The fragile ceasefire agreed between Israel and Hezbollah last month is holding. 

But satellite imagery shows that at least 46 of 54 towns and villages within the Israel Defense Forces (IDF) “Yellow Line” in southern Lebanon have been heavily damaged or, in some cases, entirely flattened. 

Much of the destruction and demolition has taken place in recent weeks.

Bellingcat’s satellite imagery analysis examined towns and villages identified on OpenStreetMap, a community-driven map database. Medium resolution PlanetScope satellite imagery covering each of the locations was provided by Planet Labs, a US company that recently restricted some of its imagery in the Middle East.

Bellingcat is sharing the annotated PlanetScope imagery for the dates of March 2 and May 8, 2026, showing the scale of damage that has occurred during roughly the first two months of the US-Israeli war against Iran.

The towns and villages detailed in the map are colour coded. Red shows locations  that have suffered varying degrees of damage or destruction, while yellow shows locations that were damaged prior to the US-Israeli war with Iran. White shows locations that have not been significantly damaged at time of publication.

Scroll and zoom to see damage throughout southern Lebanon in each of the date tabs. The first image is from March 2, 2026, shortly after the US and Israel attacked Iran. The second image is from May 8, 2026, more than two months after the start of the war and amid a fragile ceasefire between Israel and Hezbollah. PlanetScope imagery via Planet Labs PBC.

Israel’s Defence Minister, Israel Katz, is reported to have stated that “all homes in Lebanese villages near the border will be destroyed — in accordance with the Rafah and Beit Hanoun model in Gaza”. The aim, Katz said, is to “remove, once and for all, the threats near the border”. Israel has adopted similar methods of flattening buildings and homes close to Israel’s border in Gaza.

The large-scale destruction in southern Lebanon has been reported by multiple outlets including the BBC, CNN, SkyNews and The New York Times. These reports have shared images from several towns and villages, but Bellingcat is publishing satellite imagery for the entirety of southern Lebanon. The changes between the two dates show the scale and pace of destruction.

Within the Yellow Line  — the area occupied by the IDF since a ceasefire was agreed between Hezbollah and Israel on April 16 —  some towns were reported already destroyed or heavily damaged during the 2024 Israeli invasion of southern Lebanon. Some — like the coastal border town of Naqoura or the southeastern border town of Kfar Kila — have now been largely demolished. This is visible in both the medium-resolution PlanetScope imagery, and in high-resolution imagery obtained from Airbus by the BBC.   

Everything south of Lebanon’s Litani and Zahrani Rivers has been under evacuation orders issued by the IDF since early March, with regular updates warning residents to leave ahead of airstrikes. 

Much of the destruction within the “Yellow Line” appears to be from either controlled demolitions using explosives or construction vehicles. The IDF has shared numerous videos showing large-scale demolitions conducted in the towns and villages in southern Lebanon, while videos shared elsewhere on social media show the aftermath — large parts of towns like Beit Lif or Kheim reduced to rubble. 

One particularly large explosion took place in the small village of Qantara, where the IDF says it found two large tunnel systems built by Hezbollah. 

The tunnels were detonated with 450 tonnes of explosives, leaving large parts of the village obliterated. Another video released by the IDF showed some of the few remaining buildings in the nearby village of Aadashit being demolished with explosives. The IDF claimed the buildings were “Hezbollah infrastructure”.

Before and after imagery from Planet Labs shows the villages of Qantara and Aadshit in southern Lebanon on March 2 and April 30, 2026. The April imagery shows the aftermath of two large demolitions conducted by the IDF. Large parts of both villages have also been demolished. The UNP 7-1 label details the position of a UN peacekeepers facility.

Bellingcat contacted the IDF for comment on the details in this story but did not receive a response before publication. 

A full size version of the map can be found here.

---

Bellingcat is a non-profit and the ability to carry out our work is dependent on the kind support of individual donors. If you would like to support our work, you can do so here. You can also subscribe to our Newsletter and follow us on Bluesky here, Instagram here, Reddit here and YouTube here.

The post Satellite Imagery Shows Ongoing Demolitions Across Southern Lebanon appeared first on bellingcat.

Since the beginning of 2026, at least four landslides are reported to have killed hundreds of people at the Rubaya mines in the Democratic Republic of Congo (DRC), a major global source of coltan. Coltan is widely used in smartphones, laptops and e-vehicles.

With the mines currently under the control of the Rwandan-backed group M23, and access restricted to journalists and many NGOs, the true number of casualties remains unclear. Frequent cellular network disruptions have also been reported across the region.

In the absence of reliable on-the-ground coverage, Bellingcat used open source methods to examine statements from the authorities and media reports. Bellingcat confirmed several incidents in which villages were engulfed in the landslide and residents living near the mine were among those killed.

Landslide No.1 – January 28

Reports of a deadly landslide killing more than 200 people began appearing in international media in late January and early February. 

Three days after the incident, the DRC government made a statement on Facebook outlining that at least 200 people had been killed. They said the landslide was “a consequence of the rampant and illegal mining by Rwanda and the M23/AFC”.

In response, the M23-appointed local governor, Lumumba Muyisa, told Reuters that at least 200 people had been killed, but attributed the landslide to heavy rains. 

Landslides are common in small-scale mines, especially during the rainy season, which in Rubaya spans from September to May and peaks between March and April. 

Bellingcat cross-checked local media reports against one of the few social media posts about the incident, geolocating the phone footage to a mining pit south-east of Rubaya. In the video, the narrator speaking in Kinyarwanda (the national language of Rwanda, also spoken in eastern DRC) pans from the top to the bottom of the slope. Filmed at a distance, no bodies are visible in the footage.

Satellite imagery captured before and after the first landslide shows how the mud advanced down the slope.

Landslide No.2 – March 3

Just over a month later, a second landslide was reported. On Facebook, the DR Congo Ministry of Mines released a statement including a provisional death toll of more than 200 people:

However, senior M23 official Fanny Kaj, speaking to AP, rejected the DRC government’s claims, stating: 

“I can confirm what people are publishing is not true. There was no landslide; there were bombings, and the death toll isn’t what people are saying. It’s simply about five people who died,” Kaj said. 

The same day the second landslide was reported, another M23 spokesperson, Lawrence Kanyuka, announced an attack involving “combat drones and heavy artillery”, at a location more than 250km from Rubaya.

Speaking to eyewitnesses at the mines, international media reported a landslide triggered by heavy rains, with no mention of bombings – only of workers buried under the earth. 

Bellingcat verified several social media videos of the second incident, in which dozens of people are seen digging for those buried under the mud. The clip below is an edited excerpt that excludes graphic images of bodies.

Edited video clip (left) geolocated to the camera icon (right). The white line (right) shows the camera’s movement as it pans across the slope. Source: Planet Labs PBC, March 26, 2026.

Later in the video, as the camera zooms in on several bodies, the narrator speaking in Kinyarwanda says: “Those you can see here have just been pulled out. These people are dead, but others are continuing to the search operations.” 

Due to the low quality of the footage, an accurate body count was not possible. 

Bellingcat geolocated footage of landslide No. 2 to the same location as landslide No. 1, shown in the satellite imagery below.

M23 did not respond to a request for comment on findings contradicting senior official Fanny Kaj’s claim that no landslide occurred on 3 March.

Landslide No.3 – March 7

Four days later, a third landslide was reported, with estimates of more than 300 people killed, according to civil society official Telesphore Nitendike. Speaking to EFE, Nitendike said the landslide had affected “more than 40 families” as houses were “swept away” by the mud.

Satellite imagery shows the landslide advancing from east to west as mud surged down the slope.

Before and after the third landslide on March, 3. Source: Planet Labs PBC.

Bellingcat verified more than a dozen social media videos from the third incident, the majority posted on X by local media accounts. Almost all contained highly distressing content, including the bodies of young children. In one video, the narrator walks through a crowd of more than a hundred people, then stops and pans across several bodies covered with blankets, saying: 

“These bodies were found here in Gatabi [name of village], inside houses. You can see how the houses were swallowed. The search for residents is still ongoing. It is truly a tragedy.”

As he continues filming, at least seven unclothed bodies, all young children, are seen being carried down the slope.

“You see, there, that’s another child’s body. These are children who were sleeping in their homes. Some were still in bed when they were swallowed by the landslide.”

Left: Video clip shows a body covered with a blanket on a stretcher. Right: Video clip shows the community-led rescue effort. The background satellite image shows geolocated pins marking the videos. Source: Planet Labs PBC, 16 February 2026.

Bellingcat geolocated 12 social media videos of the third landslide to a location southwest of Rubaya town.

Landslide No.4 – March 27

A fourth landslide was reported at the end of March by local outlets, describing the collapse of two mining shafts and the death of at least nine workers. 

Satellite analysis, combined with the geolocation of one social media video, indicates the fourth incident took place at the same location as landslides No.1 and No.2.

Before and after the fourth landslide on March 27. Yellow box highlights houses engulfed in the mud. Source: Planet Labs PBC.

Despite repeated attempts by Bellingcat to contact the DRC government and M23 for updated casualty figures across all four incidents, neither party responded. 

In February of this year, human rights group Global Witness called on companies and governments using or trading DRC’s coltan to ensure mine operators adhere to international human rights and environmental standards.

Bellingcat also contacted the DRC government spokesman and minister for communication and media, Patrick Muyaya, regarding a post he made on X that Bellingcat found to be promoting misinformation about the rate of expansion of the mines while under M23 control.

In the post, Muyaya urges followers to watch a video that presents itself as an open source report but includes satellite imagery falsely attributed to Bellingcat and “Planet Labs Inc.” We can confirm that this is not our work. The imagery also appears not to be from Planet Labs PBC, but from Google Earth Pro (illustrated below). 

The fabricated video was originally posted in 2025 by the Facebook account, Congo Kinshasa.

Contacted by Bellingcat, Congo Kinshasa confirmed that they were the creator of the video. Asked to explain why the satellite images were mislabeled and the analysis wrongly attributed to Bellingcat, they responded: “I don’t understand you. What exactly is your problem?”

Minister Patrick Muyaya did not respond to our request for comment on his post promoting false information.

---

Claire Press contributed to this report.

Bellingcat is a non-profit and the ability to carry out our work is dependent on the kind support of individual donors. If you would like to support our work, you can do so here. You can also subscribe to our Patreon channel here. Subscribe to our Newsletter and follow us on Bluesky here, Instagram here, Reddit here and YouTube here.

The post DRC’s Coltan Belt: Verifying Deadly Landslides At Mines Under M23 Control appeared first on bellingcat.

This investigation is a collaboration between Bellingcat and Colombian media outlet Cerosetenta. You can read Cerosetenta’s piece in Spanish here.

A video posted on Feb. 26 shows several men painting over graffiti in Restrepo, a neighbourhood in Bogota, Colombia, and replacing them with images of their own: a logo used by Colombian political candidate and businessman Jorge Rodriguez, who is one of the men shown in the footage.

“Today we are defending public space to stop generating hatred in future generations!” said the caption posted on Instagram by Rodriguez, who unsuccessfully ran for office in the March 2026 congressional elections as part of Centro Democratico, the country’s largest right-wing party. 

But at least one of the graffiti-ed pieces they painted over carried a message critical of, rather than promoting, hate: “Creole Nazis will not pass” – using a term that refers to Nazi sympathisers in Latin America. 

And although the faces of most of the men shown in the video were pixelated, the tattoos visible on one of them have multiple similarities with a prominent member of neo-Nazi group Active Club Bogota – an individual known as Javier “Orlik” Ruiz, whom Rodriguez follows on Instagram and who “liked” the video.

In response to Bellingcat and Cerosetenta’s queries via Instagram, Rodriguez did not answer questions about his relationship with Active Club Bogota or the individual we identified as appearing in his videos, but said he was “not obligated to respond to any interview or request without a court order”. He also threatened legal action if we used his image or name in this investigation, saying that this would violate his rights to privacy, reputation and data protection, as well as the right to his own image. 

Similarly, Ruiz did not reply to questions that Bellingcat sent via email, including on his role in Active Club Bogota, but responded to our query by threatening legal action if we used his name, image or background information about him without his “prior, express and informed authorisation”. Ruiz said in his email that, among other things, processing his personal data without authorisation could be considered a violation of personal data under Colombian law.

After Bellingcat replied to both Rodriguez and Ruiz, noting that they did not answer our questions and inviting them again to do so, Ruiz responded with another legal threat referencing data laws – again without answering any questions related to this investigation. 

Bellingcat and Cerosetenta have consulted legal experts in both the Netherlands, where Bellingcat is headquartered, and in Colombia on the question of how privacy laws in both countries are balanced against the right to freedom of expression. In light of (amongst other factors) the public interest in this information and the fact that both Rodriguez and Ruiz qualify as “public figures” (persons who have, through their acts or their position, entered the public arena), the reporting in this article and the editorial choices made by Bellingcat are protected by the freedom of expression.

