Israel arrests new suspect behind Nomad Bridge $190M crypto hack

An American-Israeli dual national named Osei Morrell has been arrested in Israel for his alleged role in the August 2022 exploitation of the Nomad bridge smart contract, which let attackers siphon off $190 million.

Blockchain intelligence platform TRM Labs supplied key information to international law enforcement authorities, leading to the identification of Morrell, who is believed to have played a central role in what is one of the largest hacks in DeFi history.

“The suspect, American-Israeli dual national Osei Morrell, was arrested in Jerusalem by Israeli police working in coordination with the DOJ, the FBI, and Interpol,” explained TRM Labs.

According to the blockchain intelligence firm, Morrell will soon be extradited to the United States, as the legal procedures have already been approved.

Morrell’s links to Nomad Bridge hack

Nomad is a cross-chain messaging protocol (a "bridge") that lets users move assets between different blockchains.

On August 1, 2022, attackers exploited a critical flaw introduced by a routine upgrade of the bridge's Replica smart contract, the component whose process() function releases funds on the destination chain.

The contract was supposed to accept only messages that had been proven against a confirmed Merkle root, but the upgrade initialised the zero hash (0x00…00) as a trusted root. A message that has never been proven maps to that same zero value in the contract's storage, so process() accepted any message at all, no valid proof required.

Once one attacker had found the flaw, hundreds of other wallets copied the technique, since exploiting it amounted to replaying the original transaction with the recipient address changed.

This “mob-style” attack led to a chaotic and decentralized looting of the bridge, draining over $190 million in ETH, USDC, WBTC, and ERC-20 tokens.
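
The failure mode described above, as an added, simplified Python model rather than Nomad's Solidity: the contract's confirmAt and messages mappings are modelled as default-valued dicts, sha256 stands in for keccak256, and the timestamps and message bytes are constructed. It shows the actual point, that initialising the committed root to zero turns the "never proven" storage default into a trusted root, and that a check which refuses the zero root closes the hole.

```python
import hashlib
from collections import defaultdict

ZERO_ROOT = b"\x00" * 32  # bytes32(0): the default value of every unset mapping slot


class Replica:
    """Toy model of the Replica contract's message acceptance logic.

    confirm_at maps a Merkle root to the timestamp after which it is trusted
    (0 = never confirmed). messages maps a message hash to the root it was
    proven against; for a message nobody has proven it is the mapping default,
    i.e. the zero root. Constructed for illustration, not Nomad's code.
    """

    def __init__(self, committed_root: bytes, now: int, reject_zero_root: bool = False):
        self.now = now
        self.reject_zero_root = reject_zero_root
        self.confirm_at: dict[bytes, int] = defaultdict(int)
        self.messages: dict[bytes, bytes] = defaultdict(lambda: ZERO_ROOT)
        # initialize(): the upgrade marks the committed root as confirmed at t=1.
        # Passing bytes32(0) here is the fatal misconfiguration.
        self.confirm_at[committed_root] = 1

    @staticmethod
    def _hash(message: bytes) -> bytes:
        return hashlib.sha256(message).digest()  # stand-in for keccak256

    def acceptable_root(self, root: bytes) -> bool:
        if self.reject_zero_root and root == ZERO_ROOT:  # hardened variant
            return False
        confirmed = self.confirm_at[root]
        return confirmed != 0 and confirmed <= self.now

    def prove(self, message: bytes, root: bytes, merkle_proof_ok: bool) -> bool:
        """Legitimate path: a valid Merkle proof binds the message to a trusted root."""
        if not merkle_proof_ok or not self.acceptable_root(root):
            return False
        self.messages[self._hash(message)] = root
        return True

    def process(self, message: bytes) -> bool:
        """Release funds if the root recorded for this message is acceptable.

        process() never re-checks the proof; it trusts messages[hash]. For an
        unproven message that slot is ZERO_ROOT, so the decision collapses to
        'is the zero root confirmed?'.
        """
        return self.acceptable_root(self.messages[self._hash(message)])


def unproven_message_accepted(replica: Replica) -> bool:
    """Submit a message straight to process() without ever calling prove()."""
    return replica.process(b"dispatch 100 WBTC to 0xattacker")  # constructed payload


if __name__ == "__main__":
    t = 1_659_312_000  # constructed block timestamp
    vulnerable = Replica(committed_root=ZERO_ROOT, now=t)
    print("zero root trusted, unproven message processed:", unproven_message_accepted(vulnerable))
    hardened = Replica(committed_root=ZERO_ROOT, now=t, reject_zero_root=True)
    print("zero root rejected, unproven message processed:", unproven_message_accepted(hardened))
```

The lesson generalises beyond Nomad: any Solidity check of the form trusted[mapping[key]] has to treat the mapping's zero default as untrusted explicitly, because an upgrade or a bad initialiser can otherwise make "absent" look like "approved".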

Overview of the attack at Nomad Bridge (image; source: TRM Labs)

TRM Labs notes that the flaw was so easy to exploit that people with no hacking skills or deep blockchain knowledge joined in. Experienced North Korean actors were also implicated, however.

Osei Morrell is not believed to have written or launched the exploit himself, but TRM Labs says he "played a central role," and the evidence suggests he conspired with others to launder large amounts of the stolen funds.

Wallets linked to Morrell received stolen assets within hours of the bridge being drained, suggesting close coordination with early attackers.

TRM Labs' data shows that Morrell used "chain-hopping" to move the stolen tokens across several blockchains, ran them through the Tornado Cash mixer to obscure their origin, and swapped ETH into the privacy coins Monero (XMR) and Dash.

Morrell's money laundering process (image; source: TRM Labs)

To cash out the proceeds, he used non-custodial exchanges, OTC brokers, and offshore bank accounts tied to fake or opaque legal entities, and also converted some crypto to fiat through providers that perform no KYC checks.

Despite all the obfuscation efforts and the time that has passed since these events, blockchain transaction analysis still yielded enough clues to uncover Morrell’s identity, resulting in his arrest.

Morrell's arrest follows that of another suspected participant, a Russian-Israeli citizen named Alexander Gurevich, who was caught on May 1 at Ben Gurion airport in Tel Aviv travelling on documents issued under a new name, Alexander Block, which he had officially adopted.

According to prosecutors, Gurevich exploited the Nomad bridge flaw and withdrew about $2.89 million in digital tokens. This was followed by others finding the issue and leveraging it to siphon assets.

Jerusalem Post reports that on August 4, 2022, Gurevich contacted Nomad’s Chief Technology Officer and admitted he had been probing Nomad for weaknesses, apologizing for the trouble and later demanding a $500,000 reward for identifying the vulnerability.


Microsoft confirms May Windows 10 updates trigger BitLocker recovery

Microsoft has confirmed that some Windows 10 and Windows 10 Enterprise LTSC 2021 systems will boot into BitLocker recovery after installing the May 2025 security updates.

BitLocker is the Windows full-volume encryption feature that protects data at rest. On a TPM-protected system the volume key is sealed to the measured boot configuration, so the device drops into BitLocker recovery and asks for the 48-digit recovery key whenever those measurements change unexpectedly, for example after a TPM firmware update, a firmware setting change, or a hardware swap.

Today, Microsoft confirmed the issue and said it's investigating reports that "a small number" of Windows 10 PCs display BitLocker recovery screens after installing the KB5058379 update.

“On affected devices, upon installing the update, Windows might fail to start enough times to trigger an Automatic Repair. On devices with BitLocker enabled, BitLocker requires the input of your BitLocker recovery key to initiate an Automatic Repair,” the company said in a Windows release health update.

Affected users who check Event Viewer will also see LSASS errors and update-installation failures with error 0x800F0845 in the System log. While some devices end up in a BitLocker recovery loop after Startup Repair fails, others roll back to the previously installed update after several failed attempts to install KB5058379.
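
For admins sorting out a fleet after the update, an added Python triage script (not from Microsoft or this article) that classifies devices from an exported System log using exactly the signals named above: repeated KB5058379 installation failures with 0x800F0845, an LSASS crash, or a later successful install. The export format (a Device column added by the collector, followed by Get-WinEvent's TimeCreated, ProviderName, Id and Message) and the sample rows are constructed; KB0000001 stands in for whichever update was installed before.

```python
import csv
import io
import re
from collections import defaultdict

KB = "KB5058379"
FAIL_CODE = re.compile(r"0x800F0845", re.IGNORECASE)
LSASS = re.compile(r"lsass\.exe", re.IGNORECASE)

# Constructed sample export, not real telemetry. Event IDs 19/20 are the
# WindowsUpdateClient success/failure events; the Wininit row mimics an LSASS crash.
SAMPLE_CSV = '''Device,TimeCreated,ProviderName,Id,Message
LT-101,2025-05-14 08:01:12,Microsoft-Windows-WindowsUpdateClient,20,"Installation Failure: Windows failed to install the following update with error 0x800F0845: 2025-05 Cumulative Update for Windows 10 (KB5058379)."
LT-101,2025-05-14 08:09:40,Microsoft-Windows-WindowsUpdateClient,20,"Installation Failure: Windows failed to install the following update with error 0x800F0845: 2025-05 Cumulative Update for Windows 10 (KB5058379)."
LT-101,2025-05-14 08:10:03,Microsoft-Windows-Wininit,1015,"A critical system process, C:\\Windows\\system32\\lsass.exe, failed with status code c0000005."
LT-102,2025-05-14 07:55:30,Microsoft-Windows-WindowsUpdateClient,20,"Installation Failure: Windows failed to install the following update with error 0x800F0845: 2025-05 Cumulative Update for Windows 10 (KB5058379)."
LT-103,2025-05-14 09:02:55,Microsoft-Windows-WindowsUpdateClient,19,"Installation Successful: Windows successfully installed the following update: 2025-05 Cumulative Update for Windows 10 (KB5058379)."
LT-104,2025-05-14 09:30:00,Microsoft-Windows-WindowsUpdateClient,19,"Installation Successful: Windows successfully installed the following update: 2025-04 Cumulative Update for Windows 10 (KB0000001)."
'''

# What to do with each class, taken from the mitigations described in the article.
ACTIONS = {
    "recovery-loop-risk": "Have the BitLocker recovery key ready (AD/Entra escrow or the Microsoft account portal); "
                          "if WinRE keeps looping, try disabling Intel TXT in firmware, then Secure Boot, VT or Firmware Protection.",
    "install-failed-once": "Watch for further 0x800F0845 retries; confirm recovery key escrow before the next attempt.",
    "installed-after-retry": "Update landed after failed attempts; verify BitLocker protection is On and no reboot is pending.",
    "installed": "No action.",
    "no-signal": "No activity for this KB logged; check the device is reporting.",
}


def triage(csv_text: str, kb: str = KB) -> dict[str, str]:
    """Classify each device by the update events it logged for `kb`."""
    per_device = defaultdict(lambda: {"failures": 0, "success": False, "lsass": False})
    for row in csv.DictReader(io.StringIO(csv_text)):
        d = per_device[row["Device"]]
        msg = row["Message"]
        if row["ProviderName"].endswith("WindowsUpdateClient") and kb in msg:
            if FAIL_CODE.search(msg):
                d["failures"] += 1
            elif "Installation Successful" in msg:
                d["success"] = True
        if LSASS.search(msg):
            d["lsass"] = True

    result = {}
    for device, d in per_device.items():
        if d["success"] and not d["failures"]:
            result[device] = "installed"
        elif d["success"]:
            result[device] = "installed-after-retry"
        elif d["failures"] >= 2 or (d["failures"] and d["lsass"]):
            # Repeated failures, or a failure next to an LSASS crash, is the
            # pattern the article describes for devices that end up in recovery.
            result[device] = "recovery-loop-risk"
        elif d["failures"]:
            result[device] = "install-failed-once"
        else:
            result[device] = "no-signal"
    return result


if __name__ == "__main__":
    for device, status in triage(SAMPLE_CSV).items():
        print(f"{device:8} {status:22} {ACTIONS[status]}")
```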

You can retrieve the recovery key from the BitLocker recovery key page by signing in with the Microsoft account the device is registered to; on domain- or Entra ID-joined machines it is normally escrowed in Active Directory or Entra ID, where an admin can look it up. Microsoft's support page on finding your BitLocker recovery key has further details.

Microsoft says it’s investigating the issue and will provide an update once more information regarding the root cause becomes available.

BitLocker recovery screen (image; source: Microsoft)

Microsoft’s acknowledgment of this issue comes after many Windows users and admins have reported seeing devices unexpectedly enter the Windows Recovery Environment (WinRE) and displaying a BitLocker recovery screen after installing the KB5058379 cumulative update released as part of the May 2025 Patch Tuesday.

Currently, these reports point to a wide variety of system configurations and devices from Lenovo, Dell, and HP being affected, so it’s unclear if this is caused by a specific hardware or software issue.

“The latest KB5058379 released May 13 quality update failed in Windows 10 devices. Some devices it caused triggering bitlocker key window after restart,” one user said on Microsoft’s forums.

“We have about a half dozen laptops that experienced various intermittent issues after receiving the same KB – some require bitlocker keys to start up, others refusing to start at all,” a Windows admin added on Reddit.

To get back into Windows on systems stuck at a BitLocker recovery prompt, you can try disabling Intel Trusted Execution Technology (TXT) in the BIOS/UEFI settings. If that does not help, Microsoft support advises also trying to disable Secure Boot, then virtualization technologies, then Firmware Protection, re-testing after each change. Keep the recovery key at hand: each of these firmware changes alters the measured boot configuration and can itself prompt for the key.

In August 2024, Microsoft fixed another issue that triggered BitLocker recovery prompts on Windows 10, Windows 11, and Windows Server systems after installing the July 2024 Windows security updates.

Two years earlier, in August 2022, Windows devices were impacted by similar issues after the KB5012170 security update caused some devices to boot into the BitLocker recovery screen.


Government webmail hacked via XSS bugs in global spy campaign

Hackers are running a worldwide cyberespionage campaign dubbed ‘RoundPress,’ leveraging zero-day and n-day flaws in webmail servers to steal email from high-value government organizations.

ESET researchers who uncovered the operation attribute it with medium confidence to the Russian state-sponsored hackers APT28 (aka “Fancy Bear” or “Sednit”).

The campaign started in 2023 and continued with the adoption of new exploits in 2024, targeting Roundcube, Horde, MDaemon, and Zimbra.

Notable targets include governments in Greece, Ukraine, Serbia, and Cameroon, military units in Ukraine and Ecuador, defense companies in Ukraine, Bulgaria, and Romania, and critical infrastructure in Ukraine and Bulgaria.

RoundPress targets (image; source: ESET)

Open email, have data stolen

The attack starts with a spear-phishing email referencing current news or political events, often including excerpts from news articles to add legitimacy.

A malicious JavaScript payload embedded in the HTML body of the email triggers a cross-site scripting (XSS) vulnerability in the webmail web interface the recipient uses to read it.

All the victim needs to do is open the email; no clicks, redirections or data entry are required for the malicious script to execute.

Attack chain overview (image; source: ESET)

The payload has no persistence mechanisms, so it only executes when the malicious email is opened.

The script creates invisible input fields to trick browsers or password managers into autofilling stored credentials for the victim’s email accounts.

Credential stealer function (image; source: ESET)

Additionally, it reads the DOM or sends HTTP requests to the webmail server to collect email message content, contacts, webmail settings, login history, two-factor authentication settings, and passwords.

The data is then exfiltrated to hardcoded command-and-control (C2) addresses using HTTP POST requests.

Each script has a slightly different set of capabilities, adjusted for the product it’s targeting.

Vulnerabilities targeted

Operation RoundPress used XSS flaws in several webmail products that high-value organizations commonly run to inject its malicious JavaScript.

The exploitation ESET associated with this campaign involves the following flaws:

  • Roundcube – CVE-2020-35730: A stored XSS flaw the hackers used in 2023 by embedding JavaScript directly into the body of an email. When victims opened the email in a browser-based webmail session, the script executed in their context, enabling credential and data theft.
  • Roundcube – CVE-2023-43770: An XSS vulnerability in how Roundcube handled hyperlink text, leveraged in early 2024. Improper sanitization allowed attackers to inject <script> tags into the email content, which executed when the message was viewed.
  • MDaemon – CVE-2024-11182: A zero-day XSS flaw in the MDaemon Email Server's HTML parser, exploited by the hackers in late 2024. By crafting a malformed title attribute containing a noembed tag, attackers could render a hidden <img onerror> payload that executed JavaScript. This enabled credential theft, 2FA bypass, and persistent access via App Passwords.
  • Horde – Unknown XSS: APT28 attempted to exploit an old XSS vulnerability in Horde by placing a script in an <img onerror> handler. The attempt failed, likely due to built-in filtering in modern Horde versions. The exact flaw is unconfirmed but appears to have been patched in the meantime.
  • Zimbra – CVE-2024-27443: An XSS vulnerability in Zimbra's calendar invite handling that had not previously been flagged as exploited in the wild. Unsanitized input from the X-Zimbra-Calendar-Intended-For header allowed JavaScript injection into the calendar UI. APT28 embedded a hidden script that decoded and executed base64-encoded JavaScript when the invite was viewed.
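
A detection pass over raw messages for the injection shapes just listed, as an added example (not ESET's tooling or code from the report). The regexes are heuristics keyed to the exploit chains above: an inline event handler on an image or similar tag, markup smuggled through a title attribute as in the MDaemon bug, markup in the Zimbra calendar header, a base64-decoded payload, and the outbound call the stealer needs. The three sample messages are constructed, and the base64 string decodes to harmless text; tune the patterns to your own mail flow before acting on hits.

```python
import email
import re
from email import policy

ZIMBRA_HDR = "X-Zimbra-Calendar-Intended-For"

CHECKS = {
    # <img src=x onerror=...>, <svg onload=...> and friends fire on render, no click needed
    "inline-event-handler": re.compile(r"<\s*(img|svg|body|iframe|input)\b[^>]*\bon(error|load|focus)\s*=", re.I),
    # a raw <script> tag that survived sanitisation
    "script-tag": re.compile(r"<\s*script\b", re.I),
    # markup inside a title="..." attribute (the MDaemon CVE-2024-11182 shape)
    "markup-inside-title-attribute": re.compile(r"\btitle\s*=\s*(['\"])[^'\"]*<", re.I),
    # eval(atob("...")) / Function(atob(...)): staged, base64-encoded payload
    "base64-eval": re.compile(r"\b(eval|Function)\s*\(\s*atob\s*\(", re.I),
    # the script has to phone home to its C2 somehow
    "network-call-in-body": re.compile(r"\b(XMLHttpRequest|fetch)\s*\(", re.I),
}


def scan_message(raw: bytes) -> list[str]:
    """Return the sorted names of every heuristic that fired on this message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = set()

    hdr = msg.get(ZIMBRA_HDR)
    if hdr and re.search(r"[<>\"']", hdr):  # an address field should never carry markup
        findings.add("markup-in-zimbra-calendar-header")

    for part in msg.walk():
        if part.get_content_type() not in ("text/html", "text/plain", "text/calendar"):
            continue
        body = part.get_content()  # text/plain too: CVE-2020-35730 was XSS via plain-text mail
        for name, pattern in CHECKS.items():
            if pattern.search(body):
                findings.add(name)
    return sorted(findings)


# Constructed samples (not real campaign emails).
BENIGN = b"""From: news@example.org
To: analyst@example.gov
Subject: Weekly brief
Content-Type: text/html; charset=utf-8

<html><body><p>Read the <a href="https://example.org/brief">full brief</a>.</p>
<img src="https://example.org/banner.png" alt="banner"></body></html>
"""

MDAEMON_STYLE = b"""From: press@example.net
To: analyst@example.gov
Subject: Breaking: regional summit
Content-Type: text/html; charset=utf-8

<html><body><p>Excerpt from today's coverage of the summit...</p>
<div title='<noembed><img src=x onerror="eval(atob(&quot;ZG9jdW1lbnQudGl0bGU=&quot;))">'>summit</div>
</body></html>
"""

ZIMBRA_STYLE = b"""From: organizer@example.net
To: analyst@example.gov
Subject: Invitation: project sync
X-Zimbra-Calendar-Intended-For: analyst@example.gov"><img src=x onerror=alert(1)>
Content-Type: text/calendar; charset=utf-8; method=REQUEST

BEGIN:VCALENDAR
VERSION:2.0
BEGIN:VEVENT
SUMMARY:Project sync
DTSTART:20240312T090000Z
END:VEVENT
END:VCALENDAR
"""


def scan_samples() -> dict[str, list[str]]:
    return {
        "benign": scan_message(BENIGN),
        "mdaemon-style": scan_message(MDAEMON_STYLE),
        "zimbra-style": scan_message(ZIMBRA_STYLE),
    }


if __name__ == "__main__":
    for name, hits in scan_samples().items():
        print(f"{name:14} {hits or 'clean'}")
```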

Although ESET does not report any RoundPress activity for 2025, the hackers’ methods could be easily applied to this year too, as there’s a constant supply of new XSS flaws in popular webmail products.


Top 10 Best Practices for Effective Data Protection

Data is the lifeblood of productivity, and protecting sensitive data is more critical than ever. With cyber threats evolving rapidly and data privacy regulations tightening, organizations must stay vigilant and proactive to safeguard their most valuable assets. But how do you build an effective data protection framework?

In this article, we’ll explore data protection best practices from meeting compliance requirements to streamlining day-to-day operations. Whether you’re securing a small business or a large enterprise, these top strategies will help you build a strong defense against breaches and keep your sensitive data safe.

1. Define your data goals

When tackling any data protection project, the first step is always to understand the outcome you want.

First, understand what data you need to protect. Identify your crown jewel data, and where you THINK it lives. (It’s probably more distributed than you expect, but this is a key step to help you define your protection focus.) Work with business owners to find any data outside the typical scope that you need to secure.

This is all to answer the question: “What data would hurt the company if it were breached?”

Second, work with the C-suite and board of directors to define what your data protection program will look like. Understand your budget, your risk tolerance for data loss, and what resources you have (or may need). Define how aggressive your protection program will be so you can balance risk and productivity. All organizations need to strike a balance between the two.

2. Automate data classification

Next, begin your data classification journey—that is, find your data and catalog it. This is often the most difficult step in the journey, as organizations create new data all the time.

Your first instinct may be to try to keep up with all your data, but this may be a fool’s errand. The key to success is to have classification capabilities everywhere data moves (endpoint, inline, cloud), and rely on your DLP policy to jump in when risk arises. (More on this later.)

Automation in data classification is becoming a lifesaver thanks to AI. AI-powered classification can be faster and more accurate than traditional ways of classifying data with DLP. Ensure any solution you are evaluating can use AI to discover and classify data without human input.

3. Focus on zero trust security for access control

Adopting a zero trust architecture is crucial for modern data protection strategies to be effective. Based on the maxim “never trust, always verify,” zero trust assumes security threats can come from inside or outside your network. Every access request is authenticated and authorized, greatly reducing the risk of unauthorized access and data breaches.

Look for a zero trust solution that emphasizes the importance of least-privileged access control between users and apps. With this approach, users never access the network, reducing the ability for threats to move laterally and propagate to other entities and data on the network. The principle of least privilege ensures that users have only the access they need for their roles, reducing the attack surface.

4. Centralize DLP for consistent alerting

Data loss prevention (DLP) technology is the core of any data protection program. That said, keep in mind that DLP is only a subset of a larger data protection solution. DLP enables the classification of data (along with AI) to ensure you can accurately find sensitive data. Ensure your DLP engine can consistently alert correctly on the same piece of data across devices, networks, and clouds.

The best way to ensure this is to embrace a centralized DLP engine that can cover all channels at once. Avoid point products that bring their own DLP engine (endpoint, network, CASB), as this can lead to multiple alerts on one piece of moving data, slowing down incident management and response.

Look to embrace Gartner’s security service edge approach, which delivers DLP from a centralized cloud service. Focus on vendors that support the most channels so that, as your program grows, you can easily add protection across devices, inline, and cloud.

5. Ensure blocking across key loss channels

Once you have a centralized DLP, focus on the most important data loss channels to your organization. (You’ll need to add more channels as you grow, so ensure your platform can accommodate all of them and grow with you.) The most important channels can vary, but every organization focuses on certain common ones:

  • Web/Email: The most common ways users accidentally send sensitive data outside the organization.
  • SaaS data (CASB): Another common loss vector, as users can easily share data externally.
  • Endpoint: A key focus for many organizations looking to lock down USB, printing, and network shares.
  • Unmanaged devices/BYOD: If you have a large BYOD footprint, browser isolation is an innovative way to secure data headed to these devices without an agent or VDI. Devices are placed in an isolated browser, which enforces DLP inspection and prevents cut, paste, download, or print. (More on this later.)
  • SaaS posture control (SSPM/supply chain): SaaS platforms like Microsoft 365 can often be misconfigured. Continuously scanning for gaps and risky third-party integrations is key to minimizing data breaches.
  • IaaS posture control (DSPM): Most companies have a lot of sensitive data across AWS, Azure, or Google Cloud. Finding it all, and closing risky misconfigurations that expose it, is the driver behind data security posture management (DSPM).

6. Understand and maintain compliance

Getting a handle on compliance is a key step for great data protection. You may need to keep up with many different regulations, depending on your industry (GDPR, PCI DSS, HIPAA, etc.). These rules are there to make sure personal data is safe and organizations are handling it the right way. Stay informed on the latest mandates to avoid fines and protect your brand, all while building trust with your customers and partners.

To keep on top of compliance, strong data governance practices are a must. This means regular security audits, keeping good records, and making sure your team is well-trained. Embrace technological approaches that help drive better compliance, such as data encryption and monitoring tools. By making compliance part of your routine, you can stay ahead of risks and ensure your data protection is both effective and in line with requirements.

7. Strategize for BYOD

Although not a concern for every organization, unmanaged devices present a unique challenge for data protection. Your organization doesn’t own or have agents on these devices, so you can’t ensure their security posture or patch level, wipe them remotely, and so on. Yet their users (like partners or contractors) often have legitimate reasons to access your critical data.

You don’t want sensitive data to land on a BYOD endpoint and vanish from your sight. Until now, solutions to secure BYOD have revolved around CASB reverse proxies (problematic) and VDI approaches (expensive).

Browser isolation provides an effective and elegant way to secure data without the cost and complexity of those approaches. By placing BYOD endpoints in an isolated browser (part of the security service edge), you can enforce strong data protection without an endpoint agent. Data is streamed to the device as pixels, allowing interaction with the data but preventing download and cut/paste. You can also apply DLP inspection to the session and data based on your policy.

8. Control your cloud posture with SSPM and DSPM

Cloud posture is one of the most commonly overlooked aspects of data hygiene. SaaS platforms and public clouds have many settings that DevOps teams without security expertise can easily overlook. The resulting misconfigurations can lead to dangerous gaps that expose sensitive data. Many of the largest data breaches in history have happened because such gaps let adversaries walk right in.

SaaS security posture management (SSPM) and data security posture management (DSPM for IaaS) are designed to uncover and help remediate these risks. By leveraging API access, SSPM and DSPM can continuously scan your cloud deployment, locate sensitive data, identify misconfigurations, and remediate exposures. Some SSPM approaches also feature integrated compliance with frameworks like NIST, ISO, and SOC 2.

9. Don't forget about data security training

Data security training is often where data protection programs fall apart. If users don’t understand or support your data protection goals, dissent can build across your teams and derail your program. Spend time building a training program that highlights your objectives and the value data protection will bring the organization. Ensure upper management supports and sponsors your data security training initiatives.

Some solutions offer built-in user coaching with incident management workflows. This valuable feature allows you to notify users about incidents via Slack or email for justification, education, and policy adjustment if needed. Involving users in their incidents helps promote awareness of data protection practices as well as how to identify and safely handle sensitive content.

10. Automate incident management and workflows

Lastly, no data protection program would be complete without day-to-day operations. Ensuring your team can efficiently manage and quickly respond to incidents is critical. One way to ensure streamlined processes is to embrace a solution that enables workflow automation.

Designed to automate common incident management and response tasks, this feature can be a lifesaver for IT teams. By saving time and money while improving response times, IT teams can do more with less. Look for solutions that have a strong workflow automation offering integrated into the SSE to make incident management efficient and centralized.

Bringing it all together

Data protection is not a one-time project; it’s an ongoing commitment. Staying informed of data protection best practices will help you build a resilient defense against evolving threats and ensure your organization’s long-term success.

Remember: investing in data protection is not just about mitigating risks and preventing data breaches. It’s also about building trust, maintaining your reputation, and unlocking new opportunities for growth.


Coinbase says cyber criminals stole customer data and demanded $20 million ransom

Story by Euronews

Coinbase, the largest cryptocurrency exchange based in the US, said criminals had improperly obtained personal data on the exchange’s customers for use in crypto-stealing scams and were demanding a $20 million (€17.6 million) payment not to publicly release the information.

Coinbase CEO Brian Armstrong said in a social media post Thursday that criminals had bribed some of the company’s customer service agents who live outside the US to hand over personal data on customers – including names, dates of birth, and partial national identification numbers.

The stolen data “allows them to conduct social engineering attacks where they can call our customers impersonating Coinbase customer support and try to trick them into sending their funds to the attackers,” Armstrong said.

Social engineering is a popular hacking strategy, as humans tend to be the weakest link in any network. Many large companies have suffered hacks and data breaches as a result of such scams in recent years.

Coinbase did not specify how many customers had their data stolen or fell prey to social engineering scams. But the company did pledge to reimburse any who did.

In a filing with the US Securities and Exchange Commission (SEC), Coinbase estimated that it would have to spend between $180 million to $400 million (€158 million to €352 million) related to remediation and customer reimbursements tied to the bribes.

The SEC filing said that the company had detected some of its customer service agents “accessing data without business need”.

Those employees had been fired, the company said, and it has since stepped up its fraud prevention efforts.

Coinbase said it received an email from the attackers on Sunday demanding a ransom of $20 million (€17.6 million) worth of bitcoin in order not to publicly release the customer data they had stolen.

Armstrong said the company was refusing to pay the ransom and would instead offer a $20 million (€17.6 million) bounty for anyone who provided information that led to the attackers’ arrest.

“For these would-be extortionists or anyone seeking to harm Coinbase customers, know that we will prosecute you and bring you to justice,” Armstrong said.

“And know you have my answer”.


Fake Social Security Statement emails trick users into installing remote tool

by Pieter Arntz:

Fake emails pretending to come from the US Social Security Administration (SSA) try to get targets to install ScreenConnect, a remote access tool.

This campaign was flagged and investigated by the Malwarebytes Customer Support and Research teams.

ScreenConnect, formerly known as ConnectWise Control, is a remote support and remote access platform widely used by businesses to facilitate IT support and troubleshooting. It allows technicians to remotely connect to users’ computers to perform tasks such as software installation, system configuration, and to resolve issues.

Because ScreenConnect provides full remote control capabilities, an unauthorized user with access can operate your computer as if they were physically present. This includes running scripts, executing commands, transferring files, and even installing malware—all potentially without you realizing.

This makes ScreenConnect a dangerous tool in the hands of cybercriminals. A phishing group dubbed Molatori—because of the domains they use to host the ScreenConnect client—has been found to lure their targets into installing the ScreenConnect clients by sending emails pretending to come from the Social Security Administration (SSA):

Example of the fake SSA email (image):

“Your Social Security Statement is now available
Thank you for choosing to receive your statements electronically.
Your document is now ready for download:

  • Please download the attachment and follow the provided instructions.
  • NOTE: Statements & Documents are only compatible with PC/Windows systems.”

There are some variations to this mail in circulation but the example above shows how legitimate these emails look.

The link in the email delivers the ScreenConnect client installer (support.Client.exe), which was found renamed to misleading names such as ReceiptApirl2025Pdfc.exe and SSAstatment11April.exe.

After cybercriminals install the client on the target’s computer, they remotely connect to it and immediately begin their malicious activities. They access and exfiltrate sensitive information such as banking details, personal identification numbers, and confidential files. This stolen data can then be used to commit identity theft, financial fraud, and other harmful acts. Experts have identified financial fraud as the primary objective of the Molatori group.

There are several circumstances that make this campaign hard to detect:

  • The cybercriminals send phishing emails from compromised WordPress sites, so the domains themselves appear legitimate and not malicious.
  • They often embed the email content as an image, which prevents email filters from effectively scanning and blocking the message.
  • ScreenConnect is a legitimate application which happens to be abused because of its capabilities.

What we can do

When receiving unsolicited emails there are a few necessary precautions you can take to avoid falling for phishing:

  • Verify the source of the email through independent sources.
  • Don't click on links until you are sure they are non-malicious.
  • Don’t open downloaded files or attachments until you are sure they are safe.
  • Use an up-to-date and active anti-malware solution.
  • If you suspect an email isn’t legitimate, take a name or some text from the message and put it into a search engine to see if any known phishing attacks exist using the same methods.

Malwarebytes users are protected

Malwarebytes will detect suspicious instances of the ScreenConnect client as RiskWare.ConnectWise.CST.

And blocks connections to these associated domains:

  • atmolatori[.]icu
  • gomolatori[.]cyou
  • molatoriby[.]cyou
  • molatorier[.]cyou
  • molatorier[.]icu
  • molatoriist[.]cyou
  • molatorila[.]cyou
  • molatoriora[.]cyou
  • molatoriora[.]icu
  • molatoripro[.]cyou
  • molatoripro[.]icu
  • molatorisy[.]cyou
  • molatorisy[.]icu
  • onmolatori[.]icu
  • promolatori[.]icu
  • samolatori[.]cyou
  • samolatori[.]icu
  • umolatori[.]icu

We don’t just report on data privacy—we help you remove your personal information

Cybersecurity risks should never spread beyond a headline. With Malwarebytes Personal Data Remover, you can scan to find out which sites are exposing your personal information, and then delete that sensitive data from the internet.


AI is getting “creepy good” at geo-guessing

by Pieter Arntz

If you are worried about revealing your exact location—or if you maybe even fib about it at times—there are some good reasons to worry about what is visible in background photos, because Artificial Intelligence (AI) is getting very good at guessing where you are based on the smallest of clues. And that might even include audio clues, if given the right data.

Geo guessing

Our curiosity was triggered by this article in TechRadar claiming that ChatGPT o3 can geo-guess your location from almost any photo. So, we decided to do some tests and removed the metadata from a few selected photographs that I took myself and never published anywhere (for quality reasons, obviously).

Metadata can include technical details like camera settings, date and time, location, and descriptive information like captions or keywords. And we wanted to test the AI’s capability on the picture itself—not on additional data included in the file. I also used a VPN so I didn’t give away my current location.
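
Stripping that metadata before such a test, or before posting a photo at all, does not need an image library. The following added example (not code from the post) walks a JPEG's marker segments with the standard library only and drops the APP1 segments that carry Exif (including the GPS IFD) and XMP, and the APP13 segment that carries IPTC, while leaving the JFIF header, tables and image data untouched. The sample file it builds is a constructed marker skeleton, not a real picture.

```python
SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
STANDALONE = {0x01, *range(0xD0, 0xD8)}  # TEM and RSTn markers carry no length field

EXIF_HEADER = b"Exif\x00\x00"
XMP_HEADER = b"http://ns.adobe.com/xap/1.0/\x00"


def _metadata_kind(marker: int, payload: bytes):
    """Label the segments worth dropping; None means keep."""
    if marker == 0xE1 and payload.startswith(EXIF_HEADER):
        return "APP1/Exif"      # camera, date/time and the GPS IFD live here
    if marker == 0xE1 and payload.startswith(XMP_HEADER):
        return "APP1/XMP"       # editing history, captions, sometimes location again
    if marker == 0xED:
        return "APP13/IPTC"     # Photoshop IRB, usually wrapping IPTC captions/keywords
    return None                 # APP0 (JFIF), APP2 (ICC), DQT, DHT, SOF... stay


def strip_metadata(data: bytes) -> tuple[bytes, list[str]]:
    """Return (cleaned JPEG bytes, list of dropped segment kinds)."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    out = bytearray(b"\xff\xd8")
    dropped = []
    i = 2
    while i < len(data):
        if data[i] != 0xFF:
            raise ValueError(f"expected a marker at offset {i}")
        while i < len(data) and data[i] == 0xFF:  # 0xFF fill bytes may precede a marker
            i += 1
        if i >= len(data):
            break
        marker = data[i]
        i += 1
        if marker in STANDALONE or marker == EOI:
            out += bytes([0xFF, marker])
            if marker == EOI:
                break
            continue
        length = int.from_bytes(data[i:i + 2], "big")  # counts the 2 length bytes themselves
        segment = bytes([0xFF, marker]) + data[i:i + length]
        payload = data[i + 2:i + length]
        i += length
        if marker == SOS:
            # Entropy-coded image data follows up to EOI; metadata never lives there, copy verbatim.
            out += segment + data[i:]
            break
        kind = _metadata_kind(marker, payload)
        if kind:
            dropped.append(kind)
        else:
            out += segment
    return bytes(out), dropped


def _segment(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + (len(payload) + 2).to_bytes(2, "big") + payload


def build_sample_jpeg() -> bytes:
    """Constructed marker skeleton (not a decodable picture) carrying Exif, XMP and IPTC."""
    # Minimal little-endian TIFF with one IFD entry: tag 0x8825, the GPSInfo pointer.
    tiff = b"II*\x00\x08\x00\x00\x00" + b"\x01\x00" + b"\x25\x88\x04\x00\x01\x00\x00\x00\x1a\x00\x00\x00"
    return (
        b"\xff\xd8"
        + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
        + _segment(0xE1, EXIF_HEADER + tiff)
        + _segment(0xE1, XMP_HEADER + b"<x:xmpmeta><rdf:RDF/></x:xmpmeta>")
        + _segment(0xED, b"Photoshop 3.0\x008BIM\x04\x04\x00\x00\x00\x00\x00\x00")
        + _segment(0xDB, b"\x00" + bytes(64))        # a quantisation table, kept
        + _segment(0xDA, b"\x01\x01\x00\x00\x3f\x00")  # SOS header
        + b"\x12\x34\x56\x78"                        # stand-in scan data
        + b"\xff\xd9"
    )


if __name__ == "__main__":
    original = build_sample_jpeg()
    cleaned, dropped = strip_metadata(original)
    print(f"{len(original)} -> {len(cleaned)} bytes, dropped {dropped}")
```

The same walk is how you would audit a file before upload: if strip_metadata() reports an APP1/Exif segment, the GPS tags may still be there, and a simple byte search for "Exif" is not a substitute, since XMP and IPTC carry location-bearing fields under different headers.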

We started with an easy one. A landmark in a relatively large city, but from a strange perspective. The picture was part of a selfie taken through a window of an office building in Cork.

View over Cork, Ireland from an office building (image)

It was no real surprise that ChatGPT got this right.

“Alright, let’s break this one down — this does have some standout features that make it easier to geo-locate. Here’s the reasoning step by step:”


🧱 Architectural Clues:

  • The old stone building in the foreground has Georgian-style windows and masonry, which are common in parts of the British Isles, especially in Ireland and the UK.
  • The clock tower in the back-left with the green copper dome is particularly distinctive and often used in civic buildings in Ireland.
  • The mix of historical and modern buildings, with the newer glass-fronted offices across a small river or canal, suggests urban regeneration in a historically rich city.

🌉 Infrastructure and Environment:

  • The modern bridge with a blue banner advertisement and the tree-lined waterfront hints at a city that integrates riverways into its urban design.
  • The road signs and general driving direction suggest left-hand traffic, supporting a guess of Ireland or the UK.

🏛 Key Landmark:

The building with the green dome in the background looks very much like the clock tower of Cork City Hall in Ireland. The angle of the shot shows the old Custom House building in front, and the modern offices across the River Lee, which runs through Cork.


This was spot on. But surely ChatGPT is not the only AI good at geo-guessing, so we used the same picture to test Perplexity as well.

“This image provides several strong clues for geo-guessing:

The architecture of the foreground building is classic Georgian or early Victorian, with grey stone and sash windows—styles common in the British Isles, especially Ireland and the UK.

The river, modern glass buildings, and the steel bridge suggest a city that blends historical and contemporary elements.

The most distinctive feature is the clock tower with a green dome in the background. This is a well-known landmark: the Cork Courthouse clock tower in Cork, Ireland.

The bridge over the river and the combination of old and new buildings align with the area around the River Lee in Cork city centre.

Conclusion

This photo was taken in Cork, Ireland, looking out over the River Lee. The stone building in the foreground is part of the historic courthouse complex, and the green-domed clock tower is a prominent feature of Cork’s skyline. The modern glass buildings and bridge further confirm this as central Cork, a city known for its mix of heritage and modern development.”

Perplexity provided almost the same level of accuracy, so we decided to raise the difficulty level. A lot.

Landscaping in progress around a Dutch holiday home

You’ll have to agree that this photo doesn’t give away a lot. But the AI tools took some unexpected clues from the picture.

Here is what ChatGPT determined:

🧩 Visual Clues:

  1. Architecture:
    • The buildings are modular and prefabricated in appearance, with light-colored paneling and dark window/door frames.
    • This type of house is common in northern Europe, especially in the Netherlands, Germany, Denmark, or parts of the UK.
  2. Landscape:
    • Very flat terrain with closely trimmed hedges and grassy areas.
    • This suggests low-lying regions—again pointing to places like the Netherlands or Belgium.
  3. Infrastructure & Construction Tools:
    • The pavers being laid and the wheelbarrows used (particularly the yellow color and shape) are very common in northern and western European construction.
  4. Weather and Lighting:
    • Overcast sky and soft, diffused lighting typical of northern Europe in autumn or early spring.
  5. Small Details:
    • The small shed in the back, the organization of tools, and cleanliness/horticulture are consistent with Dutch/German design sensibilities.
    • The wheelbarrow has the brand name “Fort”, which is a Dutch manufacturer—this is a very strong clue.

🌍 Likely Guess:

The Netherlands 🇳🇱

📍Narrowing it Down:

Given the modular housing, flat landscape, and Fort-brand wheelbarrow, this could be a holiday park, construction site, or suburban area in the Dutch countryside. Possibly in a province like North Holland, South Holland, or Friesland where such structures and environments are typical.

I must admit I was amazed that it mentioned South Holland, which is where this photograph was taken.

Perplexity did not come as close as ChatGPT, but the tool did reach this conclusion:

“Based on architectural style, landscaping, and contextual clues, this scene is almost certainly from the Netherlands. It showcases the country’s embrace of modular housing and practical, tidy outdoor spaces, reflecting broader trends in Dutch residential design and sustainable living.”

Which is still a lot better than I expected when I selected that picture.

Bird songs

So, modern AI tools can pick up visible clues. But then I had another idea—call it an epiphany if you will—which deserves a brief explanation. I use an app called Merlin Bird ID which is able to identify birds based on their singing.

Some bird species are a lot more local than others, so I asked Perplexity:

“Would it be possible to do geo-guessing based on bird songs? And how many species do you think it would take to make a good guess?”

The answer:

“How Many Species Are Needed?

One Species: Sometimes, a single species is enough if it’s highly range-restricted (e.g., endemic to an island or a small region). However, this is rare.

A Few Species (3–5): In most cases, hearing three to five distinct species can allow for a strong guess, especially if their ranges only overlap in a limited area.

More Species, More Precision: The more species you can identify, the more precisely you can geo-locate. With about 10–15 species, especially if some are local specialties, you can often narrow it down to a specific region, habitat, or even a particular park or reserve.”

So, I tried an experiment and offered both AI tools (ChatGPT and Perplexity) a list of bird song matches made from my Merlin Bird ID app. Here is the bird list, and what they tell us about where those birds are located:

| Latin Name | Common Name | Clue |
| --- | --- | --- |
| Fringilla coelebs | Chaffinch | Common across Europe |
| Turdus merula | Eurasian Blackbird | Also common across Europe |
| Parus major | Great Tit | Ubiquitous, widespread |
| Grus grus | Common Crane | Migratory — breeds in Scandinavia, Baltics, parts of Central Europe; passage bird elsewhere |
| Carduelis carduelis | European Goldfinch | Europe and western Asia |
| Turdus viscivorus | Mistle Thrush | Forests, open woodland — common in Europe |
| Certhia brachydactyla | Short-toed Treecreeper | Tells us something — this species avoids northern/colder parts of Europe (rare in the UK, absent in Scandinavia) |
| Ardea alba | Great Egret | Formerly rare in Europe, but now expanding — increasingly common in wetlands and rivers of Central and Southern Europe |
| Sylvia atricapilla | Eurasian Blackcap | Woodland; migratory in north, resident in south |
| Anthus trivialis | Tree Pipit | Breeds in open woodlands across Europe; migratory |
| Vanellus vanellus | Northern Lapwing | Farmland, wet grasslands; declining in the west but still widespread |
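The range-intersection reasoning both assistants describe, as an added example that is not part of the original article or of either tool: each species identified shrinks the set of candidate regions, and the number of bits each one contributes tells you which observations actually leak location. The region names, the species list and their presence sets are constructed for illustration from the clue column above; they are not real range data.

```python
import math

# Constructed candidate regions (toy data, not an ornithological reference).
REGIONS = {"UK", "Scandinavia", "Denmark", "Netherlands", "Germany", "France", "Spain"}

# Constructed presence sets sketched loosely from the clue column of the table.
# Membership is illustrative only; do not read it as range data.
RANGES = {
    "Fringilla coelebs": set(REGIONS),                              # common everywhere
    "Grus grus": REGIONS - {"UK"},                                  # breeding/passage bird
    "Certhia brachydactyla": {"Netherlands", "Germany", "France", "Spain"},  # avoids the north
    "Ardea alba": {"Netherlands", "Germany", "France", "Spain"},    # Central/Southern wetlands
    "Vanellus vanellus": {"UK", "Denmark", "Netherlands", "Germany", "France"},  # wet grassland
}

# Constructed observation list (a subset of the species in the table).
OBSERVED = ["Fringilla coelebs", "Grus grus", "Certhia brachydactyla",
            "Ardea alba", "Vanellus vanellus"]


def narrow(observed, ranges, regions):
    """Intersect candidate regions with each observed species' range.

    Returns the surviving candidates and, per species, the information it
    contributed in bits: log2(candidates before / candidates after).
    A species whose range already covers every remaining candidate adds 0 bits;
    a contradictory observation (e.g. a misidentification) empties the set.
    """
    candidates = set(regions)
    steps = []
    for species in observed:
        if species not in ranges:
            continue  # no range data, so no usable clue
        before = len(candidates)
        candidates &= ranges[species]
        bits = math.log2(before / len(candidates)) if candidates else float("inf")
        steps.append((species, bits, sorted(candidates)))
    return candidates, steps


def total_bits(steps):
    """Total location information leaked by the whole list."""
    return sum(bits for _, bits, _ in steps)


if __name__ == "__main__":
    final, trail = narrow(OBSERVED, RANGES, REGIONS)
    for species, bits, left in trail:
        print(f"{species:24s} +{bits:.2f} bits -> {left}")
    print(f"candidates: {sorted(final)}, total {total_bits(trail):.2f} bits")
```

The two ubiquitous species contribute nothing; the treecreeper and the lapwing do the narrowing, which is exactly the "range-restricted species" point in Perplexity's answer.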

In analyzing this list, Perplexity was the “winner,” able to more accurately guess my location:

“Given all of these factors, my best guess is that you were somewhere in Northern Europe, likely Germany, Denmark, the Netherlands, or the UK. Without more information about habitat (e.g., forest, farmland, coast), it’s difficult to narrow it down further.”

Here was ChatGPT’s response to the same bird song list:

🗺️ My Final Geo-Guess:

You were likely in Germany — possibly in northern or eastern Germany (e.g., Brandenburg or Mecklenburg-Vorpommern), which is:

  • On the Grus grus migration route
  • Rich in mixed forests and wetlands
  • Within the range of Certhia brachydactyla
  • Likely to host all the species you heard, in late April

In reality, the birds were recorded near the Dutch-German border, which put ChatGPT's guess off by almost 400 miles, whereas Perplexity named both the country I was in and the one next door, though its guess covered a large area.

Conclusion

If you’re taking selfies or vlogging and you don’t want to give away your location, you’ll need to be very aware of your visual and auditory surroundings. A wheelbarrow of a specific brand or the sound of a bird with a limited habitat is enough to provide hints about your location. With enough hints, AI can deduce your exact location.

With social media being used for AI training, it is likely that these results will rapidly gain even more in accuracy.
