Digital forensics


Our digital forensics investigations focus on Internet censorship, targeted malware, disinformation campaigns, election fraud, digital attacks against media sites, and other digital threats against a free and open Internet.

We collaborate with independent media and investigative journalists to validate and enrich their stories with digital forensics. Qurium also assists with media dissemination so that the stories reach a wider public beyond local media. Several of our media partners have received awards for their work in investigative journalism:

  1. Kloop Media, Kyrgyzstan, Global Investigative Journalism Network (Best Investigative Stories from the Former Soviet Union — 2017)
  2. Azadliq.info, Azerbaijan, Guardian Journalism Award winner (2014)
  3. Premium Times Nigeria, Nigeria, Pulitzer Prize, as a part of the Panama Papers Investigation (2017)

This page includes all forensic reports that have been released to the public. For full reports, including media coverage, please see the respective country page.

Afghanistan

[Dec 2019] Investigative reporting from Etilaat Rooz under ddos

Azerbaijan

[Jul, 2021] Phishing attack against Azerbaijani political and human rights activists

[Apr, 2020] Sandman and Fineproxy behind the DDoS Attacks against TimeTV.Live

[Mar 2020] Targeted sophisticated phishing attacks against dissidents in Azerbaijan is trending

[Feb 2020] Finding “man”, the phisher of journalists in Azerbaijan

[Jan 2020] Fishing fishers in Azerbaijan

[Dec 2019] Find Face and Internet blocking in Azerbaijan

[Oct 2019] Fineproxy used to launch DDoS attack against site critical of Azerbaijani state oil company’s leader

[Jul 2019] DDOS: the inconvenient business visitor of Name.com

[Apr 2019] Media websites from Azerbaijan under DDOS

[Jan 2019] SUS-759: Sandvine and Internet blocking in Azerbaijan

[Jan 2019] Political motivated attacks against azadliq.info

[Aug 2018] Azerbaijan and the fineproxy DIY DDOS service (Region40/QualityNetwork)

[Apr 2018] Corruption, censorship and deep packet inspection

[Jan 2018] Digital attacks against media reporting on SOCAR

[Apr 2017] Deep Packet Inspection and Internet censorship in Azerbaijan

[Mar 2017] News media websites attacked from Governmental Infrastructure in Azerbaijan

[Dec 2016] How Azerbaijan is trying to block main opposition media news

Belarus

[Nov 2020] Telegram latency in Belarus

[Sept 2020] Internet blocking in Belarus

Colombia

[Dec 2021] The attack of the clones

[Aug 2020] La Nueva Prensa under DDoS attack after publishing “Operación Jaque” documentary

[Nov 2019] Kontacto and Translife

[Nov 2019] Fake news and the Kontacto troll army

[Oct 2019] Kontacto – an insecure mobile app to track voters in Colombia

[Oct 2019] Kontacto’s lack of security exposed data from 55.000 people

Congo (DRC)

[Jan 2019] Democratic Republic of Congo shutdowns the Internet after Elections

Cuba

[Jun 2020] Internet blocking in Cuba – “Silencing dissents in the name of moral and good manners”

Egypt

[Mar 2022] Egyptian providers block Arabic investigative media by sub-domains

[Sept 2020] How operators use Sandvine to block independent media in Egypt

El Salvador

[Mar 2020] DDoS attacks against Salvadoran “Revista Factum” in El Salvador attributed to University infrastructure 

France

[May 2017] #MacronGate, tracing the source of the Macron offshore papers

[May 2017] The disturbing role of social media during the Champs-Elysées attack

Iran

[Aug 2022] Social Media Marketing – The unharmed phoenix

[Jun 2022] Weaponizing Instagram against the Iranian #Metoo movement

[Feb 2018] PART 3: Fake mobile apps in Iran, Fraud, Phishing and Users at risk

[Feb 2018] PART 2: Fake mobile apps in Iran, – when spyware and click fraud can put millions of unaware users at risk

[Jan 2018] PART 1: Tracking Mobile Spyware during the Telegram blocking in Iran

Jordan

[Aug 2018] Orange Jordania introduces deep packet inspection to block My.Kali magazine

[Mar 2018] Internet blocking in Jordan

Kazakhstan

[Sep 2019] Collateral blocking in Kazakhstan traced back to illegal prostitution ring

[Jul 2019] Kazakhstan impose users to install government controlled certificate – FAQ

Kosovo

[Dec 2022] Looking Inside of the Traffic Cons

[Sep 2022] Kosovan Nacionale under repeated DDoS attacks

Kyrgyzstan

[Dec 2019] Fake newspaper announces the involvement of journalists of Radio Liberty in the killing of Saimaitu Airken

[Nov 2019] Kloop and OCCRP’s report “Public land, private hands” under DDoS

[Dec 2017] Infocom unprovisions the Samara technical setup days before the Press Conference

[Dec 2017] Samara press conference

[Nov 2017] SRS caught in denial

[Oct – Dec 2017] Elections in Kyrgyzstan 2017, Exposing Samara, a fraudulent voter management system

Myanmar

[May 2022] Myanmar Junta keeps expanding the secret block list

[May, 2021] Myanmar’s official social application OKPar – Flawed privacy by design?

