Posts by Admin

social media risk management

Social Risk and Why Businesses Should be Prepared

Teaching businesses to maneuver social media risk management.

Social Media Risk Management is now an ever-growing need that should be implemented in businesses across the globe. Here are a few examples of Social Risk and how to be prepared for it, from tips to training.

Outside Influence affecting Social Risk

Something gets posted you don’t want others to see. Is it a corporate secret, comments of a disgruntled employee or an upset customer because of a lack of customer service? If you don’t already have one, a brief internal social media policy should cover what can and can’t be said along with how it could be said by those inside the organization. It should be flexible enough to encourage a passion for customers and the brand but should also make sure the brand remains an asset. If the comments are from outside the organization they should be quickly judged to determine constructive criticism or inappropriate behavior and appropriate steps should be taken to deal with them in a timely manner.

Hijacked Social Media Topics

You’re trying to be social but the topic gets sidetracked or even hijacked. Simply ask, “Why?” Perhaps there is something else more important you could or should be covering. One of the first rules of social media is that it’s not about you. Or perhaps you can suggest covering the new topic in next week’s discussions where you can research it further and get more input on it. The point of social media is that you don’t have direct control of the message but the more involved you are in social media and are aware of your business and customers, your ability to influence the message increases.

Social Media and Security Breaches, a Company Nightmare

Social media channels and content can open up breaches of security. Viruses, malware, identity, and brand theft can all occur with or without the use of social media. You should consider good IT practices to avoid the possibility of software and hardware security breaches. Some recommend being vague with content to avoid brand or identity theft. You need to consider the level of information you share and the possibility that information can be used against you. But if you participate in social media and all you do is listen without giving there is a high probability your community will wonder if it’s worth participating in your network.

Non-Participation in Social Media

Social media should start with a strategy and part of the strategy should include audience, content and appropriate channel(s). It takes time to grow a community. You may think you’re talking to yourself but really you can be honing your message to your customer while you also spend time listening to what is important to them and include it in your community content. The time you take working at establishing your social media standing can also be used as an ongoing case study to discuss what you’ve learned with your customers.

Alienation in Social Media

Some people don’t tolerate change. As your social media community grows and expands its reach there is a possibility of alienating your core followers. You need to consider your core first before diluting your approach to please the masses you’re not currently connected to. Sometimes it’s unavoidable, but if you include the core in your growth and choices for growth it’s often easier for them to deal with change. Also remember, there are some people who just don’t want to change. If they are your target audience, what about creating a core group just for them? Consider the impact on your resources and the benefits of keeping them happy while still addressing a larger potential community.

Social Media Strategies and the Risk

Social media strategies that don’t include the whole organization. In a small organization, the worry is not enough resources to establish a social media strategy and be able to execute while in a larger organization it may mean a fight to control or influence the approach, the theme, the content, the budget, and other resources. Not everyone needs to be directly involved but all should be aware of the social media benefits as part of the marketing and sales strategies of the organization.

Social Media, not just marketing

Many organizations believe social media should be managed from the marketing department to enable the acquisition and retention of customers. Other companies use social media as a critical enabler to their customer service efforts, research and development initiatives, and strategy planning. Social media enables conversation through online communities. The conversations you start or participate in can lead to so many great possibilities.

Put on Your Media Face, Balance the Power

There is a risk if the social media “face” of the company is a particular individual. What if that individual leaves the organization or takes another role within the company? Their social media currency could leave with them. Consider the impact of an individual and consider spreading the currency around to include others. It will help to balance the power. And, it can also help balance the responsibility to create great content and manage the social media strategy.

Expanding your message when your audience is local (Talking to the wrong crowd)

What happens if your social media presence expands to another country or a customer base outside your typical one? Monitoring your social media strategy and reviewing the needs of a particular audience can help you plan for the needs of your existing and future audiences. As you look to expand into a new audience you should evaluate tactics to localize your message to the audience. This could include translation services or evaluating the needs of a new layer of employees.

Ignoring Your Customers

Someone wants to have a conversation but they get ignored. With more and more communication channels available to us it’s very hard to keep up with it all. But a simple business principle plays here – ignore your customer and eventually, they will go away. Take the time to develop a solid social media monitoring plan. The plan should listen to what people are saying about you or your organization. It should also hear the smallest request and makes sure it gets the attention any good customer deserves.

If you feel your company is experiencing social risk, we are here to help. Drop us a line and let’s connect.

Thoughts by Peter Muir, an often-featured speaker on Social Media and related topics, offers some thoughts that are useful to those of us in the faith-based and non-profit arena as well as the business world.

Child Abuse and Open Source Intelligence (OSINT)

Child Abuse and Open Source Intelligence (OSINT)

Europol’s Child Abuse Image Geolocated In Ukraine using OSINT: A Forgotten Story Hidden Behind A Landscape

The following report contains a reference to a child modeling studio producing child sexual abuse material in 2001. All names related to the studio are fictitious. The original source did not contain any explicit material. All the images accessed and used during the investigation were already censored, but for the avoidance of doubt, it must be noted that the researchers did not obtain, look or download any explicit content. The original source was shared with Europol before the publication of this report and cannot be revealed for the protection of the victims and as to not impede the investigations. Although the main objective of the article is to show the method by which an image listed by Europol was geolocated, Bellingcat has decided to publish some details found in the investigation to create awareness of the subject and to support Europol’s #StopChildAbuse campaign.

Europol currently holds more than 40 million images of child sexual abuse from across the world.

In June 2017, Europol launched a crowdsourcing campaign called Stop Child Abuse – Trace an Object. Censored extracts from explicit images are regularly published on their website and members of the public are asked to help to trace their location or country of origin. These tips are then used to inform the competent law enforcement authority to further investigate the lead and to assist in the identification of the offender and the victim.

As of 23 March 2019, Europol has received more than 23,000 tips, which led to the identification of eight victims and the prosecution of one offender.

In recent reports, Bellingcat wrote about their contribution to geolocating images in China and Russia.

For several months, the image shown in Figure 1 was live on Europol’s website. From now on we will refer to this image as “ImageC5” in the text. Bellingcat team members and other Twitter users previously pointed out the difficulty of geolocating this image. The main reason: There are no mountains, landmarks, roads, posters, signs, brand names, or any remarkable object featured on it. Instead, there is a rather desolate landscape flooded with weeds and few rural buildings in very low resolution. What we did not know then was the dark story ImageC5 hid, the number of victims affected by it and how the story itself would allow us to geolocate this image to Kalahliya, a Ukrainian village 47 km southwest of Odessa.

Figure 1: ImageC5 as listed by Europol on their website #StopChildAbuse #TraceAnObject (left). The image was geolocated to a village called Kalahliya, which is southwest of Odessa in Ukraine. The red mark indicates the approximate location from which the original photo was taken from; just on the northeast corner of a group of building ruins (right).

The Initial Research
Our first observations about the image were as follows:

  • A small gradient in the terrain with a few sudden drops across the land
  • Rural houses and buildings with metal roofs (single and multiple pitches)
  • Tall dried weeds and broken branches as well as reeds and grasslands
  • An orange/brick construction with a dark roof far on the right side of the image
  • The image was edited by Europol to protect the victim. The censoring process was done in such a way that almost 10% of the landscape was reconstructed. Small fractions from other points on the image were merged into the cropped area. This caused the repetition of items in several points of the landscape.

Important Definitions And Key Facts

hild Sexual Abuse Material (CSAM), also called child pornography, refers to any representation, by whatever means, of a child engaged in real or simulated explicit sexual activities or any representation of the sexual parts of a child for primarily sexual purposes. In 2014, Russia was reported to host the second-highest amount of CSAM in the world, accounting for 24%. In 2016, Ukraine was the first in Eastern Europe. The traffic of children for sexual exploitation to Moscow and St. Petersburg from Moldova and Ukraine has also been documented.

The type of houses observed on ImageC5 suggested a very small village which seems to be a rural Soviet construction style, as opposed to western European.

ImageC5 did not feature either any type of tropical, coniferous, or desert vegetation. Therefore Asia, the Middle East and densely forested areas in Europe and North America were not considered. Grasslands are located across Moldova, Ukraine and a thin belt along the border between Russia and Kazakhstan. Intersecting all these geographical and architectural observations with the information about Children’s Sexual Abuse in the region, the initial search was chosen to be within the area marked in red on the map in Figure 3, particularly those villages with links to major cities such as Moscow and Kyiv.

Figure 2: Vegetation map of the former Soviet Republics. Grasslands are found across Ukraine and a thin Belt into Russia.
Figure 3: Initial region selected to start the search for ImageC5. The area included West Moldova, South and East Ukraine, and the area around the Ukraine-Russia Border, Moscow, and the River Volga.

It was initially believed the brick construction on the far right side of the picture could have been a Soviet-era railway water tower or a small train station. Railway routes, travelers’ videos, and hundreds of photos were checked to understand the landscape, as well as the typical layout and architecture of small villages.

The first slight landscape similarities with ImageC5 were found in eastern Ukraine within the Sumy oblast. Unfortunately, with no defined landmarks to look for and the limited availability of imagery and street views outside main cities, further visual checks were unproductive. No evidence found was significantly relevant to draw any conclusion. The place could have been anywhere in the marked region if it existed there at all.

A Breakthrough In The Search

The next step was to find more details about Child Sexual Abuse cases in the suspected region that could then be associated with ImageC5. In early June, after following a lead from a regional children exploitation report, a comprehensive investigative file was found containing details of a child modeling studio trafficking children from Moldova to Ukraine for the production of CSAM.

Important Note:

The source of such files cannot be revealed for the protection of the victims and as to not impede the investigations. The original source was shared with Europol before the publication of this report. All the images accessed and used by the Bellingcat team during the investigation were already heavily censored by the original source of the files, but for the avoidance of doubt, we will once again note that the researchers did not obtain, look or download any explicit content. All names related to the studio used in this report are fictitious.

What information did we find in the files and how did we use it to geolocate ImageC5?

The investigative file described the operation of the studio and its associated websites. Most of the CSAM created by the studio was reported as having been produced in the Odessa region in Ukraine. The file also included a list of unknown locations where at least 60 models were photographed in 2001 for Website2.

All unknown locations appeared classified as Coast, Inland or Ruins, followed by a sequential number, their respective group of censored thumbnails, and a brief description of the surrounding landscape or visible buildings. No specific geolocation was given.

To our surprise, in the group called “Location Ruins (1 & 8)”, a thumbnail containing the same ImageC5, as published by Europol, was found. A direct link between ImageC5 with an official Child Sexual Abuse case was established.

Other censored thumbnails found next to ImageC5 showed several building ruins and a red building in the background, which, according to the file description, could have been a church in a nearby village.

The search for a desolate landscape had evolved into a search for more identifiable landmarks – the building ruin and “the red church.”

Having new information about other potential unknown locations related to the case, our strategy was to “encircle” ImageC5’s location in the Odessa region by a simultaneous hunt for the red church, Location Ruins (1 & 8), Ruins (2,3 & 7), Inland (3,6 & 7), Inland (8) and Coast (1 & 6). This selection of censored thumbnails included the most recognizable items for each one of the locations and constituted the key to finding ImageC5. A diagram with all the material used is presented in Figure 4.

Figure 4: Selection of unknown locations listed in the investigative files and related to ImageC5. All images accessed and used by Bellingcat during the investigation were originally censored by the source of the files.

“The Red Church” And Landscape Features

Initial efforts were made to find the red church by exploring the area using Google Earth and Yandex. The number of churches in Odesa oblast (approx. 33.000 km2) was too large to scrutinize them one by one and many did not have photos easily available for checks.

We also noticed that in some cases the colors and features of churches were changed, due to upgrades and repairs. This made the initial search for the church extremely difficult. Although we were initially unsuccessful, valuable landscape and architecture information was gathered. Different points across the region were analyzed with similarities found in several areas; for example, Anan’iv Pershyi and Vyzyrka. Based on this and other examples, it was likely the location to be found along the coastal area of Odessa.

Using Google imagery, dimensional analysis was done on several churches to establish a reference geometric pattern (see Figure 5):
  • The height of the bell tower was the same as the altar tower, excluding the domes.
  • The width of the altar tower was approximately double of the bell tower.
  • Exterior made of red bricks. But we noted that it could have been repainted.
  • Both towers could feature either round, semi-round, pitched or onion type domes.
  • In church architecture, altar towers are normally oriented to the East. In almost all cases in Odessa there was no exception. This meant Ruins (1 & 8) were very likely to be located southeast of the church. A very important check to do when finding potential geolocations.

Figure 5: Dimensional characteristics of the similar church in Odessa oblast.

The Ruins

Group Ruins (1 & 8) featured what seemed to be the ruins of a small industrial facility. Scattered precast pillars could be seen on the ground. There were walls with faded pink tones, large holes, and bullet marks on many of them. The holes seemed similar to those left by a projectile impact. Presumably, these ruins were the result of previous conflicts in the area.

But where to find this type of ruin in an area of 40,000 km2 including Odessa oblast and west Moldova? Furthermore, do the ruins still exist or have the sites been cleared up to give way for new developments? Also, which conflict could have inflicted such damage on a rural structure before 2001?

Using Google imagery, examples of ruins were gathered to establish a visual reference as shown in Figure 6.

Two main events were considered: WWII and the Transnistria conflict in 1992.

WWII front lines were studied according to literature as per the maps in Figure 7. In 1941, a system of 3 defense rings was established by the Soviets to protect Odessa; with the outermost ring located at a 50km mark from the city. From March to April 1944, the Red Army launched offensives to liberate Odessa. In August 1944, as part of the Jassy–Kishinev operation to reclaim the Moldavian SSR, the Red Army engaged a large German-Romanian contingent with heavy battles starting with the Akkerman landing.

In both conflicts, WWII and Transnistria, there were fronts localized on several points along the Dniester River and Dniester Estuary. This line would become a focus of attention later in our search.

Figure 7: Battlefronts in 1941 and 1944 during WWII was used as a reference to find potential matching ruin sites. The Dniester Estuary would become important in our search.


Geolocating ImageC5 By Finding Other Locations Related To The Case

1. Location Ruins (2,3 & 7) – The Greenhouse

Ruins (2,3 &7) appeared to be part of a period property or castle featuring a glass roof structure typical of those found in old greenhouses. The studio was reported to operate from several apartments in the city of Odessa. Their approximate location was investigated and pinned as shown on the map in Figure 8. It was believed that one or several of the locations could have been nearby their studios. Hence, we started to explore the area with Google Maps along Road F. From north to south, we looked for abandoned buildings, castles and ruins where any of the studio’s sets could have been located.

A landmark symbol led us to the ruins of greenhouse Marazli, originally built in 1889. Pictures found in Yandex dated back to 2016 were gathered and analyzed.