Both Rodriguez’s and Ruiz’s full responses are included at the end of this article.

Active Club Bogota is the local branch of the international Active Club movement. It hosted celebrations of Adolf Hitler’s birthday at a Bogota community centre in 2025 and 2026. At the 2025 event, the group hosted a Nazi-inspired book burning. This year, the group celebrated with Nazi swastika cupcakes, a swastika-emblazoned birthday cake and the screening of a 1940 Nazi propaganda film.

Bellingcat and our Colombian partner Cerosetenta reached out multiple times via email and phone to the president of the relevant Community Action Board managing the community centre where these events were held, using contact information listed in a document by the local mayor’s office. As of publication, we have not received a response to our emails, and calls to the president of the community centre have gone unanswered.

Active Club Bogota, which has had an online presence since early 2024, appears to be the only officially recognised South American chapter of the neo-Nazi network started in the US by white supremacist Robert Rundo. The international movement, which Bellingcat has covered extensively, is known for using fitness, fighting and fashion to recruit young men and boys into the far right, normalise fascist ideas and prepare them for physical violence against perceived enemies. 

Active Club Bogota’s official Instagram account followed just over 60 accounts earlier this year. Rodriguez’s public Instagram account was, and continues to be, one of them. In March this year, Rodriguez also “liked” a March 2026 post from the group that featured a flag for a neo-Nazi movement. 

While Rodriguez was unsuccessful in his bid for a seat in parliament, garnering just 4,401 votes, he presents himself as a prominent member of Centro Democratico and claims to have founded the party’s largest youth group. 

He has appeared in photos and events on his social media alongside notable figures from the party, such as former Vice Minister of Justice Rafael Nieto Loaiza, party director Gabriel Vallejo, presidential candidate Paloma Valencia and the party’s founder, Alvaro Uribe Velez.

Alexander Ritzmann, a senior advisor with the Counter-Extremism Project (CEP), told Bellingcat that an affiliation between Active Club Bogota and a political actor like Rodriguez should be taken seriously.

Heidi Beirich, co-founder of Global Project Against Hate and Extremism (GPAHE), said that any sort of legitimacy lent to an outwardly neo-Nazi group, like those that make up the Active Club movement, “sets a dangerous precedent”.

Bellingcat’s investigation into Active Club Bogota also suggests that the group has connections with the international far-right, with allies and “brothers” from Brazil to Spain, as well as apparent links with Combat 18, a violent neo-Nazi network accused of being an “international criminal organisation” and terrorist group. There is no evidence to suggest that Rodriguez has any connections to these other groups.

Centro Democratico was the biggest challenger to Colombian President Gustavo Petro’s left-wing coalition Pacto Historico in the March elections, securing 17 seats in the Senate, up from 13 in 2022, and a majority of 32 seats in the House of Representatives, double the 16 it won in the previous elections.

In response to Bellingcat’s queries, Centro Democratico National Director Gabriel Vallejo said the party was unaware of any proven links between Rodriguez and far-right, neo-Nazi, or extremist groups. 

Vallejo said that the Party’s candidates retain the right to exercise their freedom of expression and define their ideological affinities within the limits of the Constitution and the law. 

However, Vallejo said that Centro Democratico does not support or endorse any type of link with organisations or movements that incite hate speech, violence or the glorification of crime. 

“The Party maintains a firm stance in defence of the Constitution, the law, democratic institutions, and respect for human dignity, as well as in the protection of the public interest and fundamental rights,” he said. “In this regard, any conduct that contravenes these principles is contrary to the Party’s guidelines and will be subject to the corresponding actions in accordance with the Statutes and applicable regulations.”

Tattoo Identifications

In Rodriguez’s Feb. 26 video, the former political candidate can be clearly seen. However, several others had their identities obscured, with one particular individual being completely pixelated from head to toe in almost every frame he appeared in, even where only part of his arm was visible. 

But thanks to a few frames where parts of the individual’s arms or hands are briefly unpixelated, or where colouration shows through the pixelation, Bellingcat was able to match the person shown in the video to a prominent Active Club Bogota member and possible leader – an individual who goes by Javier or “Orlik” Ruiz – who Rodriguez follows on Instagram and vice versa. 

Between April and May 2024, the first few weeks after Active Club Bogota’s Telegram channel was set up, eight posts listed an author who went by “Orlik Ruiz”. 

Bellingcat searched online for social media accounts and information related to “Orlik Ruiz” and quickly found numerous public social media accounts that appear to belong to the same individual, with posts showing photos of his face and tattoos. Several of these accounts used the name Javier Ruiz. These accounts included a YouTube account featuring 2022 video clips showing Ruiz and other men at a shooting range, holding what appear to be automatic rifles.

In most of these social media accounts, Ruiz posted numerous photos exposing his face and, more frequently, his tattoos from multiple angles, allowing Bellingcat to confirm that the same individual appears in the vast majority of Active Club Bogota’s online content.

Active Club Bogota’s Telegram channel listed an account with the name “Javi” as the group’s main contact. There were more than 30 posts on this account’s own profile page, and though the face of the person shown in the photos posted from this account was obscured, the matching tattoos in many of these posts all pointed to the same person.

Ruiz’s tattoos had several distinctive features that appeared across multiple photos. The backs of both of his hands are tattooed up to the base knuckles. He also has an arrow tattoo on his left middle finger, pointing down towards the base knuckle, and a red design that circles his left wrist. 

These match several features of tattoos on the individual’s left hand that can be made out despite the pixelation, including what appears to be red colouration on the individual’s wrist, heavy dark hand tattooing, and also discolouration on the left middle finger, suggesting tattoos on that finger.

While blurred footage alone is not enough to confirm matching tattoos, several other significantly more detailed and clearer comparisons could be made. 

In one frame, a very similar arrow to that seen in photos of Ruiz appears on the left middle finger of the individual shown in the video.

In addition, there are gaps in the tattoos and a rounded shape visible on his left arm that are consistent in position with photos of Ruiz’s tattoos.

There are also several frames in the video where the individual’s right hand is visible. These unpixelated, although still blurry, frames show the individual has heavy tattooing on their right hand that forms a curved shape between their knuckles. This is consistent with the shape of the tattoos on the right hand of Active Club Bogota’s Ruiz as seen in photos posted on the group’s Telegram channel and on social media.

Another frame shows a small red tattoo visible on the middle-right finger as well as a detail between the index finger and right pinky. This matches with other, clearer images of Ruiz’s tattoos visible on his private Instagram.

Furthermore, in several frames of the video, the pixelated individual’s upper-right arm is visible, showing red colouration that is consistent in size and shape with images of Ruiz’s tattooed right arm.

Promoting Fascist Ideas in the Region

The first sign we could find online of Active Club Bogota’s appearance on the city’s neo-Nazi scene was in early 2024, when its official Telegram channel was created. 

The official Active Club website that Rundo, the American founder of the Active Club movement, has openly promoted in several podcasts features a map of “official” Active Clubs around the world. As of the time of publication, Active Club Bogota is the only one in South America on the map.

But social media posts from Active Club Bogota suggest that the Colombia-based group has been attempting to promote the development of other Active Clubs in Latin America, with mixed results.

In September 2025, Active Club Bogota promoted a new Active Club in Brazil, boasting that “our brothers … have also taken a big step forward.” 

This Brazilian Active Club Telegram channel no longer exists as of February 2026. 

Also in September 2025, Active Club Bogota promoted the Telegram channel of a new Active Club in Argentina, which they referred to as “our Argentinian friends”. This Telegram channel, like the Brazilian Active Club Telegram channel, no longer exists as of February 2026.

In December 2025, Active Club Bogota promoted the Telegram channel of another new Active Club based in Mexico City, which the Colombian channel referred to as “our Mexican brothers, who are joining this great movement that seeks to reclaim our identity and heritage”.

Beirich, the co-founder of GPAHE, said that Active Clubs are a concerted effort to market the far right to a new generation of young people. 

“Active Clubs can and do serve as a bridge between older generations of neo-Nazis and the current wave of youth engaging with the movement,” she said.

“Groups like the one in Bogota are hyper-local enterprises that also connect its members to a transnational extremist network of other Active Clubs and white supremacist groups that share a similar worldview,” she added.

Ritzmann, from CEP, also said that the threat posed by the group should not only be measured by its size. “Even a small local chapter can function as a recruitment hub, a training environment, and a bridge into wider transnational extremist networks,” he said.

International Connections

Our identification of Ruiz also led to evidence of links between Active Club Bogota and international neo-Nazi networks Blood & Honour and Combat 18.

In a May 2024 photo posted on his public Telegram account, a man whose face is covered by a cloth mask and further obscured with a digital image was pictured standing next to two neo-Nazi musicians who were in Bogota to perform at a concert that Ruiz had promoted on his Telegram account. One of the musicians is British neo-Nazi Ken McLellan, who has long been associated with Blood & Honour. 

The tattoos on the lower left leg and right hand of the man whose face was obscured appear to be the same as Ruiz’s – matching the shape, colour and position – based on photos publicly posted on Active Club Bogota’s Telegram channel.

Blood & Honour is an international neo-Nazi network founded in the United Kingdom in 1987; McLellan and his band were present at this founding meeting and still regularly perform at Blood & Honour-affiliated concerts. Blood & Honour’s affiliate group Combat 18, described as the “armed branch” of Blood & Honour, was founded in 1992. 

Members and associates of Blood & Honour and Combat 18 have been accused of crimes including possessing explosives and drug trafficking. Individuals associated with both groups have been convicted of crimes including attempted murder, murder and terrorism. Both groups have been designated terrorist organisations in Canada since 2019 and have been subject to financial counter-terrorism sanctions in the United Kingdom since January 2025. 

A Colombia-based neo-Nazi fashion retailer that sells t-shirts with Combat 18 symbolism and branding also lists Ruiz as the main contact on its Telegram channel (Bellingcat is not naming the retailer to avoid amplification). 

On its WhatsApp Business account, this retailer advertises neo-Nazi clothing and paraphernalia, including content with Combat 18’s name, symbolism and branding, as well as content promoting bands with documented links to Combat 18. Active Club Bogota has also promoted this retailer on its own Telegram channel. After reaching out to Meta, the parent company of WhatsApp, a spokesperson told Bellingcat that “this account breaks our terms of service and we have banned it”. As of publication, the WhatsApp Business account has been blocked.

After a series of arrests of alleged members in Spain in October 2023, Spanish authorities publicly called Combat 18 an “international criminal organisation” and claimed the Spanish wing of the group has relations with Combat 18 members in South America. 

Spanish media outlet El Periodico further reported that this police operation against Combat 18 in October 2023, according to their sources, “was mounted to pursue organised crime and other related offences, including drug trafficking”. 

Bellingcat established another link between the two groups through another individual associated with Active Club Bogota. 

In a 2015 post on one of Ruiz’s public Facebook accounts, an individual (in red below) who at the time was a bassist with a neo-Nazi band that sang songs praising and promoting Combat 18, is visible with a black tattoo on his left bicep.

Almost a decade later, in January 2025, Active Club Bogota posted a video that featured an individual with a tattoo that appeared to be in the same shape and placement.

The bassist’s name was mentioned in two posts by Juan de Dios Osuna Montanez, the alleged leader of Combat 18 in Spain, on Instagram in May 2024. 

Both posts featured a photo of what Montanez described as “little gifts directly from Colombia,” with Montanez thanking an account under this individual’s name, calling him his “brother.” These posts occurred during the same time period during which Active Club Bogota posted content from Catalonia, in northeastern Spain.

The photos Montanez posted of the apparent gifts are nearly identical, with the only difference being that the second photo is more zoomed in than the first. The photo shows a sticker with Active Club Bogota’s logo and branding, a t-shirt reading “Blood & Honour Colombia Division,” a sticker featuring both Blood & Honour and Combat 18’s logo, as well as packages of candy and coffee that Bellingcat was able to identify as being from small Colombian brands. 

Montanez did not respond to Bellingcat’s request for comment via Instagram and Facebook, but we were blocked by his Instagram account after we reached out. We were unable to find any other public contact information for Montanez.

Ritzmann of CEP said that Active Club Bogota’s repeated display of the Combat 18 flag on its Telegram channel signals identification with one of the most explicitly militant neo-Nazi traditions in Europe.

He added that while some Active Clubs avoid overtly antisemitic references to avoid scrutiny by law enforcement, reduce negative media attention and attract new recruits without frightening them away, Active Club Bogota “appears to sit at the more explicit edge of the Active Club strategy” with its open celebration of Hitler’s birthday and its antisemitic messaging. 

“The network wants to appear harmless enough to avoid scrutiny, but radical enough to attract militants. Active Club Bogota is an example of how that balance can shift toward overt neo-Nazi mobilisation while still remaining inside the wider transnational Active Club ecosystem,” he said.

