A new open-source cybersecurity platform called DarkMoon has emerged as a significant advancement in autonomous penetration testing.
It provides security teams and DevSecOps professionals with a fully AI-powered vulnerability assessment system. DarkMoon integrates over 50 specialized offensive security tools, all managed through a controlled execution interface.
DarkMoon is an automated penetration testing platform that uses artificial intelligence to orchestrate complete security assessments without manual intervention.
Unlike traditional vulnerability scanners, DarkMoon deploys a multi-agent AI architecture where specialized sub-agents reason, plan, and execute real offensive security operations through a controlled Model Context Protocol (MCP) interface, a gatekeeper layer that ensures the AI never directly touches the underlying system.
The platform aligns with recognized security frameworks, including ISO 27001, NIST SP 800-115, and the MITRE ATT&CK methodology, making it a standards-compliant option for organizations seeking repeatable, evidence-based assessments.
DarkMoon AI-Powered Platform
When a target is provided via the command line, DarkMoon automatically progresses through a multi-phase assessment: discovering open ports and services, fingerprinting the technology stack, modeling the attack surface, and then deploying specialized sub-agents based on what it detects.
The platform dynamically triggers agents tailored to discovered technologies:
CMS Agent — activates for WordPress, Drupal, Joomla, Magento, and Moodle environments
Stack-Specific Agent — targets PHP, Node.js, Flask, ASP.NET, Spring Boot, and Ruby on Rails
Active Directory Agent — covers NetExec, BloodHound, and 30+ Impacket scripts
Kubernetes Agent — uses kubectl, Kubescape, and Kubeletctl
Headless Browser Agent — deployed when browser rendering is required
Multiple agents can execute in parallel across a hybrid infrastructure, significantly accelerating assessment timelines compared to sequential manual testing.
DarkMoon ships with a purpose-built Docker image housing over 50 compiled security tools organized by category.
Port scanning is handled by Naabu and Masscan; web application testing leverages Nuclei, ffuf, sqlmap, Arjun, and wafw00f; reconnaissance uses Subfinder, Katana, Waybackurls, and httpx; CMS testing relies on WPScan and CMSeeK; and network enumeration employs Hydra, dig, and SNMP tooling.
All tools are accessible inside the Docker toolbox without path configuration — the AI reasons and plans, the MCP controls execution, and the Docker container runs the tools in isolation.
DarkMoon is designed for security teams running continuous automated testing, DevSecOps engineers integrating security into CI/CD pipelines, bug bounty hunters accelerating target analysis, and security researchers exploring adaptive attack surfaces in real time.
The platform supports bug bounty mode natively, with command-line flags such as FOCUS, EXCLUDE, SEVERITY, and FORMAT=h1 interpreted directly by the AI agent.
DarkMoon is available on GitHub at github.com/ASCIT31/Dark-Moon and requires only Docker, Docker Compose, and an LLM API key from providers such as Anthropic, OpenAI, or OpenRouter; local model support via Ollama and llama.cpp is also available.
The platform represents a broader industry trend toward autonomous AI-driven penetration testing that scales beyond the limits of human-only security teams.
To stop children from bypassing its age checks, Meta is revamping its age-verification tools with an AI system that analyzes images and videos for “visual cues,” such as height and bone structure.
The collaboration between the Unique Identification Authority of India and the National Forensic Sciences University marks a significant development in India's security landscape and digital forensics. In a move aimed at strengthening the country’s digital infrastructure, UIDAI and NFSU have formalized a five-year partnership to advance research, training, and operational capabilities in cybersecurity and digital forensics.
According to an official statement, UIDAI and NFSU have established a structured collaboration designed to address emerging challenges in cybersecurity and digital forensics.
UIDAI and NFSU Join Forces on Cybersecurity and Digital Forensics
The agreement, announced on May 5 in Ahmedabad, provides a comprehensive framework to bring together expertise from both institutions. It is intended to reinforce cyber resilience across UIDAI’s systems, which form the backbone of India’s digital identity ecosystem.
The Ministry of Electronics and Information Technology highlighted that this partnership creates an umbrella structure for coordinated efforts in research, technical development, and capacity building. The initiative underscores the growing importance of cybersecurity and digital forensics as critical components of national digital infrastructure.
Six Strategic Pillars Driving UIDAI and NFSU Collaboration
The UIDAI and NFSU partnership is structured around six key pillars, each targeting specific aspects of cybersecurity and digital forensics. These include academic and professional development, aimed at building skilled talent in the field, as well as strengthening information security and system integrity within UIDAI’s ecosystem.
Another major focus area is the development of advanced forensic infrastructure and laboratory capabilities. This will support deeper investigation and analysis of cyber incidents. Additionally, the agreement outlines provisions for technical support in cybersecurity operations, ensuring that UIDAI benefits from NFSU’s specialized expertise.
The collaboration also emphasizes joint research and technical advisory in emerging technologies. Areas such as artificial intelligence, blockchain, cryptography, and deepfake detection are expected to play a central role. The sixth pillar focuses on strategic placement and outreach, creating pathways for NFSU students to gain hands-on experience and career opportunities within UIDAI-related projects.
Strengthening India’s Digital Backbone
India’s digital identity framework, powered by UIDAI, requires continuous upgrades to counter evolving cyber threats. The UIDAI and NFSU partnership aims to address this need by integrating advanced cybersecurity and digital forensics practices into the system’s core operations.
UIDAI Chief Executive Officer Vivek Chandra Verma described the agreement as a crucial step toward enhancing the security architecture of India’s digital public infrastructure. He stated that the collaboration will significantly improve forensic readiness and resilience, ensuring stronger protection against cyber risks.
The signing ceremony was attended by senior officials from both institutions, including Deputy Director General Abhishek Kumar Singh and NFSU Gujarat Campus Director S. O. Junare. Their presence highlighted the institutional commitment to advancing cybersecurity and digital forensics through sustained collaboration.
Expanding Access While Enhancing Security
Alongside this partnership, UIDAI has also taken steps to improve accessibility to its services. Collaborations with digital platforms like MapmyIndia and Google now allow users to locate authorized Aadhaar centers more easily. These platforms provide information on available services, operating hours, and accessibility features.
While these initiatives focus on user convenience, they also align with the broader objective of strengthening the integrity of India’s digital identity system. By combining improved accessibility with robust cybersecurity and digital forensics measures, UIDAI aims to maintain trust in its infrastructure.
A new open-source project called CVE MCP Server is redefining how security teams triage vulnerabilities, transforming Anthropic’s Claude AI into a fully capable security analyst by giving it direct, correlated access to 27 intelligence tools spanning 21 external APIs, all through a single natural-language query.
Every security analyst knows the painful reality: triaging even a single CVE can mean opening a dozen browser tabs simultaneously: NVD for CVSS scores, EPSS for exploitation probability, CISA’s Known Exploited Vulnerabilities (KEV) catalog, GitHub for patch status, VirusTotal for malware associations, Shodan for exposed hosts, and more.
Industry data confirms this bottleneck is severe, with EPSS v4 research showing that 96% of CVE alerts that fall below an exploitation threshold go completely uninvestigated due to manual workload alone.
For teams managing 50 or more CVEs simultaneously, that fragmented workflow can consume an entire workday.
Released on GitHub by developer Mahipal (mukul975), CVE MCP Server is a production-grade implementation of Anthropic’s Model Context Protocol (MCP), an open standard that enables seamless integration between LLM applications and external data sources and tools.
CVE MCP Server With 27 Tools
The server integrates Claude with 27 security tools organized into five categories: Core Vulnerability Intelligence, Exploit & Attack Intelligence, Advanced Risk & Reporting, Network Intelligence, and Threat Intelligence.
Built with Python, FastMCP, httpx, aiosqlite, Pydantic v2, and defusedxml, the entire stack operates via outbound HTTPS only: no inbound ports, no telemetry, and no API keys ever logged.
The tool catalog is extensive and immediately production-ready. Core vulnerability tools include lookup_cve (NVD), get_epss_score (FIRST), check_kev_status (CISA), and bulk_cve_lookup for batch-fetching up to 20 CVEs in parallel.
Exploit intelligence tools map CVEs to MITRE ATT&CK techniques, check PoC availability across GitHub and Exploit-DB, and retrieve CAPEC attack patterns.
Network intelligence layers in AbuseIPDB reputation scoring, GreyNoise scan activity, Shodan host profiling, and CIRCL Passive DNS. Threat intelligence tools connect to VirusTotal, MalwareBazaar, ThreatFox for IOC lookups, and Ransomwhere for ransomware Bitcoin address tracking.
At the heart of the project is a weighted risk scoring formula that moves beyond CVSS-only prioritization, a methodology aligned with the industry shift toward multi-signal triage.
The formula weights EPSS probability at 35%, CISA KEV status at 30%, CVSS at 20%, and PoC availability at 15%, with boost multipliers applied for active KEV+PoC combinations, CVSS ≥ 9.0 with high EPSS, and recently published CVEs.
A score of 76–100 triggers a CRITICAL label requiring patching within 24–48 hours under an emergency change window.
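The weighting described above can be sketched as follows. This is an added example, not the project's code: the four weights and the CRITICAL band come from the article, while the boost multiplier values, the "high EPSS" cut-off, the "recent" window, the cap at 100 and the sample CVE records are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Weights stated in the article.
W_EPSS, W_KEV, W_CVSS, W_POC = 0.35, 0.30, 0.20, 0.15
CRITICAL_MIN = 76  # article: 76-100 is CRITICAL (patch within 24-48 hours)

# ASSUMPTIONS for this example: the article names the boosts but gives no values.
BOOST_KEV_AND_POC = 1.15
BOOST_CVSS9_HIGH_EPSS = 1.10
BOOST_RECENT = 1.05
HIGH_EPSS = 0.50   # assumed cut-off for "high EPSS"
RECENT_DAYS = 30   # assumed meaning of "recently published"


@dataclass(frozen=True)
class CveSignals:
    cve_id: str
    cvss: float      # base score, 0.0-10.0
    epss: float      # exploitation probability, 0.0-1.0
    in_kev: bool     # listed in CISA KEV
    has_poc: bool    # public proof of concept known
    published: date


def base_score(s: CveSignals) -> float:
    """Weighted sum of the four signals on a 0-100 scale, before boosts."""
    if not 0.0 <= s.cvss <= 10.0:
        raise ValueError(f"{s.cve_id}: CVSS {s.cvss} outside 0-10")
    if not 0.0 <= s.epss <= 1.0:
        raise ValueError(f"{s.cve_id}: EPSS {s.epss} outside 0-1")
    return 100.0 * (W_EPSS * s.epss + W_KEV * s.in_kev
                    + W_CVSS * s.cvss / 10.0 + W_POC * s.has_poc)


def applied_boosts(s: CveSignals, today: date) -> list:
    """Return (reason, multiplier) pairs for every boost condition that holds."""
    boosts = []
    if s.in_kev and s.has_poc:
        boosts.append(("KEV+PoC", BOOST_KEV_AND_POC))
    if s.cvss >= 9.0 and s.epss >= HIGH_EPSS:
        boosts.append(("CVSS>=9.0 with high EPSS", BOOST_CVSS9_HIGH_EPSS))
    if 0 <= (today - s.published).days <= RECENT_DAYS:
        boosts.append(("recently published", BOOST_RECENT))
    return boosts


def risk_score(s: CveSignals, today: date) -> float:
    """Base score times all applicable boosts, capped at 100 (cap is assumed)."""
    score = base_score(s)
    for _reason, multiplier in applied_boosts(s, today):
        score *= multiplier
    return round(min(score, 100.0), 1)


def is_critical(score: float) -> bool:
    return score >= CRITICAL_MIN


def triage(batch, today: date) -> list:
    """Return (cve_id, score, critical?) tuples, highest score first."""
    rows = [(s.cve_id, risk_score(s, today)) for s in batch]
    rows.sort(key=lambda r: r[1], reverse=True)
    return [(cid, sc, is_critical(sc)) for cid, sc in rows]


# Constructed sample data: the IDs are placeholders, not real CVEs.
TODAY = date(2026, 5, 1)
SAMPLE = [
    # CVSS 9.8 but no exploitation signal: stays far below CRITICAL.
    CveSignals("CVE-0000-0001", 9.8, 0.02, False, False, date(2025, 1, 15)),
    # Medium-high CVSS, in KEV, no PoC: high but not CRITICAL.
    CveSignals("CVE-0000-0002", 7.5, 0.60, True, False, date(2025, 6, 1)),
    # Every signal present and recently published: capped at 100.
    CveSignals("CVE-0000-0003", 9.8, 0.94, True, True, date(2026, 4, 21)),
]

if __name__ == "__main__":
    for row in triage(SAMPLE, TODAY):
        print(row)
```

The first sample record shows the point of multi-signal triage: a CVSS 9.8 finding with negligible EPSS and no KEV or PoC signal scores 20.3, well under the CRITICAL threshold.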
One notable design decision is accessibility: eight tools require zero API keys to function, including EPSS, CISA KEV, OSV.dev, MITRE ATT&CK, CWE lookups, CVSS parsing, Ransomwhere, and NVD at a reduced rate.
Teams can deploy and begin querying immediately, then progressively add Tier 1 keys (NVD, GitHub) for 10× throughput and Tier 2 keys (AbuseIPDB, VirusTotal, GreyNoise, Shodan) for full multi-domain intelligence.
The server also addresses the software supply chain angle with three DevSecOps tools: scan_dependencies queries OSV.dev for vulnerable package versions, scan_github_advisories searches GitHub Security Advisories by ecosystem, and urlscan_check analyzes suspicious URLs.
In a single Claude prompt, a developer can scan an entire requirements.txt and receive prioritized upgrade recommendations.
The CVE MCP Server is available now at github.com/mukul975/cve-mcp-server under an open-source license, with Claude Desktop and Claude Code configuration supported out of the box.
ASEC Blog publishes Ransom & Dark Web Issues Week 5, April 2026: emergence of a new ransomware group, M3RX; data from a South Korean religious organization sold on DarkForums; ShinyHunters claims a data leak from a US interactive media company.
Acronis reveals Mustang Panda is using an updated version of LOTUSLITE backdoor to target Indian banks and Korean diplomats. Learn how this DLL sideloading attack works.
A lawsuit from the Consumer Federation of America accuses Meta of misleading consumers about its efforts to combat scam advertisements on its platforms.
Over 130,000 users are at risk from fake TikTok downloader extensions on Chrome and Microsoft Edge. Researchers discovered these malicious tools use device fingerprinting to spy on users and steal sensitive browser data.
But despite these strict controls, Chinese apps – which boast more than a billion estimated users – remain an information goldmine for investigative journalists covering stories both within and outside China.
Since most foreign sites are banned, Chinese platforms are the largest resource available to journalists and researchers interested in what’s going on in the world’s second-most populous country. Even when a topic is being censored, patterns in the censorship can themselves serve as investigative leads: a 2020 BuzzFeed News investigation, for example, mapped out detention camps in Xinjiang by examining areas that had been blanked out on China’s Baidu Maps.
With millions of Chinese people living overseas, social media activity by members of the diaspora can also turn into global stories.
Serial rapist Zou Zhenhao, a Chinese PhD student, was jailed in London last year after one of his victims posted a warning on Xiaohongshu, also known as Little Red Book or Rednote, an app popular with young Chinese women living abroad. Another woman Zou had raped reached out to the original poster, who put her in touch with the police – leading to the conviction of a man described by police as possibly one of the worst sexual predators in British history.
Founded in 2013 as a Hong Kong shopping guide, Xiaohongshu has evolved into a lifestyle and e-commerce platform that has been compared with Instagram, Pinterest and Amazon. Last year, it reported about 300 million monthly active users, rivalling some of China’s largest social media platforms.
Xiaohongshu saw a surge in international users in January 2025 amid a threatened ban on short video app TikTok. Photo: VCG via Reuters Connect
The app’s 600 million daily searches by the end of 2024 also accounted for half of market leader Baidu’s search volume, demonstrating that it is emerging as a critical search and discovery engine, not just a social platform.
Although primarily a Chinese-language app, Xiaohongshu gained attention in the English-speaking world last year, when millions of American TikTok users flocked to the platform in anticipation of a TikTok ban under US President Donald Trump.
Responding to the surge of international users – sparked by the #TikTokRefugees trend – Xiaohongshu rolled out an AI-powered translation feature, making the app more accessible to non-Chinese audiences. This also meant that journalists without Chinese language skills can more easily communicate on and navigate the platform.
Despite its growing popularity both within and outside China, the app is relatively new and underexplored compared to more well-established platforms such as Weibo.
This guide aims to provide a starting point for those looking to explore Xiaohongshu for open-source investigations, including an overview of its main user demographics, potential topics to explore and strategic search methods specific to the app.
User Demographics and Topics
According to Xiaohongshu’s official data, the platform’s demographic profile is mainly young, female and urban. As of 2024, 70 percent of its users were women, with half of all users belonging to Gen Z and living in China’s largest cities.
As previously mentioned, the app has also gained popularity with the Chinese diaspora. Many Chinese nationals living abroad use it as a search engine for local information, posting and searching for content related to their daily lives, from restaurant recommendations and apartment hunting to navigating foreign bureaucracies and finding community resources.
This demographic profile makes Xiaohongshu particularly well-suited for investigating stories about consumer fraud and urban livability issues. For example, Chinese outlets like Jiemian have used Xiaohongshu posts to expose the grey-market ecosystem of paid reviews and fake endorsements tied to the platform’s e-commerce model, while in 2022, International Financial News traced a mother-and-baby store scam that defrauded over 400 parents back to product recommendation posts on the platform.
Given its predominantly female user base, Xiaohongshu has also evolved into one of China’s most important spaces for feminist discourse and women’s issues. Academic researchers have used content on the platform to analyse local discussions on menstrual shaming, sexual harassment, and the controversial “divorce cooling-off period” introduced in 2021. As Rest of World reported, women have increasingly congregated on Xiaohongshu, where they outnumber male users and have found ways to trick the app’s recommendation algorithm so their posts are shown mostly to other women.
The Relevance of Censorship
Political content and current affairs about China are largely absent from the app – a result of both active censorship and platform design.
All Chinese social media platforms, including Xiaohongshu, operate under strict content moderation requirements from the Cyberspace Administration of China. A leaked 143-page internal document published by China Digital Times in 2022 revealed how Xiaohongshu censors respond to government directives in “real-time”, blocking content related to politically sensitive topics such as criticism of the Chinese Communist Party, labour strikes and student suicides. Xiaohongshu’s commercial focus also makes it less likely that these topics would be discussed on the platform: as Rest of World reported, the platform functions less like Weibo – a public square for current events – and more like “a giant mall, where shoppers tell each other what to buy”.
Coverage of international affairs is also tightly controlled: only state-owned or state-controlled news organisations can obtain licences to publish original news content. However, content about life abroad, particularly stories about the cost of living, healthcare, or social problems in Western countries, circulates more freely on platforms including Xiaohongshu, and provides journalists with insight into how Chinese diaspora communities engage with local political systems.
For example, when the 2025 Miss Finland was accused of making anti-Asian gestures, searching for “芬兰小姐” (Miss Finland) and “投诉” (complaint) on Xiaohongshu revealed a trove of collective action: users shared different complaint pathways, posted templates for filing reports, and documented various outcomes from their complaints.
For such large-scale public events, Xiaohongshu can be both an organising platform and a rich source for tracking how diaspora communities coordinate responses to discrimination, providing journalists with insight into grassroots activism and transnational advocacy networks.
Getting Started
Xiaohongshu is available for download on both Apple’s App Store and Google Play worldwide, or can be accessed via a web browser. In international app stores, the app appears under the name “RedNote,” but this is the same application as Xiaohongshu – content and accounts are shared across both. The key difference is that RedNote users who register with overseas phone numbers are automatically tagged as international users, which affects the content the algorithm surfaces to them.
For users who download the app outside mainland China, Xiaohongshu automatically detects the device language and location. Upon first login, international users are prompted with an option to automatically translate all content into English (or their device language). If enabled, posts and comments will display with translations by default, and the algorithm will prioritise English-language content and posts created by or for international users, such as expat influencers.
For researchers and journalists seeking to observe the platform as Chinese users experience it, consider disabling automatic translation. This allows you to see content as it natively appears and helps you distinguish between posts created for international audiences versus those created for domestic users – a distinction that matters when assessing how representative your sample is for the relevant topic.
The default home feed, or the “Explore” tab, is where the algorithm surfaces content based on your engagement history, location and user profile. The feed uses a grid layout displaying post thumbnails with titles and like counts.
On the top right corner of the screen, the search bar also allows keyword searches across posts, users and topics. Results can be filtered by content type (e.g. notes, videos, users or products) and sorted by relevance or recency.
The search bar on the top right and the Explore page are some of the most relevant features for journalists and researchers on Xiaohongshu. Source: Xiaohongshu
Using the Search Bar
Xiaohongshu’s search function is relatively basic. You can search by keywords and filter by time and location, but the options are general: time filters include “past day,” “past week,” or “past six months,” while location filters offer “same city” or “nearby”.
For example, searching “Canada” returns posts tagged with that keyword, which you can then sort by recency or proximity.
Search results for “Canada” in English (left) show mainly travel and tourism-related content, while a search in Chinese (right) shows more content posted in Chinese by Chinese people about living in Canada. Source: Xiaohongshu
For breaking news events, try searching location names or names of individuals involved in the incident, filtering for the most recent posts to capture real-time reactions and on-the-ground accounts before they’re censored or deleted.
Xiaohongshu primarily uses algorithms to curate and push content through personalised feeds. For journalists using Xiaohongshu for investigative purposes, it can be useful to actively search for topics of interest to train your algorithm – the more you search and engage with specific content, the more relevant posts the algorithm will surface to you.
However, if you are researching the platform itself – studying what content Xiaohongshu promotes, how censorship operates, or what narratives dominate – you may want to start from a clean slate. In that case, consider periodically turning off personalised recommendations (Settings → Privacy Settings → Personalisation Options), clearing your browsing history, clearing cached data, or using a fresh account to observe what the platform shows to a “neutral” user.
Language and Lingo
During the influx of “TikTok refugees” in January 2025, Xiaohongshu launched a translation feature for users outside mainland China, enabling the automatic translation of comments and posts.
However, this does not translate search queries. The platform’s search engine is still optimised for Chinese, though there is a “prioritise English” filter for overseas users, and searching in English will return some results.
Searching for “Canada” in English, with “EN preferred” selected, will mainly return posts in English. Source: Xiaohongshu
But the language you search in shapes far more than just your results – it determines which version of the platform you see. When you search in English or use an international account, the algorithm treats you as a foreign user and surfaces content accordingly: influencers explaining why they love living in China, comparisons showing Chinese life favourably against the West.
This isn’t a neutral cross-section of the platform – it is a curated bubble. To access what Chinese users actually discuss among themselves, it would be more effective to search in simplified Chinese and, ideally, use a China-registered account if you have access to one. If you don’t read Chinese, you can also consider using a translation tool (Google Translate, DeepL, or an AI assistant) to convert your search terms into simplified Chinese before entering them.
Despite such tools and the in-app translation feature, it is always useful when researching using Chinese platforms to work with a native speaker familiar with the local context. They can flag when an innocuous-seeming term actually carries hidden meaning, and help identify coded conversations about a censored topic.
On Xiaohongshu specifically, this coded language extends beyond political topics to include anything the platform’s algorithm might flag as “vulgar” or promotional. For example, users substitute fruits and neutral terms for body parts or sexual content to avoid being flagged as inappropriate – the peach emoji for buttocks, or 炒菜 (“cooking”) for explicit material. They may also use abbreviations and emojis for commercial terms to evade anti-marketing filters, such as “vx” (the abbreviation of how WeChat is pronounced in Chinese) or “绿” (“plus green”, apparently referring to WeChat’s green logo) for WeChat, or “米” (rice) or the moneybag emoji for money.
Advanced Search Strategies
For more sophisticated searching, consider using third-party marketing analytics tools like Xinhong and Qiangu, which can show trending topics, popular posts and engagement metrics, as well as identify key content creators posting about specific subjects.
For example, on Xinhong, when you search for “Canada” in Chinese, it also shows trending related searches such as “加拿大总理” (Canadian Prime Minister). Clicking through these suggestions leads to recent posts – for example, posts about Mark Carney’s latest statements at Davos, along with user comments and reactions.
A search on the Xinhong platform for “Canada” in Chinese also suggests related trending topics (in green box) such as “in Canada”, “living in Canada” and “Canadian Prime Minister”. Source: Xinhong, annotation by Bellingcat
While these tools are designed for marketers, they provide journalists with valuable capabilities: tracking how topics evolve, identifying influential voices in specific communities, and discovering related hashtags or discussions that might not surface through basic platform search. These tools often require paid subscriptions but can significantly enhance research efficiency for long-term investigations.
Another valuable feature is Xiaohongshu’s group chat function, where users gather around shared keywords and topics—from city-specific communities to niche interests. These groups are often highly active and provide access to candid community discussions that don’t appear in public posts. To find relevant groups, go to Messages → Group Square, where you can browse categories or search by keyword and request to join.
Monitoring active group chats related to relevant topics, whether that’s a specific city, industry, or issue, can help journalists and researchers stay updated on emerging issues and detect potential story leads before they become widely visible on public feeds.
Preserving the Evidence
Chinese social media content can disappear quickly and without warning due to censorship, making immediate preservation critical.
Always take two preservation steps immediately upon discovering relevant content:
First, screenshot the entire post, including the URL, timestamp, username, like/comment counts, and location tags. These metrics establish context and authenticity. Use tools that capture full-page screenshots rather than just visible portions, as posts can be long and comments extensive.
Second, archive the web page using services like archive.today or Wayback Machine. Note that these services capture only static content – comments and engagement metrics may not be fully preserved and should be screenshotted separately.
For Xiaohongshu specifically, always preserve the user’s unique ID found in their profile URL when viewed on a browser, which follows the format “user/profile/[unique ID]”. Users can change their display names, but this unique identifier remains constant, allowing you to track accounts over time even after name changes. This is critical for long-term investigations or when monitoring specific sources.
The unique ID of a user can be found in the profile URL on a browser. Source: Xiaohongshu
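One way to record the preservation steps above in a tamper-evident form, as an added example that is not part of the original guide. Only the "user/profile/[unique ID]" path format comes from the article; the record layout, function names, sample URLs, IDs and screenshot bytes are constructed for illustration.

```python
import hashlib
import json
import re
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Path format given in the article: user/profile/[unique ID]
PROFILE_PATH = re.compile(r"/user/profile/([^/]+)")


def extract_user_id(profile_url: str) -> str:
    """Return the stable account ID from a browser profile URL."""
    match = PROFILE_PATH.search(urlsplit(profile_url).path)
    if not match:
        raise ValueError(f"no user/profile/<id> segment in {profile_url!r}")
    return match.group(1)


def _digest(record: dict) -> str:
    """SHA-256 over a canonical JSON form of the record, minus its own digest."""
    body = {k: v for k, v in record.items() if k != "record_sha256"}
    canonical = json.dumps(body, sort_keys=True, ensure_ascii=False,
                           separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def build_record(post_url, profile_url, display_name, screenshots,
                 archive_urls, captured_at: datetime) -> dict:
    """Bundle both preservation steps (screenshots and archive links)."""
    if captured_at.tzinfo is None:
        raise ValueError("captured_at must be timezone-aware")
    record = {
        "post_url": post_url,
        "profile_url": profile_url,
        "user_id": extract_user_id(profile_url),
        "display_name_at_capture": display_name,  # may change later
        "captured_at_utc": captured_at.astimezone(timezone.utc).isoformat(),
        "screenshots": [
            {"file": name, "size": len(data),
             "sha256": hashlib.sha256(data).hexdigest()}
            for name, data in sorted(screenshots.items())
        ],
        "archive_urls": list(archive_urls),
    }
    record["record_sha256"] = _digest(record)
    return record


def verify_record(record: dict) -> bool:
    """True if the record still matches the digest taken at capture time."""
    return record.get("record_sha256") == _digest(record)


def same_account(a: dict, b: dict) -> bool:
    """Match captures by unique ID, ignoring display-name changes."""
    return a["user_id"] == b["user_id"]


# Constructed sample input: placeholder IDs, URLs and image bytes.
CAPTURED = datetime(2026, 1, 20, 9, 30, tzinfo=timezone.utc)
FIRST = build_record(
    post_url="https://example.invalid/post/EXAMPLE-POST-1",
    profile_url="https://www.xiaohongshu.com/user/profile/EXAMPLE-ID-0001?tab=note",
    display_name="original name",
    screenshots={"post_full.png": b"constructed-png-bytes-1",
                 "comments.png": b"constructed-png-bytes-2"},
    archive_urls=["https://archive.example.invalid/PLACEHOLDER"],
    captured_at=CAPTURED,
)
# The same account captured later under a new display name.
LATER = build_record(
    post_url="https://example.invalid/post/EXAMPLE-POST-2",
    profile_url="https://www.xiaohongshu.com/user/profile/EXAMPLE-ID-0001",
    display_name="renamed account",
    screenshots={"post_full.png": b"constructed-png-bytes-3"},
    archive_urls=[],
    captured_at=CAPTURED,
)

if __name__ == "__main__":
    print(json.dumps(FIRST, indent=2, ensure_ascii=False))
    print("same account:", same_account(FIRST, LATER))
```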
Xiaohongshu operates under the same legal and censorship constraints as all Chinese social media platforms, and researchers should approach it with appropriate caution. Content moderation is extensive: users who post about sensitive subjects risk having their content removed or their accounts suspended, and the platform is required to comply with government data requests. For researchers, this means the information you find represents only what has survived the censorship process.
That said, Xiaohongshu remains a remarkably rich resource for open-source research. Its strength lies precisely in its apolitical, lifestyle-oriented identity: while political discussion is suppressed, candid conversations about everyday life flourish. For journalists willing to invest in learning the platform’s rhythms, building Chinese-language search skills, and understanding its coded vocabularies, Xiaohongshu offers a window into how ordinary Chinese people talk among themselves – an area that remains largely untapped by international media.
This article is the result of a collaboration with Indian media outlet Newslaundry. You can find Newslaundry’s editorially independent coverage here.
Collage illustration by Klawe Rzeczy. Elements from Unsplash.
Indian companies have shipped more than 320 million synthetic opioid pills to West Africa – where they have not been approved by regulators – over the past three years, a Bellingcat investigation has found.
Export records from trade data provider 52wmb show that more than 1,400 consignments of tapentadol worth almost USD $130 million were sent from India to West Africa between January 2023 and December 2025.
Tapentadol, a painkiller two to three times more potent than tramadol, has not been approved for use in most West African countries, where some nations are grappling with an escalating opioid abuse epidemic.
However, this investigation shows that dozens of Indian suppliers have flooded the region with tapentadol over the past three years. Where dosages were listed, more than half the pills were in powerful strengths of 200mg or more – dosages that are not even approved in India.
The exports, cross-checked against records provided by trade data aggregator ImportGenius, show most tapentadol pills sent between 2023 and 2025 had the coastal nations of Sierra Leone and Ghana listed as their declared destinations.
The two West African countries were collectively marked as the destination for more than 80 per cent of the total value of tapentadol sent to the region.
Experts have documented how drug traffickers adapt quickly to international regulations and law enforcement efforts. In 2018, India tightened export controls around the opioid tramadol, one of the most trafficked synthetic drugs to West Africa.
In 2021, the International Narcotics Control Board (INCB) said large-scale tapentadol trafficking had been identified, particularly in consignments destined for Africa. It had previously noted that India’s strengthened tramadol controls could lead traffickers to substitute the drug with other potent synthetic opioids.
A BBC investigation last year revealed that Indian company Aveo Pharmaceuticals was illegally exporting tablets containing a mix of tapentadol and the muscle relaxant carisoprodol to West Africa. This led India’s drug regulator, the Central Drugs Standard Control Organisation (CDSCO), to ban the manufacture and export of all combinations of the two drugs.
Bellingcat’s investigation, in collaboration with Indian publishing partner Newslaundry, reveals that the supply of tapentadol pills from India to West Africa has surged in recent years.
Export data from 52wmb shows the value of tapentadol sent to the region has risen from about USD $27 million in the three-year period from 2020 to 2022, to almost USD $130 million from 2023 to 2025.
Julius Maada Bio, Sierra Leone’s president, in 2024 declared a national emergency over rampant drug abuse and branded kush – a toxic blend of psychoactive substances including cannabis and synthetic opioids – a “death trap”.
Authorities in Sierra Leone have intercepted illegal tapentadol, including last July when the National Revenue Authority (NRA) said it thwarted a smuggling operation near its north-west border with Guinea.
The NRA and other agencies including the Transnational Organised Crime Unit, National Drug Law Enforcement Agency, and the Pharmacy Board of Sierra Leone did not respond to Bellingcat’s requests for comment.
Sierra Leone’s NRA said customs officers seized tapentadol near a border crossing in July. Source: National Revenue Authority
Ghana’s Narcotics Control Commission (NACOC) said the illegal importation of tapentadol was first recorded in 2022 after international efforts to curb the tramadol crisis resulted in criminal networks shifting production to other pharmaceutical opioids including tapentadol, tafrodol and carisoprodol.
The agency has recorded a “steady rise” in tapentadol trafficking over the past three years, with authorities seizing more than 3.7 million tablets (250mg strength). Most were traced back to India, it said.
“NACOC investigations confirm that the bulk of tapentadol is trafficked into Ghana through seaports and by air, via express courier services,” a spokesperson said. “At the ports, the drug is concealed in containerized cargo falsely declared as pharmaceuticals, electrical materials or household goods. Express courier services are used for smaller, high-value quantities, often packed alongside legitimate consignments to avoid detection.”
NACOC said Ghana had emerged as both a destination and transit hub for tapentadol, with the majority of intercepted consignments bound for Niger, Mali, Burkina Faso and Nigeria. When sold domestically, it said the street drug was promoted as a tramadol substitute.
Ghana’s Food and Drugs Authority (FDA) said last year that the abuse of pharmaceutical opioids such as tapentadol — commonly known on the street as “Red” — was on the rise.
The FDA told Bellingcat it had “never issued any permit” for the manufacture or importation of tapentadol, in any strength, to any importer or to any country. It said any tapentadol shipments to Ghana were for “trans-shipment to neighbouring country”.
Import data for Ghana shows that no tapentadol entered the country between 2023 and 2025, which supports NACOC’s position that the drugs are being concealed and falsely declared. Import data for Sierra Leone was not available through 52wmb.
Ghana’s FDA destroyed 230 cartons of the illegally imported tapentadol last April and seized 7,700 tapentadol tablets at a border crossing last August. NACOC said it was combatting opioid importation through regulation, enforcement and cooperation with its counterparts in other countries. Source: FDA
India’s drug and pharmaceutical exports have grown to more than $30 billion a year, according to the Pharmaceuticals Export Promotion Council of India (Pharmexcil), a division of the ministry of commerce and industry.
While tapentadol is available in India on prescription in strengths of up to 100mg (immediate release) and 200mg (extended release), authorities are aware of its risk of misuse. Last year, the Indian drug regulator’s Technical Advisory Board said the Department of Revenue may be requested to schedule the painkiller under the Narcotic Drugs and Psychotropic Substances Act, which would tighten rules around its export.
To export pharmaceutical products at strengths that are not approved in India, exporters are required to obtain an export “no objection certificate” (NOC) from the CDSCO, for which they have to submit proof of the drug’s approval in the importing country. Publicly available information shows tapentadol is not approved for use in any of the West African nations identified as part of this investigation.
The CDSCO did not respond to questions from Bellingcat or our publishing partner, Newslaundry.
In response to “Right to Information” requests submitted by Newslaundry, the CDSCO said only two companies had been granted authorisation to manufacture tapentadol for export between 2019 and 2024. However, the trade data analysed by Bellingcat did not list either company as an exporter of tapentadol to West Africa.
The CDSCO also said it had issued export NOCs for tapentadol to 51 companies since 2024, but that these were not for export to West African countries.
Meanwhile, Bellingcat’s analysis of trade data shows that more than 60 Indian suppliers have exported tapentadol to West Africa since 2023. The exporters are mostly pharmaceutical companies but also include smaller operations, such as one company owned by a Nigerian man who sent more than US $4 million of tapentadol to Niger and Ghana.
In the BBC’s investigation, journalist Surabhi Tandon reported on the increase in cross-border smuggling of tramadol, “a catch-all name to describe the range of opioids used as street drugs”, from Ghana to Nigeria. Source: BBC News
Dinesh Thakur, co-author of the book Truth Pill, told Newslaundry there were gaps in India’s drug regulatory framework that made it possible for potentially unsafe medicines to be manufactured and exported without proper oversight.
“There is no regulatory framework which checks a genuine importer and counterfeit importer between countries,” said Thakur, a former pharmaceutical executive who now works as a public health activist.
Mohammed Adinoyi Usman, a consultant anaesthetist at Rasheed Shekoni Federal University Teaching Hospital in Nigeria, said tackling Africa’s opioid crisis was complicated by a lack of resources across the region, weak government responses, and inaction by law enforcement agencies.
He said more collaboration and intelligence sharing was needed, especially across West African countries, to combat the problem. “We see so many opioids coming into our region because of a range of factors including under-funded institutions like customs and drug agencies, weak border controls and corruption,” he said.
“Africa is different. Even southern Africa is different from western Africa – each region has its peculiarities. In Nigeria, we don’t have well-functioning institutions to help control it. But our government is trying.”
Dr Usman said access to prescription opioids in Africa was inadequate, and pointed to research showing the disparity in distribution of legal opioids to low-income countries compared to high-income nations that consume the bulk of the world’s pain relief medication. He said opioid abuse was linked to crime and negative health outcomes.
“Sadly, access to prescription opioids is very limited in Africa,” Dr Usman said, “but the costs of illegal use are high.”