Field notes from the investigation desk.
Practitioner analysis on data brokers, credential leaks, executive exposure, and corporate footprint — written by the team that does the work.
Featured
Reading the Ransom Note: The 2026 Extortion Economy in the Actors’ Own Words
Read four current ransom notes alongside the ShinyHunters leak site to see how the extortion economy industrialised around named-individual exposure.
Most recent
When Privacy Becomes a Price Tag: The Three-Tier Problem in Europe’s Data Market Debate
A Bruegel working paper proposes regulated data markets as Europe’s fix for the consent impasse. On examination, the three-tier model makes full privacy available only to those who can pay for it.
ANALYSIS: When Someone Else's Security Becomes Your Breach: Third-Party Risk and Supply Chain Attacks Are Not the Same Problem
Third-party risk and supply chain risk describe opposite threat models — understanding the direction of trust changes what an organisation investigates and what it finds.
ANALYSIS: The Silent Market: How Stolen Corporate Data Is Quietly Bought and Sold
The loud ransomware economy is the part you can measure. A priced, brokered market for stolen corporate access and data runs in silence beside it, and this is how we map it.
Executive Privacy
EU Facial Recognition: Loud Regulation, Quiet Enforcement
The EU has the strictest facial-recognition rules in any major jurisdiction. It also has Clearview AI, fined more than €110 million across five member states, paying nothing, still indexing EU residents’ faces. The gap between regulation and enforcement is the story.
GUIDE: What Traces Do You Leave Online: The Silent Data Trail
Your visible online presence is only the surface. Below it sit contact graphs built by others, location broker pipelines, insurance registers, archive snapshots, and an AI assistant layer that logs and may train on everything you type.
METHOD: How a Mirror Investigation Runs
What actually happens in 48 hours of a Mirror investigation: the four sequential stages a finding moves through before it appears in the report.
Data Brokers
Best Data Broker Removal Services in the US: What Actually Works (2026)
Six US data broker removal services tested against the August 2024 Consumer Reports field test — and why the free manual baseline outperformed every paid vendor in the cohort.
ANALYSIS: Why Data Brokers Make Opt-Outs Hard: The Economics of Friction
Broker opt-out URLs break for a structural reason: working opt-outs lower subscription revenue. The SEC-anchored math behind the friction.
GUIDE: How to Delete Your Personal Information from the Internet — The Practitioner’s Sequence
Removing your personal information from the internet is four problems, not one. Each layer has its own legal mechanic and its own DIY ceiling.
Credential Leaks
From Gamble to Calculation: How Your Exposure Decides Who Gets Attacked
An intrusion told backwards from a single email address, and why a findable digital footprint turns a target from a gamble an attacker takes into a calculation they can run.
ANALYSIS: Ransomware Negotiation: Four Response Modes Law Firms Have Actually Used
What the HWLE court record and four leaked transcripts reveal about how ransomware operators negotiate with law firms, and the four ways firms have actually responded when a ransom demand lands.
ANALYSIS: How Modern Infostealers Work: Execution, Telemetry, and the 2026 Log Economy
How RedLine, Lumma, and Vidar execute on the host, what they harvest, what is visible on the wire, and how stolen credentials flow through 2026 log markets.
Corporate Footprint
The Attack Surface You Don't Own: How Personal Devices and Lives Extend Corporate Risk
Attack surface management maps what a company owns and can see. A growing share of corporate access lives on personal devices and accounts it owns neither, and the gap widens with seniority.
INTEL: CoinbaseCartel: A Data-Theft Extortion Profile
A profile of CoinbaseCartel, the data-theft extortion group that breaks into companies using years-old infostealer credentials instead of encryption.
INTEL: Qilin Ransomware: The Most Active Threat Group of 2025-2026
Qilin posts more new victims to its leak site than any other ransomware operation in 2026. Who they are, how they work, the September 2025 cartel with LockBit and DragonForce, and why disruption has not slowed them.
Reporting Cybersecurity to Your Board: What NIS2 Requires, What Most Packs Miss
Most cybersecurity board packs were built for the audit committee, not the directive. A look at what NIS2 Article 20 actually asks the board to evidence, how the SEC and UK CSR Bill compare, and what a defensible six-section quarterly pack looks like in practice.
