Skip to main content

What Really Happened in Chernobyl During the Beginning of the Russian Invasion?

This blog post contains the web version of my research paper: "Seeing Through the Invisible: Radiation Spikes Detected in Chernobyl During the Russian Invasion Show Possible Evidence of Fabrication", which was unveiled at BlackHat USA 2023. It is intended to ease the indexing and dissemination of the information collected during this research. 

In a few days, I'll be in Brussels presenting this research. 

The original paper (PDF) can be downloaded here.

Additional references:


    Data Collection
    Central Processing Station
    The imbalance of the equilibrium
    Unphysical timings
    The perfect storm of 2020
    A simple mathematical model to understand the unphysical radiation spikes
    The ‘return to baseline levels’ mystery.
    The Six Stations
    The ‘Twin Stations’: Chapaevka and Kvartal
    ‘ChNPP’ Radiation Monitoring Network
    The ‘spike-and-offline’ approach to manipulate real-time radiation monitoring information
    Accuracy verification
    Legitimate radiation spikes     
    Unphysical radiation spikes.
    Electromagnetic Interference (EMI)
        1. EM attack against Central Processing Station
        2. EM attack against SkyLINK
        3. RF-induced voltage
        4. Unexpected ionization events
    SkyLINK spoofing


On the morning of the 25th of February 2022 Europe woke to discover that Chernobyl, an iconic symbol in our social imaginary representing everything that may go wrong with radioactivity, had been taken by the Russian occupation forces, as part of a full-scale invasion of Ukraine. If the situation was not bad enough already, it was officially reported that the levels of radiation in the area had been spiking since the previous night. These statements did not initially provide a clear explanation but shortly after, the intense traffic of heavy military vehicles, stirring up radioactive dust, was pointed to as the root cause of the spikes.

Once again, 36 years later, almost everybody was anxiously keeping an eye on Chernobyl. I am consciously using ‘almost everybody’ because, as I was about to find out, for some nuclear scientists the gamma radiation spikes detected by the Chernobyl Exclusion Zone’s Automatic Radiation Monitoring Network did not make sense at all.

Months later, I received an intriguing message from one of those scientists, that I’ll refer to as J.J., who has extensive fieldwork experience in Chernobyl.

This paper comprehensively describes the research that has been performed since that day, uncovering significant anomalies, previously unknown details, and data. Among other things, I have reconstructed the events through OSINT, talked to nuclear experts and visited radiological laboratories to analyze equipment and software. 

Based on these efforts, and my previous experience in the area, I am providing a technically grounded analysis for the detected radiation spikes, which points towards a ‘cyber’ origin rather than a physical one.


On February 24, 2022 Russia invaded Ukraine. On the border with Belarus, Russian troops attacked and occupied the Chernobyl Exclusion Zone (CEZ) and Chernobyl Nuclear Powerplant (ChNPP) sites.

The same day at 20:30, the Ukrainian nuclear regulator, SNRIU, acknowledged the loss of control over the nuclear and radiation facilities inside the Chernobyl Exclusion Zone. 10 minutes later, at 20:40, a series of radiation spikes began to be detected by the Automatic Radiation Monitoring System (ASKRS) of the Chernobyl Exclusion Zone. This situation lasted for the next 48 hours.

Official sources pointed to the intense traffic of heavy military vehicles, stirring up radioactive dust, as the root cause of these spikes.

The ASKRS network is comprised of, at least, 66 GammaTRACER radiation monitoring devices, of which 39 have a ‘regulatory’ status. These autonomous, battery-powered sensors periodically measure, log, and report the ambient equivalent dose rate, an operational quantity for area monitoring, using a proprietary radiofrequency protocol (SkyLINK). 

The Central Processing Station (DataEXPERT software) at the Chernobyl radioanalytical laboratory receives this timestamped radiation data and analyzes it. Under normal conditions, this processed radiation data is then relayed to the Ukrainian nuclear regulator (SNRIU) and the International Atomic Energy Agency (IAEA) via the IRMIS system. This data is additionally sent to the public-facing Ecocentre website, which displays a real-time map showing current radiation levels across the powerplant site and exclusion zone. 

However, evidence confirms that the radiation levels depicted by this map, which during that period was consulted by millions of people, also being consumed as a single source of information by media outlets and official entities, did not correspond to the actual physical conditions of the Chernobyl Exclusion Zone at that time. 

From a nuclear physics perspective, it is impossible to explain these radiation spikes as a response of the GammaTRACER radiation monitoring devices to a traffic-induced resuspension of contaminated dust in the Chernobyl Exclusion Zone. As opposed to being detected due to a naturally occurring ionizing radiation processes, the radiation spikes show possible evidence of fabrication. 

A total of 42 radiation monitoring stations reported 63 radiation spikes at 13 different determined timestamps, following what appears to be a specific set of software-generated patterns.

The sole purpose of this research is to provide sufficient technical evidence to allow it to be used as part of a rigorous assessment of the radiation spikes, detected in the CEZ, during the first forty-eight hours of the Russian invasion. 

The evidence herein presented has been collected by different means, including OSINT, hardware and software reverse engineering, and data analysis of the radiation levels scraped from the Ecocentre website by during the 24th and 25th of February 2022.


Receiving that message was certainly surprising because, until that moment, I had had no idea that the radiation levels reported in the Chernobyl Exclusion Zone (CEZ from now on) during the beginning of the invasion, had been a subject of controversy for some nuclear scientists.

So, right after being tipped off, I scrutinized different media outlets looking for any content related to this issue. What I found left me even more surprised, wondering how this potential incident could have gone under the radar for so long.

On February 25 Reuters published the article, ‘Ukraine Reports Higher Chernobyl Radiation after Russians Capture Plant’, where Bruno Chareyron from CRIIRAD  was quoted.

Figure 1 Bruno Chareyron quoted on Reuters

I reached out to him to see if I could get any additional insights.

I personally cannot believe that «soil resuspension» could explain some of the very high results collected on Feb 24th-25th’, he stated via email, also pointing out a couple of additional interviews in the French media where he had been quoted, which led me to this story published by ‘20 Minutes France’ on March 2.

Figure 2 IRSN quoted on 20 Minutes

Karine Herviou, Deputy Director General of France’s IRSN, stated that they could not find any coherent explanation for the reported radiation spikes. For me this set off an alarm since these kinds of statements are extremely rare in the dosimetry field; I have not been able to find public records of any radiological event that has not been properly explained and documented. As the reader will notice, but I would like to anticipate, in the context of this research the IRSN statements have a considerable weight due to the following reasons:

1. France is right behind the US in terms of nuclear power generation, so the 2nd largest in the world.
2. France, at a nationwide level, uses the same radiation monitoring equipment that was deployed in Chernobyl.

It was time to see what else I could find at the IRSN website.

Figure 3 IRSN statement

So, we have a ‘technical malfunction’ that somehow ends up generating a series of significant radiation spikes in multiple radiation monitoring devices, at the same time, during an ongoing invasion. Being optimistic, I would say that this scenario is a bit unusual for devices that are designed to operate under emergency conditions. 

Although these incidents are diametrically opposed, it is worth introducing that just few hours before that situation unfolded in Chernobyl, tens of thousands of ViaSat satellite terminals across Ukraine and the rest of Europe suffered a ‘technical malfunction’, which eventually turned out to be a cyberattack. At the time, I was focused on that incident, about which I published a series of technical analyses that would be confirmed a posteriori. 

In the same way that security people noticed something was going on with the ViaSat modems, certain scientists figured out that something about the radiation spikes in the CEZ were not quite right.

In April, Professor Mike Wood from the University of Salford (UK), together with four of his colleagues, published a paper analyzing the data coming from the Radiation Monitoring Network in the CEZ during those days. They developed a model that tried to converge with the recorded gamma radiation levels, reaching a conclusion that gives title to the publication: ‘Chornobyl Radiation Spikes are Not Due to Military Vehicles Disturbing Soil’. In this paper, they introduced the possibility of Electromagnetic interference as a contributing factor in the anomalous readings.

Mike Wood was positive during a meeting that we had to discuss his research that, ‘It has nothing to do with ionizing radiation.’ I would reach the same conclusion some weeks later.

I think this is the right moment to explain why a nuclear engineer got in touch to tip me off about the Chernobyl events. At BlackHat USA in 2017 I presented my paper, ‘Go Nuclear: Breaking Radiation Monitoring Devices’. That research disclosed vulnerabilities, that were acknowledged but not patched, in different radiation monitoring devices. Among the reported issues, I managed to break, from both firmware and radio perspective, a custom RF protocol (WRM2) implemented by Mirion. The protocol in question was used for some of their wireless Radiation Monitoring Devices, including those deployed at Nuclear Power Plants in the US and other countries. One of the attack scenarios I elaborated in the paper, a ‘simulated radiation leak’, was outlined as follows:

Figure 4 Radiation leak attack scenario

As a result, I found myself wondering whether the ‘technical malfunction’ explanation introduced by the IRSN, could in fact have been an attack scenario like the one outlined previously.  

After spending a significant amount of time working on this research in the last year, I think I have collected enough evidence to seriously consider the possibility that these radiation spikes were fabricated. My opinion, however, is irrelevant, because the only important aspect of this research is that all the data herein presented can be independently verified by anyone willing to do so. In fact, that is the objective of this paper.

I think that by comparing the top ten radiation spikes allegedly detected in the CEZ during the Russian invasion, with an actual major radiological accident, the reader may be easily introduced to the magnitude of both the scenario and its nonsense.

So, in 2022, 36 years after the explosion of Reactor IV in Chernobyl, the ‘DGS-2’ radiation monitoring station allegedly detected a spike of 93000 nSv/h (93 μSv/h). On the other hand, just one month after the accident the highest peak within an 80-km radius area around Fukushima Daiichi NPP (excluding the levels within the NPP area) was 91000 nSv/h (91 μSv/h).

Figure 5 Fukushima Daiichi NPP vs CEZ

As this research might attract readers from two different disciplines such as physics and security, I am breaking down the introductory section into two main areas: ‘Physical’ and ‘Cyber’. These sections are intended to provide the proper technical background to understand why the reported radiation spikes, not only do not comply with either the scientific literature or the most basic concepts of nuclear physics, but also have most of the elements to expect them to be part of a ‘cyber’ operation.


When I first read that the resuspension of soil due to the heavy traffic of military vehicles was leading to increased radiation levels in the CEZ, the image that ‘automatically’ came to mind was something like this:

Figure 6 Russian tank stirring up dust.

Let’s also visually introduce the latent concept of ‘Chernobyl’ that we intuitively recover from our memories: a devastated, radioactive hell. 

Scene from 'Chernobyl'
Figure 7 Scene from 'Chernobyl'

Now let’s look at three images to get back to reality.

1. The first one is the Chernobyl NPP at a random date before the invasion, with the usual tourists.

ChNPP area
Figure 8 ChNPP area

2. The frame below comes from a video taken on the first day of the invasion: it shows a convoy of Russian military vehicles crossing through the CEZ’s Checkpoint Leliv, south bound, hours before the first radiation spikes were detected. Please note the weather conditions and the damp, even snowy, paved roads because it will be important later. The only ‘plume’ that can be observed originates from the vehicles’ own exhaust fumes.

Russian convoy at Checkpoint Leliv
Figure 9 Russian convoy at Checkpoint Leliv

3. In April 2020, the CEZ suffered the worst forest fires ever recorded to date, which resuspended a significant amount of 137Cs that even reached Kiev. Below we can also see Checkpoint Leliv, but this time engulfed by an intense smoke plume. This picture introduces one of the main issues elaborated in this research:  the same radiation monitoring network that detected radiation spikes during the invasion did not report any during these wildfires.

Checkpoint Leliv during wildfires, April 2020
Figure 10 Checkpoint Leliv during wildfires, April 2020

Now let’s have a crash course on the science behind resuspension of soil in the CEZ.


