“In the age of misinformation, the line between fact and fiction is blurrier than ever.”

“For those of us working in video news, verification isn’t a nice-to-have. It’s a necessity. It is how we protect the stories we help shape and how we earn and maintain trust in an increasingly chaotic information ecosystem,” Abu Dhabi-registered video news agency Viory posted on LinkedIn on April 9, 2026, offering training to help newsrooms and journalists sort fact from fiction. 

The self-described “video news agency of the Global South” has delivered journalism training to multiple national press agencies across Africa, Asia and the Middle East.

However, when it comes to Viory itself, the line between fact and fiction is very blurry indeed. 

Bellingcat has found multiple links between the digital infrastructure of Viory and Ruptly news agency, a branch of sanctioned Russian propaganda outlet Russia Today, including shared IP addresses, a Viory-linked site using a digital security certificate registered to Ruptly, and Ruptly sending site performance data to Viory. While there have been previous reports on suspected links between the two outlets, our investigation adds new evidence about Viory’s ties to Ruptly media. 

When contacted for comment, both Viory and Ruptly denied any connection with each other.

‘Video News Agency of the Global South’

Viory’s main offering is raw video footage of news events provided via subscription. According to Viory, its clients include “major international news outlets, local media organisations, and independent creatives in more than 170 countries”.

If its own figures are to be believed, Viory was strikingly well established at its launch in November 2023, by which time it claimed to have a “pre-assembled team of over 150 full-time staff, and an established network of over 3,000 video journalists across the world”.

The name “Viory” is a trade name. The company’s legal name is Darpo Vision FZ LLC, according to its website, which also states that it is registered in Abu Dhabi. In August 2024, Darpo Vision FZ LLC filed for a trademark in the US for the name Viory, which was approved in December of 2025. 

As of May 2026, Bellingcat found press releases and news reports referencing at least 30 agreements between Viory and partners in more than 22 countries, as well as cooperation agreements with government agencies, training agreements with universities and regional journalism bodies. 

This includes:

• African Union of Broadcasting
• Mali’s Office de radiodiffusion et de télévision du Mali
• Democratic Republic of Congo’s Congolese Press Agency 
• Public Service Media Maldives 
• Namibian Broadcasting Corporation
• Ethiopian Broadcasting Corporation
• Cambodia’s Ministry of Information
• Media Office of the Government of Al Fujairah
• Abu Dhabi University
• University of Sharjah
• Asia Media Summit

Viory also sponsored a glitzy event for its inaugural Global South Video News Awards in December 2025 at Abu Dhabi’s first-ever BRIDGE Summit.

Ruptly Revisited

Ruptly is a video news agency formerly based in Berlin and ultimately controlled by Russia Today (RT), which is owned by Russian state media company ANO TV-Novosti. ANO TV-Novosti has been on the EU sanctions list since December 2022 for spreading “pro-Kremlin propaganda and disinformation” and supporting Russia’s war against Ukraine. 

RT launched Ruptly, which operated in Berlin via a German-registered subsidiary in 2013, with the goal of “becom[ing] the go-to alternative resource in a highly concentrated market of professional news video footage, and to deliver coverage of stories that other agencies miss.”

Sanctions imposed on RT following Russia’s 2022 invasion of Ukraine choked off Ruptly’s source of funds in Germany, leading the German company to begin insolvency proceedings in October 2024. Ruptly continues to operate from Moscow as of 2026.

As with Viory, Ruptly’s main offering is providing raw news footage to subscribers around the world. It relies on a large network of international freelancers and stringers. In 2016 RT claimed that Ruptly had “surpassed” newswire services AFP and Reuters on YouTube, and was serving more than 600 media organisations in 45 countries.

Felix Huesmann of the German outlet RedaktionsNetzwerk Deutschland (RND), was the first to outline links between Ruptly and Viory while covering the insolvency proceedings of Ruptly. He found that Darpo Vision’s original details on the Abu Dhabi Creative Media Authority’s site included an email address d.toktosunova@gmail.com. It has not been confirmed who this email address belongs to; however, the username matches the first name initial and surname of Dinara Toktosunova, the managing director of Ruptly. When asked about this email address by Huesmann  in 2024, Ruptly “explained that Toktosunova is focused on securing the future of the Ruptly team [in Moscow] and is not working anywhere else as a managing director.”The activist group, OSINT For Ukraine, also outlined links between Ruptly and Viory, including the movement of multiple key staff between the two organisations and strong similarities between the two organisations’ platforms and content.

Darpo Vision’s Security Certificate

The legal entity behind Viory, Darpo Vision, was set up in one of Abu Dhabi’s free zones – special economic areas that have business-friendly incentives such as tax exemptions and that allow 100 percent foreign ownership. The free zones also offer what some describe as high levels of “corporate privacy,”  which others assert has created a haven for shell companies and opaque corporate structures.

Darpo Vision initially had its own web domain, darpo.vision. The site has since been removed. Whois records show that the domain was registered by Darpo Vision FZ LLC in December 2022 to a PO Box in Abu Dhabi, using a Russian domain name registrar and a Moscow phone number. 

Initially, Darpo.vision had its own Secure Sockets Layer (SSL) certificate – a digital certificate that authenticates a website’s identity, allowing it to secure and encrypt data. However, VirusTotal data shows that as of at least June 2024, darpo.vision was using a wildcard SSL certificate registered to ruptly.video. A Wildcard SSL certificate is a single certificate with a wildcard character (*) in the domain name field. This allows the certificate to secure a single domain and multiple subdomains. You can see historical SSL certificates for darpo.vision.

James Wilson, a software and networking engineer with 20 years of experience and currently Enterprise Technology editor at Risky Business Media, told Bellingcat that to prevent unauthorised use or forgery of SSL certificates, a private key is needed to create and use a wildcard certificate across multiple domains. 

“The fact that darpo.vision was using a wildcard SSL certificate for ruptly.video indicates that whoever was running darpo.vision also had access to the private key for ruptly.video’s SSL certificate. Normally, only the people operating Ruptly’s web hosting infrastructure would be likely to have access to that,” Wilson explained. 

When asked by Bellingcat about whether there were alternative possible explanations, Wilson suggested that it was theoretically possible that someone may have hacked Ruptly and stolen their private SSL key. 

“However, using that wildcard SSL certificate on a domain that didn’t match the wildcard in the certificate defies explanation as the browser would alert the user to the certificate error,” he added.

Shared IP Addresses

Bellingcat also identified multiple shared IP addresses which appeared to be concurrently in use by both Ruptly and Viory between May 2025 and May 2026. 

From 2025 onwards, the Russian IP address 158.160.132.25 has been used concurrently by viory.video, ruptly.video, ruptly.agency and ruptly.tv, according to VirusTotal. Similarly, since the beginning of 2026, IP address 84.252.135.88 has been used concurrently by viory.video, viory.team, ruptly.video, ruptly.agency and ruptly.tv, according to VirusTotal. 

VirusTotal data shows that from 2025 onwards, IP address 158.160.166.22 has been used by ruptly.video and viory.video while from 2026 onwards, IP address 158.160.226.68 has been used by viory.video and ruptly.tv. The VirusTotal data appears to show these IP addresses being used exclusively by Ruptly and Viory as of 2025 and 2026. However, VirusTotal does not necessarily capture all domains which resolve to an IP, and other domains may also have resolved to these IP addresses, which were not observed by VirusTotal’s passive DNS replication service. It is also important to note that in some cases, unrelated domains use the same IP addresses.

Ruptly Sends Site Performance Data to Viory

Viory’s and Ruptly’s site infrastructure was also linked through data sent via Sentry, an internal error tracking and performance monitoring platform. 

An API scan of Ruptly’s main client login page, ruptly.agency, on March 26, 2026, shows that the page was sending data to a subdomain of viory.team. This domain appears to be used by Viory primarily for backend purposes, based on subdomains which appear to refer to common developer and site management tools such as Traefik and ArgoCD, in addition to Sentry.io. Notably, two subdomains also appear to refer to Ruptly. 

The purpose of one domain sending data to another domain’s Sentry project is generally to consolidate all of the relevant performance and error data in one place for in-house developers to monitor. 

The ruptly.agency page’s request to viory.team also includes an authentication key for Viory’s Sentry project. Ruptly.agency is not the only Ruptly domain sending Sentry data to viory.team. As of May 9, 2026 the login page for ruptly.video’s own Sentry project, sentry.ops.ruptly.video, automatically redirects to sentry.ops.ruptly.video/auth/login/viory/. Ruptly Video’s Sentry login page also features “Viory” as the title.

The ruptly.video Sentry login page is also sending data to the viory.team Sentry project, the ruptly.agency homepage and using a favicon hosted on viory.team.

A third Ruptly domain, ruptly.tv, also sends performance data to viory.team’s Sentry project via cms.dev.ruptly.tv. 

James Wilson noted that in each case, the Ruptly domains sending data to Viory appeared to be using a different Sentry key.

“If you look at each of these snippets sending telemetry data [from the Ruptly domains], the specific Sentry keys for sentry.ops.viory.team are different for each. I presume that someone with access to Viory’s Sentry keys has generated and included fresh Sentry keys in each of these instances in order to differentiate between the telemetry from this site versus others using the same Sentry instance,” Wilson said. 

“This cuts against the idea that this is, for example, a case of someone just lazily copy-pasting code on Ruptly’s domains. It suggests that each of these snippets was likely to have been deliberately included. The alternative explanation of changing these API keys to some arbitrary value seems much less plausible given the lack of diligence in ensuring other aspects of the content didn’t cross-reference the domains.”

‘Ruptly’ Page Title on Viory Test Page

Finally, Bellingcat found a page at frontend.dev.viory.video/en that appears likely to be a developer test page for the front page of Viory’s main domain viory.video.

Notably, however, the page title reads “Stream trending news | Ruptly.” The page description included in the source code also refers to Ruptly:  

“Follow breaking world news in real-time and stream the latest developments in politics, sports, finance, science, tech, and more from one of the top online news sites. Download and share international news today with award-winning news agency Ruptl” [sic].

Wilson said that the use of the Ruply page title and text on the Viory test page “looks like a case of lazy copy and pasting”.

“That could potentially be done by someone outside of Ruptly, although it would be strange.”

While this particular piece lies on the lower end of the spectrum of proof, Wilson said that together with the other stronger pieces of evidence, including multiple Ruptly domains appearing to send data to Viory using different API keys, and Ruptly’s wildcard SSL certificate on Darpo Vision’s site, the weight of evidence for a connection between Ruptly and Viory adds up.

“None of the pieces of evidence are watertight on their own, but when you add them together it’s difficult to think of other plausible explanations for all of them being true at the same time,” he added.

“None of the pieces of evidence are watertight on their own, but when you add them together it’s difficult to think of other plausible explanations for all of them being true at the same time,”

-James Wilson

Bellingcat also found that Ruptly appears to have connections to a company in Hong Kong. Company records from July 2022 indicate that this company was originally named Ruptly Limited, but in September of that year, the company’s name was changed to Lotus Production Limited. 

The Hong Kong company remains registered as active and filed annual reports in September 2025.

Russian Slant in the ‘Global South’ 

Anna Hiller, a Bangkok-based Consultant Research Analyst for the Institute for Strategic Dialogue told Bellingcat that the resources provided by Viory can be an attractive pool of source material for smaller media outlets, governments and academic institutions with small budgets.

She told Bellingcat that Viory’s editorial choices are clear when looking at the site’s videos.

“When accessing Viory, the prominence of pro-Russian and pro-China content is immediately noticeable, including numerous articles focused on Vladimir Putin, Russia-China cooperation, and broader China-related narratives.”  

Bellingcat contacted Viory, Darpo Vision and Lotus Production Limited to ask about the connections we found between the Viory website and Ruptly and between Lotus Production Limited and Ruptly. 

Viory said that it had no connection with Ruptly. “Viory has no connection with Ruptly; any suggestion otherwise based on ordinary use of similar digital platforms, tools or cloud providers is poorly founded and inaccurate; Viory is a UAE-based, privately held, self-funded and 100% privately owned organisation, and receives no funding, direction or instructions from any state media,” the company said in an email response. 