Many features in its interior matched those found in the censored thumbnails of ruins (2, 3 & 7), especially the angle of the glass roof structure, supporting beams, door features, windows and stone masonry (See Figure 9 ). The location served its purpose until the 1990s, but various events ultimately contributed to its abandoned state. The source reported the location was used by the studio to produce several CSAM between July and August 2001. No signs of location Ruins (1 & 8) or the red church were noticed in the surrounding areas.

Figure 8: Approximate location of the apartments owned by the studio in the city of Odessa. The F location allowed our investigation to get closer to a child abuse site: the greenhouse.

Figure 9: A 1889 greenhouse in Odessa City. Pictures found in Yandex and dated 2016 were gathered and analyzed. Many features in its interior matched those found in the censored thumbnails of ruins (2, 3 & 7). The source reported the location was used by the studio to produce several CSAM between July and August 2001.

2. Location Inland (3,6 & 7) – Oleksandrivske Reservoir

A thumbnail within the Inland (3 & 6) group featured a river or lake. A transmission tower in the background could be seen just opposite the bank from where the shot was taken. Another shot, believed to have been taken in the opposite direction to the first, featured another transmission tower, dried grasslands, and small trees in the background.

Using Google Earth, narrow bodies of water with these characteristics along the coast were investigated.

On the south end of Oleksandrivske Reservoir, a peninsula with transmission lines on its west side was identified. Across the reservoir, another transmission tower and cables crossing above the water were noticed. By setting the time bar to 05/06/2008, the grass on the peninsula showed up as dried and small trees could be seen clearer now on the east side of the peninsula, just behind the transmission tower. A match was found (see Figure 10). The source reported this location was used by the studio to produce several CSAM between July and August 2001.

Checking the rest of the reservoir for more clues, a white building with a slim tree in the front was noticed east of the previous location. These elements matched those displayed on location Inland (7). After analyzing the image, it was determined the shot was taken from the south shore of the Oleksandrivske Reservoir (see Figure 10). The source reported this location was used by the studio to produce CSAM in October 2001. No signs of Ruins (1 & 8) or the red church were identified in the surrounding areas.

Figure 10: Oleksandrivske Reservoir. Power transmission lines and landscape matched those featuring in thumbnail images for location Inland (3,6,7). The source reported these locations were used by the studio to produce several CSAM between July and October 2001.

3. Location Inland (8) – Kuyalnik Estuary

The unknown location Inland (8), featured a water body and sand around the shores. Despite the low quality of the censored thumbnails, a pink/red tone to the sand was noticed. On the left side of the image, along the cliff which ended in the horizon line was visible. Looking at the background, no buildings or mountains were seen. The body of water seemed to be quite elongated.

In our initial searches around Odessa, we had noticed Kuyalnik Reservoir, which had pink sands. We re-visited the images of Kuyalnik for a reinspection. The result: a Google maps image featuring the same cliff on the west shore of the reservoir.

The cliff exhibited the same angular lines converging downwards and touching the horizon. Dark pink sand was also noticed as well as curved watermarks. Another location verified. The source reported the location was used by the studio to produce CSAM in September 2001. No signs of Ruins (1 & 8) or the red church were identified in the surrounding areas.

Figure 11: Kuyalnik Estuary. The source reported the location was used by the studio to produce CSAM in September 2001.

4. Location Coast (1 & 6) – Mykolaivka Village (Dniester Estuary)

Many of the censored images within the group Coast (1 & 6) featured a peninsula with a slim tree on it. The images seemed to have been taken on a shore very close to a grassy cliff.

Rocks bigger than 1.5 meters in diameter, which had become detached from the cliff, appeared in almost every shot from different angles.

All main elements were numbered (1 to 10) and organized by scene (A to D). The tree and the peninsula were selected as landmarks with more potential to be identified in satellite images.

Having checked other bodies of water on the northeast side of the coastal region of Odessa, the southwest area around the Dniester Estuary was to be explored using Google Earth. On the east coast of the estuary at the level of the village Mykolaivka, a small peninsula was found. This peninsula had several trees on it but only one produced a long shadow relative to the size of the peninsula and matching the relative position to the one shown in the censored thumbnails.

From the 2014 satellite image, large rocks could be seen all along the shore. After careful analysis, all rocks and trees were identified. Another image geolocated. The source reported the location was used by the studio to produce several CSAM between the end of July and beginning of August 2001.

Figure 12: Location Coast (1& 6). All main rock elements on thumbnail images identified along the east coast of the Dniester Estuary at the level of the village Mykolaivka. The source reported the location was used by the studio to produce several CSAM between the end of July and beginning of August 2001.

5. The 
Final Search And Verification

After geolocating four different sites related to the case, a 50 km radial perimeter was established around the city of Odessa. This perimeter coincided with one of the battlefronts that took place during WWII on the east shore of the Dniester Estuary. Hence, it was believed that some type of ruins, if linked to the war at all, were likely to be found around this area.

Figure 13: Geolocation of the selected group of images marked in red.

The main road connecting the village of Mykolaivka and Ovidiopol (T1625) was checked for any signs of the red church or ruins. When doing a visual inspection with Google Earth around the village of Kalahliya (Калаглія / Калаглия ), a church was noticed at coordinates 46.281507, 30.358500 on June 2. Its name: Церква Миколая Чудотворця, i.e. the Church of St Nicholas. All the features matched our references. A Twitter user, Lorenzo Romani, also confirmed finding the same church on June 22 through someone in his network.

Figure 14: St. Nicholas Church, located in the village Kalahliya. The church matched all features recognized on the image related to ImageC5.

But was this truly the right place? Were there any ruins around?

Checks were done in the immediate surroundings southeast of the church but there were no signs of any recognizable ruin structure. Then, the historical view of Google Earth was changed. A compound in ruins was visible in other years, with 2007 being the earliest image available.

Despite the lack of street views on Google Earth and Yandex for this location, Images and YouTube videos of the village were scrutinized in order to identify all the buildings visible on ImageC5. A drone video found offered the best view of the site and it helped us not only to identify each of the elements but also to estimate the position of the camera (See Figure 15 and Figure 16).

Figure 15: ImageC5 buildings identified on a YouTube drone view of the village Kalahliya

Figure 16: Northeast corner of the ruins as the approximate camera position from where the ImageC5 landscape photograph was taken.

Further checks were done on two of the buildings featuring on ImageC5: the single pitch roof building (marked in yellow) and the brick construction on the far right (marked in red). We found videos recorded from Road T1625 which connects Kalahliya with Ovidiopol and passes just behind these buildings. The type of windows, roof, masonry colors, as well as relative position, matched those shown on satellite views as well as ImageC5 (see Figure 17).

Figure 17: Videos and satellite images used to analyze main building construction features such as masonry color, roof, and windows type for selected buildings. All elements matched those on ImageC5.

Satellite images and all thumbnails in group Ruins (1 & 8) were carefully analyzed to extract information such as the positions of trees, shadows sizes, sunlight direction, vegetation, exterior paint colors, and the relative position of debris. A solar calculation was done for early September 2001 as representative data for the month when the CSAM was generated.

Putting all of the puzzle pieces together, a basic sketch of the ruins was done to understand more about the site and to indicate the relative points where the thumbnail photos were taken from (See Figure 18).

The size of the construction and the presence of gates to the southeast and northwest ends of the main structure reconfirm the possibility that the building was an old, small-sized industrial/army facility. The reconstruction should be taken only as an intuitive guide only. With all elements identified, the site has been verified and ImageC5 has been now officially geolocated. The source reported the location was used by the studio to produce several CSAM between August and September 2001. A summary of the geolocation process followed is offered in Figure 19.

Figure 18: Basic reconstruction of ruins based on solar data for September 2001, satellite images as well as the image thumbnails found in the investigative files. The source reported the location was used by the studio to produce several CSAM between August and September 2001.

Figure 19: A summary of the strategy followed to geolocate ImageC5 after the finding of the investigative files. Geolocating other images within the set allowed the team for a relative quick converge into the final findings.


“Studio A” And Their Associated Websites

Although our main goal was to share information on how ImageC5 was geolocated, we also want to offer a brief summary of the operation of the studio and its websites as reported by the source. Though almost 20 years have passed and there is little reference to it on the internet, this studio impacted the world of CSAM production and contributed to its development. It is a clear example of how purveyors of CSAM adopt the guise of benefactors. First – they pay off the victims’ typically impoverished families. Second  – they develop a child education and entertainment program designed to quell the parents’ and the public’s distrust in the studio. Finally, they take advantage of then-underdeveloped CSAM legislation in Ukraine and an emerging worldwide internet. This is a business model that is still being followed by many modern criminal organizations.

This following section was extracted from the files and by no means expresses the views of the authors – it is rather meant to raise awareness of how such criminal enterprises operate. For legal reasons and for the protection of the victims and offenders, we cannot disclose the source. All names used here are fictitious.

Studio A was a company founded by Denis M. & Sergey P. in the early 2000s with funds coming from several European financiers. Denis was an IT expert and Sergey was a photographer known for nude “artistic” work with teens. Both individuals met in the summer of 2000 and made several arrangements with other webmasters and studios to set up Website1. Sergey would generate the photographic content and be the main model finder; whereas Denis would be in charge of the technical side. By September of the same year, Website1 was fully operational, with the material being produced by Sergey in Ukraine. All websites associated operated on a subscription basis. The studio operation included transportation, admin, and security crews. The latter were mainly previous law enforcement officers.

Most of the underage children featuring in their productions were scouted around schools in eastern Europe – mainly Moldova.

They usually came from impoverished backgrounds and were offered “modeling work” to help their families with money equivalent to a month’s salary of their parents. Knowing the conditions required by the studio, many parents reportedly agreed to send their children from Moldova to Ukraine with Studio A. The victims lived in different apartments owned by the studio across the city and received a computer, arts, and English lessons when they were not “modeling.” In efforts to further legitimize the criminal enterprise, the studio organized outings with the parents. Also, according to interviews reported in the files, Denis had falsely claimed on several occasions that the business was “socially responsible” and part of a charitable project in partnership with a worldwide human rights organization.

According to the files, Sergey, who managed the business independently, had a serious addiction to heavy drugs.

According to victims’ testimonies, as per the files, Sergey not only photographed victims naked but would then physically sexually assault them and offer them addictive substances. What ultimately happened to Denis and Sergey’s partnership remains unclear, but it is reported that tensions between Denis and Sergey increased and they parted ways in early 2001. Denis renamed the company Studio A* and Sergey kept the original enterprise. Studio A. Sergey convinced a number of parents and children to stay him, while another of the other children exploited by Website1 moved on to Studio A*.

Denis then created another website, Website2. The initial material used for this website came from Russia-based projects that featured nude underage girls. Later, Denis started to create new material for which he recruited new victims in Moldova. Sergey kept most of the material created for Website1 and sold it to other parties on the web. Sergey kept working for other studios and also created a new brand, Studio C. Both Website1 and Website2 went down starting in 2002. According to Denis, Website2 was hijacked and redirected to another page that apparently contained more explicit abuse material. According to the files, Denis placed responsibility for that on organizations based in Russia.

After the 9/11 attacks in the U.S., federal authorities and international agencies started to investigate all sorts of irregularities on the web more closely.

It is likely that Ukrainian authorities at this point came under more pressure, while the police had information about the frequent trafficking of minors from Moldova to Ukraine. In 2002, two women traveling with four children were detained in a train station close to the Ukraine/Moldova border for interrogation. They were carrying false documentation to take these minors abroad. During questioning, all underage girls mentioned they were paid an average of $50 per session in exchange for taking part in explicit photography produced by two individuals: Denis & Sergey. The police proceeded to raid all studios and seized all computer equipment, drugs, and CSAM. Both Denis and Sergey had fled by then, presumably alerted by their corrupt contacts on the police force.

Denis moved to Switzerland and then to Moldova, whereas Sergey was reported to have lived in Moldova, Germany and the U.S.

The Ukrainian government initiated a case against both individuals in 2002 for the production, sale, and distribution of CSAM. Surprisingly, charges against Denis were dropped in 2003. Ukrainian legislation at that time did not have any provisions for CSAM production.

According to the source, Denis relaunched Website1, but without any nude material. He also created a new studio called Studio B and closed Studio A*. By 2004, both websites Website1 and Website2 were down. In 2007, Denis married one of the girls that worked for the studios – it is unclear how old she was at the time and when she was first recruited – and the ceremony reportedly took place in Moldova. A documentary film was also produced to portray Denis and girls who worked for the studio in more recent years. This production was never commercialized.

Most of the CSAM Sergey produced remains undocumented due to missing data. Sergey was put on a wanted list by police in Germany in relation to the abuse of minors as well as for CSAM dissemination. There is no information available to determine whether Sergey was prosecuted or not.

Some key facts after analyzing the information presented in the investigative files:

  • ImageC5 was produced for Website2
  • At least 60 victims between the ages of 8 and 17 were hired to work for Website2
  • More than 7300 images were produced in less than a year
  • The website published approximately 270 sets of images
  • 60% of the CSAM was produced in studio facilities, while 40% was produced in outdoor locations
  • On average, 3% of the production was done in each one of the Ukrainian outdoor locations with an 8% maximum produced in Russia.
  • There were seven “photographers” working for the page including Denis and other unidentified individuals associated with the studio.
  • The source reported the studio employed assistants, drivers, teachers, and security staff. The latter have had previously worked in law enforcement.
  • $250,000 were received on the personal accounts of Denis and Sergey for the operation carried in Ukraine.

Conclusion & Recommendations

ImageC5 on its own contained no relevant information. The initial geolocation process for this image proved to be unproductive via employing traditional methods. More details were needed to be able to take the research further.

This time, an in-depth literature review on child sexual abuse cases supplied the information required to narrow down the search. Without knowing the details of the case, ImageC5 would have been never geolocated. By finding other locations related to the case, valuable landscape, architectural, war zone, and terrain data was collected. The iteration process of the search converged quicker towards the location where ImageC5 photograph was taken from.

After intensive research, Images are normally geolocated accurately. A great deal of information related to the cases is usually gathered through the process. Not all details found in our investigations are shared – due to the need to protect victims. In this case, the investigative files found came from an anonymous source that Europol has been informed about.

Eighteen years have passed since the discovery of the dark operation of Studio A.

The case was known to both Ukrainian and international authorities. If data and privacy laws permit, It could be helpful to see that for any child abuse case already processed by law enforcement bodies in Europe, all CSAM images seized should be entered into a centralized database. Law enforcement agencies could then run algorithms for an internal image reverse search to assist future geolocations and investigations. In this way, images for which there is already a background case would be left out of any crowdsourcing campaign. Moreover, if the amount of data collected is large, maybe the algorithm could be capable of comparing landscapes and other information between old and new images, thus drawing a preliminary geographical search area or creating leads for new cases.