Full Response from Jorge Rodriguez to Bellingcat’s Queries

[April 24, 2026]

Translated to English
“In response to your questions, I would like to inform you that I am not obligated to respond to any interview or request without a court order. Therefore, I will not respond to any interviews. Furthermore, should you decide to use my name or image, I wish to state that I DO NOT AUTHORISE THE USE OF MY NAME, SOCIAL MEDIA ACCOUNTS OR ANY RELATED CONTENT.

Likewise, if you use my image or name, it constitutes a violation of my fundamental rights to privacy, reputation, habeas data, and the right to my own image, the latter of which has been repeatedly recognised and protected by the jurisprudence of the Constitutional Court.

The unauthorised use of my image or name may constitute a punishable offence, and I will be authorised to initiate the corresponding legal actions to restore my rights.

Sincerely,

Jorge Rodríguez”

In Spanish (Original)

“De conformidad con sus preguntas, me permito indicarle que no estoy obligado a responder ninguna entrevista o requerimiento sin que medie orden judicial. Por lo anterior, no responderé ninguna entrevista, asimismo, en caso de que ustedes decidan utilizar mi nombre o imagen me permito indicar que NO AUTORIZO LA UTILIZACIÓN DE MI NOMBRE O IMAGEN, REDES SOCIALES Y DEMÁS.

De igual manera, si ustedes utilizan mi imagen o nombre es una transgresión de mis derechos fundamentales a la intimidad, al buen nombre, al habeas data y al derecho a la propia imagen, este último reconocido y protegido de manera reiterada por la jurisprudencia de la Corte Constitucional.

Incluso la utilización de imagen o nombre sin autorización puede constituir una conducta punible y estaré autorizado de iniciar las acciones legales correspondientes en aras del restablecimiento de mis derechos.

Cordialmente,

Jorge Rodríguez”

First Response from Javier Ruiz to Bellingcat’s Queries

[April 21, 2026]

Translated to English
“As the data subject of the aforementioned personal data, I hereby submit this formal request regarding the use of my name, image, and background information in an interview request, without my prior, express, and informed consent.

The described conduct constitutes a potential violation of my fundamental rights to privacy, reputation, habeas data, and the right to my own image, the latter repeatedly recognised and protected by the jurisprudence of the Constitutional Court.

Likewise, the processing of my personal data without authorisation contravenes the provisions of Law 1581 of 2012 and its implementing decrees and could constitute the offence of personal data violation under Article 269F of the Colombian Penal Code.

Therefore, through this document, I expressly and immediately request:

– The suspension of any use, processing, circulation, or dissemination of my name, image, and other personal data.

– The permanent deletion of any content, file, record or publication in which my personal information has been used without my authorisation.

– A precise indication of the origin of the information, the purposes of its processing, and the third parties with whom it has been shared.

For the purposes of the foregoing, I grant a maximum period of forty-eight (48) hours from the receipt of this communication to demonstrate compliance with the requirement.

In case of non-compliance, I will be obligated to initiate the corresponding legal actions, including filing a writ of protection for the violation of my fundamental rights, as well as administrative proceedings before the Superintendency of Industry and Commerce and any applicable criminal actions.

This communication is understood as a formal prior request.

Sincerely,

J.R.”

In Spanish (Original)

“En mi calidad de titular de los datos personales referidos, me permito formular el presente requerimiento formal en relación con el uso de mi nombre, imagen y antecedentes dentro de una solicitud de entrevista, sin que medie autorización previa, expresa e informada de mi parte.

La conducta descrita constituye una posible vulneración de mis derechos fundamentales a la intimidad, al buen nombre, al habeas data y al derecho a la propia imagen, este último reconocido y protegido de manera reiterada por la jurisprudencia de la Corte Constitucional.

De igual forma, el tratamiento de mis datos personales sin autorización contraviene lo dispuesto en la Ley 1581 de 2012 y sus decretos reglamentarios, y podría adecuarse a la conducta tipificada como violación de datos personales conforme al artículo 269F del Código Penal Colombiano.

En virtud de lo anterior, por medio del presente escrito requiero de manera expresa e inmediata:

– La suspensión de cualquier uso, tratamiento, circulación o difusión de mi nombre, imagen y demás datos personales.

– La eliminación definitiva de cualquier contenido, archivo, registro o publicación en la que se haya hecho uso de los mismos sin mi autorización.

– La indicación precisa del origen de la información, las finalidades del tratamiento y los terceros con quienes haya sido compartida.

Para efectos de lo anterior, otorgo un plazo máximo de cuarenta y ocho (48) horas contadas a partir de la recepción de la presente comunicación, a fin de que se acredite el cumplimiento de lo requerido.

En caso de incumplimiento, me veré en la obligación de iniciar las acciones legales correspondientes, incluyendo la interposición de acción de tutela por la vulneración de mis derechos fundamentales, así como las actuaciones administrativas ante la Superintendencia de Industria y Comercio y las acciones penales a que haya lugar.La presente comunicación se entiende como requerimiento previo formal.

Cordialmente,

J.R.”

Second Response from Javier Ruiz to Bellingcat’s Queries

[May 7, 2026]

In English

“SUBJECT: FORMAL REQUEST FOR CESSATION AND WITHDRAWAL – NOTIFICATION OF VIOLATION OF FUNDAMENTAL RIGHTS AND DATA PROTECTION REGIME (LAW 1581 OF 2012)

In my capacity as a fully identified [Colombian] citizen and exercising my legal rights as the owner of personal data, I hereby submit this prior and peremptory request based on the following factual and legal grounds:

1. Lack of Consent and Legal Basis:

The unauthorised use of my name, image, and biographical information has been established within the framework of your informational activities. I declare that there has been no prior, express, informed, or qualified authorisation for the processing of said data, contravening the principle of legality and purpose established in Article 4 of Law 1581 of 2012.

2. Autonomy of the Right to One’s Own Image (Judgment T-040 of 2013): I hereby notify you that, in accordance with the jurisprudence of the Constitutional Court in its Judgment T-040 of 2013, the right to one’s own image is an autonomous and independent right. Therefore, the capture, use, or dissemination of my image and name requires my express consent, and journalistic practice does not grant an open licence for its exploitation without prior authorisation, especially when there is no public interest that proportionally justifies it.

3. Violation of Fundamental Rights:

Your actions constitute an arbitrary interference that affects my right to Habeas Data, my right to a good name (Art. 15 of the Colombian Penal Code), and, specifically, my right to my own image. According to the jurisprudence of the Honourable Constitutional Court, the use of a person’s image without their consent constitutes an overreach of journalistic practice that is not protected by freedom of information when it affects the private sphere.

4. Criminal and Administrative Liability: I hereby warn you that the processing of personal data without proper authorisation could constitute the conduct defined in Article 269F of the Colombian Penal Code (Violation of Personal Data), in addition to the fines imposed by the Superintendency of Industry and Commerce (SIC) for non-compliance with data protection regulations. 

LEGAL CLAIMS:

• IMMEDIATE CESSATION: The suspension of any act of processing, restricted circulation, or dissemination of my identity, image, or sensitive data.

• PERMANENT DELETION: The removal of any record from your databases or digital platforms containing information whose collection has not been authorised.

• TRACEABILITY REPORT: Submission of certification detailing the origin of my data and the identification of third parties to whom it has been transferred or transmitted.

TERM AND WARNING: You have a non-extendable term of forty-eight (48) hours to demonstrate compliance with the requests made herein. Silence or a negative response will authorise the initiation of a tutela action for the immediate protection of my fundamental rights, as well as the corresponding Administrative Complaint before the Office of the Superintendent Delegate for the Protection of Personal Data of the Superintendency of Industry and Commerce (SIC) and criminal proceedings before the Office of the Attorney General of Colombia.

1) Freedom of expression cannot infringe upon the right to privacy and honour.

2) The right to receive information, or rather, to inform, cannot supersede the duty not to disseminate defamatory information about a person or organisation.

3) A request for information from an independent, foreign media outlet cannot be based on erroneous presumptions regarding rulings, orders, and precedents pertaining to the Colombian judicial system. I thank you in advance for your attention, but I wish to clarify that I do not desire any response, understanding that you are complying with the order I have given and established.”

In Spanish (Original)

“ASUNTO: REQUERIMIENTO FORMAL DE CESE Y DESISTIMIENTO – NOTIFICACIÓN DE VULNERACIÓN DE DERECHOS FUNDAMENTALES Y RÉGIMEN DE PROTECCIÓN DE DATOS (LEY 1581 DE 2012)

En mi condición de ciudadano(a) plenamente identificado(a) y en ejercicio de mis facultades legales como titular de datos personales, presento ante ustedes este requerimiento previo y perentorio con base en los siguientes fundamentos de hecho y de derecho:

1. Ausencia de Consentimiento y Base Legal:

Se ha evidenciado el uso no autorizado de mi nombre, imagen y antecedentes biográficos en el marco de su actividad informativa. Manifiesto que no ha mediado autorización previa, expresa, informada ni calificada para el tratamiento de dichos datos, contraviniendo el principio de legalidad y finalidad establecido en el Artículo 4 de la Ley 1581 de 2012.

2. Autonomía del Derecho a la Propia Imagen (Sentencia T-040 de 2013):

Les notifico que, conforme a la jurisprudencia de la Corte Constitucional en su Sentencia T-040 de 2013, el derecho a la propia imagen es un derecho autónomo e independiente. Por tanto, la captura, uso o difusión de mi imagen y nombre requiere de mi consentimiento expreso, sin que el ejercicio periodístico otorgue una licencia abierta para su explotación sin autorización previa, especialmente cuando no existe un interés público que lo justifique de manera proporcional.

3. Vulneración de Derechos de Carácter Fundamental:

Su actuación constituye una injerencia arbitraria que afecta mi derecho al Habeas Data, al Buen Nombre (Art. 15 C.P.) y, de manera específica, al Derecho a la Propia Imagen. Según la jurisprudencia de la Honorable Corte Constitucional, el uso de la imagen de una persona sin su anuencia es una extralimitación del ejercicio periodístico que no encuentra amparo en la libertad de información cuando se afecta la esfera privada.

4. Responsabilidad Penal y Administrativa:

Les advierto que el tratamiento de datos personales sin la debida autorización podría configurar la conducta tipificada en el Artículo 269F del Código Penal Colombiano (Violación de datos personales), además de las sanciones pecuniarias que la Superintendencia de Industria y Comercio (SIC) impone por el incumplimiento del régimen de protección de datos.

PRETENSIONES LEGALES:

• CESE INMEDIATO: La suspensión de cualquier acto de tratamiento, circulación restringida o difusión de mi identidad, imagen o datos sensibles.

• SUPRESIÓN DEFINITIVA: La eliminación de cualquier registro en sus bases de datos o plataformas digitales que contenga información cuya recolección no haya sido autorizada.

• INFORME DE TRAZABILIDAD: Remitir certificación detallando el origen de mis datos y la identificación de terceros a quienes les hayan sido transferidos o transmitidos.

TÉRMINO Y ADVERTENCIA:

Cuentan con un término improrrogable de cuarenta y ocho (48) horas para acreditar el cumplimiento de lo aquí solicitado. El silencio o la respuesta negativa facultará el inicio de la Acción de Tutela para la protección inmediata de mis derechos fundamentales, así como la respectiva Denuncia Administrativa ante la Delegatura para la Protección de Datos Personales de la SIC y las acciones penales ante la Fiscalía General de la Nación.

1) La libertad de expresión no puede coartar el derecho a la privacidad y a la honra. 

2)El derecho a recibir información o más bien; a informar no puede supeditar el deber de no difundir información calumniosa sobre una persona u organización 

3) Un requerimiento de información por un medio independiente y extranjero no puede basarse en presunciones erróneas sobre sentencias, órdenes y antecedentes correspondientes al sistema judicial colombiano

De ante mano agradezco la atención prestada, sin antes aclarar que no deseo respuesta alguna, teniendo claro que acatan la orden dada y establecida de mi parte.”

---

Carlos Gonzales and Pooja Chaudhuri contributed research to this piece.

Bellingcat is a non-profit and the ability to carry out our work is dependent on the kind support of individual donors. If you would like to support our work, you can do so here. You can also subscribe to our Patreon channel here. Subscribe to our Newsletter and follow us on Bluesky here, Instagram here, Reddit here and YouTube here.

The post Unearthing a Colombian Politician’s Connections to Neo-Nazi Active Club Group appeared first on bellingcat.

Bellingcat has identified at least 80 police stations or infrastructure related to law enforcement agencies and the Basij paramilitary group that has been damaged or destroyed in the first three weeks of the United States and Israel’s war against Iran. Experts told Bellingcat that both countries aim to degrade the Iranian regime’s “repressive capacity”.

Combined, the US and Israel have conducted thousands of strikes during the course of the 2026 war in Iran. Targets range from Islamic Revolutionary Guard Corps (IRGC) sites, Navy vessels to Iranian weapons manufacturers.

In early March, a Bellingcat analysis using satellite imagery and available photos and videos identified police stations as another apparent target, with at least 15 damaged or destroyed in the capital, Tehran.

