International Cyber Digest
Your weekly go-to cybersecurity newsletter, curated and commented on by our senior analysts.
‼️🚨 Google Threat Intelligence warns that UNC6671, aka BlackFile, has been running a high-tempo vishing campaign against Microsoft 365 and Okta tenants since early 2026.

Callers pose as IT support, use passkey/MFA migration pretexts, harvest credentials and MFA codes in real time, and register attacker-controlled MFA devices for persistence.

https://cloud.google.com/blog/topics/threat-intelligence/blackfile-vishing-extortion-operation/
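The persistence step described above leaves a recognisable trace in identity-provider logs: a new MFA factor is activated shortly after a sign-in from a network location the user has never used before. The script below is an added example, not from the Google report or any vendor, that flags that sequence over a handful of constructed events. The event shape loosely follows the Okta System Log (eventType, actor.alternateId, client.ipAddress, published), but the field names and the baseline of known addresses are assumptions for illustration.

```python
"""Flag MFA factor enrolments that follow a sign-in from a previously unseen
network location within a short window. This is the sequence a real-time
vishing relay produces when the caller enrols an attacker-controlled device.
Added example; event fields and the sample data are constructed, not real telemetry."""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)

# Constructed sample events (Okta System Log-like field names, an assumption).
SAMPLE_EVENTS = [
    # alice signs in from her usual office egress address
    {"published": "2026-03-02T08:01:00Z", "eventType": "user.session.start",
     "actor": {"alternateId": "alice@example.com"}, "client": {"ipAddress": "203.0.113.10"}},
    # bob signs in from an address never seen for him before ...
    {"published": "2026-03-02T09:12:00Z", "eventType": "user.session.start",
     "actor": {"alternateId": "bob@example.com"}, "client": {"ipAddress": "198.51.100.77"}},
    # ... and a new MFA factor is activated six minutes later
    {"published": "2026-03-02T09:18:00Z", "eventType": "user.mfa.factor.activate",
     "actor": {"alternateId": "bob@example.com"}, "client": {"ipAddress": "198.51.100.77"}},
    # alice enrols a factor from her known address, hours after her sign-in
    {"published": "2026-03-02T13:00:00Z", "eventType": "user.mfa.factor.activate",
     "actor": {"alternateId": "alice@example.com"}, "client": {"ipAddress": "203.0.113.10"}},
]

# Constructed baseline: addresses each user has signed in from historically.
KNOWN_IPS = {
    "alice@example.com": {"203.0.113.10"},
    "bob@example.com": {"203.0.113.22"},
}


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamp used in the sample events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_suspicious_enrolments(events, known_ips, window=WINDOW):
    """Return (user, enrolment_time, login_ip) for each factor activation that
    occurs within `window` of a sign-in from an IP outside the user's baseline."""
    events = sorted(events, key=lambda e: parse_ts(e["published"]))
    new_location_logins = defaultdict(list)  # user -> [(timestamp, ip)]
    alerts = []
    for ev in events:
        user = ev["actor"]["alternateId"]
        ip = ev["client"]["ipAddress"]
        ts = parse_ts(ev["published"])
        if ev["eventType"] == "user.session.start":
            if ip not in known_ips.get(user, set()):
                new_location_logins[user].append((ts, ip))
        elif ev["eventType"] == "user.mfa.factor.activate":
            for login_ts, login_ip in new_location_logins[user]:
                if timedelta(0) <= ts - login_ts <= window:
                    alerts.append((user, ev["published"], login_ip))
                    break
    return alerts


if __name__ == "__main__":
    for user, when, ip in find_suspicious_enrolments(SAMPLE_EVENTS, KNOWN_IPS):
        print(f"REVIEW: {user} enrolled a new MFA factor at {when} after sign-in from {ip}")
```

The baseline can be built from the same log source over a trailing period; the window is deliberately short because the campaign enrols the device while the victim is still on the phone. Treat a hit as a review item for the helpdesk to confirm with the user out of band, not as an automatic lockout.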
🚨🇺🇸 A federal jury has convicted Sohaib Akhter in the case of the 96 wiped US government databases, including FOIA and sensitive federal records.

DOJ says he and his twin Muneeb were fired by a federal contractor, then nuked the systems over several hours.

Sentencing is set for September 9; he faces up to 21 years in prison.

Worth noting: court records still call the contractor "Company-1." Public reporting has identified it as Opexus, but DOJ's indictment keeps the company anonymized.

Source: https://www.justice.gov/usao-edva/united-states-vs-muneeb-akhter-and-sohaib-akhter-case-number-125-cr-307-rda
🚨🇺🇸 New detail in the Akhter twins case: after being fired, Sohaib and Muneeb forgot to leave the Teams meeting in which they had just been fired, and the still-running recording captured them planning and executing the wipe of 96 US government databases tied to FOIA and federal records.

Full transcript from the DOJ filing:

SOHAIB: "Still connected? Still on the VPN?"
SOHAIB: "Delete all their databases?"
MUNEEB: "Eh, they can recover them…backups, I'm pretty sure."
SOHAIB: "Daily backups?"
MUNEEB: "Yup."
SOHAIB: "What's the plan [then]? We gonna take care of severance or are we gonna do something about…" "Should we retort to whatever they send us by saying we need $25,000 each? Hm?"
MUNEEB: "We are doing petty shit now."
MUNEEB: "I'm going to wipe my computer clean."
SOHAIB: "I can't access the system but I still have the email address for their customers for eCase and FOIAXpress."
MUNEEB and SOHAIB discuss being compensated by Company-1.
MUNEEB: "I'm not gonna threaten them shit, that's like could be shown as some sort of . . ."
SOHAIB: "It depends on how you write it. Just say, 'according to our previous agreement, this is the tally of the amount that I've been [paid], if you pay it up front, then I have no reason to communicate with customers.'"
MUNEEB: "I'm good."
SOHAIB: "Whatcha working on man?"
MUNEEB: "Nothing important, man."
SOHAIB: "Why won't you tell me? I ain't gonna snitch."
MUNEEB: "Don't need to. Don't worry about it."
MUNEEB: "People are logged out for the day, this is the perfect time."
SOHAIB: "How do you still have access? When did you connect to their VPN?"
MUNEEB: "10 minutes before their stupid meeting."
SOHAIB: "You might still have access to it until the end of the day. Until at least 6 hours."
MUNEEB: "Don't worry about it man. Don't worry about it."
SOHAIB: "I see you are cleaning out their database backups."
MUNEEB: "Don't worry about it. You don't do nothing. Don't try nothin'. They are looking at you, they are not looking at me."
SOHAIB: "[G]oing to RDP into their systems and delete all their data."
[inaudible]
SOHAIB: "The ramifications for that would be worse though."
MUNEEB: "What are you talking about? I didn't do nothing. They closed my access when they had that meeting."
SOHAIB: "Alright, if you have good plausible deniability."
SOHAIB and MUNEEB then have additional discussion about deleting backups and changing DNS information.
MUNEEB: "Eh, they can recover from yesterday. [The IT manager] will have some work to do."
MUNEEB and SOHAIB discuss Company-1 customers, including Veteran's Affairs OIG, Education Department OIG, DHS OIG, and customer data.
MUNEEB: "DHS was a big [customer]."
SOHAIB: "Just go into each of them and start the delete process. It will take its time. . . It will eventually delete all their files."
MUNEEB: "Sabes, don't say nothin', OK, don't worry about it."
SOHAIB: "I ain't sayin' shit."
SOHAIB: "You should have thought about it prior, man."
MUNEEB: "What do you mean? Like had a kill script, what do you mean?"
SOHAIB: "Blackmailing them in for some money would've been…"
MUNEEB: "No, you do not do that. That's proof of guilt, man."
SOHAIB: "No but the thing was you always have your opinion, I could just communicate with their customers."
MUNEEB: "Communicate with their customers is a different thing!"
SOHAIB: "So you're saying these are two separate things?"
MUNEEB: "There ya go. Go say that man, go argue for that, then they'll think you're the one behind this shit."
SOHAIB: ". . . They're gonna probably raid this place."
MUNEEB: "Eh, I'll clean this shit up. I don't got shit."
SOHAIB: "We also gotta clean stuff up from the other house man."
MUNEEB: "Get rid of that shit."
SOHAIB: "Deleting their filesystems would be a harder fix."
MUNEEB: "Mhhmm, especially if you clear it out."
MUNEEB: "Everything that I did, I'm making sure it's protected. That it's clean."
MUNEEB: "Don't worry, we'll go to Texas."
🚨🏥 Threat actor DragonForce has claimed a new healthcare-sector extortion victim, ouradvancedhealth[.]com. The listing claims the group obtained 2.3 million lines of "full patient data," along with partner agreements, management files, payroll records, and HR files.

After deduplication across 179 patient files, the dataset resolves to almost 2 million unique patient records, including minors. The NetData/ folder also contains eClinicalWorks artifacts, and Departments/Payor Contracting holds carrier contracts with major insurers.

DragonForce told us it gained access through a vulnerable, internet-exposed remote monitoring and management (RMM) tool.

The actor has also posted a timed pressure tactic: it claims it will leak 1,000 lines of patient data per day until it is paid or the countdown expires.

A file tree linked to the alleged exfil suggests the scope is far broader than a single clinic. The folder PatientData/ contains roughly 200 subdirectories, one per medical practice.

We have not verified the entirety of the stolen-data claim, reviewed the alleged sample, or confirmed the incident with the victim organization. Public records for ouradvancedhealth[.]com point to AdvancedHEALTH in Nashville, Tennessee, while the ransomware listing names Advanced Medical Consultants.

If confirmed, the incident would represent a significant healthcare data exposure with possible patient privacy, payroll, HR, and partner-contract impact, and likely federal HIPAA and state-level reporting obligations given the volume of minor records.
‼️🚨 BREAKING: We found that the Italian newspaper la Repubblica and other outlets are circulating a fake photo of Salim el Koudri, the suspect in the Modena car attack.

We used OSINT techniques to find his real photo and location.

As of today, la Repubblica has still not removed the photo of the fake suspect.

We located the Strava account of Modena car attack suspect Salim el Koudri. Full name, location, and profile picture are all visible on the profile.
‼️🚨 BREAKING: Cloudflare's CISO has published what Anthropic's unreleased Mythos model did against more than 50 of Cloudflare's own production repos. According to him, Mythos is too powerful to release as-is and must "include additional safeguards" before it is made available to the public.

It turns out the model can chain multiple low-severity bugs into a single severe exploit with a working PoC, where previous frontier models stopped at "interesting bug, unclear if exploitable."

At triage time, that means fewer hedged findings and less time spent asking "is this even real?" A finding that arrives with a PoC is a finding you can act on.

Cloudflare is also explicit about the safety side. The Mythos Preview build provided for Project Glasswing did not include the safeguards present in generally available models like Opus 4.7 or GPT-5.5. The model's organic refusals are real, but Cloudflare states they are not consistent enough to serve as a complete safety boundary on their own, and that any cyber frontier model made generally available in the future must ship with additional safeguards on top of that baseline.

Interesting detail: Cloudflare was not on the original Project Glasswing launch partner list alongside Apple, AWS, Google, Microsoft, CrowdStrike, and others; it was invited later.

https://blog.cloudflare.com/cyber-frontier-models/
🚨🌍 INTERPOL carried out Operation Ramz, the first cybercrime operation of its kind in the MENA region, with 201 arrests, 382 additional suspects identified, 3,867 victims, and 53 servers seized across 13 countries.

The operation ran from October 2025 to February 28, 2026, and targeted phishing, malware, and cyber scam infrastructure. Around 8,000 pieces of data and intelligence were shared between participating countries: Algeria, Bahrain, Egypt, Iraq, Jordan, Lebanon, Libya, Morocco, Oman, Palestine, Qatar, Tunisia, and UAE.

Jordanian police traced a computer used to run fraudulent "trading platform" scams. A raid found 15 people operating the scams, but investigators determined they were themselves victims of human trafficking: recruited from Asia under false employment promises, their passports confiscated on arrival, and forced into the scheme. Two suspects orchestrating the operation were arrested.

Other notable hits:
- Algeria dismantled a phishing-as-a-service operation, with one arrest and a server, computer, phone, and hard drives seized
- Morocco seized devices containing banking data and phishing tools, with three individuals in judicial proceedings
- Qatar identified compromised devices whose owners were themselves cyberattack victims unknowingly spreading malware
- Oman disabled a private-residence server holding sensitive information that had been infected with malware

Private-sector partners included Group-IB, Kaspersky, Shadowserver Foundation, Team Cymru, and TrendAI.

https://www.interpol.int/News-and-Events/News/2026/201-arrests-in-first-of-its-kind-cybercrime-operation-in-MENA-region
‼️🚨 Bambu Lab printers are catching fire and melting because of a hardware fault in an NTC thermistor.

Many users on Reddit have reported the issue, and Gamers Nexus has now offered to buy an affected unit for analysis.

1. It's specifically the Bambu Lab A1 model.

2. The NTC thermistor in question sits on the AC power board, where it limits inrush current. It is not the hotend or nozzle thermistor.
‼️🚨 The Mini Shai-Hulud npm worm has struck again. Hundreds of @antv packages (Alibaba's AntV data visualization suite) were compromised, along with echarts-for-react, timeago.js, size-sensor, and canvas-nest.js.

It all started today with the compromise of the npm account atool (i@hust.cc). In a 22-minute window between 01:39 and 02:06 UTC, the attacker published 631 malicious versions across 314 packages, all carrying the same payload.

Top affected packages by monthly downloads:
- size-sensor@1.1.4 - 4.2M dl/mo
- echarts-for-react@3.1.7 - 3.8M dl/mo
- @antv/scale@0.6.2 - 2.2M dl/mo
- timeago.js@4.1.2 - 1.15M dl/mo
- @antv/path-util@3.1.1 - 1.1M dl/mo
- @antv/g@6.4.1 - 1.0M dl/mo
- @antv/g-svg@2.2.1 - 975K dl/mo
- @antv/g-lite@2.8.0 - 883K dl/mo
- @antv/vendor@1.1.11 - 751K dl/mo

What the payload does (a 498 KB obfuscated Bun script that runs from a preinstall hook):
- Harvests 20+ secret types: GitHub PATs, npm tokens, AWS keys, GCP service accounts, Azure creds, DB connection strings, Stripe keys, Slack tokens, SSH keys, Docker auth, Kubernetes configs, Vault tokens
- Attempts a Docker container escape if the host's Docker socket is reachable, spinning up a privileged container with host filesystem bind mounts
- Pulls a secondary payload via the optional dependency @antv/setup from the antvis/G2 repository at commit 1916faa, which was pushed 19 minutes before the npm publishes started
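Two things a dependency audit should check after an incident like this: whether any of the published bad versions is pinned in a lockfile, and which installed packages run install scripts at all, since a preinstall hook is the payload's execution point. The script below is an added example written for this post, not tooling from safedep, Socket or Aikido. It reads a package-lock.json in lockfileVersion 2 or 3 format, where each entry under "packages" is keyed by its node_modules path and carries a "hasInstallScript" flag when the package declares preinstall/install/postinstall scripts. The compromised versions are the ones listed above with the @antv scope restored; the lockfile content is constructed for illustration.

```python
"""Audit an npm package-lock.json against known-compromised versions and
list every dependency that carries an install script.
Added example; the sample lockfile below is constructed, not a real project."""
import json

# name -> compromised version(s), taken from the post (scoped names restored)
COMPROMISED = {
    "size-sensor": {"1.1.4"},
    "echarts-for-react": {"3.1.7"},
    "@antv/scale": {"0.6.2"},
    "timeago.js": {"4.1.2"},
    "@antv/path-util": {"3.1.1"},
    "@antv/g": {"6.4.1"},
    "@antv/g-svg": {"2.2.1"},
    "@antv/g-lite": {"2.8.0"},
    "@antv/vendor": {"1.1.11"},
}

# Constructed lockfileVersion 3 content: one clean version of an affected
# package, two compromised versions (one nested), and an unrelated package
# that legitimately runs an install script.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"echarts-for-react": "^3.0.0"}},
        "node_modules/echarts-for-react": {"version": "3.0.2"},
        "node_modules/size-sensor": {"version": "1.1.4", "hasInstallScript": True},
        "node_modules/esbuild": {"version": "0.21.0", "hasInstallScript": True},
        "node_modules/some-chart/node_modules/@antv/g": {"version": "6.4.1"},
    },
})


def package_name(lock_path):
    """Map a lockfile key to the package name it installs, keeping npm scopes:
    'node_modules/a/node_modules/@scope/b' -> '@scope/b'."""
    return lock_path.rsplit("node_modules/", 1)[-1]


def audit_lockfile(lock_text, compromised=COMPROMISED):
    """Return the compromised name@version pins and every package with an
    install script found in a lockfileVersion 2/3 package-lock.json."""
    lock = json.loads(lock_text)
    if lock.get("lockfileVersion", 1) < 2:
        raise ValueError("lockfileVersion 1 has no 'packages' map; regenerate with npm >= 7")
    hits, install_scripts = [], []
    for path, entry in lock.get("packages", {}).items():
        if not path:  # the empty key is the root project itself
            continue
        name, version = package_name(path), entry.get("version")
        if version in compromised.get(name, set()):
            hits.append(f"{name}@{version}")
        if entry.get("hasInstallScript"):
            install_scripts.append(f"{name}@{version}")
    return {"compromised": sorted(hits), "install_scripts": sorted(install_scripts)}


if __name__ == "__main__":
    result = audit_lockfile(SAMPLE_LOCK)
    for pin in result["compromised"]:
        print(f"COMPROMISED PIN: {pin}")
    for pin in result["install_scripts"]:
        print(f"runs install script: {pin}")
```

Run it against a real project by passing open("package-lock.json").read() instead of SAMPLE_LOCK. Any match in "compromised" means the package must be removed and every credential that was present on the machine or CI runner at install time rotated, since the payload harvests secrets before anything else. The "install_scripts" list is not a list of malicious packages; it is the set of packages that could have executed code during install, which is what to review, and it is also the set neutralised by installing with npm ci --ignore-scripts in CI.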

Read more:

https://safedep.io/mini-shai-hulud-strikes-again-314-npm-packages-compromised/

https://socket.dev/blog/antv-packages-compromised

https://aikido.dev/blog/mini-shai-hulud-antv-npm-supply-chain-attack
Germany has lost it.

Back in November 2024, a teen in Germany posted "olaf scholz du bastard was soll diese scheiße" ("olaf scholz you bastard what the hell is this shit") while staring at a Fortnite update sitting at 3%, downloading a 37.9 GB patch at roughly 173 KB/s. At that rate the install would have taken over 60 hours.

The post pulled exactly 503 views.

Three months later, on February 11, 2025, German police sent him a Schriftliche Äußerung als Beschuldigter, the formal "written statement as the accused" notice. The charge: §188 StGB, insulting a person of political life.

A year on, he posted the police letter with the caption "Happy anniversary to the funniest thing that ever happened to me." Per his own follow-ups, the matter ended without major consequences, though no formal outcome of the proceedings has been made public. The original tweet appears to have been deleted.
‼️🇩🇪 This is what German police actually do with their time now: going door to door, seizing tablets and phones from pensioners over memes and tweets. The case of the Fortnite teen accused of cursing out Olaf Scholz is not an isolated one.
Prosecutors can now open cases on their own under "special public interest." The politician doesn't need to file anything. The result is a steady drip of cases that look insane from the outside and barely register inside the system.
Germany has a law problem.
The §188 StGB statute, "insulting a person of political life," got beefed up by the Bundestag in 2021.
This has led to the following absurd cases:
- Pimmelgate (2021): Hamburg interior senator Andy Grote got called a "Pimmel" (dick) on Twitter after he was caught violating his own COVID restrictions. Police raided the user's apartment at 6 a.m. with six officers. The Hamburg regional court later ruled the raid disproportionate. The term "Pimmelgate" became national shorthand for state overreach.
- The Schwachkopf-Affäre (2024): Stefan Niehoff, a 64-year-old pensioner, reposted an edited meme putting Robert Habeck on a fake "Schwachkopf Professional" shampoo bottle (roughly: "Professional Moron"). The post was reported via a state-linked "trusted flagger" pipeline; police raided his home at dawn in November 2024 and seized his tablet while his wife and his daughter with Down syndrome were home. Habeck filed the complaint. The main insult charge was later dropped, but Niehoff was fined €825 on related counts. He died in early 2026. The case became the single most-cited symbol of the law's reach.
- The Merz "Pinocchio" probe (per Brussels Signal): a pensioner reportedly commented "Pinocchio is coming to HN" with a long-nose emoji on a police post about Chancellor Friedrich Merz visiting Heilbronn. Police flagged it during routine monitoring and opened a full §188 file, sending him a formal letter. Legal commentators have called the comment protected satirical speech.
- The David Bendels case: the right-wing journalist shared a photomontage mocking then-Interior Minister Nancy Faeser. He was initially given a 7-month suspended prison sentence. On appeal in 2026, he was acquitted. The court ruled the satire was protected political expression.
The pattern is the same every time. A low-engagement post or meme triggers a complaint. Prosecutors open a §188 file. Police execute a dawn raid or send a formal letter. Months or years later, a judge throws it out or dramatically narrows it.
By that point the damage is already done. Devices are seized. Names are on file. Pensioners are dragged through a criminal process for posting a shampoo joke.
This is what "wehrhafte Demokratie," aka militant democracy, looks like in 2026.