The Studio A case is a clear example of child sexual abuse and human trafficking.

The operation persuaded stakeholders of their “socially responsible” approach to leverage their business. The production of CSAM was allowed by an archaic legal framework and corruption, but also by the families of the victims, who exploited their children for financial gain. This business model has been copied by many crime organizations disguised as “modeling studios.” After many years, the situation in Ukraine has changed – but it has changed for the worse. The problem has been aggravated by the development of technology and faster communications. There are new forms of criminality and an intensified production and dissemination of child abuse material in the Ukraine-Moldova-Belarus-Russia region.

In sharing our investigations and search methods we believe we can contribute with authorities to bring offenders to justice, and that we can make the #StopChildAbuse network stronger while raising awareness about the problem.

Our intention is to encourage members of the public and OSINT professionals to be vigilant and pass any known information to the competent authorities. Although some images published by Europol might seem old, new cases might be related to those pictures and any lead or input into their database could mean the difference between continuous abuse or rescuing the victims. At Bellingcat, we are strongly committed to these efforts.

Source: By Carlos Gonzales 

Research by Carlos Gonzales, Daniel Romein, Timmi Allen and “Bo”
Power of Word of Mouth

The Power of Word of Mouth and Social Risk

Online Word Of Mouth is powerful! I don’t think anyone would dispute that fact but just to back it up here are some recent statistics.

  • 50% of Americans would pick the word of mouth if they had to pick one source of information [Chatter Matters Report]
  • 72% of people get news from friends and family, making word-of-mouth the most popular channel for sharing [Pew Research]
  • Building an online community is most important to brand awareness and word of mouth referrals, with average rankings of 8.87 and 8.52 on a 10 point scale, according to marketers.[Referral Rock]
  • 72% of people say that they most trust content that they get from family or friends.[Statistia]

I could go on and on, but you get a general idea. Online Word Of Mouth (eWOM) is huge and very important to any business.

But, What Happens When Social Media Goes Bad?

In recent years it has happened over and over from one industry to another. Everything is sailing along smoothly for a brand when all of a sudden, seemingly out of nowhere, social media explodes with wrath over something that the brand said or did. From that moment, forward, the brand’s world has been turned upside down.

You don’t have to look far to find brands that have mishandled a disgruntled customer and consequently have felt the sting from their social media followers, customers, and even the general public. Do you remember this company’s missteps?

American Airlines (sometimes too many to count) dragging a passenger off of their plane?

How about Adidas who text “Congrats you survived the Boston Marathon.” Or, Chase Bank suggesting that overspending is resulting in your bank account being too low, as opposed to too many bank fees.

What do all of these examples illustrate? That often times a seemingly harmless (well, not in American Airline’s instance) tweet will come off poorly and before you know it you have a Firestorm on your hands.

Are you prepared?

Q: When is the worst time to learn how to put out a grease fire?

A: When the pan on top of the stove is on fire!

Q: When is the worst time to try to figure out how to reply to an irate customer on social media?

A: When they are in the middle of telling the world how bad you are!

According to a report by Ethical Corp, 72% of companies rate their preparedness for potential online firestorms as “below average.”

So, you’re probably now wondering what you have to do to be prepared. In a perfect world, step one would be recognizing what causes these firestorms and deal with them before they gain momentum. Short of that, though, it’s critically important to know how to handle these firestorms once they get going.

How To Detect Potential Trouble

Before we get too far into the detection, let’s start by talking about what a firestorm is. Generally speaking, an online firestorm is defined as a sudden engagement and banding together of negative eWOM messages against a person, company, or organization via social media platforms.

Ok, now that we all have a definition of an online firestorm, let’s start with detection. How can you spot trouble before it hits? Is it even possible? If you follow what people are saying about you, then you can detect a firestorm before it gets traction.

The first step, monitor all mentions about you or your brand. You can’t stop a firestorm if you’re not aware of what people are saying about you. And, don’t think that you don’t have to respond to negative comments. You do! You also have to respond promptly. Remember that eWOM is way harder than traditional WOM. In the online communities, everything that is said about you is seen by everyone.

Think about it this way.

Someone walks into your store or office and starts telling you about the poor experience that they had with your company. In this scenario, you handle the situation, try to please this customer, and hopefully, that’s it. Online is a whole different scenario. Within the online context, everyone hears what that person who walks into your store or office is saying. They hear the frustration in their voice. They hear your response (or lack of response), and then they decide who’s side to take in the story that is quickly unfolding.

We’ve written about this before. Too many business people have decided that the best way to avoid a firestorm is to not engage with the online communities. The problem with this strategy is that, like it or not; you don’t have to be engaged online for people to be venting about you. And, if you don’t respond everyone that has any interest in your company, product or service will see that you’re unengaged and that all by its self will degrade the value of your brand to all these community members that are waiting to hear your solution to a customer’s problem.


A recent paper by the American Marketing Association found that 78% of online firestorms started and ended within 24 hours when properly handled – 24 hours! That means that you have to be monitoring comments about you and your company all the time. If you check in once a week, you’re already too late to handle a potential situation. It will already be a firestorm that is engulfing your company; you simply don’t know it yet.


Now, not every customer that has an issue with your company is going to turn into a firestorm and you don’t want to overreact to negative eWOM. How can you tell if a person’s negative eWOM has the likelihood to become a firestorm? There are a couple of ways:

Their Words:

Take a look at the words that the people are using. The more emotional the words are that they are using to describe their situation, the more likely it will be that more people in the online community will respond to their situation and join in the calls for “justice.”

Their Connections:

The more connected that the disgruntled person is the more reach that their comments will have. Because of this increase in reach, the greater the chance that their complaint will go viral.

Proper Handling Of Negative eWOM

There are a lot of articles out there about how to handle the negative comments that you may get.

Change Channels:

One of the more popular recommendations is to try to take the conversation offline and handle the situation one-on-one with the person that is frustrated. The problem with this method of handling negative eWOM is that the community, who has been witness to the situation, has no idea how the situation is being handled and often will continue its verbal assault. In this scenario, you may well have taken care of the initial problem. However, a firestorm could easily kickup because the community as a whole has not been satisfied.


Often times people try to appease dissatisfaction with an explanation of why something happened or went wrong. Something like “our production line was broken yesterday. If the complainant isn’t emotional (you’ll be able to tell by the words that they are using) and they’ve not yet engaged a large following, this strategy may work. Know that generally speaking, however, an explanation alone usually won’t work.


Being empathetic is a critical emotion to be able to show whenever you’re dealing with an upset customer or community. They want to know that you care, that you feel their pain, and that you want to fix their concerns. As with the explanation response, and empathetic only response will seldom fix the problem. It would be like saying “I completely understand how you feel…we’re not going to do anything about it but we fully understand your feelings”. Not very effective.

Empathetic Explanation:

This is one of the best responses that you can use when responding to negative eWOM. By combining the two, you’re expressing that you understand their feelings and you’re validating those feelings. By going on to explain why something happened you’re demonstrating the desire to research the problem and, to the best of your ability, resolve the problem moving forward.


eWOM can be both a blessing and a curse, depending on how you use it. Ignore it, and it will be a burden that could, without exaggeration, ruin your business. Engage with it, and it could literally make your business grow beyond your imagination. Have a plan for how to handle negative eWOM by using an Empathetic Explanation​ strategy, execute the plan quickly should the need arise, and make sure that everyone in your company knows what to do.

Social Media Could Ruin Business

How social media could ruin your business

How social media could ruin your business

Whether it comes from hackers, disgruntled customers, or is simply a backlash against something you post, negative social media content can destroy trust in your brand in a matter of minutes.

“Social media is the most immediate threat to your company’s reputation,” says Pete Knott, digital consultant at reputation management consultancy Lansons.

“If not taken seriously it can and will directly impact your company financially and culturally.”

Fake news remains one of the biggest challenges – despite machine learning crackdowns by networks such as Facebook and Twitter.

In May, for example, shares in the UK’s Metro Bank plunged 11% before it could shake off inaccurate social media rumors that it was facing financial difficulties.

And according to Ilia Kolochenko of Geneva-based internet security company Immuniweb, the consequences could potentially be much worse.

‘Dropping a bomb’

“Hackers can cause huge damage if they can find a way to post fake news on social media,” he says.

“Imagine if they managed to hack into the BBC accounts and post a story about Iran dropping a nuclear bomb.

“The effects could be devastating – especially if other news networks picked up the story.”

Social media posts don’t have to be inaccurate to damage your brand, though. Sometimes, the truth hurts too.

In 2016, battery manufacturer Samsung SDI’s market value plummeted by more than half a billion dollars when Tesla boss Elon Musk tweeted that the company was working with Panasonic on its next electric car.

If not properly thought out, your own posts can also cause problems, as US bank Chase found out earlier this year when it was accused of “poor shaming“. It published a post suggesting customers with low bank balances save money by avoiding taking cabs and buying coffees.

Stealing your good name

Other threats include fraudsters taking your brand name in vain.

“Creative crooks often exploit big companies’ names to run social media scams,” Mr. Kolochenko says.

“For example, they might set up an ‘Amazon India Support’ account on Twitter and ask customers who contact them about missing parcels to pay a customs fee.”

And even posts by unknown customers can do a lot of damage if other users pick them up.

“Consumers have recognized that social media is a very fast way to get a response from customer services,” says Claire Twohill, social media director at global PR agency FleishmanHillard.

“That’s why social media attacks are often a direct result of a problem with the supply chain or a change to a popular product.

“But whatever the reason, you need to react fast.”

‘Planning is crucial’

Masha Maksimava, a vice president at Belorussian social monitoring company Awario, says: “The key to online reputation management is handling negative feedback quickly to prevent it from turning into a crisis.”

So it pays to be properly prepared.

“Planning is crucial,” says Lopa Ghosh, an associate partner at global professional services provider EY.

Equally important, however, is not to overreact.

“You don’t need to jump on every negative tweet,” Ms. Twohill says.

“Sometimes it’s better to do nothing to avoid creating a crisis for no reason.”

Either way, finding the right tone is key.

Get it to spot on, and you might even be able to turn events to your favor.

Employee activity

“Social networks are a great place to rebuild the reputation,” Mr. Knott says.

“So try to think about how you can use your response to a crisis to demonstrate your company’s values and show its human side.”

Employee activity is one of the biggest social media pitfalls.

Cybercriminals, for example, often use information gleaned from employees’ social accounts to infiltrate an organization.

Richard Horne, a cybersecurity partner at accountants PwC, says: “People expose a lot about themselves on social media.

“So attackers could look at someone’s profile, see they love skiing and email them a malware link to a cheap chalet deal in Switzerland.

“It’s a very common way of infecting companies’ systems.”

Passwords and posts

The challenge, therefore, is to manage how your employees use social media, without impinging on their rights.

“You can’t monitor your employees’ social media accounts – that’s getting into very ethically murky waters,” says Ms. Ghosh.

“Instead, you have to educate them about passwords and what sort of thing they post.”

It’s also important to be clear about how they should respond – if at all – if the company becomes embroiled in a crisis.

Take advantage of social monitoring tech

Monitoring, or listening, tools that use Application Programming Interfaces (APIs) provided by social networks to collect and analyze data can help you to build a reputation and manage crises on social media.

“Setting up a social listening tool can be challenging, especially if your brand name is a common word such as Apple,” Ms. Maksimava says.

“So the main three things to look for are sentiment analysis, so you can handle negative mentions first; real-time results, so you can step in immediately; and flexibility, so you can exclude irrelevant mentions even if your keywords are ambiguous.”

Just be careful to avoid invading people’s privacy.

“There are definite benefits to using social listening tools, but it must be done in the right way,” Mr. Knott says.



Password Reset Functions Opening the Door to Hackers

Opening the Door to Hackers

At the DEF CON security conference earlier this month, researcher Martin Vigo demonstrated a technique using open-source intelligence (OSINT) to compile a target’s phone number through public sources and password reset functions.

If you forget a password for an online account, it is standard practice to request a password reset through either your email address or phone number. In the latter case, you are usually presented with a partial selection of digits from your phone number.

This results in a partial and intentional disclosure of PII that varies between online service providers. For example, eBay offers the first three and last two digits, PayPal prompts the first and last four digits, and LastPass leaks the last four digits.

An attacker is able to submit multiple password recovery requests to different providers it orders obtain up to seven out of 10 digits with relative ease.

Vigo says that it is possible to “reduce the possibilities of guessing your phone number from one billion possibilities to one thousand” through this technique.

The leak of a phone number and connected email account can lead to SIM-swapping, user tracking, caller ID spoofing, and social engineering attacks.

Original Article source: Charlie Osborne | The Daily Swig

Using Open Source Intelligence (OSINT) to show how IAF’s Abhinandan shot down a Pakistani F-16

for  The Print

New Delhi: After the Indian Air Force strike on a Jaish-e-Mohammed terrorist camp in Pakistan on 26 February, followed by the high voltage aerial skirmish the next day between the rival air forces, the widespread din — created from manufactured lies, deceit and a misinformation campaign by the Pakistan Army’s infamous Inter-Services Public Relations (ISPR) — to deny and cover-up tactical shortcomings of the Pakistan Air Force and the shooting down of the PAF aircraft — has pro-actively blurred the truth.

The first casualty of war is always the truth! Somewhere in between this subterfuge is a PAF pilot and an aircraft tail number — shot down in heady combat by an IAF MiG-21, before the MiG itself fell victim to an air-to-air missile fired by the PAF.

The insisted that the only aircraft which crashed in PoK that fateful day was an IAF MiG-21, the fall of which is well documented in multiple amateur video feeds — while craftily masking all evidence of the PAF aircraft crash to serve the wider agenda of upholding the morale and invincibility of the Pakistan Air Force — the Pāk Fizāʾiyah.

While the OSINT (Open-source Intelligence) evidence is available to sift through its worth — the first indication of a massive cover-up by the Pakistani state was provided by none other than Major General Asif Ghafoor, the DG ISPR — who overwhelmed by the need to be ahead in the information war with India — inadvertently gave away the presence of the #DoosraBanda within the hour after the aerial clash.

However, in today’s digital age — it is literally impossible to control and wipe away information traces in toto — especially on a day when hundreds of trigger-happy residents in Pakistan-occupied Kashmir (PoK) had their mobile phone cameras trained towards the skies, recording the massive presence of fighter jets and their ensuing melee.