The explosion of Reactor IV, and subsequent fires, released approximately 5% of the reactor core radioactive materials into the atmosphere in the form of aerosols, gases and fragmented fuel. As a result, there were over 100 different radionuclides released into the environment around Chernobyl NPP, with different half-life values. This basically means that some of those radioisotopes were short-lived and disappeared just a few weeks after the accident, while others are still present in the area, such as the anthropogenic 137Cs.

These radioactive materials eventually settled onto the ground following different paths and directions due to winds and other climatological conditions present at that time. Scientists performed a massive undertaking in an effort to map this process, not only around Chernobyl, but also in many other European countries (almost every country in the northern hemisphere was impacted to some extent) which were affected by the fallout.

As a result of those efforts, comprehensive deposition maps of the CEZ were generated. These allow scientists to predict the activity of those radionuclides which are the main contributing factors to any potential contamination, how they are distributed over the surface and even how deeply these elements have penetrated the soil. 

Figure 11 Deposition map

Another important aspect is that the decay processes affecting these radioisotopes, as well as their interactions with the environment (i.e., vegetation, fires), have been mathematically modeled, so it is possible to estimate an accurate deposition map for an arbitrary year.

Based on this information, we have just learnt the first important concept to assess the ‘resuspension of soil’ scenario: the resuspension of radioactive materials present in the soil is not a homogenous process across the CEZ. Therefore, an accurate, updated deposition map is a key factor in analyzing the reported spikes.

For instance, the following map comes from the aforementioned Mike Wood et al. paper, where they generated an updated deposition map of the CEZ by adjusting the 137Cs decay to 2022. The dots represent the location of the different radiation monitoring stations, so it is easy to figure out which ones are in areas having a significant activity of 137Cs on the surface, which is the main contributor of gamma radiation emissions in the CEZ.

Deposition map - Mike Wood et al.
Figure 12 Deposition map - Mike Wood et al.


Intuitively, and empirically, we know that by driving on a dry, unpaved road we will stir up more dust than in doing so over a damp, paved surface, but there should be an approach to validate that this conclusion is scientifically valid.

There are multiple papers that describe the anthropogenic factors contributing to the resuspension of radioactive materials in contaminated zones. I recommend the paper, ‘Particle Transport of Radionuclides Following a Radiological Event’, published by the United States Environmental Protection Agency. That publication introduces most of the concepts involved in this research, also reviewing the related scientific literature. 

Although there are also natural processes that may resuspend radionuclides, such as strong winds or forest fires, our scenario is very specific as the main activity involved would be the traffic generated by a large number of military vehicles (up to 1700 according to testimonies from locals).

The analysis of the scientific literature on this topic shows that any research into these kinds of anthropogenic activities partially relies on an empirical approach: the characterization of the soil, climatological conditions, the type of vehicle and its speed… all of them contribute to the ability of resuspending radioactive materials.

One of the most complete papers on this topic to date (published in 1996) is ‘Contamination of Surfaces by Resuspended Material’ . It was a joint effort by the European Commission, Belarus, the Russian Federation and Ukraine.

Cover of the paper
Figure 13 Cover of the paper

This paper comprehensively covers the mathematical models and empirical experiments performed in the CEZ to assess potential contamination resulting from resuspension of materials due to both natural and anthropogenic factors. As one of the human activities considered for the latter was agricultural work, this paper includes the following picture.

Dust Cloud
Figure 14 Dust Cloud

During these experiments four different types of vehicles were used: 

- MTZ-82 (Tractor)
- T-150 (Tractor)
- ZIL-130 (Military truck)
- ZIL-131 (Military truck)

The ZIL-131 6x6 army truck is similar to some of the military vehicles that were observed when Chernobyl was taken. 

Russian convoy at Checkpoint Leliv - video
Figure 15 Russian convoy at Checkpoint Leliv - video

Certain conclusions expressed in this paper, which are corroborated by other scientific publications, are crucial to understanding the problem. 

Let’s briefly elaborate some of them.


Anthropogenic resuspension
Figure 16 Anthropogenic resuspension

In comparison with natural processes no anthropogenic activity, such as traffic, significatively contributes to redistributing radioactive materials. Essentially, the resuspension of radioactive dust due to traffic is a local event as a result of vehicle-induced turbulences over the surface, as well as the shear and friction forces from the tires (or wheels). Please note, that when the spikes were reported, wind speeds were low in the CEZ, which further reduces any potential redistribution of the resuspended radioactive dust.

On the other hand, forest fires have the capability of relocating significant amounts of radioactive materials. 


Resuspension and humidity
Figure 17 Resuspension and humidity

This finding with regards to humidity matches what has been observed in other experiments. For instance, Wagenpfeil et al. (1999), in the paper ‘Resuspension of Coarse Particles in the Region of Chernobyl’, found that the resuspension factor (ratio of activity in the air to the surface deposit) decreases exponentially when the soil moisture increases. 

The moisture index at the CEZ for those days in February 2022 can be obtained from ESA’s Sentinel satellites via the SentinelHub website. It is also possible to use any of the online weather websites that keep historic data, in order to verify there were cloudy days at Chernobyl, with temperatures in the range of 0-6° Celsius during the 24th/25th of February. These climatic conditions match with the images taken when Chernobyl was seized, such as the following one. Once again, we can observe damp roads, so the same conditions could be assumed for the forested, unpaved parts of the CEZ.

Russian tanks in Chernobyl - video
Figure 18 Russian tanks in Chernobyl - video

Consider this, according to Ukrainian official sources, some of the reported spikes were recorded the night of the 24th to 25th at 1:20 AM GMT, when the temperature was approximately 0° Celsius. 

AFP quote
Figure 19 AFP quote


Traffic-induced resuspension - Sehmel
Figure 20 Traffic-induced resuspension - Sehmel

The experiments referenced in this paragraph describe two interesting concepts:

1. After a rapid period of resuspension due to the initial traffic activity, the remaining vehicles would not be contributing that much to the resuspension rate, because basically there are no materials left to be resuspended. This behavior is exactly what happened in Denmark in 1986, just a few months after the Chernobyl accident. 

Figure 21 Resuspension outcome

Please note that, in 2022, it is unrealistic to even consider a substantial resuspension, as roads in the CEZ have been decontaminated since 1989. In addition to this, we must bear in mind the large number of vehicles that have been circulating throughout the CEZ during the last 30 years. 

In fact, data collected by the largest open dataset of background radiation readings, Safecast, can be used to verify the low levels of radiation detected on the main roads within the CEZ. 

Safecast map
Figure 22 Safecast map

2. Coarser particles are resuspended more rapidly, and they have also higher deposition velocities. Once resuspended, they will be transported and deposited according to their aerodynamics, the climatological conditions, and so on. 

Deposition velocity
Figure 23 Deposition velocity

We can read yet another empirical demonstration of this process in the paper ‘Measurement of Resuspended Aerosol in the Chernobyl Area’.

Resuspension graph
Figure 24 Resuspension graph

    As we might expect, the observed peaks correspond to the period when a big tractor is harrowing,             followed by a sharp decrease which corresponds to periods of inactivity. Please note the time intervals     for these physical processes to occur are in minutes, this will be important later.

As we have seen, the physical processes that had to take place in the CEZ to give any credence to the ‘resuspension of soil’ explanation are the exact opposite of what has been described in the scientific literature. I find it hard to believe that this explanation was even considered plausible in the first place, but the situation at that moment was certainly complicated.

On the 25th of February 2022, as the situation was unfolding, a fact-checking website reached out to Eugenio Gil, a now retired doctor in physics, who in 1986 was the head of the Radiation Protection Area in the Spanish Nuclear Regulatory Council. He oversaw the efforts to monitor the impact of the Chernobyl fallout in Spain. His analysis was spot on, he pointed out the underlying issue, resuspended radionuclides are almost negligible for calculating the ambient dose equivalent:

"If there had been a very intense movement of vehicles, especially with chains, in the most contaminated area, a few kilometers around the plant, it is possible that slight increases in the concentration of radioactive aerosols would have been observed in the air, as a consequence of the resuspension of radioactive materials deposited in the ground, which after 35 years have penetrated into subsoil layers. However, I doubt that they will have an impact on the level of direct radiation indicated by the graphs submitted. (Gil, 2022)"

His was the only realistic, physically sound analysis that I could find published during that time. 


In 2007 the TACIS U4.01/03S project, under the umbrella of the European Commission, was successfully completed. The goal was to endow the Chernobyl Exclusion Zone with a brand-new integrated radiation monitoring and early warning system, that could modernize their legacy radiation monitoring network (ASKRO) dating back to 1986.

SkyLINK deployment
Figure 25 SkyLINK deployment

This new system (АСКРС or ASKRS), fully operative until the invasion, was comprised of 68 radiation monitoring stations, of which only the following 39 are considered ‘regulatory’.

1 ДГС-2 DGS-2 51.392311 30.108719
2 ВЗС-2 VZS-2 51.392538 30.105307
3 СРТВ HZHTO 51.391494 30.101595
4 Нафтобаза Naftobaza 51.398889 30.104111         Yes
5 СВЯП HOYAT 51.391173 30.105543
6 БНС BNS 51.388333 30.142444         Yes
7 Пожежне депо Pozharne Depo 51.410918 30.030015
8 ВРП - 750 VRP-750 51.380000 30.100833         Yes
9 АПК-1 ABK-1 51.368745 30.129250
10 Відвідний канал Vidvodny kanal 51.388602 30.112367
11 ВОС № 3 VOS-3         51.416111 30.094722
12 СВЯП-2 HOYAT-2 51.385562 30.114748
13 Чистогалівка         Chistogalivka         51.358593 30.036599         Yes
14 Копачі Kopachi 51.348732 30.127442         Yes
15 Станція Янів Yanov Station                 51.397455 30.062421
16 Прип’ять Pripyat 51.404615 30.050510         Yes
17 Буряківка Buryakovka 51.382220 29.916600         Yes
18 Усів Usiv 51.475580 30.033780
19 Машево Mashevo 51.486665 30.148005         Yes
20 Зимовище Zimovyshe 51.421925 30.183049         Yes
21 Красне Krasno 51.454630 30.114450
22 Крива Гора Kryva Gora 51.384853 30.201195
23 ПЗРВ «Буряківка»PZRO Buryakovka 51.334605 29.914661         Yes
24 Чорнобиль-2         Chernobyl-2 51.303870 30.073099         Yes
25 Ст.Шепеличі      Stari Shypelychi 51.422550         29.946750
26 Бенівка Benevka 51.449412 29.977185         Yes
27 Старосілля Starosillya 51.356140 30.215781         Yes
28 Вектор Vektor 51.326667 29.944164
29 Діброва         Dibrova 51.279905 29.687310
30 Вільча Vilcha 51.360590 29.439740
31 Іловниця         Ilovnycya 51.179730 30.062970
32 Іллінці         Ilinci 51.295510 29.857960
33 Корогод         Korogod 51.274817 30.009007
34 Паришів Parishev         51.295770 30.329300
35 Дитятки Dityatki         51.109990 30.150319         Yes
36 Купувате Kupovate 51.157160 30.360790
37 Поліклініка Clinic 51.279389 30.207722
38 РУЗОД RUZOD 51.273363 30.227663
39 Славутич Slavutych 51.491360 30.531500
Table 1 ASKRS Regulatory Stations

As we can see in the following image, each of these stations includes a GammaTRACER area monitor with a SkyLINK radio transmitter. These specific models were originally manufactured by Genitron, then Saphymo and finally Bertin Instruments due to various corporate acquisitions. The GammaTRACER probes replaced the legacy БДМГ-08Р gamma detectors, although some of these stations have kept them as a backup system.

Radiation Monitoring Station
Figure 26 Radiation Monitoring Station

The other devices we find as part of these monitoring stations are WXT-520 weather stations and АУРА-02 aerosol analysis units (Petryanov filters). It is worth clarifying that although these latter devices may provide really valuable data (i.e., activity of 137Cs in air) to complement other analysis, such as dispersion models, the GammaTRACER devices are the ones in charge of measuring the ambient equivalent dose rate ( H*(10) ), the operational quantity that was reported in the official statements. As a result, any alleged spike in the radiation levels (H*(10)), reported during the 24th and 25th of February, should have been detected by the GammaTRACER devices, so they will be the focus of this research.