ANALYSIS: Cybersecurity for Executives: Four Threat Models Most Buyers Don't Distinguish
Most executive cybersecurity products address one of four threat models. The other three are where the Arup, MGM, Coinbase and M&S losses landed.
ANALYSIS: RIA cybersecurity in 2026: where training-first programs miss the actual attack surface
Six RIAs breached by ShinyHunters in 90 days exposed a structural gap: firms train for phishing but leave principal data wide open to the attacks attackers actually used.
ANALYSIS: Law Firm Data Breaches: What They Expose About the Client Side
When outside counsel is breached, the data exposed is the client’s. Six verified incidents, a 27-day ransomware leak-site cohort of 19 firms, and the questions principals can ask their counsel.
ANALYSIS: Identity Attack Surface: What Infrastructure ASM Vendors Don’t See
Infrastructure ASM, CAASM, and exposure-assessment platforms map machines. They do not map the people-shaped surface that the most expensive intrusions of 2023–2025 actually turned on.
ANALYSIS: Why Ransom Notes Read Like Demand Letters
Ransom-extortion text borrows the recognisable forms of demand letters, litigation pleadings, and PR holding statements. The form is a legitimation tool the corporate audit needs to read.
METHOD: How a Lockdown Investigation Runs
The Lockdown is the credential-and-account-takeover tier of our investigation work. Five business days, fixed €995, the full Mirror foundation plus seven Lockdown-specific deliverables. This article walks the methodology stage by stage: discovery, cross-reference, verification, report.
ANALYSIS: How Crypto Anonymity Breaks at the Endpoint
Crypto privacy was designed against chain analysis, not against the endpoint. The Fowler 2026 database showed why that gap is now the dominant threat.
ANALYSIS: Family Office Cybersecurity: The Principal’s Exposure Surface
Deloitte’s 2024 family office report shows phishing at 93% prevalence. The IT layer cannot reach the surface that makes those attacks plausible.
GUIDE: Is Doxxing Illegal? How EU, UK and US Law Treat It in 2026
How doxxing is treated under Dutch, German, French, UK and US law in 2026: dedicated criminal statutes, GDPR overlay, federal-and-state patchwork, and what victims can do.
GUIDE: Dark Web Monitoring: What It Actually Does and When It’s Worth Paying For
What dark web monitoring actually catches, what it misses on stealer logs and live session cookies, and when bundled, standalone, or human-led options each make sense.
ANALYSIS: Right of Access as Reconnaissance: The Article 15 Verification Gap
GDPR Article 15 was designed to protect data subjects. It also creates a pre-authenticated data exfiltration channel at understaffed controllers — and NIS2 will close the gap.
GUIDE: Data Brokers in the UK: Your Rights Under UK GDPR and the DUAA 2025
Who the UK's data brokers are, what the Data (Use and Access) Act 2025 changed, and why individual GDPR action now does what the ICO no longer can.
GUIDE: Do Data Broker Removal Services Actually Work? A Practitioner’s Answer
A practitioner’s answer on how data broker removal works under GDPR and CCPA, and when a subscription service, DIY, or full OSINT investigation is the right fit.
INTEL: Why Executive Digital Exposure Is a NIS2 Compliance Risk
Article 21 of the NIS2 directive names supply-chain and human-factor risk. Executive digital exposure fits both — and sits in the half of compliance that most programmes under-audit.
GUIDE: Is Data Broker Removal Legal in Europe Under GDPR?
Data broker removal is legal across the EU under GDPR Articles 17 and 21 — but the "legitimate interest" argument brokers rely on usually does not survive a proper balancing test.
ANALYSIS: The Identity Pack: How Breaches Without Credentials Fuel Executive Targeting
When a breach notification says no credentials were exposed, the data that was exposed is often exactly what executive targeting is built from.
INTEL: Stealer Logs: Inside The Credential Market HIBP Doesn't See
Stealer logs are the credential exposure vector most organisations cannot see — per-device snapshots containing passwords and live session cookies, sold in underground markets within hours of infection.
ANALYSIS: The ATHR Disclosure: Anatomy of a Sole-Source Threat Claim
Abnormal's ATHR vishing disclosure is sole-sourced, IOC-free, and invisible on the underground after a full verification window. A framework for reading AI threat marketing.