A highly detailed study of more than 128 OSINT videos reveals — though the Pakistani military was successfully able to impose a media and communication blackout over the crash site of the PAF jet, thus eliminating any proof of the debris on ground, as well as keeping the focus on the crash and capture of the Indian pilot, three videos — two filmed near the PAF jet crash site and one taken across the LoC from J&K — clearly record the last fall of a ‘second aircraft’ in the skies south of Kotli in PoK — proof that the Indian Air Force had indeed shot down a PAF asset that day!

The prelude

At around 1020 hours on 27 February 19, Wing Commander Abhinandan Varthaman of the Indian Air Force crossed into Pakistan-occupied Kashmir (PoK) abeam the Nowshera sector of Jammu & Kashmir (J&K) while flying a MiG-21 Bison of the 51 Squadron. Abhinandan, callsign Alpha-1, who had been scrambled from Srinagar Air Force Base — was in hot pursuit of Pakistan Air Force F-16s which, as part of ‘Operation Swift Retort’, had violated the Line of Control (LoC) and launched AMRAAM missiles against IAF Su-30MKIs a few minutes back.

A MiG-21 Bison of the IAF armed with R-77 and R-73 missiles at an air show | Photo:

Abhinandan was cautioned by the IAF fighter controller at the IACCS node about an F-16 Barrier Combat Air Patrol (BARCAP) going HOT, turning around to face him — with Alpha formation advised to go COLD and return back across the LoC. While Alpha-2, Abhinandan’s No. 2 turned back, Abhinandan pressed on his quest to lock on to the marauding PAF jets. He had search mode indication of at least two F-16s on his Kopyo radar at 30–35 km range on course 290 degrees. Wanting to make sure that he did not have any targets closer than that, Abhinandan switched over to his close combat mode on the radar and swept the area ahead of him trying to get a radar assisted lock for the R-73.

While climbing passing 20,000 feet, he got a lock on tone in one of his R-73s. This indicated that the missile head had locked onto an infra-red source within its gimbal limits. On the basis of a positive lock by the missile, Abhinandan fired the R-73 and turned around on a northerly course, before finally settling on an eastern heading towards the LoC.

About 45–50 seconds after his R-73 launch and about 7 km inside PoK, the MiG-21 was hit by an AMRAAM fired by a PAF F-16.

Safely Ejected

Abhinandan ejected from the stricken aircraft and parachuted to safety, landing 4 km away from the LoC near Horan Kotla village in PoK. He was brutally attacked by civilians, before being dramatically handed over to the Pakistan Army.

His ordeal made him a focal point of the developing crisis when in gross violation of the Geneva convention, the footage of his battered face was intentionally released on Pakistani television and social media by Pakistan Army affiliates minutes later. What was clear was that the Pakistani armed forces had activated the now-infamous Inter-Services Public Relations (ISPR) to get the narrative under control.

Meanwhile, the Indian Air Force, on the basis of the radar picture of the aerial engagement, as well as confirmation from the Indian Army on visual sighting of two aircraft crashing in PoK on separate radials, announced the shooting down of a Pakistan Air Force F-16. It also acknowledged the loss of one MiG-21 over PoK.

Pakistan has since then denied the loss of any airborne asset as part of ‘Operation Swift Retort’ on 27 February 2019.

Evidence 1: ISPR’s infamous ‘Doosra Banda’

The ISPR for all its so-called resourcefulness was overwhelmed by the pace of events after the 27 February aerial clash — when it inadvertently admitted to the presence of a ‘second pilot’ in custody of the Pakistan Army.

Immediately after the crash, Major General Asif Ghafoor — the Director-General of Inter-Services Public Relations (ISPR) and chief spokesperson of the Pakistani armed forces, tweeted on the ISPR handle that two Indian jets had been shot down by the PAF in PoK, with one pilot arrested by the Pakistani army and two still in the area.

While addressing a press conference at noon, a good hour after his first significant tweet, Ghafoor said that — another pilot has been arrested. “Our ground forces arrested two pilots, one of them was injured and has been shifted to CMH (Combined Military Hospital) and, God-willing, he will be taken care of,” said the army official, and reiterated that “the Doosra Banda (second pilot) is with us”. Ghafoor also assured all that no F-16 of the PAF had been shot down since the F-16s were ‘NOT’ used in combat in that sector at all.

Interestingly, Pakistani PM Imran Khan — also confirmed that Pakistan had two Indian pilots in custody.

However, after that press conference, the ISPR chief informed all that the pilot in their custody in the military hospital had died.

At 6:19 pm in the evening, the last tweet on the subject from Ghafoor clarified that the Pak Army had just ‘one’ IAF pilot in its custody. He was Wing Commander Abhinandan Varthaman.

Major General Asif Ghafoor gave the first clue of the ‘second pilot’ to Indian agencies on 27 February 2019

Admissions by Pakistan Army’s ISPR on 27 February:

  1.  There was an Indian pilot in Pakistan Army’s custody.
  2.  There was a second pilot captured, taken to the Pakistan Army Combined Military Hospital (CMH).
  3.  The second pilot in the CMH later died.
  4.  In the evening it was confirmed that Abhinandan was now the only Indian pilot in Pakistani custody.
  5. No F-16 of the Pakistan Air Force was used in the aerial clash that day, so no question of any being shot down by the IAF.

The moot point to observe is that Pakistan had a ‘second pilot in custody’, who later died due to his injuries in the Pakistan Army CMH. When this admission was made, Abhinandan was ‘already’ with the Pakistan Army.

The information on the second pilot to Ghafoor at ISPR would have passed through the following chain of commands of the Pakistan Army:

  1.  The locals who would have captured the pilot.
  2.  The Pakistan Army unit which would have taken him into custody.
  3.  The agency which would have transported him to the CMH.
  4.  Confirmation by CMH.
  5. Confirmation by Pakistan Army HQ at Rawalpindi.

The first four layers of the chain of command would have ‘physically’ seen the second pilot. So, there is NO question of a second pilot being a figment of someone’s imagination.

A friend and colleague from AJK said he saw with his own eyes the other pilot who was being brought to CMH but died on the way. Don’t know abt reality 

Sehar Shinwari@SeharShinwari

Pakistan & Israel do not recognize each others as a sovereign states neither allow their citizens to tavel Pak or Israel. If the 2nd pilot (who was caught after his jet was shot down by PAF) is an israeli citizen then how Pak would return it to Israel under geneva convention

The ‘second pilot’ was a Pakistan Air Force pilot — who was shot down by the Indian MiG-21. Most probably having sustained post-ejection injuries or being manhandled in a similar manner to Abhinandan, he was shifted to the Pakistan Army CMH where he had died. It is a common practice by fighter pilots across the world to fly operational missions without any mean of outward information like name tabs, squadron patches, ranks, etc., making it difficult for the locals to not recognize him as a Pakistani.

In the time between Ghafoor’s first and last tweet — social media, particularly on Twitter — spiked up with a virtual war between Indian and Pakistani sympathizers. The internet presence was spearheaded by over 20,000 fake ISPR handles and bots. There was also a dedicated campaign by ISPR and Pakistani media to showcase the travails of Wing Commander Abhinandan Varthaman in the custody of the Pakistan Army, increasing in intensity as the day progressed.

With the famed ISPR doctrine of ‘delay, confuse and deny’ in play, it was a clear attempt to shift the focus of attention away from the shooting down of a PAF aircraft. There was a second pilot — who was also captured by Pakistan Army on 27 February 2019.

Evidence 2: the Eyewitness account

Now, let us examine the various versions of the videos floating around on social media of eyewitnesses around the crash sites. Some of these witnesses interviewed — claim to have seen at least three different parachutes. The following key aspects emerge from the comments of the various eyewitness. Let us analyze them for their worth.

  1.  There was more than one parachute in the sky — Clearly seen in the various video grabs, this indicates that more than one pilot ejected.
  2. Pakistani civilians had apprehended Abhinandan, who tried to escape, but was caught and handed over to the Pakistan Army — This is documented well with a flurry of ISPR and Pakistani media videos and images on social media.
  3. Ostensibly, one of the witnesses claimed that they had apprehended an IAF Sikh pilot of the IAF — in all probability, the witness had confused Abhinandan, who was wearing a skull cap under his helmet, which resembles a Sikh patka at times. His burly mustache with the patka would have given the impression of him being a Sikh to the eyewitnesses on the ground. The same ‘Horan baba’ provides a very interesting clue though— he says another chatri (parachute) went towards Gola — which is a town further north of Horan. What it implies is that another parachute was noticed north of the location where Abhinandan crashed.

The eyewitness statements clearly established that there was more than ONE pilot who ejected that day in PoK.

Evidence 3: Electromagnetic evidence

The IAF’s Phalcon AWACS had adequate radar pick-up on the aerial engagement unfolding via its powerful airborne AESA radar. In addition, the Phalcon was able to map the large force engagement (LFE) from 20,000 to 50,000 feet, distinguishing and identifying the various PAF fighters taking part through their electromagnetic emissions (radars, navigational equipment and other active sensors) — duly picked up, processed and analysed by the powerful Electronic Intelligence (ELINT) systems. It identified F-16, JF-17 and Mirage IIIs as part of the Op Swift Retort PAF aircraft package.

Radar and ELINT data fused together identified the PAF aircraft operation in PoK near the Line of Control | Image : By special arrangement

This radar data proves beyond doubt — that F-16s were operating against India that day — exposing the lies and contradictions of Ghafoor — exposed further by the remains of the AMRAAM missile found in the Nowshera sector by the Indian military. AMRAAM missiles can only be fired by F-16s in the PAF inventory.

The IAF’s PRO and his team displaying part of an AMRAAM missile fired by the PAF F-16s against IAF Su-30 MKIs | Photo: By special arrangement

Both the IACCS (Integrated Air Command & Control System) and the Phalcon AWACS registered the radar signature of one MiG-21, piloted by Wing Commander Abhinandan Varthaman, cross the Line of Control and engage an F-16 with an R-73 missile.

Radar images of the aerial engagement as released by the IAF | Image: By special arrangement
Overlaying of radar data on satellite maps gives the last known position of the F-16 west of Sabzkot | Twitter

The F-16 ‘kill’ was noticed by the Phalcon’s radar — with the said blip vanishing from the radar scope in the radar picture processed 8 seconds after the previous one, which had shown the blip in place.

The same is corroborated by a Thales GS-100 Low Level Targeting Radar (LLTR) deployed in that area and integrated into the IACCS. The GS-100 is an AESA radar with low-altitude search capability that can track targets up to 180 km range with high accuracy. The post-event milking out of radar data from the GS-100 clearly has shown the MiG-21 closing into the F-16s. The overlapping time and place of the missile launch and the subsequent ‘splash’ with the blip vanishing is registered very accurately, matching with the Phalcon data.

The same LLTR had clearly registered a PAF F-16 maneuvering towards Abhinandan’s MiG-21, as he turned northwards post his missile launch. Guided by the Saab ERIEYE, in a classic Type III converting into a Type IV interception by the F-16 — which fired an AMRAAM from south of Mangla reservoir to shoot down the IAF MiG-21. The LLTR noticed the MiG-21 blip vanishing after nearly a minute post the F-16 kill, matching with the account from Abhinandan’s debrief after his repatriation to India.

There is merit in arguing that a blip can vanish from the scope due to pick up issues over undulating terrain and masking, or tactical maneuvers carried by combat aircraft like cranking or notching to get into the doppler slot of radar, as well as rapid change of height.

However, with over 4–5 geographically distanced ground radars and airborne (AWACS) radars recording the disappearance of the blip, this argument does not apply. The official comment of the Indian Air Force’s Fighter Controller, Sqn Ldr Minty Agarwal, who was vectoring Abhinandan and his No. 2, is available here. She clearly acknowledges that the PAF blip disappeared from her radar while viewing the ensuing air battle in the IACCS node.

This is hard evidence — based on the recorded radar signature of a PAF aircraft— indicative to be an F-16 through ELINT info, which went down in PoK on that day.

Evidence 4: Visual sighting and radio intercepts by Indian Army

The air battle was visible in great detail, on both sides of the LoC, thanks to the contrails formed at the altitudes where the jets were operating on most occasions.

As the F-16 fell to the ground after being hit by the MiG-21, its downward trajectory with parachutes in proximity was recorded by at least 2 different geographically apart Indian Army posts, which accurately estimated that the wreckage would have fallen 8–10 km in PoK general area Sabzkot.

The ensuing air combat as viewed from Pakistan’s side of Line of Control | Photo: By special arrangement

About 40–50 seconds later, the same army posts noticed and tracked Abhinandan’s MiG-21 going down and his ejection in general area Tandar 6–7 km in PoK, which through OSINT is close to the village of Horan Kotla where the wreckage can be seen on social media.

Radio intercepts picked up by the Indian Army around 1145 hours recorded Pakistani soldiers from Northern Light Infantry (NLI) talking about two ‘parinda‘ (aircraft) and two ‘parinde wale‘ (pilots), having bagged one in their custody.

While the first parachute was seen in General Area Sabzkot, the second parachute was spotted in General Area Tandar. The distance between the two locations of the F-16 and MiG-21 wreckage is about 6–7 km.

Indian Army sightings of two different aircraft crashing released by the IAF | By special arrangement
Indian Army sightings of two different aircraft crashing released by the IAF | Map: By special arrangement

In a damning intercept at 1242 hours, a soldier of 7 Northern Light Infantry battalion, Tandar area, blatantly talks about soldiers from 658 Mujahid battalion having picked up a second pilot — which was Abhinandan as seen with the Mujahid soldiers in the various social media grabs. The NLI soldiers already had one pilot in custody at the time. At 1520 hours, another intercept says that while one pilot is in custody, another has been sent to the military hospital.

So if one was Abhinandan with the Mujahids, who was the second pilot with the NLI battalion?

Besides, the initial eyewitness account of PoK locals stating that two parachutes were spotted— the sighting by the Indian Army of two parachutes coming down— proves that a second pilot also landed in PoK that day.

Evidence 5: ‘Evidence tampering’ by DG ISPR

On 5 April, DG ISPR Ghafoor came out with a supposedly new piece of ‘evidence’ to support the claim that Abhinandan NEVER launched his R-73 missile. This happened after the recovery of the MiG-21 debris from the crash site — a photo of which clearly shows a burnt-out R-73 on its launcher rail, with its seeker’s head a few feet ahead, lying near the nose of the MiG-21. Interestingly, the ‘second’ R-73 is NOT visible anywhere in the debris.

Debris of Abhinandan’s MiG-21 aircraft in PoK | Photo: By special arrangement

That caught Ghafoor’s goat and he, with support from the Pakistan Army’s dirty tricks department and some resourceful ‘jugaad’ — tweeted a picture of the so-called air-to-air missiles recovered from the MiG-21 crash site, insinuating that — no missile was fired by the MiG-21 — with all being recovered at the site of the wreckage.