The following map shows the equipment installed in each of the various radiation monitoring stations. There are, at least, 14 stations that are equipped with the АУРА-02 unit.

ASKRS Equipment
Figure 27 ASKRS Equipment


The GammaTRACER is an autonomous gamma measurement probe. It is designed for continuously measuring, recording, and optionally transmitting the ambient equivalent dose rate (H*(10)). This is a simple but effective definition because these features are crucial to understanding what really happened.

These devices are usually restricted in terms of commercialization, so as an independent researcher I had to come up with an alternative approach. Fortunately, after several emails and phone calls, I eventually found some public universities that allowed me to visit their radiological laboratories to inspect equipment and software related to this research, including DataEXPERT (v4.0904B0, close to the version installed in Chernobyl) and DataVIEW.

GammaTRACER design
Figure 28 GammaTRACER design


It contains 2 batteries that allow the device to operate autonomously for up to 10 years, depending on the configuration of measurement cycles, but usually run for 5 years. This is important to note, because it means that power cuts do not affect GammaTRACER devices, contrary to what it has been published. 

GammaTRACER Batteries
Figure 29 GammaTRACER Batteries


Depending on the model, the device may contain one or two energy-compensated VacuTec Geiger-Müller tubes, for high and low dose rates. In this kind of device, in general terms, the voltage pulses generated in the tube’s anode go through a signal conditioning stage (see ‘Figure Hardware - GammaTRACER Basic’ below) and are then processed by firmware to calculate the H*(10).

Vacutec 70031A - GammaTRACER XL
Figure 30 Vacutec 70031A - GammaTRACER XL

The GammaTRACER models deployed in the CEZ contain two independent VacuTec GM tubes (70003A).

Vacutec 70003A - GammaTRACE Basic
Figure 31 Vacutec 70003A - GammaTRACE Basic 


The GammaTRACER can operate in two modes: ‘Normal’ and ‘Emergency’. The latter is automatically triggered when the detected H*(10) exceeds the configured control level for the radiation monitoring station. The following table shows this configuration for the regulatory stations in the CEZ.

ID NAME                 Control Level (nSv/h)
1 DGS-2                 29000
2 VZS-2                 21000
3 HZHTO                 18400
4 Naftobaza         13500
5 HOYAT                 9200
6 BNS                 5000
7 Pozharne Depo        4800
8 VRP-750                 4500
9 ABK-1                 1400
10 Vidvodny kanal       1100
11 VOS-3                 800
12 HOYAT-2         550
13 Chistogalivka         2300
14 Kopachi                 1900
15 Yanov Station         1700
16 Pripyat                 1500
17 Buryakovka         7500
18 Usiv                 3600
19 Mashevo                 2200
20 Zimovyshe         2100
21 Krasno                 2000
22 Kryva Gora         1200
23 PZRO Buryakovka 1100
24 Chernobyl-2         840
25 Stari Shypelychi     740
26 Benevka                 600
27 Starosillya         460
28 Vektor                 270
29 Dibrova                 700
30 Vilcha                 470
31 Ilovnycya         380
32 Ilinci                 260
33 Korogod                 260
34 Parishev                 250
35 Dityatki                 220
36 Kupovate         220
37 Clinic                 550
38 RUZOD                 370
39 Slavutych         300
Table 2 Control Levels

These two different modes mainly impact the interval of the measurement and transmission cycles, which are fully configurable as well. For instance, the GammaTRACER devices in the CEZ were configured to transmit the H*(10) every hour when running in ‘Normal’ mode and every two minutes under ‘Emergency’. 

It should be noted that the hourly transmission cycle does not mean that the GammaTRACER only measures gamma levels every 60 minutes. In actuality, the GammaTRACER probe measures the radioactivity levels constantly throughout the hour period, every hour, an average value is then calculated, internally logged and transmitted.

The following pictures show the common architecture for different models: GammaTRACER XL and the basic branch of the GammaTRACER. The latter are the models deployed in the CEZ.

Hardware - GammaTRACER XL
Figure 32 Hardware - GammaTRACER XL

Hardware - GammaTRACER Basic
Figure 33 Hardware - GammaTRACER Basic

The custom URI chip is in charge of controlling key intra-board synchronization mechanisms in order to optimize the battery consumption by interfacing between the sensors and the MCU.

These devices also contain an internal storage (Static RAM) with capacity for up to 12,800 records, which are cyclically overwritten when new readings are generated. These records include not only the measured radiation levels or other parameters such as temperature, but also an internal ‘quality’ status word that provides the operator with additional context to the readings. 


SkyLINK is the unidirectional (Tx only, although ShortLINK is bidirectional) custom RF protocol used by the GammaTRACER and other Bertin Instruments products. At the time of the Russian invasion, this radio system was operating in the CEZ to wirelessly transmit the H*(10) from GammaTRACER units to the ‘Central Processing Station’ in Chernobyl.

The SkyLINK transmitter is a separate, optional component. Other communication options available for certain models are cellular data or Satellite (Iridium).
SkyLINK Tx module
Figure 34 SkyLINK Tx module

Technical information about this protocol on the Internet is scarce, except for on the website of a Russian company (Soyuzatompribor) that participated in the ASKRS deployment in 2007, together with Ukraine’s State Specialized Enterprise Ecocentre and Ukratom Prilad

SkyLINK characteristics
Figure 35 SkyLINK characteristics

Radiation monitoring networks based on GammaTRACER area monitors with SkyLINK modules are widely deployed across Europe, in Nuclear Power Plants and other nuclear facilities. The large amount of information that can be found on this Russian website, reveals that Russian NPPs are also usually equipped with these devices. 


GammaTRACER devices can be locally interfaced in various different ways, such as the RS232 module or a built-in infrared interface present by default, as shown in the following image. 

GammaTRACER - InfraRed interface
Figure 36 GammaTRACER - InfraRed interface

By reverse engineering DataVIEW/DataEXPERT I managed to understand this custom serial protocol and its capabilities. 

Once a session is established, (a device’s serial number is required but can also be automatically detected) it is possible to collect different pieces of information from the device.

For instance, we can find timestamps for:
- Last measurement taken
- Last calibration

Configuration parameters:
- Control levels
- Measurement cycles
- Calibration constant

Additionally, there is a specific command implemented in this protocol that is interesting for this research, as it allows for the dumping of all historic measurements internally stored in the device. Please note that the ability to collect internal readings via the infrared/serial interface is a documented feature of the ‘DataVIEW’ software.

GammaTRACER protocol  - Dump data
Figure 37 GammaTRACER protocol  - Dump data

As a result, assuming the internal storage capacity of 12,800 records and the configuration for measurement cycles (1 hour in ‘Normal’ mode, 2 minutes in ‘Emergency’ mode), we have the situation that months after the Russians withdrew from Chernobyl it could have been possible to collect the data corresponding to the 24th and 25th of February 2022, from those monitoring stations that allegedly recorded radiation spikes. However, it is unlikely that more than 18 months later the original readings can be found intact in the static RAM.

It is also worth clarifying that the timestamps of the measurements are generated using the GammaTRACER’s own Real-Time Clock (See Figure 33 Hardware - GammaTRACER Basic’). This means that the timestamps of the reported spikes correspond to the internal GammaTRACER clock, instead of the clock of any other external system in charge of either dumping or receiving the readings.

'DataVIEW - Timestamp parsing’ shows how the internal GammaTRACER’s timestamp format is parsed in DataVIEW.

DataVIEW - Timestamp parsing
Figure 38 - DataVIEW - Timestamp parsing

There are other commands that might be used as ‘anti-forensics’ methods:

1. The ‘Reset’ command will delete the measurements from the internal storage. 
2. The ‘Firmware update’ command can also be abused to wipe data.

GammaTRACER - Firmware Update
Figure 39 GammaTRACER - Firmware Update

While reading this IAEA report about the reconstruction of the Radiation Monitoring Network in the CEZ I found this: 

As far as environmental monitoring is concerned, many of the fixed and mobile monitoring stations were damaged and were out of service.(IAEA, 2022)

Without having more details from the IAEA on this matter, it is not possible to fully assess the scenario. However, if by ‘fixed monitoring stations’ the IAEA is referring to the GammaTRACER stations, it would mean that certain parties specifically went to many of the 66 places inside the CEZ where the GammaTRACERs were deployed, just to destroy them. That is a considerable effort that would initially suggest a specific interest in damaging these devices. Why?

Assuming the radiation spikes were fabricated instead of being associated with actual physical events, it would make sense to damage these devices to prevent a forensic analysis that would certainly detect these abnormal levels were not saved to the internal storage. 

I really hope that the IAEA, or some other authorized organization, performed a forensic analysis of the GammaTRACER devices when they were working to restore the CEZ’s radiation monitoring network. It would be interesting to know whether they were able to collect dose rate readings from those sensors that allegedly reported increased radiation levels, especially in those GammaTRACERs close to, or even inside, the Chernobyl NPP area. Alternatively, it would be equally interesting to know why this task was not accomplished.

Central Processing Station

The Central Processing Station was located at the Ecocentre’s building in Chernobyl. It was mainly comprised of the following elements:

SkyLINK Base Station 

SkyLINK Base Station
Figure 40 SkyLINK Base Station

The Base Station is comprised of:

1. UPS unit
2. Downconverter
3. DSP modules
4. Computer


1. Bertin Instruments’ DataEXPERT Software (left) showing the 39 regulatory stations (green bars). 
2. Ecocentre’s Custom Software (right) apparently implementing radiation forecast, dispersion models, etc.

DataEXPERT and Custom Software
Figure 41 DataEXPERT and Custom Software


- Windows Workstations 
- A Windows server (Primary Data Center) where software previously described was installed
- Regular network equipment
- Visual Alarms module
    -Three lamps (‘System’, ‘Power’ and ‘Radiation’)

Central Processing Station
Figure 42 Central Processing Station

The high-level logic would be as follows: data coming from GammaTRACER units was collected by the SkyLINK Base Station and then ingested by DataEXPERT software and the custom software, along with any other data transmitted (or collected) by the WXT-520 or АУРА-02 devices. These processed H*(10) records were then made available through the (now offline) Ecocentre website, from which 3rd party collectors (i.e and scraped data.


Before continuing with the analysis, a timeline of the relevant events is provided so the reader can have the right context. 

February 4

Ukraine holds military drills within the CEZ, in the abandoned town of Pripyat.  Nearby radiation monitoring stations did not detect abnormal radiation levels.

CNN story
Figure 43  CNN story

February 24

(Ukraine local time is assumed)

Russian troops entered the CEZ through Belarus from two different locations: Vilcha on the north-west and Kamaryn, north-east.

Chernobyl was in the process of being seized, and Ukrainian workers were forcibly taken as hostages. 

A portion of the Russian military units then headed to Vyshhorod, 90 km south of Chernobyl. A video recorded at Checkpoint Leliv seems to capture that moment. Please also note that they are passing through a VM250 radiation portal monitor.

Checkpoint Leliv - Video
Figure 44 Checkpoint Leliv - Video

Chernobyl NPP fell completely into Russian hands, without detecting any noticeable change in the radiation levels, according to the SNRIU53 statement below.

SNRIU statement - translation #1
Figure 45 SNRIU statement - translation #1

SNRIU statement
Figure 46 SNRIU statement

The same statement mentions the exact time when the SNRIU establishes the loss of control over nuclear and radiation facilities inside the CEZ. 

SNRIU statement
Figure 47 SNRIU statement

Coincidentally, just ten minutes after the SNRIU formally reports the loss of control over the CEZ, the first spikes in radiation levels were recorded in Pozharne Depo, Benevka, Diyatki, Gornoystapol, Ordzhonikidze, Straholissya and Teremci (KPP) radiation monitoring stations.

