VOL. I · NO. 1 · FRIDAY, MARCH 21, 2026 · SPECIAL INVESTIGATION · #STRAVALEAKS

The OPSEC Dispatch

"You can run, but you can't hide" — Special Edition — Open-Source Intelligence

LE MONDE CONFIRMS REAL-TIME TRACKING OF AIRCRAFT CARRIER CHARLES DE GAULLE VIA STRAVA FITNESS DATA
FRENCH NAVY OFFICER RECORDED 7KM RUN ON FLIGHT DECK, GARMIN FORERUNNER 955, PUBLIC PROFILE DEFAULT
ESA SATELLITE IMAGERY CORROBORATES GPS COORDINATES WITHIN 6KM, MATCHING CARRIER TRANSIT SPEED OF 27 KNOTS
STRAVA GLOBAL HEATMAP CONTAINS 13+ TRILLION GPS DATA POINTS FROM 1+ BILLION ACTIVITIES WORLDWIDE
450+ MILITARY-AFFILIATED STRAVA USERS IDENTIFIED NEAR ILE LONGUE NUCLEAR SUBMARINE BASE SINCE 2014

INVESTIGATION
BREAKING

A 7-KILOMETER RUN ON A FLIGHT DECK EXPOSED FRANCE'S SOLE AIRCRAFT CARRIER TO THE WORLD

Le Monde Journalists Cross-Referenced Public Strava Data with ESA Satellite Imagery to Track the Charles de Gaulle Strike Group in Real Time — Northwest of Cyprus, 100 Kilometers from the Turkish Coast

Exposure Timeline
JAN 2018: Nathan Ruser spots U.S. bases on Strava heatmap in Syrian desert
AUG 2018: Pentagon bans fitness trackers in designated operational areas
2022: Fake Strava segments planted inside 6 secret Israeli bases
2023: Russian sub commander assassinated after route tracked via Strava
OCT 2024: Le Monde traces bodyguards of Macron, Biden, Putin via Strava profiles
JAN 2025: Nuclear submarine patrol schedules deduced from fitness data gaps at Ile Longue
MAR 2026: Aircraft carrier Charles de Gaulle located in real time

On March 13, 2026, at 10:35 AM, a French Navy officer identified by Le Monde as "Arthur" strapped on his Garmin Forerunner 955 and went for a run. He completed seven kilometers in thirty-six minutes — a pace of roughly 4:58 per kilometer — running tight, repetitive loops with no surrounding roads or landmarks visible on the GPS trace. The pattern was unmistakable: someone running laps on the flight deck of a warship at sea. His Strava profile was set to public — the platform's default — and the GPS coordinates embedded in his activity were visible to anyone with an internet connection.

"There's a big difference between using nation-state resources like spy satellites, and using a public API exposed by a fitness app. Not everyone can use spy satellites. But anyone can use Strava." — HN commenter, March 21, 2026

Le Monde's investigative team, led by open-source intelligence reporters Sebastien Bourdon and Antoine Schirer, cross-referenced the GPS coordinates from the activity against European Space Agency satellite imagery taken approximately one hour later. The satellite image showed the distinctive outline of the 261.5-meter carrier roughly six kilometers from where the run was geolocated — consistent with the ship's movement during that interval at her cruising speed of 27 knots.

The carrier was positioned northwest of Cyprus, approximately 100 kilometers from the Turkish coast. But the exposure didn't stop at a single data point. By examining earlier activities on the same sailor's account — runs logged off France's Cotentin Peninsula and in Copenhagen — the journalists reconstructed the entire transit path of the Charles de Gaulle strike group from the Baltic Sea to the Eastern Mediterranean.

The strike group exposed includes not just France's sole carrier but its full escort: two air defense frigates, one FREMM multi-mission frigate, the replenishment ship Jacques Chevallier, and allied contributions from Italy, Spain, and the Netherlands. The carrier's air wing — 20 Rafale Marine fighters, 2 Hawkeye E-2C early warning aircraft, and 3 helicopters — was operationally compromised by a single public fitness profile.

A critical technical subtlety makes this vulnerability insidious: GPS watches do not require cellular service. They need only line-of-sight to GPS satellites, which is always available at sea. The recording happens silently on the wrist. The upload to Strava occurs later, whenever the watch syncs to a phone with connectivity — likely via the ship's satellite internet, provided for crew welfare. The data pipeline is: satellite → watch → phone → Strava → the world. No firewall on the ship's network can intercept a GPS trace that was recorded passively and uploaded as a standard HTTPS request.

The French Armed Forces General Staff described the incident as a "breach of operational security rules" and stated that personnel are "repeatedly reminded of digital hygiene, especially before deployment." But the same base where nuclear submarines are housed — Ile Longue — was first flagged for Strava exposure in 2018 by Le Telegramme, and again in January 2025. Eight years of "reminders" have not solved the problem.

ATTACK VECTOR
WEAPONIZED

Segment Explorer: How Strava's Leaderboards Unmask Personnel Inside Classified Facilities

Strava's Segment Explorer may be the platform's most dangerous feature for military OPSEC. Users can create "segments" — specific route sections that generate competitive leaderboards. Anyone who has ever run or cycled through a segment appears on its leaderboard with their profile picture, first name, initial, and timestamp — even if their profile is set to "approved followers only."

In 2022, Israeli NGO FakeReporter discovered a user claiming to be from Boston who had planted segments inside six top-secret Israeli bases — including facilities near the Dimona nuclear reactor and Mossad headquarters — exposing 100+ individuals without ever physically visiting. In 2024, a suspicious account ("Kevin D") completed 60 runs across 30 Israeli bases in four days. No verification exists to prevent uploading fabricated GPS data.

TECHNICAL DEEP DIVE
ANALYSIS

The GPS-Upload Gap: Why Ship Firewalls Cannot Stop What a Watch Records Silently

The vulnerability is architecturally unfirewallable. A GPS receiver needs only line-of-sight to satellites orbiting at 20,200 km — always available at sea, requiring no radiated signal from the watch. The device records position passively, storing a GPX track in local memory. The upload to Strava happens later, over standard HTTPS, when the watch syncs to a phone.

A ship's IT team can block strava.com, but the sync can occur at the next port call, via personal cellular data, or even weeks later. The recording and transmission are fully decoupled. Privacy zones — Strava's recommended mitigation — hide a fixed radius around a set address. A ship that moves renders this control meaningless. The USS Manchester case showed the parallel problem: chiefs secretly installed a Starlink antenna (Wi-Fi name: "STINKY") for personal internet, bypassing all network controls.
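An added illustration, not part of the original article and not Strava's code: it applies a fixed-radius hiding rule of the kind described above to two constructed 36-minute GPX tracks, one stationary and one on a platform moving at 27 knots, and counts how many fixes stay visible. The mid-ocean coordinates, the 1,600 m radius, and the function names are assumptions made for the example.

```python
import math
import xml.etree.ElementTree as ET

GPX_NS = {"g": "http://www.topografix.com/GPX/1/1"}
EARTH_R = 6371000.0   # mean Earth radius, metres
KNOT_MS = 0.514444    # one knot in metres per second

def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in metres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp, dl = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * EARTH_R * math.asin(math.sqrt(a))

def build_gpx(lat, lon, speed_knots, minutes):
    """Constructed sample track: one fix per minute, platform heading due east."""
    pts = []
    for m in range(minutes + 1):
        east_m = speed_knots * KNOT_MS * 60 * m
        dlon = math.degrees(east_m / (EARTH_R * math.cos(math.radians(lat))))
        pts.append(f'<trkpt lat="{lat:.6f}" lon="{lon + dlon:.6f}"/>')
    return ('<gpx xmlns="http://www.topografix.com/GPX/1/1" version="1.1">'
            "<trk><trkseg>" + "".join(pts) + "</trkseg></trk></gpx>")

def exposed_points(gpx_text, zone_lat, zone_lon, radius_m):
    """Count fixes a fixed-radius zone does NOT hide; returns (exposed, total)."""
    pts = ET.fromstring(gpx_text).findall(".//g:trkpt", GPX_NS)
    exposed = sum(
        1 for p in pts
        if haversine_m(float(p.get("lat")), float(p.get("lon")),
                       zone_lat, zone_lon) > radius_m
    )
    return exposed, len(pts)

if __name__ == "__main__":
    # Constructed mid-ocean coordinates; the zone radius is an assumed value.
    zone = (45.0, -30.0, 1600)
    for label, knots in (("stationary", 0), ("27 knots", 27)):
        gpx = build_gpx(45.0, -30.0, knots, 36)
        print(label, exposed_points(gpx, *zone))
```

On the constructed moving track the platform leaves the zone within two minutes, so the rule hides only the first two fixes of the activity.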

PARALLEL VECTORS
ADVISORY

From Tinder to Strava: The Full Spectrum of Consumer Apps Weaponized Against Military Targets

Fitness apps are not the only consumer software leaking military positions. A U.S. Army brigade training exercise roughly fifteen years ago demonstrated that an opposing force could triangulate a brigade headquarters using Tinder. The dating app provided one-mile-granularity distance to nearby users; by driving to multiple positions and recording distances, the OPFOR built enough data points to localize the HQ — then called in simulated artillery.

Ex-CIA officer Sarah Adams has publicly identified fitness apps and dating apps as the two greatest OPSEC threats for personnel abroad. The problem extends to any application that transmits or stores geolocation — food delivery apps, photo metadata, smart home devices. The attack surface is not one app; it is the entire consumer technology stack carried by every service member who owns a smartphone.

LETTERS & ANALYSIS

THE OPSEC DESK — FIELD QUESTIONS

FROM A NAVAL OFFICER — 08:15 UTC:

"Aircraft carriers are not stealth platforms. Adversaries with spy satellites already know where they are. Why does this Strava exposure matter?"

FROM THE OPSEC DESK — 08:16 UTC:

The ship's approximate position may be known to nation-states with satellite reconnaissance. But the Strava exposure is categorically different for three reasons. First, it democratizes the intelligence: any actor with a web browser — not just the five nations with real-time satellite capability — can now track the carrier. Second, satellites are affected by cloud cover, orbital windows, and revisit times; Strava data is on-demand and historically complete. Third, and most critically, Strava exposes individual identities. Names, faces, fitness patterns, home addresses via privacy zones, and social connections. A nation-state that knows where the carrier is cannot easily identify and target specific crew members. Strava makes that trivial. The risk is not the ship's position — it's the humans aboard.

FROM A CYBERSECURITY RESEARCHER — 09:30 UTC:

"Couldn't the military simply use GPS spoofing or edit the GPX files before upload to plant false positions? If all warfare is deception, why not weaponize Strava in reverse?"

FROM THE OPSEC DESK — 09:31 UTC:

Technically, yes. GPX and TCX files are XML-based and trivially editable. A coordinated deception campaign — uploading doctored activities showing the carrier in false positions — is feasible. But it would require institutional coordination across hundreds of service members' personal devices, sustained over months, without anyone accidentally uploading a real trace. The simpler military solution is a blanket ban on GPS-enabled personal devices during deployment. The Pentagon issued exactly this order in August 2018. France has not. The gap between knowing the fix and enforcing it is the entire story.

FROM A SOFTWARE ENGINEER — 10:45 UTC:

"Why hasn't Strava changed the default profile visibility to private? Or implemented military geofencing? This seems like a straightforward product decision."

FROM THE OPSEC DESK — 10:46 UTC:

Strava's business model depends on social engagement — public profiles, competitive leaderboards, and the global heatmap are core features that drive retention and premium subscriptions. Defaulting to private would reduce discoverability and social interaction. Geofencing military bases is technically complex (bases are not always publicly listed, and mobile assets like ships move), creates legal liability (acknowledging which locations are sensitive), and would require ongoing coordination with dozens of governments. Strava updated its terms of service in January 2026 to remind users in "sensitive roles" to configure privacy settings, but this places the burden entirely on individual service members — the weakest link in any security chain. The incentive structure does not reward Strava for solving this problem.