The Signal, Issue #002

Three things this week. Europol ran its second multinational OSINT sprint in 14 months, this time against the deportation of Ukrainian children, and the format itself is the story. The European Commission's DSA rapid-response mechanism has now been used through two national elections without a published methodology for evaluating it, and the field should be pushing back on that. Hungary and Bulgaria voted within a week of each other and the results read as a mixed verdict for the FIMI frame, which is a problem for the analytic frame rather than for the verdict.

The issue also resolves the SkyOSINT test promised in #001. Full test, methodology, and assessment live in the From Signal & Shadow section below, which runs longer than the sections above it this week. That is deliberate.

Europol hosted 40 investigators from 18 countries at The Hague on 16 and 17 April for a two-day coordinated OSINT effort to identify and trace children forcibly transferred from Ukraine to Russia, Belarus, and the temporarily occupied territories. The team produced 45 reports, each containing leads that could help locate a specific child or identify individuals and structures involved in the transfer. The material covered possible transport routes, enablers such as orphanage directors, military units that may have assisted, facilities where children were taken (re-education camps, psychiatric hospitals, in some cases adoptive Russian families), and online platforms hosting photographs of the children. The output was handed to Ukrainian authorities to support prosecutions that will run through both Ukrainian courts and the ICC.

The 45 reports are the headline. The operational format is the story. This is the second time Europol has run a time-boxed multinational OSINT sprint with ICC and NGO participation. The first was in February 2025, targeting networks using online platforms to traffic Ukrainian nationals for sexual exploitation; that sprint involved 12 countries. The April 2026 sprint involved 18. The format is being normalised as an institutional operational mode: assemble the capacity in one location for a short, structured window, produce discrete leads attached to named individuals and locations, hand them to a prosecutorial pipeline. This is not how institutional OSINT has typically been done in Europe before 2024. It is closer to the way NGO investigations like Bellingcat, OSINT For Ukraine, and the Centre for Information Resilience have worked for a decade, now operating inside Europol's institutional structure and with ICC coordination.

What to watch for is whether the format holds. Two sprints in 14 months is a pattern, not yet a programme. Europol has not published whether the April output materially advanced specific Ukrainian prosecutions or ICC cases, and the February 2025 output was similarly opaque in follow-through. If a third sprint runs before autumn, the format is real. If the next 12 months produce a documented prosecution that rests on sprint-generated leads, the format is vindicated. Until either happens, treat the format as promising and under-evaluated.

The European Commission announced the activation of the Digital Services Act's rapid-response mechanism for the Hungarian parliamentary election on 16 March 2026, with the 44 signatories having agreed the activation the previous Friday. Commission spokesperson Thomas Regnier confirmed the activation at the midday press briefing, describing the mechanism as "a voluntary system" under which major platforms including TikTok and Meta would coordinate with fact-checkers and civil society organisations to flag potential interference and disinformation campaigns. The mechanism remained active until one week after the 12 April vote, taking it through to 19 April, the same day Bulgarians voted in their own parliamentary election. Orbán lost. The mechanism had been activated once before, for the 2024 Romanian presidential election, where TikTok's handling was subsequently cited in the Commission's case against the platform.

Both sides will claim vindication from the Hungarian result. Neither claim is supportable on the record.

The pro-mechanism read is that the rapid-response system helped deliver a clean election outcome. This cannot be sustained without evidence that specific flagged content would otherwise have shifted the result, that the flagging was proportionate and procedurally sound, and that the effect can be distinguished from the underlying political conditions (record turnout, sustained corruption grievance, a credible opposition candidate who built his own counter-narrative infrastructure). No such evidence has been published. The Commission's own notice on the first reporting round under the Code of Conduct on Disinformation explicitly does not assess whether the actions taken by signatories were sufficient, which is the data point that would matter most for an evaluation.

The critical read is that Brussels interfered in a domestic election. This is weaker than it sounds on first hearing because the mechanism is voluntary by design, with no binding takedown authority, but the structural concern survives the voluntariness. The mechanism still gives the Commission a coordinating role across 44 signatories during an active election period, and coordinating roles shape information environments even without formal takedown powers. Making the critique evidentiary rather than structural would require a methodology for identifying which flagged content was domain-legitimate (established disinformation by recognised actors, amplified through inauthentic networks) and which was politically coloured (legitimate opposition speech or legitimate incumbent speech flagged on contested grounds).

No such methodology has been published by anyone, including the publication's critics.The Signal call is narrow and concrete. The mechanism's legitimacy does not depend on whether Orbán lost or whether Brussels was right about the risk environment. It depends on whether the mechanism can be evaluated, by anyone, on published criteria. Civil society groups have begun building evidentiary infrastructure in this space (AI Forensics' contribution to the X case is the leading example). That work should now be pointed at the rapid-response mechanism specifically, with a written framework for what evaluation would require and a case record across the two completed activations. The next activation is a question of when, not if. The field should have a case record in place before it happens.

Two elections in eight days. Hungary on 12 April, Orbán loses his 16-year incumbency to an opposition campaign that ran on corruption and institutional capture. Bulgaria on 19 April, Rumen Radev wins a landslide on a campaign that ran on corruption and institutional instability. The dominant analytic frame in the European information-environment ecosystem reads these as opposite results: Hungary as a setback for the pro-Kremlin axis, Bulgaria as a gain. EUvsDisinfo's 17 April Disinformation Review framed both elections as Kremlin-targeted information environments, and its reading of Bulgaria's result will slot naturally into that frame in the coming weeks.