The Ecocentre website also reflects a growing number of spikes. 

Ecocentre map - 22:20
Figure 48 Ecocentre map - 22:20

The first reports about spikes in the radiation levels then began circulating on twitter and various media outlets. 

February 25

The number of spikes has significatively increased.
Some scientists noticed the inconsistent spatial distribution of the radiation spikes.

Ecocentre Map - 01:00
Figure 49 Ecocentre Map - 01:00

Figure 50 Tweet of Eric Feigl-Ding

As France24 would be reporting later,

"Speaking to AFP, Alexander Grigorash, an official at the State Nuclear Regulatory Inspectorate of Ukraine, said increased radiation levels at the Chernobyl Exclusion Zone had been registered at 3:20 am local time (01:20 GMT).(France24, 2022)"

A tweet from the official twitter account of the Ukrainian Parliament (it seems to be just a copy-paste of a statement from the SNRUI published at 8:05 AM) raised the alarm, using data from Ecocentre website collected at 6:00 AM.

Tweet of the Ukrainian Parliament
Figure 51 Tweet of the Ukrainian Parliament

The SNRUI publishes a statement introducing the ‘resuspension of soil’ explanation,
"Experts of the Ecocenter connect this with disturbance of the top layer of soil from movement of a large number of radio heavy military machinery through the Exclusion zone and increase of air pollution.(SNRUI, 2022)"

This, and other official reports, went viral on social networks and media outlets. 

March 31

Russian occupation forces withdraw from the CEZ.

April 7

First published stories about the destruction left behind in the wake of Russian occupation forces. 

In a France24 video, Mykola Bespalyi, head of Chernobyl Central Analytical Laboratory reports looted equipment, including a server and, ‘software to predict the development of any unusual situations, for example if a fire started in the CEZ.’

That description matches with the Central Processing Station server that was described in the ‘Cyber’ section, where both Bertin’s DataEXPERT and Ecocentre’s custom software are installed. 

SkyLINK alarm lamps
Figure 52 SkyLINK alarm lamps

This assumption is reinforced by the fact that the video shows the characteristic alarm lights (see image above) that are installed with GammaTRACER/SkyLINK deployments.

SkyLINK visual alarm device
Figure 53 SkyLINK visual alarm device

April 14

In a press conference, Yeygen Kramarenko, head of the agency for the Chernobyl Exclusion Zone, confirms that the server in charge of processing data from the radiation monitoring stations ‘has disappeared’.

DataEXPERT Server disappeared.
Figure 54 DataEXPERT Server disappeared.

June 7

According to the IAEA the radiation monitoring network in the CEZ has been restored. 
The statement starts with the following sentence: ‘Dozens of radiation detectors are once again transmitting data from the area around the Chornobyl Nuclear Power Plant (NPP) .’

Starlink antenna
Figure 55 Starlink antenna

Communication to the outside world can now be performed via SpaceX's Starlink.


From a dosimetry perspective, phrases such as ‘increased radiation levels’ is subject to many interpretations, so to properly assess the extent of the exposure of a human body to ionizing radiation, the International Commission of Radiation Units and Measurements (ICRU) defines three different quantities: Physical, Protection and Operational.

Dosimetry quantities
Figure 56 Dosimetry quantities

The GammaTRACER area monitors, devices intended to determine the ambient dose equivalent ( H*(10) ), an operational quantity for area monitoring. It is important to clarify this simple, but crucial, detail. 

Another factor to bear in mind is that the official reports were solely informing about the ambient equivalent dose rate (in nSv/h) allegedly detected by the GammaTRACER probes.  

There is nothing wrong in this approach. In fact, this is common practice in most of the radiological accidents involving a large-scale release of radioactive materials (e.g., Fukushima). The ambient equivalent dose rate data collected from the area monitors, which sustain the radiation monitoring networks, is used to provide an initial estimation of the impact. 

However, the consensus is that the radiological incident in Chernobyl did not involve any release of additional radioactivity from an unspecified source, but merely a resuspension of radioactive dust, and this is when everything stops making any sense. 

By reading the content published on the media and social networks during those days, it is easy to see that the most common interpretation of the official statements is that the soil in the CEZ was ‘quiet’ before the invasion. This ‘equilibrium’ of the radioactivity in the surface layer of the ground was then upset by the traffic of heavy military vehicles, which stirred up radioactive dust, thus causing the radiation spikes. The official explanation, emitted by the Ukraine’s SSE Ecocentre, is prone to this kind of interpretation because it explicitly mentions the same reasoning.

Ecocentre statement
Figure 57 Ecocentre statement

For most people, who do not necessarily have a deep understanding of either physics or the CEZ’s characteristics, this seems to be an intuitive explanation that it is easy to assimilate. The problem is that this theory contradicts not only every scientific paper published about the CEZ, but also the most basic concepts of dosimetry. Let’s see why.

The imbalance of the equilibrium

The vertical distribution of 137Cs in the forested (and/or unpaved) parts of the CEZ 
follows an exponential profile where approximately 90% of the activity is in the top layer of soil (0-10 cm). This has been studied for decades without any noticeable change until date. Similar results have been obtained from studying the contaminated soil in Fukushima.

Vertical profile of CEZ soil
Figure 58 Vertical profile of CEZ soil

This means that the shielding effect of the upper layer of soil is negligible because the main contributor of the detected H*(10) throughout the CEZ, is this very upper layer. As a result, even if we disturb the surface by driving heavy vehicles over it, this activity will not let any significant amount of gamma radiation ‘escape’ from the deeper layers. Gamma radiation interacts with matter according to the Beer-Lambert attenuation law. It is simply unrealistic to think that the mass attenuation coefficient of the soil in the CEZ in addition to just several centimeters of (already) contaminated ground, can provide any significant attenuation to a ‘deeper’ layer of gamma activity, which in fact, does not even exist.

This well-known physical fact is clearly explained in the following statement from the IRSN, as part of an analysis of the forest fires that devastated the CEZ in 2020.

IRSN statement #1
Figure 59 IRSN statement #1

If we obviate those cases where the resuspension occurs right after a significant deposition due to a massive radiological accident, the scientific consensus is that resuspension only accounts as a contributing factor in calculating the inhalation dose, being almost negligible from an external exposure perspective, and therefore also negligible to calculate the H*(10). 
Even for those extreme cases, i.e., a core melt, the IAEA explicitly mentions that resuspension is not a significant contributor when calculating the Operational Intervention Levels (OIL),

IAEA equations #1
Figure 60 IAEA equations #1

This is relevant, as some of the recorded spikes were in the range of OIL2γ levels (25 µSv/h - 100µSv/h), allegedly as a result of a resuspension event, which directly contradicts the methodology and equations published by the IAEA.

Unphysical timings 

Even if we consider the traffic-induced resuspension of soil as a plausible explanation of the radiation spikes, we will find that the timing between intense traffic activity and radiation spikes does not match either. 

I created the following diagram, based on the timeline of events previously elaborated. It helps us see that the spikes were not detected during the period of intense vehicular activity but, coincidentally, ten minutes after the SNRIU lost control of the radiation and nuclear facilities in the CEZ.

        Figure 61 Visual timeline

This unphysical behavior is clearly observed when analyzing the spikes recorded by the Kopachi station, which were only detected approximately 18 hours after a convoy passed nearby (at 9:20 AM, the morning of the 25th) as I depict in the following image.

        Figure 62 Kopachi - video

According to the ‘resuspension of soil’ theory, GammaTRACER probes should have detected increased radiation levels at the time of this intense traffic activity, during which even the climatological conditions were slightly more favorable, and not many hours afterwards.

For instance, from a physical perspective, it is also difficult to explain why dose rate spikes at the Vilcha Radiation Monitoring station, one of the main entry points for Russian troops during the early morning of the 24th, were not recorded until more than 12 hours later, at 12:10 AM, during the night of the 25th of February.

The same video also provides us with an interesting piece of information.

        Figure 63 Radiation Portal Monitors - Video

The cameras that recorded the video are part of another radiation monitoring system, different from the ASKRS, installed at the CEZ checkpoints for the purpose of non-proliferation control. The two white pillars located on the left lane are part of a VM250 Radiation Portal Monitor.

        Figure 64 Ecocentre presentation

As can be verified in the various manuals that can be found online for the VM250, this system continuously monitors the background Gamma radiation, triggering visual and acoustic alarms if abnormally high (or low) values are detected. This is a common functionality of Radiation Portal Monitors (in 2017 I also reported vulnerabilities in some of them).
It is worth mentioning that in the video it is apparent that there is no light indication that shows either high background levels or high Gamma radiation, even when vehicles are passing through the VM250. 

Besides this, there are a couple of facts that should also be noted: 

1. The VM250 can switch over to battery power when AC is lost.
2. Recorded values were sent to a central processing station. There is no information about whether the server containing these records was recovered or examined.

Did a significant resuspension event ever happen in the CEZ? The following section analyzes this scenario.

The perfect storm of 2020

The scientific literature agrees on the fact that, among the anthropogenic and natural activities that may lead to resuspension of radioactive materials, forest fires have the biggest impact. The extent of this influence covers both transport (and redistribution due to a subsequent deposition) and contribution to the increment of the activity of radionuclides in air. 

In April 2020, the Chernobyl Exclusion Zone suffered a ‘perfect storm’ of forest fires, the largest ever recorded in the zone. One-third of the land area of the Ukrainian CEZ was burnt, but to make matters worse, a dust storm occurred during the 16th and 17th, a combination that resulted in a significant amount of resuspended 137Cs. The resulting plumes reached Kiev and, marginally, other territories in Europe. 

The magnitude of the wildfires was great enough to be tracked by ESA  and NASA satellites.

        Figure 65 Satellite image of wildfires

Despite this appalling scenario, the GammaTRACER devices did not report abnormal levels of radiation. Let’s not forget that these are the same devices that, in 2022, allegedly reported radiation peaks tens of times higher than the configured control levels, not just the baseline levels, due to traffic-induced resuspension. 

The IRSN published several reports analyzing these wildfires. In one of them I found something interesting, let’s have a look at it in order to introduce the next part of the analysis.


        Figure 66 IRSN statement on CEZ wildfires

1.- To begin with, they reference the same Ecocentre website used by the official sources during the Chernobyl incident in 2022. Then they provide a key observation, ‘it should be remembered that these measurement devices are only capable of detecting major radiological accidents’. This is in concordance with what has been laid out previously, as the resuspension only matters for external exposure right after a major accident. 

Finally, they acknowledged the same probes are used, at a nationwide level, in France.

2.- The ‘radioactivity released’ basically means the resuspended 137Cs (in addition to other radionuclides such as 90Sr).

3.- This is particularly important in our scenario, as 14 of the 39 regulatory radiation monitoring stations were equipped with the АУРА-02 aerosol monitor units. During the Russian invasion of the CEZ, 8 of them reported radiation spikes: Chistogalivka, Kopachi, Pripyat, Buryakovka, Mashevo, Zimovyshe, PZRO Buryakovka and Benevka.

However, the airborne 137Cs activities have not been published as part of the official information. Obviously, as the CEZ was occupied, the АУРА-02’s aerosol filters that are manually analyzed could not be recovered at that time (before the occupation these filters were collected every 5 days).  As I will be elaborating later on, this kind of data would be key to validate the ‘resuspension of soil’ explanation. The image below demonstrates that 137Cs volumetric activities have been published in the past, for cases where resuspension was involved, like in these forest fires. 

        Figure 67 137Cs Airborne concentration

For reference purposes: 1 Bq/m3 is the maximum airborne activity of 137Cs detected in Sweden right after the Chernobyl accident of 1986. The Radiation Safety Standards of Ukraine (NRBU) establishes 0,8 Bq/m3 as the maximum admissible level.

To sum up this profound contradiction:

- The biggest forest fires ever recorded in the CEZ did not resuspend enough 137Cs to provoke an increase of the H*(10) calculated by the GammaTRACER probes.