We also identified multiple strikes against police infrastructure in the country’s north and west; these areas were targeted by the Israel Defence Forces according to a map released by the IDF on March 31.

“We are providing the brave people of Iran with the conditions to take their destiny into their own hands,” declared the Israeli Ministry of Foreign Affairs official X account, along with a photo of a destroyed police station.

اینجا کلانتری ۱۲۱ سلیمانیه در خیابان نبرد تهران بود.

ما شرایطی را برای مردم شجاع ایران فراهم می‌کنیم تا سرنوشت خود را در دست بگیرند. pic.twitter.com/VSm6YVvIwZ

— اسرائیل به فارسی (@IsraelPersian) March 5, 2026

In all, the majority of strikes Bellingcat analysed focused on police stations (30 incidents) and command centers or headquarters (29 incidents). Locations also include sites related to Basij, a plainclothes paramilitary organisation (9) affiliated with the IRGC that were “involved in the deadly crackdown” of protests in January 2026, others are associated with special forces (3) and traffic (2) or diplomatic (2) police compounds.

Due to commercial satellite companies limiting access to imagery over Iran and neighbouring countries we relied on Sentinel-2 imagery data to help verify the incidents, as well as videos and photos, some of which were also verified by independent geolocators and contributors to the Geoconfirmed volunteer community and confirmed by Bellingcat researchers. 

Location data was partly determined using open source mapping data either from Wikimapia, OpenStreetMap or Google Maps. When video footage or photos were available for incidents reportedly targeting police stations, the location was verified with geolocation and satellite imagery analysis using either Planet Labs medium resolution PlanetScope data (restricted to imagery collected by March 9) or low resolution Sentinel-2 data.

Some locations were discovered utilising location data taken from OpenStreetMap using Overpass Turbo and comparing that with available Sentinel-2 data throughout Iran.

Map showing geolocated incidents in Iran. Click the markers to view the coordinates, sources, and verification notes. Map: Bellingcat/Miguel Ramalho

A Problem of Scale

Israel has released multiple videos showing the targeting of bases and checkpoints belonging to the Basij. In mid-March, the IDF announced the killing of the paramilitary group’s commander, Gholamreza Soleimani. 

Targeting the Basij is part of Israel’s and the US’ agenda “to degrade the regime’s repressive capacity,” Ali Vaez, the director of International Crisis Group Iran Project, told Bellingcat. Police stations are “not involved in repression in the way that crowd control police or Basij centers are”, so targeting them “appears more aimed at preventing the Islamic Republic from being able to maintain control internally,” he said.

Vaez told Bellingcat that, when considered alongside the broader range of targets, including industrial factories, the widespread targeting of police stations is part of a strategy “to make Iran ungovernable for the existing regime or whatever comes after”. 

Vaez was skeptical about the short term effects: “It’s a problem of scale. Iran is such a large country, even if you are able to completely destroy, not just degrade, the capacity of the regime in policing, oppressing, etc – it really requires not just maybe weeks but maybe months if not years.”

The Risk of Civilian Casualties

As of April 7, the Iranian Human Rights Activists News Agency estimates there’ve been more than 1,700 civilian fatalities during the war. 

Several police stations are situated in densely populated urban areas such as Tehran. Stations are used by civilians for various reasons including renewing driving licences, so if these buildings are targeted “during working hours and not in the middle of the night then risk is higher for these people,” Vaez said.

Map showing geolocated incidents in Tehran. Click the markers to view the coordinates, sources, and verification notes. Map: Bellingcat/Miguel Ramalho

A recent joint Airwars, Center for Civilians in Conflict and Human Rights Activists in Iran report detailing the first month of civilian casualties included a section on the worsening situation for detainees in Iranian prisons — including police stations that have been targeted. 

“I was detained in the holding cell of [Police Station 148] for ten days, along with four other activists. Now it looks like nothing is left of that station but ruins. I can’t even recognize where the detention area was. I keep wondering what happened to the people who were being held there during the attack. – Activist, told HRA upon seeing photos of the police station after recent US/Israeli airstrikes.”

Footage shared and geolocated by the BBC’s Shayan Sardarizadeh showed Police Station 148 damaged after an apparent strike in mid-March.

The main building of Tehran’s 148 police station and its courtyard, located on Enghelab Street, has been severely damaged in air strikes conducted on Friday.

The adjacent Hamoon Theatre also sustained some damage.

Video: @Vahid

Location: 35.700812, 51.402163@GeoConfirmed pic.twitter.com/9sdOtHd2XN

— Shayan Sardarizadeh (@Shayan86) March 14, 2026

One destroyed police station identified by Bellingcat in the city of Mahabad in northwestern Iran led to apparent damage to an Iranian Red Crescent Society building located next door. According to Iran’s Tasnim News agency (an IRGC-affiliated media outlet sanctioned by the EU, the US and Canada), one Red Crescent employee was injured in the attack.

The police station adjacent to the Red Crescent building isn’t identified on any mapping services, though there are reports “Police Station 11” was targeted the same day.

Israel has also targeted checkpoints operated by Basij members.

Bellingcat examined two cases showing Israeli strikes on checkpoints while civilians were passing. In one video, a strike hits a checkpoint as five motorbikes and a vehicle go by.

In another IDF video, a yellow bus is immediately adjacent to the checkpoint when it is hit. It is unclear how many people were on the bus at the time of the strike or if anyone was injured.

According to the Open Source Munitions Portal (OSMP), Israeli drones commonly employ the Mikholit bomb. A variant of this bomb has 890 grams of explosives, an amount that creates hazardous fragmentation up to 104 meters away. 

“I have been watching the reporting on these Basij strikes and the use of the Mikholit in particular in open urban areas. It is IDF standard—using precision munitions and even sometimes “low collateral” munitions but in a reckless manner that still puts the civilian population at risk,” Wes J. Bryant, a defence and national security analyst formerly with the Pentagon’s Civilian Protection Center of Excellence told Bellingcat.

Questions Over Legality

International Humanitarian Law defines civilians as “persons who are not members of the armed forces”. Police officers fall under that definition, according to Adil Haque, Professor of Law at Rutgers University and Executive Editor at Just Security.  “As a rule, police are civilians and may not be attacked unless they take a direct part in hostilities,” Haque told Bellingcat. National security analyst Bryant agreed, adding that targeting police “does not stand up to legal scrutiny”.

In an email to Bellingcat, the IDF noted “that the police form part of Iran’s internal security apparatus, which also forms part of Iran’s armed forces, under Iran’s own domestic legislation. In every strike, the IDF takes feasible precautions in order to mitigate incidental harm to civilians and civilian objects to the extent possible under the circumstances.”

Police are indeed “part of the country’s armed forces. By that logic, anything with a flag on it is a legitimate target,” Ali Vaez, the director of International Crisis Group Iran Project, said.

Although Basij is a paramilitary group, any strikes against it would require precautions to minimise harm to civilians, Haque told Bellingcat. “Since the hostilities almost entirely involve aerial bombardment, the concrete and direct military advantage anticipated from strikes on Basij members who qualify as combatants is extremely low, so significant harm to nearby civilians would be disproportionate and illegal,” he said.

When asked about potential civilian casualties in the checkpoint strikes, the IDF told Bellingcat that since the Basij are subordinate to the IRGC and are therefore part of the armed forces, they are regarded as lawful military targets. Regarding the checkpoint strikes specifically, they stated “precision munitions and surveillance means were used in the strikes, as part of the precautions taken under the circumstances to mitigate expected incidental harm”.

Bellingcat reached out to US Central Command (CENTCOM) to ask if the US had any role in the police station strikes identified but received no official comment at the time of publication. 

The data collected so far for these sites can be found here.

---

Miguel Ramalho and Felix Matteo Lommerse contributed to this report.

Bellingcat is a non-profit and the ability to carry out our work is dependent on the kind support of individual donors. If you would like to support our work, you can do so here. You can also subscribe to our Patreon channel here. Subscribe to our Newsletter and follow us on Bluesky here, Instagram here, Reddit here and YouTube here.

The post “Make Iran Ungovernable” – Tracking Efforts To Destroy Iran’s Police Infrastructure appeared first on bellingcat.

The challenges of conducting open-source research in China are well-documented. Consistently named one of the most digitally oppressive countries in the world, China blocks some of the world’s largest social media platforms, such as Facebook, Google, and YouTube. Those that are still accessible are mostly Chinese-owned, strictly regulated and monitored in real time by AI systems as well as tens of thousands of “internet police”. 

But despite these strict controls, Chinese apps – which boast more than a billion estimated users – remain an information goldmine for investigative journalists covering stories both within and outside China.

Since most foreign sites are banned, Chinese platforms are the largest resource available to journalists and researchers interested in what’s going on in the world’s second-most populous country. Even when a topic is being censored, patterns in the censorship can themselves serve as investigative leads: a 2020 BuzzFeed News investigation, for example, mapped out detention camps in Xinjiang by examining areas that had been blanked out on China’s Baidu Maps.

With millions of Chinese people living overseas, social media activity by members of the diaspora can also turn into global stories.

Serial rapist Zou Zhenhao, a Chinese PhD student, was jailed in London last year after one of his victims posted a warning on Xiaohongshu, also known as Little Red Book or Rednote, an app popular with young Chinese women living abroad. Another woman Zou had raped reached out to the original poster, who put her in touch with the police – leading to the conviction of a man described by police as possibly one of the worst sexual predators in British history.

Founded in 2013 as a Hong Kong shopping guide, Xiaohongshu has evolved into a lifestyle and e-commerce platform that has been compared with Instagram, Pinterest and Amazon. Last year, it reported about 300 million monthly active users, rivalling some of China’s largest social media platforms.

The app’s 600 million daily searches by the end of 2024 also accounted for half of market leader Baidu’s search volume, demonstrating that it is emerging as a critical search and discovery engine, not just a social platform.

Although primarily a Chinese-language app, Xiaohongshu gained attention in the English-speaking world last year, when millions of American TikTok users flocked to the platform in anticipation of a TikTok ban under US President Donald Trump. 

Responding to the surge of international users – sparked by the #TikTokRefugees trend – Xiaohongshu rolled out an AI-powered translation feature, making the app more accessible to non-Chinese audiences. This also meant that journalists without Chinese language skills can more easily communicate on and navigate the platform.

Despite its growing popularity both within and outside China, the app is relatively new and underexplored compared to more well-established platforms such as Weibo. 

This guide aims to provide a starting point for those looking to explore Xiaohongshu for open-source investigations, including an overview of its main user demographics, potential topics to explore and strategic search methods specific to the app. 

User Demographics and Topics

According to Xiaohongshu’s official data, the platform’s demographic profile is mainly young, female and urban. As of 2024, 70 percent of its users were women, with half of all users belonging to Gen Z and living in China’s largest cities. 

As previously mentioned, the app has also gained popularity with the Chinese diaspora. Many Chinese nationals living abroad use it as a search engine for local information, posting and searching for content related to their daily lives, from restaurant recommendations and apartment hunting to navigating foreign bureaucracies and finding community resources. 

This demographic profile makes Xiaohongshu particularly well-suited for investigating stories about consumer fraud and urban livability issues. For example, Chinese outlets like Jiemian have used Xiaohongshu posts to expose the grey-market ecosystem of paid reviews and fake endorsements tied to the platform’s e-commerce model, while in 2022, International Financial News traced a mother-and-baby store scam that defrauded over 400 parents back to product recommendation posts on the platform.

Given its predominantly female user base, Xiaohongshu has also evolved into one of China’s most important spaces for feminist discourse and women’s issues. Academic researchers have used content on the platform to analyse local discussions on menstrual shaming, sexual harassment, and the controversial “divorce cooling-off period” introduced in 2021. As Rest of World reported, women have increasingly congregated on Xiaohongshu, where they outnumber male users and have found ways to trick the app’s recommendation algorithm so their posts are shown mostly to other women.

The Relevance of Censorship

Political content and current affairs about China are largely absent from the app – a result of both active censorship and platform design. 

All Chinese social media platforms, including Xiaohongshu, operate under strict content moderation requirements from the Cyberspace Administration of China. A leaked 143-page internal document published by China Digital Times in 2022 revealed how Xiaohongshu censors respond to government directives in “real-time”, blocking content related to politically sensitive topics such as criticism of the Chinese Communist Party, labour strikes and student suicides. Xiaohongshu’s commercial focus also makes it less likely that these topics would be discussed on the platform: as Rest of World reported, the platform functions less like Weibo – a public square for current events – and more like “a giant mall, where shoppers tell each other what to buy”.

Coverage of international affairs is also tightly controlled: only state-owned or state-controlled news organisations can obtain licences to publish original news content. However, content about life abroad, particularly stories about the cost of living, healthcare, or social problems in Western countries, circulates more freely on platforms including Xiaohongshu, and provide journalists with insight into how Chinese diaspora communities engage with local political systems. 