The frame is doing less of the explanatory work than it needs to.

What Hungarian and Bulgarian voters rejected was not primarily an axis alignment. It was an incumbent. Orbán ran a 16-year incumbency that had fused state institutions, patronage networks, and media capture into a system voters had become exhausted by; Magyar ran against that system. Bulgaria's governing arrangements produced eight elections in five years, a collapse of trust in the GERB-led political class, and a succession of caretaker governments unable to stabilise policy; Radev ran against that class. Foreign-policy alignment in both cases followed the domestic grievance rather than leading it. The axis frame reads each result as the Kremlin or the EU gaining or losing ground. The domestic-governance frame reads each result as voters rejecting an exhausted system for the candidate best positioned to promise rupture.

Both frames are partially true. The difficulty is that the field imports analytic categories from think-tank and EEAS sources (FIMI, foreign interference, pro-Kremlin narrative ecosystems) that privilege one frame and discount the other. When the imported frame explains only the minority of variance in the outcome, OSINT and journalism work built on it produces confident-sounding analyses that understate their own uncertainty. The Romanian annulment in 2024 was already a warning of this. The two 2026 results should close the argument.

The work the field needs is not a repudiation of the FIMI frame, which describes real operational activity and names real actors. The work the field needs is a published methodology for separating externally amplified narratives from domestic grievance drivers in the same information environment, given both are present, both are real, and the relative weight varies by case. That separation is an OSINT problem with methodological answers: baseline domestic discourse before campaign period, network analysis distinguishing organic from coordinated amplification, provenance tracing on specific narratives to establish whether they originated domestically and were amplified abroad or originated abroad and were amplified domestically. The infrastructure for this work exists. What does not exist is the published framework for combining it.

EUvsDisinfo publishes its 17 April review framing both elections as Kremlin-targeted
Worth reading as the source the Shadow argues against. The FIMI frame is doing real work in the ecosystem; the question is where it stops explaining.

Russia's digital iron curtain tightens through April
Roskomnadzor adds Bluesky to its banned registry on 14 April, the Telegram block took effect on 1 April, and a 15 April deadline for 20-plus major platforms to enforce VPN detection has now passed. Practitioner question: which Russian discourse platforms are still monitorable from outside, and through what collection routes.

Sweden publicly attributes a mid-2025 thermal power plant cyberattack to Russia-linked actors on 15 April
Sweden's first public mention of the incident joins a pattern of European attributions (Poland in December, Norway on a dam valve, Latvia on rail, Denmark on water) tracked by AP across 150-plus incidents since February 2022. The same evidentiary question the Signal raises about the rapid-response mechanism applies here: attribution confidence without published methodology is a structural problem the field should be pushing back on in both directions.

i-intelligence's Aleksandra Bielska publishes a list of privacy-preserving frontends for major platforms
A useful consolidated reference for quick checks without an account, though the practitioner question is which of these mirrors actually preserve the privacy properties they claim, and which are fragile to platform countermeasures. Worth saving; worth stress-testing before integrating into an investigation workflow.

Following last week's note on the platform, I ran two recently documented orbital events through SkyOSINT on 21 April. The question from #001 still stands: corroboration layer, or lead-generation layer. The test was designed to answer that question against events already in the specialist record, using queries any newsroom user would attempt.

Case one. The classified Soyuz-2-1b launch from Plesetsk on 16 April UTC, catalogued as international designator 2026-083. US Space Force tracking had grown to 10 catalogued objects by 18 April across two distinct orbital planes, with a rare Volga upper stage enabling the multi-plane insertion. Jonathan McDowell's General Catalog covers the mission and flags the NORAD ID gaps where additional objects had been detected but not yet formally listed. The launch is exactly the kind of event the platform's marketing implies it should surface: fresh, classified, with a specialist reporting trail already building out.

Case two. Shijian-25, the Chinese GEO spacecraft flagged in the CSIS GEO study covered by Breaking Defense on 7 April. SJ-25 executed a rendezvous and refuelling manoeuvre with SJ-21 in June 2025, tracked by independent sky watchers and by Slingshot Aerospace and COMSPOC at the time. No orbital parameters for SJ-25 have been published by either the US or Chinese governments. The object sits in the specialist record and outside the formal public catalogue, which is a stress test for a platform whose data lineage runs through Space-Track and CelesTrak.

The platform returned zero matches on the newly catalogued NORAD IDs from the Plesetsk launch through both the AI Search and the direct lookup, four days after launch. Zero matches on "SJ-25" and "Shijian-25." For reference, NORAD 25544 (the International Space Station) resolved correctly, which confirms the parser works against mature catalogue objects. The platform's own header strip read 17,112 tracked, 17,112 TLE records, and zero manoeuvres detected in the last 30 days. One TLE per object leaves nothing to compare against, which is why the detector is idle.

The #001 framing holds with one refinement. The platform is a verification tool, not a discovery tool, but the verification it supports is bounded to objects and patterns already in the mature Space-Track catalogue. For fresh events, the platform is neither lead-generation nor corroboration; it is silent. This is not a failure against its own methodology block, which scopes the tool to OSINT use over public TLE data. It is a mismatch between what the launch-week framing implied and what the data architecture can deliver. That mismatch is the story.

The work continues.

Derek