- Heavy military vehicles driving over decontaminated roads in the CEZ, resuspended enough 137Cs to increase the H*(10) to levels that even exceeded those detected right after the accident at the Fukushima Daiichi NPP.

In the next part of the analysis, I will try to explain why this scenario is not physically viable by using a simple mathematical approach. 

A simple mathematical model to understand the unphysical radiation spikes

We have been talking about the H*(10) from a high-level perspective, but now I need to explain a little bit more about its characteristics.

The ICRP  defines it as: 

"The dose equivalent at a point in a radiation field that would be produced by the corresponding expanded and aligned field  in the ICRU sphere at a depth of 10 mm on the radius vector opposing the direction of the aligned field. (ICRP)"

The ICRU sphere is a phantom, intended to approximate the human body, made of tissue-equivalent material. 

        Figure 68 IAEA presentation

Within this expanded and aligned field all its contributions add up, as we can see in the ICRP Publication  144.

        Figure 69 ICRP - H*(10) components

This additive property allows us to come up with the following approach, where we decompose the expanded and aligned radiation field into different components. Please note that the basis of this approach is comprehensively elaborated in ‘Estimating the terrestrial gamma dose rate by decomposition of the ambient dose equivalent rate.’  
        Figure 70 Expanded and aligned field

As a result, the ambient dose equivalent can be expressed as the sum of the contributions from its n components. 

In general terms, there are three main components that will contribute to the H*(10): ground, air and secondary cosmic radiation. However, we can obviate the latter. 

Thus, for an arbitrary radiation monitoring station at time t0, we will have a decomposed ambient dose equivalent as follows:

For the same radiation monitoring station detecting a spike at time t1 we would have, 


The question is, which component would be enabling this significant increment? 
As the official explanation states that these radiation spikes are linked to resuspended radioactive materials, it must be ‘air’. 

This also means that our H*(10) ‘ground’ component is representing the baseline level, which allows us to easily perform the calculations when historic datasets are available. 

Please note that we are not trying to either harmonize or estimate the H*(10) between different radiation monitoring devices. This approach is possible because we have a dataset that contains years of measurements collected from the same monitoring devices. Thus, despite the different periodicities, after so many years the baseline level for each of these stations is stable enough to be used as a reference.

Figure 71 Radiation spike - component decomposition

It was reported that the additional airborne 137Cs activity due to resuspension of radioactive materials during the 2020 forest fires did not result in an increase of the total ambient dose equivalent in any of the radiation monitoring stations, so we will also have that,

where A2020 would be the set of the ambient equivalent dose rate values for the ‘air’ component, recorded during the 2020 forest fires for an arbitrary station.

However, as this specific dataset is not available, we can rewrite the previous expression based on a response function (fr) representing the GammaTRACER response for the recorded airborne 137Cs activities (Bq/m3). This dataset (α) is available in 14 of the 39 regulatory stations, those that were equipped with the aerosol analysis units as it has been previously mentioned.  

This operation is possible because, by convention, if we increase the 137Cs activity in air, the H*(10)air  will be incremented as well, ideally, following a linear progression as shown in the datasets for VacuTec Geiger-Müeller tubes used by the GammaTRACER probes.

         Figure 72 Pulse rate vs Dose rate

As a result, we end up with the following expression that we should be able to validate:

Now let’s use Buryakovka, a regulatory radiation monitoring station also equipped with the aerosols monitoring unit, as an example calculation for this model. 

Please note that these calculations are not intended to be exact. However, as the allegedly detected radiation spikes levels are so brutal, compared to previous recorded values, the reader will notice the figures still do not match by several orders of magnitude which neglects potential deviations.

The radiation spike at Buryakovka reached 52700 nSv/h on the 25th of February. 
        Figure 73 Ecocentre map - Feb 25, 15:00

The historic data collected from different documents shows an average value of around 2700 nSv/h. Then, for this radiation spike the required increment in the ‘air’ component can be easily calculated as follows:

According to this, the resuspension process itself should generate enough airborne 137Cs activity to allow the GammaTRACER to detect 50 μSv/h. 

For reference purposes, in 1986, just few weeks after the accident, an estimated dose rate of 50 μSv/h in air was the level used by the authorities to determine the evacuation zones in the 60km area around Chernobyl NPP. 

Although, even at this point, 50 μSv/h is an unrealistic increment for a traffic-induced resuspension activity, let’s continue to illustrate the idea behind the model.

In 2020 the airborne 137Cs activity  for the Buryakovka monitoring station increased by an order of magnitude compared to previous years. This pattern was also observed in other radiation monitoring stations, due to the resuspension caused by the forest fires.

        Figure 74 Volumetric activity

We are trying to validate the expression below, so we still need to come up with a method to realistically approximate the airborne 137Cs activity (at1) in 2022, as this data has not been made available, publicly, by any of the involved authorities.

The IAEA, responding to the claims that Russian troops dug trenches  in the vicinity of the Red Forest, calculated the estimated effective dose potentially received by those soldiers.

Therefore, to approximate at1 I used the values resulting from the measurements the IAEA performed on-site, which are publicly available.

        Figure 75 IAEA measurements

We are even using a conservative approach, as the assumption is that the concentration of dust in air while digging a trench is equal to the concentration generated by a vehicle passing over a decontaminated road, or even an unpaved surface. We just need to multiply the values highlighted in the previous image (Specific Activity * Concentration of dust in air during digging). 

According to the previous ‘Volumetric activity of 137Cs in 2020’ table, we have, 

By substituting the values in the expression, we have that at1 is just an order of magnitude higher than the maximum airborne 137Cs activity detected in Buryakovka in 2020.

Assuming the radiation spikes were physically sound, we would have that an airborne 137Cs activity of 2,95x10-2 Bq/m3 led to the expected increase of the H*(10) until reaching 50 μSvh-1 over its baseline level (‘ground’ component).

Obviously, that is not the case. This activity does not even reach the reference airborne 137Cs activity of 1 Bq/m3 by two orders of magnitude. Also, if it were true, we should be observing 50 μSv/h increases (on top of their baseline levels) in all those stations that recorded similar increments in their airborne 137Cs activities. 

As the reader can see in the following example, that never happened. 

Let’s take the highest airborne 137Cs activity detected (1,0E-02) during the forest fires of 2020, which corresponds to the VRP-750 radiation monitoring station. This value is in the same order of magnitude as that our previously calculated at1,

        Figure 76 Volumetric activity 2020

However, its maximum H*(10) value recorded in 2020 was 1,5 μSvh-1, far from the expected 50 μSvh-1.
        Figure 77 H*(10) values 2020

Let’s look at these two images to provide a visual summary of the issue. The indicated H*(10) levels (1, 5 and 45 and 50 μSv/h) do not correspond to any specific station, they are just sample values to illustrate the reasoning, although similar to those officially reported. Please also note that the distances between the elements depicted in the following diagrams are not to scale. 

        Figure 78 Baseline

1. The H*(10) level measured in the decontaminated road is 5 times lower than in the nearby contaminated soil. Although this is a sample value, it matches real ratios mentioned by the IAEA for the CEZ.
2. In our example the GammaTRACER is located really close to the road.
3. The H*(10) recorded by the GammaTRACER is mainly calculated from the 137Cs found in the contaminated soil.
4. The contaminated soil reports a baseline of 5 μSv/h
5. The 137Cs located in the upper layer is the main contributor to the baseline level.

        Figure 79 Radiation Spike

1. When the heavy military vehicles pass over the decontaminated road, they will resuspend potentially contaminated dust.
2. The number of resuspended materials is determined by the resuspension factor, which for an intense activity (such as digging) may reach 10-8. Regular activities will have a resuspension factor an order of magnitude lower.
3. The radionuclides stuck to the dust particles will emit gamma radiation whose intensity decreases according to the inverse square law. 
4. The resuspended dust particles will be deposited according to their aerodynamics and climatological conditions. 
5. The GammaTRACER reaches a level of 50 μSv/h. This means that the resuspended 137Cs is contributing to the total H*(10) with an additional 45 μSv/h. Obviously, this is not possible, coming from a decontaminated road whose baseline is just 1 μSv/h. 

The ‘return to baseline levels’ mystery.

The last, but not least, question the previous model raises is the following: Why did the stations return to their baseline levels just few days after the spikes?  

According to the ‘resuspension of soil’ theory we have that, either the resuspended materials that caused brutal increments of the H*(10) while airborne, stopped being gamma emitters after the regular deposition phase, or there was no deposition phase at all. Both cases would be equally unphysical. This scenario, in turn, leads to the following never-ending circular problem: How is it possible to achieve higher levels of H*(10) just by resuspending the same materials that were already present in the top layer of the soil?

There are two options:

1. An external release from a radioactive source. 
2. A resuspension activity with a massive transport involved. 

It is the consensus that the first option never happened. So, we are left with the second one. However, if there was a significant transport (relocation) of radioactive materials, large enough to achieve the reported H*(10) levels: Why did the stations return to their baseline levels just few days after the spikes?  And so on.

In this context, the ‘Contamination of Surfaces by Resuspended Materials’  paper provides, in a single sentence, a simple and intuitive, but still scientific, refutation to the ‘resuspension of soil’ theory. 

        Figure 80 Resuspension/deposition balance

Basically, what has been reported in the Chernobyl Exclusion Zone is an unprecedented case
in nuclear physics: an unbalanced resuspension scenario without a deposition phase. 

This scenario helps us to demonstrate, from an analytical point of view, that the radiation spikes were necessarily fabricated as they do not even comply with the most fundamental physical forces such as Gravity (Stokes’ law). Let’s illustrate this issue with the last 8 radiation levels detected at the Pozharne Depo station (radiation spikes are red-highlighted). This station was one of the six whose radiation spikes were officially reported to the IAEA by the SNRIU.

        Table 3 Spikes in Pozharne Depo

Let’s assume these are legitimate readings, so according to the timestamps I am analyzing the spikes from two different perspectives:

a. Intraday
In a period of 20 minutes, between ‘20:40:00’ and ‘21:00:00’, the GammaTRACER allegedly detected a radiation spike 8 times (8790) the regular baseline level, and then returned to the exact baseline level previously recorded (1760).
        Figure 81 Timestamps

As the above diagram shows, we can break it down in three steps with their corresponding timestamps,

t0 = Timestamp before the radiation peak, baseline level (< 20:40:00)
tp = Timestamp for the radiation peak (20:40:00)
t1 = Timestamp for the baseline level (21:00:00)

1. At t0 < tp 
The plume comprised of the resuspended materials has not yet reached the area of detection for the GammaTRACER.
2. At tp
Resuspended radioactive materials have reached the GammaTRACER, thus provoking a peak. V↓ indicates the deposition velocity (in this case, the lack of).
3. At t1 
The plume has left the area of influence for the GammaTRACER, which has then returned to its previous baseline level.

b. Long-term

There are two additional radiation spikes detected, at 21:50:00 (Feb 24) and 10:50:00 (Feb 25), without any other reading in between.

Then, after several days of radio silence, the GammaTRACER transmitted two measurements on March 1, back to its regular baseline levels.

Now let’s demonstrate why this sequence of events is a physical aberration.

Within a small window of time (20 minutes), the GammaTRACER detected a radiation peak and the returned to its baseline level. Please note that this kind of pattern is common during metrological verification procedures, as a certified approved gamma source is brought towards the probe device at controlled steps.

However, we are assessing a traffic-induced resuspension event so in addition to the timespan, there is another major anomaly: lack of deposition phase.

In a traffic-induced resuspension we should not see an ‘encapsulated’ plume like the one shown in the diagram above, instead the resuspended materials will be in touch with the surface via eddy diffusion, as the picture Figure 14 Dust Cloud’ shows. We should also note that resuspended radionuclides tend to stick to coarse particles (>1-3 µm), so we will have the sedimentation component due to the Stokes’ law.

As a result, we have that the deposition velocity  (V↓) is comprised of two components: 

a. Vi (eddy diffusion)
b. Vs (sedimentation – Stokes’ law)

As the GammaTRACER returned to its baseline level right after the radiation peak, we must assume that the plume did not cause any kind of deposition during the time it passed through the area of influence of the GammaTRACER. It is even more disconcerting that the deposition phase did not occur in the long term either, to this day.  