[Mar 2021] Myanmar – Multi-stage malware attack targets elected lawmakers

[Sept 2020] My Ooredoo Myanmar. Insecure communications

[Aug 2020] Internet blocking in Myanmar – Secret block list and no means to appeal

[Jan 2017] Unrest in Myanmar

Nigeria

[Feb 2021] Nigeria attempts to silence the investigative media Peoples Gazette by ordering blocking

[Mar 2020] Cyberattack against Premium Times Nigeria attributed to “student” at the Federal University of Technology, Akure

Philippines

[Nov 2023] Hundreds of sites cloned to promote a Chinese gambling network

[Sep 2022] Tracking toxic backlinks against Rappler

[Jun 2022] Independent Philippine media “Bulatlat” blocked by smart broadband

[May 2022] The tip of the iceberg – the algorithm fraud industry

[March 2022] Forensic analysis of the multiple distributed denial of service attacks in the Philippines

[Aug 2021] Israeli firm ‘Bright Data’ (Luminati Networks) enabled the attacks against Karapatan

[Aug 2021] Human rights alliance ‘Karapatan’ under long lasting DDoS attack

[Jun 2021] Attacks against media in the Philippines continue

[May 2020] Attacks against websites in the Philippines during Covid-19

[Apr 2019] What is hosted at the Suniway network?

[Mar 2019] Attributing the attacks against media and human rights websites in the Philippines

[Jan 2019] Alternative news agency from Philippines “Bulatlat” under denial of service attack

Romania

[July 2022] The kompromat Delorean – How to hide the source of a defamation campaign against investigative journalist Emilia Șercan

Russia

[Feb 2024] Russian disinformation against Zelenskyy exposed on Times Square billboard

[Sep 2022] Under the hood of a Doppelgänger

South Sudan

[Aug 2020] “Sudans Post” gets blocked after receiving personal threats from NSS – transcript revealed

Spain

[Oct 2018] One year after denial of service against registremeses.com

[Oct 2017] Evidence of Internet Censorship during Catalonia’s Independence Referendum

[Oct 2017] Blocking techniques Catalunya

Sri Lanka

[Aug 2020] Colombo Telegraph blocked by Dialog Axiata

Switzerland

[Sept 2021] Gotham City under denial of service

Togo

[May, 2021] TogoWeb.net blocked by deep packet inspection

[Apr 2020] Togolese investigative media “The Confidential Report” blocked by authorities

Turkmenistan

[Sep 2019] Turkmenistan blocks Google’s cloud storage

[Jul 2019] Turkmenistan and their Golden DPI

Uganda

[Feb, 2024] Adsterra used to promote malicious content using hacked Facebook pages

[Jan, 2021] Uganda blocks Kenyan news ahead of the presidential elections

Uzbekistan

[Feb, 2020] Procera-Sandvine blocks Eltuz.com in Uzbekistan

Vietnam

[Jul 2018] DDOS against luatkhoa.org and thevietnamese.org

[Jun 2018] DNS tampering in Vietnam

Zimbabwe

[Sep, 2018] Cybersecurity at Zimbabwe Electoral Commission: What went wrong? (Part II)

[Aug 2018] The cyber attack against the Zimbabwe Electoral Commission (Part I)


Weaponizing Proxy and VPN Providers

[Dec 2023] Proxy providers weaponized to launch denial of service attack against Rappler

[Nov 2023] DDoS attacks against Hungarian media traced to proxy infrastructure “White Proxies”

[Sep 2023] Volatile networks as a source of Denial of Service

[Sep 2023] Infrastructure of VPN providers is used to launch DDoS attacks

[Sep 2023] RayoByte infrastructure enabling DDoS attacks

Dark Ops Undercovered

[Feb 2023] Episode VIII: Eliminalia re-appears to sink unwanted content

[Dec 2022] Episode VII: Looking inside of the Traffic Cons

[Nov 2021] Episode VI: Eliminalia behind yet another technique to silence investigative media

[Nov 2021] Episode V: The mysterious lawyers of Alexander Mashkevich

[Jun 2021] Episode IV: Reputation Control and content take down

[Apr 2021] Episode III: Hello Mr. Andersan

[Apr 2021] Episode II: Eliminalia – What’s hiding behind the fake DMCA complaints?

[Apr 2021] Episode I: Eliminalia – illegal use of DCMA and GDPR