Now, herein lies a story — a story of a lie, deceit and misdirection. Ghafoor posted a ‘grainy’ low resolution photograph of 4 missiles — 2 x R-77 and 2 x R-73. The R-73 missile seen burnt on its launcher, is very much there with its seeker head lying loose on extreme right. But what is a modern-day miracle is the recovery of a near intact Vympel R-73 from the crash site.

Ghafoor opportunistically timed this tweet with the release of the Foreign Policy media piece by Lara Seligman, who claimed in her post that US government sources had confirmed to her that NO F-16s had been lost by the PAF. The article created a furore in Indian circles, wherein the US Government denied that any such count had taken place at all. But Ghafoor was looking for one such opportunity to slip past his misdirection effort, which beyond making him the most ‘liked’ Pakistani General on Twitter — unfortunately exposes his ‘evidence tampering’ lie to a great extent!

A very thoughtful tweet on the above does full justice to Ghafoor’s protracted effort to keep up the disinformation campaign against India.

Yes, Ghafoor and his ilk — picked up an R-73 from the black market or from one of Pakistan’s allies or e-bay or from wherever it came and tagged it as a near intact R-73 — to support that NO R-73 launch took place on that fateful day. In fact, Ghafoor may just find ‘ball-tampering’ in an international cricket match to be a far more worthwhile proposition.

The ‘tampered evidence’ presented by Ghafoor is exposed by these three pertinent questions:

  1.  Why the grainy image, especially since it’s of no help to a serious observer wanting to examine same for authenticity?
  2.  Why NO observers allowed to check on these missiles — up-close and personal?
  3. Why NO serial number of the recovered R-73 provided, not even a partial one?

Ghafoor’s doctored evidence is proof that ISPR desperately wants to bury the PAF aircraft shoot down theory.

Because the ISPR boss knows that he and his army of bots, can control the narrative only so much — knowing well that in spite of the Pakistan Army’s best effort to cover the crashed debris of the PAF asset, social media is a far larger and sordid entity — beyond the control of any single nation — and one day — an image of the ‘second plane’ crashing in PoK will pop out from some abyss of the very medium which the likes of him exploit to generate misinformation, to come and haunt the Pakistani armed forces at large.

Examining fresh OSINT evidence

Beyond all the available hard evidence produced so far — what Pakistan laments and uses as a counterpoint to IAF’s PAF aircraft shoot-down claim — is the lack of any VISUAL evidence of the crashed PAF jet.

128 OSINT videos showing the air melee over PoK — uploaded on various social media and OSINT sites have been painstakingly examined by a group of dedicated Indian aviation enthusiasts with the Twitter handles — @bennedose @bishwa55900127 @sayareakd @anshumig and @joe_sameer.

The motivation for their effort has pivoted around the fact — that Pakistan cannot be allowed to peddle a blatant lie, change the narrative and dismember the ‘truth’ to seek glory for the Pakistan Air Force. The truth, masked behind ISPR’s disinformation campaign is that — an Indian Air Force MiG-21 on 27 February has shot down a PAF fighter jet in Pakistan Occupied Kashmir.

And PROOF to that effect is available — in three amateur videos showing the missile hit, a parachute, the crash of part debris and finally in full glory, the PAF jet’s last fall!
So how do we know that these videos are not fake/ tampered OR from some other part of the world?

To mitigate this, a large amount of effort beyond the deep analysis and reconstruction of the air situation — went towards cross-checking the technical authenticity of the videos (by @sayareak, @bennedose, @Vakil_Raghu) and geotagging/locations (by @bishwa55900127, @bennedose) them to their actual locations as seen on Google Earth and aircraft tactics (@anshumig).

On the basis of this—we can very realistically recreate the events after Abhinandan launched the R-73. Mating the video info and their geolocations with routine mathematics — a crash zone with a reasonable measure of accuracy has been deduced towards the end.
The three videos with irrefutable proof of the fall of the PAF jet are given below. The names reflect the location near which these have been taken from.

  1. Charhoi (PoK)
  2. Thanamandi (J&K)
  3. Khuiratta (PoK)

Evidence 6: The ‘Tadpole’

The ‘Tadpole’ is a nickname given to a tadpole-shaped ‘large smokey cloud-like object’, which was observed from two locations — Charhoi and Thanamandi (ref videos). In both videos, the ‘Tadpole’ stands out against a clear sky, which is devoid of any clouds and any other natural phenomenon.

So, what was it?

Before analyzing the videos, let’s take a look at the position of the Sun in southern PoK area on 27 February 2019 at approximately 1020 — 1030 hours. The position is as shown below, obtained through a Sun position calculator and will be used for calculating the directions as required.

Position of the Sun with respect to PoK at 1030 hours on 27 February 2019 | Image: By special arrangement

1. Analyzing the Thanamandi video

This video was shot by a Kashmiri named Wasim from the Thanamandi town of Rajouri district in J&K, looking towards PoK from his location. It was uploaded on YouTube on 28 February 2019. From the shadow of the objects and the known position of the Sun at approx 1030 hours in J&K, it can be inferred that the observer is looking towards a westerly course of 230–250 degrees.

A tadpole-shaped, cloud-like object is seen falling towards the earth in PoK in the video (Screenshot)
The enlarged view clearly shows a burning object falling, being shielded by a smoke cover.

Image analysis of the enlarged view of the Tadpole indicates the presence of a hot spot — with a fire burning within, shielded by the emanating smoke.

This clearly indicates that the Tadpole is a man-made object on fire.

With feedback from Wasim that he had taken the video from his mobile phone from Thanamandi area in J&K, it was easy to locate and geotag the location using Google Earth. The coordinates of the observer are 33°31’30.90″N, 74°20’37.20″E at an AMSL (above mean sea level) altitude of 4,800 feet. His geotagged position with Google Earth (Courtesy @bishwa55900127) is as shown below:

Geotagged position of Thanamandi observer | Courtesy: @bishwa55900127

The ‘Tadpole’ is mathematically calculated to be at a distance of between 37–40 km from, and 8,000 feet higher than the observer, which makes it 4,800+8,000 feet=12,800 feet or 13,000 feet AMSL. On the basis of this, the (bottom to top) height of the Tadpole is calculated as approx 800–1,000 feet. Thanamandi to Tadpole line is from 33°31’30.90″N, 74°20’37.20″E to 33°22’14.54″N, 73°46’4.47″E, that means that the Tadpole is located anywhere on this line between 37–40 km.

Thanamandi to Tadpole line | By special arrangement

2. Analysing the Charhoi video

The Charhoi video which was shot by an unknown PoK resident using a mobile camera, captures some very crucial events on 27 February. These raw clips from the same mobile within the period 1020–1045 hours were stitched together and uploaded on YouTube.

It shows the same Tadpole as seen in the Thanamandi video from a different direction, which assessing the position of the Sun, is on a course between 020–030 from the observer.

The Tadpole seen from the Charhoi observer’s position
A close up of the same Tadpole

When we superimpose the Tadpole seen from Charhoi with the one seen from Thanamandi, we get the SAME image. Both locations are seeing the same smokey cloud.

Both images show the same Tadpole image

Geotagging and finding the location of the observer took a while since the origin was unknown. However, two images in the video do provide us a clue to the location — a mobile tower and a building with a water tank, both located in the vicinity. The observer is on the building with the water tank. The scene matching with GE was done by @bennedose & @bishwa55900127, who were able to pinpoint the location well.

The video scenes matched to Google Earth | @bennedose

Observer’s location & scene matching in the video | Credits @bennedose

The location of the Charhoi building is at 33°18’29.17″N 73°57’25.38″E. Its elevation is approx 2,900 feet AMSL. Using maths and related thumb rules, the Tadpole near Charhoi was 3,000–4,000 feet above the observer, or 2,900 + 3,500 (avg)= 6,500 feet AMSL. Means that the Charhoi observer saw the Tadpole at a slightly later stage than as seen from Thanamandi. In fact, towards the end in the Charhoi video, one can see that the Tadpole starts to marginally disintegrate.

Taking the heading of the Tadpole from the Charhoi observer as 025 degrees on a north-east extended line, we now bisect it with the extended line from the Thanamandi observer. This gives us a ballpark position of the Tadpole on the map.

The bisector of two observation lines shows us the approximate position of the Tadpole

3. Tadpole — resolving the mystery

The Thanamandi and Charhoi videos clearly bring out that the burning object falling in the sky was made of combustible material. While the Thanamandi observer captured the Tadpole in a well-formed state around 13,000 feet AMSL— the burning object would have needed at least 8–10,000 feet to attain that shape from an initial null position, hence from altitude around 23–25,000 feet AMSL.

The white smoke and cloudy appearance also indicate — very high temperatures and continuous combustion from a supportive material, as well as condensation due to low temperatures of the burning fuel.

So, what would have the capacity to burn continuously, condense, as well as fall at a low ROD giving an appearance of a tadpole-like cloud?


Yes, lots of fuel. Okay, this would have to be a very cold day that warms up dramatically initially and then sustains very gradual warming, leading to condensation of fuel which burns steady and slowly thereafter. But when does this ever happen?

On an average, the temperature drops by 2 degrees Celsius for every 1,000 feet of altitude gained, which would mean a drop of 2 x 22,000 feet (elevation allowance of 3,000 feet) = 44-degree change. With the ground temperature over PoK on 27 February around 1020 hours being in the region of 10-degree centigrade, at 25,000 feet AMSL works out to be +10–44 = – 33 degrees centigrade. And what would cause a sudden, very high-rise temperature spike enough to ignite the fuel at -33 degree centigrade?

That would be a combustible material — which will burn very fast, producing very high temperatures, as well as adjust to temperature changes quickly. Aluminum is second only to copper for rapid heat transfer properties, which will burn at a very fast rate, within a confined zone.

And once the combustible material burns out, the large volume of condensation of fuel would still be good enough to maintain the consistency and cloudy shape of the tadpole, dissipating gradually.

Here’s the $75 million question — What is made of aluminum and carries a lot of fuel in the sky?

A fighter jet!!

For trivia’s sake, 80 percent of the airframe structure of the F-16 is of conventional aluminum alloy.

The Tadpole was formed after an aircraft’s aluminum airframe caught fire due to volatile kinetic stress — the damage releasing huge quantities of fuel in the rarefied cold air, experiencing condensation and started burning at a slow, but steady rate. A gallon of Jet A-1 type fuel weighs 6.66 pounds, which in its condensed form would have a low rate of decent — the net result — white smoke due to very high temperature (in addition to the aluminum airframe and fuel, all the armament would have exploded) intermixed with condensed fuel falling towards earth very slowly, forming a near definitive cloud-like shape till dissipation at lower (warmer) levels.

On that day, temperatures till about 4–5,000 feet AGL would have been below freezing point, hence seen for a large duration of time from two different locations. Would probably have started to dissipate below 5,000 feet AGL, especially with the airframe having burnt out much earlier, encountering warmer temperatures below the freezing point during descent.

The Tadpole’s journey from 15,000 feet to 5,000 feet

Refer to the Thanamandi image on the left — the hot spot nearly encompasses an area of 150 feet (height) x 75 feet (width), which indicates a super-HOT core. In the Charhoi image (right) there is no hot spot, which indicates the combustion material may have completely burnt out. There would however be very small pieces of unburnt debris and molten metal, which would have fallen below the Tadpole over a large area.

A very critical output here is that — MOST of the airframe would have burnt out at a very fast rate, hence no large-sized debris in that zone.

The Tadpole— is the VISUAL PROOF of the crash of a second aircraft in PoK on 27 February 2019!

IF IAF only lost one aircraft — who lost a second aircraft that day?

Why the Tadpole cannot be the IAF MiG-21 is addressed in subsequent paragraphs. Also, the claimed Su-30MKI kill by the PAF was supposed to have fallen over J&K, not PoK.

I can close the argument right here — because we now have the VISUAL proof of a ‘PAF asset’ going down during Op Swift Retort!

Yes, there is no image of the debris on ground (neither will there be anything meaningful)— but since time immortal, kills have been granted basis gun camera footage — in the absence of which, the crashing image of the ‘Tadpole’ is a very serious piece of evidence — debunking consistent lies of the PAF and ISPR on the subject.

However, let’s continue the reconstruction of events to get to the bottom of what happened that day! So, what caused a PAF fighter jet to convert into a Tadpole?

It all started with a puff!

Evidence 7: The puff

The ‘puff’ was the point of impact of a R-73 missile with the PAF aircraft. It can be seen in two videos in different capacities, setting in motion a series of events, which culminated in the formation of the tadpole.

Analysing the Charhoi video

The Charhoi video interestingly starts with a missile streak and appearance of a small ‘puff’ of smoke after some seconds, followed by the sound of twin thuds at an estimated distance of 4–5 km from the observer.

Based on the Sun’s position that day, the observer is looking at this on a heading between 290–320 degrees. The visible missile streak is indicative of an air-to-air missile, with the puff being its point of impact.


A missile streak and a subsequent puff is visible in begining of the Charohi video
A missile streak and a subsequent puff is visible in the beginning of Charhoi video
The red circle shows the approximate position of the puff from the observer

Could it have been a contrail? Possible at higher levels as seen that day — but unlikely around 25,000 feet for a small missile.

The puff appears 4–5 seconds after the spotting of the streak in the video, followed by two sharp thuds. Is this the MiG-21 shootdown video?

No, NOT the MiG-21 being hit by an AMRAAM (the MiG-21 crash videos is available here and here as reference). The MiG after being hit, fell down fast, with a well-formed smoke trail and one loud sharp bang — While in the Charhoi video, no other event is noticeable around the ‘puff’ for a considerable period thereafter.

The major difference being that — the ‘puff’ indicates an explosion of a warhead which has NOT caused any upfront incendiary damage — On the other hand, a large smoke trail in the MiG video is indicative of a post-impact explosion and trauma.

Also, the twin thuds heard in the Charhoi video, indicate the explosion of the missile warhead and probable deceleration below Mach 1 barrier by the stricken aircraft (wherein as per IACCS radar info, most PAF BARCAP F-16’s were flying supersonic over Mach 1+)

Comparison of MiG-21 shootdown vs events as seen by Charhoi observer

In terms of direction, for the observer at Charhoi — the MiG-21 crash site is on a southerly course of 170 degrees or so, while the ‘puff’ is on approx. direction of 300 degrees. Hence the missile streak and the ‘puff’ in the Charhoi video are not related to the MiG-21 crash at all.

The ‘puff’ as seen in the video is the point where the proximity fuse of the R-73 has activated its warhead close to a PAF aircraft (not visible).

