Çalık Middle School in Kahramanmaraş, Turkey, carrying five firearms and seven magazines. By the time it was over, nine people were dead. One of them was a math teacher named Ayla Kara, who died trying to shield her students.</p>



<p>The attacker, İsa Aras Mersinli, also died. He turned the gun on himself.</p>



<p>In the hours that followed, investigators began working through his digital life. What they found was not a mystery. It was a map, drawn in plain sight, that nobody had thought to read.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<h2 class="wp-block-heading">A Profile Picture as a Manifesto</h2>



<p>Mersinli&#8217;s WhatsApp profile picture was a photo of Elliot Rodger.</p>



<p>For those unfamiliar with the name: Rodger was a 22-year-old who, in May 2014, killed six people in Isla Vista, California, before taking his own life. Before the attack, he uploaded videos explaining his motivations and left behind a 137-page document he called his manifesto. He had become, in the years since, an icon in online communities built around male grievance, rejection, and the glorification of mass violence. He is arguably the most influential figure in the so-called &#8220;incel&#8221; subculture that has since been linked to multiple attacks across North America and Europe.</p>



<p>A teenager in southern Turkey had put this man&#8217;s face as his public-facing identity. He had done it voluntarily. He had done it where anyone who knew him could see it.</p>



<p>His computer also contained a document, dated April 11, 2026, four days before the attack, describing what he was planning to do.</p>



<p>The Turkish Prosecutor&#8217;s Office confirmed the attack was premeditated. There was no spontaneity here. There was a timeline, a target, and a model.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<h2 class="wp-block-heading">The Telegram Layer</h2>



<p>The attack in Kahramanmaraş did not happen in isolation. The same week, another school in Şanlıurfa was targeted. And in the immediate aftermath, a Telegram group called &#8220;C31K,&#8221; with approximately 100,000 members, began circulating messages celebrating the attackers and posting specific schools, dates, and locations as the next targets.</p>



<p>Turkish authorities identified 591 social media accounts spreading what they described as disinformation and provocation. Cybercrime units opened investigations. The group had previously been connected to two separate murder cases in Turkey.</p>



<p>This is a pattern that European security analysts should be paying very close attention to.</p>



<p>What we are seeing is not just copycat violence driven by media coverage. It is something more structured: online communities that actively cultivate the mythology of mass attackers, offer belonging to isolated and radicalized young people, and then, after an attack, use it as recruitment material and operational inspiration for the next one. The digital infrastructure of this ecosystem runs primarily through encrypted messaging platforms, gaming communities, and fringe imageboards, most of which operate with minimal oversight.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<h2 class="wp-block-heading">The Incel Pipeline and Its European Reach</h2>



<p>The incel phenomenon is not a Turkish story. It is not an American one either. Since Rodger&#8217;s 2014 attack, the ideological framework he helped define has been cited in mass casualty events in Canada, the United Kingdom, Germany, and Finland. In 2018, a van attack in Toronto killed ten people. In 2021, a man in Plymouth, England, killed five. In both cases, investigators found significant engagement with incel forums and, in particular, with content venerating Elliot Rodger specifically.</p>



<p>What connects Kahramanmaraş to Plymouth to Toronto is not geography. It is an online ecosystem that operates without borders and targets young men who feel, for whatever reason, invisible and powerless.</p>



<p>In Mersinli&#8217;s case, the behavioral indicators were present. Teachers described him as withdrawn and increasingly isolated. He was reportedly spending large amounts of time online. His social media profile displayed an open tribute to a foreign mass killer. His computer contained a pre-attack document. None of this triggered a formal intervention.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<h2 class="wp-block-heading">What Monitoring Actually Means</h2>



<p>There is a legitimate debate in Europe about the limits of social media surveillance, and it is a debate worth having. The GDPR framework, fundamental rights law, and democratic principles all impose real constraints on how states can monitor private communications. Those constraints exist for good reason.</p>



<p>But what happened in Kahramanmaraş was not a question of encrypted messages or private channels. Mersinli&#8217;s profile picture was visible to anyone who had his contact. His behavioral isolation was observable to teachers and classmates. The warning signs were not hidden. They were unread.</p>



<p>This is where the conversation about monitoring needs to be more precise. The choice is not between mass surveillance and willful blindness. There is a middle space that involves:</p>



<p><strong>Training educators and school counselors</strong> to recognize the specific behavioral and digital markers associated with radicalization toward mass violence. A student who idolizes a foreign school shooter is not simply &#8220;troubled.&#8221; That is a specific and documented warning sign with its own established literature.</p>



<p><strong>Building structured reporting pathways</strong> between schools and threat assessment teams. Several European countries, including Germany and the Netherlands, have developed multi-agency behavioral threat assessment programs modeled on the US Secret Service&#8217;s work in this area. These programs work when they are actually resourced and integrated into school environments.</p>



<p><strong>Monitoring open-source digital signals</strong> without requiring access to private communications. What Mersinli displayed on his profile was open-source. A school or a social worker or a platform flagging system could theoretically have caught it. The question is whether any of those systems were in place or whether anyone was looking.</p>



<p><strong>Engaging platform providers on incel content specifically.</strong> The Telegram group that celebrated the Kahramanmaraş attack had 100,000 members and had already been linked to two previous murders. That it continued to operate until this moment is a failure of platform governance, not an intelligence gap.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<h2 class="wp-block-heading">The Copycat Problem Is Structural</h2>



<p>One of the more uncomfortable findings in mass violence research is that extensive media coverage of attackers, particularly sympathetic or fascinated coverage that focuses on the attacker&#8217;s psychology and background, demonstrably increases the probability of subsequent attacks. The so-called &#8220;contagion effect&#8221; has been documented in peer-reviewed research for decades.</p>



<p>Online communities have essentially weaponized this effect. They do not just report on attacks. They archive them, analyze them, build personas around the perpetrators, and actively market them as role models to young men who are already vulnerable. Elliot Rodger has been dead for twelve years. He has, in that time, inspired more violence than he carried out himself.</p>



<p>Mersinli did not invent his frame of reference. Someone, or more likely some community, handed it to him. That community is still operating. It has 100,000 members in a single Telegram group in Turkey alone.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<h2 class="wp-block-heading">What Europe Should Be Doing Differently</h2>



<p>The EU&#8217;s Digital Services Act, fully in force since 2024, creates obligations for very large online platforms to assess and mitigate systemic risks, including risks to public security. Mass violence glorification communities of 100,000 members on major messaging platforms are, by any reasonable reading, a systemic risk. Whether the DSA&#8217;s enforcement mechanisms are being applied to this specific category of content with any seriousness is an open question.</p>



<p>At the national level, the more practical gap is in threat assessment capacity at the local level. National intelligence services are not positioned to monitor every isolated teenager in every European school. But schools, social services, and local police can be. They need better tools, better training, and better coordination structures to do it.</p>



<p>The UK&#8217;s Channel program, Germany&#8217;s VERA-2 radicalization assessment tool, and the Netherlands&#8217; integrated approach to neighborhood-level threat assessment all represent the kind of infrastructure that can catch individuals before they cross a threshold. The precondition is that people in daily contact with at-risk youth know what they are looking for.</p>



<p>A boy who puts Elliot Rodger on his profile picture is telling you something. The question is whether anyone in his environment had been taught to hear it.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<h2 class="wp-block-heading">A Note on What This Is Not</h2>



<p>This is not a case where better surveillance technology would have made the difference. It is not a case for reading teenagers&#8217; private messages or expanding state access to encrypted communications. The signals that Mersinli sent were not encrypted. They were in plain view on a platform billions of people use every day.</p>



<p>What failed was human awareness, institutional training, and platform responsibility. Those are solvable problems, and solving them does not require trading privacy for security. It requires investment, coordination, and a clearer-eyed understanding of how radicalization toward mass violence actually works in 2026.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>AI Broke the Criminal Profile. Now What?</title>
		<link>https://www.digitalintelligence.at/ai-broke-the-criminal-profile-now-what/</link>
					<comments>https://www.digitalintelligence.at/ai-broke-the-criminal-profile-now-what/#respond</comments>
		
		<dc:creator><![CDATA[Ozan Akyol]]></dc:creator>
		<pubDate>Thu, 26 Mar 2026 21:36:48 +0000</pubDate>
				<category><![CDATA[Analysis]]></category>
		<category><![CDATA[Intelligence]]></category>
		<guid isPermaLink="false">https://www.digitalintelligence.at/?p=4428</guid>

					<description><![CDATA[How artificial intelligence is rewriting the rules of criminal behavior, and why the profiler&#8217;s playbook needs a fundamental reset. Criminal profiling has always rested on one core assumption: criminals are creatures of habit. They leave behavioral signatures. They escalate predictably. Their psychology leaks through their methods. For decades, this held up well enough. The FBI&#8217;s Behavioral Analysis Unit built an entire discipline around reading crime scenes like psychological fingerprints, classifying offenders as organized or disorganized, mapping modus operandi against personality types, and predicting the next move based on the last one. Then AI entered the equation. Not as a tool]]></description>
										<content:encoded><![CDATA[
<p>How artificial intelligence is rewriting the rules of criminal behavior, and why the profiler&#8217;s playbook needs a fundamental reset.</p>



<p>Criminal profiling has always rested on one core assumption: criminals are creatures of habit. They leave behavioral signatures. They escalate predictably. Their psychology leaks through their methods. For decades, this held up well enough. The FBI&#8217;s Behavioral Analysis Unit built an entire discipline around reading crime scenes like psychological fingerprints, classifying offenders as organized or disorganized, mapping modus operandi against personality types, and predicting the next move based on the last one.</p>



<p>Then AI entered the equation. Not as a tool for investigators, but as a tool for criminals. And it didn&#8217;t just make crime easier. It fundamentally altered who commits crime, how they behave while doing it, and what traces they leave behind. That shift is quietly dismantling the foundations of classical profiling.</p>



<h2 class="wp-block-heading">The Old Rules</h2>



<p>Traditional profiling works on a set of behavioral axioms. Behavior reflects personality. Crime scenes tell stories about the offender&#8217;s psychology. Signature behaviors, those acts unnecessary for completing the crime but driven by deep psychological needs, remain consistent across offenses. Modus operandi evolves as the offender learns, but the core emotional drivers stay stable.</p>



<p>These principles gave investigators a framework: analyze the scene, read the behavior, build a psychological sketch, narrow the suspect pool. It was never perfect. FBI internal data suggested profiling contributed to solving roughly 17% of cases where it was applied. Academic reviews have been even less generous. But as a supplementary tool alongside forensic evidence and traditional detective work, it had value.</p>



<p>The problem is that every one of these axioms assumes the offender is acting from their own psychology, with their own skills, under their own operational limitations. AI has removed those constraints.</p>



<h2 class="wp-block-heading">The New Criminal Doesn&#8217;t Fit the Old Mold</h2>



<p>Consider what AI has done to the barrier to entry for sophisticated crime. Voice cloning now requires 20 to 30 seconds of audio. Convincing deepfake video can be produced in under an hour using freely available tools. Dark LLMs and jailbreak-as-a-service platforms generate phishing campaigns, social engineering scripts, and even malware with minimal technical knowledge required from the operator.</p>



<p>This is the first major break from classical profiling logic. The old model assumed a correlation between crime sophistication and offender capability. An organized crime scene implied an intelligent, socially competent, methodical individual. A well-crafted social engineering attack suggested experience, psychological insight, and confidence. AI has severed that link entirely. A teenager with a laptop can now execute attacks that would have previously required a team of experienced operatives.</p>



<p>The Trend Micro research team documented this shift in their 2025 criminal AI report: the underground ecosystem has moved from experimentation to industrialization. Criminals no longer build their own tools. They rent them. The barrier has collapsed, the tooling has professionalized, and the attack surface has expanded across every domain. Telegram channels now recruit &#8220;AI video actors&#8221; and &#8220;deepfake presenters&#8221; as a service category.</p>



<p>What does this mean for profiling? It means the behavioral signature, the profiler&#8217;s primary analytical unit, is increasingly a product of the tool rather than the person behind it. When a deepfake CEO orders a wire transfer on a video call, the behavioral cues that investigators would normally analyze (speech patterns, confidence level, emotional state, decision-making style) belong to the AI model, not the attacker. The criminal becomes invisible behind the synthetic layer.</p>



<h2 class="wp-block-heading">AI Doesn&#8217;t Just Enable Crime. It Redirects It.</h2>



<p>Here is the less obvious but more consequential effect. AI isn&#8217;t simply making existing criminal patterns more efficient. It is creating entirely new behavioral categories that classical profiling has no framework to address.</p>



<p>Take synthetic identity fraud. Criminals now build complete fake identities using a mix of real and fabricated data, pass automated KYC checks with AI-generated documents, and operate accounts that leave behind a perfectly normal behavioral footprint. There is no psychological signature to read because the &#8220;person&#8221; never existed. The behavior was designed by algorithm to look average.</p>



<p>Or consider AI-powered behavioral mimicry. Trend Micro and Group-IB both documented cases where AI studied institutional behavior patterns (transaction timing, approval workflows, communication styles) and then replicated them precisely to avoid triggering fraud detection. The criminal isn&#8217;t acting like themselves anymore. They are acting like the system expects a legitimate user to act. This is the opposite of what profiling relies on: instead of behavior revealing identity, behavior is engineered to conceal it.</p>



<p>The 2025 AI Incident Database recorded 346 AI-related incidents in a single year. Of those, 179 involved deepfake impersonation. The targets ranged from CEOs to private individuals. In one case, a British widow lost half a million pounds in a romance scam powered by deepfake video of a celebrity. A Florida couple lost $45,000 to a fabricated Elon Musk giveaway. These are not sophisticated adversaries with complex psychological profiles. These are operators running playbooks, sometimes literally purchased as step-by-step tutorials from underground forums.</p>



<h2 class="wp-block-heading">The Profiling Crisis</h2>



<p>Classical profiling depends on three things that AI is systematically eroding:</p>



<p><strong>Behavioral consistency.</strong> AI allows criminals to switch personas, communication styles, and operational methods between attacks with zero psychological cost. There is no escalation pattern to track because each attack can be calibrated independently by the tool.</p>



<p><strong>Skill-behavior correlation.</strong> The assumption that crime complexity reflects offender sophistication is broken. AI democratizes capability. The profile of &#8220;who could do this&#8221; expands from a narrow suspect pool to essentially anyone with internet access and basic prompt engineering skills.</p>



<p><strong>Psychological leakage.</strong> Crime scenes and communications used to leak the offender&#8217;s personality involuntarily. When AI generates the phishing email, conducts the video call, or crafts the social engineering script, the psychological content belongs to the model&#8217;s training data, not the operator&#8217;s mind.</p>



<p>This doesn&#8217;t mean profiling is dead. But it means the discipline needs to shift its unit of analysis. Instead of asking &#8220;what kind of person did this,&#8221; investigators increasingly need to ask &#8220;what kind of toolchain produced this behavior.&#8221; The profiling target is migrating from psychology to infrastructure.</p>



<h2 class="wp-block-heading">Where Profiling Still Works, and Where It Can&#8217;t</h2>



<p>Profiling retains value in crimes that remain fundamentally physical and personal: serial violent offenses, sexual crimes, stalking, arson. These still carry strong behavioral signatures because the offender&#8217;s psychological needs drive the act directly, not through a technological intermediary.</p>



<p>But for the fastest-growing categories of crime (fraud, identity theft, business email compromise, financial manipulation, extortion through synthetic media), classical profiling is increasingly irrelevant. The offender&#8217;s psychology matters less than their toolkit. Their behavioral patterns are shaped more by the AI model they are using than by their own personality.</p>



<p>The intelligence community and law enforcement agencies that recognize this shift will adapt. Those that keep trying to build psychological profiles of operators who are essentially invisible behind AI-generated behavior will waste time and resources chasing ghosts.</p>



<p>The profiler&#8217;s question used to be: <em>Who is this person?</em></p>



<p>Now it needs to be: <em>What system is this person hiding behind, and where does that system leak?</em></p>



]]></content:encoded>
					
					<wfw:commentRss>https://www.digitalintelligence.at/ai-broke-the-criminal-profile-now-what/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>The First Cyber War: How Digital Intelligence Shaped Operation Epic Fury</title>
		<link>https://www.digitalintelligence.at/the-first-cyber-war-how-digital-intelligence-shaped-operation-epic-fury/</link>
					<comments>https://www.digitalintelligence.at/the-first-cyber-war-how-digital-intelligence-shaped-operation-epic-fury/#respond</comments>
		
		<dc:creator><![CDATA[Ozan Akyol]]></dc:creator>
		<pubDate>Mon, 16 Mar 2026 02:30:49 +0000</pubDate>
				<category><![CDATA[Analysis]]></category>
		<category><![CDATA[Intelligence]]></category>
		<category><![CDATA[Worldwide]]></category>
		<category><![CDATA[hybrid threats]]></category>
		<category><![CDATA[intelligence analysis]]></category>
		<category><![CDATA[threat intelligence]]></category>
		<guid isPermaLink="false">https://www.digitalintelligence.at/?p=4422</guid>

					<description><![CDATA[I&#8217;ve been covering cyber threats for years now, and I&#8217;ve sat through countless conference panels where retired generals talk about &#8220;the coming cyber war.&#8221; Always in the future tense. Always hypothetical. That era is over. On February 28, the US and Israel hit Iran. But the shooting started in cyberspace. Hours before any jet crossed Iranian airspace, US Cyber Command had already gutted Tehran&#8217;s communications and sensor networks. General Dan Caine confirmed it publicly: space and cyber operations came first, leaving Iran unable to &#8220;see, coordinate, or respond effectively.&#8221; Think about what that means. By the time the bombs dropped,]]></description>
										<content:encoded><![CDATA[



<p>I&#8217;ve been covering cyber threats for years now, and I&#8217;ve sat through countless conference panels where retired generals talk about &#8220;the coming cyber war.&#8221; Always in the future tense. Always hypothetical. That era is over.</p>



<p>On February 28, the US and Israel hit Iran. But the shooting started in cyberspace. Hours before any jet crossed Iranian airspace, US Cyber Command had already gutted Tehran&#8217;s communications and sensor networks. General Dan Caine confirmed it publicly: space and cyber operations came first, leaving Iran unable to &#8220;see, coordinate, or respond effectively.&#8221; Think about what that means. By the time the bombs dropped, the Iranian military was already operating blind.</p>



<p>And it only got stranger from there.</p>



<h2 class="wp-block-heading">Tehran&#8217;s traffic cameras killed the Supreme Leader</h2>



<p>This is the part that reads like fiction but isn&#8217;t. Israeli intelligence had been inside Tehran&#8217;s traffic camera network for what appears to be months, possibly longer. Not just watching. Feeding the footage into a machine alongside CIA human intelligence, signals intercepts, satellite imagery, communications metadata. The Financial Times was first to report the scope of it. One Israeli source called the whole setup an AI-powered &#8220;target production machine.&#8221; You pour data in, you get a 14-digit grid coordinate out.</p>



<p>They built what they called a &#8220;life pattern&#8221; for Khamenei. His routes. His schedules. Which aides traveled with him. When his security detail was thinnest. The Jerusalem Post reported that Israeli analysts mapped these patterns over an extended period, cross-referencing traffic camera data with other intelligence streams.</p>



<p>Then the CIA confirmed Khamenei would attend a senior military meeting on the morning of the 28th. The entire operation timeline shifted around that single piece of intelligence. The result: Khamenei dead, along with the IRGC commander, the defense minister, the chief of staff, the head of the National Defense Council. More than a dozen top officials, gone before lunch.</p>



<p>I keep coming back to what RUSI wrote about this. They pointed out something that gets lost in the spectacle: cyber&#8217;s biggest contribution here wasn&#8217;t disruption. It was reconnaissance. Years of quiet network access, pre-positioned in Iranian infrastructure, activated at the decisive moment. That&#8217;s not a hack. That&#8217;s a long-term intelligence operation that happened to run through fiber optic cables instead of dead drops.</p>



<h2 class="wp-block-heading">Israel doesn&#8217;t want to depend on Silicon Valley for its kill chain</h2>



<p>Here&#8217;s something that should concern anyone in the AI policy space. Haaretz reporter Omer Benjakob told NPR that Israel is building its own military AI systems specifically because it can&#8217;t afford to rely on American commercial platforms. His quote was memorable: &#8220;One day someone will discover we also use Claude, and then there&#8217;ll be a protest in San Francisco, and then they&#8217;ll take Claude away from us.&#8221;</p>



<p>He said this on the record.</p>



<p>The Anthropic dispute with the Trump administration over military use of Claude is well documented at this point. But the strategic implications go deeper than one company&#8217;s ethical stance. If your precision targeting pipeline depends on a model whose provider can revoke access based on a policy change or public pressure campaign, you have a serious sovereignty problem. Israel clearly sees it that way. Others will too.</p>



<p>None of this means AI targeting is ready for primetime, though. The March 8 strike on the Shajareh Tayyebeh school in Minab killed 165 people, 110 of them schoolgirls. The building used to be a military base. Whether AI targeting systems worked off stale data is still under investigation, but a UCL computer scientist put the core issue bluntly: &#8220;This stuff is only two or three years old.&#8221;</p>



<p>Speed and precision are not the same thing. This war is proving that every day.</p>



<h2 class="wp-block-heading">60 hacktivist groups, one internet blackout, and a paradox</h2>



<p>Iran&#8217;s internet dropped to somewhere between 1% and 4% connectivity on February 28. That&#8217;s barely functional. You&#8217;d think that would cripple the regime&#8217;s cyber response. And for the state-run APT groups operating inside Iran, it probably did, at least initially.</p>



<p>But that&#8217;s not how Iran&#8217;s cyber infrastructure actually works. Tehran has spent years building out proxy networks. Hacktivist groups, some loosely affiliated, some directly run by MOIS or the IRGC, operating from outside Iran&#8217;s borders. When the internet went dark domestically, these external nodes lit up.</p>



<p>Unit 42 counted around 60 groups active in the first week alone. Handala Hack, which has documented ties to the Ministry of Intelligence, ran wiper and exfiltration campaigns against Israeli defense targets. On March 12, they hit Stryker, one of the largest medical technology companies in the US. MuddyWater, an IRGC-linked group, turned out to have pre-planted backdoors in Israeli-adjacent defense and financial networks. They didn&#8217;t need to break in after the war started. They were already inside.</p>



<p>March 2 was when things escalated beyond the Middle East. Pro-Russian hacktivist group NoName057(16) formally joined the Iranian coalition. Since then, the combined front has been hitting targets in Cyprus, Romania, across the Gulf states. Government websites, airports, telecom providers. The Russia-Iran cyber axis is no longer theoretical. It&#8217;s operational.</p>



<p>Now, the OT and SCADA claims. Groups have been posting screenshots alleging access to Israeli water systems, Jordanian grain storage controls, various industrial systems. John Hultquist at Google Threat Intelligence has been saying for years that Iran exaggerates its cyber successes for psychological effect, and he&#8217;s right. A lot of these claims don&#8217;t hold up under scrutiny.</p>



<p>But I&#8217;d be careful about dismissing all of it. CyberAv3ngers compromised real US water systems in 2023 using nothing more sophisticated than default passwords on Unitronics PLCs. The capability is proven. What we don&#8217;t know is how much coordination these proxy groups can maintain while their state sponsors are dealing with an actual shooting war.</p>



<h2 class="wp-block-heading">The information battlefield is now indistinguishable from the physical one</h2>



<p>Before the first airstrike, Israel had already compromised BadeSaba, a popular Iranian prayer app with over five million users. They pushed messages to regime supporters urging military defection. They hijacked state news websites to publish anti-regime content. Later, they sent AI-equipped drone swarms over Tehran to hit Basij militia checkpoints.</p>



<p>Iran&#8217;s been playing the same game in reverse for years. Dozens of Israeli nationals recruited through Telegram, paid to commit low-level sabotage: starting fires, spraying antigovernment graffiti, sowing social discord. A Clemson University researcher called Israel&#8217;s approach &#8220;psychological operations integrated with military operations in one clean campaign with a single goal: toppling the Iranian regime.&#8221;</p>



<p>Both sides have turned every digital platform into a weapon. Messaging apps, news sites, social media, traffic infrastructure. There&#8217;s no longer a meaningful line between &#8220;cyber operation&#8221; and &#8220;influence operation.&#8221; It&#8217;s all one battlefield.</p>



<h2 class="wp-block-heading">CISA is running on fumes at the worst possible time</h2>



<p>I can&#8217;t write about this conflict&#8217;s cyber dimension without mentioning what&#8217;s happening at CISA. The agency has lost roughly a third of its staff. The temporary director got reassigned to another corner of DHS right as the war kicked off. FBI and NSA have put out joint warnings about Iranian targeting of US defense contractors and financial firms. Jamie Dimon at JPMorgan went on CNBC and said banks are bracing for a wave of cyber and terrorist attacks.</p>



<p>So at the exact moment when motivated, state-aligned Iranian cyber actors are looking for American targets, the primary agency that&#8217;s supposed to coordinate civilian cyber defense is hollowed out. That should worry people far more than it seems to.</p>



<h2 class="wp-block-heading">European organizations need to pay attention</h2>



<p>The NCSC in the UK puts Iran in the same threat tier as Russia and North Korea. That was true before February 28. It&#8217;s more true now, because the Russian hacktivist groups that joined the Iranian coalition have broadened the targeting aperture into Europe.</p>



<p>Organizations in Austria and the DACH region might feel geographically removed from this conflict. They&#8217;re not. If your supply chain touches Israeli technology, if your cloud provider hosts workloads for companies in targeted sectors, if you run Israeli-manufactured OT equipment, you&#8217;re in scope. CyberAv3ngers targeted Unitronics PLCs in 2023 specifically because they were Israeli-made. That logic doesn&#8217;t stop at borders.</p>



<p>Trellix published research showing that Iranian threat groups have expanded from targeting a handful of countries to more than twenty since the conflict started. Western Europe is on that list. The tactics are familiar: spear-phishing, unpatched edge devices, ransomware that looks criminal but serves state interests, data leaks timed for maximum embarrassment.</p>



<h2 class="wp-block-heading">This doesn&#8217;t end when the bombing stops</h2>



<p>Iranian APT groups like APT42, APT34 and MuddyWater have a well-documented habit of running campaigns for years after the initial trigger. The proxy networks are activated. Russia and Iran have found operational common ground in cyberspace. The infrastructure built for this conflict will be repurposed, not dismantled.</p>



<p>Two decades of defense policy debates about whether cyber is a &#8220;real&#8221; domain of warfare just got their answer. In this conflict, cyber was the opening move, the intelligence backbone, the targeting enabler, the psychological weapon, and the retaliatory instrument of choice for a regime that lost its conventional military options in a matter of hours.</p>



<p>We&#8217;re not waiting for the first cyber war anymore. We&#8217;re in it.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>
]]></content:encoded>
					
					<wfw:commentRss>https://www.digitalintelligence.at/the-first-cyber-war-how-digital-intelligence-shaped-operation-epic-fury/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>The Blind Spot in European Cybersecurity: Why SMEs Are Losing the Attack Surface Battle</title>
		<link>https://www.digitalintelligence.at/the-blind-spot-in-european-cybersecurity-why-smes-are-losing-the-attack-surface-battle/</link>
		
		<dc:creator><![CDATA[Ozan Akyol]]></dc:creator>
		<pubDate>Fri, 27 Feb 2026 16:09:49 +0000</pubDate>
				<category><![CDATA[Europe]]></category>
		<category><![CDATA[Analysis]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[critical infrastructure]]></category>
		<category><![CDATA[hybrid threats]]></category>
		<category><![CDATA[threat intelligence]]></category>
		<guid isPermaLink="false">https://www.digitalintelligence.at/?p=4409</guid>

					<description><![CDATA[Most European small and mid-sized enterprises believe they are too small to be targeted. The data tells a different story. According to ENISA&#8217;s 2025 Threat Landscape Report, over 60% of cyberattacks in the EU now target organisations with fewer than 250 employees. The reason is simple: attackers follow the path of least resistance, and SMEs consistently present the weakest perimeter. Having spent over a decade in intelligence and security operations, from securing diplomatic missions for the German Federal Foreign Office to advising law enforcement on digital threats, I have observed a consistent pattern. Organisations do not fail because they lack]]></description>
										<content:encoded><![CDATA[
<p>Most European small and mid-sized enterprises believe they are too small to be targeted. The data tells a different story. According to ENISA&#8217;s 2025 Threat Landscape Report, over 60% of cyberattacks in the EU now target organisations with fewer than 250 employees. The reason is simple: attackers follow the path of least resistance, and SMEs consistently present the weakest perimeter.</p>



<p>Having spent over a decade in intelligence and security operations, from securing diplomatic missions for the German Federal Foreign Office to advising law enforcement on digital threats, I have observed a consistent pattern. Organisations do not fail because they lack firewalls or antivirus software. They fail because they do not know what they are exposing to the internet in the first place.</p>



<h2 class="wp-block-heading">The Problem No One Talks About</h2>



<p>Every organisation has an attack surface. It includes every domain, subdomain, IP address, open port, exposed API, cloud instance, and forgotten staging server connected to the internet. For a company with even a modest digital footprint, this can amount to hundreds of potential entry points.</p>



<p>The challenge is visibility. Most SMEs have no systematic way to inventory their external-facing assets. A marketing team spins up a subdomain for a campaign and never takes it down. A developer leaves a test environment exposed with default credentials. An old mail server runs an unpatched version of Exchange. Each of these is an open door.</p>



<p>Large enterprises address this through dedicated security operations centres and expensive enterprise tools. But for a company with 50 or 100 employees, these solutions are neither accessible nor affordable. This gap between awareness and capability is where most breaches begin.</p>



<h2 class="wp-block-heading">Attack Surface Management: From Military Doctrine to Cyber Defence</h2>



<p>The concept of attack surface management (ASM) has its roots in military intelligence. Before any operation, you map the terrain. You identify vulnerabilities in your own position before the adversary does. The same principle applies to cybersecurity.</p>



<p>Modern ASM platforms automate the process of discovering, cataloguing, and continuously monitoring an organisation&#8217;s external-facing digital assets. They scan for exposed services, misconfigurations, known vulnerabilities, leaked credentials on the dark web, and other indicators of risk.</p>



<p>What makes ASM fundamentally different from traditional vulnerability scanning is scope and continuity. A vulnerability scan checks known assets at a point in time. ASM discovers unknown assets and monitors them continuously. It answers the question most security teams cannot: <em>What do we not know about our own exposure?</em></p>



<h2 class="wp-block-heading">The European Dimension</h2>



<p>For European organisations, the stakes are compounded by regulation. The NIS2 Directive, which came into full effect across EU member states, imposes strict cybersecurity requirements on a far broader range of companies than its predecessor. Entities classified as &#8220;essential&#8221; or &#8220;important&#8221; must implement risk-based security measures, conduct regular assessments, and report incidents within tight timeframes.</p>



<p>GDPR adds another layer. A breach resulting from an unmonitored attack surface does not just cause operational damage. It triggers mandatory notification requirements and potential fines of up to 4% of global annual turnover.</p>



<p>Despite these pressures, most European SMEs still rely on periodic penetration tests, conducted once or twice a year, as their primary security assessment. In a threat landscape where new vulnerabilities are disclosed daily and attack infrastructure is automated, annual testing is the equivalent of checking your locks once a year in a neighbourhood where break-ins happen every week.</p>



<h2 class="wp-block-heading">Continuous Monitoring as the New Baseline</h2>



<p>The shift from periodic assessment to continuous monitoring is not optional. It is a necessity. Attackers use automated reconnaissance tools that scan the entire IPv4 address space in minutes. If an organisation exposes a vulnerable service, it can be discovered and exploited within hours, sometimes within minutes.</p>



<p>This is the operational reality that led me to develop <a href="https://securityscanner.ai?utm_source=digitalintelligence&amp;utm_medium=blog&amp;utm_campaign=asm_article" target="_blank" rel="noopener">SecurityScanner.ai</a>, an attack surface management platform designed specifically for the European market. The platform provides continuous external monitoring, automated vulnerability detection, dark web credential monitoring, and AI-driven risk assessment. It is built from the ground up with GDPR-compliant infrastructure and priced for organisations that do not have six-figure security budgets.</p>



<p>The philosophy behind it is straightforward. Every organisation, regardless of size, deserves the same level of visibility into its attack surface that was previously only available to large enterprises and government agencies.</p>



<h2 class="wp-block-heading">What a Proper ASM Workflow Looks Like</h2>



<p>For organisations beginning to take attack surface management seriously, the process follows a clear logic.</p>



<p><strong>Discovery</strong> is the first phase. You cannot protect what you do not know exists. This means automated enumeration of all domains, subdomains, IP ranges, cloud assets, and third-party services associated with your organisation. The results are often surprising. Most companies discover 30 to 40 percent more external assets than they were aware of.</p>



<p><strong>Assessment</strong> follows discovery. Each discovered asset is evaluated for known vulnerabilities, misconfigurations, exposed sensitive data, outdated software, and weak encryption. This is where automated scanning intersects with threat intelligence, correlating discovered exposures against actively exploited vulnerabilities in the wild.</p>



<p><strong>Monitoring</strong> makes the process continuous. New assets, new vulnerabilities, and new threats emerge constantly. A platform like <a href="https://securityscanner.ai?utm_source=digitalintelligence&amp;utm_medium=blog&amp;utm_campaign=asm_article" target="_blank" rel="noopener">SecurityScanner.ai</a> runs these checks on an ongoing basis, alerting security teams to changes in their attack surface before adversaries can exploit them.</p>



<p><strong>Dark web intelligence</strong> adds a critical layer that traditional scanning misses entirely. Stolen credentials, leaked databases, and mentions of your organisation on underground forums represent threats that exist outside your network perimeter but directly impact your security posture. Integrating dark web monitoring into the ASM workflow provides early warning of compromised accounts and data breaches.</p>
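<p>The four phases above fit together as a loop over inventory snapshots. The following Python script is an added illustration of the assessment and monitoring steps, written for this post and not code from SecurityScanner.ai or from the author. It compares two constructed discovery runs for the documentation domain example.test, flags new hosts, newly opened ports and changed addresses, correlates service banners against a small stand-in for an actively-exploited-products feed, and lists assets that disappeared so stale DNS can be cleaned up. The asset records, the <code>RISKY_PORTS</code> list and the <code>ACTIVELY_EXPLOITED</code> set are assumptions of the example; in practice they come from the discovery tooling and a threat intelligence feed.</p>

```python
"""Added example: one monitoring cycle of an ASM workflow over constructed inventory data."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Management and database ports that should rarely face the internet (assumption of this example).
RISKY_PORTS = {22, 3389, 445, 5900, 1433, 3306, 6379}
# Constructed stand-in for a "known exploited" product feed; not a real CVE or KEV list.
ACTIVELY_EXPLOITED = {"exchange/2016-cu10", "confluence/7.13"}
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "info": 3}


@dataclass(frozen=True)
class Asset:
    host: str
    ip: str
    ports: FrozenSet[int]                    # open TCP ports seen by the scanner
    services: Tuple[Tuple[int, str], ...]    # (port, product/version banner)


@dataclass(frozen=True)
class Finding:
    severity: str
    host: str
    detail: str


def assess(asset: Asset) -> List[Finding]:
    """Assessment step: correlate what an asset exposes against threat intelligence."""
    return [
        Finding("critical", asset.host, f"{banner} on port {port} is on the actively-exploited list")
        for port, banner in asset.services
        if banner in ACTIVELY_EXPLOITED
    ]


def diff_snapshots(previous: Dict[str, Asset], current: Dict[str, Asset]) -> List[Finding]:
    """Monitoring step: alert on changes between two discovery runs, most severe first."""
    findings: List[Finding] = []
    for host, asset in current.items():
        old = previous.get(host)
        if old is None:
            # Unknown asset: the "forgotten staging server" case. Risky ports escalate it.
            sev = "high" if asset.ports & RISKY_PORTS else "medium"
            findings.append(Finding(sev, host, f"new external asset {asset.ip}, ports {sorted(asset.ports)}"))
        else:
            if old.ip != asset.ip:
                findings.append(Finding("medium", host, f"resolves to {asset.ip}, was {old.ip}"))
            for port in sorted(asset.ports - old.ports):
                sev = "high" if port in RISKY_PORTS else "medium"
                findings.append(Finding(sev, host, f"port {port} newly exposed"))
        findings.extend(assess(asset))
    for host in sorted(previous.keys() - current.keys()):
        # Gone from the scan but possibly still in DNS: a candidate dangling record.
        findings.append(Finding("info", host, "no longer reachable; confirm decommissioning and remove stale DNS"))
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f.severity])


def sample_snapshots() -> Tuple[Dict[str, Asset], Dict[str, Asset]]:
    """Constructed inventories for example.test (a documentation TLD); not real hosts."""
    www_old = Asset("www.example.test", "203.0.113.10", frozenset({80, 443}), ((443, "nginx/1.24"),))
    mail = Asset("mail.example.test", "203.0.113.20", frozenset({25, 443}), ((443, "exchange/2016-cu10"),))
    old = Asset("old.example.test", "203.0.113.30", frozenset({80}), ((80, "apache/2.4"),))
    www_new = Asset("www.example.test", "203.0.113.10", frozenset({22, 80, 443}), ((443, "nginx/1.24"),))
    staging = Asset("staging.example.test", "203.0.113.40", frozenset({3389, 8080}), ((8080, "tomcat/9.0"),))
    previous = {a.host: a for a in (www_old, mail, old)}
    current = {a.host: a for a in (www_new, mail, staging)}
    return previous, current


if __name__ == "__main__":
    for f in diff_snapshots(*sample_snapshots()):
        print(f"[{f.severity:8}] {f.host}: {f.detail}")
```

<p>Run on the constructed data, the cycle reports the unpatched mail server first, then the newly exposed SSH port on the web host and the unknown staging host with RDP open, and finally the host that vanished. The point of the structure is that the assessment check runs on every cycle, not only when something changes, because the threat intelligence feed moves even when the inventory does not.</p>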



<h2 class="wp-block-heading">The Intelligence Perspective</h2>



<p>From an intelligence standpoint, attack surface management is fundamentally an exercise in counter-reconnaissance. You are attempting to see yourself the way an adversary sees you, and to close gaps before they are exploited.</p>



<p>This is not theoretical. In my advisory work with law enforcement and government institutions, I have seen repeatedly how even well-resourced organisations are compromised through forgotten assets. A subdomain pointing to a decommissioned server. An exposed admin panel with weak authentication. A cloud storage bucket with public read access. These are not sophisticated attacks. They are failures of visibility.</p>



<p>The lesson is clear. Cybersecurity is not primarily a technology problem. It is an intelligence problem. And like all intelligence problems, it begins with knowing your own terrain.</p>



<h2 class="wp-block-heading">Conclusion</h2>



<p>The European cybersecurity landscape is at an inflection point. Regulatory pressure is increasing. Attack automation is accelerating. And the gap between enterprise-grade security and SME capability remains dangerously wide.</p>



<p>Attack surface management is not a luxury. It is the foundation upon which all other security measures depend. Without continuous visibility into your external exposure, every other investment in cybersecurity is built on incomplete information.</p>



<p>For organisations ready to take this step, the tools now exist to make it practical and affordable. The question is no longer whether you can afford to implement continuous attack surface monitoring. It is whether you can afford not to.</p>



]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>WiFi Signals Can See You: How CSI Sensing Works</title>
		<link>https://www.digitalintelligence.at/wifi-signals-can-see-you-how-csi-sensing-works/</link>
					<comments>https://www.digitalintelligence.at/wifi-signals-can-see-you-how-csi-sensing-works/#respond</comments>
		
		<dc:creator><![CDATA[Ozan Akyol]]></dc:creator>
		<pubDate>Tue, 06 Jan 2026 17:48:03 +0000</pubDate>
				<category><![CDATA[Analysis]]></category>
		<category><![CDATA[Intelligence]]></category>
		<guid isPermaLink="false">https://www.digitalintelligence.at/?p=4401</guid>

<description><![CDATA[Your WiFi router does more than connect you to the internet. The radio waves it sends are bouncing off everything in your room, including you. And those reflections contain a surprising amount of information. This is called CSI sensing, and it is quietly becoming a big deal in security, smart homes, and healthcare. What is CSI? CSI stands for Channel State Information. When WiFi signals travel from your router to your phone, they don&#8217;t go in a straight line. They bounce off walls, furniture, and people. This is called multipath propagation. Modern WiFi (802.11n and newer) divides its channel into]]></description>
										<content:encoded><![CDATA[



<p>Your WiFi router does more than connect you to the internet. The radio waves it sends are bouncing off everything in your room, including you. And those reflections contain a surprising amount of information.</p>



<p>This is called CSI sensing, and it is quietly becoming a big deal in security, smart homes, and healthcare.</p>



<h2 class="wp-block-heading">What is CSI?</h2>



<p>CSI stands for Channel State Information. When WiFi signals travel from your router to your phone, they don&#8217;t go in a straight line. They bounce off walls, furniture, and people. This is called multipath propagation.</p>



<p>Modern WiFi (802.11n and newer) divides its channel into many subcarriers. For each one, the system measures amplitude (signal strength) and phase (timing). This data is CSI.</p>



<p>Here is why this matters: when a person moves through a room, they disturb these signal paths. The human body contains a lot of water, which affects radio waves significantly. This disturbance shows up in CSI data as measurable changes.</p>



<p>So if you can read CSI data and analyze it properly, you can detect human presence and movement without any cameras or sensors on the person.</p>



<h2 class="wp-block-heading">How it actually works</h2>



<p>Think about throwing a stone in a pond. The ripples spread out and reflect off the edges. If someone walks through the water, the ripple pattern changes in a predictable way.</p>



<p>WiFi signals work similarly. There are regions between transmitter and receiver called Fresnel zones where signals interfere with each other. When you walk through these zones, you cause phase shifts that can be detected.</p>



<p>The processing pipeline looks like this:</p>



<p>First you collect raw CSI data from the WiFi hardware. Then you clean it up: remove noise and correct phase errors. After that you extract features such as variance, frequency components, and correlation patterns. Finally you feed these into a classifier, which could be an SVM or a neural network such as an LSTM or CNN.</p>



<p>Recent papers from 2024 and 2025 report accuracy rates above 99% for activity recognition on standard datasets. Real world performance is lower, but still impressive.</p>



<h2 class="wp-block-heading">What can you do with this?</h2>



<p><strong>Detecting people</strong></p>



<p>The most basic application. Is someone in the room or not? This works even through walls, which is something cameras cannot do. You don&#8217;t need line of sight.</p>



<p><strong>Activity recognition</strong></p>



<p>With good training data, you can distinguish walking from sitting from falling. This is useful for elderly care. If grandma falls and doesn&#8217;t get up, the system can alert someone. No wearable device needed.</p>



<p><strong>Vital signs</strong></p>



<p>This one surprised me when I first learned about it. When you breathe, your chest moves a few millimeters. This tiny movement creates detectable changes in CSI. Researchers have demonstrated breathing rate detection and even heart rate estimation in controlled conditions.</p>



<p><strong>Intrusion detection</strong></p>



<p>This is where it gets interesting from a security perspective. Traditional motion sensors have problems. They have blind spots. They can be fooled if you move slowly enough. They need to be installed and maintained.</p>



<p>CSI based intrusion detection uses your existing WiFi infrastructure. It can detect slow, careful movement that would fool a PIR sensor. It works through walls. The intruder cannot see where the sensors are because there are no sensors, just your router.</p>



<p>Systems like Wi-Alarm have shown reliable detection of various intrusion patterns in research settings.</p>



<p><strong>Counting people</strong></p>



<p>You can estimate how many people are in a room. Useful for building management, energy savings, or compliance with occupancy limits.</p>



<h2 class="wp-block-heading">How to Get Started &#8211; Technical Implementation</h2>



<p>The cheapest way to experiment with CSI sensing is an ESP32 microcontroller. Espressif provides an official esp-csi toolkit on GitHub. You flash the firmware, connect the ESP32 to your WiFi network, and it starts outputting raw CSI data over serial. The data includes amplitude and phase for each subcarrier, typically 52 values per packet at 100-200 packets per second. From there you pipe it into Python for processing. Basic presence detection works by calculating variance across subcarriers. When someone moves, variance spikes. When the room is empty, it stays flat. You can get this working in an afternoon.</p>



<p>For better results you need better hardware. A Raspberry Pi 4 with Nexmon firmware gives you access to CSI from the Broadcom WiFi chip: more subcarriers, cleaner phase data, higher sample rates. The setup is more involved (you need to patch the firmware and compile kernel modules), but there is good documentation. The Intel 5300 NIC is the classic research platform with the most published code to reference, but it requires an older laptop with a mini PCIe slot. Once you have data flowing, the processing pipeline is standard: denoise with a low-pass filter or PCA, extract features like variance, entropy and the dominant frequency from an FFT, then train a classifier. Start with an SVM for binary presence detection before moving to an LSTM or CNN for activity recognition. Scikit-learn and PyTorch both work fine. The main challenge is not the code; it is collecting good training data for your specific environment.</p>
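<p>To make that pipeline concrete, here is a small Python version of it, added for this post as an illustration rather than code from Espressif&#8217;s esp-csi toolkit or from the author. It assumes 52 amplitude values per packet and 100 packets per second, and because it has to run offline it constructs its own CSI frames instead of reading a serial port: an empty room is a fixed multipath profile plus receiver noise, and a walking person adds a 1.5 Hz fading oscillation whose depth and phase differ per subcarrier. It then applies a moving-average low-pass filter, computes the three features named above (variance, dominant frequency from a DFT, spectral entropy), and makes the binary presence decision with a variance threshold calibrated on an empty-room recording. The names <code>synth_csi</code>, <code>denoise</code>, <code>extract_features</code>, <code>calibrate</code> and <code>is_occupied</code> are all assumptions of this example.</p>

```python
"""Toy WiFi CSI presence detector (added example; constructed data, no hardware)."""
import math
import random
from typing import Dict, List

SUBCARRIERS = 52        # amplitude values per packet, as the post describes for the ESP32
SAMPLE_RATE_HZ = 100    # packets per second; assumed capture rate
Frames = List[List[float]]  # rows = packets, columns = subcarriers


def synth_csi(n_packets: int, motion: bool, seed: int) -> Frames:
    """Constructed CSI amplitude frames standing in for esp-csi serial output.

    Empty room: a fixed multipath profile plus Gaussian receiver noise.
    Occupied room: the same profile plus a 1.5 Hz fading oscillation whose
    depth and phase differ per subcarrier, mimicking a walking person.
    """
    rng = random.Random(seed)
    profile = [20.0 + 5.0 * math.sin(2 * math.pi * k / SUBCARRIERS) for k in range(SUBCARRIERS)]
    frames: Frames = []
    for t in range(n_packets):
        row = []
        for k in range(SUBCARRIERS):
            amp = profile[k] + rng.gauss(0.0, 0.3)
            if motion:
                amp += (2.0 + 0.05 * k) * math.sin(2 * math.pi * 1.5 * t / SAMPLE_RATE_HZ + 0.1 * k)
            row.append(amp)
        frames.append(row)
    return frames


def denoise(frames: Frames, window: int = 5) -> Frames:
    """Moving-average low-pass filter along time, applied to every subcarrier."""
    return [
        [sum(row[k] for row in frames[t:t + window]) / window for k in range(SUBCARRIERS)]
        for t in range(len(frames) - window + 1)
    ]


def _variance(xs: List[float]) -> float:
    mean = sum(xs) / len(xs)
    return sum((x - mean) ** 2 for x in xs) / len(xs)


def _power_spectrum(signal: List[float]) -> List[float]:
    """Naive DFT power for bins 1..N/2. The DC bin is dropped so the static
    multipath profile does not dominate. O(N^2), fine for a few hundred samples."""
    n = len(signal)
    mean = sum(signal) / n
    centred = [x - mean for x in signal]
    power = []
    for j in range(1, n // 2 + 1):
        re = sum(x * math.cos(2 * math.pi * j * t / n) for t, x in enumerate(centred))
        im = sum(x * math.sin(2 * math.pi * j * t / n) for t, x in enumerate(centred))
        power.append(re * re + im * im)
    return power


def extract_features(frames: Frames) -> Dict[str, float]:
    """The three features the post names: variance, dominant frequency, entropy."""
    clean = denoise(frames)
    columns = [[row[k] for row in clean] for k in range(SUBCARRIERS)]
    variances = [_variance(col) for col in columns]
    busiest = columns[max(range(SUBCARRIERS), key=variances.__getitem__)]
    power = _power_spectrum(busiest)
    total = sum(power) or 1.0
    probs = [p / total for p in power]
    entropy = -sum(p * math.log2(p) for p in probs if p > 0) / math.log2(len(probs))
    peak_bin = max(range(len(power)), key=power.__getitem__) + 1
    return {
        "mean_variance": sum(variances) / SUBCARRIERS,
        "dominant_freq_hz": peak_bin * SAMPLE_RATE_HZ / len(busiest),
        "spectral_entropy": entropy,     # near 1.0 for noise, low for periodic motion
    }


def calibrate(empty_room: Frames, margin: float = 10.0) -> float:
    """Presence threshold derived from a recording of the room with nobody in it."""
    return margin * extract_features(empty_room)["mean_variance"]


def is_occupied(frames: Frames, threshold: float) -> bool:
    """Binary presence decision on the variance feature, the post's first project."""
    return extract_features(frames)["mean_variance"] > threshold


if __name__ == "__main__":
    empty = synth_csi(204, motion=False, seed=1)
    walking = synth_csi(204, motion=True, seed=2)
    threshold = calibrate(empty)
    for name, rec in (("empty", empty), ("walking", walking)):
        print(name, extract_features(rec), "occupied:", is_occupied(rec, threshold))
```

<p>Run as a script it prints the feature dictionary for both constructed recordings. Swapping <code>synth_csi</code> for a reader of the esp-csi serial stream is the only change needed to try it on real frames, and the feature dictionary is exactly what you would hand to scikit-learn once a threshold rule stops being enough. Note that the threshold is tied to one room: it has to be re-calibrated whenever furniture or the router moves, which is the environment sensitivity discussed under Limitations.</p>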



<h2 class="wp-block-heading">Law enforcement and intelligence use</h2>



<p>This is not just academic research. Government agencies are already using this technology operationally.</p>



<p>The US Department of Homeland Security has been developing through-wall sensing systems for years. Their latest project, DePLife (Detect Presence of Life), was developed with MIT Lincoln Lab. In 2024, six law enforcement agencies across California, Texas and South Carolina conducted field assessments of the technology. The system uses radar on WiFi frequencies to detect human presence through walls, showing results on a mobile app.</p>



<p>Israeli company Camero-Tech makes the Xaver series, which is already deployed by military and police units worldwide. Their XLR80 model can detect people through concrete walls from over 100 meters away. It shows real-time position, movement direction, and can even detect breathing of stationary targets.</p>



<p>MaXentric sells the Detex Pro to US law enforcement for around 6000 dollars. It is compact enough to lean against a wall and streams results to a smartphone. Police have used similar devices in hostage situations and warrant services.</p>



<p>The Range-R is another device in active use by US police departments. It can detect movement and breathing through standard building materials.</p>



<p>What makes WiFi CSI interesting is that you do not need specialized military hardware. The same physics works with commercial routers and cheap microcontrollers. The difference is range and reliability, but the basic capability is accessible to anyone.</p>



<h2 class="wp-block-heading">The security angle</h2>



<p>I work in cybersecurity, so I see two sides here.</p>



<p>On one hand, CSI sensing is a powerful tool. You can monitor spaces without visible cameras, which some people prefer for privacy. It works in darkness. It is hard to detect or jam. It uses infrastructure you already have.</p>



<p>On the other hand, the same capabilities create risks. An attacker does not need to join your network: CSI is estimated from the physical-layer preamble of every frame a receiver can hear, so link encryption does not hide it. Anyone with a CSI-capable receiver within range of your access point could potentially monitor your activities. Research has shown CSI can be used to infer keystrokes, identify individuals by their gait, and build activity profiles.</p>



<p>This is not theoretical. The technology exists in commercial products and government hands. Whether it becomes a widespread threat depends on how aware people are and how we design systems going forward.</p>



<h2 class="wp-block-heading">Getting started practically</h2>



<p>If you want to experiment with this, you have options at different price points.</p>



<p>The cheapest is ESP32, around 5 euros. Espressif provides official CSI tools and it is relatively easy to get started. The data quality is moderate but enough for presence detection.</p>



<p>Raspberry Pi with Nexmon firmware is maybe 50 euros total. Better CSI quality, more flexibility, but requires more setup.</p>



<p>Intel 5300 NIC is the classic research platform. Good data quality, lots of existing code and papers to reference. You need a compatible laptop though.</p>



<p>For software, check out the ESP-CSI repository from Espressif, or the Linux 802.11n CSI Tool for Intel 5300 hardware.</p>



<p>A good first project is simple presence detection. Binary classification, room empty versus occupied. Once that works, you can try activity classification or multi-room setups.</p>
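<p>As an added example, not code from the original post: the pipeline described earlier (low-pass denoising, then variance, histogram entropy and dominant FFT frequency as features, then a classifier) applied to exactly this first project, room empty versus occupied, in pure Python so it runs without numpy or scikit-learn. The CSI amplitude windows are synthesised, not captured; the assumed 50 Hz sample rate, the 0.5 to 3 Hz fading an occupant adds and the noise level are all constructed values. A standardised nearest-centroid classifier stands in for the SVM; with scikit-learn installed, <code>sklearn.svm.SVC</code> fitted on the same feature rows is the drop-in replacement.</p>

```python
"""Minimal WiFi CSI presence-detection pipeline (added example, pure Python).

Constructed data: one subcarrier's CSI amplitude per window. Pipeline:
low-pass (moving average) -> features (log variance, histogram entropy,
dominant frequency) -> standardised nearest-centroid classifier, a stand-in
for the SVM the post recommends (sklearn.svm.SVC is the drop-in).
"""
import math
import random

FS = 50       # assumed CSI sample rate in Hz (constructed)
WINDOW = 100  # samples per window: 2 s at 50 Hz

def synth_window(rng, occupied):
    """Constructed window: flat baseline plus receiver noise; an occupant adds slow fading."""
    amp = rng.uniform(1.0, 3.0) if occupied else 0.0
    freq = rng.uniform(0.5, 3.0)            # assumed body-movement band, Hz
    phase = rng.uniform(0.0, 2 * math.pi)
    return [20.0 + amp * math.sin(2 * math.pi * freq * n / FS + phase)
            + rng.gauss(0.0, 0.3) for n in range(WINDOW)]

def low_pass(x, taps=5):
    """Causal moving-average low-pass filter (the denoising step)."""
    out = []
    for i in range(len(x)):
        seg = x[max(0, i - taps + 1):i + 1]
        out.append(sum(seg) / len(seg))
    return out

def variance(x):
    m = sum(x) / len(x)
    return sum((v - m) ** 2 for v in x) / len(x)

def hist_entropy(x, bin_width=0.25):
    """Shannon entropy (bits) of a fixed-width amplitude histogram; movement spreads the bins."""
    counts = {}
    for v in x:
        b = math.floor(v / bin_width)
        counts[b] = counts.get(b, 0) + 1
    n = len(x)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def dominant_frequency(x):
    """Strongest non-DC frequency in Hz via a naive DFT (FFT stand-in, O(n^2))."""
    n = len(x)
    m = sum(x) / n
    best_k, best_mag = 1, -1.0
    for k in range(1, n // 2 + 1):
        re = sum((x[t] - m) * math.cos(2 * math.pi * k * t / n) for t in range(n))
        im = sum((x[t] - m) * math.sin(2 * math.pi * k * t / n) for t in range(n))
        mag = re * re + im * im
        if mag > best_mag:
            best_k, best_mag = k, mag
    return best_k * FS / n

def features(window):
    """Feature row; log variance stops a strong mover from dominating the distance metric."""
    f = low_pass(window)
    return [math.log10(variance(f) + 1e-12), hist_entropy(f), dominant_frequency(f)]

class NearestCentroid:
    """Nearest-centroid classifier on z-scored features (SVM stand-in)."""

    def fit(self, X, y):
        d = len(X[0])
        self.mean = [sum(r[j] for r in X) / len(X) for j in range(d)]
        self.std = [math.sqrt(sum((r[j] - self.mean[j]) ** 2 for r in X) / len(X)) or 1.0
                    for j in range(d)]
        self.centroids = {}
        for label in set(y):
            rows = [self._z(r) for r, l in zip(X, y) if l == label]
            self.centroids[label] = [sum(r[j] for r in rows) / len(rows) for j in range(d)]
        return self

    def _z(self, r):
        return [(v - m) / s for v, m, s in zip(r, self.mean, self.std)]

    def predict(self, r):
        z = self._z(r)
        return min(self.centroids, key=lambda label: sum(
            (a - b) ** 2 for a, b in zip(z, self.centroids[label])))

def run_demo(seed=7, n_train=40, n_test=20):
    """Train on constructed windows and return held-out accuracy."""
    rng = random.Random(seed)

    def make(n):
        X, y = [], []
        for occupied in (0, 1):
            for _ in range(n):
                X.append(features(synth_window(rng, occupied)))
                y.append(occupied)
        return X, y

    X_train, y_train = make(n_train)
    X_test, y_test = make(n_test)
    clf = NearestCentroid().fit(X_train, y_train)
    hits = sum(clf.predict(r) == label for r, label in zip(X_test, y_test))
    return hits / len(y_test)

if __name__ == "__main__":
    print(f"held-out presence-detection accuracy: {run_demo():.2f}")
```

<p>Run it to get the held-out accuracy on the synthetic windows. On real captures the filter taps, bin width and sample rate are the environment-specific part the post warns about: retune them per room, and expect the dominant-frequency feature to be the noisiest of the three when the room is empty.</p>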



<h2 class="wp-block-heading">Limitations</h2>



<p>I should be honest about the challenges.</p>



<p>Environment sensitivity is the big one. A model trained in your living room probably won't work in your office without retraining. Even moving furniture can break things. This is an active research area but not solved.</p>



<p>Hardware support varies. Not every WiFi chipset exposes CSI data. Consumer routers usually don't. You need specific hardware or firmware modifications.</p>



<p>Multi-person scenarios are hard. When two people are moving, separating their contributions to the signal is complicated.</p>



<p>Real-time processing needs decent hardware. If you want to run neural networks on CSI data continuously, you need computing power.</p>



<h2 class="wp-block-heading">Where this is going</h2>



<p>WiFi 7 is coming with wider channels, which means more subcarriers and finer resolution. Some enterprise vendors like Huawei already ship access points with built-in CSI sensing for smart building applications.</p>



<p>I expect we will see more commercial products in the next few years. The question is whether security and privacy considerations keep pace with the capabilities.</p>



<h2 class="wp-block-heading">Final thoughts</h2>



<p>The WiFi signals in your home carry more information than most people realize. This technology is real, it is improving, and it has both positive and concerning applications.</p>



<p>For security professionals, it is worth understanding. For everyone else, it is worth being aware that walls don't provide as much privacy as you might think.</p>



]]></content:encoded>
					
					<wfw:commentRss>https://www.digitalintelligence.at/wifi-signals-can-see-you-how-csi-sensing-works/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>AI is the Ultimate Distraction for National Security</title>
		<link>https://www.digitalintelligence.at/ai-is-the-ultimate-distraction-for-national-security/</link>
					<comments>https://www.digitalintelligence.at/ai-is-the-ultimate-distraction-for-national-security/#respond</comments>
		
		<dc:creator><![CDATA[Ozan Akyol]]></dc:creator>
		<pubDate>Wed, 03 Dec 2025 06:19:21 +0000</pubDate>
				<category><![CDATA[Analysis]]></category>
		<category><![CDATA[Europe]]></category>
		<category><![CDATA[Intelligence]]></category>
		<category><![CDATA[Worldwide]]></category>
		<guid isPermaLink="false">https://www.digitalintelligence.at/?p=4392</guid>

					<description><![CDATA[Signal Poisoning: Why AI is the Ultimate Distraction for National SecurityThe Haystack Has Changed We used to say that intelligence work was like looking for a needle in a haystack. It was difficult, sure, but at least we knew that if we found something sharp and metallic, it was probably the needle. Those days are over. Today, AI isn&#8217;t just hiding the needle; it’s dumping thousands of &#8220;fake needles&#8221; into the pile every second. They look real, they shine like metal, and they even feel sharp. But they are decoys. The modern analyst’s nightmare isn&#8217;t a lack of information it’s]]></description>
										<content:encoded><![CDATA[
<h1 class="wp-block-heading">Signal Poisoning: Why AI is the Ultimate Distraction for National Security</h1>



<h2 class="wp-block-heading">The Haystack Has Changed</h2>



<p>We used to say that intelligence work was like looking for a needle in a haystack. It was difficult, sure, but at least we knew that if we found something sharp and metallic, it was probably the needle.</p>



<p>Those days are over.</p>



<p>Today, AI isn&#8217;t just hiding the needle; it’s dumping thousands of &#8220;fake needles&#8221; into the pile every second. They look real, they shine like metal, and they even feel sharp. But they are decoys. The modern analyst’s nightmare isn&#8217;t a lack of information; it’s information overload on an industrial scale. We aren&#8217;t just looking for the truth anymore; we are trying to survive a flood of convincing lies.</p>



<h2 class="wp-block-heading">The Weapon of Exhaustion</h2>



<p>We often think of cyber warfare as hackers breaking down firewalls or stealing secrets. But the new threat is subtler and perhaps more dangerous. It’s what we call a &#8220;Bureaucratic DDoS.&#8221;</p>



<p>Think of it as a weapon of exhaustion. Adversaries are using generative AI to create a &#8220;Cognitive Flood&#8221;: millions of synthetic reports, deepfake videos, and bot-managed panic. The goal isn&#8217;t to destroy our data; it’s to force us to waste our limited resources verifying it. It’s a &#8220;deceleration weapon&#8221; designed to clog the gears of intelligence agencies with perfectly formatted junk.</p>



<h2 class="wp-block-heading">Chasing Ghosts in the Gray Zone</h2>



<p>This isn&#8217;t just a digital problem; it has physical consequences. We are seeing the rise of &#8220;Physical DDoS&#8221; attacks.</p>



<p>Imagine a crisis scenario: An AI bot farm floods emergency channels with reports of a massive fire or an armed conflict in a specific neighborhood. The reports look genuine. Photos generated by AI start circulating. Police and first responders rush to the scene, sirens wailing. But when they arrive, the streets are empty.</p>



<p>While our security forces are busy chasing these digital ghosts, the real threat actors are operating unchecked elsewhere. This is the Gray Zone where digital deception translates into real world blindness.</p>



<h2 class="wp-block-heading">The Cost of Verification</h2>



<p>In this noise, the &#8220;Weak Signals&#8221;, the subtle, quiet indicators of a real terrorist plot or a foreign intelligence operation, are completely drowned out.</p>



<p>There is a concept called &#8220;Open Source Intoxication.&#8221; It means we are getting drunk on bad data. Every hour an analyst spends analyzing a high quality deepfake is an hour stolen from investigating a real threat. The &#8220;Verification Tax&#8221; we are paying is becoming too high to sustain.</p>



<h2 class="wp-block-heading">Fighting Fire with Fire</h2>



<p>So, how do we fix this? We have to admit that the human eye is no longer enough. We can’t &#8220;eyeball&#8221; our way out of this.</p>



<p>We need a &#8220;Zero Trust&#8221; approach to open source data. Unless a piece of information from the web (OSINT) can be cross referenced with human assets (HUMINT) or technical signals, it should be treated as noise.</p>



<p>More importantly, we need to adopt an &#8220;AI vs. AI&#8221; doctrine. If the attack comes at machine speed, the defense cannot move at human speed. We need our own algorithms to filter the noise, spot the synthetic patterns, and clear the haystack, so human analysts can get back to doing what they do best: finding the real needle.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://www.digitalintelligence.at/ai-is-the-ultimate-distraction-for-national-security/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Notes from a Cyber Intelligence Insider: How Digital Disinformation Really Works</title>
		<link>https://www.digitalintelligence.at/notes-from-a-cyber-intelligence-insider-how-digital-disinformation-really-works/</link>
		
		<dc:creator><![CDATA[Ozan Akyol]]></dc:creator>
		<pubDate>Sat, 22 Nov 2025 12:41:03 +0000</pubDate>
				<category><![CDATA[Analysis]]></category>
		<category><![CDATA[Europe]]></category>
		<category><![CDATA[Intelligence]]></category>
		<category><![CDATA[Worldwide]]></category>
		<guid isPermaLink="false">https://www.digitalintelligence.at/?p=4105</guid>

					<description><![CDATA[The Greatest Danger is Hacked Perceptions

For years, I have monitored cyber threats for governments and international institutions. From securing diplomatic missions across 12 countries for the German Federal Foreign Office (Auswärtiges Amt) to tracking the digital footprints of terror financing for the Ministry of Interior in Türkiye, I have always encountered the same reality: The greatest danger I witnessed was not hacked devices, leaked databases, or cracked passwords. The greatest danger was hacked perceptions.

Today, when we say “Cyber Security,” we still picture hooded hackers and scrolling green code. But as a cyber intelligence professional who has operated in the field, I can tell you this: To collapse a state or an institution, you no longer need to attack their servers. You only need to target their reputation and the trust that holds their society together. From border security to election manipulation, I have operated wherever data is weaponized. And with this experience, I can tell you: Digital Disinformation is the nuclear weapon of the 21st century.]]></description>
										<content:encoded><![CDATA[



<h1 class="wp-block-heading">The Greatest Danger is Hacked Perceptions</h1>



<p>For years, I have monitored cyber threats for governments and international institutions. From securing diplomatic missions across 12 countries for the German Federal Foreign Office (Auswärtiges Amt) to tracking the digital footprints of terror financing for the Ministry of Interior in Türkiye, I have always encountered the same reality: The greatest danger I witnessed was not hacked devices, leaked databases, or cracked passwords. <strong>The greatest danger was hacked perceptions.</strong></p>



<p>Today, when we say “Cyber Security,” we still picture hooded hackers and scrolling green code. But as a cyber intelligence professional who has operated in the field, I can tell you this: To collapse a state or an institution, you no longer need to attack their servers. You only need to target their reputation and the trust that holds their society together. From border security to election manipulation, I have operated wherever data is weaponized. And with this experience, I can tell you: <strong>Digital Disinformation is the nuclear weapon of the 21st century.</strong></p>



<h1 class="wp-block-heading">We Are in an Invisible War</h1>



<h2 class="wp-block-heading">Understanding Digital Disinformation</h2>



<p>Wars used to be fought along physical borders. Now, they are fought on the screen of your smartphone, inside that “innocent” tweet you read with your morning coffee. I have personally analyzed how bot networks are coordinated during election periods, how terror organizations manipulate algorithms to spread propaganda, and how “Deepfake” content is designed to disrupt financial markets.</p>



<h1 class="wp-block-heading">1. Who Pushes the Button? (The Geopolitics of Likes)</h1>



<p>The biggest misconception is that disinformation is chaotic. It is not. It is a calculated investment with a specific ROI (Return on Investment). The &#8220;button&#8221; is almost always pushed by states and state-sponsored groups. But the motivation isn’t just to cause trouble; it is strictly transactional. In my experience, I have seen that foreign powers invest heavily in influencing elections based on their future interests.</p>



<blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow">
<p><strong>The Actors and Ethical Complexity :</strong></p>



<p><strong>Two or three major companies, primarily based in Israel and India, operate at the center of this industry, focusing on election interference and disinformation prevention.</strong> <strong>I can attest that the products performing the best in this field are often of Israeli origin.</strong> <strong>Importantly, the necessity of producing counter-information to prevent disinformation inherently gives these software capabilities the potential for intentional or unintentional disinformation.</strong> <strong>This demonstrates the complex dual-use ethical framework of the industry.</strong></p>
</blockquote>



<h1 class="wp-block-heading">2. The Death of the &#8220;Egg Account&#8221; (The Incubation Era)</h1>



<p>If you are still trying to spot a bot by looking at its creation date or lack of a profile picture, you are fighting a modern war with a stone axe. Those days are over. Today, millions of accounts are created daily across the globe, but they don’t tweet immediately. They are put into <strong>“Incubation”</strong>. These sleeper accounts are kept dormant for months or years. When the time comes, they are sold to the highest bidder. Because they have a history, they bypass traditional security filters. The most reliable detection method left is analyzing the <strong>Synthetic Text Ratio</strong>. We are no longer looking for a “fake photo”; we are looking for the linguistic fingerprint of an LLM (Large Language Model) in their posts.</p>



<blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow">
<p><strong>Field Evidence: Instant Data Correlation:</strong></p>



<p><strong>To quantify the access speed of these tools, we conducted a test: We created a new social media account using a freshly acquired, unlisted phone number (a &#8216;zero&#8217; line from the state) and defined political views/interests. We searched this number in an undisclosed disinformation tool on the same day. The result was instantaneous: the tool successfully returned the profile.</strong> <strong>This demonstrates an incredible data ingestion speed, suggesting zero-latency correlation or direct data access, proving that high-value information is immediately accessible.</strong></p>



<p><strong>Operational Depth: Data Enrichment and Sociological Targeting :</strong></p>



<p><strong>Open-market social media analysis tools are useless in elections for this reason.</strong> <strong>Effective disinformation requires data enrichment. These software capabilities must be fed by external data sources, such as previously compromised Turkish Republic personal information databases.</strong> <strong>By adding layers like the user&#8217;s phone number, address, age, and gender, highly potent disinformation applications can be created.</strong> <strong>This process allows for the acquisition of the target audience&#8217;s sociological profile; for example, if the area of residence is economically depressed, disinformation focused on financial matters is the most effective tactic.</strong></p>
</blockquote>



<h1 class="wp-block-heading">3. The Timeline of a Lie: Simultaneous Saturation</h1>



<p>How does a lie wash over a nation in minutes? The process I have observed in the field is a masterclass in coordination. It is not a ripple; it is a tsunami. The attack happens simultaneously across three layers:</p>



<ul class="wp-block-list">
<li><strong>The Swarm:</strong> Thousands of small, incubated accounts initiate the spark.</li>



<li><strong>The Merchants:</strong> “Blue Check” verified accounts, which have been bought and repurposed, validate the lie to trick the algorithms.</li>



<li><strong>The Amplifiers:</strong> If necessary, mainstream media channels are engaged through paid advertisements or compromised journalists.</li>
</ul>



<p>The key here is location diversity. The attack is launched from different geographical locations at the exact same second to trick the platform’s “organic trend” algorithms.</p>



<blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow">
<p><strong>The Mechanism of Validation :</strong></p>



<ul class="wp-block-list">
<li><strong>Seeding:</strong> The lie is planted in “news sites” that appear reliable but are actually front operations.</li>



<li><strong>The Echo Chamber:</strong> Bot networks and “useful idiots” (an intelligence term for those who unwittingly spread propaganda) are activated.</li>



<li><strong>Legitimation:</strong> The topic becomes a Trend Topic (TT), and mainstream media validates the lie with headlines like “Claims circulating on social media…”</li>
</ul>
</blockquote>



<h1 class="wp-block-heading">4. The Future: We Need “Police AI”</h1>



<p>The sheer volume of AI-generated disinformation has surpassed human capacity to moderate. We cannot fight machines with humans anymore. The future of digital security relies on <strong>“Police AIs.”</strong> We need advanced AI systems designed solely to audit the outputs of other LLMs. These systems must verify information with 100% accuracy against trusted data ledgers.</p>



<blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow">
<p><strong>Establishing AI Provenance :</strong></p>



<p>Given the proliferation of AI models in the market, <strong>it is paramount to establish the origin of any AI-generated content (text, image, etc.).</strong> <strong>For this to be operational, every AI model must be mandated to possess a unique, invisible metadata &#8216;fingerprint&#8217; or identifier.</strong> <strong>While some large AI providers are already implementing such systems, all new AI models entering the public market must be obligated to report this unique identifier to public institutions and regulatory bodies.</strong> <strong>This standardization is necessary to ensure analysis and attribution can be performed swiftly and accurately by intelligence organizations.</strong></p>
</blockquote>



<p>In 2025 and beyond, the only thing that can stop a rogue AI manipulating a population is a stronger, ethically coded AI policing the digital borders.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<h1 class="wp-block-heading">INTELLIGENCE REPORT</h1>



<figure class="wp-block-image size-large"><img fetchpriority="high" decoding="async" width="1024" height="683" src="https://www.digitalintelligence.at/wp-content/uploads/2025/11/YBBt9pcOQXSXeGE5NSHXOg-1024x683.jpeg" alt="YBBt9pcOQXSXeGE5NSHXOg" class="wp-image-4246" title="YBBt9pcOQXSXeGE5NSHXOg" srcset="https://www.digitalintelligence.at/wp-content/uploads/2025/11/YBBt9pcOQXSXeGE5NSHXOg-1024x683.jpeg 1024w, https://www.digitalintelligence.at/wp-content/uploads/2025/11/YBBt9pcOQXSXeGE5NSHXOg-300x200.jpeg 300w, https://www.digitalintelligence.at/wp-content/uploads/2025/11/YBBt9pcOQXSXeGE5NSHXOg-768x512.jpeg 768w, https://www.digitalintelligence.at/wp-content/uploads/2025/11/YBBt9pcOQXSXeGE5NSHXOg-60x40.jpeg 60w, https://www.digitalintelligence.at/wp-content/uploads/2025/11/YBBt9pcOQXSXeGE5NSHXOg-720x480.jpeg 720w, https://www.digitalintelligence.at/wp-content/uploads/2025/11/YBBt9pcOQXSXeGE5NSHXOg.jpeg 1248w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure>



<h1 class="wp-block-heading">TECHNICAL ANATOMY OF MODERN DISINFORMATION</h1>



<h1 class="wp-block-heading">Infrastructure, Data Enrichment, and Attribution Protocols (2025)</h1>



<p><strong>Classification:</strong> PUBLIC (Redacted for General Release) <strong>Author:</strong> Ozan Akyol | Digital Intelligence <strong>Sector:</strong> Cyber Warfare &amp; Strategic Intelligence <strong>Date:</strong> November 2025</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<h1 class="wp-block-heading">EXECUTIVE SUMMARY</h1>



<p>Unlike traditional cyberattacks that prioritize stealth and anonymity, modern disinformation operations prioritize <strong>&#8220;Localization&#8221;</strong> and <strong>&#8220;Persistence.&#8221;</strong> This report outlines the technical architecture of state-sponsored and private-sector influence campaigns observed in the field.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<h1 class="wp-block-heading">1. INFRASTRUCTURE &amp; NETWORK ARCHITECTURE</h1>



<p>The primary objective of the network layer is not to hide the traffic, but to make it appear indistinguishable from organic local activity.</p>



<ul class="wp-block-list">
<li><strong>4G/5G SIM Farms (The Localization Layer):</strong> Botnets no longer rely solely on datacenter IPs, which are easily flagged. Instead, operators utilize industrial-scale <strong>4G/5G SIM Farms</strong>.
<ul class="wp-block-list">
<li><em>Operational Logic:</em> The goal is to ensure traffic originates from a legitimate mobile carrier (e.g., a specific cell tower in Berlin or Istanbul). This bypasses &#8220;Datacenter IP&#8221; filters and mimics genuine user behavior.</li>
</ul>
</li>



<li><strong>Weaponized IoT Devices:</strong> Compromised IoT devices (smart cameras, home routers) are utilized to achieve <strong>&#8220;Geo-Distribution.&#8221;</strong> By routing traffic through residential devices, the operation signals to platform algorithms that a topic is being discussed organically across the entire country, rather than a single server farm.</li>



<li><strong>Bulletproof Hosting Strategy:</strong> For the &#8220;Seeding&#8221; phase (hosting fake news sites), operators prefer <strong>Bulletproof Hosting</strong> providers located in jurisdictions with high resistance to international takedown requests, specifically <strong>USA, China, and Myanmar</strong>. The priority here is physical control and resilience against legal intervention.</li>
</ul>



<h1 class="wp-block-heading">2. C2 ARCHITECTURE &amp; SOFTWARE STACK</h1>



<p>The Command and Control (C2) infrastructure is designed for <strong>Portability</strong> and <strong>Speed</strong>, not aesthetics.</p>



<ul class="wp-block-list">
<li><strong>Tech Stack:</strong> 80% of observed operations utilize a <strong>Python-based</strong> architecture. <strong>Django</strong> is the standard for User Interface (UI) development.
<ul class="wp-block-list">
<li><em>Why Python?</em> It allows for rapid prototyping (Hot-fixes), extensive library support for data manipulation, and easy <strong>Dockerization</strong>. If a server is burned, the entire C2 infrastructure can be migrated to a new jurisdiction in minutes.</li>
</ul>
</li>



<li><strong>Minimalist Design:</strong> These tools do not have polished UIs. They feature raw dashboards focused on inputting targets and monitoring volume/sentiment.</li>
</ul>



<h1 class="wp-block-heading">3. DATA ENRICHMENT &amp; TARGETING (The Kill Chain)</h1>



<p>The most lethal aspect of modern disinformation is the fusion of social media data with leaked state databases.</p>



<ul class="wp-block-list">
<li><strong>Database Management:</strong> Operators use SQL-based structures (PostgreSQL/MySQL) to handle massive datasets. Python libraries (Pandas/SQLAlchemy) are employed to ingest &#8220;Dump Data&#8221; (leaked ID numbers, addresses, GSM numbers) and convert them into operational targeting lists.</li>



<li><strong>The Confidence Algorithm:</strong> Systems use a <strong>&#8220;Confidence Score&#8221;</strong> to match a social media profile with a real-world identity:
<ul class="wp-block-list">
<li><em>Match (Name + Surname + Phone):</em> <strong>70% Confidence</strong></li>



<li><em>Match (Name + Surname + Phone + Address):</em> <strong>90% Confidence</strong></li>



<li><em>Tactical Application:</em> This score dictates the attack vector. High-confidence targets in economically depressed areas are targeted with financial disinformation; others may be targeted with political or social polarization content.</li>
</ul>
</li>
</ul>



<h1 class="wp-block-heading">4. DETECTION &amp; FORENSICS</h1>



<p>Identifying these networks requires moving beyond simple content analysis to behavioral and visual forensics.</p>



<ul class="wp-block-list">
<li><strong>Temporal Analysis:</strong> We analyze the timestamps of activity.
<ul class="wp-block-list">
<li><em>Indicator:</em> Does the account tweet every day at exactly 13:30? Is there human-like randomization (jitter) in the intervals, or are they perfectly regular?</li>
</ul>
</li>



<li><strong>Visual Forensics (GAN Detection):</strong> Profile pictures are scanned for artifacts typical of <em>ThisPersonDoesNotExist</em> (GAN-generated) faces, such as asymmetric pupils, background distortion, or ear irregularities.</li>



<li><strong>Network Visualization (Maltego):</strong> While public institutions often use proprietary reporting tools, <strong>Maltego</strong> remains the industry standard for deep analysis. It is used to map the relationship clusters—visualizing who follows whom, who retweets whom, and funding sources.</li>
</ul>



<blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow">
<p><strong>Figure 1.1:</strong> <em>Visualization of a coordinated botnet cluster targeting specific keywords. Node relationships indicate simultaneous Retweet/Quote actions, revealing the inorganic structure of the network. (Generated via Maltego).</em></p>
</blockquote>
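<p>The temporal indicator in section 4 and the simultaneous-saturation pattern in section 3, worked as an added example that is not part of the report: per-account jitter and time-of-day regularity flag scheduled accounts, and bucketing events by second surfaces bursts where many accounts act at once. The event list, the account names and the thresholds (5% coefficient of variation, two minutes of clock spread, five accounts in one second) are constructed for the demo and are not observations.</p>

```python
"""Temporal forensics on social-media event timestamps (added example).

Two indicators from the report: per-account scheduling (the same clock
time every day with near-zero jitter between posts) and cross-account
bursts in which many accounts act within the same second. Every event
below is constructed for the demo; none is a real account or observation.
"""
import math
import statistics
from collections import defaultdict
from datetime import datetime, timezone

DAY_SECONDS = 86400

# Constructed sample: (account, action, ISO-8601 UTC timestamp).
SAMPLE_EVENTS = [
    # Scheduled account: 13:30 UTC every day, seconds of jitter at most.
    ("sched_bot", "post", "2025-11-13T13:30:00Z"),
    ("sched_bot", "post", "2025-11-14T13:30:01Z"),
    ("sched_bot", "post", "2025-11-15T13:30:00Z"),
    ("sched_bot", "post", "2025-11-16T13:30:02Z"),
    ("sched_bot", "post", "2025-11-17T13:30:01Z"),
    ("sched_bot", "post", "2025-11-18T13:30:00Z"),
    ("sched_bot", "post", "2025-11-19T13:30:01Z"),
    ("sched_bot", "post", "2025-11-20T13:30:02Z"),
    # Organic account: irregular hours and gaps.
    ("human_01", "post", "2025-11-13T08:12:33Z"),
    ("human_01", "post", "2025-11-13T19:45:10Z"),
    ("human_01", "post", "2025-11-14T07:58:01Z"),
    ("human_01", "post", "2025-11-16T22:14:45Z"),
    ("human_01", "post", "2025-11-18T12:03:19Z"),
    ("human_01", "post", "2025-11-20T18:30:00Z"),
    # Swarm plus one repurposed verified account acting in the same second.
    ("swarm_00", "retweet", "2025-11-20T09:15:07Z"),
    ("swarm_01", "retweet", "2025-11-20T09:15:07Z"),
    ("swarm_02", "retweet", "2025-11-20T09:15:07Z"),
    ("swarm_03", "retweet", "2025-11-20T09:15:07Z"),
    ("swarm_04", "retweet", "2025-11-20T09:15:07Z"),
    ("swarm_05", "retweet", "2025-11-20T09:15:07Z"),
    ("merchant_1", "quote", "2025-11-20T09:15:07Z"),
]

def parse_ts(s):
    """Parse 'YYYY-MM-DDTHH:MM:SSZ' into an aware UTC datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def clock_spread_seconds(times):
    """Circular standard deviation of time-of-day in seconds, so posts just
    before and after midnight still count as one tight cluster."""
    angles = [2 * math.pi * (t.hour * 3600 + t.minute * 60 + t.second) / DAY_SECONDS
              for t in times]
    c = sum(math.cos(a) for a in angles) / len(angles)
    s = sum(math.sin(a) for a in angles) / len(angles)
    r = min(1.0, math.hypot(c, s))   # mean resultant length; clamp float error
    if r == 0.0:
        return DAY_SECONDS / 2.0     # no preferred time of day at all
    return math.sqrt(-2.0 * math.log(r)) * DAY_SECONDS / (2 * math.pi)

def account_stats(events, min_posts=3):
    """Per account: post count, inter-post jitter (coefficient of variation)
    and clock spread. Accounts with too little history are skipped."""
    by_account = defaultdict(list)
    for account, _action, ts in events:
        by_account[account].append(parse_ts(ts))
    stats = {}
    for account, times in by_account.items():
        if len(times) < min_posts:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean_gap = statistics.mean(gaps)
        stats[account] = {
            "posts": len(times),
            "interval_cv": statistics.pstdev(gaps) / mean_gap if mean_gap else 0.0,
            "clock_spread_s": clock_spread_seconds(times),
        }
    return stats

def flag_scheduled(events, max_cv=0.05, max_clock_spread=120.0, min_posts=5):
    """Accounts whose rhythm is machine-regular: tiny jitter and a fixed clock time."""
    return sorted(
        account for account, st in account_stats(events, min_posts).items()
        if st["interval_cv"] <= max_cv and st["clock_spread_s"] <= max_clock_spread
    )

def find_bursts(events, min_accounts=5):
    """Seconds in which at least min_accounts distinct accounts acted:
    the signature of a swarm firing simultaneously."""
    buckets = defaultdict(set)
    for account, _action, ts in events:
        buckets[parse_ts(ts).strftime("%Y-%m-%dT%H:%M:%SZ")].add(account)
    return [(second, sorted(accounts)) for second, accounts in sorted(buckets.items())
            if len(accounts) >= min_accounts]

if __name__ == "__main__":
    print("scheduled accounts:", flag_scheduled(SAMPLE_EVENTS))
    for second, accounts in find_bursts(SAMPLE_EVENTS):
        print(f"burst at {second}: {len(accounts)} accounts {accounts}")
```

<p>The clock-spread statistic is circular, so an account posting at 23:59 one day and 00:01 the next is still scored as regular. The thresholds are starting points, not calibrated values: a swarm that adds randomised delays defeats the per-account check, but still tends to show up in the burst view once the bucket is widened from one second to a few.</p>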



<h1 class="wp-block-heading">5. ATTRIBUTION (Following the Trail)</h1>



<p>In the cyber domain, IP addresses can lie, but money cannot.</p>



<ul class="wp-block-list">
<li><strong>&#8220;Follow The Money&#8221;:</strong> Disinformation is expensive. It requires servers, thousands of SIM cards, software development, and ads.</li>



<li><strong>Attribution Methodology:</strong> Technical artifacts (e.g., comments in Russian/Chinese code) are often <strong>False Flags</strong> left intentionally to mislead. The most reliable attribution method is <strong>Cui Bono</strong> (Who Benefits?). Following the financial trail of server payments and advertising spend, much as in terror-financing investigations, often leads to the true perpetrator.</li>
</ul>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p><strong>End of Report</strong> <em>Access restricted to Operational and Strategic tier members.</em></p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Milipol Paris 2025 Analysis</title>
		<link>https://www.digitalintelligence.at/milipol-paris-2025-analysis/</link>
		
		<dc:creator><![CDATA[Ozan Akyol]]></dc:creator>
		<pubDate>Wed, 19 Nov 2025 10:59:16 +0000</pubDate>
				<category><![CDATA[Europe]]></category>
		<category><![CDATA[Analysis]]></category>
		<category><![CDATA[Worldwide]]></category>
		<category><![CDATA[counter-terrorism]]></category>
		<category><![CDATA[defence technology]]></category>
		<category><![CDATA[homeland security]]></category>
		<category><![CDATA[Milipol 2025]]></category>
		<category><![CDATA[security industry]]></category>
		<guid isPermaLink="false">https://www.digitalintelligence.at/?p=4100</guid>

					<description><![CDATA[Field Notes from Milipol Paris 2025: A Smaller Exhibition, Lower Expectations, and a Noticeable Lack of Innovation Milipol Paris 2025 presented a markedly different atmosphere compared to previous years. The exhibition area was significantly smaller, and the overall pace of the event reflected this downsizing. Walking through the halls at a steady speed, it became clear that the entire fair could be completed in roughly 2.5 to 3 hours, leaving many visitors with the impression that this year&#8217;s edition offered considerably less material, fewer innovations, and a more muted energy. A Noticeable Downsizing: Compact Layout, Limited Movement The most immediate]]></description>
										<content:encoded><![CDATA[
<h1 class="wp-block-heading"><strong>Field Notes from Milipol Paris 2025: A Smaller Exhibition, Lower Expectations, and a Noticeable Lack of Innovation</strong></h1>



<p>Milipol Paris 2025 presented a markedly different atmosphere compared to previous years. The exhibition area was significantly smaller, and the overall pace of the event reflected this downsizing. Walking through the halls at a steady speed, it became clear that the entire fair could be completed in roughly <strong>2.5 to 3 hours</strong>, leaving many visitors with the impression that this year&#8217;s edition offered considerably less material, fewer innovations, and a more muted energy.</p>



<h1 class="wp-block-heading"><strong>A Noticeable Downsizing: Compact Layout, Limited Movement</strong></h1>



<p>The most immediate observation was the <strong>reduced physical scale</strong> of the event. Booths were positioned more closely than in past years, and the density of exhibitors, despite the presence of some large names, felt noticeably lower. This compressed setup resulted in a faster circulation flow, but it also contributed to a sense that Milipol 2025 lacked the depth, diversity, and exploratory appeal that previously defined the fair.</p>



<h1 class="wp-block-heading"><strong>Country-Based Clustering: An Arrangement That Created Distance Instead of Engagement</strong></h1>



<p>One of the structural choices that shaped the atmosphere this year was the decision to cluster companies <strong>strictly by country</strong>. While the intention was likely to create national showcases, in practice it led to a somewhat <strong>fragmented and less inviting environment</strong>. Instead of fostering cross-sectional interaction among companies, the country pavilions unintentionally created psychological boundaries between groups.</p>



<p>Many exhibitors noted that this arrangement gave the fair a rigid, compartmentalized feel, reducing spontaneous engagement and limiting the natural flow of visitors across sectors.</p>



<h1 class="wp-block-heading"><strong>A Clear Sign of Cost-Cutting: The Decline of Traditional Giveaways</strong></h1>



<p>In earlier years, Milipol was known for its abundance of branded military caps, tactical accessories, patches, and various promotional items. This year, however, the overwhelming majority of booths offered <strong>nothing beyond a simple pen</strong>.<br>This shift is not trivial; it reflects a broader trend across the industry:</p>



<ul class="wp-block-list">
<li>Firms are <strong>reducing marketing expenditures</strong>,</li>



<li>Trade show ROI is being questioned more openly,</li>



<li>Promotional spending is no longer seen as essential for visibility.</li>
</ul>



<p>The minimalistic approach to giveaways mirrors the general tone of the event: <strong>lean budgets, cautious strategies, and a wait-and-see posture across the sector.</strong></p>



<h1 class="wp-block-heading"><strong>Innovation Gap: Few (If Any) New Products on Display</strong></h1>



<p>Perhaps the most striking aspect of Milipol 2025 was the <strong>absence of genuine novelty</strong>. Across both hardware and software domains, companies showcased products that were largely familiar iterations or re-presentations of existing solutions rather than newly launched concepts.</p>



<p>Notably:</p>



<ul class="wp-block-list">
<li>No groundbreaking surveillance systems,</li>



<li>No next-generation counter-drone innovations,</li>



<li>No major OSINT/SOCINT software advancements,</li>



<li>No significant new tactical hardware platforms.</li>
</ul>



<p>The fair felt more like a continuation of previous editions rather than a forward-looking showcase. Many exhibitors appeared to be present only to “maintain visibility,” not to demonstrate new technology.</p>



<h1 class="wp-block-heading"><strong>Conversation with Exhibitors: “We’re Here Out of Obligation, Not Expectation”</strong></h1>



<p>During discussions with <strong>three to four companies</strong>, a recurring theme emerged: <strong>minimal expectations</strong>.<br>Multiple representatives openly admitted:</p>



<ul class="wp-block-list">
<li>“We’re not expecting much from this year’s Milipol.”</li>



<li>“We came out of obligation rather than opportunity.”</li>



<li>“Budgets are tight; this is more about presence than results.”</li>
</ul>



<p>This sentiment was surprisingly consistent and highlights an important shift in the security and defence exhibition ecosystem. The industry appears to be navigating a transitional phase marked by budget constraints, uncertain market directions, and a reduction in high-impact product launches.</p>



<h1 class="wp-block-heading"><strong>Overall Impression: A Transitional Year for the Security Industry</strong></h1>



<p>Milipol Paris 2025 can best be described as a <strong>quiet, transitional year</strong>. While the fair still gathered key players from across the defence, intelligence, and security sectors, the overall energy was restrained. With smaller booths, limited product innovation, cost-cutting signals, and lower expectations among exhibitors, the event reflected broader conditions in the European security landscape, marked by strategic caution and reduced investment appetite.</p>



<p>Whether this signals a temporary slowdown or a longer-term recalibration remains to be seen. What is certain, however, is that Milipol Paris 2025 provided a clear snapshot of an industry taking measured steps rather than bold leaps.</p>



]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Encryption Vulnerability in Satellite Communications: An Open Door for Cyber Espionage</title>
		<link>https://www.digitalintelligence.at/encryption-vulnerability-in-satellite-communications-an-open-door-for-cyber-espionage/</link>
		
		<dc:creator><![CDATA[Ozan Akyol]]></dc:creator>
		<pubDate>Thu, 13 Nov 2025 19:42:24 +0000</pubDate>
				<category><![CDATA[Europe]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[critical infrastructure]]></category>
		<category><![CDATA[cyber espionage]]></category>
		<category><![CDATA[encryption vulnerability]]></category>
		<category><![CDATA[GEO satellites]]></category>
		<category><![CDATA[satellite communications]]></category>
		<category><![CDATA[SIGINT]]></category>
		<category><![CDATA[threat intelligence]]></category>
		<guid isPermaLink="false">https://www.digitalintelligence.at/?p=3932</guid>

					<description><![CDATA[A newly published academic study reveals that nearly half of all communication satellites in geostationary orbit transmit civilian and military data without any encryption. This finding highlights a critical weakness not only in communication technologies but also in the context of modern cyber-intelligence operations. With the rapid evolution of SDR (Software Defined Radio) technologies, these unencrypted signals can now be intercepted and decoded with low-cost receiver hardware. Technical Findings and Observations The analysis was conducted by collecting signals across the C-band and Ku-band frequency ranges used by 39 geostationary satellites. Researchers developed entropy-based classification algorithms to identify carriers transmitting unencrypted]]></description>
										<content:encoded><![CDATA[



<p>A newly published academic study reveals that nearly half of all communication satellites in geostationary orbit transmit civilian and military data <em>without any encryption</em>. This finding highlights a critical weakness not only in communication technologies but also in the context of modern cyber-intelligence operations. With the rapid evolution of SDR (Software Defined Radio) technologies, these unencrypted signals can now be intercepted and decoded with low-cost receiver hardware.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<h1 class="wp-block-heading"><strong>Technical Findings and Observations</strong></h1>



<p>The analysis was conducted by collecting signals across the C-band and Ku-band frequency ranges used by 39 geostationary satellites. Researchers developed entropy-based classification algorithms to identify carriers transmitting unencrypted data. Carriers with lower spectral density typically contained VoIP sessions, SIP signaling, DNS traffic, and text-based command packets.</p>



<p>For data processing, open-source satellite telemetry solutions such as the OpenSatelliteProject were used. After demodulating QPSK and 8PSK signals at the physical layer, MPEG-TS streams or raw IP packets were extracted for higher-layer protocol analysis. The investigation successfully recovered the following categories of content:</p>



<ul class="wp-block-list">
<li><strong>Mobile carrier traffic:</strong> SMS message text, SIP session details (INVITE, 200 OK, BYE), IMSI/IMEI associations.</li>



<li><strong>In-flight internet protocols:</strong> DHCP, DNS, HTTP GET/POST requests, captive portal logs.</li>



<li><strong>Corporate internal network data:</strong> VLAN-tagged broadcast packets, WINS queries, LDAP and SMB traffic.</li>



<li><strong>Military/police communication:</strong> Plaintext coordinates and operational messages transmitted through internal IP-trunked radio systems.</li>



<li><strong>SCADA and energy control systems:</strong> DNP3, Modbus-TCP and SNMP traffic exposing status variables and command-response sequences.</li>
</ul>



<p>Much of this data contains sensitive personal, corporate, and state-level information, making it highly exploitable.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<h1 class="wp-block-heading"><strong>Structural Causes Behind the Vulnerability</strong></h1>



<p>The question of why such critical data is transmitted without encryption is rooted in legacy design assumptions and system architecture choices. Most satellite service providers delegate encryption to customers at the application layer. In other cases, constraints such as limited processing capabilities and latency concerns have resulted in the omission of real-time link-layer encryption.</p>



<p>Even when encryption is technically supported, it is often disabled due to configuration mistakes, cost-driven decisions, or operational convenience. Older terminals—such as early-2000s VSAT modems—frequently lack cryptographic support altogether, or the feature was never deployed. This leads to large-scale broadcast transmission of plaintext signals across the footprint.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<h1 class="wp-block-heading"><strong>Intelligence and Security Impact</strong></h1>



<p>This is not merely a data security flaw; it creates a strategic surveillance advantage. State-sponsored threat actors can passively monitor these signals in real time, gaining insights such as:</p>



<ul class="wp-block-list">
<li>Passive tracking of operational military movements</li>



<li>Mapping weaknesses in critical infrastructure (e.g., SCADA failure and load data)</li>



<li>Observing financial institution communication patterns</li>



<li>Correlating mobile network user behavior</li>



<li>Analyzing pre-VPN corporate traffic to identify attack vectors</li>
</ul>



<p>Such information is valuable not only for technical exploitation but also for diplomatic, political, military, and economic intelligence.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<h1 class="wp-block-heading"><strong>Cyber-Intelligence Perspective</strong></h1>



<p>The assumption that “no one is listening” to satellite downlinks is no longer valid. Sky-borne data traffic is vulnerable to actors ranging from low-profile intruders to advanced persistent threats (APTs). Encryption is no longer optional—it is the <em>minimum security baseline</em>. In modern threat environments, securing both the network and the broadcast frequency layer is essential. For critical infrastructure, defense systems, and financial services, satellite communication should be treated like an open Wi-Fi network: if it is unencrypted, it is being monitored.</p>



<p>Institutional security strategies must assume that satellite-transmitted data is insecure by default and adopt a <em>multi-layer encryption model</em> from the physical layer upward.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<h1 class="wp-block-heading"><strong>Conclusion</strong></h1>



<p>This vulnerability in satellite communication is not simply a technical problem; it is the result of a neglected security culture. In the coming years, more governments and private organizations will inevitably have to prioritize this issue—updating existing systems, securing transmission layers, and adopting a “security-by-default” approach in new communication infrastructures.</p>
]]></content:encoded>
					
		
		
			</item>
	</channel>
</rss>