ANALYSIS: NIS2 Personal Liability: What the Directive Actually Says About Board Members
The NIS2 Directive requires management bodies to approve, oversee, and bear liability for cybersecurity risk management. Twenty-one EU member states have transposed it into law. Most compliance programmes focus on technical measures — but Article 20 asks boards to understand the risks, including their own digital exposure.
GUIDE: Best Data Broker Removal Services in Europe: Country-by-Country (2026)
A verified, country-by-country comparison of data broker opt out services in France, Germany, Netherlands, Spain and the UK — using Consumer Reports 2024 results and direct pricing checks, not vendor marketing.
ANALYSIS: Basic-Fit, Booking.com, and the SEPA Direct Debit Fraud Kit
Two major EU breaches disclosed on the same Sunday, two different attack patterns, one downstream consequence: targeted fraud built on real data. How SEPA Direct Debit fraud actually works after an IBAN leak, and what closes the window.
ANALYSIS: Canada Goose: Two Extortion Claims and the Vendors Nobody Named
ShinyHunters published 581,877 Canada Goose customer records in February 2026. Twenty-four days later, Coinbasecartel listed the same brand claiming supply chain data — on the same day as Lacoste.
ANALYSIS: How a Security Scanner Breached the European Commission
CERT-EU confirmed the European Commission was breached through a poisoned Trivy vulnerability scanner. The supply chain attack exposed DKIM signing keys, military financing data, and 52,000 email files — at the institution drafting Europe's cybersecurity laws.
ANALYSIS: The Reconnaissance Phase: Why Whaling Attacks Start With Your Data Broker Listings
BEC and whaling attacks rely on personal data gathered during the reconnaissance phase. Removing that data from brokers and breach databases disrupts the attack before it begins.
ANALYSIS: Agentic AI Is Building Executive Profiles. Here’s What Feeds Them.
AI search engines build executive profiles by connecting data across brokers, breach databases, and public registries in real time.
GUIDE: Deepfake Detection: A Practical Guide for Executives and Their Teams
How deepfake fraud works, why detection alone is failing, and the verification protocols that actually prevent losses.
GUIDE: Corporate Breach Response Checklist: The First 72 Hours
A structured 72-hour breach response checklist covering GDPR and US state notification laws, with phase-by-phase guidance for DPOs, CISOs, and board members.
GUIDE: Data Broker Removal in Europe: What a Professional Engagement Actually Looks Like
Automated removal services average a 48 per cent success rate. Here is what a professional, human-led data broker removal engagement in Europe involves — from discovery through deletion, suppression, and ongoing monitoring.
METHOD: OSINT Research vs Stalkerware: Where Investigation Ends and Surveillance Begins
The FOUR rubric used by law enforcement — Fixated, Obsessive, Unwanted, Repeated — applied to the line between legitimate OSINT research and stalkerware surveillance, from both the investigator's and target's perspective.
ANALYSIS: RaaS Inc.: The Business Plan Nobody Asked For
Eighty-five ransomware groups competed for an $820 million market in 2025. Forty-seven of them claimed fewer than ten victims. The unit economics explain why.
ANALYSIS: How OSINT Tracks Smuggling Networks: The Intelligence Tradecraft Behind Europol’s New Centre
Europol launched ECAMS and named OSINT a core strategic capability. Here is how open-source intelligence actually tracks smuggling networks — from Telegram forwarding chains to satellite change detection.
INTEL: What Happens After Your Corporate Credentials Leak
Google shut down its Dark Web Report because alerts without context are noise. Here is what stealer logs actually contain, why free scans miss most of it, and what a professional assessment covers.
GUIDE: How Executives Get Doxxed — and What Europe Is Doing About It
From the CEO Database to the Netherlands' first doxxing arrest, executive targeting has become organised. Here is where the data comes from, what the law now says, and what you can do about it.
ANALYSIS: The EDPB Work Programme 2026–2027 and the Digital Omnibus: Is GDPR Quietly Shifting?
The EDPB is building compliance tools for a GDPR framework the European Commission may be in the process of dismantling. Here is what both documents change — and where they contradict.
GUIDE: What Is a Digital Footprint — and How Attackers Use Yours
Your digital footprint is the sum of all data that can be linked back to you online. Here is what it contains — and how attackers exploit each piece.
GUIDE: GDPR Data Subject Access Request: Template and Complete Guide
A complete guide to GDPR Data Subject Access Requests — what the law says, what you are entitled to receive, enforcement case law, and a ready-to-use template.