Sceptics will question why can’t this be an AMRAAM fired from a PAF jet? To the best my knowledge, no PAF missile was fired in this direction. On the other hand, the R-73 launch and distance covered by the missile matches perfectly with Abhi’s initial position as per the IACCS radar picture provided in Evidence No3. More on this later.

Interpretation of the streak and the subsequent puff in the Charhoi video

Evidence 8: The puff, a parachute & a piece of debris

The journey of the PAF aircraft after being hit by the R-73 is captured in video No. 4 called Khuiratta, available here.

Captured by an amateur who would have reacted at least 10 seconds after hearing the twin thuds post the ‘puff’ event and spotting the scene unfolding — this is taken near the town of Khuiratta in PoK. The observer is capturing the aerial component of the video and looking on course 220–250 degrees, which confirms with the angle of the Sun at that time.

This video provides the chain of events between the ‘puff’ and the ‘Tadpole’ — capturing the impact point ‘puff’ (which appears momentarily at 1:14 in the video) and after that, details the fall of a debris from the PAF aircraft and a parachute coming down.

The Khuiratta video, though mostly shows the debris piece and the parachute, also momentarily shows a glimpse of the puff

If we take a close-up look and compare the puff seen in the Khuiratta video, we see that it’s the same event seen in the Charhoi video.

The ‘puff’ recorded in the Khuiratta and Charhoi videos are nearly identical

The geotagging and Google Earth scene matching of the observer’s position was done by @bishwa55900127, which is shown as below.

Scene build-up from the Khuiratta video | @bishwa55900127


Credit | @bishwa55900127
Credit | @bishwa55900127

The location of the Khuiratta observer is at 33°14’13.82″N, 73° 54’25.29″E

Next we calculate the distance to the various objects seen and their direction lines. Here @bishwa55900127 has done the math well.

The montage of linked images shows the complete scene in the video | @bishwa55900127

The montage of linked images shows the complete scene in the video. The highest entity seen in the video is the ‘puff’, which may be around 25,000 feet AMSL. Mostly we see a parachute and a partial debris falling towards the earth. What is interesting to note is that these (puff-parachute-debris) appear to be on a near line.

Puff line: 33°22’9.96″N, 74° 0’23.89″E to 33°17’27.90″N, 73°52’47.01″E
Debris line: 33°22’9.96″N, 74° 0’23.89″E to 33°20’32.56″N, 73°51’4.00″E
Parachute line: 33°22’9.96″N, 74° 0’23.89″E to 33°20’15.53″N, 73°51’10.37″E

The distance of the puff from the observer is around 11 km (with the aircraft at 25,000 feet AMSL). The debris falling is a piece of the aircraft and NOT the complete aircraft. The various inferences are:

  1. The ‘puff’ or a missile impact is clearly seen from two different locations. In the Khuiratta video we have assumed that the observer starts to record 10 seconds after hearing the twin thuds from the R-73 explosion.
  2. In the video — we see a low rate of descent object falling — which can only be a parachute.
  3.  There is a displaced gap between the ‘puff’ and the parachute and the debris. The approx distance between them is calculated as 6 km. It also indicates that the pilot ejected after a ‘delay’ post the initial impact at the ‘puff’.
  4. The debris falling with a high rate of descent in this video is a ‘partial’ debris piece from the aircraft, having detached from the aircraft. This debris, will be the largest part of the aircraft still intact, especially in light of the fact that most of the airframe would have burnt during the Tadpole formation in the next phase— being seen to fall from the sky without any major fire.
  5. We still cannot see the aircraft in the video.

Why can’t this be the MiG-21 crashing?

It is not — because both aircraft crashes, are TWO distinct and DIFFERENT shoot-downs — each exhibiting a characteristic conveying the manner in which they were shot down.

Abhinandan’s crashing MiG (left) vs the PAF jet crash (right)

The Khuiratta video shows the parachute of a PAF fighter pilot, as well as a part of the debris falling after the ‘puff’ event — cementing the fact that there indeed is a ‘Doosra Banda’ in this very intriguing episode.

It also gives us a clue that in all probability, the PAF aircraft which crashed was a single-seater, unless for some reason in a twin-seater — the other pilot was not able to eject out.

Combining the observation lines from all 3 videos

Combined chart of the various observation lines from various locations

The combination of the observation lines from all three videos from the puff to Tadpole formation stage, will help us zero down on the approximate landing zones of the PAF parachute, the falling piece of debris, as well as the Tadpole formation zone.

What we don’t have is the altitude of the PAF jet when it was hit? Also, what was its speed and related parameters? A combination of these inputs, will give us near accurate points on the observation lines as shown above. This would help resolve the investigation into the subject in the most logical manner.

For this, we will need to go back to the time — when Abhinandan crossed over into Pakistan-occupied Kashmir around 1020 hours.

‘MiG-21 vs F-16’

Reconstructing the AIR COMBAT ENGAGEMENT over PoK between 1020 to 1045 hours

Wing Commander Abhinandan Varthaman crossed over to PoK sometime after 1020 hours, flying at 0.9 Mach at an altitude of 15,000 feet. He spotted targets on his Kopyo radar in search mode at 30–35 km, higher at 30–35,000 feet. He switched to close combat (CC) mode on course 290 (deg) and sweeped (cover a specified Field of View from the nose) the area ahead to pick anything closer. He was climbing. His approximate position is as shown in the radar picture shared by the Indian Air Force.

IAF Radar Situation Map | Image : by special arrangement
IAF Image superimposed on a map | Image: By special arrangement

Abhinandan was callsign ‘Alpha-1’. At this stage his No. 2 (Alpha-2) had turned back and was back in Indian territory.

Coincidentally, the PAF Barrier Combat Air Patrol (BARCAP) at that time, may also have had the call sign ‘Alpha’.

Tens of minutes before that 2 x 4 aircraft F-16 formations (total 8 aircraft) of 9 Sqn (Griffins) and 29 Sqn- CCS (Aggressors), both from Sargodha AFB had performed Offensive Counter Air (OCA) Missions at the LoC, where they had fired 4–5 AIM-120C-5 missiles against IAF Su-30MKIs, claiming a Su-30MKI kill. Two formations (C/S Bravo & Charlie) had fallen back around 1017 hours and the third (Alpha) now formed the BARCAP in depth. These were controlled by a Saab ERIEYE AEW&C aircraft, Callsign — ‘Vigil’. Alpha 1–4 (all probably from 29 Sqn-CCS) were the 4 x F-16s which the IAF radar picture showed.

According to sources in the IAF, the call sign of the aircraft which went down in PoK that day was ‘Alpha-3’. This is according to PAF’s R/T intercept, wherein after this sharp engagement, Callsign Alpha-3, never responded back on any communication channel.

Initial Situation Map based the shared IAF data
Initial Situation Map based the shared IAF data

As Abhinandan was looking for targets in CC mode, he got a missile seeker head lock. Important to note, it was not a radar assisted Lock, but a missile head Lock — which picked up a heat emitting target out to 30 km within its 30 deg field of view.

Abhinandan fired his missile while on course 280 at 20,000 feet, turning northwards and finally settling down on an eastern heading towards Jhangar in J&K for a getaway.

So what really happened that day?

The subsequent sequence of events gives a ‘blow by blow’ account of the final aerial engagement till the last fall of a PAF jet in PoK.

The Consolidated Air Situation Map based on OSINT & Shared data (Not to Scale)

Refer the above consolidated air situation map for events taking place, sequentially marked from 1 to 10 from 1020 to 1040 hours in the following paragraphs.

Event No. 1: 1022 hours — launch of an IAF R-73 AAM against a PAF F-16

  1.  Abhinandan launched a R-73 missile on a heading of 280–290 degrees at 20,000 feet after the missile head locked onto a target in frontal quarters. Since the radar was in close combat (CC) search mode at that time, the aircraft being tracked by the R-73 would not have got any Lock ON chirp on its radar warning receiver (RWR). Neither does the R-73 missile give any approach warning while using passive guidance. The PAF aircraft, targeted by the IAF MiG-21, was NOT aware that a R-73 missile had been fired against it.
  2.  The R-73 seeker could have locked on to two PAF jets, one at north edge and the other at the bottom edge of the Mangla reservoir. The blip at the north edge, which subsequently vanished from the scope was flying at Mach 1+ at 32,000 feet.
    Image: By special arrangement

    The IAF’s ELINT data suggests that an F-16 was on the bearing where PAF’s Alpha-3 was noticed — hence in all probability, the blip which vanished was an F-16.

  3.  This F-16 was identified to have a the callsign — ‘Alpha-3’ (IAF radio intercept).

 Event No. 2: 1022 hours — PAF targeting Abhi’s No. 2

  1. The PAF’s F-16, north over the Mangla reservoir, Call sign Alpha -3 was vectored eastwards to intercept Abhinandan’s No. 2, who by now was back across the LoC in J&K, heading north east in the Rajouri sector.
  2. According to reconstruction of the situation, the F-16 (Alpha-3) was at 32,000 feet and assisted by ‘Vigil’ (AEW&C) picked up the MiG-21 (Abhi’s No. 2) on his airborne interception (AI) radar at 60–70 km at 18,000 feet. The F-16 did a fast descending turn to a lower altitude to build up speed and achieve his firing solution sooner, as well as carrying out a rapid change of height to break any fire control lock with all aware that MiGs had crossed the LoC. For info, at Mach 1.5 the AIM-120C-5 AMRAAM receives a bump up of 10–15% in max range (standard USAF AMRAAM firing tactics).
  3. He would have fired his AMRAAM at IAF’s Alpha-2 between Dmax 1-2. This missile is seen in the Thanamandi video. We can also hear the sound of the Indian MiG-21, indicating it was close.

We know for sure now that the PAF fired an AMRAAM on Abhi’s No. 2. The AMRAAM missed Abhinandan’s No. 2, who had gone COLD by then.

Event No. 3: 1023 hours — The ‘puff’

  1. This describes the ‘puff’ point, when the R-73 missile fired by the MiG-21 reached the vicinity of the F-16 and activated its proximity fuse. The ‘puff’ happened at the cross-section of the observer to the ‘puff’ lines from Khuiratta and Charhoi.
  2. From Abhi’s last plotted position to the calculated position of the ‘puff’ is a distance of 20 km. The R-73 would have covered this distance + distance required during the proportional navigation ‘lead pursuit’ trajectory. Assuming max 2–3 km deviation for this trajectory from point to point navigation with a non-manoeuvring, supersonic speed F-16 in the R-73’s frontal quarters, passing left to right and descending. So, the R-73 covered approx 22 km to the ‘puff’ location. The F-16’s trajectory actually benefits the R-73 in adjusting a steady (greater) lead ahead and bleeds lesser energy. Reverse calculating, we get time of flight of R-73 to ‘puff’ location at an average speed of 612 m/s at 35 seconds.
    Advantage of ‘Lead pursuit’ over ‘pure pursuit’ guidance
  3. Flying at Mach 1 (conservative estimate), descending from 32,000 to 25,000 feet, the F-16 would have covered a ground distance of around 375 meters every second (subsonic to supersonic at an average altitude of 28,000 feet at -39 to 40 deg centigrade for that day). Assuming it turned for 3-5 seconds before it proceeded for the intercept (IAF radar picture showed this F-16 in a slight descending turn to left and assuming 20 deg/ sec rate of turn), in 35–5 = 30 seconds — it would cover 11,250 m or 11.25 km — which is close to the estimated distance of 12 km from the F-16s initial position north of Mangla reservoir to the ‘puff’.
  4. An R-73 missile can intercept a 12G manoeuvring target at 0.3–30 km. The F-16 was placed around 22 km (trajectory inclusive) from the missile. The F-16 was well within the kinematic performance range available to the R-73 missile to shoot down the F-16.
  5. How are we sure that it was this aircraft which fired the AMRAAM at Abhi’s No. 2 across the LoC? We are sure because we observe only two missiles fired by the PAF inside PoK that day. This was the first event, the second was fired to shoot down Abhinandan seconds later from south of the Mangla reservoir and Mirpur town.
  6. So why no explosion at the ‘puff’? For this we need to understand that the R-73 would have exploded at a near beam (3 o’ Clock) aspect to the F-16 based on our investigation. In my earlier assessment of April 19, I had assumed that the missile hit the F-16 in its frontal quarters. However, I did not have the IAF radar picture and the newer video evidence. The R-73’s proximity fuse activating the 7.4 kg continuous rod warhead in that aspect.
    The R-73 missile engineering drawing

    Let’s understand how the R-73 warhead would have exploded

    The R-73 has a continuous rod warhead weighing 7.4 kg — which is activated by a proximity fuse when it senses an aircraft in close quarters. When detonated, the high explosive imparts momentum to the rods, thrusting them outward in an expanding circle. The pressure wave from the explosive acts evenly on the rods over their length. The rods are sufficiently soft to allow the expansion without breaking the rods or the welded joints, and the detonation velocity is limited to approx. 1000 m/s, allowing the rods to bend at these locations instead.

    At some intermediate point the ring will have a zig-zag (alternating direction) appearance within a cylindrical envelope — Upon ultimate expansion, the ring is circular and contained within a plane. This rapidly expanding ring, when hitting the aircraft, is more effective than an equivalent fragmentation warhead — for the scientifically inclined, the ring’s effectiveness decreasing as 1/R, rather than 1/R2 for fragments.

    Portions of the aircraft intercepted by the expanding ring of the continuous rod warhead — will receive a continuous cut through the skin, light structure, underlying cables, hydraulic lines, and other plumbing if present — This may cause a structural failure, or, if not, can be sufficient for defeating the redundancy of aircraft systems. The effect is only pronounced as long as the ring is unbroken, so multiple layers of rods are employed in practical weapons to increase the effective radius.

    Expansion of a continuous rod warhead explained 
    Analysing the effect of the R-73 warhead hitting at right beam quarter to the F-16
  7.  On the basis of the above, we identify two zones of damage on the F-16. Traveling at supersonic speed, the nose and the cockpit area of the F-16 would have sustained limited damage due to shrapnel. This may, however, be enough to critically injure the pilot/s. The brunt of the continuous rod warhead would have been borne by the middle to rear portion. What the ‘puff’ indicates is that the damage was mostly due to the shrapnel’s kinetic effect, not a violent incendiary explosion of any manner. The supersonic state of the aircraft is the most probable reason for the F-16 not catching fire due to the expanding ring of the warhead. Continuous rod warheads generally tend to induce damage, which can slice open an aircraft as can be seen in the case of Abhinandan’s MiG-21, which was hit from the rear. So, while no explosion is visible, there would have been internal damage in the rear portion, as well as a new direction vector — a mix of aircraft forward speed and the impact from the right due to the warhead explosion, would have veered the damaged aircraft to the left.
  8. So what was the damage on the aircraft after the hit at the ‘puff’ stage? For this, we get a very brief idea in the Charhoi video. After the puff, the videographer briefly records the state of another ‘puff’ like an object, which is, however, moving towards the right, which is identified by the effort of the person to maintain this smoke blob in the center of the field of view of the phone. We know that this is not the puff, because the Sun position for this is different. Interestingly in a short glimpse around the 21 second run of the video, we see this object dividing itself into two parts.