For example, when the 2025 Miss Finland was accused of making anti-Asian gestures, searching for “芬兰小姐” (Miss Finland) and “投诉” (complaint) on Xiaohongshu revealed a trove of collective action: users shared different complaint pathways, posted templates for filing reports, and documented various outcomes from their complaints. 

For such large-scale public events, Xiaohongshu can be both an organising platform and a rich source for tracking how diaspora communities coordinate responses to discrimination, providing journalists with insight into grassroots activism and transnational advocacy networks.

Getting Started

Xiaohongshu is available for download on both Apple’s App Store and Google Play worldwide, or can be accessed via a web browser. In international app stores, the app appears under the name “RedNote,” but this is the same application as Xiaohongshu – content and accounts are shared across both. The key difference is that RedNote users who register with overseas phone numbers are automatically tagged as international users, which affects the content the algorithm surfaces to them.

For users who download the app outside mainland China, Xiaohongshu automatically detects the device language and location. Upon first login, international users are prompted with an option to automatically translate all content into English (or their device language). If enabled, posts and comments will display with translations by default, and the algorithm will prioritise English-language content and posts created by or for international users, such as expat influencers.

For researchers and journalists seeking to observe the platform as Chinese users experience it, consider disabling automatic translation. This allows you to see content as it natively appears and helps you distinguish between posts created for international audiences versus those created for domestic users – a distinction that matters when assessing how representative your sample is for the relevant topic.

The default home feed, or the “Explore” tab, is where the algorithm surfaces content based on your engagement history, location and user profile. The feed uses a grid layout displaying post thumbnails with titles and like counts.

On the top right corner of the screen, the search bar also allows keyword searches across posts, users and topics. Results can be filtered by content type (e.g. notes, videos, users or products) and sorted by relevance or recency.

Using the Search Bar

Xiaohongshu’s search function is relatively basic. You can search by keywords and filter by time and location, but the options are general: time filters include “past day,” “past week,” or “past six months,” while location filters offer “same city” or “nearby”. 

For example, searching “Canada” returns posts tagged with that keyword, which you can then sort by recency or proximity. 

For breaking news events, try searching location names or names of individuals involved in the incident, filtering for the most recent posts to capture real-time reactions and on-the-ground accounts before they’re censored or deleted.

Xiaohongshu primarily uses algorithms to curate and push content through personalised feeds. For journalists using Xiaohongshu for investigative purposes, it can be useful to actively search for topics of interest to train your algorithm – the more you search and engage with specific content, the more relevant posts the algorithm will surface to you.

However, if you are researching the platform itself – studying what content Xiaohongshu promotes, how censorship operates, or what narratives dominate – you may want to start from a clean slate. In that case, consider periodically turning off personalised recommendations (Settings → Privacy Settings → Personalisation Options), clearing your browsing history, clearing cached data, or using a fresh account to observe what the platform shows to a “neutral” user.

Language and Lingo

During the influx of “TikTok refugees” in January 2025, Xiaohongshu launched a translation feature for users outside mainland China, enabling the automatic translation of comments and posts. 

However, this does not translate search queries. The platform’s search engine is still optimised for Chinese, though there is a “prioritise English” filter for overseas users, and searching in English will return some results.

But the language you search in shapes far more than just your results – it determines which version of the platform you see. When you search in English or use an international account, the algorithm treats you as a foreign user and surfaces content accordingly: influencers explaining why they love living in China, comparisons showing Chinese life favourably against the West. 

This isn’t a neutral cross-section of the platform – it is a curated bubble. To access what Chinese users actually discuss among themselves, it would be more effective to search in simplified Chinese and, ideally, use a China-registered account if you have access to one. If you don’t read Chinese, you can also consider using a translation tool (Google Translate, DeepL, or an AI assistant) to convert your search terms into simplified Chinese before entering them.

Despite such tools and the in-app translation feature, it is always useful when researching using Chinese platforms to work with a native speaker familiar with the local context. They can flag when an innocuous-seeming term actually carries hidden meaning, and help identify coded conversations about a censored topic.

On Xiaohongshu specifically, this coded language extends beyond political topics to include anything the platform’s algorithm might flag as “vulgar” or promotional. For example, users substitute fruits and neutral terms for body parts or sexual content to avoid being flagged as inappropriate – the peach emoji for buttocks, or 炒菜 (“cooking”) for explicit material. They may also use abbreviations and emojis for commercial terms to evade anti-marketing filters, such as “vx” (the abbreviation of how WeChat is pronounced in Chinese) or “绿” (“plus green”, apparently referring to WeChat’s green logo) for WeChat, or “米” (rice) or the moneybag emoji for money.

Advanced Search Strategies

For more sophisticated searching, consider using third-party marketing analytics tools like Xinhong and Qiangu, which can show trending topics, popular posts and engagement metrics, as well as identify key content creators posting about specific subjects. 

For example, on Xinhong, when you search for “Canada” in Chinese, it also shows show trending related searches such as “加拿大总理” (Canadian Prime Minister). Clicking through these suggestions leads to recent posts—for example, posts about Mark Carney’s latest statements at Davos, along with user comments and reactions.

While these tools are designed for marketers, they provide journalists with valuable capabilities: tracking how topics evolve, identifying influential voices in specific communities, and discovering related hashtags or discussions that might not surface through basic platform search. These tools often require paid subscriptions but can significantly enhance research efficiency for long-term investigations.

Another valuable feature is Xiaohongshu’s group chat function, where users gather around shared keywords and topics—from city-specific communities to niche interests. These groups are often highly active and provide access to candid community discussions that don’t appear in public posts. To find relevant groups, go to Messages → Group Square, where you can browse categories or search by keyword and request to join.

Monitoring active group chats related to relevant topics, whether that’s a specific city, industry, or issue, can help journalists and researchers stay updated on emerging issues and detect potential story leads before they become widely visible on public feeds.

Preserving the Evidence

Chinese social media content can disappear quickly and without warning due to censorship, making immediate preservation critical. 

Always take two preservation steps immediately upon discovering relevant content:

First, screenshot the entire post, including the URL, timestamp, username, like/comment counts, and location tags. These metrics establish context and authenticity. Use tools that capture full-page screenshots rather than just visible portions, as posts can be long and comments extensive. Second, archive the web page using services like archive.today or Wayback Machine. Note that these services capture only static content – comments and engagement metrics may not be fully preserved and should be screenshotted separately.

For Xiaohongshu specifically, always preserve the user’s unique ID found in their profile URL when viewed on a browser, which follows the format “user/profile/[unique ID]”. Users can change their display names, but this unique identifier remains constant, allowing you to track accounts over time even after name changes. This is critical for long-term investigations or when monitoring specific sources.

Xiaohongshu operates under the same legal and censorship constraints as all Chinese social media platforms, and researchers should approach it with appropriate caution. Content moderation is extensive: users who post about sensitive subjects risk having their content removed or their accounts suspended, and the platform is required to comply with government data requests. For researchers, this means the information you find represents only what has survived the censorship process.

That said, Xiaohongshu remains a remarkably rich resource for open-source research. Its strength lies precisely in its apolitical, lifestyle-oriented identity: while political discussion is suppressed, candid conversations about everyday life flourish. For journalists willing to invest in learning the platform’s rhythms, building Chinese-language search skills, and understanding its coded vocabularies, Xiaohongshu offers a window into how ordinary Chinese people talk among themselves – an area that remains largely untapped by international media.

---

Bellingcat is a non-profit and the ability to carry out our work is dependent on the kind support of individual donors. If you would like to support our work, you can do so here. You can also subscribe to our Patreon channel here. Subscribe to our Newsletter and follow us on Bluesky here, Instagram here, Reddit here and YouTube here.

The post Mining China’s ‘Little Red Book’ for Open Source Gold appeared first on bellingcat.

This article is the result of a collaboration with Indian media outlet Newslaundry. You can find Newslaundry’s editorially independent coverage here.

Indian companies have shipped more than 320 million synthetic opioid pills to West Africa – where they have not been approved by regulators – over the past three years, a Bellingcat investigation has found.

Export records from trade data provider 52wmb show that more than 1,400 consignments of tapentadol worth almost USD $130 million were sent from India to West Africa between January 2023 and December 2025.

Tapentadol, a painkiller two to three times more potent than tramadol, has not been approved for use in most West African countries, where some nations are grappling with an escalating opioid abuse epidemic.

However, this investigation shows that dozens of Indian suppliers have flooded the region with tapentadol over the past three years. Where dosages were listed, more than half the pills were in powerful strengths of 200mg or more – dosages that are not even approved in India.

The exports, cross-checked against records provided by trade data aggregator ImportGenius, show most tapentadol pills sent between 2023 and 2025 had the coastal nations of Sierra Leone and Ghana listed as their declared destinations.

The two West African countries were collectively marked as the destination for more than 80 per cent of the total value of tapentadol sent to the region.

Experts have documented how drug traffickers adapt quickly to international regulations and law enforcement efforts. In 2018, India tightened export controls around the opioid tramadol, one of the most trafficked synthetic drugs to West Africa.

In 2021, the International Narcotics Control Board (INCB) said large-scale tapentadol trafficking had been identified, particularly in consignments destined for Africa. It had previously noted that India’s strengthened tramadol controls could lead traffickers to substitute the drug with other potent synthetic opioids.

A BBC investigation last year revealed that Indian company Aveo Pharmaceuticals was illegally exporting tablets containing a mix of tapentadol and the muscle relaxant carisoprodol to West Africa. This led India’s drug regulator, the Central Drugs Standard Control Organisation (CDSCO), to ban the manufacture and export of all combinations of the two drugs.

Bellingcat’s investigation, in collaboration with Indian publishing partner Newslaundry, reveals that the supply of tapentadol pills from India to West Africa has surged in recent years.

Export data from 52wmb shows the value of tapentadol sent to the region has risen from about USD $27 million in the three year period from 2020 to 2022, to almost USD $130 million from 2023 to 2025.

Julius Maada Bio, Sierra Leone’s president, in 2024 declared a national emergency over rampant drug abuse and branded kush – a toxic blend of psychoactive substances including cannabis and synthetic opioids – a “death trap”.

Authorities in Sierra Leone have intercepted illegal tapentadol, including last July when the National Revenue Authority (NRA) said it thwarted a smuggling operation near its north-west border with Guinea.

The NRA and other agencies including the Transnational Organised Crime Unit, National Drug Law Enforcement Agency, and the Pharmacy Board of Sierra Leone did not respond to Bellingcat’s requests for comment.

Ghana’s Narcotics Control Commission (NACOC) said the illegal importation of tapentadol was first recorded in 2022 after international efforts to curb the tramadol crisis resulted in criminal networks shifting production to other pharmaceutical opioids including tapentadol, tafrodol and carisoprodol.

The agency has recorded a “steady rise” in tapentadol trafficking over the past three years, with authorities seizing more than 3.7 million tablets (250mg strength). Most were traced back to India, it said.

“NACOC investigations confirm that the bulk of tapentadol is trafficked into Ghana through seaports and by air, via express courier services,” a spokesperson said. “At the ports, the drug is concealed in containerized cargo falsely declared as pharmaceuticals, electrical materials or household goods. Express courier services are used for smaller, high-value quantities, often packed alongside legitimate consignments to avoid detection.”

NACOC said Ghana had emerged as both a destination and transit hub for tapentadol, with the majority of intercepted consignments bound for Niger, Mali, Burkina Faso and Nigeria. When sold domestically, it said the street drug was promoted as a tramadol substitute.

Ghana’s Food and Drugs Authority (FDA) said last year that the abuse of pharmaceutical opioids such as tapentadol — commonly known on the street as “Red” — was on the rise.

The FDA told Bellingcat it had “never issued any permit” for the manufacture or importation of tapentadol, in any strength, to any importer or to any country. It said any tapentadol shipments to Ghana were for “trans-shipment to neighbouring country”.

Import data for Ghana shows that no tapentadol entered the country between 2023 and 2025, which supports NACOC’s position that the drugs are being concealed and falsely declared. Import data for Sierra Leone was not available through 52wmb.

India’s drug and pharmaceutical exports have grown to more than $30 billion a year, according to the Pharmaceuticals Export Promotion Council of India (Pharmexcil), a division of the ministry of commerce and industry.

While tapentadol is available in India on prescription in strengths of up to 100mg (immediate release) and 200mg (extended release), authorities are aware of its risk of misuse. Last year, the Indian drug regulator’s Technical Advisory Board said the Department of Revenue may be requested to schedule the painkiller under the Narcotic Drugs and Psychotropic Substances Act, which would tighten rules around its export.

To export pharmaceutical products at strengths that are not approved in India, exporters are required to obtain an export “no objection certificate” (NOC) from the CDSCO, for which they have to submit proof of the drug’s approval in the importing country. Publicly available information shows tapentadol is not approved for use in any of the West African nations identified as part of this investigation.

The CDSCO did not respond to questions from Bellingcat or our publishing partner, Newslaundry.