METHOD: How a 10-Minute Phone Call Took Down a $34 Billion Company
How Scattered Spider used LinkedIn, breach databases, and a 10-minute helpdesk call to compromise MGM Resorts and Marks & Spencer. Both attacks dissected stage by stage.
GUIDE: How to Disappear from the Internet
A practitioner’s guide to reducing your digital footprint. What you can remove yourself, what persists regardless, and where DIY efforts reach their structural limit.
INTEL: DRAGONFORCE: Anatomy Of A Graduated Exfiltration Cartel
In-depth analysis of the DragonForce Ransomware Cartel’s graduated leak strategy, OSINT-driven executive targeting, and the RansomBay affiliate model.
METHOD: Username and Alias Correlation: Methodology, Tooling, and Likelihood Assessment
A username is not anonymous. It is a behavioural fingerprint dressed as a pseudonym. This is how analysts trace handles to real identities — and why the same process is used against private individuals.
GUIDE: If You Were in the Odido Breach — What to Do Now
The Odido dataset is public. If you were a customer — even a decade ago — your data is likely in it. This is what the exposure enables, and what closes it.
INTEL: Odido: One Month After Disclosure, the Breach Is Still Expanding
One month after Odido disclosed the breach, every dimension has escalated. The full dataset is public. Ministers and protected persons are in it. Former customers who left a decade ago are in it. And the fraud is doubling.
GUIDE: The Friction of Erasure: A Realistic Guide to Data Broker Removal
A realistic framework for data broker removal: how broker tiers work, why deletions bounce back, and how to use GDPR/CCPA leverage effectively.
METHOD: What a LinkedIn Profile Reveals to a Scammer
LinkedIn profiles reveal far more than most understand—timing patterns, role signals, public networks, business-context posts, and document metadata all become intelligence for phishing and vishing. This is what attackers actually see.
INTEL: The Odido Breach: 30 Days of Criminal Activity, Documented
The Odido breach was confirmed February 12. Within 19 days, the full dataset was published on criminal infrastructure. Within 20 days, active phishing campaigns were running. This is not a prediction — it is a documented sequence.
METHOD: The Mosaic Effect: How Harmless Data Combines Into a Complete Profile
Your employer is public. Your general location is public. Your gym, your commute pattern, your lunch spot — all public. None of it is sensitive on its own. But combine them, and something qualitatively different emerges.
METHOD: How the FBI Traced $3.6B in Bitcoin — Tool by Tool
The Bitfinex hack moved $3.6 billion through 2,000 addresses across six years. This is a step-by-step reconstruction of how investigators followed the trail — using Blockchair, 3xpl, and WalletExplorer, the same open-source tools anyone can access today.
ANALYSIS: What Cryptocurrency Transactions Reveal About You — Without You Knowing
Bitcoin transactions do not contain your name — but pseudonymous is not anonymous. The moment a wallet address links to your identity, that link is permanent and retroactive. Covers KYC breach risk, blockchain tracing methodology, Monero's reputational problem, and the Bitfinex and Colonial Pipeline cases.
ANALYSIS: If Dutch Ministers Could Not Stay Out of the Odido Dataset, You Probably Didn't Either
Four ministers. A senior intelligence officer. Three individuals under active government protection. The Odido breach did not distinguish between ordinary customers and people who thought they were managing their exposure. What each data field enables — and why the window for acting is narrowing.
ANALYSIS: Bypassed: How Voice Cloning, Virtual Cameras, and Real-Time Interception Defeated the Controls Everyone Trusted
MFA was supposed to solve password theft. KYC was supposed to solve identity fraud. Both assumptions are now broken — defeated not by nation-states but by criminal groups using free software, breach data as raw material, and OSINT to source every component.
ANALYSIS: What ShinyHunters Sees Before They Call: Your Organisation's Public Attack Surface
ShinyHunters called Wynn Resorts. Before that call was placed, they already knew who managed IT access, which SSO platform the company used, and which employees had credentials in breach databases. The call was the end of the intelligence phase, not the beginning.
GUIDE: The Accounts You Forgot About Are the Ones That Expose You Most
Most people think about their current online presence. They overlook the usernames, photos, emails, and forum posts from a decade ago — and that is exactly what attackers are looking at.