This object which divides itself later on into two segments is the elusive aircraft — which has moved on from the ‘puff’ position when captured by the observer on his phone.

The R-73 hit the F-16 at supersonic speeds around 25,000 feet at the ‘puff’ location. After which it veers to the left as a result, and a few seconds later broke into two distinct parts due to damage by the R-73 warhead.

Event No. 4: 1023 hours — The ‘Parachute’

  1.  In the Khuiratta video, we see a distinct object with a low rate of descent. While we are unable to identify the same adequately from the close-up, the rate of descent indicates that this is a parachute.
    The puff, the parachute, and the debris in the Khuiratta video
  2.  So, after the ‘puff’ event at 25,000 feet, the aircraft’s direction veered to the left on a north-westerly course, which was the resultant direction of its initial supersonic speed and the impact of the R-73 warhead from the right. Let’s assume at the point of impact at the ‘puff’ location, the speed of the aircraft was Mach 1 (375 m/s). Post impact by the R-73 with a velocity of at least 500m/s — the resultant velocity in the left turn would be approx 250 m/s for same AUW. This is effectively 990 kmph or 535 knots.
  3. Now we notice, that from the ‘puff’ to the parachute/debris, the altitude of the aircraft hasn’t changed more than 1,000 odd feet. This indicates that the engine was partially still processing power output.
    Reference the 25k feet line from the puff
  4. The puff to the tadpole distance shown on the 25,000 feet AMSL line in the above image is about 10 km. So, the aircraft, from the puff point, traveled 10 km before converting into the tadpole shape. At what average speed will the aircraft be able to cover 10 km from the puff point? The average speed = 650 kmph, achieved by partial engine run till at least 35–50 sec after impact at the ‘puff’ point.
  5. The F-16 was at 25,000 feet AMSL. From the observer at Khuiratta, the puff will be at a ground distance of 11 km.
  6. Since the videographer reacted basis the twin claps at the puff to film the scene, we take a 10 second reaction time. Sound travels from puff to Khuiratta in 37 seconds. So, he would have filmed at 37 + 10 seconds = 47 seconds. when he started filming, 47 seconds had elapsed since the ‘puff’, the parachute deployed and the debris falling. In those 47 seconds, the aircraft would have traveled 8.4 km. In 37 seconds, the aircraft would have covered approx 6 km.
  7. The parachute position will be 6 km from the Khuiratta observer to the puff line, on 25,000 feet puff to Tadpole line.
  8. Deploying all seen elements on the 25k line from the puff, we get approx positions of all objects seen in the air that day.
  9. At 6 km from the puff, the pilot of the F-16 ejected out of the stricken aircraft either before or after the separation of the debris, a good 36 seconds post the missile impact. What we analyzed a bit earlier becomes relevant now, with the separation of the debris from the main aircraft body around 5-6 km from the puff, about the time the pilot ejected out. This is also the time where I believe the partial working engine would have stopped. After this, the aircraft would have coasted another 4-odd km, before becoming the tadpole.
  10. Back to the parachute. The ROD of the parachute is lower than the debris, but cannot be calculated as not enough frames are available on the parachute, the observer focussing on the falling debris.
  11. So why did the pilot delay the ejection till 36 odd seconds after the missile hit? The most plausible answer is either the pilot was injured in the missile strike or was still assessing the state of the aircraft with engine running partially, although with the aircraft breaking in at least two pieces after 36 seconds, the pilot would have got signs inside the cockpit a good 15-20 seconds before. Hence the latter may not be plausible. A delayed ejection by the PAF pilot indicates that the pilot may have been stunned and injured in the R-73 hit.
  12. The approximate location of the landed pilot after ejection would be on the Khuiratta — parachute line, which is displaced by 6 km from the ‘puff’ to parachute line.
  13. After landing it is highly possible that the pilot was either mobbed by PoK residents or would have been in an unconscious state due to injuries sustained.
  14. It is quite possible he would have been mistaken for an IAF pilot due to the following reasons:

#The PAF’s F-16 ACES ejection seat resembles an Indian flag with its colors.

# Most probably, there would be no outward indication on his flying coverall of any PAF affiliation. The fact that IAF and PAF belong to the same subcontinental stock would have made any meaningful resemblance easier for a case of mistaken identity.

#The larger piece of the aircraft had landed a good 4–5 km from the pilot’s position, hence there was no means to know by the smaller debris that it was a PAF jet. The Doosra Banda mentioned by DG ISPR had landed north-west of Charhoi around 1025 hours. An information blackout was enforced in the area by Pakistan immediately after the crash, hence no close-up video is available of the parachute and the debris landing on the ground.

Event No. 5: 1023 hours — The ‘Debris’

The debris was a smaller part of the aircraft, most probably it’s tail portion, given that the R-73 would have inflicted most of the damage in the middle — rear section of the F-16.

  1.  It was spotted by the Khuiratta observer falling at a high ROD. Its rate of descent has been calculated at 180 m/s.
  2.  The piece of debris would have fallen on the Khuiratta to debris line and would be 6–7 km from the puff to debris line (25k line).
  3.  That there is no news ever heard on the debris indicates that the Pakistan Army was able to quickly move in and clamp down on the evidence.

Event No. 6: 1024 to 1028 hours — The Tadpole

The Tadpole was formed a further 4 km ahead of the parachute/ debris line, the momentum of the aircraft taking it beyond, until, post the debris separation the aircraft, the remaining airframe finally caught fire, with thousands of gallons of fuel converting into millions of permeable and condensed droplets, taking a smokey cloud-like appearance, resembling a tadpole.

The formation and end have been explained in the evidence section.

  1. The Tadpole was seen in decent fidelity from the Charhoi and Thanamandi videos.
  2. It is proven beyond doubt to be a man-made object.
  3. Behind the smokey cloud of high temperature and fuel, the main airframe caught fire and burnt to a great extent.
  4. The only debris left from the airframe would be smaller sized unburnt articles and semi-molten/molten pieces, which probably would have rained down below the overhang of the Tadpole.
  5. The smaller pieces of debris would have ensured that no one would be wiser to the fact that a PAF asset had been shot down. This was one of the major reasons why the Pakistan Army was able to ensure a complete blackout of information in the Kotli and Charhoi zones. However, the leftover/critical pieces of debris may have been collected over a period of time.
    By special arrangement

Is it a coincidence that the Pakistan Army issued an advisory in the Kotli area immediately after the tadpole crash — about use of across-LoC rockets by the Indian Army?

It was claimed that the Pakistan Army destroyed a couple of Indian rockets in the air. This would be the perfect alibi to cover up for the far strewn small debris/ molten elements from the crash of the PAF jet.

Tadpole — is the most conclusive VISUAL proof of the crash of a PAF jet in PoK that day.

Event No. 7: 1022 hours — The AMRAAM launch at the MiG-21

This event is characterized by a large-scale tactical failure by the PAF BARCAP, which allowed the IAF MiG-21 to penetrate 10-odd km into PoK before any tactical action was taken against him.

The AMRAAM was fired by Wing Commander Noman Ali Khan of 29 Sqn, embedded with the Combat Commander’s School (CCS) at Sargodha. Noman reached south of Mirpur, with a steady AI Lock on his APG-68 V9 radar, launching at least one AMRAAM against Wing Commander Abhinandan’s aircraft. A video link to the AMRAAM fired by him against Abhinandan on an approximate course is available here.

AMRAAM launch by PAF against Abhinandan

Fired from an altitude of 30,000 feet the AMRAAM covered the 20-odd km within its NEZ quickly and hit the IAF MiG-21 in the rear. Abhinandan ejected out successfully.

The IAF MiG-21 was shot down by a PAF AMRAAM and not a surface-to-air missile.

Events No. 8, 9, 10: 1023–1034 hours — The crash of the IAF MiG-21

50 seconds after Abhinandan Varthaman fired an R-73 against a PAF jet, he was hit by an AMRAAM. the MiG-21 crash is very well documented.

Event 8 indicates the missile hit point.

MiG-21 crash recorded near Horan Kotla in a clear video

Event 9 indicates the parachute landing point near Horan Kotla village. Event 10 indicates the area where the unburnt debris fell down.

Debris of Abhinandan’s MiG-21 aircraft in PoK | Photo: By special arrangement

Abhinandan, post ejection had a harrowing escape, when he was manhandled severely by an irate mob, saved by the arrival of the Pakistan Army in the nick of time. And yes, my Pakistani readers, the cup of tea is appreciated and will indeed be reciprocated!

He was made a pawn in a heightened disinformation war with India by the ISPR and after some deft diplomacy by the Indian government, was repatriated after 3 days in Pakistani custody.

Event No. 11: 1040 hours — A Pakistan Army search & rescue (SAR) helicopter

The last piece of the puzzle which supports that a PAF jet was shot down on 27 February is provided by an innocuous-looking Pakistan Army light communication helicopter, a Bell Jet Ranger. Utilized routinely for communication duties, the helicopter would not have caught our eye, except that it is featured in the Charhoi video flying at ultra-low level, after the Tadpole event.

After plotting its path, we see it make a left turn in front of the Charhoi videographer, heading for…surprise, surprise…the location of the downed PAF pilot’s parachute landing zone.

A Pakistan Army Jet Ranger is seen flying in front of the Charhoi observer

A major aerial engagement had taken just a few minutes back, with the perpetual loss of situational awareness (LOSA) still hanging over the battlefield, what business did a Pakistan Army communication/SAR helicopter have flying around without a highly urgent task at hand?

Or maybe the heli did have an urgent task.

Notice the path of the SAR helicopter plotted at 1040 hours towards the PAF Pilot’s landing zone

The Bell Jet Ranger was airborne minutes after the aerial engagement to locate and pick up the crashed PAF pilot.

Analyzing the fog of war

Yes, there would have been solid confusion in PoK from 1020 hours to 1100 hours. In the air, the PAF would have been surprised by the dash of the MiG-21, more after the PAF aircraft went missing. I am informed that a loss of situational awareness (LOSA) happened as soon as an R/T check was done after shooting down the MiG-21.

In fact, it is highly probable that the Tadpole may have been seen visually by other members of the Alpha formation, realizing for the first time that another jet has gone down. This is reinforced by the fact that we can hear aircraft sound over the tadpole in the Charhoi video. The PAF knew they had lost an asset within minutes of its loss.

On the ground it may have been even more chaotic. Abhinandan fell, with his aircraft in close vicinity, so was easily tagged and captured. But with the parachute and debris landing north-west of Charhoi, and the Tadpole still in the air — would have given an impression to the Pakistan Army on the ground that — two more aircraft had been shot down. This may indeed be the origin of the legend of the Doosra Banda.

  1. Abhinandan is captured by the Pakistan Army near Horan Kotla — Ghafoor confirms.
  2. One parachute lands north-west of Charhoi — Ghafoor confirms the second pilot in custody, picked up by SAR heli to CMH.
  3. The Tadpole in the air — The Pakistan Army assumes that a second IAF jet has crashed. Ghafoor informs that another pilot is yet to be captured.
  4. The debris near the PAF pilot tagged as an F-16 part and media/Internet blackout in Charhoi.
  5. Reports of small molten debris from Tadpole area. An investigation by evening reveals own aircraft. Information blackout and alibi of Indian surface-to-surface missile attack floated, with two of them intercepted by Pakistan Army. Would fit well with the debris evidence in the area, which people will believe.

There was also a communication gap between the PAF and the Pakistan Army during the first hour.

The Indian Army visual sighting of the PAF pilot was bang on in the General area Sabzkot.

By special arrangement

The crash search area

Unfortunately, no meaningful Indian or International ISR satellites with a good resolution were in the area of PoK where the PAF jet crashed All the major space assets were busy filming the Balakot camp on a displaced orbit about 100 km to the left of the crash sites. At the same time, there was never much debris either, which probably saved the Pakistan Army a lot of headache in terms of information control.

The map given below is the most accurate depiction of the search zones for the various events and can be used as a reference.

Accurate crash site depiction | @bishwa55900127

Was it an F-16?

This was the most obvious question for us while we were investigating this crash. That it was an F-16 is based solely on the IAF’s ELINT signatures, which identified F-16s operating on these radials. In reality, it could have been anything which the PAF flies. But yes, most probably it was an F-16, in addition to the ELINT signature, also verified by the AMRAAM launch against Abhinandan’s wingman.

Endgame — A bonafide closure to the case!

With this — the investigation and consolidated recreation of the events and the aerial combat which took place in the PoK are complete. There will be a ton of questions from like minds, zillions of naysayers haranguing in their ugliest format from across the world, and far more bursting at their seams, laughing at what they would interpret as, skewed logic, a saga of fiction or whatever.

Yes, whatever the affiliation, whatever your motivation — but if you are reading this — you want to know the truth or for that matter, find the right loopholes to checkmate the same.

However, the way you perceive yourself is what enables, or disables, you. And this has been the cheekiest of them motivations, which has helped me and my colleagues — @bennedose @bishwa55900127 @sayareakd @anshumig and @Vakil_Raghu get to the bottom of this affair.

Pakistan cannot be allowed to peddle a blatant lie, change the narrative and dismember the ‘truth’ to seek glory for the Pakistan Air Force.

The truth, masked behind ISPR’s ruthless disinformation campaign is that — an Indian Air Force MiG-21 on 27 February 2019 shot down a PAF fighter jet in Pakistan-occupied Kashmir.

Tragically for the Pakistani nation, with the Pakistan Army adept at hushing up the deaths of hundreds of its soldiers without as much as batting an eyelid — there is nothing more deceptive than an obvious fact — and somewhere in between this blatant game of lies and deception by the ISPR — is an F-16 tail number and a dedicated PAF pilot — both of whom have served Pakistan to the best of their ability may now have had their records unceremoniously wiped out from the face of earth to serve a wider subterfuge of upholding the morale and image of the Pāk Fizāʾiyah, the pantheon of past glory and Pakistan’s best shot at hitting back at India in these times of turmoil. But can any air force afford to prosper on a bedrock of lies and deceit, a reputation dented by the controversy, always on the tenterhook of being exposed or for that matter not care at all?

Unfortunately, the Pakistan Air Force with a proud heritage has done just that!