In response to “Right to Information” requests submitted by Newslaundry, the CDSCO said only two companies had been granted authorisation to manufacture tapentadol for export between 2019 and 2024. However, the trade data analysed by Bellingcat did not list either company as an exporter of tapentadol to West Africa.

The CDSCO also said it had issued export NOCs for tapentadol to 51 companies since 2024, but that these were not for export to West African countries.

Meanwhile, Bellingcat’s analysis of trade data shows that more than 60 Indian suppliers have exported tapentadol to West Africa since 2023. The exporters are mostly pharmaceutical companies but also include smaller operations, such as one company owned by a Nigerian man who sent more than US $4 million of tapentadol to Niger and Ghana.

Dinesh Thakur, co-author of the book Truth Pill, told Newslaundry there were gaps in India’s drug regulatory framework that made it possible for potentially unsafe medicines to be manufactured and exported without proper oversight.

“There is no regulatory framework which checks a genuine importer and counterfeit importer between countries,” said Thakur, a former pharmaceutical executive who now works as a public health activist.

Mohammed Adinoyi Usman, a consultant anaesthetist at Rasheed Shekoni Federal University Teaching Hospital in Nigeria, said tackling Africa’s opioid crisis was complicated by a lack of resources across the region, weak government responses, and inaction by law enforcement agencies.

He said more collaboration and intelligence sharing was needed, especially across West African countries, to combat the problem. “We see so many opioids coming into our region because of a range of factors including under-funded institutions like customs and drug agencies, weak border controls and corruption,” he said.

“Africa is different. Even southern Africa is different from western Africa – each region has its peculiarities. In Nigeria, we don’t have well-functioning institutions to help control it. But our government is trying.”

Dr Usman said access to prescription opioids in Africa was inadequate, and pointed to research showing the disparity in distribution of legal opioids to low-income countries compared to high-income nations that consume the bulk of the world’s pain relief medication. He said opioid abuse was linked to crime and negative health outcomes.

“Sadly, access to prescription opioids is very limited in Africa,” Dr Usman said, “but the costs of illegal use are high.”

---

Bellingcat is a non-profit and the ability to carry out our work is dependent on the kind support of individual donors. If you would like to support our work, you can do so here. You can also subscribe to our Patreon channel here. Subscribe to our Newsletter and follow us on Bluesky here, Instagram here, Reddit here and YouTube here.

The post Painkiller Pipeline: 300 Million Tapentadol Pills Sent from India to West Africa appeared first on bellingcat.

Almost 800 Hungarian government email addresses and associated passwords are circulating online, revealing basic vulnerabilities in the security protocols of ministries involved in classified and sensitive work.

A Bellingcat analysis of breach data shows that 12 out of the government’s 13 ministries have been affected, which in some cases have exposed the confidential information of military personnel and civil servants posted abroad. 

Among those affected were a senior military officer responsible for information security, a counter terrorism coordinator in the foreign affairs department, and an employee whose role was to identify hybrid threats against the country.

The revelations come as Hungarians head to the polls this Sunday to decide if Viktor Orbán, leader of the right-wing populist party Fidesz and the country’s longest-serving prime minister, will be elected to a fifth consecutive term.

This is not the first time that deficiencies in the Hungarian government’s IT security have been revealed. In 2022, ahead of Hungary’s last election, Direkt36 reported that Russia’s intelligence services had gained access to the computer network of the Hungarian foreign ministry, including its internal communications channels.

It said Russian cyber attacks against the Hungarian government had been occurring for at least a decade and extended to the foreign ministry’s encrypted network for transmitting classified data and confidential diplomatic documents.

At the time, the foreign ministry denied it had been hacked. But in 2024, news outlet 444 published a letter that had been sent from Hungary’s National Security Service to the foreign ministry six months before the cyberattack was first reported. The letter linked the attacks to Russia and described more than 4,000 workstations and 930 servers as “unreliable”.

As part of this new analysis, Bellingcat identified a total of 795 unique email and password combinations among thousands of search results for Hungarian government domains in breach databases. Key departments that handle the country’s governance, defence, foreign affairs and finances were the worst affected.

The analysis does not include central government agencies that operate under the government’s official ministries and use separate domains, such as the tax and customs administration or the police – meaning breaches affecting government employees could be even more widespread.

The findings are not evidence of high-tech infiltration of Hungarian government systems. Instead, our analysis indicates that the breaches are more likely the result of poor digital hygiene. In many cases, staff used simple passwords along with their government email addresses for what appear to be non-work-related matters, such as signing up to dating, music, sport and food websites.

Some government workers used easy-to-guess passwords such as variations of the word “Password” or the number sequence “1234567”. One employee whose credentials were exposed in the 2012 LinkedIn hack used the password “linkedinlinkedin”. Another, in the defence ministry, used their surname. One leaked password from an employee in the foreign affairs ministry was “embassy13hungary”. 

Multiple breaches also contained phone numbers, addresses, dates of birth, usernames and IP addresses – data that, when exposed, could pose security risks.  

Additionally, a search of breach databases showed instances where computers have been infected with malware designed to steal login credentials. These records show that 97 machines across Hungarian government departments had been compromised, with stealer logs from as recently as last month found in the data.

Bellingcat contacted the Hungarian government’s spokesperson and the Prime Minister’s office, but did not receive a response.

The Weakest Link: Searching Breach Data

Breach databases are large collections of credentials harvested from previous cyber incidents. These databases can be searched by domain to identify email addresses belonging to a specific organisation, company or government. 

Bellingcat used Darkside, a paid service by District 4 Labs, to search the main email domains assigned to each of the Hungarian government’s 13 ministries. 

In total, 795 breaches containing government emails and associated passwords were identified. But most – 641 breaches – were linked to just four central institutions. 

In the examples detailed below, staff have been anonymised. However, Bellingcat has confirmed these accounts are genuine by cross-checking the employees named in the breaches against media reports and online profiles, such as LinkedIn.  

Ministry of Interior – this “super-ministry” oversees everything from health and education to the police, immigration, disaster management and local government 

Bellingcat identified 170 sets of emails and passwords linked to the domain used by the ministry in charge of domestic affairs. Passwords used by staff in this department included “Arsenal” and “Paprika”. Some used passwords that contained only three or four letters. We traced these accounts to professional profiles and government web pages listing both junior and senior staff.

One senior official in the prison service used the password “adolf”. After it appeared in breach databases the password was changed twice – first to a five-digit number and then to what appeared to be the name for a pet dog. The passwords were subsequently breached again. Bellingcat identified this employee through several instances of their name and email address being listed on public-facing documentation, including a press release celebrating an award for outstanding professional work.  

Ministry of Defence – responsible for national defence policy and directing the country’s defence forces

The credentials of staff working for the Ministry of Defence were found in 120 compromised records. This includes a 2023 breach of NATO’s eLearning services which resulted in 42 records containing emails, passwords and phone numbers becoming public.

The breaches peaked in 2021 but continued up to 2026. Included in the data were stealer logs, indicating that machines within the department may have been infected. 

Military personnel from junior ranks to command positions were identified. A Brigadier General used a common six letter nickname, based on his own, to sign up to a film festival. A Colonel specialising in “information security” took inspiration from an English football manager for his password: “FrankLampard”. A district director used the password “123456aA”, while a high-ranking member of Hungary’s delegation to NATO used a password that translates in English to “cute”. 

Ministry of Foreign Affairs and Trade – responsible for international relations, Hungarian embassies and consulates operate under the direction of the department

The credentials of current and former foreign affairs personnel have been exposed in dozens of data breaches from 2011 to February 2026. In total, there were 107 email and password combinations linked to this government ministry. 

Among the staff affected was a deputy head of mission, consuls, diplomats and communications personnel posted in Europe, the Americas and the Middle East. These include a counter terrorism coordinator, an EU spokesperson, and an individual whose role was to identify hybrid threats to Hungary.

Although the breaches peaked in 2020, with emails being found in 42 separate breaches indexed by Darkside, MFA emails have been circulated, often with passwords, in 36 separate breaches since the beginning of 2024. The most recent breaches were in 2026.  

Simple passwords appear to have left Hungary’s foreign affairs ministry vulnerable. In some cases, employees used a password that consisted of their own name and a two digit number. Others appeared to take inspiration from pop culture: “porsche911”, “frogger” and “Batman2013” are examples of real passwords used by staff.

Ministry of National Economy – oversees economic policy and financial strategy, including budget preparation and reducing national debt

Bellingcat’s analysis shows that staff in the Ministry for National Economy suffered 99 breaches. The Ministry of Finance, which was merged into this department in 2025, had suffered 145 breaches.

Among the breached data were the credentials of a deputy state secretary, who used the password “snoopy”. Other staff members used their date of birth or the word “Jelszo” – the Hungarian word for password.

A senior advisor who currently works in the ministry had their credentials breached four times using four different passwords, including “Kurvaanyad1” (roughly translated to “your mother is a wh**e”).

Cybersecurity Not Taken Seriously

Szabolcs Dull, a political analyst and the former editor-in-chief of the independent Hungarian news websites Index and Telex, said the government had failed to prioritise data security. 

“It’s clear from the data breaches that have come to light that government agencies did not take data security seriously,” he said. 

“This suspicion arose even when Russian hackers breached the foreign ministry’s IT system. That is why I believe Hungarian politicians and the public will interpret this new information as a continuation and confirmation of the Russian hacking story.”

Dull added that he was not aware of any investigation having been launched following the 2022 revelations of the Russian hack.

Kata Kincső Bárdos, a cybersecurity expert in Hungary, said it was difficult to understand why stricter controls would not be consistently enforced in government environments handling sensitive data.

She said governments should not only apply baseline rules for passwords – such as that staff use long, unique passwords and multi-factor authentication (MFA) – but also continuously monitor for compromised credentials and suspicious access patterns.

“Without MFA, systems become significantly more vulnerable to common attack methods such as phishing and credential stuffing,” she said. “A single compromised password can provide immediate access to internal systems.” 

Bárdos added that unauthorised access to government systems should automatically trigger incident response procedures, investigation and containment measures.

“It is also important to note that targeting lower-level employees is a well-documented and common tactic,” she said. “Attackers frequently gain initial access through phishing or weak credentials and then move laterally within systems.”

---

Bellingcat’s Ross Higgins and investigative journalist Eva Vajda contributed to this article.

Bellingcat is a non-profit and the ability to carry out our work is dependent on the kind support of individual donors. If you would like to support our work, you can do so here. You can also subscribe to our Patreon channel here. Subscribe to our Newsletter and follow us on Bluesky here, Instagram here, Reddit here and YouTube here.

The post ‘Snoopy’, ‘Adolf’ and ‘Password’: The Hungarian Government Passwords Exposed Online appeared first on bellingcat.

Access to open source visuals of the current Iran conflict, which has spread to many parts of the Middle East, continues to be sporadic. Videos and photos from within Iran trickle out on social media as the Iranian internet blackout hinders the flow of digital communication. 

In past conflicts, satellite imagery has provided a vital overview of potential damage to both military and civilian infrastructure, especially when there are digital black spots or obstacles to on-the-ground reporting. But imagery from commercial providers is becoming increasingly restricted, leaving even those who have access to the most expensive imagery in the dark. 

Shortly after the war in Gaza began in 2023, Bellingcat introduced a free tool authored by University College London lecturer and Bellingcat contributor, Ollie Ballinger, that was able to estimate the number of damaged buildings in a given area. This helped monitor and map the scale of destruction across the territory as Israel’s military operation progressed. 

Bellingcat is now introducing an updated version of the open source tool — called the Iran Conflict Damage Proxy Map — focused on destruction in Iran and the wider Gulf region. 

It can be accessed here.

How it Works

The tool works by conducting a statistical test on Synthetic Aperture Radar (SAR) imagery captured by the Sentinel-1 satellite which is part of the Copernicus mission developed and operated by the European Space Agency. SAR sends pulses of microwaves at the earth’s surface and uses their echo to capture textural information about what it detects. 

The SAR data for the geographic area covered by the tool is put through the Pixel-Wise T-Test (PWTT) damage detection algorithm, which was also developed by Ollie Ballinger. It takes a reference period of one year’s worth of SAR imagery before the onset of the war and calculates a “normal” range within which 99% of the observations fall. It then conducts the same process for imagery in an inference period following the onset of the war, and compares it to the reference period. The core idea is that if a building has become damaged since the beginning of the war, then the “echo” (called backscatter) from that pixel will be consistently outside of the normal range of values for that particular area. Investigators can then further probe potential damage around this highlighted area.

The plot below shows how the process was applied to Gaza and several Syrian, Iraqi and Ukrainian cities. The bars represent the weekly total number of clashes in each place, sourced from the Armed Conflict Location Event (ACLED) dataset. The pre-war reference periods are shaded in blue, spanning one year before the onset of each conflict. The one month inference periods after the respective conflicts  began are shaded in orange. The blue and orange areas are what the tool compares. 