This means that V↓ is effectively 0, which, according to its equations, would mean that there were no particles involved, the gravitational force was neglected, or the air increased its density to a value close to a solid state. As none of these precepts are valid in the real world, reductio ad absurdum, the radiation spikes do not have a physical origin, and therefore were plausibly fabricated.


Radioactivity is invisible for the human eye. The capacity to approach an incident where radiation plays an important role, necessarily relies on a first responder’s   predisposition to trust an instrument’s output.  

Security is pretty much the same. We cannot just see security, we also have our instruments to see through its different layers.

In both cases, there is something in common: when approaching an abnormal situation, regardless of what your instruments say, you usually have a preliminary idea of what to expect.  

When you create a scenario where radiation levels are fabricated, the goal is to generate a response based on your ability to control the notion about the specific physical environment your target has. That may be leveraged to support a narrative, to force a specific move from a target, etc. Therefore, I would like to clarify that I am not planning to speculate about any of them, not even the actors potentially involved. This is data-driven research, conceived to be impartially verified, regardless of subjective claims or specific interests. 

The purpose of this research is to provide sufficient technical evidence that may be used as part of a rigorous assessment of the radiation spikes, detected in the CEZ, during the first forty-eight hours of the Russian invasion. 

In accordance with this principle, the following analysis comprehensively describes the technical details that exhibit how, at least, one of the intended outcomes of this operation may plausibly be to inject manipulated radiation levels (H*(10)) into the infrastructure of the Automatic Radiation Monitoring System (ASKRS) of the Chernobyl Exclusion Zone. As a result, the regular processing logic of this system would have been altered to influence the publicly available, real-time representation of the radiation levels in the CEZ, which at that time was officially provided by ‘’. 


During the early stages of this research, when I was still collecting information to see if there was really something to look at, I remember that one of the things that tipped the scale was the following paragraph from the Mike Wood et al. paper,

        Figure 82 Mike Wood et Al. paper

At the time, most of the articles and comments I found were talking about power cuts to explain the lack of continuous measurements, before I figured out that the GammaTRACER were battery-powered devices, which obviously did not match that ‘selective’ pattern for going offline. As it will be elaborated later, it turned out that this behavior was the key to understanding the operation.

As I was researching this issue, additional abnormal patterns emerged. It is worth describing some of the most significant ones, as they provide the right context before putting the pieces together.


In an interview for ‘Le Figaro’ , CRIIRAD’s Bruno Chareyron queried why the IAEA, in the publication ‘Update 1 - IAEA Director General Statement on Situation in Ukraine’, only mentioned the 9,46 μSvh-1 H*(10) value when there were other levels way higher. This was a well-directed question indeed, as during the 24th (of February) three monitoring stations within the Chernobyl NPP area reached levels over 50 μSvh-1: HZHTO 65,5 μSvh-1, HOYAT 54,2 μSvh-1 and DGS-2 58,8 μSvh-1.
          Figure 83 Criirad quote

So, I spent some time digging into this, which led me to find the following official document  from Ukraine’s Ecocentre, the State Specialized Enterprise which carries out radiation monitoring in the CEZ.
        Figure 84 Ecocentre statement translation

I also found the following screenshot , published by Ukraine’s Chernobyl Exclusion Zone State Agency (DAZV) during the 2020 forest fires crisis. It confirms they were using DataEXPERT to collect the information that is incorporated into their public reports. This reinforces the idea that the server where DataEXPERT was installed, which disappeared, played a significant role in this scenario.
        Figure 85 DataEXPERT screenshot

In fact, I noticed that the version of DataEXPERT in the screenshot (v.04.0526) is still very close to the version I found (and reverse engineered) in an old DataEXPERT manual I managed to get while visiting a radiological laboratory at a Faculty of Medicine. This manual dates to 2006, just before the ASKRS system was deployed in the CEZ. 
        Figure 86 DataEXPERT manual

The version that can be seen in the screenshot found in the manual shows “v.04.0480”, so it is safe to assume the DataEXPERT version deployed in the CEZ, at least in 2020, was outdated. Nothing out of the normal if we consider the idiosyncrasy of the Industrial Control Systems world.

        Figure 87 DataEXPERT version

The highest level reported in the Ecocentre’s document is 9,46 μSvh-1 (corresponding to the Pozharne DEPO radiation monitoring station), coincidentally the same value mentioned in the IAEA statement on the 25th (of February). On the other hand, the lowest level is 2,05 μSvh-1, detected at Vektor. So, we would have H*(10) values from 2,05 to 9,46 μSvh-1, which is the exact range of radiation levels explicitly mentioned in a statement  published by the Czech Republic's State Office for Nuclear Safety (SÚJB). 

        Figure 88 Six stations reported to the IAEA

In that statement, the Czech regulator also mentions the exact ‘Control Level Exceeding Factor’ values that the Ecocentre’s document contains. Finally, it confirms the SNRIU reported radiation levels for the CEZ through the USIE  system, instead of the IRMIS. It is reasonable to assume the SNRIU, in turn, would be receiving H*(10) levels from the SSE Ecocentre, likely the aforementioned official document.

But what is the IRMIS  system? It is one of the two ‘Emergency Preparedness and Response’ systems the IAEA maintains to share information about radiological incidents.  The Member States voluntarily report the H*(10) information collected from their fixed radiation monitoring stations, aiming to pursue transparency and promote information sharing between stakeholders.

        Figure 89 IRMIS description

It is interesting that the IRMIS system  stopped receiving data precisely on the 24th, because during the 24th, and part of the 25th, the H*(10) values collected from all the radiation monitoring stations in the CEZ was still being transmitted to the real-time radiation map available on the Ecocentre website. So, it is reasonable to assume that no communication problems could be adduced, as opposed to the ZNPP case. Without entering into other considerations, I assume problems directly derived from the Russian occupation of the facilities.

Finally, it can be inferred that the IAEA simply based their statement on the data the SNRUI reported to them, without having any further visibility into the actual radiation levels. In fact, the IAEA confirmed this scenario in its ‘Summary Report by the Director General’ publication.
        Figure 90 IAEA statement on IRMIS

However, the SNRIU only reported to the IAEA the H*(10) values of six specific stations. A practice for which I am yet to find a logical explanation, bearing in mind those values did not come from manually taken measurements, but directly from the ASKRS system as I will demonstrate next.

I could confirm the H*(10) values from five of the six regulatory stations that were reported by the SNRIU, thanks to the historic dataset from

However, when I was double checking the reported levels, I found out that the spike for the Yanov Station (3,46 μSvh-1) was never recorded by any of the publicly available sources for radioactivity levels in the CEZ at that moment: and Please note that these websites were also used by France’s IRSN.

        Figure 91 IRSN statement on Ukraine

By using the image from the Ukrainian Parliament’s tweet , we can see that at 6:00 AM on the 25th all radiation levels match with those reported in the Ecocentre’s document, except for Yanov Station which keeps its regular baseline level (~620 nSvh-1) instead of 3,46 μSvh-1 

        Figure 92 Missing spike for Yanov Station

The only problematic value is the H*(10) (‘Fixed value’ in the table), as the ‘Average reading in 2021’ and ‘Control level’ for the Yanov Station match with the following table of historic measurements.

         Figure 93 H*(10) values in 2020

This monitoring station can be easily found on Google Maps , which allows us to verify that it is a GammaTRACER+SkyLINK deployment.

        Figure 94 Yanov Station – GammaTRACER

Besides this anomaly, one of the main questions is why SNRIU did not report the following values of three regulatory stations which were way higher, also collected from the same ASKRS system.

Obviously, I do not know the answer, neither do I want to speculate on the reasons. However, it is worth noting that these unreported radiation spikes are coincidentally in the range of the Operational Intervention Levels (OIL) for reactor emergencies and spent fuel (OIL2γ , 25 µSv/h – 100µSv/h). 

According to the IAEA: 

An OIL is a type of action level that is used immediately and directly (without further assessment) to determine the appropriate protective actions on the basis of an environmental measurement . (IAEA, 2007)

Thus, if these stations had been officially reported, the IAEA should have initiated specific emergency response procedures. Instead, the IAEA merely assessed the reported levels as follows:

"Some of these measurements from the Chornobyl Exclusion Zone indicated an increase in the gamma dose rates that was attributed to the displacement of soil due to heavy machinery movements in the area. Based on these data, the IAEA assessed radiation levels as low and within the operational range measured in the exclusion zone since it was established, and therefore considered that they posed no hazard to the public. (IAEA, 2022)" 

The following graph (Fig. 94), which the IAEA used in their report, located right after the previous statement, coincidentally shows H*(10) levels close to those reported by the SNRIU. However, the stations do not match.

These example radiation monitoring stations (referenced as ’station_01’, ‘station_02’, …) correspond to different stations than those reported by the SNRIU. I could identify them based on the latitude/longitude and the historic dataset of readings. The highest value (~8,00 μSv/h) in the image (station _05) corresponds to a station within the Chernobyl NPP area (DGS-2), but the highest value reported by the SNRIU was from Pozharne DEPO (9,46 μSv/h).  

                Figure 95 IAEA statement on reported spikes

As a result, the IAEA assessment can be considered ‘optimistic’, because they were merely comparing radiation levels instead of exact levels recorded for specific stations. For instance, if we exclude those radiation spikes derived from metrological verification procedures, in the last 5 years Pozharne DEPO never reached an H*(10) level of  9,46 μSv/h, not even close.

Finally, it should be noted that in this report the IAEA only assessed the values that were officially reported to them by the SNRIU. They did not take into consideration, at least publicly, the remaining radiation spikes the general public was observing on the Ecocentre Website.


A unique pattern was identified in the dataset, which was related to two specific stations: Chapaevka and Kvartal. 

        Figure 96 The ‘Twin’ stations

On December 23rd 2020 at 6:00 PM these stations started reporting the same H*(10) at the same timestamps. Probably this was caused by some kind of misconfiguration that was prolonged in time. 

The interesting aspect of this situation is that, in roughly 14 months, there were only two times when these two stations reported different H*(10) values at different time stamps: 

1. Approximately one month before the invasion, on January 3rd,

Kvartal:         95.0000 at 2022-01-03 22:10:00
Chapaevka: 94.0000 at 2022-01-03 22:30:00

2. One day after the beginning of the invasion, during the spikes, on February 25th, 

Kvartal:         7407.0000 at 2022-02-25 9:20:00
Chapaevka: 7410.0000 at 2022-02-25 10:40:00

Statistically, it is certainly something to take note of: in more than 8300 readings collected over 14 months, only two readings were not synchronized. One of them occurred during the reported spikes and the other one, not long before. 

The spikes reported by these stations match the ‘spike at two times’ pattern, meaning there were two incremental spikes reported at two different timestamps, with no other readings in between. It is even more curious that, when the spike was reported at the same time, the H*(10) value was the same.

Kvartal:         3303.0000 at 2022-02-24 23:30:00
Chapaevka: 3303.0000 at 2022-02-24 23:30:00

However, the second spike was slightly lower (7407 nSv/h) for the station that reported it earlier (Kvartal). 

Kvartal:         7407.0000 at 2022-02-25 9:20:00
Chapaevka: 7410.0000 at 2022-02-25 10:40:00

Assuming fabricated spikes, this may plausibly reveal an implicit correlation when generating these artificial values. The rationale for the incremental ‘spike at two times’ pattern seems obvious: for the same baseline at the same timestamp, the spike has the same value. A second spike injected in an earlier timestamp should have a lower value than the spike injected later.

It is also interesting that on March 1st, both reported the same baseline levels at the same timestamps once again.


In addition to the radiation monitoring network operated by SSE Ecocentre, inside the CEZ there is another, separate, radiation monitoring network limited to the Chernobyl NPP area, which is operated by SSE ChNPP .