ANALYSIS: After LockBit: The Ransomware Market Never Shrinks
Every major takedown — LockBit, ALPHV, RansomHub — was followed by a larger, more capable successor. 680 victims across 54 groups in February 2026 alone. A market analysis of who fills every vacuum, and what comes next.
ANALYSIS: Your Digital Profile Already Exists. You Just Have Not Seen It.
Before anyone searches for you, your profile is already assembled. Three freely available layers — social media, data brokers, and breach data — combine into something far more complete than most people realise.
GUIDE: Data Brokers in the United States: No Federal Law, 25 Brokers, and How to Opt Out
The US has no comprehensive federal privacy law. Data brokers hold vast quantities of personal data on Americans with almost no legal obligation to stop. What the FCRA and state patchwork cover, 25 brokers with opt-out links, and why California's DELETE Act in 2026 changes everything.
GUIDE: Data Brokers in Europe: GDPR, UK Law, Germany, France — and the US Surveillance Risk Nobody Warned You About
GDPR gives Europeans powerful rights over their data. But data brokers exploit legitimate interest loopholes, US surveillance law undermines every EU-US transfer framework, and a third Schrems ruling may invalidate the current system again. A complete guide to EU privacy law, major fines, and how to use your rights.
GUIDE: Data Brokers in Australia and New Zealand: What They Hold, What the Law Allows, and How to Get Out
Australia has had some of the world's largest data breaches. But most Australians don't realise data brokers legally hold and sell their personal data every day — with few legal obligations to stop. What the law says, who the 25 biggest brokers are, and how to opt out.
ANALYSIS: All Odido Data Is Now Online. Here Is What Happens Next.
When stolen data moves from 'for sale' to 'free for anyone', the real damage begins. Here is what typically happens next — illustrated with real Dutch and European cases.
ANALYSIS: The OSINT Ethics Spectrum: When Does a Tool Become a Weapon?
Sherlock, GHunt, SpiderFoot, Recon-ng, Maltego — the same tools used in legitimate investigations are used in stalking and doxxing. A feature-by-feature ethics map of the most popular OSINT platforms.
INTEL: The Right to Delete Your Data Exists. Data Brokers Are Ignoring It.
35 brokers hid their opt-out pages from Google. 43% ignored deletion requests entirely. California's new DROP tool changes everything. Here is the evidence — and how to fight back.
INTEL: ShinyHunters: Inside the Threat Group
From Tokopedia to Canvas LMS, ShinyHunters has stolen data from hundreds of millions of people. Updated May 2026 with the Salesforce-Aura campaign, the documented Instructure resolution, and the 90-day cohort.
INTEL: Odido Breach: How ShinyHunters Stole 6.2M Records
ShinyHunters is publishing stolen Odido customer data daily — names, IBANs, ID numbers, sensitive account notes. The attack used a phone call, not a zero-day. Here is exactly how it unfolded.
GUIDE: Punch the Monkey: OSINT and the Battle of Narratives
A baby spider monkey, three conflicting headlines — and a masterclass in how the same footage can be spun into entirely different stories. Here is how OSINT methodology cuts through viral fiction to find what is actually true.
INTEL: What Investigators See When They Search You: A 2026 OSINT Breakdown
A step-by-step walkthrough of how OSINT analysts build a complete profile on any individual using only public sources in 2026 — and what you can do about it.
INTEL: Why Using AI for OSINT Leaves a Trail — And What to Do Instead
Using ChatGPT or Perplexity for OSINT research leaves an auditable trace that compromises operational security. Why automation with manual interpretation is the correct methodology.
INTEL: How Criminals Bypass KYC Checks Using Your Leaked Data
KYC identity verification was designed to stop fraud. Here's how criminals use your leaked data to defeat it — and what that means for your exposure.
GUIDE: How to Remove Your Data from Brokers: A Step-by-Step Walkthrough
Your personal data is sold daily by brokers you've never heard of. Here's how to find them, opt out, and use the California CCPA shortcut that most people don't know about.
GUIDE: 15 Major Data Brokers: Direct Opt-Out Links (2026)
A practical guide to identifying data brokers holding your personal information and the most effective removal strategies available — including what they won't tell you.
INTEL: Schrödinger's Intel: The Zero-Trust Approach to OSINT
Until verified, everything is both real and fake. Learn how to apply Zero-Trust principles to validate intelligence in an age of AI-generated deepfakes and synthetic content.