Ruptly also said it was not connected to Viory. It declined to respond to Bellingcat’s questions, including about specific findings such as Ruptly’s domains sending technical performance and error data to Viory, calling these questions “irrelevant”.

---

Bellingcat is a non-profit and the ability to carry out our work is dependent on the kind support of individual donors. If you would like to support our work, you can do so here. You can also subscribe to our Newsletter and follow us on Bluesky here, Instagram here, Reddit here and YouTube here.

The post Tracing Digital Links Between Viory and Ruptly appeared first on bellingcat.

A “river of blood” was how one survivor described the scene in western Myanmar. “I saw shooting. I saw mass killing.” Another told the UN High Commissioner for Human Rights (UNHRC) how 20 relatives, including three children, had been killed in the 2024 attack on Htan Shauk Khan village.

Human Rights Watch (HRW) said earlier this month that the Arakan Army (AA) “may have killed at least 170 Rohingya men, women, and children” in Hoyyar Siri (known as Htan Shauk Khan in Burmese) in Buthidaung Township. It described the May 2, 2024, attack as a “massacre”.

Buthidaung is one of the two townships in Rakhine State that is home to the majority of the Rohingya, a mainly Muslim ethnic minority in the predominantly Buddhist Myanmar.

At least 40 villages in Buthindaung were burned down in April and May 2024 amid clashes between the AA, an ethnic armed group fighting Myanmar’s military junta for control of Rakhine, and junta forces battling to retain their hold of the township.

Both sides committed abuses against civilians during the clashes, according to HRW. The military junta’s forced conscription of Rohingya to fight on its behalf has also intensified violence against them. 

The military and Rohingya armed groups began arson attacks in Buthidaung township in April 2024. By mid-May the AA had captured all junta bases, according to the think tank, the Australian Strategic Policy Institute. The destruction of Buthidaung has previously been documented by Bellingcat. 

The AA has denied accusations that it massacred civilians in Buthidaung, claiming that those killed were junta soldiers and Rohingya militants.

Bellingcat emailed the United League of Arakan, AA’s political wing, about the alleged attack on civilians but did not receive a response at the time of publication. Myanmar’s Ministry of Defence also did not respond to our questions. 

Evidence of civilian harm in Myanmar is slow to emerge and difficult to obtain due to the military’s strict control of the region and the tight grip of armed groups such as the AA in areas they control. 

“The mass killing could only be confirmed more than a year later,” the recent HRW report said, “when survivors eventually crossed into Bangladesh and found their way to the Rohingya refugee camps in Cox’s Bazar.” 

Aerial imagery shows that Htan Shauk Khan was almost entirely destroyed in May 2024.

Erasing Homes

A new investigation by Bellingcat has identified 115 villages in Rakhine State, similar to Htan Shauk Khan, as partially or completely destroyed since the February 2021 military coup that overthrew Myanmar’s democratically elected government.

The data points to a pattern of violence that leaves civilian areas uninhabitable and in some cases, erases them completely.

This investigation is a collaboration between Bellingcat and Jeune Afrique. You can read Jeune Afrique’s article in French here.

Unexploded Russian-made cluster munition bomblets, as well as damage consistent with bomblet impacts, have been found in a village in northern Mali – despite the West African country being a state party to the Convention on Cluster Munitions (CCM) which prohibits their use. 

The deployment of cluster munitions in northern Mali was first reported by Radio France International last week, citing local sources yet without showing images of the munitions or strikes in the reporting. However, social media footage posted on May 17, and since analysed by Bellingcat and our publishing partner, Jeune Afrique, shows unexploded Russian manufactured ShOAB-0.5 submunitions (bomblets).

Bellingcat geolocated a video showing the unexploded ShOAB-0.5 bomblets in the village of Tadjmart (18.977305, 0.86072), located approximately 55-kilometers (34-miles) south of the larger town of Aguelhok in northern Mali. This matches the location of airstrikes announced by the Malian Armed Forces (FAMa) on May 17. FAMa claimed it had identified armed groups in the area.

Russia’s paramilitary Africa Corps group, which is controlled by the Russian government and which replaced the Wagner mercenary group in the country, has been supporting Malian military operations.

Mali’s civil war has been ongoing since 2012. But the conflict has spiked in recent weeks as Tuareg separatists from the Azawad Liberation Front (FLA) and militants from the al-Qaeda affiliated Jama’at Nusrat al-Islam wal-Muslimin (JNIM) seized control of parts of the country in coordinated attacks against Malian and Africa Corps forces.

Les mercenaires continuent de larguer des bombes sur des maisons et certains diront pourquoi se révolter contre ces genres des pratiques inhumaines ne respectant aucun Droit. https://t.co/5jynKwUgeW pic.twitter.com/nB3ym4yooc

— Mohamed Lilly (@MedLilly1) May 17, 2026

The footage geolocated by Bellingcat shows the unexploded submunitions near buildings, alongside multiple small craters, consistent with submunition explosions.

The buildings and landmarks visible in the footage allowed us to geolocate where it was taken.

Additional footage geolocated by Bellingcat to nearby coordinates 18.97954, 0.85989 shows destroyed and burning buildings several hundred meters away, although this damage is not consistent with cluster munition use. The damage appears more significant than that which would be caused by submunition impacts.

Cluster munitions are explosive weapons which open mid-air to release large numbers of submunitions. They are prohibited from being used by signatories of the Convention on Cluster Munitions (CCM) because they are indiscriminate, saturate a wide area and can leave behind highly volatile unexploded bomblets which can kill civilians long after deployment. 

While Mali is a signatory to the CCM, Russia is not a state party to the agreement. 

Brian Finucane, a senior adviser with the US Program at the International Crisis Group, told Bellingcat that as a party to the CCM, Mali is “subject to its prohibitions and requirements. These include not only prohibitions on the use of cluster munitions, but also obligations to clear and destroy such munitions on its territory.”

ShOAB-0.5 submunitions are carried by the Russian RBK-500 cluster munition dispenser. A single RBK-500 dispenser can deploy about 565 ShOAB-0.5 submunitions. There is as yet no footage posted online showing a spent dispenser linked to this incident.Footage did circulate online on May 16 showing the remnants of an RBK-500. It was claimed to have been used in a separate cluster munition strike in the Timbuktu region of Mali. However, this footage was not geolocatable, given it only shows a close up of the dispenser at night, nor was it possible to tell when the footage was taken.

A second video appears to show the same dispenser, but shows the side with visible Russian markings denoting the model: “РБК-500; ШОАБ-0.5; ТГ-30”. This identifies the dispenser, RBK-500, the submunition inside, ShOAB-0.5, and the explosive filler, TG-30.

RBK-500 dispensers are deployed by Russian-made aircraft including several MiG and Su models. According to the 2024 IISS Military Balance report, Mali does not have any known operational Russian fixed-wing attack aircraft. Two Russian Su-25 aircraft delivered to Mali – one in 2022 and another in 2023 – are reported to have crashed and been out of service since late 2023.

An Su-24M model has since appeared in satellite imagery captured at Modibo Keita International Airport in Bamako. The imagery was first published by France 24 in April 2025, although it was unclear if this aircraft was, or has been, operated by Africa Corps or Malian forces.

Bellingcat contacted the Malian military and Russian Ministry of Defence requesting comment, and asking which force was responsible for deploying cluster munitions. We did not receive a substantive response by publication time beyond the initial statement made by the FAMa which detailed it was responsible for the May 17 strike.

A video posted on May 17, by an account linked to Azawad rebels in Northern Mali, shows a person handling components of a ShOAB-0.5 submunition, seemingly unaware of the danger. However, as the video shows only a close up of the submunition, it has not been possible to geolocate the video or confirm when it was taken.

Les Azawadiens ne fabriquent pas les armes au contraire ils les démontent ! pic.twitter.com/0tqOb6ut9G

— Oumayya AG Ambeiry (@AgOumayya) May 17, 2026

The FLA condemned the use of cluster munitions in a statement published on May 18. 

Bellingcat has previously reported on the use of cluster munitions in Syria and Ukraine and the danger they pose to civilians.

---

Youri van der Weide contributed to this report.

Bellingcat is a non-profit and the ability to carry out our work is dependent on the kind support of individual donors. If you would like to support our work, you can do so here. You can also subscribe to our Newsletter and follow us on Bluesky here, Instagram here, Reddit here and YouTube here.

The post Banned Russian Submunitions Found After Mali’s Military Announces Airstrikes appeared first on bellingcat.

The fragile ceasefire agreed between Israel and Hezbollah last month is holding. 

But satellite imagery shows that at least 46 of 54 towns and villages within the Israel Defense Forces (IDF) “Yellow Line” in southern Lebanon have been heavily damaged or, in some cases, entirely flattened. 

Much of the destruction and demolition has taken place in recent weeks.

Bellingcat’s satellite imagery analysis examined towns and villages identified on OpenStreetMap, a community-driven map database. Medium resolution PlanetScope satellite imagery covering each of the locations was provided by Planet Labs, a US company that recently restricted some of its imagery in the Middle East.

Bellingcat is sharing the annotated PlanetScope imagery for the dates of March 2 and May 8, 2026, showing the scale of damage that has occurred during roughly the first two months of the US-Israeli war against Iran.

The towns and villages detailed in the map are colour coded. Red shows locations  that have suffered varying degrees of damage or destruction, while yellow shows locations that were damaged prior to the US-Israeli war with Iran. White shows locations that have not been significantly damaged at time of publication.

Scroll and zoom to see damage throughout southern Lebanon in each of the date tabs. The first image is from March 2, 2026, shortly after the US and Israel attacked Iran. The second image is from May 8, 2026, more than two months after the start of the war and amid a fragile ceasefire between Israel and Hezbollah. PlanetScope imagery via Planet Labs PBC.

Israel’s Defence Minister, Israel Katz, is reported to have stated that “all homes in Lebanese villages near the border will be destroyed — in accordance with the Rafah and Beit Hanoun model in Gaza”. The aim, Katz said, is to “remove, once and for all, the threats near the border”. Israel has adopted similar methods of flattening buildings and homes close to Israel’s border in Gaza.

The large-scale destruction in southern Lebanon has been reported by multiple outlets including the BBC, CNN, SkyNews and The New York Times. These reports have shared images from several towns and villages, but Bellingcat is publishing satellite imagery for the entirety of southern Lebanon. The changes between the two dates show the scale and pace of destruction.

Within the Yellow Line  — the area occupied by the IDF since a ceasefire was agreed between Hezbollah and Israel on April 16 —  some towns were reported already destroyed or heavily damaged during the 2024 Israeli invasion of southern Lebanon. Some — like the coastal border town of Naqoura or the southeastern border town of Kfar Kila — have now been largely demolished. This is visible in both the medium-resolution PlanetScope imagery, and in high-resolution imagery obtained from Airbus by the BBC.   

Everything south of Lebanon’s Litani and Zahrani Rivers has been under evacuation orders issued by the IDF since early March, with regular updates warning residents to leave ahead of airstrikes. 

Much of the destruction within the “Yellow Line” appears to be from either controlled demolitions using explosives or construction vehicles. The IDF has shared numerous videos showing large-scale demolitions conducted in the towns and villages in southern Lebanon, while videos shared elsewhere on social media show the aftermath — large parts of towns like Beit Lif or Kheim reduced to rubble. 

One particularly large explosion took place in the small village of Qantara, where the IDF says it found two large tunnel systems built by Hezbollah. 

The tunnels were detonated with 450 tonnes of explosives, leaving large parts of the village obliterated. Another video released by the IDF showed some of the few remaining buildings in the nearby village of Aadashit being demolished with explosives. The IDF claimed the buildings were “Hezbollah infrastructure”.

Before and after imagery from Planet Labs shows the villages of Qantara and Aadshit in southern Lebanon on March 2 and April 30, 2026. The April imagery shows the aftermath of two large demolitions conducted by the IDF. Large parts of both villages have also been demolished. The UNP 7-1 label details the position of a UN peacekeepers facility.