The monitoring stations in this network did not report any abnormal radiation levels, even when Ecocentre’s stations located really close to them were actively reporting spikes.


        Figure 97 ChNPP radiation monitoring room

It is difficult to come up with a solid explanation for this anomaly, from a physical perspective. Looking at it from a different perspective, however, perhaps it is worth mentioning that according to some testimonies, the facilities from where this network is operated were never left unattended by Ukrainian personnel, even after being seized by the Russians. On the other hand, the situation in the Chernobyl’s administrative building, where the Ecocentre’s Central Processing Station was located, was more chaotic as their workers were evacuated.

In addition, without having a fully working ChNPP Radiation Monitoring Network the ability to control (in a non-manual way) the radiation levels in the Chernobyl NPP would have been severely limited (assuming the CEZ network cannot be trusted either). That was precisely what happened in 2017, when this radiation monitoring network was attacked, as part of the NotPetya  incident.

Few people publicly noticed this, as the situation was never publicized, but all of those who did had a very specific nuclear background. We can see in the following tweet a screenshot of the ChNPP radiation monitoring network showing no abnormal levels,


                            Figure 98 Tweet showing ChNPP levels (Feb 25, 2022)

For instance, Safecast acknowledged they did not even know about this network.

        Figure 99 Safecast statement on ChNPP radiation monitoring network

The resulting scenario is interesting: while anxiety levels surged among the public due to the reported radiation levels coming from the CEZ network, the ChNPP network discreetly kept nuclear experts, and related organizations, less worried about what was going on. 

Finally, let’s analyze what really happened during those 48 hours.

The ‘spike-and-offline’ approach to manipulate real-time radiation monitoring information

As introduced in the ‘Cyber’ section, GammaTRACER sensors are autonomous battery-powered devices, expected to work under emergency conditions. 

These devices are professional probes that have been deployed in nuclear facilities all over Europe for decades.

Let’s also remember that SkyLINK is a unidirectional RF protocol, only able to transmit information.  
Therefore, it is extremely unlikely that, all of a sudden, many of them just stopped transmitting data. Also, it is nearly impossible that these devices should have stopped recording data in their internal storage.

The GammaTRACERs operating in the ASKRS system never went offline, they were transmitting all the time. Instead, likely with the help of a specific program which I will call malware for abbreviation purposes only, the Central Processing Station (where DataEXPERT was installed) selected the readings, either manipulated or actual, that would be shared with the outside world. Essentially, a scenario similar to a MITM, where fabricated radiation spikes were injected at certain times, following a very specific software-generated pattern.

I reached this conclusion after analyzing the historic data from the SaveEcoBot  website, which contains years of measurements collected from the CEZ radiation monitoring network by scraping data directly from the Ecocentre website. 

The Ecocentre real-time radiation map provided a chunk of base64-encoded data for each station when new readings were available. Otherwise, the last received reading is kept in the map; if this reading is above the station’s control level, a red dot will indicate the alarm status.

     Figure 100 Ecocentre data chunk

The decoded data provides ‘Time’, ‘Date’, ‘Ambient Dose Rate’, ‘Latitude’ and ‘Longitude’.

Time:=09:00|Date:=25.02.2022|Ambient (Dose rate)=327 nSv/h|Latitude=N051.384853|Longitude=E030.201195

This is my approach, which is entirely reproducible for anyone with access to the same dataset.


It is worth clarifying that the information collected by the service (for the CEZ) just replicated data from official sources, it did not perform any additional calculation.  

Still, I wanted to check how accurate the data was. I performed this verification in three different ways:

1. By comparing SaveEcoBot’s dataset with the data stored in the ASKRS’ DataEXPERT database. So, I collected a couple of official  DataEXPERT screenshots  published by the Ukraine’s Agency for the Chernobyl Exclusion Zone (DAZV).

        Figure 101 DataEXPERT screenshot #1

        Figure 102 DataEXPERT screenshot #2

Please note that the screenshots show maximum and minimum values within a specific range. Some of the exact values are simply missing, as anyone would expect from this kind of data collector, but most of them are present and match SaveEcoBot data. For example:

- VRP-750 (ВРП – 750)
device_id    phenomenon      value       logged_at
3720            gamma                 1320        ”2020-04-09 18:00:00”

- ПЗРВ «Буряківка» (PZRO Buryakovka)
device_id    phenomenon      value      logged_at
3719            gamma                 536         ”2020-04-08 14:00:00”

- Вектор (Vektor)
device_id   phenomenon       value      logged_at
3736           gamma                  134          ”2020-04-07 15:00:00”

2. I collected screenshots from uploads of the Ecocentre radiation map on social media, thus building a timeline of these maps to double check that all the reported spikes were also found in the dataset. It is worth mentioning that SaveEcoBot was not the only aggregator scraping data from the Ecocentre real-time map, the website of the OPYT company ( also collected data. For instance, the spikes for three stations (Ilovnycya, Kupovate, Maksymovyshi) that were originally missing from the SaveEcoBot dataset could be found in the OPYT dataset. 

3. This final method cannot be publicly described but the details have been shared with a third party in order for them to verify its validity.


In November 2020 the SaveEcoBot’s parent organization, Ukraine’s Savednipro, raised the alarm after a significant increase in radiation levels at the CEZ was detected.

After the initial turmoil, the SSE Ecocentre clarified the situation  stating that the reported spikes were due to the annual metrological verification procedure. The state organization reported that, as part of this process, the GammaTRACER devices were directly exposed to a high-power radiation source, resulting in the detected radiation spikes. Please note that these tests are performed indoors. 

In the response provided to the media outlets, Ecocentre confirms that they were using DataEXPERT

        Figure 103 Metrological verification

Besides the fact that if we compare these spikes with the ones detected during the 24th and 25th of February 2022 some of the latter are even higher, the interesting part of this issue is that we can locate those dates in the SaveEcoBot dataset. This enabled me to see what legitimate radiation spikes actually look like in data.

Let’s analyze the highest spike detected during the calibration procedure (124000 nSv/h), which occurred in the ‘HOYAT-2’ radiation monitoring station.

By looking carefully at the ‘logged at’ field, a timestamp, we can see how the ‘emergency’ (calibration) mode is activated in the GammaTRACER, as the Control Level has been exceeded. As a result, H*(10) values are sent every few minutes, rather than every hour. Despite the spike, the GammaTRACER is obviously still transmitting, not offline, nothing out of the normal has happened, because that is what these devices have been designed for.

During that period in November 2020, other similar patterns can be identified, depending on the metrology test that was carried out. The same patterns, including abnormally high radiation spikes, observed during this metrological verification exercise can be observed at later dates, where additional metrological procedures were performed. For instance, February 19 2021, where multiple stations reported radiation spikes, for example, Usiv and Ilinci.

Now, let’s move to the radiation spikes recorded during the 24th and 25th of February 2022.


After analyzing the dataset obtained from SaveEcoBot, the patterns emerged very clearly. As opposed to the expected naturally occurring radiation spikes detected at arbitrary times, whenever the alleged ‘resuspension of soil’ caused the H*(10) peak value, I found that the spikes were recorded in a limited set of batches involving just 13 different timestamps, at which 63 different radiation spikes were detected in a total of 42 radiation monitoring stations.

STATION TIMESTAMP (dd/mm/yy) H*(10) (nSvh-1)
DGS-2 24/2/22 21:50 58800
DGS-2 25/2/22 10:40 93000
HZHTO 24/2/22 21:50 65500
HZHTO 25/2/22 10:40 92700
Naftobaza 24/2/22 22:20 8560
HOYAT 24/2/22 21:50 54200
HOYAT 25/2/22 10:40 72200
Pozharne Depo 24/2/22 20:40 8790
Pozharne Depo 24/2/22 21:50 9460
Pozharne Depo 25/2/22 10:50 32300
Vidvodny kanal 24/2/22 21:50 702
Vidvodny kanal 24/2/22 23:50 1630
Vidvodny kanal 25/2/22 09:20 3150
VOS-3 25/2/22 00:20 921
HOYAT-2 25/2/22 10:40 7950
Chistogalivka 24/2/22 21:50 3560
Chistogalivka 25/2/22 09:20 11100
Kopachi 25/2/22 09:20 27300
Pripyat 24/2/22 22:20 5390
Pripyat 25/2/22 00:10 10200
Buryakovka 24/2/22 22:20 3540
Buryakovka 25/2/22 09:20 52700
Usiv 24/2/22 23:05 7340
Mashevo 24/2/22 22:20 5490
Mashevo 24/2/22 23:30 8040
Zimovyshe 24/2/22 21:50 2540
Zimovyshe 24/2/22 22:20 8220
Krasno 24/2/22 23:50 2490
Krasno 25/2/22 00:01 3340
PZRO Buryakovka 24/2/22 22:20 2330
Chernobyl-2 24/2/22 23:30 5370
Benevka 24/2/22 20:40 992
Benevka 24/2/22 22:20 3890
Starosillya 24/2/22 21:50 946
Vektor 24/2/22 23:50 2050
Vektor 25/2/22 09:20 3990
Vilcha 25/2/22 00:10 2360
Ilinci 24/2/22 23:30 3670
Ilinci 25/2/22 09:20 8230
Dityatki 24/2/22 20:40 293
CAP G2 24/2/22 23:50 1760
Chapaevka 24/2/22 23:30 3303
Chapaevka 25/2/22 9:20 7407
Denysovychi 24/2/22 23:50 2300
Denysovychi 25/2/22 10:40 34700
Glynka 24/2/22 22:20 832
Gornostaypol 24/2/22 20:40 308
Kocyubinske 25/2/22 00:03 1690
Kvartal 24/2/22 23:30 3303
Kvartal 25/2/22 10:40 7410
Ladyzhychi 25/2/22 09:20 60500
Nova Krasnica 24/2/22 22:20 2330
Ordzhonikidze 24/2/22 20:40 264
Poliske (KPP) 24/2/22 23:30 3780
Poliske (KPP) 25/2/22 09:20 8477
Rozsoha 24/2/22 21:50 712
Rozsoha 25/2/22 10:40 7785
Stechanka 24/2/22 21:50 6850
Straholissya 24/2/22 20:40 314
Teremci (KPP) 24/2/22 20:40 234
Kupovate 25/2/22 10:40 6770
Ilovnycya 25/2/22 10:40 74300
Maksymovyshi 25/2/22 09:20 5420

For instance, the three highest radiation spikes detected within the Chernobyl NPP area, were recorded at the same exact timestamps 21:50 (Feb 24) and 10:40 (Feb 25), without receiving any other reading within this interval.

                                    Figure 104 Spikes at ChNPP area

There are 4 different patterns of manipulated measurements:

1.- Spikes injected at one time
A unique spike is reported, and the station goes offline.
This pattern was identified in 18 stations:
Naftobaza, VOS-3, HOYAT-2, Kopachi, Usiv, PZRO Buryakovka, Chernobyl-2, Starosillya, Vilcha, CAP G2, Glynka, Kocyubinske, Ladyzhychi, Nova Krasnica, Stechanka, Kupovate, Ilovnycya, Maksymovyshi.

2.- Spikes injected at two times
Two spikes are injected following an incremental logic: the first spike is always lower than the second. No additional readings in between (offline).
This pattern was identified in 17 stations: DGS-2, HZHTO, HOYAT, Chistogalivka, Pripyat, Buryakovka, Mashevo, Zimovyshe, Krasno, Benevka, Vektor, Ilinci, Chapaevka, Denysovychi, Kvartal, Poliske (KPP), Rozsoha.

3.- Spikes injected at three times
Three spikes are injected following an incremental logic.
This pattern was identified in 2 stations: Pozharne Depo and Vidvodny kanal.
There is a particularity in Pozharne Depo, where what seems like a legitimate baseline value slipped in after the first spike. Please note the timestamp for this value is a regular one (the corresponding hourly o’clock time) rather than one of the 13 timestamps. 