The plot below shows an area with a number of warehouses in Tehran’s southwest. Some of the buildings show clear damage in optical Sentinel-2 imagery (something that has to be accessed outside of the tool via the Copernicus Browser). 

Clicking on the map within the tool generates a chart displaying that pixel’s historical backscatter; the red dotted lines denote a range within which 99% of the pre-war backscatter values fall. In this example, we can see that from March 14 onwards, the backscatter values over this warehouse begin to consistently fall outside of their historical normal range. This could signal that damage has been detected in the area.

Two important aspects of this workflow are that it utilises free and fully open access satellite data, as opposed to commercial satellite services; the second is that it overcomes some key limitations of AI in this domain, the most serious of which is called overfitting. This is where a model trained in one area is deployed in a new unseen area, and fails to generalise. Because we’re only ever comparing each pixel against its own historical baseline, we don’t run into that problem. 

Accuracy

The PWTT has been published in a scientific journal after two years of review.  Its accuracy was  assessed using an original dataset of over two million building footprints labeled by the United Nations, spanning 30 cities across Gaza, Ukraine, Sudan, Syria, and Iraq. Despite being simple and lightweight, the algorithm has been recorded achieving building-level accuracy statistics (AUC=0.87 in the full sample) rivaling state of the art methods that use deep learning and high resolution imagery. The plot below compares building-level predictions from the PWTT against the UN damage annotations in Hostomel, Ukraine. True positives (PWTT and United Nations agree on damage) are shown in red, true negatives are shown in green, false positives in orange, and false negatives in purple. The graphic shows the accuracy of the tool, while also emphasising that further checks on what it highlights should be conducted to draw full conclusions.  

It is important to note that just because the tool may show a high probability of a building or buildings being damaged or destroyed, that doesn’t make it definite. 

It is best to check with any other available imagery — either open source photos and videos that’ve been geolocated by a group such as Geoconfirmed or Sentinel-2 as well as other commercial satellite imagery if it’s up-to-date for the area. At time of publication, Sentinel-2 satellite imagery still offers coverage over the area that the tool focuses on. Other commercial satellite imagery providers have limited their coverage.

What the tool excels at is highlighting and narrowing down areas so that further corroboration or further confirmation can be sought.

Testing the Tool

Using the Iran Conflict Damage Proxy Map, we can spot some of the larger areas of potential damage or destruction that have occurred since the Iran war started. 

Starting from a zoomed-out view of Tehran, there are a few spots that appear with large clusters of high damage probability. Cross-referencing these locations with open source map data from platforms like OpenStreetMap or Wikimapia, we can start finding sites that would make for likely targets – such as military sites.

One example of a potentially damaged site visible in the tool is the Valiasr Barracks in central Tehran, which was struck in the first week of the war. By going to the Copernicus Browser and reviewing the area with optical Sentinel-2 imagery, we can see clear indications of damage at the barracks.

IRGC Valiasr Barracks in Tehran:

A large Islamic Revolutionary Guard Corps (IRGC) compound near Isfahan is another example of military infrastructure that is readily visible in both the Iran Conflict Damage Proxy Map as well as Sentinel-2 imagery. 

IRGC Ashura Garrison in Isfahan:

Air bases have also been a frequent target for U.S.-Israeli strikes in Iran. The Fath Air Base just outside of Tehran, near the city of Karaj, shows the signature of potential damage when using the tool. Checking Sentinel-2 imagery shows damage to multiple large buildings on the northern side of the base.

Fath Air Base in Karaj:

The U.S. has stated that destroying Iran’s “defense industrial base” is also a goal, which makes large areas like the Khojir missile production complex east of Tehran a good location to search with this tool. The tool suggests large clusters of damage on both the eastern and western sides of the complex — near areas where solid propellant is reportedly produced and where other fuel components are reportedly made.

Khojir Missile Production Complex outside of Tehran:

Usage in the Gulf Region

While useful for providing a sense of damaged areas in Iran, the Iran Conflict Damage Proxy Map can also be used to see damage outside of Iran, particularly at sites in the region which Iran has been targeting with drones and missiles.

In the below example at Al Udeid Air Base in Qatar, which hosts U.S. Central Command’s Combined Air Operations Center, there is a notable indication of damage over a warehouse-like building at 25.115647, 51.333125. Checking the same location in Sentinel-2 imagery shows that there does appear to be damage at that warehouse — represented by a large blackened area on the white roof. According to Qatar’s Ministry of Defense, at least one Iranian ballistic missile struck the base in early March.

Al Udeid Air Base in Qatar:

Civilian sites struck by Iranian drones or missiles are also visible in the tool — though the damage has to be fairly large in order to be picked up. Something like damage to the sides of high rise buildings from an Iranian drone attack doesn’t readily appear in the tool. Sites that do appear are places like oil refineries, such as a fuel tank at Fujairah port in the United Arab Emirates. 

Fuel tanks at Fujairah Port, UAE:

Accessing the Tool

It’s important to keep in mind that the data for the Iran Conflict Damage Proxy Map is updated approximately one or two times per week as new satellite data is collected by the Sentinel-1 satellite, so it’s not meant to be a representation of real-time damage to buildings. 

Still, it can be useful for researchers to quickly gain an overview of damage throughout Iran and the Gulf where suspected strikes may have taken place and when there is no other open source information available.

You can access the Iran Conflict Damage Proxy Map here.

Similar tools using the same methodology to assess damage in Ukraine following Russia’s full-scale invasion and Turkey following the 2023 earthquake can be found here. The Gaza Damage Proxy Map can be found here. 

---

Bellingcat’s Logan Williams contributed to this report.

This article was updated on April 7, 2026, to note that Sentinel-1 and Sentinel-2 are part of the Copernicus mission developed and operated by the European Space Agency.

Bellingcat is a non-profit and the ability to carry out our work is dependent on the kind support of individual donors. If you would like to support our work, you can do so here. You can also subscribe to our Patreon channel here. Subscribe to our Newsletter and follow us on Bluesky here, Instagram here, Reddit here and YouTube here.

The post When Satellite Imagery Goes Dark: New Tool Shows Damage in Iran and the Gulf appeared first on bellingcat.

Bellingcat has identified several high-profile incidents where authorities in the United Arab Emirates have downplayed damage, mischaracterised interceptions and in some instances not acknowledged successful Iranian drone strikes on the country.

A review of official statements shows that the public account does not always align with what can be observed through open sources. This comes as the UAE faces sustained aerial attacks on civilian and economic infrastructure, challenging its image as a secure global hub for business and tourism. Hours after the United States and Israel launched coordinated attacks on Iran on Feb. 28, the Islamic Republic responded by launching an attack against US-allies in the region including the UAE. 

In the wake of the attacks, the UAE’s attorney general warned that publication of images or videos of strikes was illegal. People were also encouraged to report anyone sharing photos or videos of the strikes to authorities. 

The country’s attorney general has ordered the arrest of 35 people and said they would face an expedited trial for “publishing video clips on social media platforms containing misleading, fabricated content and content that harmed defence measures and glorified acts of military aggression against UAE.” Separately police in Abu Dhabi reported they had arrested just over 100 people on suspicion of filming incidents related to Iran’s attacks on the UAE and sharing misleading information online.

Bellingcat contacted the Dubai Media Office, the Fujairah Media Office as well as the UAE’s Ministry of Defence to understand how statements are put out and how distinctions are made between successful drone strikes and damage caused by debris. We did not receive a response by the time of publication.

“Spreading Rumours is a Crime”

During the first days of the conflict several videos were posted on social media, primarily on X, TikTok and Telegram showing footage of Iranian attacks and interceptions across the UAE. 

Around the same time the Dubai Media Office, the X account of the Government of Dubai’s press office, warned followers that legal action would be taken against those sharing “unverified material”.

 The X account of the Dubai Media Office has more than 2.3 million followers making it one of the largest state-run accounts in the country. 

“The public and media are urged to rely solely on official sources for accurate information and refrain from sharing unverified material,” the account posted.

Dubai Police issued similar warnings on social media, stating that sharing content that contradicts official announcements could lead to imprisonment of at least two years and fines of no less than 200,000 dirhams (approximately $55,000).

Despite authorities urging the public to rely on official sources only, Bellingcat found that some of the videos posted online as well as satellite imagery from the region contradicts a number of official accounts of high-profile attacks. For this piece we have only included links to videos that have already been widely published in mainstream news outlets, posted by professional journalists, or have been widely viewed on social media.

Successful Interceptions?

On March 3, a video filmed from a vessel appears to show a drone striking the port of Fujairah, one of the UAE’s most strategically important energy hubs. The port handles roughly 1.7 million barrels of oil per day and is among the world’s largest.

The drone appears to approach its target intact, with no visible sign of interception, Sam Lair, a researcher at James Martin Center for Nonproliferation Studies, told Bellingcat. 

Moments after it descends behind storage tanks, an explosion is heard and a large plume of smoke rises from the site.

On the same day, the Fujairah Media Office stated that a fire resulted from debris following a successful interception, adding that the fire had been brought under control. Satellite images captured on March 4 and 5 show thick black smoke rising from the site. NASA FIRMS data also detected fires on March 3, March 4 and March 5. By March 7, satellite imagery shows at least three storage tanks fully destroyed (25.184565, 56.345481).

Detained in Dubai, a group that provides legal advice to people detained in the UAE, said that a Vietnamese national who filmed the strike on Fujairah port had been detained by authorities after posting the footage online. 

Authorities made a similar report on March 1, stating that a fire at one of the berths of Jebel Ali Port was caused by debris from an aerial interception. Satellite imagery from the same day shows fires at two separate locations – approximately 3 km apart – within the port. One appears to be a central facility associated with fuel handling operations, connected via pipelines to surrounding storage tanks (25.00704, 55.07499). The other is a large structure (24.97953, 55.05204) in the military area of the port, which is one of the US Navy’s busiest ports in the Middle East. The New York Times previously identified an Iranian strike as the cause of the fire at the site. 

Burj Al Arab: A “Limited” Fire

Damage at Dubai’s Burj Al Arab Hotel was attributed by the Dubai Media Office to “shrapnel” from an intercepted drone and described as a “limited” fire. However, footage shows the fire extended to approximately 30 metres in height, covering approximately eight floors of the building, suggesting a far more significant incident than officially described.  

Lair told Bellingcat that the damage appeared more consistent with a direct impact. He added that if the damage had resulted from an interception it would have occurred irresponsibly close to the building.

Fairmont The Palm: Omission of Cause

On Feb. 28, the Fairmont hotel in Dubai’s Palm Jumeirah area was struck by a drone, as shown in footage verified by Bellingcat.

However the Dubai Media office did not confirm a strike took place, instead they stated  only that an “incident occurred in a building in the Palm Jumeirah area,” and urged the public not to share footage.

One video of the fire was shared by a Dubai-based Bloomberg journalist. In the replies to the journalist’s post, multiple users tagged the Dubai Police, a pattern seen across posts documenting the strikes, in an apparent effort to flag violations of the cyber-crime laws to authorities.  

The aftermath of the strike was also captured by a content-creator who has since left the UAE. 

Radha Stirling, founder of Detained in Dubai, told Bellingcat at least five people have been confirmed by the British embassy to have been charged and detained under the UAE’s cybercrime law in connection with documenting this strike. According to Stirling, authorities have sought access to individuals’ phones following incidents to determine whether they filmed or shared footage.

“Even just taking a photo is illegal, it’s illegal to share content that the government deems negative, even in a private message,” Stirling said.

Dubai International Airport: An Unacknowledged Strike

On March 7, the Dubai Media Office announced the temporary suspension of operations at Dubai International Airport, stating only that a situation was being handled under safety protocols. 

Footage that emerged online around the same time, and was verified by Bellingcat, shows a drone strike next to an airport terminal building (25.24165, 55.37498).

Stirling told Bellingcat that she has been in contact with a cabin crew member who was detained after sending an image to colleagues of Dubai airport after an explosion. 

Warda Complex: A Direct Hit

On March 1, a drone struck a residential apartment on the 19th floor of the Warda complex in Dubai (25.004320, 55.293164). Two videos filmed from different angles show the drone hitting the building directly, with no visible sign of interception. In one clip, filmed inside the apartment, a British resident says: “We’ve just been hit by a drone… I didn’t even finish my cup of tea.”

The footage shows relatively limited damage and no explosion, indicating the drone did not detonate. However, the incident appears to show a direct hit by an Iranian drone.

In contrast, statements published the same day by the Dubai Media Office describe air defence activity and attribute sounds heard across the emirate to successful interception operations. Bellingcat was unable to find any acknowledgement of a direct hit in UAE media.

These cases point to a gap between official accounts and observable evidence, raising questions about how incidents are being presented to the public.

Influencers and Narrative Control

At the same time, pro-government messaging has proliferated online. A number of near-identical videos posted by influencers promoting the UAE’s safety and leadership appeared, often using the format: “You live in Dubai, aren’t you scared?” followed by images of UAE leaders and the response: “No, because I know who protects us.” 