Bellingcat contacted the IDF for comment on the details in this story but did not receive a response before publication. 

A full size version of the map can be found here.

---

Bellingcat is a non-profit and the ability to carry out our work is dependent on the kind support of individual donors. If you would like to support our work, you can do so here. You can also subscribe to our Newsletter and follow us on Bluesky here, Instagram here, Reddit here and YouTube here.

The post Satellite Imagery Shows Ongoing Demolitions Across Southern Lebanon appeared first on bellingcat.

Since the beginning of 2026, at least four landslides are reported to have killed hundreds of people at the Rubaya mines in the Democratic Republic of Congo (DRC), a major global source of coltan. Coltan is widely used in smartphones, laptops and e-vehicles.

With the mines currently under the control of the Rwandan-backed group M23, and access restricted to journalists and many NGOs, the true number of casualties remains unclear. Frequent cellular network disruptions have also been reported across the region.

In the absence of reliable on-the-ground coverage, Bellingcat used open source methods to examine statements from the authorities and media reports. Bellingcat confirmed several incidents in which villages were engulfed in the landslide and residents living near the mine were among those killed.

Landslide No.1 – January 28

Reports of a deadly landslide killing more than 200 people began appearing in international media in late January and early February. 

Three days after the incident, the DRC government made a statement on Facebook outlining that at least 200 people had been killed. They said the landslide was “a consequence of the rampant and illegal mining by Rwanda and the M23/AFC”.

In response, the M23-appointed local governor, Lumumba Muyisa, told Reuters that at least 200 people had been killed, but attributed the landslide to heavy rains. 

Landslides are common in small-scale mines, especially during the rainy season, which in Rubaya spans from September to May and peaks between March and April. 

Bellingcat cross-checked local media reports against one of the few social media posts about the incident, geolocating the phone footage to a mining pit south-east of Rubaya. In the video, the narrator speaking in Kinyarwanda (the national language of Rwanda, also spoken in eastern DRC) pans from the top to the bottom of the slope. Filmed at a distance, no bodies are visible in the footage.

Satellite imagery captured before and after the first landslide shows how the mud advanced down the slope.

Landslide No.2 – March 3

Just over a month later, a second landslide was reported. On Facebook, the DR Congo Ministry of Mines released a statement including a provisional death toll of more than 200 people:

However, senior M23 official Fanny Kaj, speaking to AP, rejected the DRC government’s claims, stating: 

“I can confirm what people are publishing is not true. There was no landslide; there were bombings, and the death toll isn’t what people are saying. It’s simply about five people who died,” Kaj said. 

The same day the second landslide was reported, another M23 spokesperson, Lawrence Kanyuka, announced an attack involving “combat drones and heavy artillery”, at a location more than 250km from Rubaya.

Speaking to eyewitnesses at the mines, international media reported a landslide triggered by heavy rains, with no mention of bombings – only of workers buried under the earth. 

Bellingcat verified several social media videos of the second incident, in which dozens of people are seen digging for those buried under the mud. The clip below is an edited excerpt that excludes graphic images of bodies.

Edited video clip (left) geolocated to the camera icon (right). The white line (right) shows the camera’s movement as it pans across the slope. Source: Planet Labs PBC, March 26, 2026.

Later in the video, as the camera zooms in on several bodies, the narrator speaking in Kinyarwanda says: “Those you can see here have just been pulled out. These people are dead, but others are continuing to the search operations.” 

Due to the low quality of the footage, an accurate body count was not possible. 

Bellingcat geolocated footage of landslide No. 2 to the same location as landslide No. 1, shown in the satellite imagery below.

M23 did not respond to a request for comment on findings contradicting senior official Fanny Kaj’s claim that no landslide occurred on 3 March.

Landslide No.3 – March 7

Four days later, a third landslide was reported, with estimates of more than 300 people killed, according to civil society official Telesphore Nitendike. Speaking to EFE, Nitendike said the landslide had affected “more than 40 families” as houses were “swept away” by the mud.

Satellite imagery shows the landslide advancing from east to west as mud surged down the slope.

Before and after the third landslide on March, 3. Source: Planet Labs PBC.

Bellingcat verified more than a dozen social media videos from the third incident, the majority posted on X by local media accounts. Almost all contained highly distressing content, including the bodies of young children. In one video, the narrator walks through a crowd of more than a hundred people, then stops and pans across several bodies covered with blankets, saying: 

“These bodies were found here in Gatabi [name of village], inside houses. You can see how the houses were swallowed. The search for residents is still ongoing. It is truly a tragedy.”

As he continues filming, at least seven unclothed bodies, all young children, are seen being carried down the slope.

“You see, there, that’s another child’s body. These are children who were sleeping in their homes. Some were still in bed when they were swallowed by the landslide.”

Left: Video clip shows a body covered with a blanket on a stretcher. Right: Video clip shows the community-led rescue effort. The background satellite image shows geolocated pins marking the videos. Source: Planet Labs PBC, 16 February 2026.

Bellingcat geolocated 12 social media videos of the third landslide to a location southwest of Rubaya town.

Landslide No.4 – March 27

A fourth landslide was reported at the end of March by local outlets, describing the collapse of two mining shafts and the death of at least nine workers. 

Satellite analysis, combined with the geolocation of one social media video, indicates the fourth incident took place at the same location as landslides No.1 and No.2.

Before and after the fourth landslide on March 27. Yellow box highlights houses engulfed in the mud. Source: Planet Labs PBC.

Despite repeated attempts by Bellingcat to contact the DRC government and M23 for updated casualty figures across all four incidents, neither party responded. 

In February of this year, human rights group Global Witness called on companies and governments using or trading DRC’s coltan to ensure mine operators adhere to international human rights and environmental standards.

Bellingcat also contacted the DRC government spokesman and minister for communication and media, Patrick Muyaya, regarding a post he made on X that Bellingcat found to be promoting misinformation about the rate of expansion of the mines while under M23 control.

In the post, Muyaya urges followers to watch a video that presents itself as an open source report but includes satellite imagery falsely attributed to Bellingcat and “Planet Labs Inc.” We can confirm that this is not our work. The imagery also appears not to be from Planet Labs PBC, but from Google Earth Pro (illustrated below). 

The fabricated video was originally posted in 2025 by the Facebook account, Congo Kinshasa.

Contacted by Bellingcat, Congo Kinshasa confirmed that they were the creator of the video. Asked to explain why the satellite images were mislabeled and the analysis wrongly attributed to Bellingcat, they responded: “I don’t understand you. What exactly is your problem?”

Minister Patrick Muyaya did not respond to our request for comment on his post promoting false information.

---

Claire Press contributed to this report.

Bellingcat is a non-profit and the ability to carry out our work is dependent on the kind support of individual donors. If you would like to support our work, you can do so here. You can also subscribe to our Patreon channel here. Subscribe to our Newsletter and follow us on Bluesky here, Instagram here, Reddit here and YouTube here.

The post DRC’s Coltan Belt: Verifying Deadly Landslides at Mines Under M23 Control appeared first on bellingcat.

This investigation is a collaboration between Bellingcat and Colombian media outlet Cerosetenta. You can read Cerosetenta’s piece in Spanish here.

A video posted on Feb. 26 shows several men painting over graffiti in Restrepo, a neighbourhood in Bogota, Colombia, and replacing them with images of their own: a logo used by Colombian political candidate and businessman Jorge Rodriguez, who is one of the men shown in the footage.

“Today we are defending public space to stop generating hatred in future generations!” said the caption posted on Instagram by Rodriguez, who unsuccessfully ran for office in the March 2026 congressional elections as part of Centro Democratico, the country’s largest right-wing party. 

But at least one of the graffiti-ed pieces they painted over carried a message critical of, rather than promoting, hate: “Creole Nazis will not pass” – using a term that refers to Nazi sympathisers in Latin America. 

And although the faces of most of the men shown in the video were pixelated, the tattoos visible on one of them have multiple similarities with a prominent member of neo-Nazi group Active Club Bogota – an individual known as Javier “Orlik” Ruiz, whom Rodriguez follows on Instagram and who “liked” the video.

In response to Bellingcat and Cerosetenta’s queries via Instagram, Rodriguez did not answer questions about his relationship with Active Club Bogota or the individual we identified as appearing in his videos, but said he was “not obligated to respond to any interview or request without a court order”. He also threatened legal action if we used his image or name in this investigation, saying that this would violate his rights to privacy, reputation and data protection, as well as the right to his own image. 

Similarly, Ruiz did not reply to questions that Bellingcat sent via email, including on his role in Active Club Bogota, but responded to our query by threatening legal action if we used his name, image or background information about him without his “prior, express and informed authorisation”. Ruiz said in his email that, among other things, processing his personal data without authorisation could be considered a violation of personal data under Colombian law.

After Bellingcat replied to both Rodriguez and Ruiz, noting that they did not answer our questions and inviting them again to do so, Ruiz responded with another legal threat referencing data laws – again without answering any questions related to this investigation. 

Bellingcat and Cerosetenta have consulted legal experts in both the Netherlands, where Bellingcat is headquartered, and in Colombia on the question of how privacy laws in both countries are balanced against the right to freedom of expression. In light of (amongst other factors) the public interest in this information and the fact that both Rodriguez and Ruiz qualify as “public figures” (persons who have, through their acts or their position, entered the public arena), the reporting in this article and the editorial choices made by Bellingcat are protected by the freedom of expression.

Both Rodriguez’s and Ruiz’s full responses are included at the end of this article.

Active Club Bogota is the local branch of the international Active Club movement. It hosted celebrations of Adolf Hitler’s birthday at a Bogota community centre in 2025 and 2026. At the 2025 event, the group hosted a Nazi-inspired book burning. This year, the group celebrated with Nazi swastika cupcakes, a swastika-emblazoned birthday cake and the screening of a 1940 Nazi propaganda film.

Bellingcat and our Colombian partner Cerosetenta reached out multiple times via email and phone to the president of the relevant Community Action Board managing the community centre where these events were held, using contact information listed in a document by the local mayor’s office. As of publication, we have not received a response to our emails, and calls to the president of the community centre have gone unanswered.

Active Club Bogota, which has had an online presence since early 2024, appears to be the only officially recognised South American chapter of the neo-Nazi network started in the US by white supremacist Robert Rundo. The international movement, which Bellingcat has covered extensively, is known for using fitness, fighting and fashion to recruit young men and boys into the far right, normalise fascist ideas and prepare them for physical violence against perceived enemies. 

Active Club Bogota’s official Instagram account followed just over 60 accounts earlier this year. Rodriguez’s public Instagram account was, and continues to be, one of them. In March this year, Rodriguez also “liked” a March 2026 post from the group that featured a flag for a neo-Nazi movement. 

While Rodriguez was unsuccessful in his bid for a seat in parliament, garnering just 4,401 votes, he presents himself as a prominent member of Centro Democratico and claims to have founded the party’s largest youth group. 

He has appeared in photos and events on his social media alongside notable figures from the party, such as former Vice Minister of Justice Rafael Nieto Loaiza, party director Gabriel Vallejo, presidential candidate Paloma Valencia and the party’s founder, Alvaro Uribe Velez.

Alexander Ritzmann, a senior advisor with the Counter-Extremism Project (CEP), told Bellingcat that an affiliation between Active Club Bogota and a political actor like Rodriguez should be taken seriously.

Heidi Beirich, co-founder of Global Project Against Hate and Extremism (GPAHE), said that any sort of legitimacy lent to an outwardly neo-Nazi group, like those that make up the Active Club movement, “sets a dangerous precedent”.

Bellingcat’s investigation into Active Club Bogota also suggests that the group has connections with the international far-right, with allies and “brothers” from Brazil to Spain, as well as apparent links with Combat 18, a violent neo-Nazi network accused of being an “international criminal organisation” and terrorist group. There is no evidence to suggest that Rodriguez has any connections to these other groups.

