
Websites with an undefined trust level: avoiding the trap

Executive summary

  • A suspicious website is a web resource that cannot be definitively classified as phishing, but whose activities are unsafe. Such sites manipulate users, tricking them into voluntarily transferring money for non-existent services, signing up for hidden subscriptions, or disclosing personal data through carefully crafted terms of service. These include fake online stores, dubious crypto exchanges, investment platforms, and services with paid subscriptions.
  • Kaspersky has introduced a new web filtering category, “Sites with an undefined trust level,” into its security products (Kaspersky Premium, Android and iOS apps, etc.). The system analyzes the domain name and age, IP address reputation, DNS configuration, HTTP security headers, and SSL certificate to automatically detect suspicious resources.
  • According to Kaspersky data for January 2026, the most widespread global threat is fake browser extensions that mimic security products — they were detected in 9 out of 10 regions analyzed worldwide. Such extensions intercept browser data, track user activity, hijack search queries, and inject ads.
  • Kaspersky’s regional statistics reveal the specific nature of these threats: in Africa, over 90% of the top 10 suspicious websites are online trading scam platforms; in Latin America, fake betting services predominate; in Russia, fake binary options brokers and “educational platforms” with fraudulent subscriptions lead the way; in CIS countries — crypto scams and bots for inflating engagement.
  • Key indicators of a suspicious website to check: a strange domain name with numbers or random characters, cheap top-level domains (.xyz, .top, .shop), a recently registered domain (less than 6 months old according to WHOIS data), unrealistic promises (“100% guaranteed income,” “up to 300% profit”), lack of company contact information, and payments only via cryptocurrency or irreversible bank transfers.

Introduction

The online landscape is filled with various traps lying in wait for users. One such threat involves websites that can’t be strictly classified as phishing, yet whose activities are inherently unsafe. These sites often operate on the fringes of the law, even if they aren’t directly violating it. Sometimes they use a cleverly crafted Terms of Service document as a loophole. These agreements might include clauses such as no-refund policies or forced automatic subscription renewals.

Fake online stores, dubious financial platforms, and various online services that mimic legitimate business operations are all categorized as suspicious. Unlike actual phishing sites, which aim to steal sensitive data like banking credentials or passwords, these suspicious sites represent a far more cunning trap. Their goal is manipulation: tricking the victim into willingly paying for non-existent goods and services or signing them up for a subscription that’s nearly impossible to cancel. Beyond financial gain, these sketchy websites may also hunt for personal data to sell later on the dark web.

Our solutions categorize them as having an “undefined trust level”. This article explains what these sites look like, how to identify them, and what you can do to stay safe.

The dangers of shady websites

One of the biggest risks of making a purchase from an untrusted website that appears to be an online store is financial loss through fraud. Fake shops will entice you with attractive deals to get you hooked. After you pay, you may never receive what you paid for, or you may receive some cheap piece of unusable junk instead of the item you ordered. Investment or “guaranteed income” programs are another type of classic scam — they promise rapid returns, and once they take your deposits, they disappear without a trace.

Visiting or buying from untrusted suspicious websites can expose you to various risks that go beyond a single bad purchase. Fraudulent websites often collect your personal information even if you do not end up making a purchase. By completing a form or signing up for a “free offer”, you may be providing the scammer with access to your information.

Personal data collection can happen in a fairly straightforward and obvious way — for instance, through a standard order delivery form. In this scenario, attackers end up with sensitive information like the user’s full name, shipping and billing addresses, phone number, email address, and, of course, payment details. As we’ve previously discussed, fraudsters sell this kind of information, and there are countless ways it can be used down the line. For example, this data might be leveraged for spam campaigns or more serious threats like stalking or targeted attacks.

Common types of suspicious sites

Let’s take a closer look at the different types of shady sites out there and how interacting with them can lead to financial loss, data leaks, the unauthorized use of personal information, and other consequences.

It’s worth noting that rogue websites can masquerade as legitimate ones in almost any industry. The first type of fraudulent site we’ll look at is fake online stores. These can appear as clones of real brand websites or as standalone stores. Usually, the scam follows one of two paths: the buyer either receives a counterfeit or poor-quality product, or they receive nothing at all. These sites lure victims in with suspiciously low prices and “exclusive” deals. Often, users are subjected to psychological pressure: the time to make a purchase decision is purposefully limited, provoking the victim, as with any other scam, into making an impulse purchase.

Another common type of shady site includes online exchanges and trading platforms. These primarily target cryptocurrency, as the lack of legislative regulation for digital currency in certain countries makes them a magnet for fraudsters. These suspicious sites often lure victims with supposedly favorable exchange rates or other enticing gimmicks. If the user attempts to exchange cryptocurrency, their tokens are gone for good. Beyond simple exchanges, rogue sites offer investment services and even display a fake balance growth to appear credible. However, withdrawing funds is impossible; when the victim tries to cash out, they’re prompted to pay some fee or fictional tax.

Subscription traps are also worth noting, offering everything from psychological tests to online video streaming platforms. The hallmark of these sites is that they deliberately withhold critical information, such as recurring charges, or hide the fact it even exists. Typically, the scheme works like this: a user is offered a subscription for a nominal fee, like $1. While that seems attractive, the next charge – perhaps only a week later – might be as much as $50. This information is intentionally obscured, buried in fine print or tucked away in the Terms of Service where it’s harder to find. Legitimate services always clearly disclose subscription terms and provide an easy way to cancel before a trial period ends. Scam services, on the other hand, do everything possible to distract the user from the actual terms of use and subscription.

Shady sites can also masquerade as providers of mediation services, such as legal or real estate assistance. In reality, the service is either never delivered or provided in a stripped-down, incomplete form. For example, a user might be prompted to pay for a service that’s normally provided for free. The danger here lies not only in losing money for non-existent services but also in the significant risk of exposing personal data, such as ID details, taxpayer identification numbers, social security numbers, or driver’s license information. Once in the hands of attackers, this data can become a tool for executing further scams or targeted attacks.

On the whole, suspicious sites are fairly difficult to distinguish from legitimate, trustworthy services. Masquerading as a legitimate business is the primary goal of these sites, and the fraudulent schemes they employ are not always obvious. Nevertheless, there are protective measures as well as certain indicators that can help you suspect a site is unsafe for purchases or financial transactions.

How to identify suspicious or fraudulent websites

Despite the increasingly convincing attempts to create fake shops, the majority of them still lack the quality of real online stores, and there are many signs that may give them away. Some of these signs can be caught by the eye while others require a bit of technical investigation. By combining visual inspection, technical checks, and trusted online tools, you can protect yourself from financial loss or data theft.

Visual and manual clues

You don’t need to be a cybersecurity expert to catch many red flags just by observing the site’s domain, visuals, language and behavior. For instance, scam sites often have strange or randomly generated names, filled with numbers, underscores, hyphens, or meaningless words, like best-shop43.com. In addition, such vague top-level domains as .xyz, .top, or .shop are also frequently used in scams because they’re cheap and easy to register.

Furthermore, most fake store sites look unprofessional, with poor visuals, pixelated images, mismatched fonts, or copied templates. Many fraudulent websites borrow layouts or logos from other brands or free templates, which makes them appear generic and sketchy.

Another major giveaway lies in the content itself. Be wary of persuasive language, unrealistic promises, or emotional triggers such as “No KYC”, “Risk-free returns”, “100% guaranteed income”, “Up to 300% profit”, or “Passive income with zero effort”. Unrealistic deals are another red flag. Extremely low prices, continuous countdown timers, and “limited time only” messages, which are often used to pressure you into making a quick purchase, are clear tells of a fraudulent website.

Legitimate businesses always provide verifiable contact details, such as a physical address, company name, and customer support. Scam sites, by contrast, hide this information. You may also notice non-functioning pages and broken or suspicious links leading to unrelated external sites, which indicate poor maintenance or malicious intent.

Another important signal is the website’s social media presence. Legitimate online businesses usually maintain at least one active social media account to promote their products and communicate with customers. In most cases, these businesses have long-established social media accounts with a consistent posting history, engagement from real users, and consistency between the brand website and social media profiles (same name, logo, and links). The links to social media profiles from the website are usually direct. In contrast, fraudulent or deceptive websites often lack any meaningful social media presence or display signs of superficial or artificial activity. This may include missing social media accounts altogether, social media icons that lead to non-existent, inactive, or unrelated pages, or recently created profiles with very few posts and minimal user engagement. In some cases, comment sections are disabled or dominated by spam and automated content, suggesting an attempt to avoid public interaction rather than engage with customers.

Lastly, the payment options offered by the site can also tell a lot about its legitimacy. Be extremely cautious if a website only accepts cryptocurrency, wire transfers, or third-party P2P payments. These payment methods are irreversible and are preferred by scammers. Legitimate e-commerce platforms typically offer secure and reversible payment options, such as credit cards or trusted payment gateways that include buyer protection policies.

However, the absence or existence of any of these factors alone does not necessarily indicate malicious intent. It should be evaluated in combination with technical, linguistic, and behavioral indicators, rather than treated as a standalone signal of legitimacy.

Technical indicators to check

Looking into technical signs can reveal whether a website is trustworthy or potentially fraudulent.

One of the first things to check is the domain age. Scam websites are often short-lived, appearing only for a few weeks or months before disappearing once users start reporting them. To check when the domain was created, use a WHOIS lookup. If it’s less than six months old, be cautious — especially for e-commerce or investment sites, where legitimacy and trust take time to build.

Let’s take a look at the registration details for the popular online marketplace Amazon. As we can see from the WHOIS information, it was registered in 1994.

Meanwhile, a reported suspicious online store was created a couple of months ago.

Legitimate websites usually operate on stable hosting platforms and remain on the same IP addresses or networks for long periods. In contrast, fraudulent websites often move between servers (in most cases using a cheap shared hosting service) or reuse infrastructure already associated with abuse. Checking the IP address reputation can reveal if the website or the hosting server has previously been linked to suspicious activities. Even if the website looks legitimate, a poor IP reputation can expose it.

In addition to that, looking at the infrastructure behavior over time can reveal patterns about its legitimacy. Websites associated with fraudulent activity often show short lifespans, sudden spikes in activity, or rapid appearance and disappearance, which indicates a coordinated campaign rather than a legitimate business.

Another important clue is hidden ownership. When the WHOIS details show “Redacted for Privacy” or leave the organization name blank, it may indicate that the website owner is deliberately hiding their identity.

We should point out that while this can raise suspicion during investigations, hidden WHOIS data is not inherently malicious. Many legitimate businesses use privacy protection services for valid reasons. These may include protection from spam and phishing after public email addresses are taken from WHOIS databases, personal safety for small business owners, and brand protection to prevent competitors or malicious actors from targeting the registrant. This means that some businesses can use services like WHOIS Privacy Protection, Domains By Proxy, or PrivacyGuardian.org to remove the WHOIS data while still operating transparently on their websites through clear contact details, customer support channels, and legal pages (e.g. terms of use).

Therefore, hidden ownership should be treated as a contextual risk indicator, not a standalone proof of fraud. It becomes more suspicious when combined with other signals, such as a newly registered domain and a lack of legal information.
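The domain-name clues from the previous section and the WHOIS checks above can be scripted together. This is an added example, not Kaspersky's detection model: the WHOIS excerpts and domain names are constructed, the 183-day cutoff approximates "six months", and only ISO-style creation dates are parsed.

```python
import re
from datetime import datetime, timezone

CHEAP_TLDS = {"xyz", "top", "shop"}     # the TLDs the article names
PRIVACY_MARKERS = ("redacted for privacy", "privacy protection",
                   "domains by proxy", "privacyguardian")
YOUNG_DAYS = 183                        # "less than six months", approximated

def parse_whois(raw):
    """Return (creation datetime or None, owner_hidden) from raw WHOIS text."""
    fields = {}
    for line in raw.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields.setdefault(key.strip().lower(), value.strip())
    created = None
    # Registries format dates differently; only YYYY-MM-DD prefixes are handled.
    match = re.match(r"\d{4}-\d{2}-\d{2}", fields.get("creation date", ""))
    if match:
        created = datetime.strptime(match.group(), "%Y-%m-%d").replace(
            tzinfo=timezone.utc)
    org = fields.get("registrant organization", "").lower()
    hidden = not org or any(marker in org for marker in PRIVACY_MARKERS)
    return created, hidden

def name_flags(domain):
    """Flags for the second-level label and TLD (no public-suffix handling)."""
    labels = domain.lower().rstrip(".").split(".")
    tld = labels[-1]
    name = labels[-2] if len(labels) > 1 else labels[0]
    flags = []
    if tld in CHEAP_TLDS:
        flags.append("cheap_tld")
    if re.search(r"\d", name):
        flags.append("digits_in_name")
    if "-" in name or "_" in name:
        flags.append("separators_in_name")
    return flags

def assess(domain, raw_whois, now):
    """Combine name and WHOIS signals into one list."""
    created, hidden = parse_whois(raw_whois)
    signals = name_flags(domain)
    if created is None:
        signals.append("no_creation_date")
    elif (now - created).days < YOUNG_DAYS:
        signals.append("young_domain")
    # Hidden ownership is contextual: it only counts next to another signal.
    if hidden and signals:
        signals.append("hidden_owner")
    return signals

# Constructed WHOIS excerpts, not lookups of real domains.
WHOIS_NEW = """\
Domain Name: BEST-SHOP43.TOP
Creation Date: 2025-11-20T10:00:00Z
Registrant Organization: REDACTED FOR PRIVACY
"""
WHOIS_OLD = """\
Domain Name: OLDPRIVATE.EXAMPLE
Creation Date: 2009-03-14T00:00:00Z
Registrant Organization: Domains By Proxy, LLC
"""
SAMPLE_NOW = datetime(2026, 1, 31, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(assess("best-shop43.top", WHOIS_NEW, SAMPLE_NOW))
    print(assess("oldprivate.example", WHOIS_OLD, SAMPLE_NOW))
```

The long-registered domain behind a privacy service produces no signals at all, which is the behaviour the paragraph above asks for.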

Next, you can check the security headers of the website. Legitimate websites are usually well maintained and include several key HTTP headers for protection. Some examples include:

  • Content-Security-Policy (CSP) provides strong defense against cross-site scripting (XSS) attacks by defining which scripts are allowed to run on the site and blocking any malicious JavaScript that could steal login data or inject fake forms.
  • HTTP Strict-Transport-Security (HSTS) forces browsers to connect to the site only over HTTPS. It ensures all communication is encrypted and prevents redirecting users to an insecure (HTTP) version of the site.
  • X-Frame-Options prevents clickjacking, which is a type of attack where a legitimate-looking button or link on a malicious page secretly performs another action in the background.
  • X-Content-Type-Options blocks MIME-type attacks by preventing browsers from misinterpreting file types.
  • Referrer-Policy controls how much information about your previous browsing (referrer URLs) is shared with other sites.

These headers form the “digital hygiene” of a website. Their absence doesn’t always mean a site is malicious, but it does suggest a lack of security awareness or professional maintenance — both strong reasons to be cautious.

You should also check the SSL certificate. Scam sites may use self-signed or short-lived SSL certificates. You can inspect this by clicking the padlock icon in your browser’s address bar — if it says “not secure” or the certificate authority seems unfamiliar, that’s a red flag.

You can check the security headers and the SSL certificate by sending an HTTP request programmatically or by using some online service.
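One way to run the header and certificate checks programmatically, as an added example that is not taken from the article or from any Kaspersky product. The header and certificate samples are constructed, the 30-day "short-lived" threshold is an assumption, and the value checks go slightly beyond the presence test described above.

```python
import http.client
import re
import ssl
from datetime import datetime, timezone

def _hsts_ok(value):
    match = re.search(r'max-age\s*=\s*"?(\d+)', value, re.I)
    return bool(match) and int(match.group(1)) > 0   # max-age=0 switches HSTS off

# The five headers the article lists, each with a minimal check of its value.
CHECKS = {
    "content-security-policy": lambda v: bool(v.strip()),
    "strict-transport-security": _hsts_ok,
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "referrer-policy": lambda v: bool(v.strip()),
}

def audit_headers(headers):
    """Split the expected headers into missing and present-but-ineffective."""
    seen = {name.lower(): value for name, value in headers.items()}
    missing = [h for h in CHECKS if h not in seen]
    # CSP frame-ancestors covers clickjacking, so X-Frame-Options is then optional.
    if "frame-ancestors" in seen.get("content-security-policy", "").lower():
        missing = [h for h in missing if h != "x-frame-options"]
    ineffective = [h for h, ok in CHECKS.items() if h in seen and not ok(seen[h])]
    return {"missing": missing, "ineffective": ineffective}

def audit_certificate(cert, now, short_lived_days=30):
    """Summarise a certificate dict in the format SSLSocket.getpeercert() returns.
    short_lived_days is an assumed threshold; the article gives no number."""
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    issuer = dict(pair for rdn in cert["issuer"] for pair in rdn)
    lifetime = (end - start) // 86400
    return {
        "issuer": issuer.get("organizationName") or issuer.get("commonName", ""),
        "lifetime_days": lifetime,
        "short_lived": lifetime < short_lived_days,
        "days_left": (end - int(now.timestamp())) // 86400,
    }

def fetch(host, timeout=10):
    """Live lookup, not exercised by the samples: (headers, cert, tls_error)."""
    conn = http.client.HTTPSConnection(host, timeout=timeout,
                                       context=ssl.create_default_context())
    try:
        conn.connect()                      # chain and hostname are verified here
        cert = conn.sock.getpeercert()
        conn.request("HEAD", "/")
        return dict(conn.getresponse().getheaders()), cert, None
    except ssl.SSLCertVerificationError as exc:
        # Self-signed or unknown-CA certificates fail verification and land here.
        return {}, None, exc.verify_message
    finally:
        conn.close()

# Constructed samples, not captured from real sites.
HEADERS_WEAK = {"Server": "nginx", "Strict-Transport-Security": "max-age=0",
                "X-Content-Type-Options": "sniff"}
HEADERS_GOOD = {
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}
CERT_SAMPLE = {
    "subject": ((("commonName", "shop.example"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Example Trust CA"),)),
    "notBefore": "Jan 10 00:00:00 2026 GMT",
    "notAfter": "Jan 24 00:00:00 2026 GMT",
}
SAMPLE_NOW = datetime(2026, 1, 20, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(audit_headers(HEADERS_WEAK))
    print(audit_headers(HEADERS_GOOD))
    print(audit_certificate(CERT_SAMPLE, SAMPLE_NOW))
```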

Another indicator of how well a website is built and managed is its DNS configuration. Legitimate businesses typically use reliable DNS providers and maintain consistent DNS records. Missing name server (NS) or mail exchange (MX) records may indicate poor DNS configuration. In addition to NS and MX, reputable sites also configure SPF and DMARC records to protect their brand from email spoofing and phishing, something scam website developers won’t bother with because they don’t intend to build a long-standing reputation.

You can check the configurations of DNS records either programmatically or by using an online service.
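A sketch of the programmatic DNS check, as an added example that is not part of the original article. It assumes the records were collected beforehand as "dig +noall +answer" output; the two record sets are constructed, and the finding names are illustrative.

```python
import shlex

def parse_dig_answers(text):
    """Turn `dig +noall +answer` lines into {(owner, type): [rdata, ...]}."""
    records = {}
    for line in text.splitlines():
        parts = line.split(None, 4)
        if len(parts) < 5 or parts[0].startswith(";"):
            continue
        owner, _ttl, _cls, rtype, rdata = parts
        if rtype == "TXT":
            # dig prints TXT data as quoted chunks; the value is their concatenation.
            rdata = "".join(shlex.split(rdata))
        records.setdefault((owner.rstrip(".").lower(), rtype), []).append(rdata)
    return records

def _tags(txt):
    """Parse a 'k=v; k=v' tag list as used by DMARC."""
    pairs = (part.split("=", 1) for part in txt.split(";") if "=" in part)
    return {k.strip().lower(): v.strip().lower() for k, v in pairs}

def dns_findings(domain, records):
    """List the DNS hygiene gaps the article describes for one domain."""
    findings = []
    for rtype in ("NS", "MX"):
        if not records.get((domain, rtype)):
            findings.append("no_" + rtype.lower())

    txt = records.get((domain, "TXT"), [])
    spf = [t for t in txt if t.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        findings.append("no_spf")
    elif len(spf) > 1:
        findings.append("multiple_spf")          # RFC 7208 treats this as an error
    else:
        terms = spf[0].lower().split()[1:]
        all_term = next((t for t in terms if t.lstrip("+-~?") == "all"), None)
        if all_term in ("all", "+all"):
            findings.append("spf_allows_any_sender")
        elif all_term == "?all":
            findings.append("spf_neutral")
        elif all_term is None and not any(t.startswith("redirect=") for t in terms):
            findings.append("spf_without_all")

    # DMARC policy is published as a TXT record at _dmarc.<domain>.
    dmarc = [t for t in records.get(("_dmarc." + domain, "TXT"), [])
             if t.lower().replace(" ", "").startswith("v=dmarc1")]
    if not dmarc:
        findings.append("no_dmarc")
    elif _tags(dmarc[0]).get("p") not in ("quarantine", "reject"):
        findings.append("dmarc_not_enforced")    # p=none only monitors
    return findings

# Constructed dig output, not real lookups.
SAMPLE_WEAK = """\
shop.example.          3600 IN NS  ns1.hosting.example.
shop.example.          3600 IN TXT "v=spf1 +all"
_dmarc.shop.example.   3600 IN TXT "v=DMARC1; p=none"
"""
SAMPLE_GOOD = """\
brand.example.         3600 IN NS  ns1.brand.example.
brand.example.         3600 IN MX  10 mx.brand.example.
brand.example.         3600 IN TXT "site-verification=constructed"
brand.example.         3600 IN TXT "v=spf1 include:_spf.brand.example -all"
_dmarc.brand.example.  3600 IN TXT "v=DMARC1; p=reject; " "rua=mailto:dmarc@brand.example"
"""

if __name__ == "__main__":
    print(dns_findings("shop.example", parse_dig_answers(SAMPLE_WEAK)))
    print(dns_findings("brand.example", parse_dig_answers(SAMPLE_GOOD)))
```

Records that exist but do nothing, such as an SPF record ending in +all or a DMARC policy of p=none, are reported separately from records that are missing.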

Another recommendation is to pay attention to website behavior. If there are frequent redirects, pop-up ads, or background requests to unknown domains, this may indicate unsafe scripting or tracking.

How to protect yourself

Tools and databases for detecting suspicious websites

We at Kaspersky have built an intelligent system for detecting suspicious web resources and added this new type of protection into many of our products, including Kaspersky Premium, Kaspersky for Android and iOS, and others. Our detection model is based on many factors, including but not limited to the following:

  • domain name and age,
  • IP reputation,
  • stability of the infrastructure used,
  • DNS configurations,
  • HTTP security headers,
  • digital identity and popularity of the web resource.

Kaspersky has been certified as a provider of effective protective technology for fake shop detection.

When a user tries to visit a site flagged as having an undefined trust level, our solutions show a warning to stop the visitor from becoming a victim of personal data leaks, financial losses or a bad purchase:

This component is on by default.

Moreover, there are several online tools and databases that can help assess a website’s legitimacy:

  • ScamAdviser analyzes trust based on WHOIS, server location, and web reputation.
  • APIVoid provides risk scoring using DNS, IP, and domain reputation databases.
  • National government databases often maintain official lists of fraudulent or blacklisted domains.

Preventive measures

To protect yourself from such threats, it might be a good idea to take some additional preventive measures. Always double-check the URL and domain name, especially when you are about to click a link or make a payment. Make sure the site uses HTTPS and has a trusted certificate.

You can use standard browser tools to verify site security. For example, in Google Chrome, clicking the site information button (the lock or settings icon in the address bar) displays details about the connection security and the site’s certificate.

In the Security section, you can check whether the site supports HTTPS – it should say “Connection is secure” – and view the site’s digital certificate.

Additionally, keep reliable security software with real-time protection running on your device to stop you from accessing dangerous websites. Do not download any files or enter your personal information on websites that look unprofessional or suspicious. And finally, remember the golden rule: if a deal seems too good to be true, it often is.

If you realize that you’re on a scam website, it’s important to perform certain post-incident actions immediately. First, contact your bank or payment provider as soon as possible to block the transaction or card. Then, change your passwords for the services which might have been compromised, and run a full antivirus scan on your device to detect and remove any potential threats. Lastly, consider reporting the website to the cybercrime agency in your country or to the consumer protection agency. Sharing your experience online by leaving a review or warning will alert other potential customers.

By staying careful and taking quick actions, you can significantly reduce the chances of being a target and help make the internet a safer place for everyone.

An overview of detection statistics for sites with an undefined trust level

To illustrate the types of suspicious sites prevalent in various regions around the world, we analyzed anonymized detection data from Kaspersky solutions for the “websites with an undefined trust level” category in January 2026. For each region, we identified the 10 most frequently encountered sites and calculated the share of each within that list. To maintain privacy, specific domains are not listed directly; instead, they’re described based on their functionality and characteristics.

Most visited suspicious sites

First, let’s examine the sites that appear across multiple regions, indicating a high prevalence.

In 9 out of the 10 regions analyzed, we encountered a suspicious image processing platform (*a*o*.com). This site positions itself as a photo editing tool, but in reality, it serves as an intermediary server for uploading images used in phishing and other campaigns. By interacting with such a site, users risk exposing personal data under the guise of uploading images or falling victim to a phishing attack.

Percentage of the *a*o*.com domain detections by region, January 2026

This site has the largest share of detections in the Russian Federation, where it ranks first in the TOP 10 with a 40.80% share. It is also prevalent in Latin American countries (21.70%) and the CIS (14.64%), while it’s least common in Canada at 0.24%.

The next site appeared in 7 regions. It consists of a landing page for a fake antivirus solution presented as a browser extension (*n*s*.com). This extension redirects the user to a fake search engine page allowing it to collect data and track user activity, specifically search queries.

Percentage of the *n*s*.com domain detections by region, January 2026

This site is most frequently detected in South Asia, with a share of 33.31%. Its presence in Canada and Oceania is roughly equal (15.47% and 15.09%, respectively). We recorded the lowest number of detections in Africa, at 2.99%.

Another suspicious browser extension appeared in the TOP 10 in 6 out of the 10 regions. It’s a fake privacy-enhancing tool hosted at *w*a*.com. Instead of providing the advertised privacy features, this extension carries a high risk of intercepting browser data. It can modify browser settings, harvest user data, and swap the default search engine for a fake one. Furthermore, it maintains full control over all browser traffic.

Percentage of the *w*a*.com domain detections by region, January 2026

This “service” has its largest share, 22.25%, in the Middle East and North Africa, and is also quite common in Canada (16.26%). It’s least frequently encountered in Latin America (5.38%) and East Asia (4.02%).

The site *o*r*.com appeared in five regional rankings. It’s a fake security service promising to provide online safety by warning users about malicious sites and dangerous search queries. This extension has the potential to steal cookies (including session cookies), inject advertisements, spoof login forms, and harvest browser history and search queries. We noted that this site made the TOP 10 in Africa (0.59%), the MENA (Middle East and North Africa) region (4.57%), Europe (5.61%), Canada (7.21%), and Oceania (1.93%).

In 4 out of the 10 regions, we identified several other recurring sites. One of them (*n*p*.xyz) mimics a repository for creative AI image generation prompts while capturing browser data. The domain hosting this site exhibits several red flags: it was recently registered, and the owner’s information is hidden. This site reached the TOP 10 in Africa (0.51%), the MENA region (7.04%), Latin America (22.54%, ranking first in that region), and South Asia (5.91%).

The second service (*i*s*.com) positions itself as a tool for safe searching, protecting the browser from threats, and verifying extensions. However, this is a typical browser hijacker, much like the others mentioned above. It made the TOP 10 in South Asia (8.03%), Oceania (17.97%), Europe (3.90%), and Canada (14.35%).

The third site (*h*t*.com) poses as a private browsing extension. In reality, it’s another potentially unwanted application designed for browser hijacking: it modifies settings, steals sensitive data (cookies, browser history, and queries), and can redirect the user to phishing pages. Users have specifically noted the difficulty involved in removing the extension. This site appears in the TOP 10 for the MENA region (10.17%), Canada (7.06%), Europe (3.81%), and Oceania (2.81%).

Another domain (*o*t*.com) that reached the TOP 10 in four regions is a service mimicking a browser extension for safe searching and web browsing. It’s dangerous because it injects ads and steals user data. It’s important to note that such extensions can be installed without explicit user consent – for example, via links embedded in other software. This service holds the number one spot in two regions: Canada (25.72%) and Oceania (30.92%), while also appearing in the TOP 10 for East Asia (8.01%) and Africa (0.88%).

Consequently, we can see that the majority of suspicious sites detected by our solutions worldwide are browser hijackers masquerading as security products. Nevertheless, other categories of sites also appear in the TOP 10.

Next, we’ll examine each region individually, focusing on descriptions of domains not previously covered. For clarity, the sites mentioned above will be marked as [MULTI-REGION], while those appearing in only two or three regions will include the names of those specific areas. We’ll observe several regional overlaps and similarities, allowing us to determine which types of suspicious sites are popular both within specific regions and globally.

Africa

Distribution of the TOP 10 suspicious websites in Africa, January 2026

The three most prevalent domains in African countries are found exclusively in this region. All of them – *i*r*.world (60.27%), *m*a*.com (22.84%), and *e*p*.com (9.36%) – are potentially fraudulent online trading platforms suspected of using forged licenses. These sites employ classic scam schemes where it’s impossible to withdraw any alleged earnings. In fifth place is a domain we’ll also see in the European TOP 10, *r*e*.com (1.46%): a platform marketed as a tool for retail and semi-professional traders. It charges for services available elsewhere for free. Eighth place is held by a site that also appears in the Russian TOP 10: *a*c*.com (0.56%). This is a dubious AI tool that claims to offer free subscriptions to a premium graphics editor. In ninth place is a domain that also surfaces in the Canadian TOP 10: *u*e*.com (0.53%), a browser extension of the “web protection” variety that we’ve encountered previously.

In summary, the African region is dominated by financial scams within the online trading and brokerage sectors. These include fake platforms that make it impossible to withdraw funds and use fake licenses and classic schemes to steal users’ money. Additionally, Africa sees paid tools that duplicate free services and questionable AI-based subscriptions. The primary threat in this region is financial loss through fraudulent investment-themed sites.

MENA

Distribution of the TOP 10 suspicious websites in the Middle East and North Africa, January 2026

In the MENA region, the site *a*v*.su holds the top spot with a 28.64% share; notably, this site also appears in the TOP 10 for Russia. It markets itself as a tool for building custom VoIP-PBX systems. However, it has an extremely low trust rating and is frequently associated with phishing and hidden redirects. Using this service carries significant risks, including data leaks and financial loss.

Ranked seventh is *a*r*.foundation (6.32%), an AI bot allegedly designed for trading, which we also identified in the TOP 10 for Oceania. This service has been flagged as an investment scam operating as a pyramid scheme with the hallmarks of a Ponzi scheme.

The ranking is rounded out by two domains not found in any other region. The first one, *l*e*.pro (4.42%), is a spoof of a popular betting service. The second, *p*r*.group (2.21%), is a clone of a well-known broker. Both sites are scams.

In the MENA region, the landscape is dominated by fake VoIP services as well as counterfeits of financial and betting platforms, which attackers use to conduct phishing attacks and perform hidden redirects. A significant portion of suspicious sites consists of fake online privacy tools and browser hijackers masquerading as security extensions. Ponzi schemes and cryptocurrency scams are also prominent. The primary risks for the region are data theft and financial loss.

Latin America

Distribution of the TOP 10 suspicious websites in Latin America, January 2026

In Latin America, we identified five popular suspicious sites specific to this region, which is unusual compared to other areas where more overlaps are typically observed. Ranking third with a share of 10.81% is the fake betting platform *b*e*.net. In fifth place is *r*e*.club, an illegitimate clone of a well-known bookmaker, with a share of 7.82%.

Further down the list of local threats are *a*a*.com.br (7.02%), a Brazilian Ponzi scam; *s*a*.com (5.07%), which offers dubious investment programs; and *t*r*.com (4.53%), a potentially dangerous trading platform.

In Latin America, the most-visited suspicious sites are betting-themed scams, including both clones of legitimate sites and those built from scratch. Also prevalent are Ponzi schemes, fake investment programs, and dubious online brokers. A significant portion of these sites consists of browser hijackers posing as crypto platforms and AI bots. The primary threats in Latin American countries include financial loss through gambling and Ponzi schemes, as well as the theft of NFTs and other tokens.

East Asia

Distribution of the TOP 10 suspicious websites in East Asia, January 2026

In the East Asian TOP 10, we see the highest concentration of domains that are absent from other regional rankings.

In first place, with an 18.77% share, is the fake broker *r*x*.com, which can be used to steal personal data or funds. Second place is held by a crypto-gaming site (16.44%) that we previously encountered in the Latin American TOP 10. Visitors to this site risk losing NFTs and other tokens. In third place is the domain *u*h*.net (11.61%), used for redirects, which can hijack sessions. Following this is *s*m*.com (9.98%), a domain typically used as a browser-hijacking server and for phishing attacks, serving as a link in an infection chain.

Rounding out the local threats in East Asia are the following domains: *e*v*.com (9.37%), utilized in drive-by attacks; *a*k*.com (9.16%), an API-like domain associated with suspicious scripts and extensions; and *b*l*.com (4.38%), a domain potentially used for redirects.

East Asia has a high concentration of region-specific fake brokers, crypto gaming platforms, and NFT marketplaces. The primary threats for this region include the loss of financial data, NFTs, and other tokens, as well as session hijacking.

South Asia

Distribution of the TOP 10 suspicious websites in South Asia, January 2026

In South Asian countries, we also observe a concentration of local suspicious sites specific to the region.

The second most popular site in the region is *a*s*.com (12.01%), a poor-reputation, high-risk microloan service typical of South Asia. By interacting with these sites, users risk not only losing significant funds but also compromising their overall security. Following this are *v*n*.com with a 9.47% share and *l*f*.com with 8.65%. These domains are employed in various fraudulent schemes, ranging from phishing to spam.

The TOP 10 also includes *s*o*.com (4.80%), a free video downloading service associated with a high risk of infection. The final site we analyzed in the South Asia region is *c*o*.site (1.89%), a pseudo-tool for local SEO optimization that carries the danger of data loss and a high risk of financial fraud through subscription sign-ups.

In summary, the region is dominated by fake antivirus extensions, microloan services, dubious video downloaders, and counterfeit SEO tools. The primary risks for South Asia include financial fraud, phishing and spam distribution, and data theft.

CIS

When analyzing statistics for suspicious sites in CIS countries, we treat Russia as a separate region due to the unique characteristics of its online space which are not found in any other CIS member states. However, we’ve placed these two regions in the same section, as we’ve observed overlaps between them that are not seen in other parts of the world.

Distribution of the TOP 10 suspicious websites in the CIS, January 2026

The top two sites in the CIS TOP 10 also appear in the Russian TOP 10. The domain *r*a*.bar, which ranks first in the CIS (39.50%), holds the second spot in Russia (15.93%) and is a fake trading site. It’s worth noting that sites in the .bar domain zone are frequently used for scams. In second place in the CIS (15.29%) and sixth in Russia (3.75%) is the domain *p*o*.ru, which is often associated with bots for inflating follower counts and automating community management.

Domains from fourth to eighth place are specific only to the CIS region and don’t appear in the Russian TOP 10. These sites include:

  • *a*e*.online (8.42%): an online image editor that carries risks of data harvesting
  • *n*a*.io (6.51%): a high-risk cryptocurrency trading platform
  • *e*r*.com (3.72%): a site promising free cryptocurrency and posing the risk of compromising visitors’ private keys and digital wallets
  • *s*o*.ltd (3.70%): a domain with an extremely low trust rating
  • *s*.gg (3.49%): a scam site masquerading as a play-to-earn blockchain game

The ranking concludes with sites that overlap with the Russian region. *a*.consulting (2.42%) is a fake clone of a binary options site, and *a*.lol (2.32%) is a domain suspected of dubious activity.

The CIS landscape is dominated by fake trading platforms (particularly crypto exchanges), promises of easy profits, play-to-earn scams, and dubious investment projects. We also observe many bots for inflating social metrics and automation. The primary threat in the CIS is the theft of private keys, digital wallets, and funds through investment schemes and lures involving online promotion.

Distribution of the TOP 10 suspicious websites in Russia, January 2026

The Russian TOP 10 includes three unique domains not found in the rankings of other regions. The first, *n*m*.top (7.84%), is an imitator of a well-known binary options broker. This suspicious site was recently registered and has a tellingly low rating on domain verification services. The second, *t*e*.ru (3.25%), claims to be an educational platform and has a dubious subscription system with a high probability of fraud involving difficulties in canceling subscriptions. The third site, *e*e*.org (3.14%), positions itself as a tool for a popular media platform, but it’s actually a scam that fails to provide its stated services.

Overall, the Russian landscape is characterized by fake binary options brokers and sketchy sites with fraudulent subscriptions posing as e-learning platforms. There are also frequent instances of sites spoofing well-known legitimate services. The primary risks in Russia are scams related to the knowledge business sector, as well as the theft of money and personal data.

Europe

Distribution of the TOP 10 suspicious websites in Europe, January 2026

In the European region, we’ve found two unique domains. The first of these, *c*r*.org, has been identified as part of a chain for massive phishing and spam attacks. It accounts for a 16.08% share of the TOP 10. The second site, *o*n*.de, is an unofficial reseller with a poor reputation and a high likelihood of fraud. This domain ranks second to last in our statistics with a 5.95% share.

Among the sites not previously covered, the European TOP 10 includes one site that also appears in the Oceania TOP 10: *o*i*.com (6.61%). This is a classic cryptocurrency scam promising passive income.

A significant portion of suspicious sites in Europe consists of intermediary sites for phishing and spam, fake security extensions, and crypto scams. Unofficial sales services and paid trading tools are also on the list. The primary threats in the European region include session hijacking, data theft, spam, and investment fraud.

Canada

Distribution of the TOP 10 suspicious websites in Canada, January 2026

Canada has been designated as a separate region to illustrate prevailing trends within North America. The first four positions in the Canadian TOP 10 are held by multiregional domains discussed previously. In fifth place is *t*c*.com (10.88%), which also appears in the TOP 10 rankings for Oceania and South Asia. This is yet another browser extension masquerading as a security solution. Occupying the final spot is the domain *e*w*.com (0.17%), which is unique to the Canadian market. This site operates a dropshipping scam, offering products at prices significantly below market value. Customers typically either never receive their orders or get low-quality counterfeits.

The landscape of dubious websites in Canada is largely defined by fraudulent extensions capable of hijacking browser data, tracking user activity, spoofing search queries, harvesting cookies, and injecting ads. This is further compounded by dropshipping schemes involving counterfeit goods. The primary risks for users in Canada include data theft and financial loss from purchasing substandard products.

Oceania

Distribution of the TOP 10 suspicious websites in Oceania, January 2026

The final region under consideration is Oceania. Notably, we didn’t identify a single domain unique to this region. Every site appearing in the TOP 10 represents a global threat that’s already been detailed in previous sections. To summarize the findings for this region: the primary threats consist of fake security extensions and privacy products designed for browser hijacking, tracking user activity, displaying advertisements, and stealing data. There’s a minimal presence of crypto Ponzi schemes in this area. The main risk for users in Oceania is the loss of privacy and confidentiality through unwanted apps.

Conclusion

Suspicious websites are particularly dangerous because they often masquerade as legitimate sites with high levels of persuasiveness. They mimic online stores, subscription-based streaming platforms, repair firms, and various other services. Unlike standard phishing sites, they employ more sophisticated manipulations to deceive users, tricking them into voluntarily handing over their personal data and transferring funds.

By examining the TOP 10 suspicious sites across the world’s major regions, we can draw several conclusions. On average, the most prevalent threats globally are fraudulent extensions masquerading as security solutions and privacy services. Their true purpose is to hijack browser data, track user activity, and display ads. We also frequently encounter phishing platforms for image processing and financial scams involving trading, cryptocurrency, betting, and microloans. Our statistics demonstrate that these sites not only employ classic fraudulent schemes centered on easy money but also adapt to contemporary trends targeting younger audiences and specific regional characteristics. The primary risks for users interacting with these sites are a combination of privacy threats and financial loss.

To help protect users from these shady sites, we’ve introduced the category of “websites with an undefined trust level” as part of the web filtering features in our solutions. However, it’s important to note that user awareness and individual responsibility play a significant role in ensuring safe web browsing. It’s essential for users to be able to recognize suspicious sites and remain vigilant toward any that appear untrustworthy.

Smashing Security podcast #465: This developer wanted to cheat at Roblox. It cost millions

A developer at an AI startup wanted to cheat at Roblox. They downloaded a dodgy script on their work laptop. That one decision triggered a cascade of failures that ended with a $2 million data breach affecting hundreds of thousands of organisations. All for some free in-game currency. Meanwhile, there's a 1980s phone protocol called SS7 that lets shadowy surveillance companies track anyone, anywhere, via their mobile phone. Governments know about it. Telecoms know about it. Nobody's fixing it. All this and more in episode 465 of the "Smashing Security" podcast with cybersecurity keynote speaker and industry veteran Graham Cluley, joined this week by special guest James Ball. Plus! Don't miss our featured interview with Rob Edmondson of CoreView, discussing how to lock down Microsoft 365 before it's too late.

Hiding Bluetooth Trackers in Mail

It was used to track a Dutch naval ship:

Dutch journalist Just Vervaart, working for regional media network Omroep Gelderland, followed the directions posted on the Dutch government website and mailed a postcard with a hidden tracker inside. Because of this, they were able to track the ship for about a day, watching it sail from Heraklion, Crete, before it turned towards Cyprus. While it only showed the location of that one vessel, knowing that it was part of a carrier strike group sailing in the Mediterranean could potentially put the entire fleet at risk.

[…]

Navy officials reported that the tracker was discovered within 24 hours of the ship’s arrival, during mail sorting, and was eventually disabled. Because of this incident, the Dutch authorities now ban electronic greeting cards, which, unlike packages, weren’t x-rayed before being brought on the ship.

From Analytics to “Interception”: How Website Tracking Became a Wiretap Problem—and What Companies Should Do About It

There is a certain irony in watching a statute designed to prevent clandestine eavesdropping on telephone calls become one of the most aggressively deployed tools against ordinary website functionality. The federal Wiretap Act—codified as part of the Electronic Communications Privacy Act (“ECPA”), 18 U.S.C. §§ 2510–2522—was never intended to regulate marketing pixels, session replay scripts,..

The post From Analytics to “Interception”: How Website Tracking Became a Wiretap Problem—and What Companies Should Do About It appeared first on Security Boulevard.

Meta & YouTube Found Negligent: A Turning Point for Big Tech?

A landmark jury verdict has found Meta and YouTube negligent in a social media addiction case, raising major questions about platform accountability and legal protections under Section 230. This episode covers the details of the case, why the ruling is significant, and what it could mean for the future of social media, privacy, and cybersecurity. […]

The post Meta & YouTube Found Negligent: A Turning Point for Big Tech? appeared first on Shared Security Podcast.

The post Meta & YouTube Found Negligent: A Turning Point for Big Tech? appeared first on Security Boulevard.


The Hidden Tracking Risk Inside Your Tires

In this episode, Tom Eston and co-host Scott Wright discuss research showing that Tire Pressure Monitoring Systems (TPMS) can create privacy risks because the sensors broadcast unencrypted, uniquely identifying wireless signals that could be used to track vehicles. They reference a 10-week study by researchers at IMDEA in Madrid that collected about 6 million signals […]

The post The Hidden Tracking Risk Inside Your Tires appeared first on Shared Security Podcast.

The post The Hidden Tracking Risk Inside Your Tires appeared first on Security Boulevard.


Pixel Watch Users Report Inflated Steps, Missing SpO2 Data


A recent Pixel firmware update released in March 2026 has sparked concern among Pixel Watch users, as reports of inaccurate Fitbit tracking, missing SpO2 readings, and inflated activity data continue to surface. What was expected to refine performance has instead led to confusion, with some users questioning the reliability of their health metrics altogether.

The March 2026 Pixel firmware update was intended to deliver routine improvements and security enhancements. However, users quickly began noticing irregularities in their Fitbit tracking data. According to multiple reports shared online, daily step counts and calorie burn estimates have become exaggerated.

Pixel Firmware Update Causes Fitbit Tracking Errors 

Some users claim their Pixel Watch recorded double or even triple the number of steps taken during periods of inactivity. In more extreme cases, individuals reported seeing as many as 14,000 steps logged and 6,300 calories burned without leaving their couch. These anomalies suggest that the issue is not minor but widespread enough to impact the credibility of the device’s fitness tracking features.

The problem has been widely discussed across forums such as Reddit, with coverage also highlighted by 9to5Google. The consistency of complaints indicates that the issue is not isolated to a handful of devices.

Missing SpO2 and Health Data After Pixel Firmware Update 

Initially, the fallout from the Pixel firmware update appeared limited to missing health metrics. Users reported that SpO2 levels and skin temperature readings had disappeared from the Fitbit app. These metrics are typically crucial for users monitoring wellness trends, making their absence noticeable and concerning.

Over time, the issue evolved beyond missing data. Instead of simply failing to record certain metrics, the watch began generating inaccurate activity statistics. This shift, from incomplete Fitbit tracking to outright incorrect data, has made the situation more problematic.

Despite the growing number of complaints, there has been no official explanation addressing why SpO2 readings vanished or why activity metrics became inflated following the update, as reported by Android Central.

Is the Pixel Firmware Update the Only Cause? 

While many users attribute the issue directly to the March Pixel firmware update, the situation may be more complex. Some reports indicate that similar inaccuracies are occurring on devices running older software versions. This raises the possibility that the bug may not be entirely tied to the update itself.

The presence of the issue across different versions suggests a potential server-side problem affecting Fitbit tracking systems. If true, resolving the issue could require backend fixes rather than a simple patch pushed to devices. This uncertainty complicates troubleshooting efforts and leaves users without a clear timeline for resolution.

Fitbit Tracking Reliability Comes into Question 

For casual users, inflated step counts might seem like a harmless glitch. However, for individuals who rely on precise Fitbit tracking, whether for fitness goals, calorie monitoring, or health management, the issue is far from trivial.

Accurate metrics are central to the purpose of wearable devices. When a Pixel firmware update introduces discrepancies in step counts, calorie burn, and SpO2 readings, it undermines user trust. The ability to rely on consistent and accurate data is a key reason why users adopt such devices in the first place.

No Official Response Yet 

As of now, there has been no public statement addressing the issue. The company behind the Pixel Watch has not posted updates on official support forums or acknowledged the problem through formal channels. However, given the volume of user complaints, it is widely assumed that the issue is under investigation.

Software updates are generally expected to enhance device performance, especially when they involve critical features like health monitoring. In this case, the March Pixel firmware update appears to have done the opposite for some users.

AI Used to Promote Non-Existent Evacuation Flights From the Middle East

The Netherlands’ largest newspaper, De Telegraaf, recently published an interview with a woman claiming to organise her own evacuation flights from Dubai, selling seats at €1,600 (US$ 1850) each. Four days later, her photo was removed from the article, though the interview remained.

Bellingcat has found that the original image not only includes artefacts commonly associated with generative AI, but that the flights referenced in the article do not appear to exist.


The story came at a time when thousands of Dutch people were reportedly seeking urgent ways to leave the region following Iranian missile and drone strikes across the Gulf in retaliation for US-Israeli strikes.

Published on De Telegraaf’s website on March 5, the headline reads: “Dutch people in the Middle East feel abandoned by the government: We just rented a plane ourselves.”

The Dutch minister of foreign affairs was confronted with this headline during a television interview, in which he described ongoing efforts by the Dutch government to repatriate citizens to the Netherlands.

The article features interviews with several Dutch people struggling to leave Dubai and Abu Dhabi, including Tamara Harema. Under the subheading “Dutch people hire their own plane”, Harema says she was “rebooked five times by Emirates” and that the official repatriation flights organised by the Dutch government were not ‘taking off’.

As part of a group, she says, they are organising buses and have hired an Airbus A321 to fly home. Harema is quoted as saying: “The first plane is already full, so we’re organising a second flight. Stranded travellers can contact us.”

However, several discrepancies in Harema’s photo, published in the original article, suggest it was AI-generated. No trace of a person matching Harema’s face or profile could be found, and flight-tracking data suggests no such plane took off.

The Photo

In the image below, the world’s tallest structure, Burj Khalifa, can be seen through the window overlooking the Dubai skyline. Each side of the tower is unique, with platforms that protrude at different heights and in different directions. It also contains several mechanical floors, which appear as dark bands in the photo.

Photo description as published by De Telegraaf reads: “Tamara Harema and a group organise their own flights to the Netherlands, for which they have rented an Airbus A321. “Otherwise, nothing would get off the ground.” © Own photo” Source: Published in De Telegraaf, March 5.

By cross-checking the height of the visible platforms together with the location of the mechanical floors, it’s possible to determine that Harema’s hotel room faces north-west, towards the Burj Khalifa’s south-east-facing facade.

Comparing Harema’s photo (bottom left) to all three sides of Burj Khalifa’s base suggests she is looking at the Southeast facade. Source: Harema’s image / Google Street View.

Several discrepancies are visible when comparing Harema’s photo with other images of the building, including an upper mechanical floor appearing higher than in other images and the absence of the water feature at the base of the building.

Harema’s image (left), compared to a screenshot of a video of the building from 2020 (right), suggests a discrepancy between the upper mechanical floors. The water feature is also absent. Source: Harema’s image / YouTube.

To establish whether Harema’s photo could have been taken several years earlier, Google Street View imagery was analysed from 2013 onwards. No match could be found when comparing the arrangement of buildings at the base of the Burj Khalifa.

In Harema’s photo, the arrangement of buildings at the base of the tower does not match historic Google Street View images. Source: Harema’s image / Google Street View.

Several other irregularities, as shown below, including the hotel room furniture and details of Harema’s clothing and jewellery, also suggest it may have been AI-generated.

(Left) a distorted lamp stand; (top right) blurring on the “V” of her T-shirt; (bottom right) an earring that appears to merge into her face – all discrepancies commonly associated with generative AI.


Fully Booked Airbus A321

Regarding whether the plane existed, Harema says in her interview that buses have already been arranged to collect passengers from two locations in Dubai on Saturday, March 7, after which a 232-seater Airbus A321 will depart from Muscat, Oman, for the Netherlands.

The article notes the cost is €1,600 (US$ 1850) per person, without detours. “Although we read that a Dutch repatriation flight costs €600, just try getting on such a flight,” says Harema.

According to Flightradar24, multiple A321s departed Muscat on March 7 and 8, but none bound for the Netherlands. The only aircraft that did arrive in Amsterdam from Muscat were either government-organised repatriation flights or scheduled Oman Air services, none of which were Airbus A321s.

Two Airbus A321s were recorded on the ground at Muscat Airport on March 7. One, belonging to Gulf Air, later departed for Rome via Riyadh on March 8. The other, operated by SalamAir, had been flying routes between Oman and Bangladesh until March 3, but has since remained in Muscat.


After contacting De Telegraaf, an explanation for the photo’s removal was added at the bottom of the article, stating that the photo did “likely not meet our journalistic guidelines.”

The newspaper’s deputy editor-in-chief, Joost de Haas, added:

“Regarding the quoted Tamara Harema, the editors contacted her after Mr. Chizki Loonstein—a long-standing source for one of our reporters—informed us about attempts to charter a plane. Mr Loonstein informed us that Ms Harema stayed in Dubai and could tell us more about it. This led to messages from which several quotes from Harema were extracted, as reproduced in the relevant passage of the article.”

A search for Loonstein led to a six-month-old report from another Dutch newspaper, NRC, which claimed that Loonstein, a lawyer, emigrated to Dubai after his legal company went bankrupt, leaving his clients, victims of fraud, worse off.

Contacted for comment, Loonstein confirmed that he knew Harema and had shared her contact details in “an app group” in relation to a flight from Muscat to Amsterdam. After this contact, Bellingcat sent him the photo of Harema to confirm her identity and asked him to share Harema’s contact details. In response, Loonstein refused to provide further comment. 


Merel Zoet and Claire Press contributed to this report.


The post AI Used to Promote Non-Existent Evacuation Flights From the Middle East appeared first on bellingcat.

Using Bellingcat’s New Open Source Tool to Explore Historical and Spatial Flight Data

Flight tracking data is an important tool in open source research, but with 100,000 daily flights, it can be difficult to contextualise what a particular aircraft’s movements indicate. 

Bellingcat has developed a tool called Turnstone to make it easier to visualise historical trends in flight data and spot unusual patterns. It also allows users to filter by parameters such as aircraft type or a geographic region of interest. 

Source: ZUMA Press Wire via Reuters Connect; overlays of Turnstone by Bellingcat

This tool primarily uses Automatic Dependent Surveillance–Broadcast (ADS-B) data, the technology that enables open source investigators and enthusiasts to track flights. 

Most aircraft are equipped with transmitters that broadcast ADS-B data to comply with global aviation regulations, though regulations vary by jurisdiction, and military aircraft might not always transmit. ADS-B data includes information about an aircraft’s identity and type, as well as its precise position, speed and altitude. 

Popular flight-tracking websites such as Flightradar24 and ADS-B Exchange typically display historical data for a particular time or aircraft. However, Turnstone aggregates ADS-B data for multiple aircraft over time, and allows users to search for flights across two areas of interest at once. These features provide additional context for open source investigators to better understand flight behaviour.

Watch the video for a demonstration of how the tool works, using the example of Black Hawk helicopter patrols near one of the borders between the US and Canada:

You can view Turnstone’s source code and information about hosting it yourself on Bellingcat’s GitHub.

We also have a web-based instance of the tool that journalists and academics can access. Due to data hosting and processing costs, we can only grant access on a selective basis. If you would like to apply, please fill in this form. Priority will be given to researchers conducting open source investigations aligned with Bellingcat’s goals.

Read on for more examples of how Turnstone can be used for investigations, as well as some limitations of the tool.  

Spotting Unusually High US Tanker Activity Before Iran Strikes

The US and Israel launched joint air strikes across Iran on Feb. 28, 2026, reportedly killing more than 1,000 people, including members of the Iranian leadership, in five days.

This marked a dramatic escalation since the US and Israel bombed three Iranian nuclear sites in June 2025. 

Flight data before both the June 2025 and February 2026 strikes showed a large number of American aerial tankers leaving the US and crossing the Atlantic towards Iran. Aerial tankers such as the KC-135 and KC-46A can refuel military aircraft in-flight, making them essential for most long-range combat missions.

The 9 KC-46As that went to Ben Gurion.

All came direct from the eastern U.S. pic.twitter.com/izANyrqi4Q

— Evergreen Intel (@vcdgf555) February 27, 2026

With Turnstone, it is possible to interrogate the baseline level of movement and see how unusual this activity is.

To do this, three filters are set on the search: a geographic region of interest, set to the North Atlantic, a filter on the aircraft type, to search only for tankers, and a filter on the aircraft heading, to search only for eastbound traffic.

Filtering a search by aircraft type, region of interest, and heading range that captures eastbound traffic. Source: Turnstone/Bellingcat

[Note: For the aircraft category designations, Bellingcat used a custom-prompted large language model (LLM), Claude Sonnet 4.0, to assign a category label using aircraft type code data. There may be some inaccuracies in the classifications, as LLMs are prone to hallucinations. We discuss this further in the “Limitations of the Data” section of this piece.]

This search finds over 40,000 aircraft locations that match these filter queries. However, a look at the summary table shows that this data includes non-American tankers as well.

Results from a filtered search, showing tankers owned by the French Air Force and the United States Air Force. Source: Turnstone/Bellingcat

We can filter this data to include only aircraft associated with the US by typing “United States” into the search box in the table. Note that ownership data is not 100 percent accurate – it may be out of date, especially for privately owned aircraft, and new aircraft might not have any data at all. However, especially when comparing trends over time or searching for research leads, this data can still be useful.

The graph of matching detections over time now shows that while there is a large baseline level of transatlantic movement for American tankers, there was a notably higher number of American tankers heading eastward from the US across the North Atlantic detected in the week of June 15, 2025, as well as in the last two weeks of February 2026.

The weekly graph view on Turnstone shows a noticeable spike in eastbound American tankers crossing the North Atlantic per day from June 15 to June 21, 2025 and from Feb. 15 to Feb. 28, 2026. Source: Turnstone/Bellingcat

A week after the increased eastbound traffic in June 2025, early in the morning on June 22, the US struck several nuclear sites in Iran. And on Feb. 28, 2026, the US and Israel launched over 900 strikes against Iran.

Altering the search query to look for westbound tankers instead of eastbound tankers, we can also see a larger-than-normal number of American tankers heading in the direction of the US during the week of July 13, 2025, bookending the summer airstrikes in Iran. No such return movement is yet visible following the recent strikes.

The number of American tankers heading westward across the North Atlantic, towards the US, appeared higher than usual from July 13 to July 19, 2025. Source: Turnstone/Bellingcat

Finding Deportation Flights to Guantanamo Bay

Turnstone also allows you to search for aircraft detected across two different geographic regions of interest (ROIs). 

Shortly after US President Donald Trump announced the opening of a migrant detention centre at Guantanamo Bay in Cuba at the end of January 2025, the US military reportedly flew about 100 immigrants from El Paso, Texas, to the US naval base to await deportation. By selecting the areas around both Guantanamo Bay and El Paso, we can find flights between these cities that broadcast ADS-B data.

When you select two regions of interest, a filter for the time difference between them also appears. Source: Turnstone/Bellingcat

When two ROIs are selected, you can also enter the maximum time difference between an aircraft’s presence in the two regions. 

In the example below, we have entered 36,000 seconds (10 hours), meaning that the aircraft must have crossed through both regions within 10 hours of each other. We have also set the maximum altitude to 15,000 ft (4.57km) to look for planes landing and taking off. This limit is set relatively high as there are no ADS-B receivers at Guantanamo Bay, and only the initial approach is captured.

Search panel settings for finding aircraft that have been in both Guantanamo Bay and El Paso, Texas, with inputs under the “Maximum Altitude” and “Maximum Time Difference” fields, and selection areas drawn around both areas on the map (in blue). Source: Turnstone/Bellingcat

After five months with no tracked flights between the two locations, this search shows an uptick in flights in the few months from February 2025.

The results from Turnstone come with a bar graph that shows the average aircraft per day by week or by month, which can be further filtered by aircraft hex code (the unique identifier for specific aircraft) or the aircraft type code. Source: Turnstone/Bellingcat

Results for this search query from Jan. 26, 2026, include several passenger aircraft operated by companies known to run deportation flights from the US, such as Omni Air International and Global Crossing Airlines.

Results from a search of flights of up to 10 hours between Guantanamo Bay and El Paso, Texas, conducted on Jan. 26, 2026 show flights owned by Omni Air International and Global Crossing Airlines, both carriers known to operate deportation flights. Source: Turnstone/Bellingcat
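The two-region search described above can be sketched in a few lines. This is an added example, not Turnstone's code: the record fields, function name, rough bounding boxes, hex codes and timestamps are all constructed for illustration. It keeps an aircraft only if it was seen below the altitude limit in both regions within the maximum time difference.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Detection:
    """One ADS-B position report (field names are assumptions for this example)."""
    hex_code: str   # ICAO 24-bit address, the aircraft "hex code"
    time: datetime
    lat: float
    lon: float
    alt_ft: float


@dataclass(frozen=True)
class Region:
    """Rectangular region of interest in decimal degrees."""
    name: str
    south: float
    west: float
    north: float
    east: float

    def contains(self, d: Detection) -> bool:
        return self.south <= d.lat <= self.north and self.west <= d.lon <= self.east


def two_region_search(detections, roi_a, roi_b, max_diff_s, max_alt_ft):
    """Return {hex_code: (gap, detection_in_a, detection_in_b)}.

    An aircraft matches when it has a detection at or below max_alt_ft in
    each region and the two detections are at most max_diff_s seconds
    apart, in either order. The closest-in-time pair is reported.
    """
    per_aircraft = {}
    for d in detections:
        if d.alt_ft > max_alt_ft:
            continue  # high overflights are not landings or take-offs
        in_a, in_b = per_aircraft.setdefault(d.hex_code, ([], []))
        if roi_a.contains(d):
            in_a.append(d)
        if roi_b.contains(d):
            in_b.append(d)

    limit = timedelta(seconds=max_diff_s)
    matches = {}
    for hex_code, (in_a, in_b) in per_aircraft.items():
        best = None
        for a in in_a:
            for b in in_b:
                gap = abs(a.time - b.time)
                if gap <= limit and (best is None or gap < best[0]):
                    best = (gap, a, b)
        if best is not None:
            matches[hex_code] = best
    return matches


def _t(day, hour, minute=0):
    return datetime(2025, 2, day, hour, minute, tzinfo=timezone.utc)


# Rough boxes around the two places named in the article (constructed).
EL_PASO = Region("El Paso", 31.5, -106.8, 32.1, -106.0)
GUANTANAMO = Region("Guantanamo Bay", 19.5, -75.6, 20.3, -74.8)

# Constructed sample detections; the hex codes are made up.
SAMPLE = [
    Detection("a00001", _t(4, 14), 31.81, -106.38, 6500.0),
    Detection("a00001", _t(4, 16), 26.00, -90.00, 35000.0),   # en route
    Detection("a00001", _t(4, 18, 30), 19.95, -75.25, 9000.0),
    Detection("a00002", _t(4, 10), 31.80, -106.40, 7000.0),
    Detection("a00002", _t(5, 2), 19.90, -75.20, 8000.0),     # 16 hours later
    Detection("a00003", _t(4, 12), 31.90, -106.30, 36000.0),  # overflight only
    Detection("a00003", _t(4, 15), 19.92, -75.15, 12000.0),
    Detection("a00004", _t(4, 9), 31.82, -106.37, 5000.0),    # one region only
]

if __name__ == "__main__":
    # Same settings as the article: 36,000 seconds and 15,000 ft.
    found = two_region_search(SAMPLE, EL_PASO, GUANTANAMO, 36000, 15000)
    for hex_code, (gap, a, b) in found.items():
        print(hex_code, gap, a.time.isoformat(), b.time.isoformat())
```

Raising the altitude limit pulls in overflights such as the constructed `a00003`, which is why the article's relatively high 15,000 ft limit is a trade-off against missing the initial approach.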

Mapping US Customs and Border Patrol Aircraft

Turnstone also supports uploading a list of International Civil Aviation Organization (ICAO) addresses, informally referred to as aircraft “hex codes”, which are unique identifiers assigned to aircraft by ICAO member states.

For example, to explore data related to Department of Homeland Security (DHS) activity and look for patterns related to the US immigration enforcement and border security operations, we can copy and paste the hex codes from a list of US Customs and Border Patrol (CBP) aircraft (used across the DHS) into a text file, and upload that file. Now, we can search among these aircraft with any of the same filters demonstrated in the earlier case studies. Alternatively, we can also deselect all of the filters to track the most recent activity by those aircraft.

Let’s try that with the CBP list, this time with a very large number of results selected: 500,000. Note that increasing the number of results increases the search time and requires more browser memory.

With the list of hex codes provided, the search interface shows “216 hex codes loaded”. No other filters have been selected and the result limit is set to 500,000. Source: Turnstone/Bellingcat

When many points are displayed, the map is simplified, and hover features are disabled.

The results map shows a large number of CBP flights over the US without any filters, from a search of historical data on Jan. 26, 2026. Source: Turnstone/Bellingcat

By the California-Mexico border, Eurocopter AS350 (type “AS50”) can be seen on frequent patrol missions over the land border. Over the Pacific Ocean, Black Hawk helicopters (“H60”) can be seen patrolling the international waters boundary off the Mexican coast, while CBP Dash-8s (“DH8B” and “DH8C”) travel farther offshore.

Zooming in on the area near the California-Mexico border shows an obvious concentration of certain aircraft types in this search of historical data on Jan. 26, 2026. Source: Turnstone/Bellingcat

In contrast, by the Minnesota-Canada border, CBP makes more active use of one of its MQ-9 Reaper drones, as seen from the prevalence of red dots that correspond to “Q9”, the type code of these drones, in the results map.

The dots around the Minnesota-Canada border mainly show activity by MQ-9 Reaper drones in this search of historical data on Jan. 26, 2026. Source: Turnstone/Bellingcat

Let’s take a closer look at these drones by filtering the results with the text “Q9”. Now the displayed aircraft only include MQ-9 Reaper drones.

Results can be filtered by typing into the search field on the top right of the “Aircraft Summary” table. Source: Turnstone/Bellingcat

Now we can take a closer look at the patterns of drones, specifically among the search results.

Left: A very large number of MQ-9 Reaper flights south of San Angelo, Texas. They are coloured by altitude, with green symbols indicating lower flights and red showing those at higher altitudes. Right: The flight pattern of a known Aug. 13, 2025 MQ-9 Reaper mission into Mexico, as shown on Turnstone. Source: Turnstone/Bellingcat

While overall CBP flight activity was relatively stable, drone flights seem to have intensified in December 2025 and January 2026, compared with previous weeks.

The bar graph by week shows a higher average number of MQ-9 Reaper drone flights in December 2025 and January 2026 than in previous weeks. Source: Turnstone/Bellingcat

Limitations of the Data

In open source research, it is always important to be alert to the limitations of a particular data source, and ADS-B data is no exception. 

For example, some aircraft do not have ADS-B transponders and use older transponders to transmit flight information, which can result in tracking tools such as Turnstone showing inaccurate position data. 

In the previous case study of CBP aircraft, the Turnstone results appeared to show an MQ-9 Reaper drone in Canada on Jan. 20, 2026. 

Search results for CBP MQ-9 Reaper drones on Jan. 20, 2026, which appeared to show four instances (circled) of a drone in Canadian airspace. Source: Turnstone/Bellingcat

Is this evidence of covert DHS missions in Canadian airspace? Likely not: a cross-check of the drone’s hex code on that date with ADS-B Exchange shows that the aircraft’s position track is not smooth, but jumps back and forth between a line in the US and several points many kilometres away in Canada.

Screenshot from flight tracking website ADS-B Exchange, appearing to show a CBP drone flying within US airspace but jumping suddenly to the circled points in Canada, several kilometres away. Source: ADS-B Exchange; annotations by Bellingcat

This happens because when ADS-B position data is not available, flight trackers often use multilateration (MLAT), which estimates the location of the aircraft using the time differences between signals transmitted from known sites, as a substitute. The flight tracking information on ADS-B Exchange shows that the position was calculated using MLAT, which is less accurate than position data directly transmitted through ADS-B. ADSB.lol, which is the data source used by Turnstone, uses MLAT when ADS-B position data is not available.  
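A cross-check like the one described above can be automated by testing whether consecutive fixes are physically flyable. The following Python is an added example, not Turnstone's or ADS-B Exchange's code: the track is constructed, the `source` labels and the 500 km/h speed ceiling are assumptions, and it keeps the longest chain of mutually reachable fixes and flags the rest.

```python
import math
from dataclasses import dataclass

EARTH_RADIUS_KM = 6371.0


@dataclass
class Fix:
    t: int          # seconds since the start of the track
    lat: float
    lon: float
    source: str     # "adsb" or "mlat" (labels assumed for this example)


def haversine_km(a: Fix, b: Fix) -> float:
    """Great-circle distance between two fixes in kilometres."""
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    dphi = p2 - p1
    dlmb = math.radians(b.lon - a.lon)
    h = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))


def implied_speed_kmh(a: Fix, b: Fix) -> float:
    """Ground speed the aircraft would need to get from fix a to fix b."""
    dt = b.t - a.t
    if dt <= 0:
        return math.inf
    return haversine_km(a, b) / (dt / 3600.0)


def plausible_chain(track, max_speed_kmh):
    """Indices of the longest subsequence of fixes flyable below max_speed_kmh.

    Dynamic programming over pairs of fixes, so a bad first fix or several
    consecutive bad fixes cannot drag the rest of the track with them.
    """
    n = len(track)
    if n == 0:
        return []
    best = [1] * n      # best[i]: longest plausible chain ending at fix i
    prev = [-1] * n     # prev[i]: previous fix in that chain
    for i in range(n):
        for j in range(i):
            ok = implied_speed_kmh(track[j], track[i]) <= max_speed_kmh
            if ok and best[j] + 1 > best[i]:
                best[i], prev[i] = best[j] + 1, j
    end = max(range(n), key=best.__getitem__)
    chain = []
    while end != -1:
        chain.append(end)
        end = prev[end]
    return chain[::-1]


def flag_jumps(track, max_speed_kmh=500.0):
    """Return (index, source) for every fix outside the plausible chain."""
    track = sorted(track, key=lambda f: f.t)
    keep = set(plausible_chain(track, max_speed_kmh))
    return [(i, f.source) for i, f in enumerate(track) if i not in keep]


# Constructed track (not real flight data): an eastbound leg at about
# 263 km/h along latitude 48.90, with three MLAT-derived fixes that land
# roughly 55 km to the north.
TRACK = [
    Fix(0,   48.90, -97.00, "adsb"),
    Fix(60,  48.90, -96.94, "adsb"),
    Fix(120, 48.90, -96.88, "adsb"),
    Fix(180, 49.40, -96.82, "mlat"),
    Fix(240, 49.41, -96.76, "mlat"),
    Fix(300, 48.90, -96.70, "adsb"),
    Fix(360, 48.90, -96.64, "adsb"),
    Fix(420, 49.38, -96.58, "mlat"),
    Fix(480, 48.90, -96.52, "adsb"),
]

if __name__ == "__main__":
    for i, src in flag_jumps(TRACK):
        f = TRACK[i]
        print(f"fix {i} at t={f.t}s ({f.lat}, {f.lon}) source={src}: implausible jump")
```

A flagged fix is a reason to check the position source before drawing conclusions, not proof that the aircraft was elsewhere.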

ADS-B data is also limited by where ground antennas are available to receive radio signals from aircraft and by when aircraft choose to transmit the data.

Other datasets which Bellingcat has used to enable the filters available on Turnstone each have their own limitations. 

There is no single source of data on aircraft ownership. ADS-B data identifies an aircraft only by its ICAO address, or hex code, and does not contain other information that directly specifies the type of aircraft or its registration.

Instead, flight-tracking websites reference aircraft registration databases, such as those maintained by the US Federal Aviation Administration, to correlate ICAO addresses with registration information. The ownership data displayed on Turnstone is from tar1090-db, a community-maintained project which has produced the most comprehensive freely available global aircraft registration database. However, since ownership data is collected from many jurisdictions, with different privacy and disclosure requirements, it may sometimes be out-of-date or misleading. 

Ownership information displayed in Turnstone or any other flight-tracking software should still be verified independently using multiple sources.

For example, one of the aircraft that came up in the search for flights between El Paso and Guantanamo Bay had a hex code of a6b0f5. This showed up in Turnstone’s results as being owned by Bank of Utah Trustee, which matches the operator listed for this flight on ADS-B Exchange. But some of the flight codes used by this aircraft, starting with “GXA”, are used by Global Crossing Airlines (GlobalX). The Bank of Utah is known to legally own aircraft under a trust relationship, while leasing the aircraft and operational control to third parties such as GlobalX.

Screenshot from Turnstone showing aircraft flying between Guantanamo Bay and El Paso, from a historical flight data search on Jan. 26, 2026.

The “Category” label and “Military” flag, which provide a convenient way to filter aircraft, are pre-generated by a custom-prompted large language model, Claude Sonnet 4.0, based on the make and model of an aircraft. 

For example, the LLM may take a type code of A321, which refers to an Airbus A321 passenger jet, as input and assign the corresponding aircraft the category of “airliner”. 

Bellingcat manually verified over 80 per cent of aircraft, corresponding to the most common aircraft types. But as we know, LLMs are prone to hallucinations, and categorisation may be inaccurate for more obscure aircraft. Additionally, some aircraft, such as the V-22 Osprey, fall between categories and are inherently ambiguous. 

To prevent errors caused by the potential miscategorisation of aircraft, you may want to search by type code, which will draw from the raw tar1090-db data, rather than category. All aircraft registration, type, and owner information should be independently verified.

Suggestions and Further Information

As we’ve seen in this guide, Turnstone searches historical ADS-B data to allow researchers to explore flight patterns over time and in specific locations. While flight-tracking data has inherent limitations, Turnstone can provide useful leads for researchers looking to incorporate flight tracking in their investigations.

If you have suggestions for improving the tool, you can submit a pull request on Bellingcat’s GitHub. More technical information can also be found in the tool’s README.

For more demos and information about the history of this tool, watch a talk that Bellingcat gave about it at the What Hackers Yearn (WHY) 2025 hacker camp:


Bellingcat is a non-profit and the ability to carry out our work is dependent on the kind support of individual donors. If you would like to support our work, you can do so here. You can also subscribe to our Patreon channel here. Subscribe to our Newsletter and follow us on Bluesky here and Mastodon here.

The post Using Bellingcat’s New Open Source Tool to Explore Historical and Spatial Flight Data appeared first on bellingcat.

Russia’s Smuggled Grain Finds New Market in Saudi Arabia

A joint investigation by Bellingcat and Lloyd’s List has identified Saudi Arabia as the newest country to import grain directly from a Western-sanctioned port in occupied Crimea, as Russia attempts to secure recognition of the Ukrainian territory via a US-led peace plan.

Satellite imagery and Automated Identification System (AIS) data from Lloyd’s List Intelligence shows the bulk carrier Krasnodar (IMO: 9296781) sailed from Avlita Grain Terminal in Sevastopol to Saudi Arabia on two occasions between September and November 2025. Bellingcat confirmed Krasnodar’s journeys ended at Saudi Arabia’s King Abdullah Port in September and the Port of Jazan in November.

These journeys show that Saudi Arabia has joined buyers in Iran, Syria, Egypt, Turkey, Venezuela and Houthi-controlled territories in Yemen who are willing to accept what the Ukrainian government describes as “stolen” grain. 


Black Sea

Krasnodar goes dark – an AIS gap lasting more than two weeks begins on August 22.

Occupied Crimea: Port of Sevastopol

Imagery shows Krasnodar docked at Berth 21 of the Avlita grain terminal at the Port of Sevastopol on August 27.

Credit: Planet Labs PBC

Black Sea

Krasnodar turns its AIS back on in the Black Sea, as required to transit the Bosphorus on September 6.

Bosphorus Strait

Krasnodar transits the Bosphorus. Judging by the draft, with no visible red paint on its hull, the ship appears to be fully laden.

Credit: Yörük Işık

Saudi Arabia: King Abdullah Port

Imagery (as well as AIS data) shows Krasnodar docked at the King Abdullah Port. A pile of what appears to be grain is visible to the right of the image on September 18.

Credit: Planet Labs PBC

Bosphorus Strait

Returning via the Suez Canal, Krasnodar transits through the Bosphorus on September 28 with its red paint fully visible, indicating it is not heavily laden.

Credit: Yörük Işık

Black Sea

Krasnodar goes dark – an AIS gap lasting more than one week begins on October 6.

Occupied Crimea: Port of Sevastopol

Satellite imagery shows Krasnodar docked, with its hatches open, at Berth 21 of the Avlita grain terminal on October 8.

Satellite image ©2025 Vantor

Black Sea

Krasnodar turns its AIS back on in the Kerch Strait. After a few days loitering in the Kerch Strait, it transits through the Bosphorus.

Bosphorus Strait

With no red paint visible and the Plimsoll line near maximum draft, the vessel appears to be fully laden when it transits the Bosphorus on October 26.

Credit: Yörük Işık

Saudi Arabia: Jazan City

AIS data shows Krasnodar docked at Jazan City for Primary and Downstream Industries for seven days. Planet imagery captured it on November 6.

Credit: Planet Labs PBC

After leaving Jazan, Krasnodar returned to the Black Sea via the Bosphorus on November 23.

It stopped transmitting AIS for a third time on November 24 for nine days and has been intermittently transmitting data since.

Krasnodar was again captured in satellite imagery docked at the Avlita terminal in Sevastopol on November 26. 

Krasnodar captured in satellite imagery docked at the Avlita terminal in Sevastopol on November 26. Credit: Planet Labs PBC

Petrokhleb-Kuban Denies Visiting Avlita Terminal

Documents accessed on Russia’s federal registry indicate the vessel is leased by Russian firm Petrokhleb-Kuban, a major player in Russian and international grain markets. 

Petrokhleb-Kuban told Bellingcat it “categorically denies any allegations of involvement in the theft of grain from Ukrainian regions”.

It added that Petrokhleb-Kuban does not export grain from the Avlita terminal to any country.

“Petrokhleb-Kuban does not operate at the port of Avlita and does not ship grain from there. All grain shipped by Petrokhleb-Kuban is produced by Russian farmers,” a spokesperson said. 

“The vessel Krasnodar follows all widely accepted safety protocols and does not disable its AIS while on passage. The AIS signal in the Black Sea is being jammed by the military due to the ongoing conflict between Russia and Ukraine.”

The spokesperson also said the vessel Krasnodar was loading barley at the port of Kavkaz, “as confirmed by bills of lading and port clearance.”

AIS interference is rampant in the Black Sea; however, instances of jamming typically do not last more than a couple of days. Further, third-party disruptions impact all vessels in one area indiscriminately.

Bellingcat reviewed the AIS traces of vessels sailing near Krasnodar. In both voyages, Krasnodar was the only vessel in that area that stopped transmitting AIS data for that period of time.  
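The comparison described above can be scripted once AIS message times for a vessel and its neighbours are available. The following Python is an added example, not Bellingcat's or Lloyd's List Intelligence's code: all timestamps and vessel names are constructed, and the 24-hour gap threshold and the 0.8 overlap ratio are assumptions.

```python
from datetime import datetime, timedelta


def series(start, end, step_h, outages=()):
    """Constructed AIS timestamps: one message every step_h hours, minus outages."""
    out, t = [], start
    while t <= end:
        if not any(a <= t < b for a, b in outages):
            out.append(t)
        t += timedelta(hours=step_h)
    return out


def find_gaps(times, min_gap):
    """Return (last_seen, next_seen) pairs separated by at least min_gap."""
    times = sorted(times)
    return [(a, b) for a, b in zip(times, times[1:]) if b - a >= min_gap]


def longest_silence(times, window):
    """Longest stretch inside the window during which a vessel sent nothing."""
    start, end = window
    inside = [t for t in sorted(times) if start <= t <= end]
    edges = [start] + inside + [end]
    return max(b - a for a, b in zip(edges, edges[1:]))


def assess_gap(gap, neighbours, shared_ratio=0.8):
    """Compare one vessel's gap with what nearby vessels did in the same window.

    An outage caused by area-wide interference should silence most neighbours
    for about as long; a gap seen on one vessel only is vessel-specific.
    """
    duration = gap[1] - gap[0]
    silences = {name: longest_silence(ts, gap) for name, ts in neighbours.items()}
    shared = [n for n, s in silences.items() if s >= shared_ratio * duration]
    area_wide = bool(neighbours) and len(shared) > len(neighbours) / 2
    return {
        "gap_hours": duration.total_seconds() / 3600,
        "neighbour_silence_hours": {
            n: s.total_seconds() / 3600 for n, s in silences.items()
        },
        "verdict": "area-wide" if area_wide else "vessel-specific",
    }


# Constructed data: every vessel reports every 6 hours for 30 days.
D0 = datetime(2025, 1, 1)
END = D0 + timedelta(days=30)
JAM = (D0 + timedelta(days=10), D0 + timedelta(days=12))   # two-day outage

NEIGHBOURS = {
    "NEIGHBOUR-A": series(D0, END, 6, outages=[JAM]),
    "NEIGHBOUR-B": series(D0, END, 6),
    "NEIGHBOUR-C": series(D0, END, 6, outages=[JAM]),
}
# Vessel that is silent for about two weeks while its neighbours keep reporting.
LONG_DARK = series(D0, END, 6, outages=[(D0 + timedelta(days=7), D0 + timedelta(days=22))])
# Vessel that only loses the same two days as the jammed neighbours.
JAMMED = series(D0, END, 6, outages=[JAM])
JAMMED_NEIGHBOURS = {k: v for k, v in NEIGHBOURS.items() if k != "NEIGHBOUR-B"}


def report(times, neighbours, min_gap=timedelta(hours=24)):
    """Assess every gap of at least min_gap in one vessel's message times."""
    return [assess_gap(g, neighbours) for g in find_gaps(times, min_gap)]


if __name__ == "__main__":
    print(report(LONG_DARK, NEIGHBOURS))
    print(report(JAMMED, JAMMED_NEIGHBOURS))
```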

Bellingcat also checked available Planet Labs PBC and Sentinel-2 satellite imagery covering the grain terminal in Port Kavkaz during the two periods in August and October when Krasnodar had absent or unreliable AIS coverage, and found no vessels matching the length of the Krasnodar.

Bellingcat identified Krasnodar at Avlita terminal on three occasions by cross-referencing satellite images of Krasnodar with recent images and video of the ship. Krasnodar was last detected at Avlita terminal in satellite imagery on November 26, again with its AIS switched off. Krasnodar’s chimney is navy blue in colour, except for a white band on the left, right, and front sides of the chimney. The ship’s other features – five grey hatches, four grey cranes, a red deck, a green floor on the bridge – all visually match known images of the ship.

Finally, the ship’s measurements (a total length of 183 metres according to Russia’s shipping registry) match what we see in satellite images.

Visual Comparison: Images of Krasnodar at Avlita Terminal and other recent images of Krasnodar

The Krasnodar has a dark blue (midnight navy blue) chimney with a white band that runs around the sides and the front of the chimney, leaving the back completely blue.

A close up of the Krasnodar photographed in the Bosphorus on October 26, 2025. Credit: Yörük Işık.

The life boats are immediately to the left and right of the bridge. The boats can also be seen in satellite imagery from Saudi Arabia. The image below shows Krasnodar in Jazan.

Krasnodar seen in Satellite Image at the Port of Jazan, Saudi Arabia on November 6, 2025. Credit: Planet Labs PBC.

Satellite imagery also clearly shows the colour of the deck (dull red), the floor colour of the bridge (green), and the colour of the hatches and the cranes (grey). All of that, as well as the chimney (navy blue with white), can be matched with satellite imagery from Sevastopol that shows Krasnodar docked at the Avlita grain terminal.

Left: Krasnodar seen in Satellite Image at the Port of Jazan, Saudi Arabia on November 6, 2025. Right: Krasnodar seen in Satellite Image docked at Avlita grain terminal in the Port of Sevastopol on October 8, 2025. Credits: Planet Labs PBC and 2025 Vantor.

Five grey hatches and a red deck. The image on the left is from Jazan (November 6). The image on the right is from Sevastopol (October 8).

A close up of the above images. Credits: Planet Labs PBC and 2025 Vantor.

If we zoom in on the bridge, we can also see that the shape and the colour (grey) of the top of the bridge are also a visual match. 

The chimney is not very clearly visible in the image from Jazan but it is clear that the chimney is dark in colour. The image from Sevastopol shows a dark blue chimney with a white band, which was also visible in images and video of Krasnodar.

Left: Krasnodar seen in Satellite Image docked at Avlita grain terminal in the Port of Sevastopol on October 8, 2025. Right: A close up of the Krasnodar taken in the Bosphorus on October 26, 2025. Credits: 2025 Vantor and Yörük Işık. Annotations by Bellingcat.

We see red on the hull, below the water line, in the Sevastopol satellite image. You can also see it in the image from when the ship transited the Bosphorus. The rest of the hull is dark.

Left: Krasnodar seen in Satellite Image docked at Avlita grain terminal in the Port of Sevastopol on October 8, 2025. Right: Krasnodar photographed in the Bosphorus on October 26, 2025. Credits: 2025 Vantor and Yörük Işık.

There are no live or historic sanctions on Krasnodar, according to Lloyd’s List Intelligence data.

Saudi Arabia Joins List of Importers of Russia’s Smuggled Grain


Krasnodar’s voyages from Sevastopol to Saudi Arabia demonstrate that Russia is continuing to expand its grain exports from occupied Crimea to new markets as it negotiates to end the war in Ukraine.

Crimea’s occupied ports have become important assets for Moscow, having evolved into key logistics hubs for dark grain exports over the course of the war.

Prior to the full-scale invasion of Ukraine in 2022, the ports in occupied Crimea were used for the small-scale export of grain and scrap metal, mostly to Syria and Turkey.

The occupation of additional territory in Donetsk and Zaporizhia enabled Russia to establish a new supply route, resulting in more grain being shipped south to Crimea for export to international markets.

The Port of Sevastopol and the Avlita grain terminal remain under European, UK and US sanctions. While no UN sanctions specifically target the port, a majority of UN member states have passed resolutions condemning Russia’s invasion of Ukraine and its occupation of Crimea since 2024. 

Ukraine has repeatedly tried to dissuade countries from purchasing shipments loaded with what it describes as “stolen” grain from occupied regions.

In 2023, Iran received its first grain shipments from Sevastopol. In 2024, it was joined by Venezuela, Libya, Egypt and the Houthis, which control territory in Yemen. Last month, Bellingcat revealed that the bulk carrier Irtysh (IMO: 9664976) delivered grain from the Crimean port of Sevastopol to the Houthi-controlled port of Saleef in Yemen despite Western sanctions.

Bellingcat and other news outlets have identified a total of eight countries that have imported grain directly from occupied Crimea.

While Saudi Arabia is the latest direct importer from Sevastopol, it is unclear if authorities are aware of the origin of the cargo. 

The grain shipments follow a similar pattern to Russia’s shadow fleet, which moves sanctioned oil barrels. In both cases steps are taken to disguise the origin of the cargo and port of loading.

Most ships calling at Crimea disable their AIS transponders, which is considered a deceptive shipping practice, and fraudulent documents are issued.

Alona Shkrum, First Deputy Minister for Development of Communities and Territories of Ukraine, told Bellingcat that Ukraine was closely monitoring Russian exports from occupied territories. She said Ukraine had discussed the issue with Saudi Arabia on the sidelines of recent talks at the International Maritime Organisation Assembly.

She told Bellingcat that Ukraine had “received assurances that Saudi authorities are actively counteracting the risks posed by shadow fleet operations and other violations of international maritime law.” 

She added that Ukraine would continue to work with partners to identify and sanction vessels involved in the illegal export of grain from occupied territories. 

Bellingcat contacted both the Saudi Arabian Ministry of Foreign Affairs and the Russian Ministry of Foreign Affairs; neither responded to requests for comment. 

US-Russia Peace Plan and Ownership of Ukraine’s Ports


The US-Russia 28-point peace proposal includes the recognition of Crimea, Luhansk and Donetsk as “de facto” Russian. Ownership of Crimea and the occupied territories bordering the Sea of Azov is critical for securing shipping routes to and from Russia, and these ports play a vital role in supporting economic growth in the region. 

However, the impact of ceding control of this region and the port of Sevastopol to Russia is not mentioned in either the original US draft plan or subsequent amended versions.

Ian Ralby, chief executive of the maritime and resource security consultancy I.R. Consilium, said that while it was a high priority for Ukraine to ensure access to the grain market through the Black Sea is preserved, Russia is continuing to try to expand its global access to ports.

“We see that there is a resurgence in Russia’s efforts on port access.”

“As the prospect of potential peace begins to loom, even though it seems to be much farther off than many would want, there is likely to be a renewed focus on the key strategic assets that matter for the future, and the ports have to be foremost among them.” 


Bridget Diakun, Yörük Işık, Youri van der Weide, Peter Barth and Galen Reich contributed to this report.

Cover image: Planet Labs image shows Krasnodar docked at Jazan City, Saudi Arabia on November 6. Credit: Planet Labs PBC.


Russia’s Grain Smuggling Fleet Continues Undeterred

An investigation by Bellingcat has identified yet another Russian-flagged bulk carrier, Irtysh (IMO: 9664976), operating in defiance of Western sanctions by exporting grain from occupied Crimea to Houthi-controlled Yemen. 

Following the same pattern of deceptive methods used by other vessels involved in what Ukraine describes as “grain theft,” Irtysh disabled its location tracking en route to and from the Port of Sevastopol. The vessel also made a mandatory stop in Djibouti for inspection by the United Nations Verification and Inspection Mechanism (UNVIM) for Yemen before sailing on to the Port of Saleef, Yemen. 

The majority of UN member states have repeatedly voted against Russia’s invasion of Ukraine. UNVIM told Bellingcat: “As a UN mandated body UNVIM does not have the authority to block shipments based on unilateral national or regional sanctions.” They added: “The UNVIM mandate is limited to verifying compliance with the UN Security Council resolutions related to Yemen.”

However, experts have previously highlighted to Bellingcat that, even with the limitations of that remit, the fact that grain shipments from occupied Ukrainian territories are passing through a UN inspection mechanism creates an awkward situation.

Bellingcat mapped Irtysh’s journey by combining Automated Identification System (AIS) data from Lloyd’s List Intelligence and satellite analysis. During the investigation, two additional vessels were also identified with their tracking systems disabled while loading grain in Sevastopol: Matros Pozynich (IMO: 9573816) and Zafar (IMO: 9720263).

2025-08-07 14:27

Bosphorus Strait

With its red paint fully visible, the vessel appeared to be carrying very little cargo.

Credit: Yörük Işık

Black Sea

Irtysh went dark – an AIS gap lasting two weeks began.

Occupied Crimea: Port of Sevastopol

Imagery showed Irtysh docked with its hatches open at Berth 21 of the Avlita grain terminal.

Satellite image ©2025 Vantor

Black Sea

Returning to Turkish waters, Irtysh turned its AIS back on as required for transiting the Bosphorus.

Bosphorus Strait

With no red paint visible and the Plimsoll line near maximum draft, the vessel appeared fully laden.

Credit: Yörük Işık

Egypt: Suez Canal

Irtysh transited the man-made waterway connecting the Mediterranean to the Red Sea.

Credit: Planet Labs PBC

Port of Djibouti: UNVIM Inspection

All cargo vessels must be inspected in Djibouti before proceeding to Houthi-controlled ports. AIS data showed Irtysh anchored off Djibouti for six days.

Credit: Planet Labs PBC

Houthi-controlled Yemen: Port of Saleef

Irtysh docked at the Port of Saleef for ten days, according to imagery and AIS data.

Credit: Planet Labs PBC

Bosphorus Strait

Returning via the Suez Canal, Irtysh transited the Bosphorus with its red paint fully visible, indicating it was not heavily laden.

Credit: Yörük Işık

Black Sea

Another AIS blackout, echoing its outbound path.

Occupied Crimea: Port of Sevastopol

Irtysh returned to Berth 21 of the Avlita grain terminal. As of the latest available imagery, the vessel remains in Sevastopol.

Credit: Planet Labs PBC

Just over a month after Irtysh was first seen loading grain at the Port of Sevastopol, Bellingcat identified another Russian vessel, Matros Pozynich, at the same berth. Previously identified by CNN in 2022 for exporting grain from occupied Ukraine, and by Bellingcat the following year, the vessel was docked at the Avlita grain terminal on Sept. 20.

Two days later, Matros Pozynich switched its AIS back on before sailing through the Bosphorus Strait, just as Irtysh had. With its hull sitting low in the water, the vessel was photographed passing through Turkish waters seemingly fully laden.

After calling at Djibouti, likely for inspection by UNVIM, AIS data shows the bulk carrier departing for Saleef, Yemen, on Oct. 8. At time of publication, Matros Pozynich remains in anchorage off the Port of Saleef, Yemen.

Docked at Port of Sevastopol

Sept. 20, 2025

Satellite image ©2025 Vantor

Fully Laden in Bosphorus Strait

Sept. 23, 2025

Credit: Yörük Işık

At Anchor in Djibouti

Oct. 5, 2025

Credit: Planet Labs PBC

At Anchor in Port of Saleef

Oct. 14, 2025

Credit: Planet Labs PBC

A third vessel, also previously implicated for smuggling grain, Zafar, was captured by satellite imagery with its AIS turned off at the Port of Sevastopol from Sept. 23.

Avlita grain terminal, Port of Sevastopol, Sept. 23–25. Satellite image ©2025 Vantor

At the time of publication, Zafar had not sailed to Yemen via Djibouti. Instead, it was anchored off the Port of Alexandria, Egypt – another known location for offloading grain from occupied Ukraine, according to OCCRP reporting.

“Grain Theft”

Ukraine has repeatedly tried to dissuade countries from purchasing shipments loaded with what it describes as stolen grain from occupied regions.

The Port of Sevastopol and the Avlita grain terminal remain under European, UK and US sanctions. While no UN sanctions specifically target the port, a majority of UN member states have passed resolutions condemning Russia’s invasion of Ukraine and its occupation of Crimea since 2024.


Both Irtysh and Matros Pozynich delivered grain to the Houthi-controlled Port of Saleef via Djibouti – the UNVIM inspection point for Yemen. After ten years of war, the UNHCR reports that tens of thousands of people in Yemen are living in famine-like conditions, with a further five million people experiencing food insecurity.

UNVIM confirmed to Bellingcat that the Irtysh was inspected “in line with UNVIM operational protocols” on Sept. 7 and cleared by the Saudi-led coalition Evacuation and Humanitarian Operations Cell (EHOC) – a body entirely separate from the UN – on Sept. 8.

Asked whether UNVIM was aware the vessel had picked up grain from a port under Western sanctions, the agency replied: “The UNVIM mandate is limited to verifying compliance with the UN Security Council resolutions related to Yemen. Unilateral national sanctions or measures beyond that scope are outside the UNVIM mandate.”

Neither the Russian government nor its foreign ministry responded to requests for comment.


Yörük Işık, Bridget Diakun, Peter Barth, Galen Reich, Claire Press and Merel Zoet contributed to this report.