Analysis by the BBC found that some of these videos were uploaded within seconds of each other, suggesting coordinated activity.

Stirling told Bellingcat that influencers in the UAE, who require licences to operate, are often paid to promote official narratives. “They are seen as an asset,” she said, describing them as “almost an extension of the government.”

As of April 1, UAE media reported that a total of 12 people had been killed and 190 injured by strikes since the beginning of the war.  

“People are dying. It’s not as safe as the government is reporting. It’s not as safe as influencers are reporting. It’s like a dream narrative that you wish was true.” Stirling said.

Bellingcat also identified a number of incidents in which authorities reported deaths or injuries caused by “debris” following “successful interceptions”. In these cases, however, we were unable to identify supporting photo, video, or other independently verifiable evidence to corroborate the official account.

Notably, fewer videos of such incidents appear to have emerged online in recent weeks, likely as public awareness of detentions under the cyber-criminality law has increased.

Jonathan Dagher, head of the Middle East desk at Reporters Without Borders told Bellingcat that the UAE government was using the Iran war to further restrict independent reporting in the country. 

“When the conflict began, the government stepped up this repression, explicitly prohibiting the public (including journalists) from publishing photos or information related to the strikes, and encouraging the public to report on such incidents.”  

He added that legitimate concerns about national security should not infringe on the public’s right to information. 

“Broad and loosely worded bans on covering events, in the name of security, violate this right and expose journalists to arrest and violence.”

Bellingcat contacted the Dubai Media Office, the Fujairah Media Office as well as the UAE’s Ministry of Defence to understand how statements are put out and how distinctions are made between successful drone strikes and damage caused by debris. We did not receive a response by the time of publication.

Lana Nusseibeh, a representative of the UAE’s Foreign Ministry previously told the BBC: 

“In order for everyone to feel safe it’s important at this time that the information is credible and the sources are reliable. That is the basis of the legislation that has come into play in this State, which is obviously a tense time.” 

She added that her advice for residents, citizens, tourists and journalists in the UAE was to: “Follow the guidelines. The guidelines are there for your safety and for your protection.” 

---

Merel Zoet contributed to this report.

Bellingcat is a non-profit and the ability to carry out our work is dependent on the kind support of individual donors. If you would like to support our work, you can do so here. You can also subscribe to our Patreon channel here. Subscribe to our Newsletter and follow us on Bluesky here, Instagram here, Reddit here and YouTube here.

The post The War You’re Not Allowed to See: How the UAE Rewrites the Story of Iranian Strikes appeared first on bellingcat.

This article is the result of a collaboration with Josimar. You can find Josimar’s corresponding piece here.

A European academic used a false name to represent an opaque Asian-facing bookmaker that is sponsoring Croatia’s national football team in the run up to the 2026 FIFA World Cup.

Croatia’s national governing body of football, the Croatian Football Federation (HNS), struck the deal to make gambling website Dragon Z6 the team’s “exclusive betting partner” across Asia in May 2024.

Promotional footage of the ceremony to ink the two-year agreement was filmed in Zagreb, with Croatian national team players Marco Pašalić, Lovro Majer and Josip Juranović in attendance.

A video posted to Dragon Z6’s website shows HNS International’s chief executive Dennis Lukančić and the federation’s head of marketing Ante Cicvarić signing the contract with the bookmaker’s representative.

“We hold Dragon Z6.com in high regard,” Cicvarić said in the clip. “A brand with a 25 year legacy and a stellar reputation for providing an exceptional gaming experience. Their motto, ‘Life is a gamble’, resonates deeply with us.”

Dragon Z6’s representative, who is named on screen and in a placard as “Alexander Smith”, described the deal as a “momentous partnership”. 

He said: “The Dragon Z6.com family proudly welcomes the Croatian national football team. We embark on an exciting journey to realise our shared ambitions.”

But the man who appears in the footage on behalf of Dragon Z6 is not Alexander Smith. He is Branko Balon, a senior lecturer in computer science at Algebra Bernays University in Zagreb. 

The Croatian national was identified using facial recognition search engine PimEyes, with images from his Facebook, university profile and media reports confirming the match.

In addition to his university position, Balon is the president of non-profit group the Croatian-Chinese Friendship Society for Cultural, Scientific and Economic Cooperation (CCFS).

He appears to have visited China on several occasions, including last July when he took part in a visiting scholar programme with the Nishan World Center of Confucian Studies in eastern China’s Shandong province, according to his Facebook posts.

Six months before the signing ceremony with HNS, Balon reportedly addressed a Zagreb sports and tourism symposium whose attendees included representatives from the Croatian Football Federation.

After initially confirming receipt of an email from Bellingcat, Branko Balon did not respond to questions. Dragon Z6 did not respond to multiple emails.

Dennis Lukančić said the Croatia Football Federation respected the rules and regulations of the sport’s governing bodies as well as Croatian law, but did not answer specific questions about how it became involved with Dragon Z6 or if it was previously aware of Balon’s real identity.

“Regarding the signing ceremony, we note that the Croatian Football Federation did not publish or officially communicate the identity of the Dragon Z6 representative present at the event,” he said. “As is customary with such ceremonies, the event itself was of a promotional nature and did not constitute the formal execution of contractual documentation.”

“The Croatian Football Federation is not in a position to comment on the internal decisions, communications, or presentation choices of Dragon Z6, including the use of names or identities in their own materials or appearances. Any questions regarding the identity or representation of Dragon Z6 at promotional events are best addressed to Dragon Z6 or their representatives. 

“In any of our proceedings we always negotiate in good faith and we respect all rights and obligations that arise from any agreement.”

Lukančić said the federation had carried out “standard compliance and due diligence procedures” before entering the deal and that the agreement was executed between the relevant legal entities, with Dragon Z6 “represented by their duly authorised signatories”. 

Asked which country Dragon Z6 was headquartered in, who its beneficial owner was, and for the name of the person who signed the contract on behalf of the gambling company, Lukančić said: “In our previous email we gave you already all answers and our position in this matter.”

We also asked if the Dragon Z6 deal includes sponsorship during the upcoming FIFA World Cup, but did not receive a response. England is Croatia’s first opponent, facing off against the Three Lions in Dallas on June 17.

The Many-Headed Dragon

Open source findings suggest that Dragon Z6 – sometimes referred to in Chinese as “Zunlong Kaisheng” – is just the latest iteration of an Asian-facing online gambling platform that has been sponsoring Western sports teams under different names for more than a decade. Dragon Z6 appears to be associated with the Hong Kong-linked gambling company KashBet, also known as KB88.

Gambling does not occur directly on the Z6.com domain. The site is essentially a gateway that redirects users to a fluctuating number of mirror websites with alphanumeric string domains. These Chinese-language sites host the gambling content, including live-streamed card games, and provide clues about Dragon Z6’s association with KashBet.

The image of Dutch former professional footballer Robin van Persie is featured prominently on Dragon Z6’s mirror sites. In the “About” section of these websites, the online casino says it signed van Persie as its brand ambassador in 2021. The same photograph of him is used interchangeably to promote both Dragon Z6 and the KashBet brand.

Van Persie’s agent, Kees Vos, said the footballer had not entered into a partnership with Kashbet, was not involved with Dragon Z6, and had not been aware that his image was being used on these websites.

“We have taken notice of the abuse of the image of our client Robin van Persie by several Asian gambling platforms, and we will instruct our lawyers to take legal action against these parties,” Vos said.

Z6’s mirror sites also say Zunlong Kaisheng is the “official sponsor” of Bundesliga clubs Bayer Leverkusen and Augsburg, Brazilian side Fluminense, Italian club Roma, English league team Wigan Athletic and Dutch club Ajax. 

However, it was KashBet that signed sponsorship deals with these football teams in 2017 and 2019. No record of a sponsorship with FC Augsburg was found, but KB88 was promoted in pitchside advertising during one of the team’s 2019 home games.

In 2019, Australian football team Melbourne Victory dropped their AFC Champions League sponsor “Kaishi Entertainment” after concerns were raised about the company’s link to Kashbet. 

KashBet’s representative at the signing with Bayer Leverkusen was the same person who represented Kaishi Entertainment during the Melbourne Victory announcement in the same year.

A YouTube channel branded as “Zunlong Kaisheng” and featuring the Dragon Z6 logo hosts a 2024 video titled “Welcome to Dragon Casino”. It shows a tour of a facility where female croupiers are live-streamed operating table games. 

The video also features framed photographs purporting to show various ceremonies. These include the KashBet image of van Persie, as well as club teams AS Roma and AFC Ajax’s Asian betting partnerships with KB88 in 2017. Another photo claims to show former Real Madrid, Chelsea and Belgium footballer Eden Hazard becoming a Dragon Casino “brand ambassador” in 2020.

Bellingcat’s emails to representatives for Eden Hazard, who was recently announced as a “global ambassador” for online gambling platform Stake, were not returned.

The location of the facility is not stated but open source evidence shows it was filmed in the Philippines, where offshore gaming operators were banned in 2024. Reverse image searches confirm one section of the promotional video was shot in the five-star Peninsula Hotel in Makati City, Manila.

Offshore Corporate Labyrinth

Dutch club Ajax, who were sponsored by KB88 in 2017, said their deal involved Hong Kong firm KB88 Entertainment Culture Limited. A company based in the British Virgin Islands is also behind trade names linked to KB88, according to a 2023 investigation by Dutch outlet NRC. But the entities purportedly in control of the gambling platform do not stop there.

Dragon Z6’s site links to a 2012 statement posted by English Championship club, Queen’s Park Rangers (QPR), announcing a one year deal to make KashBet the club’s international betting partner. The press release, which was removed from QPR’s website earlier this year, said KashBet was “fully owned and operated by Keen Ocean Entertainment (IOM) Limited” and licensed and regulated by the Gambling Supervision Commission (GSC) on the Isle of Man.

Records from the Isle of Man company registry show a company named Goldenway Investments (UK) Limited was incorporated in 2010 and changed its name to Keen Ocean Entertainment (IOM) Limited a month later. The company’s two directors were all residents of the Isle of Man, adding Hong Kong resident Yong Tang as the third director in November of that year. A company acting as the secretary, Rivercroft Limited, is also named in documents.

An archive of the Isle of Man’s Gambling Supervision Commission’s 2012-13 annual report shows that Keen Ocean Entertainment obtained a full online gambling license. This enabled it to enter into the QPR deal as the regulated body behind Kashbet.

Filings on the Isle of Man register are low on detail. Balance sheets are not filed, and the only documented activity about the company was the occasional movement of Isle of Man-based directors. By November 2015, Yong Tang was the sole director of the company. 

In 2016, Keen Ocean Entertainment was informed by the Companies Registry that it did not have the authority to maintain its registered office at the address it had given as its premises. Yong Tang did not respond to this correspondence, according to the available documents, and the company was subsequently struck off the register.

Gaming Compliance International (GCI), a regulatory intelligence firm that monitors the global online gambling market, said Dragon Z6 and KashBet did not have a current gaming license in any credible jurisdiction.

Ismail Vali, GCI president and the founder and former chief executive of Yield Sec, which tracks gambling and streaming marketplaces, said Dragon Z6 “ruthlessly” targeted audiences in China – where gambling is illegal – but that did not mean the operators were based there.

“Generally, in the illegal gambling model, they use triangulation and separation,” he said. “It’s the most basic form of organised crime: operate your business in one place, incorporate your business in another, make your money from many places, bank your money in many places, and, finally, invest and spend it everywhere to create more crime. Separating the elements of the illegal activity creates problems for tracing, policing and enforcement.”

Vali said Western football associations that are struggling to operate on shrinking budgets could be lured into sponsorship deals with unregulated and illegal gambling companies, which were focused on building brand recognition through live-broadcast games.

“The illegal gambling companies aren’t focused upon making money from the direct audience of the clubs or from the football association’s footprint in Croatia,” he said. “What they are making money from is the audience the football matches are broadcast to globally. They want to communicate what the brand is and because it’s associated with international soccer people think it must be trustworthy.

“The whole point here is to recruit you through sports. That’s the cheapest way to get you interested because you want to place a bet on Croatia versus the Czech Republic in the World Cup qualifiers. Once they recruit a customer cheaply via sports events, they can then cross-sell or migrate them into casino and more products – where the profit margin is far higher.

“Unregulated gambling companies want a blended customer – they don’t just want you for sports betting, they want you for everything.”

---

Ross Higgins and Connor Plunkett contributed to this article.

Bellingcat is a non-profit and the ability to carry out our work is dependent on the kind support of individual donors. If you would like to support our work, you can do so here. You can also subscribe to our Patreon channel here. Subscribe to our Newsletter and follow us on Bluesky here, Instagram here, Reddit here and YouTube here.

The post Croatia’s Football Team Signed Deal With Gambling Sponsor Whose Rep Used Fake Name appeared first on bellingcat.