Centro Democratico was the biggest challenger to Colombian President Gustavo Petro’s left-wing coalition Pacto Historico in the March elections, securing 17 seats in the Senate, up from 13 in 2022, and a majority of 32 seats in the House of Representatives, double the 16 it won in the previous elections.

In response to Bellingcat’s queries, Centro Democratico National Director Gabriel Vallejo said the party was unaware of any proven links between Rodriguez and far-right, neo-Nazi, or extremist groups. 

Vallejo said that the Party’s candidates retain the right to exercise their freedom of expression and define their ideological affinities within the limits of the Constitution and the law. 

However, Vallejo said that Centro Democratico does not support or endorse any type of link with organisations or movements that incite hate speech, violence or the glorification of crime. 

“The Party maintains a firm stance in defence of the Constitution, the law, democratic institutions, and respect for human dignity, as well as in the protection of the public interest and fundamental rights,” he said. “In this regard, any conduct that contravenes these principles is contrary to the Party’s guidelines and will be subject to the corresponding actions in accordance with the Statutes and applicable regulations.”

Tattoo Identifications

In Rodriguez’s Feb. 26 video, the former political candidate can be clearly seen. However, several others had their identities obscured, with one particular individual being completely pixelated from head to toe in almost every frame he appeared in, even where only part of his arm was visible. 

But thanks to a few frames where parts of the individual’s arms or hands are briefly unpixelated, or where colouration shows through the pixelation, Bellingcat was able to match the person shown in the video to a prominent Active Club Bogota member and possible leader – an individual who goes by Javier or “Orlik” Ruiz – who Rodriguez follows on Instagram and vice versa. 

Between April and May 2024, the first few weeks after Active Club Bogota’s Telegram channel was set up, eight posts listed an author who went by “Orlik Ruiz”. 

Bellingcat searched online for social media accounts and information related to “Orlik Ruiz” and quickly found numerous public social media accounts that appear to belong to the same individual, with posts showing photos of his face and tattoos. Several of these accounts used the name Javier Ruiz. These accounts included a YouTube account featuring 2022 video clips showing Ruiz and other men at a shooting range, holding what appear to be automatic rifles.

In most of these social media accounts, Ruiz posted numerous photos exposing his face and, more frequently, his tattoos from multiple angles, allowing Bellingcat to confirm that the same individual appears in the vast majority of Active Club Bogota’s online content.

Active Club Bogota’s Telegram channel listed an account with the name “Javi” as the group’s main contact. There were more than 30 posts on this account’s own profile page, and though the face of the person shown in the photos posted from this account was obscured, the matching tattoos in many of these posts all pointed to the same person.

Ruiz’s tattoos had several distinctive features that appeared across multiple photos. The backs of both of his hands are tattooed up to the base knuckles. He also has an arrow tattoo on his left middle finger, pointing down towards the base knuckle, and a red design that circles his left wrist. 

These match several features of tattoos on the individual’s left hand that can be made out despite the pixelation, including what appears to be red colouration on the individual’s wrist, heavy dark hand tattooing, and also discolouration on the left middle finger, suggesting tattoos on that finger.

While blurred footage alone is not enough to confirm matching tattoos, several other significantly more detailed and clearer comparisons could be made. 

In one frame, a very similar arrow to that seen in photos of Ruiz appears on the left middle finger of the individual shown in the video.

In addition, there are gaps in the tattoos and a rounded shape visible on his left arm that are consistent in position with photos of Ruiz’s tattoos.

There are also several frames in the video where the individual’s right hand is visible. These unpixelated, although still blurry, frames show the individual has heavy tattooing on their right hand that forms a curved shape between their knuckles. This is consistent with the shape of the tattoos on the right hand of Active Club Bogota’s Ruiz as seen in photos posted on the group’s Telegram channel and on social media.

Another frame shows a small red tattoo visible on the middle-right finger as well as a detail between the index finger and right pinky. This matches with other, clearer images of Ruiz’s tattoos visible on his private Instagram.

Furthermore, in several frames of the video, the pixelated individual’s upper-right arm is visible, showing red colouration that is consistent in size and shape with images of Ruiz’s tattooed right arm.

Promoting Fascist Ideas in the Region

The first sign we could find online of Active Club Bogota’s appearance on the city’s neo-Nazi scene was in early 2024, when its official Telegram channel was created. 

The official Active Club website that Rundo, the American founder of the Active Club movement, has openly promoted in several podcasts features a map of “official” Active Clubs around the world. As of the time of publication, Active Club Bogota is the only one in South America on the map.

But social media posts from Active Club Bogota suggest that the Colombia-based group has been attempting to promote the development of other Active Clubs in Latin America, with mixed results.

In September 2025, Active Club Bogota promoted a new Active Club in Brazil, boasting that “our brothers … have also taken a big step forward.” 

This Brazilian Active Club Telegram channel no longer exists as of February 2026. 

Also in September 2025, Active Club Bogota promoted the Telegram channel of a new Active Club in Argentina, which they referred to as “our Argentinian friends”. This Telegram channel, like the Brazilian Active Club Telegram channel, no longer exists as of February 2026.

In December 2025, Active Club Bogota promoted the Telegram channel of another new Active Club based in Mexico City, which the Colombian channel referred to as “our Mexican brothers, who are joining this great movement that seeks to reclaim our identity and heritage”.

Beirich, the co-founder of GPAHE, said that Active Clubs are a concerted effort to market the far right to a new generation of young people. 

“Active Clubs can and do serve as a bridge between older generations of neo-Nazis and the current wave of youth engaging with the movement,” she said.

“Groups like the one in Bogota are hyper-local enterprises that also connect its members to a transnational extremist network of other Active Clubs and white supremacist groups that share a similar worldview,” she added.

Ritzmann, from CEP, also said that the threat posed by the group should not only be measured by its size. “Even a small local chapter can function as a recruitment hub, a training environment, and a bridge into wider transnational extremist networks,” he said.

International Connections

Our identification of Ruiz also led to evidence of links between Active Club Bogota and international neo-Nazi networks Blood & Honour and Combat 18.

In a May 2024 photo posted on his public Telegram account, a man whose face is covered by a cloth mask and further obscured with a digital image was pictured standing next to two neo-Nazi musicians who were in Bogota to perform at a concert that Ruiz had promoted on his Telegram account. One of the musicians is British neo-Nazi Ken McLellan, who has long been associated with Blood & Honour. 

The tattoos on the lower left leg and right hand of the man whose face was obscured appear to be the same as Ruiz’s – matching the shape, colour and position – based on photos publicly posted on Active Club Bogota’s Telegram channel.

Blood & Honour is an international neo-Nazi network founded in the United Kingdom in 1987; McLellan and his band were present at this founding meeting and still regularly perform at Blood & Honour-affiliated concerts. Blood & Honour’s affiliate group Combat 18, described as the “armed branch” of Blood & Honour, was founded in 1992. 

Members and associates of Blood & Honour and Combat 18 have been accused of crimes including possessing explosives and drug trafficking. Individuals associated with both groups have been convicted of crimes including attempted murder, murder and terrorism. Both groups have been designated terrorist organisations in Canada since 2019 and have been subject to financial counter-terrorism sanctions in the United Kingdom since January 2025. 

A Colombia-based neo-Nazi fashion retailer that sells t-shirts with Combat 18 symbolism and branding also lists Ruiz as the main contact on its Telegram channel (Bellingcat is not naming the retailer to avoid amplification). 

On its WhatsApp Business account, this retailer advertises neo-Nazi clothing and paraphernalia, including content with Combat 18’s name, symbolism and branding, as well as content promoting bands with documented links to Combat 18. Active Club Bogota has also promoted this retailer on its own Telegram channel. After reaching out to Meta, the parent company of WhatsApp, a spokesperson told Bellingcat that “this account breaks our terms of service and we have banned it”. As of publication, the WhatsApp Business account has been blocked.

After a series of arrests of alleged members in Spain in October 2023, Spanish authorities publicly called Combat 18 an “international criminal organisation” and claimed the Spanish wing of the group has relations with Combat 18 members in South America. 

Spanish media outlet El Periodico further reported that this police operation against Combat 18 in October 2023, according to their sources, “was mounted to pursue organised crime and other related offences, including drug trafficking”. 

Bellingcat established another link between the two groups through another individual associated with Active Club Bogota. 

In a 2015 post on one of Ruiz’s public Facebook accounts, an individual (in red below) who at the time was a bassist with a neo-Nazi band that sang songs praising and promoting Combat 18, is visible with a black tattoo on his left bicep.

Almost a decade later, in January 2025, Active Club Bogota posted a video that featured an individual with a tattoo that appeared to be in the same shape and placement.

The bassist’s name was mentioned in two posts by Juan de Dios Osuna Montanez, the alleged leader of Combat 18 in Spain, on Instagram in May 2024. 

Both posts featured a photo of what Montanez described as “little gifts directly from Colombia,” with Montanez thanking an account under this individual’s name, calling him his “brother.” These posts occurred during the same time period during which Active Club Bogota posted content from Catalonia, in northeastern Spain.

The photos Montanez posted of the apparent gifts are nearly identical, with the only difference being that the second photo is more zoomed in than the first. The photo shows a sticker with Active Club Bogota’s logo and branding, a t-shirt reading “Blood & Honour Colombia Division,” a sticker featuring both Blood & Honour and Combat 18’s logo, as well as packages of candy and coffee that Bellingcat was able to identify as being from small Colombian brands. 

Montanez did not respond to Bellingcat’s request for comment via Instagram and Facebook, but we were blocked by his Instagram account after we reached out. We were unable to find any other public contact information for Montanez.

Ritzmann of CEP said that Active Club Bogota’s repeated display of the Combat 18 flag on its Telegram channel signals identification with one of the most explicitly militant neo-Nazi traditions in Europe.

He added that while some Active Clubs avoid overtly antisemitic references to avoid scrutiny by law enforcement, reduce negative media attention and attract new recruits without frightening them away, Active Club Bogota “appears to sit at the more explicit edge of the Active Club strategy” with its open celebration of Hitler’s birthday and its antisemitic messaging. 

“The network wants to appear harmless enough to avoid scrutiny, but radical enough to attract militants. Active Club Bogota is an example of how that balance can shift toward overt neo-Nazi mobilisation while still remaining inside the wider transnational Active Club ecosystem,” he said.

Full Response from Jorge Rodriguez to Bellingcat’s Queries

[April 24, 2026]

Translated to English
“In response to your questions, I would like to inform you that I am not obligated to respond to any interview or request without a court order. Therefore, I will not respond to any interviews. Furthermore, should you decide to use my name or image, I wish to state that I DO NOT AUTHORISE THE USE OF MY NAME, SOCIAL MEDIA ACCOUNTS OR ANY RELATED CONTENT.

Likewise, if you use my image or name, it constitutes a violation of my fundamental rights to privacy, reputation, habeas data, and the right to my own image, the latter of which has been repeatedly recognised and protected by the jurisprudence of the Constitutional Court.

The unauthorised use of my image or name may constitute a punishable offence, and I will be authorised to initiate the corresponding legal actions to restore my rights.

Sincerely,

Jorge Rodríguez”

In Spanish (Original)

“De conformidad con sus preguntas, me permito indicarle que no estoy obligado a responder ninguna entrevista o requerimiento sin que medie orden judicial. Por lo anterior, no responderé ninguna entrevista, asimismo, en caso de que ustedes decidan utilizar mi nombre o imagen me permito indicar que NO AUTORIZO LA UTILIZACIÓN DE MI NOMBRE O IMAGEN, REDES SOCIALES Y DEMÁS.

De igual manera, si ustedes utilizan mi imagen o nombre es una transgresión de mis derechos fundamentales a la intimidad, al buen nombre, al habeas data y al derecho a la propia imagen, este último reconocido y protegido de manera reiterada por la jurisprudencia de la Corte Constitucional.

Incluso la utilización de imagen o nombre sin autorización puede constituir una conducta punible y estaré autorizado de iniciar las acciones legales correspondientes en aras del restablecimiento de mis derechos.