Never in the past has the PAF had to confront so many quarters, justify and dodge the right questions and disconnect the truth at such a feverish pace. The truth masked by a perpetual lie, far beyond the accepted threshold of chivalry and character of combat aviators over the ages. A convenient lie to serve a few in the Pakistan Army and Air Force, a so-called necessary lie which has overwhelmed even the PAF’s finest like Kaiser Tuffail.

There’s an apparent misconception in the Pakistan Air Force that survival of the fittest means survival of the most aggressive.

Wanton aggression was displayed by the Pakistan Air Force when their top dogs, the F-16s from Sargodha, fired a barrage of AMRAAMs against the IAF Sukhoi formation (Callsign Avenger) across the LoC, aiming to shoot a bunch of them down. What glory was there to be had in getting a kill in a rather sneaky manner — all justified in the name of the cold and calculative visage of modern-day air combat?

After Balakot, the PAF wanted to prove a point to India, send across a message that the forces were in balance; risking the highly dynamic threshold of escalation — the hallmark between a bold and stupid decision.

And when challenged by a chip of the old block, a fighter pilot flying an aircraft a generation lower than the PAF’s best, ignoring the thin red line of sound judgment and cheeky recklessness in combat. Doing so, with that single feat of daring can alter the whole conception of what is possible, displaying aggression at par or more. When confronted with the tip of the sword against their face, the icy cold aggression of the PAF’s air warriors took a serious hit.

Alpha -1, Wing Commander Abhinandan Varthaman, was from a fleet where the ‘Right Stuff’ is still audacity, grit, and ingenuity. In the likes of him — there’s still that edge that the Indian Air Force so much believes in; that attitude of leaning into a conflict. No slathering in shaking fists, but a resolute application of will, of force!

Abhinandan went into the wolf’s layer across the fence and threw in a knockout punch in the finest traditions of an Air Warrior. There was no glory for the PAF in shooting his MiG-21 down; if at all there was any glory in this for the PAF, it was to avoid getting any asset shot down!

The PAF miserably failed that day! It has a word for this situation — ‘Tumbleweed’ !!

The PAF may debunk the narrative as convenient, but how does it explain these three moot points:

  1. The TADPOLE proves that a man-made object on fire fell over the skies between Kotli and Charhoi on 27 February 2019.
  2. There are very clearly two distinct and different crashes noticed in the various videos shot by the residents in the PoK on 27 February 2019.
  3.  IAF lost ONE MiG-21 over PoK on 27 February 2019. So, who lost the other aircraft?

A PAF Shaheen had its last fall that day!

Beyond this frankly, no one gives a damn!!

3 Ways Criminals Can Get Your Data

3 Ways Criminals Can Get Your Data

3 Ways Criminals Can Get Your Data

When we hear social engineering, we immediately think phishing. Those of us in the industry may also think about vishing, dumpster diving, or the SECTF held at DEFCON and DerbyCon. Whether you are technically inclined or not, you are probably familiar with the “Nigerian Prince” or “419” schemes. You have probably received a convincing or near-convincing phishing email claiming to be “Delta” or “App1e” or “Amazon.” This article aims to educate you about other social engineering attack vectors.

Spear Phishing

This is a tactic that goes beyond the basic phish. Instead of a mass blasting, the attacker will craft the email to target a specific person or group of people. The email may be well informed with laser precision, which may include the attacker collecting Open Source Intelligence (OSINT) on the target person or people.

They may use this information to build rapport for the engagement (especially if it is a long-term engagement, think nation-states or APTs) or get the initial fear factor or attention grabber quickly. Depending on the scope and the target, they may attempt to deliver a malicious payload or collect information (such as a password) or provide information to pivot to someone else, such as a more privileged user or an executive (who would be targeted in a “Whaling” attack).


Most of us have received a phone call soliciting information about us or our employer. I have received numerous calls from “The Microsofts” telling me about the malware infecting their servers. To be honest, I get multiple calls daily from “Card Services” offering to “lower my interest rate.”

I give them a fake credit card number (meaning one that will never pass Luhn’s algorithm for a valid card number) that you may use 4867 5309 9035 7684 (Notice numbers 2-8). One person on the other end of the line didn’t find my response funny and threatened to have me called daily. He lives up to his promise 365 days of the year.

Anyway, these calls attempt to get your personal information, credentials, or other sensitive information. They do occasionally attempt to get you to perform an action for them. The best defenses for these attacks are using apps like RoboKiller or if you find yourself answering, come up with an urgent call or meeting and offer to call them back in a few minutes. If they are spoofing a number as most of them do, you will get pushback. Also, do a search for the phone number on your favorite search engine or using a myriad of OSINT tools.


This is akin to “getting into character.” It is also along the lines of impersonation. This could be someone who claims to be a store employee and seeks to help you (and themselves to your wallet). It could be a nice person in a “Waste Management” truck and a dark green polo who says there is a problem with your dumpster. Note: the white pickup truck is rented with a magnet on the side. This person will go “inspect” the dumpster and help themselves to a couple of bags of trash to do “TRASHINT” (h/t to Tess Schrodinger).

The moral of the story is to be wary of people. Demand proof. If you do not feel comfortable with what someone is asking, ask for someone else. Do not be afraid to abandon the situation within reason. You do not have to be rude, but be stern. In my experience as a social engineer, being polite gets you further than being rude. There is no reason to not put the shoe on the other foot.

In conclusion, phishing and social engineering are mainstays. Being aware of the tactics and methods used and applying them to our everyday lives is the key to defense. We live in an era where we must trust very little information and fewer people. Not everyone has our best interests in mind.

Source: Joe Gray | Forbes

Influencer Accounts Being Stolen

Hackers are Stealing Top Instagram Accounts

By: Taylor Lorenz, The Atlantic

In early October, a publicist received an irresistible message via email. The publicist’s client is a top “influencer”—someone who leverages a social-media following to exert influence and, usually, make money, often by selling sponsored posts. “We would be extremely interested in a business partnership,” a man calling himself “Joshua Brooks,” wrote. His pitch was eye-popping: He was offering “80 Thousand US Dollars” for a single picture. Yes, Influencer Accounts Being Stolen by Hackers.

The publicist hastily agreed. Brooks, who claimed to have worked with other internet stars including Bella Thorne, Amanda Cerny, and Jake Paul, said that to get started, the influencer would simply need to log in to a third-party Instagram analytics tool, Iconosquare—a common request; many brands use tools such as Iconosquare to track the success of their influencer campaigns.

But the link Brooks sent wasn’t to—it was to, a cloned version of the site set up for phishing. Once the influencer logged in with the Instagram username and password, Brooks seized control of the account. Within minutes, he was spamming the influencer’s millions of followers with offers for a free iPhone.

Brooks has targeted several YouTubers, Instagram stars, and meme pages and used the stolen pages to promote scammy-looking apps and fake offers for free products. In the past month alone, he has seized @Fact, with 7.2 million followers; @Chorus, with 10.1 million; and @SnoopSlimes, with 1.9 million. After the accounts are seized, the hackers update the account’s bio to say “managed by SCL Media” and begin reaching out to brands via direct message, telling them to negotiate sponsored-content deals with SCL, not with the previous account holder, going forward.

According to its website, SCL Media is “a tech-media company building content brands for multicultural and niche audiences.” Its website lists clients including Netflix, Microsoft, and Comedy Central. But representatives from all three companies said they have no affiliation with SCL Media, nor have they worked with the company in the past.

Read: Stealing Social Media

The influencer-marketing industry has exploded over the past several years. According to a 2017 study by Influencer Marketing Hub, 420 new influencer-marketing agencies opened in 2017 alone, more than double the amount that opened in 2015. “We’ve seen the industry go from a rising marketing tactic to an essential part of most marketing budgets,” one executive wrote in Adweek. Analysts estimate it’s currently worth more than $2 billion and could reach up to $10 billion by 2020.

But this very lucrative, very new market still lacks critical infrastructure. There’s no standard method of communication, no formalized negotiation process, and, often, no paperwork. Rates can range widely from brand to brand and are often hashed out entirely via direct message. And because sponsored-content deals typically happen beyond Instagram’s official advertising mechanisms, the company is all but powerless to stop scams.

Eric Toda, the head of marketing at Hill City, a Gap brand, said that the influencer industry right now is like the Wild West. “You see a lot of people selling snake oil,” he said, “because the market is so saturated.”

Influencers as young as 13 are entering into brand deals with zero experience in negotiating high-value business partnerships. It’s all too easy for a scammer to entice them with the promise of a big paycheck, then hack their accounts or escape without paying. “It’s an underground world, and what a lot of people are doing is representing themselves as Insta experts when they’re hackers and scammers,” explained Lisa Navarro, the founder of Espire, a digital marketing agency that works with influencers. “They’re stealing accounts from children.”

Ruvim Achapovskiy, the founder of Social Bomb, a social-marketing agency in Seattle, said he’s seen branded-content scams increase sharply over the past year. They’ve also gotten more sophisticated. Hackers sometimes create their own fake brands to phish influencers, but often they pretend to be representatives from real companies. “They’ll set up some sort of username that’s something that seems like it would be legit, like @LuluLemonAmbassadors,” Achapovskiy said. “They’ll use all the company logos, make it seem as legit as possible, make the bio seem normal, use the company’s mission statement. It’s super simple.”

Once hackers gain control of an influencer’s account, said Moritz von Contzen, the founder of the Dutch social-media agency Avenik, they’ll often hop into the account’s direct messages and begin spamming other influencers with the same phishing links, before the hacked influencer even knows what’s happening.

Von Contzen said he sees this scam play out over and over again. He even fell for it once.

A year and a half ago, von Contzen was running a luxury-lifestyle-themed Instagram account with nearly 300,000 followers when someone reached out about a collaboration opportunity with several brands, some of which were well known for reaching out to influencers directly. “I was super young and inexperienced, so I was really excited,” von Contzen said. He logged in to the Instagram analytics tool the “brand representative” had provided. “It all looked legit. But as soon as I logged in and gave my password, I went back into my Instagram and bam—my Instagram was gone, and that was that.”

For young influencers with no direct contacts at Instagram or Facebook, it can be nearly impossible to retrieve a stolen account. Hackers will change the contact email address and phone number, and reset the username so the account is impossible to find. Then they’ll run ads on it until they can sell the whole page off for a large price, sometimes for more than $100,000.

Faisal Shafique, a college student who Instagrams under the handle @Fact, said he earns roughly $300,000 a year from posting sponsored content for brands like TikTok and Fashion Nova. When Brooks seized control of his account several weeks ago, it put those brand deals in jeopardy, potentially costing Shafique his livelihood. Shafique was able to retrieve his account before it was sold off, but he estimates that he would have lost a half a million-dollar property if he hadn’t.

Rachel Taton wasn’t so lucky. She began posting to an account called @BestScenes five years ago. By 2014, it had grown to become one of the largest meme pages on Instagram. Two years ago, she lost it to a hacker. Brooks’s particular scheme hadn’t taken hold yet, but she thinks someone obtained her password through other means. Throughout the years, she’s watched helplessly as her old account has changed owners, changed names, and run sponsored content for major brands. It’s now operating under the handle @FunStuff with 1.3 million followers.

“I realized how fast everything could be taken away from me,” Taton said. Shortly after her account was stolen, she quit the influencer game. “I realized that my priority should be focusing on a real job, something that can’t be taken away from me,” she said.

All the influencers I spoke to said brands have a responsibility to be more diligent about who they work with. Greg owns a network of Instagram pages with 50 million followers and asked to be referred to by a pseudonym to protect his clients. He said he’s seen several campaigns from mainstream brands running on pages that he knows to be stolen.

But, he added, the brands themselves likely don’t realize this. Many rely on third-party media-buying or advertising agencies to negotiate the terms of sponsored-content deals across the whole Instagram market. Sometimes a brand will vet particular pages, but Toda said that happens “very rarely.”

Stealing Social Media

A look at how it can happen.

Some employees have direct access to the corporate social media platforms, giving them the power to rename social media channels or post whatever they like. Say a former employee moves to competitive business, changes the name of the original social media channel, and immediately starts contacting the fans and followers on behalf of the new company. This happens all the time. It’s called Stealing Social Media.

The need for good contracts and agreements between employers and employees when it comes to social media is paramount. In addition, systems need to be in place to prevent this from happening.

This includes securing all passwords and changing them immediately prior to terminating an employee with passwords, as well as a strict copyright and ownership clause in the contract.

Analysts need to erase their digital footprints

When we talk about the work of gathering intelligence, most people conjure the image of a James Bond-esque spy, infiltrating an enemy organization under an assumed identity. But there’s another kind of intelligence gathering, just as important to commercial, military, diplomatic and political operations: open-source intelligence, or OSINT for short. OSINT is gathered from publicly available information sources like the news, government documents, and social media reports, among others. But in order to be effective, OSINT analysts have to be just as careful about concealing their online identities as clandestine operatives.

Online surveillance is just as prevalent and often more subtle than real-world surveillance. If the OSINT analyst doesn’t cover their tracks, it’s fairly easy for someone with the resources of a nation’s intelligence agency, or even a large corporation, to track down the identity of that analyst as they dig for information. The analyst must wipe away their digital fingerprints, so to speak.

What is the Digital Fingerprint

“The digital fingerprint is pretty comprehensive, and there are a lot of things that can go into it. At its most basic level, a digital fingerprint includes information about your hardware and software profile, your network, your location, timezone, etc.,” says Nick Espinoza, head of technical solutions at Authentic8. “These are the sorts of things that the analyst needs to change or obfuscate, so he or she can collect information without tipping their hand. And not only that, humans are creatures of habit. So targets can begin to discern, based on your browsing patterns, what sort of demographic you might fall into in terms of age, income, spontaneity, general interests and so on. And in the intelligence space, whether it’s on the corporate or public sector side of things, having that level of detail on a user’s behavior, hardware, software profile, and everything else are absolutely detrimental.”

Because those fingerprints could potentially identify an OSINT analyst as working for a competitor or a government employee, an adversary could lock down previously available avenues of information.

That’s why OSINT analysts need a high level of training in the tools required to conceal their digital identities when gathering intelligence. VPNs, proxies and virtual machines are some of the more commonly known tools, but Espinoza says those only go so far. What’s far more effective, says Espinoza, is a remote browser platform like Authentic8’s Silo.

“Our company provides a web isolation platform with managed attribution. Essentially, managed attribution obfuscates who you are, what you do, and what you’re looking for. A combination of technology and tradecraft need to go hand in hand to enable an analyst to accomplish the mission safely and securely, without compromise,” Espinoza says. “We’ve architected our system to incorporate a lot of tradecraft and to minimize the signals that might indicate someone atypical is looking for a particular subset of information on, let’s say, a hacker forum, or a ship spotting blog, etc. Our goal is to enable better tradecraft and skillsets while reducing the digital signature of these analysts as they go about their job.”


1 2