Cordialmente,

Jorge Rodríguez”

First Response from Javier Ruiz to Bellingcat’s Queries

[April 21, 2026]

Translated to English
“As the data subject of the aforementioned personal data, I hereby submit this formal request regarding the use of my name, image, and background information in an interview request, without my prior, express, and informed consent.

The described conduct constitutes a potential violation of my fundamental rights to privacy, reputation, habeas data, and the right to my own image, the latter repeatedly recognised and protected by the jurisprudence of the Constitutional Court.

Likewise, the processing of my personal data without authorisation contravenes the provisions of Law 1581 of 2012 and its implementing decrees and could constitute the offence of personal data violation under Article 269F of the Colombian Penal Code.

Therefore, through this document, I expressly and immediately request:

– The suspension of any use, processing, circulation, or dissemination of my name, image, and other personal data.

– The permanent deletion of any content, file, record or publication in which my personal information has been used without my authorisation.

– A precise indication of the origin of the information, the purposes of its processing, and the third parties with whom it has been shared.

For the purposes of the foregoing, I grant a maximum period of forty-eight (48) hours from the receipt of this communication to demonstrate compliance with the requirement.

In case of non-compliance, I will be obligated to initiate the corresponding legal actions, including filing a writ of protection for the violation of my fundamental rights, as well as administrative proceedings before the Superintendency of Industry and Commerce and any applicable criminal actions.

This communication is understood as a formal prior request.

Sincerely,

J.R.”

In Spanish (Original)

“En mi calidad de titular de los datos personales referidos, me permito formular el presente requerimiento formal en relación con el uso de mi nombre, imagen y antecedentes dentro de una solicitud de entrevista, sin que medie autorización previa, expresa e informada de mi parte.

La conducta descrita constituye una posible vulneración de mis derechos fundamentales a la intimidad, al buen nombre, al habeas data y al derecho a la propia imagen, este último reconocido y protegido de manera reiterada por la jurisprudencia de la Corte Constitucional.

De igual forma, el tratamiento de mis datos personales sin autorización contraviene lo dispuesto en la Ley 1581 de 2012 y sus decretos reglamentarios, y podría adecuarse a la conducta tipificada como violación de datos personales conforme al artículo 269F del Código Penal Colombiano.

En virtud de lo anterior, por medio del presente escrito requiero de manera expresa e inmediata:

– La suspensión de cualquier uso, tratamiento, circulación o difusión de mi nombre, imagen y demás datos personales.

– La eliminación definitiva de cualquier contenido, archivo, registro o publicación en la que se haya hecho uso de los mismos sin mi autorización.

– La indicación precisa del origen de la información, las finalidades del tratamiento y los terceros con quienes haya sido compartida.

Para efectos de lo anterior, otorgo un plazo máximo de cuarenta y ocho (48) horas contadas a partir de la recepción de la presente comunicación, a fin de que se acredite el cumplimiento de lo requerido.

En caso de incumplimiento, me veré en la obligación de iniciar las acciones legales correspondientes, incluyendo la interposición de acción de tutela por la vulneración de mis derechos fundamentales, así como las actuaciones administrativas ante la Superintendencia de Industria y Comercio y las acciones penales a que haya lugar.La presente comunicación se entiende como requerimiento previo formal.

Cordialmente,

J.R.”

Second Response from Javier Ruiz to Bellingcat’s Queries

[May 7, 2026]

In English

“SUBJECT: FORMAL REQUEST FOR CESSATION AND WITHDRAWAL – NOTIFICATION OF VIOLATION OF FUNDAMENTAL RIGHTS AND DATA PROTECTION REGIME (LAW 1581 OF 2012)

In my capacity as a fully identified [Colombian] citizen and exercising my legal rights as the owner of personal data, I hereby submit this prior and peremptory request based on the following factual and legal grounds:

1. Lack of Consent and Legal Basis:

The unauthorised use of my name, image, and biographical information has been established within the framework of your informational activities. I declare that there has been no prior, express, informed, or qualified authorisation for the processing of said data, contravening the principle of legality and purpose established in Article 4 of Law 1581 of 2012.

2. Autonomy of the Right to One’s Own Image (Judgment T-040 of 2013): I hereby notify you that, in accordance with the jurisprudence of the Constitutional Court in its Judgment T-040 of 2013, the right to one’s own image is an autonomous and independent right. Therefore, the capture, use, or dissemination of my image and name requires my express consent, and journalistic practice does not grant an open licence for its exploitation without prior authorisation, especially when there is no public interest that proportionally justifies it.

3. Violation of Fundamental Rights:

Your actions constitute an arbitrary interference that affects my right to Habeas Data, my right to a good name (Art. 15 of the Colombian Penal Code), and, specifically, my right to my own image. According to the jurisprudence of the Honourable Constitutional Court, the use of a person’s image without their consent constitutes an overreach of journalistic practice that is not protected by freedom of information when it affects the private sphere.

4. Criminal and Administrative Liability: I hereby warn you that the processing of personal data without proper authorisation could constitute the conduct defined in Article 269F of the Colombian Penal Code (Violation of Personal Data), in addition to the fines imposed by the Superintendency of Industry and Commerce (SIC) for non-compliance with data protection regulations. 

LEGAL CLAIMS:

• IMMEDIATE CESSATION: The suspension of any act of processing, restricted circulation, or dissemination of my identity, image, or sensitive data.

• PERMANENT DELETION: The removal of any record from your databases or digital platforms containing information whose collection has not been authorised.

• TRACEABILITY REPORT: Submission of certification detailing the origin of my data and the identification of third parties to whom it has been transferred or transmitted.

TERM AND WARNING: You have a non-extendable term of forty-eight (48) hours to demonstrate compliance with the requests made herein. Silence or a negative response will authorise the initiation of a tutela action for the immediate protection of my fundamental rights, as well as the corresponding Administrative Complaint before the Office of the Superintendent Delegate for the Protection of Personal Data of the Superintendency of Industry and Commerce (SIC) and criminal proceedings before the Office of the Attorney General of Colombia.

1) Freedom of expression cannot infringe upon the right to privacy and honour.

2) The right to receive information, or rather, to inform, cannot supersede the duty not to disseminate defamatory information about a person or organisation.

3) A request for information from an independent, foreign media outlet cannot be based on erroneous presumptions regarding rulings, orders, and precedents pertaining to the Colombian judicial system. I thank you in advance for your attention, but I wish to clarify that I do not desire any response, understanding that you are complying with the order I have given and established.”

In Spanish (Original)

“ASUNTO: REQUERIMIENTO FORMAL DE CESE Y DESISTIMIENTO – NOTIFICACIÓN DE VULNERACIÓN DE DERECHOS FUNDAMENTALES Y RÉGIMEN DE PROTECCIÓN DE DATOS (LEY 1581 DE 2012)

En mi condición de ciudadano(a) plenamente identificado(a) y en ejercicio de mis facultades legales como titular de datos personales, presento ante ustedes este requerimiento previo y perentorio con base en los siguientes fundamentos de hecho y de derecho:

1. Ausencia de Consentimiento y Base Legal:

Se ha evidenciado el uso no autorizado de mi nombre, imagen y antecedentes biográficos en el marco de su actividad informativa. Manifiesto que no ha mediado autorización previa, expresa, informada ni calificada para el tratamiento de dichos datos, contraviniendo el principio de legalidad y finalidad establecido en el Artículo 4 de la Ley 1581 de 2012.

2. Autonomía del Derecho a la Propia Imagen (Sentencia T-040 de 2013):

Les notifico que, conforme a la jurisprudencia de la Corte Constitucional en su Sentencia T-040 de 2013, el derecho a la propia imagen es un derecho autónomo e independiente. Por tanto, la captura, uso o difusión de mi imagen y nombre requiere de mi consentimiento expreso, sin que el ejercicio periodístico otorgue una licencia abierta para su explotación sin autorización previa, especialmente cuando no existe un interés público que lo justifique de manera proporcional.

3. Vulneración de Derechos de Carácter Fundamental:

Su actuación constituye una injerencia arbitraria que afecta mi derecho al Habeas Data, al Buen Nombre (Art. 15 C.P.) y, de manera específica, al Derecho a la Propia Imagen. Según la jurisprudencia de la Honorable Corte Constitucional, el uso de la imagen de una persona sin su anuencia es una extralimitación del ejercicio periodístico que no encuentra amparo en la libertad de información cuando se afecta la esfera privada.

4. Responsabilidad Penal y Administrativa:

Les advierto que el tratamiento de datos personales sin la debida autorización podría configurar la conducta tipificada en el Artículo 269F del Código Penal Colombiano (Violación de datos personales), además de las sanciones pecuniarias que la Superintendencia de Industria y Comercio (SIC) impone por el incumplimiento del régimen de protección de datos.

PRETENSIONES LEGALES:

• CESE INMEDIATO: La suspensión de cualquier acto de tratamiento, circulación restringida o difusión de mi identidad, imagen o datos sensibles.

• SUPRESIÓN DEFINITIVA: La eliminación de cualquier registro en sus bases de datos o plataformas digitales que contenga información cuya recolección no haya sido autorizada.

• INFORME DE TRAZABILIDAD: Remitir certificación detallando el origen de mis datos y la identificación de terceros a quienes les hayan sido transferidos o transmitidos.

TÉRMINO Y ADVERTENCIA:

Cuentan con un término improrrogable de cuarenta y ocho (48) horas para acreditar el cumplimiento de lo aquí solicitado. El silencio o la respuesta negativa facultará el inicio de la Acción de Tutela para la protección inmediata de mis derechos fundamentales, así como la respectiva Denuncia Administrativa ante la Delegatura para la Protección de Datos Personales de la SIC y las acciones penales ante la Fiscalía General de la Nación.

1) La libertad de expresión no puede coartar el derecho a la privacidad y a la honra. 

2)El derecho a recibir información o más bien; a informar no puede supeditar el deber de no difundir información calumniosa sobre una persona u organización 

3) Un requerimiento de información por un medio independiente y extranjero no puede basarse en presunciones erróneas sobre sentencias, órdenes y antecedentes correspondientes al sistema judicial colombiano

De ante mano agradezco la atención prestada, sin antes aclarar que no deseo respuesta alguna, teniendo claro que acatan la orden dada y establecida de mi parte.”

---

Carlos Gonzales and Pooja Chaudhuri contributed research to this piece.

Bellingcat is a non-profit and the ability to carry out our work is dependent on the kind support of individual donors. If you would like to support our work, you can do so here. You can also subscribe to our Patreon channel here. Subscribe to our Newsletter and follow us on Bluesky here, Instagram here, Reddit here and YouTube here.

The post Unearthing a Colombian Politician’s Connections to Neo-Nazi Active Club Group appeared first on bellingcat.

Bellingcat has identified at least 80 police stations or infrastructure related to law enforcement agencies and the Basij paramilitary group that has been damaged or destroyed in the first three weeks of the United States and Israel’s war against Iran. Experts told Bellingcat that both countries aim to degrade the Iranian regime’s “repressive capacity”.

Combined, the US and Israel have conducted thousands of strikes during the course of the 2026 war in Iran. Targets range from Islamic Revolutionary Guard Corps (IRGC) sites, Navy vessels to Iranian weapons manufacturers.

In early March, a Bellingcat analysis using satellite imagery and available photos and videos identified police stations as another apparent target, with at least 15 damaged or destroyed in the capital, Tehran.

We also identified multiple strikes against police infrastructure in the country’s north and west; these areas were targeted by the Israel Defence Forces according to a map released by the IDF on March 31.

“We are providing the brave people of Iran with the conditions to take their destiny into their own hands,” declared the Israeli Ministry of Foreign Affairs official X account, along with a photo of a destroyed police station.

اینجا کلانتری ۱۲۱ سلیمانیه در خیابان نبرد تهران بود.

ما شرایطی را برای مردم شجاع ایران فراهم می‌کنیم تا سرنوشت خود را در دست بگیرند. pic.twitter.com/VSm6YVvIwZ

— اسرائیل به فارسی (@IsraelPersian) March 5, 2026

In all, the majority of strikes Bellingcat analysed focused on police stations (30 incidents) and command centers or headquarters (29 incidents). Locations also include sites related to Basij, a plainclothes paramilitary organisation (9) affiliated with the IRGC that were “involved in the deadly crackdown” of protests in January 2026, others are associated with special forces (3) and traffic (2) or diplomatic (2) police compounds.

Due to commercial satellite companies limiting access to imagery over Iran and neighbouring countries we relied on Sentinel-2 imagery data to help verify the incidents, as well as videos and photos, some of which were also verified by independent geolocators and contributors to the Geoconfirmed volunteer community and confirmed by Bellingcat researchers. 

Location data was partly determined using open source mapping data either from Wikimapia, OpenStreetMap or Google Maps. When video footage or photos were available for incidents reportedly targeting police stations, the location was verified with geolocation and satellite imagery analysis using either Planet Labs medium resolution PlanetScope data (restricted to imagery collected by March 9) or low resolution Sentinel-2 data.

Some locations were discovered utilising location data taken from OpenStreetMap using Overpass Turbo and comparing that with available Sentinel-2 data throughout Iran.

Map showing geolocated incidents in Iran. Click the markers to view the coordinates, sources, and verification notes. Map: Bellingcat/Miguel Ramalho

A Problem of Scale

Israel has released multiple videos showing the targeting of bases and checkpoints belonging to the Basij. In mid-March, the IDF announced the killing of the paramilitary group’s commander, Gholamreza Soleimani. 

Targeting the Basij is part of Israel’s and the US’ agenda “to degrade the regime’s repressive capacity,” Ali Vaez, the director of International Crisis Group Iran Project, told Bellingcat. Police stations are “not involved in repression in the way that crowd control police or Basij centers are”, so targeting them “appears more aimed at preventing the Islamic Republic from being able to maintain control internally,” he said.

Vaez told Bellingcat that, when considered alongside the broader range of targets, including industrial factories, the widespread targeting of police stations is part of a strategy “to make Iran ungovernable for the existing regime or whatever comes after”. 

Vaez was skeptical about the short term effects: “It’s a problem of scale. Iran is such a large country, even if you are able to completely destroy, not just degrade, the capacity of the regime in policing, oppressing, etc – it really requires not just maybe weeks but maybe months if not years.”

The Risk of Civilian Casualties

As of April 7, the Iranian Human Rights Activists News Agency estimates there’ve been more than 1,700 civilian fatalities during the war. 

Several police stations are situated in densely populated urban areas such as Tehran. Stations are used by civilians for various reasons including renewing driving licences, so if these buildings are targeted “during working hours and not in the middle of the night then risk is higher for these people,” Vaez said.

Map showing geolocated incidents in Tehran. Click the markers to view the coordinates, sources, and verification notes. Map: Bellingcat/Miguel Ramalho

A recent joint Airwars, Center for Civilians in Conflict and Human Rights Activists in Iran report detailing the first month of civilian casualties included a section on the worsening situation for detainees in Iranian prisons — including police stations that have been targeted. 

“I was detained in the holding cell of [Police Station 148] for ten days, along with four other activists. Now it looks like nothing is left of that station but ruins. I can’t even recognize where the detention area was. I keep wondering what happened to the people who were being held there during the attack. – Activist, told HRA upon seeing photos of the police station after recent US/Israeli airstrikes.”

Footage shared and geolocated by the BBC’s Shayan Sardarizadeh showed Police Station 148 damaged after an apparent strike in mid-March.

The main building of Tehran’s 148 police station and its courtyard, located on Enghelab Street, has been severely damaged in air strikes conducted on Friday.

The adjacent Hamoon Theatre also sustained some damage.

Video: @Vahid

Location: 35.700812, 51.402163@GeoConfirmed pic.twitter.com/9sdOtHd2XN

— Shayan Sardarizadeh (@Shayan86) March 14, 2026

One destroyed police station identified by Bellingcat in the city of Mahabad in northwestern Iran led to apparent damage to an Iranian Red Crescent Society building located next door. According to Iran’s Tasnim News agency (an IRGC-affiliated media outlet sanctioned by the EU, the US and Canada), one Red Crescent employee was injured in the attack.

The police station adjacent to the Red Crescent building isn’t identified on any mapping services, though there are reports “Police Station 11” was targeted the same day.

Israel has also targeted checkpoints operated by Basij members.

Bellingcat examined two cases showing Israeli strikes on checkpoints while civilians were passing. In one video, a strike hits a checkpoint as five motorbikes and a vehicle go by.

In another IDF video, a yellow bus is immediately adjacent to the checkpoint when it is hit. It is unclear how many people were on the bus at the time of the strike or if anyone was injured.

According to the Open Source Munitions Portal (OSMP), Israeli drones commonly employ the Mikholit bomb. A variant of this bomb has 890 grams of explosives, an amount that creates hazardous fragmentation up to 104 meters away. 

“I have been watching the reporting on these Basij strikes and the use of the Mikholit in particular in open urban areas. It is IDF standard—using precision munitions and even sometimes “low collateral” munitions but in a reckless manner that still puts the civilian population at risk,” Wes J. Bryant, a defence and national security analyst formerly with the Pentagon’s Civilian Protection Center of Excellence told Bellingcat.

Questions Over Legality

International Humanitarian Law defines civilians as “persons who are not members of the armed forces”. Police officers fall under that definition, according to Adil Haque, Professor of Law at Rutgers University and Executive Editor at Just Security.  “As a rule, police are civilians and may not be attacked unless they take a direct part in hostilities,” Haque told Bellingcat. National security analyst Bryant agreed, adding that targeting police “does not stand up to legal scrutiny”.

In an email to Bellingcat, the IDF noted “that the police form part of Iran’s internal security apparatus, which also forms part of Iran’s armed forces, under Iran’s own domestic legislation. In every strike, the IDF takes feasible precautions in order to mitigate incidental harm to civilians and civilian objects to the extent possible under the circumstances.”

Police are indeed “part of the country’s armed forces. By that logic, anything with a flag on it is a legitimate target,” Ali Vaez, the director of International Crisis Group Iran Project, said.

Although Basij is a paramilitary group, any strikes against it would require precautions to minimise harm to civilians, Haque told Bellingcat. “Since the hostilities almost entirely involve aerial bombardment, the concrete and direct military advantage anticipated from strikes on Basij members who qualify as combatants is extremely low, so significant harm to nearby civilians would be disproportionate and illegal,” he said.

When asked about potential civilian casualties in the checkpoint strikes, the IDF told Bellingcat that since the Basij are subordinate to the IRGC and are therefore part of the armed forces, they are regarded as lawful military targets. Regarding the checkpoint strikes specifically, they stated “precision munitions and surveillance means were used in the strikes, as part of the precautions taken under the circumstances to mitigate expected incidental harm”.

Bellingcat reached out to US Central Command (CENTCOM) to ask if the US had any role in the police station strikes identified but received no official comment at the time of publication. 

The data collected so far for these sites can be found here.

---

Miguel Ramalho and Felix Matteo Lommerse contributed to this report.

Bellingcat is a non-profit and the ability to carry out our work is dependent on the kind support of individual donors. If you would like to support our work, you can do so here. You can also subscribe to our Patreon channel here. Subscribe to our Newsletter and follow us on Bluesky here, Instagram here, Reddit here and YouTube here.

The post “Make Iran Ungovernable” – Tracking Efforts To Destroy Iran’s Police Infrastructure appeared first on bellingcat.

The challenges of conducting open-source research in China are well-documented. Consistently named one of the most digitally oppressive countries in the world, China blocks some of the world’s largest social media platforms, such as Facebook, Google, and YouTube. Those that are still accessible are mostly Chinese-owned, strictly regulated and monitored in real time by AI systems as well as tens of thousands of “internet police”. 

But despite these strict controls, Chinese apps – which boast more than a billion estimated users – remain an information goldmine for investigative journalists covering stories both within and outside China.

Since most foreign sites are banned, Chinese platforms are the largest resource available to journalists and researchers interested in what’s going on in the world’s second-most populous country. Even when a topic is being censored, patterns in the censorship can themselves serve as investigative leads: a 2020 BuzzFeed News investigation, for example, mapped out detention camps in Xinjiang by examining areas that had been blanked out on China’s Baidu Maps.

With millions of Chinese people living overseas, social media activity by members of the diaspora can also turn into global stories.

Serial rapist Zou Zhenhao, a Chinese PhD student, was jailed in London last year after one of his victims posted a warning on Xiaohongshu, also known as Little Red Book or Rednote, an app popular with young Chinese women living abroad. Another woman Zou had raped reached out to the original poster, who put her in touch with the police – leading to the conviction of a man described by police as possibly one of the worst sexual predators in British history.

Founded in 2013 as a Hong Kong shopping guide, Xiaohongshu has evolved into a lifestyle and e-commerce platform that has been compared with Instagram, Pinterest and Amazon. Last year, it reported about 300 million monthly active users, rivalling some of China’s largest social media platforms.

The app’s 600 million daily searches by the end of 2024 also accounted for half of market leader Baidu’s search volume, demonstrating that it is emerging as a critical search and discovery engine, not just a social platform.

Although primarily a Chinese-language app, Xiaohongshu gained attention in the English-speaking world last year, when millions of American TikTok users flocked to the platform in anticipation of a TikTok ban under US President Donald Trump. 

Responding to the surge of international users – sparked by the #TikTokRefugees trend – Xiaohongshu rolled out an AI-powered translation feature, making the app more accessible to non-Chinese audiences. This also meant that journalists without Chinese language skills can more easily communicate on and navigate the platform.

Despite its growing popularity both within and outside China, the app is relatively new and underexplored compared to more well-established platforms such as Weibo. 

This guide aims to provide a starting point for those looking to explore Xiaohongshu for open-source investigations, including an overview of its main user demographics, potential topics to explore and strategic search methods specific to the app. 

User Demographics and Topics

According to Xiaohongshu’s official data, the platform’s demographic profile is mainly young, female and urban. As of 2024, 70 percent of its users were women, with half of all users belonging to Gen Z and living in China’s largest cities. 

As previously mentioned, the app has also gained popularity with the Chinese diaspora. Many Chinese nationals living abroad use it as a search engine for local information, posting and searching for content related to their daily lives, from restaurant recommendations and apartment hunting to navigating foreign bureaucracies and finding community resources. 

This demographic profile makes Xiaohongshu particularly well-suited for investigating stories about consumer fraud and urban livability issues. For example, Chinese outlets like Jiemian have used Xiaohongshu posts to expose the grey-market ecosystem of paid reviews and fake endorsements tied to the platform’s e-commerce model, while in 2022, International Financial News traced a mother-and-baby store scam that defrauded over 400 parents back to product recommendation posts on the platform.

Given its predominantly female user base, Xiaohongshu has also evolved into one of China’s most important spaces for feminist discourse and women’s issues. Academic researchers have used content on the platform to analyse local discussions on menstrual shaming, sexual harassment, and the controversial “divorce cooling-off period” introduced in 2021. As Rest of World reported, women have increasingly congregated on Xiaohongshu, where they outnumber male users and have found ways to trick the app’s recommendation algorithm so their posts are shown mostly to other women.

The Relevance of Censorship

Political content and current affairs about China are largely absent from the app – a result of both active censorship and platform design. 

All Chinese social media platforms, including Xiaohongshu, operate under strict content moderation requirements from the Cyberspace Administration of China. A leaked 143-page internal document published by China Digital Times in 2022 revealed how Xiaohongshu censors respond to government directives in “real-time”, blocking content related to politically sensitive topics such as criticism of the Chinese Communist Party, labour strikes and student suicides. Xiaohongshu’s commercial focus also makes it less likely that these topics would be discussed on the platform: as Rest of World reported, the platform functions less like Weibo – a public square for current events – and more like “a giant mall, where shoppers tell each other what to buy”.

Coverage of international affairs is also tightly controlled: only state-owned or state-controlled news organisations can obtain licences to publish original news content. However, content about life abroad, particularly stories about the cost of living, healthcare, or social problems in Western countries, circulates more freely on platforms including Xiaohongshu, and provide journalists with insight into how Chinese diaspora communities engage with local political systems. 

For example, when the 2025 Miss Finland was accused of making anti-Asian gestures, searching for “芬兰小姐” (Miss Finland) and “投诉” (complaint) on Xiaohongshu revealed a trove of collective action: users shared different complaint pathways, posted templates for filing reports, and documented various outcomes from their complaints. 

For such large-scale public events, Xiaohongshu can be both an organising platform and a rich source for tracking how diaspora communities coordinate responses to discrimination, providing journalists with insight into grassroots activism and transnational advocacy networks.

Getting Started

Xiaohongshu is available for download on both Apple’s App Store and Google Play worldwide, or can be accessed via a web browser. In international app stores, the app appears under the name “RedNote,” but this is the same application as Xiaohongshu – content and accounts are shared across both. The key difference is that RedNote users who register with overseas phone numbers are automatically tagged as international users, which affects the content the algorithm surfaces to them.

For users who download the app outside mainland China, Xiaohongshu automatically detects the device language and location. Upon first login, international users are prompted with an option to automatically translate all content into English (or their device language). If enabled, posts and comments will display with translations by default, and the algorithm will prioritise English-language content and posts created by or for international users, such as expat influencers.

For researchers and journalists seeking to observe the platform as Chinese users experience it, consider disabling automatic translation. This allows you to see content as it natively appears and helps you distinguish between posts created for international audiences versus those created for domestic users – a distinction that matters when assessing how representative your sample is for the relevant topic.

The default home feed, or the “Explore” tab, is where the algorithm surfaces content based on your engagement history, location and user profile. The feed uses a grid layout displaying post thumbnails with titles and like counts.

On the top right corner of the screen, the search bar also allows keyword searches across posts, users and topics. Results can be filtered by content type (e.g. notes, videos, users or products) and sorted by relevance or recency.

Using the Search Bar

Xiaohongshu’s search function is relatively basic. You can search by keywords and filter by time and location, but the options are general: time filters include “past day,” “past week,” or “past six months,” while location filters offer “same city” or “nearby”. 

For example, searching “Canada” returns posts tagged with that keyword, which you can then sort by recency or proximity. 

For breaking news events, try searching location names or names of individuals involved in the incident, filtering for the most recent posts to capture real-time reactions and on-the-ground accounts before they’re censored or deleted.

Xiaohongshu primarily uses algorithms to curate and push content through personalised feeds. For journalists using Xiaohongshu for investigative purposes, it can be useful to actively search for topics of interest to train your algorithm – the more you search and engage with specific content, the more relevant posts the algorithm will surface to you.

However, if you are researching the platform itself – studying what content Xiaohongshu promotes, how censorship operates, or what narratives dominate – you may want to start from a clean slate. In that case, consider periodically turning off personalised recommendations (Settings → Privacy Settings → Personalisation Options), clearing your browsing history, clearing cached data, or using a fresh account to observe what the platform shows to a “neutral” user.

Language and Lingo

During the influx of “TikTok refugees” in January 2025, Xiaohongshu launched a translation feature for users outside mainland China, enabling the automatic translation of comments and posts. 

However, this does not translate search queries. The platform’s search engine is still optimised for Chinese, though there is a “prioritise English” filter for overseas users, and searching in English will return some results.

But the language you search in shapes far more than just your results – it determines which version of the platform you see. When you search in English or use an international account, the algorithm treats you as a foreign user and surfaces content accordingly: influencers explaining why they love living in China, comparisons showing Chinese life favourably against the West. 

This isn’t a neutral cross-section of the platform – it is a curated bubble. To access what Chinese users actually discuss among themselves, it would be more effective to search in simplified Chinese and, ideally, use a China-registered account if you have access to one. If you don’t read Chinese, you can also consider using a translation tool (Google Translate, DeepL, or an AI assistant) to convert your search terms into simplified Chinese before entering them.

Despite such tools and the in-app translation feature, it is always useful when researching using Chinese platforms to work with a native speaker familiar with the local context. They can flag when an innocuous-seeming term actually carries hidden meaning, and help identify coded conversations about a censored topic.

On Xiaohongshu specifically, this coded language extends beyond political topics to include anything the platform’s algorithm might flag as “vulgar” or promotional. For example, users substitute fruits and neutral terms for body parts or sexual content to avoid being flagged as inappropriate – the peach emoji for buttocks, or 炒菜 (“cooking”) for explicit material. They may also use abbreviations and emojis for commercial terms to evade anti-marketing filters, such as “vx” (the abbreviation of how WeChat is pronounced in Chinese) or “绿” (“plus green”, apparently referring to WeChat’s green logo) for WeChat, or “米” (rice) or the moneybag emoji for money.

Advanced Search Strategies

For more sophisticated searching, consider using third-party marketing analytics tools like Xinhong and Qiangu, which can show trending topics, popular posts and engagement metrics, as well as identify key content creators posting about specific subjects. 

For example, on Xinhong, when you search for “Canada” in Chinese, it also shows show trending related searches such as “加拿大总理” (Canadian Prime Minister). Clicking through these suggestions leads to recent posts—for example, posts about Mark Carney’s latest statements at Davos, along with user comments and reactions.

While these tools are designed for marketers, they provide journalists with valuable capabilities: tracking how topics evolve, identifying influential voices in specific communities, and discovering related hashtags or discussions that might not surface through basic platform search. These tools often require paid subscriptions but can significantly enhance research efficiency for long-term investigations.

Another valuable feature is Xiaohongshu’s group chat function, where users gather around shared keywords and topics—from city-specific communities to niche interests. These groups are often highly active and provide access to candid community discussions that don’t appear in public posts. To find relevant groups, go to Messages → Group Square, where you can browse categories or search by keyword and request to join.

Monitoring active group chats related to relevant topics, whether that’s a specific city, industry, or issue, can help journalists and researchers stay updated on emerging issues and detect potential story leads before they become widely visible on public feeds.

Preserving the Evidence

Chinese social media content can disappear quickly and without warning due to censorship, making immediate preservation critical. 

Always take two preservation steps immediately upon discovering relevant content:

First, screenshot the entire post, including the URL, timestamp, username, like/comment counts, and location tags. These metrics establish context and authenticity. Use tools that capture full-page screenshots rather than just visible portions, as posts can be long and comments extensive. Second, archive the web page using services like archive.today or Wayback Machine. Note that these services capture only static content – comments and engagement metrics may not be fully preserved and should be screenshotted separately.

For Xiaohongshu specifically, always preserve the user’s unique ID found in their profile URL when viewed on a browser, which follows the format “user/profile/[unique ID]”. Users can change their display names, but this unique identifier remains constant, allowing you to track accounts over time even after name changes. This is critical for long-term investigations or when monitoring specific sources.

Xiaohongshu operates under the same legal and censorship constraints as all Chinese social media platforms, and researchers should approach it with appropriate caution. Content moderation is extensive: users who post about sensitive subjects risk having their content removed or their accounts suspended, and the platform is required to comply with government data requests. For researchers, this means the information you find represents only what has survived the censorship process.

That said, Xiaohongshu remains a remarkably rich resource for open-source research. Its strength lies precisely in its apolitical, lifestyle-oriented identity: while political discussion is suppressed, candid conversations about everyday life flourish. For journalists willing to invest in learning the platform’s rhythms, building Chinese-language search skills, and understanding its coded vocabularies, Xiaohongshu offers a window into how ordinary Chinese people talk among themselves – an area that remains largely untapped by international media.

---

Bellingcat is a non-profit and the ability to carry out our work is dependent on the kind support of individual donors. If you would like to support our work, you can do so here. You can also subscribe to our Patreon channel here. Subscribe to our Newsletter and follow us on Bluesky here, Instagram here, Reddit here and YouTube here.

The post Mining China’s ‘Little Red Book’ for Open Source Gold appeared first on bellingcat.

This article is the result of a collaboration with Indian media outlet Newslaundry. You can find Newslaundry’s editorially independent coverage here.

Indian companies have shipped more than 320 million synthetic opioid pills to West Africa – where they have not been approved by regulators – over the past three years, a Bellingcat investigation has found.

Export records from trade data provider 52wmb show that more than 1,400 consignments of tapentadol worth almost USD $130 million were sent from India to West Africa between January 2023 and December 2025.

Tapentadol, a painkiller two to three times more potent than tramadol, has not been approved for use in most West African countries, where some nations are grappling with an escalating opioid abuse epidemic.

However, this investigation shows that dozens of Indian suppliers have flooded the region with tapentadol over the past three years. Where dosages were listed, more than half the pills were in powerful strengths of 200mg or more – dosages that are not even approved in India.

The exports, cross-checked against records provided by trade data aggregator ImportGenius, show most tapentadol pills sent between 2023 and 2025 had the coastal nations of Sierra Leone and Ghana listed as their declared destinations.

The two West African countries were collectively marked as the destination for more than 80 per cent of the total value of tapentadol sent to the region.

Experts have documented how drug traffickers adapt quickly to international regulations and law enforcement efforts. In 2018, India tightened export controls around the opioid tramadol, one of the most trafficked synthetic drugs to West Africa.

In 2021, the International Narcotics Control Board (INCB) said large-scale tapentadol trafficking had been identified, particularly in consignments destined for Africa. It had previously noted that India’s strengthened tramadol controls could lead traffickers to substitute the drug with other potent synthetic opioids.

A BBC investigation last year revealed that Indian company Aveo Pharmaceuticals was illegally exporting tablets containing a mix of tapentadol and the muscle relaxant carisoprodol to West Africa. This led India’s drug regulator, the Central Drugs Standard Control Organisation (CDSCO), to ban the manufacture and export of all combinations of the two drugs.

Bellingcat’s investigation, in collaboration with Indian publishing partner Newslaundry, reveals that the supply of tapentadol pills from India to West Africa has surged in recent years.

Export data from 52wmb shows the value of tapentadol sent to the region has risen from about USD $27 million in the three year period from 2020 to 2022, to almost USD $130 million from 2023 to 2025.

Julius Maada Bio, Sierra Leone’s president, in 2024 declared a national emergency over rampant drug abuse and branded kush – a toxic blend of psychoactive substances including cannabis and synthetic opioids – a “death trap”.

Authorities in Sierra Leone have intercepted illegal tapentadol, including last July when the National Revenue Authority (NRA) said it thwarted a smuggling operation near its north-west border with Guinea.

The NRA and other agencies including the Transnational Organised Crime Unit, National Drug Law Enforcement Agency, and the Pharmacy Board of Sierra Leone did not respond to Bellingcat’s requests for comment.

Ghana’s Narcotics Control Commission (NACOC) said the illegal importation of tapentadol was first recorded in 2022 after international efforts to curb the tramadol crisis resulted in criminal networks shifting production to other pharmaceutical opioids including tapentadol, tafrodol and carisoprodol.

The agency has recorded a “steady rise” in tapentadol trafficking over the past three years, with authorities seizing more than 3.7 million tablets (250mg strength). Most were traced back to India, it said.

“NACOC investigations confirm that the bulk of tapentadol is trafficked into Ghana through seaports and by air, via express courier services,” a spokesperson said. “At the ports, the drug is concealed in containerized cargo falsely declared as pharmaceuticals, electrical materials or household goods. Express courier services are used for smaller, high-value quantities, often packed alongside legitimate consignments to avoid detection.”

NACOC said Ghana had emerged as both a destination and transit hub for tapentadol, with the majority of intercepted consignments bound for Niger, Mali, Burkina Faso and Nigeria. When sold domestically, it said the street drug was promoted as a tramadol substitute.

Ghana’s Food and Drugs Authority (FDA) said last year that the abuse of pharmaceutical opioids such as tapentadol — commonly known on the street as “Red” — was on the rise.

The FDA told Bellingcat it had “never issued any permit” for the manufacture or importation of tapentadol, in any strength, to any importer or to any country. It said any tapentadol shipments to Ghana were for “trans-shipment to neighbouring country”.

Import data for Ghana shows that no tapentadol entered the country between 2023 and 2025, which supports NACOC’s position that the drugs are being concealed and falsely declared. Import data for Sierra Leone was not available through 52wmb.

India’s drug and pharmaceutical exports have grown to more than $30 billion a year, according to the Pharmaceuticals Export Promotion Council of India (Pharmexcil), a division of the ministry of commerce and industry.

While tapentadol is available in India on prescription in strengths of up to 100mg (immediate release) and 200mg (extended release), authorities are aware of its risk of misuse. Last year, the Indian drug regulator’s Technical Advisory Board said the Department of Revenue may be requested to schedule the painkiller under the Narcotic Drugs and Psychotropic Substances Act, which would tighten rules around its export.

To export pharmaceutical products at strengths that are not approved in India, exporters are required to obtain an export “no objection certificate” (NOC) from the CDSCO, for which they have to submit proof of the drug’s approval in the importing country. Publicly available information shows tapentadol is not approved for use in any of the West African nations identified as part of this investigation.

The CDSCO did not respond to questions from Bellingcat or our publishing partner, Newslaundry.

In response to “Right to Information” requests submitted by Newslaundry, the CDSCO said only two companies had been granted authorisation to manufacture tapentadol for export between 2019 and 2024. However, the trade data analysed by Bellingcat did not list either company as an exporter of tapentadol to West Africa.

The CDSCO also said it had issued export NOCs for tapentadol to 51 companies since 2024, but that these were not for export to West African countries.

Meanwhile, Bellingcat’s analysis of trade data shows that more than 60 Indian suppliers have exported tapentadol to West Africa since 2023. The exporters are mostly pharmaceutical companies but also include smaller operations, such as one company owned by a Nigerian man who sent more than US $4 million of tapentadol to Niger and Ghana.

Dinesh Thakur, co-author of the book Truth Pill, told Newslaundry there were gaps in India’s drug regulatory framework that made it possible for potentially unsafe medicines to be manufactured and exported without proper oversight.

“There is no regulatory framework which checks a genuine importer and counterfeit importer between countries,” said Thakur, a former pharmaceutical executive who now works as a public health activist.

Mohammed Adinoyi Usman, a consultant anaesthetist at Rasheed Shekoni Federal University Teaching Hospital in Nigeria, said tackling Africa’s opioid crisis was complicated by a lack of resources across the region, weak government responses, and inaction by law enforcement agencies.

He said more collaboration and intelligence sharing was needed, especially across West African countries, to combat the problem. “We see so many opioids coming into our region because of a range of factors including under-funded institutions like customs and drug agencies, weak border controls and corruption,” he said.

“Africa is different. Even southern Africa is different from western Africa – each region has its peculiarities. In Nigeria, we don’t have well-functioning institutions to help control it. But our government is trying.”

Dr Usman said access to prescription opioids in Africa was inadequate, and pointed to research showing the disparity in distribution of legal opioids to low-income countries compared to high-income nations that consume the bulk of the world’s pain relief medication. He said opioid abuse was linked to crime and negative health outcomes.

“Sadly, access to prescription opioids is very limited in Africa,” Dr Usman said, “but the costs of illegal use are high.”

---

Bellingcat is a non-profit and the ability to carry out our work is dependent on the kind support of individual donors. If you would like to support our work, you can do so here. You can also subscribe to our Patreon channel here. Subscribe to our Newsletter and follow us on Bluesky here, Instagram here, Reddit here and YouTube here.

The post Painkiller Pipeline: 300 Million Tapentadol Pills Sent from India to West Africa appeared first on bellingcat.

Almost 800 Hungarian government email addresses and associated passwords are circulating online, revealing basic vulnerabilities in the security protocols of ministries involved in classified and sensitive work.

A Bellingcat analysis of breach data shows that 12 out of the government’s 13 ministries have been affected, which in some cases have exposed the confidential information of military personnel and civil servants posted abroad. 

Among those affected were a senior military officer responsible for information security, a counter terrorism coordinator in the foreign affairs department, and an employee whose role was to identify hybrid threats against the country.

The revelations come as Hungarians head to the polls this Sunday to decide if Viktor Orbán, leader of the right-wing populist party Fidesz and the country’s longest-serving prime minister, will be elected to a fifth consecutive term.

This is not the first time that deficiencies in the Hungarian government’s IT security have been revealed. In 2022, ahead of Hungary’s last election, Direkt36 reported that Russia’s intelligence services had gained access to the computer network of the Hungarian foreign ministry, including its internal communications channels.

It said Russian cyber attacks against the Hungarian government had been occurring for at least a decade and extended to the foreign ministry’s encrypted network for transmitting classified data and confidential diplomatic documents.

At the time, the foreign ministry denied it had been hacked. But in 2024, news outlet 444 published a letter that had been sent from Hungary’s National Security Service to the foreign ministry six months before the cyberattack was first reported. The letter linked the attacks to Russia and described more than 4,000 workstations and 930 servers as “unreliable”.

As part of this new analysis, Bellingcat identified a total of 795 unique email and password combinations among thousands of search results for Hungarian government domains in breach databases. Key departments that handle the country’s governance, defence, foreign affairs and finances were the worst affected.

The analysis does not include central government agencies that operate under the government’s official ministries and use separate domains, such as the tax and customs administration or the police – meaning breaches affecting government employees could be even more widespread.

The findings are not evidence of high-tech infiltration of Hungarian government systems. Instead, our analysis indicates that the breaches are more likely the result of poor digital hygiene. In many cases, staff used simple passwords along with their government email addresses for what appear to be non-work-related matters, such as signing up to dating, music, sport and food websites.

Some government workers used easy-to-guess passwords such as variations of the word “Password” or the number sequence “1234567”. One employee whose credentials were exposed in the 2012 LinkedIn hack used the password “linkedinlinkedin”. Another, in the defence ministry, used their surname. One leaked password from an employee in the foreign affairs ministry was “embassy13hungary”. 

Multiple breaches also contained phone numbers, addresses, dates of birth, usernames and IP addresses – data that, when exposed, could pose security risks.  

Additionally, a search of breach databases showed instances where computers have been infected with malware designed to steal login credentials. These records show that 97 machines across Hungarian government departments had been compromised, with stealer logs from as recently as last month found in the data.

Bellingcat contacted the Hungarian government’s spokesperson and the Prime Minister’s office, but did not receive a response.

The Weakest Link: Searching Breach Data

Breach databases are large collections of credentials harvested from previous cyber incidents. These databases can be searched by domain to identify email addresses belonging to a specific organisation, company or government. 

Bellingcat used Darkside, a paid service by District 4 Labs, to search the main email domains assigned to each of the Hungarian government’s 13 ministries. 

In total, 795 breaches containing government emails and associated passwords were identified. But most – 641 breaches – were linked to just four central institutions. 

In the examples detailed below, staff have been anonymised. However, Bellingcat has confirmed these accounts are genuine by cross-checking the employees named in the breaches against media reports and online profiles, such as LinkedIn.  

Ministry of Interior – this “super-ministry” oversees everything from health and education to the police, immigration, disaster management and local government 

Bellingcat identified 170 sets of emails and passwords linked to the domain used by the ministry in charge of domestic affairs. Passwords used by staff in this department included “Arsenal” and “Paprika”. Some used passwords that contained only three or four letters. We traced these accounts to professional profiles and government web pages listing both junior and senior staff.

One senior official in the prison service used the password “adolf”. After it appeared in breach databases the password was changed twice – first to a five-digit number and then to what appeared to be the name for a pet dog. The passwords were subsequently breached again. Bellingcat identified this employee through several instances of their name and email address being listed on public-facing documentation, including a press release celebrating an award for outstanding professional work.  

Ministry of Defence – responsible for national defence policy and directing the country’s defence forces

The credentials of staff working for the Ministry of Defence were found in 120 compromised records. This includes a 2023 breach of NATO’s eLearning services which resulted in 42 records containing emails, passwords and phone numbers becoming public.

The breaches peaked in 2021 but continued up to 2026. Included in the data were stealer logs, indicating that machines within the department may have been infected. 

Military personnel from junior ranks to command positions were identified. A Brigadier General used a common six letter nickname, based on his own, to sign up to a film festival. A Colonel specialising in “information security” took inspiration from an English football manager for his password: “FrankLampard”. A district director used the password “123456aA”, while a high-ranking member of Hungary’s delegation to NATO used a password that translates in English to “cute”. 

Ministry of Foreign Affairs and Trade – responsible for international relations, Hungarian embassies and consulates operate under the direction of the department

The credentials of current and former foreign affairs personnel have been exposed in dozens of data breaches from 2011 to February 2026. In total, there were 107 email and password combinations linked to this government ministry. 

Among the staff affected was a deputy head of mission, consuls, diplomats and communications personnel posted in Europe, the Americas and the Middle East. These include a counter terrorism coordinator, an EU spokesperson, and an individual whose role was to identify hybrid threats to Hungary.

Although the breaches peaked in 2020, with emails being found in 42 separate breaches indexed by Darkside, MFA emails have been circulated, often with passwords, in 36 separate breaches since the beginning of 2024. The most recent breaches were in 2026.  

Simple passwords appear to have left Hungary’s foreign affairs ministry vulnerable. In some cases, employees used a password that consisted of their own name and a two digit number. Others appeared to take inspiration from pop culture: “porsche911”, “frogger” and “Batman2013” are examples of real passwords used by staff.

Ministry of National Economy – oversees economic policy and financial strategy, including budget preparation and reducing national debt

Bellingcat’s analysis shows that staff in the Ministry for National Economy suffered 99 breaches. The Ministry of Finance, which was merged into this department in 2025, had suffered 145 breaches.

Among the breached data were the credentials of a deputy state secretary, who used the password “snoopy”. Other staff members used their date of birth or the word “Jelszo” – the Hungarian word for password.

A senior advisor who currently works in the ministry had their credentials breached four times using four different passwords, including “Kurvaanyad1” (roughly translated to “your mother is a wh**e”).

Cybersecurity Not Taken Seriously

Szabolcs Dull, a political analyst and the former editor-in-chief of the independent Hungarian news websites Index and Telex, said the government had failed to prioritise data security. 

“It’s clear from the data breaches that have come to light that government agencies did not take data security seriously,” he said. 

“This suspicion arose even when Russian hackers breached the foreign ministry’s IT system. That is why I believe Hungarian politicians and the public will interpret this new information as a continuation and confirmation of the Russian hacking story.”

Dull added that he was not aware of any investigation having been launched following the 2022 revelations of the Russian hack.

Kata Kincső Bárdos, a cybersecurity expert in Hungary, said it was difficult to understand why stricter controls would not be consistently enforced in government environments handling sensitive data.

She said governments should not only apply baseline rules for passwords – such as that staff use long, unique passwords and multi-factor authentication (MFA) – but also continuously monitor for compromised credentials and suspicious access patterns.

“Without MFA, systems become significantly more vulnerable to common attack methods such as phishing and credential stuffing,” she said. “A single compromised password can provide immediate access to internal systems.” 

Bárdos added that unauthorised access to government systems should automatically trigger incident response procedures, investigation and containment measures.

“It is also important to note that targeting lower-level employees is a well-documented and common tactic,” she said. “Attackers frequently gain initial access through phishing or weak credentials and then move laterally within systems.”

---

Bellingcat’s Ross Higgins and investigative journalist Eva Vajda contributed to this article.

Bellingcat is a non-profit and the ability to carry out our work is dependent on the kind support of individual donors. If you would like to support our work, you can do so here. You can also subscribe to our Patreon channel here. Subscribe to our Newsletter and follow us on Bluesky here, Instagram here, Reddit here and YouTube here.

The post ‘Snoopy’, ‘Adolf’ and ‘Password’: The Hungarian Government Passwords Exposed Online appeared first on bellingcat.