3743,gamma,1760.0000,2022-02-24 20:00:00
3743,gamma,8790.0000,2022-02-24 20:40:00
3743,gamma,1760.0000,2022-02-24 21:00:00
3743,gamma,9460.0000,2022-02-24 21:50:00
3743,gamma,32300.0000,2022-02-25 10:50:00

4.- Spike and decrease
A spike is injected, and the next injected value is lower than the spike.

This pattern was identified in 5 stations, which were among the first seven to report spikes on February 24th: Ordzhonikidze, Diyatki, Gornostaypol, Straholissya, Teremci (KPP).

On Feb 24th, all of them, although separated by tens of kilometers, reported a spike at 8:40 PM, and then a decrease in the radiation level at 11:30 PM.

        Figure 105 Five stations in the South of the CEZ

During the time that SaveEcoBot and OPYT collected data from the Ecocentre website, until 10:50 AM of the 25th, there were 13 fixed timestamps when 63 spikes were detected. The following graph clearly exhibits these unphysical patterns.


        Figure 106 Plot of Radiation Spikes

It is worth mentioning that those stations which, during the 24th, did not record any radiation spikes, received the values at the expected rate. For instance, we can see this pattern in the measurements below, which correspond to Yanov Station. This confirms that the entire system was not offline, but only those stations reporting spikes.

3745,gamma,600.0000,2022-02-24 11:00:00
3745,gamma,592.0000,2022-02-24 12:00:00
3745,gamma,606.0000,2022-02-24 13:00:00
3745,gamma,598.0000,2022-02-24 14:00:00
3745,gamma,594.0000,2022-02-24 15:00:00
3745,gamma,582.0000,2022-02-24 16:00:00
3745,gamma,580.0000,2022-02-24 17:00:00
3745,gamma,594.0000,2022-02-24 18:00:00
3745,gamma,600.0000,2022-02-24 19:00:00
3745,gamma,592.0000,2022-02-24 20:00:00
3745,gamma,590.0000,2022-02-24 21:00:00
3745,gamma,604.0000,2022-02-24 22:00:00
3745,gamma,590.0000,2022-02-24 23:00:00
3745,gamma,594.0000,2022-02-25 00:00:00
3745,gamma,610.0000,2022-02-25 01:00:00

As a result, the plausible manipulation pattern would be as follows: 

1. A fabricated spike is generated by software and injected into the ASKRS at the DataEXPERT level.  

2. This spike is then populated to the Ecocentre website.

3. Legitimate readings still coming from the GammaTRACER probes are blocked from being populated to the Ecocentre website. This is the reason why the stations went ‘offline’ after reporting spikes.

4. As there are not new values, the Ecocentre radiation map will keep showing the last received reading for each station (in the map the stations will keep the ‘red dot’ associated with the last spike received).

By injecting these radiation spike patterns, the actors behind this operation would ensure that the real-time radiation map available at, whose stations were only updated when new data was received, represented the information they wanted at specific times. 


There are three patterns in the data that plausibly denote an intentionality behind the radiation spikes: 

1. Timestamps
Instead of being dispersed in time, we have seen how the spikes were reported in different batches comprised of just 13 different timestamps. In certain cases, up to 10 different stations, separated by tens of kilometers, reported spikes at exactly the same time.

2. Online/Offline
As it has been elaborated in the previous section, the stations reporting spikes did so by following four different, structured patterns. Patterns 1 and 2 were identified in 83% of the stations that detected radiation spikes.

3. Radiation Levels
The ambient equivalent dose rate allegedly transmitted by the GammaTRACER did not represent the actual physical conditions in the CEZ.

According to the information that has been presented here, it is now necessary to technically assess those scenarios that may realistically provide a sound, reproducible and verifiable explanation for these events.

The following table represents four different scenarios and the corresponding assessment with regards to the probability these may successfully sustain each of three patterns found in data.

GammaTRACERs are widely deployed in a significant number of nuclear facilities across Europe. In decades, there have been no public records of incidents that resemble what was detected at Chernobyl.

Electromagnetic Interference (EMI)

Mike Wood et al. proposed a potential explanation for the abnormal readings based on Electromagnetic Interference affecting the ASKRS base station. This was presented more like a starting point to develop additional theories rather than to provide a full explanation, as he pointed out during a call to discuss his paper. 

So, I am just assessing four main scenarios involving potential EMI. I do not think that any of them could actually explain any of the three patterns.

It is reasonable to assume that EM warfare equipment was, at some point, used during the invasion. The ‘Primary Data Center’, the server where DataEXPERT software and its MS SQL Database are installed, could also have been exposed to unintentional EMI patterns coming from RF equipment present in the area during the invasion.

However, it is not realistic to assume that either EM warfare or arbitrary electromagnetic emanations could have caused, with a surgical precision, non-transient high-level behaviors, such as changing tens of specific values in a database installed into a modern, complex IT system.

Another possibility is that the SkyLINK communication channel was affected. That surely may happen, but then we would have two scenarios, according to the motivation of the EMI attack:

This is mostly covered in the ‘SkyLINK spoofing’ scenario below.

By ‘unintentional’ I mean as ‘collateral damage’ from either an EMI attack pattern targeting other systems or arbitrary electromagnetic emanations. First of all, it should be noted that there were no reports of EM pulses or any other system failures derived from directed energy weapons.

SkyLINK is a digital communication system. The RF signals received by the base station go through different stages of decoding and verification. 

Therefore, the side-effects of the EMI pattern should be able to successfully modify frames in a complex, custom RF protocol (SkyLINK), which has a very specific structure, including checksums. 

Additionally, the unintended EMI patterns should have been able to precisely corrupt only selected beacons from certain stations, those that went ‘offline’, while those transmissions coming from the stations that did not report spikes were successfully received, decoded, and verified by the base station.

Once again, we must bear in mind that 42 radiation monitoring stations reported a total of 63 spikes during a period of 48 hours. In most cases, these spikes were detected at the same exact timestamps. These structured patterns are the opposite of what one could expect from the non-deterministic nature of unintentional EMI patterns, in a vast area of ~2600km2. 

As a result, I would consider this scenario as extremely unlikely.


There is another scenario where the EMI attack pattern could have created a RF induced voltage into the electronics that handles the pulse counting from the Geiger-Müller tubes. I am pretty sure that this is something feasible in a laboratory, under controlled conditions in the near-field , by carefully targeting one device at a time. However, in the real world this scenario is totally unrealistic due to the following reasons:
a. The GammaTRACER probes and the SkyLINK transmitter module are specifically designed to mitigate EMI. Obviously, that is not a guarantee per-se but it does make things harder. Anyone who has worked with RF knows that things escalate quickly.

b. Any artificially injected pulse should be generated according to very specific timings required to comply with the deadtime and recovery intervals for the GammaTRACER’s Geiger-Müller tubes, which are in the microseconds range. 

Additionally, the Chernobyl Exclusion Zone covers ~2600km2. In a significant number of cases, the radiation monitoring stations reporting spikes were many kilometers apart from each other. This means that we are talking about a potential electromagnetic induction derived from way beyond any antenna’s initial far-field. We should bear in mind that the Power Density in the far-field decrements according to the inverse square distance from the source. 

Let’s illustrate this with the first seven spikes that were reported on February 24th at 8:40 PM. 

Those stations that reported spikes are red-highlighted. In addition to the fact that some of them are separated by more than 40 kms, there is no coherent spatial distribution for the potential radiated EM pattern, as the other stations in the area did not report anomalies.
      Figure 108 First spikes at 20:40

As a result, the precision and power required to potentially trigger this behavior in multiple devices, at the same time, separated by tens of kilometers places this scenario out of the realm of reality.

c. A signal conditioning circuit (see Figure 33 Hardware - GammaTRACER Basic)  between the MCU and the Geiger-Müller tubes is able to filter unusual pulse patterns. There are additional countermeasures in firmware, in fact there is one we can validate by reverse engineering DataEXPERT/DataVIEW, as data transmitted by the GammaTRACERs contains a ‘quality status’ word, which adds context to the readings. There is a bit (EMI/COINC) in this data status word that is enabled when simultaneous, anomalous pulses are detected in the Geiger-Müller tubes. This allows the software (and the user) to detect, and potentially discard, those values

                                    Figure 109 ‘EMI/COINC’ bit

In addition to the fact that this functionality can be verified by reverse engineering the software, there are public references about it:



In 2019 the metrology laboratory of the Chernobyl Exclusion Zone published a paper (‘Periodicities in the Signals of Long-term Measurements of the Gamma Background in the Chernobyl Exclusion Zone’ ) within which they analyzed the potential influence of Electromagnetic Interference, due to power lines, in the GammaTRACER’s responses, finding no evidence of such behavior. The ‘COINC’ bit is also documented in this paper. 

We should not forget that the CEZ is a vast area with a significant density of vegetation. Additionally, in areas such as Pripyat or the ChNPP there are multiple buildings. All these elements are environmental attenuation factors for the strength of the electromagnetic fields that may eventually hit a GammaTRACER.

As it has been previously introduced, the GammaTRACER contains two Energy Compensated Geiger-Müller tubes. These models are designed to operate with a potential between the cathode and the anode within the 400-600 V range.  These tubes also lack a window, usually present in the GM tubes that also respond to alpha and beta particles, thus preventing low-energy, spurious EMI, from easily reaching the gas chamber.

Being equipped with energy-compensated and windowless tubes means that the GammaTRACER is only designed to respond to high-energy ionization events (45 kEV to 2000 kEV), resulting from either X-Rays or Gamma radiation. 

Due to this consideration, it is extremely unlikely that any RF source could have triggered even a single ionization event, never mind the tens of them, per-second, required to reach the reported H*(10) levels.
        Figure 110 Attenuation factors

SkyLINK spoofing

As I see it, this is very much the same scenario I elaborated during the Mirion’s WRM2 research, but adapted to Bertin’s SkyLINK, as we have the same elements: a custom RF protocol, a base station and software ingesting the readings.

Basically, my approach back then was to break the protocol from two different perspectives: radio and firmware.


The idea is, to be able to replicate the RF custom protocol of a Software Defined Radio (SDR), you need to characterize the protocol, modulation, encoding, frequencies, frame contents, and so on.
        Figure 111 BH presentation #1


Usually, the most time-efficient approach is to capture (i.e., by tapping into the SPI bus, as in the slide below) the configuration loaded by the MCU into the RF transceiver. In order to do this, we just need to buy the same commercial RF transceiver used by the target device, inject the configuration we sniffed for that particular custom protocol and we will have a fully functional transceiver for our own purposes.

        Figure 112 BH presentation #2

Mirion acknowledged the issues but did not patch because doing so would break a whole range of products. However, they sent a letter to their customers to warn them against the attack scenarios.

            Figure 113 Mirion letter #1

They also recommended the following mitigation strategy:

                                    Figure 114 Mirion letter #2

After all we have seen, I would say they were spot-on. 

That said, do I think this is what happened? No, I do not think so. Although it is technically possible, it is a complex approach, prone to errors. 


* I am using the term ‘Malware’ here purely to mean a piece of software that implements a potentially malicious logic. As a result, it should not be inferred that this software has been deployed by an adversary nor should one assume its origin.

Malware* makes everything easier. It is a likely assumption that the Central Processing Station was, somehow, manipulated. As a result, it would then be a trivial matter to forge radiation levels at will as we have seen. This data would then be populated to other systems (e.g., scraped by

The DataEXPERT architecture (Database + acquisition modules + main program) makes it an easy target, so the malware would not have to be anything very sophisticated either.

Additionally, the fact that the Central Processing Station ‘disappeared’ does not help particularly in invalidating this option.

Figure 115 Missing DataEXPERT server 

In view of the situation, I reached out to Juan Andrés Guerrero-Saade, a security researcher who managed to find the AcidRain wiper  back in March 2022. The idea I had was to explore the, unlikely, possibility of finding the potential malware based on certain specific information (strings, database fields, paths…) collected by reversing DataEXPERT. As expected, nothing was found.


I devised this research to be sustained by four fundamental pillars: independency, objectivity, verifiability, and accuracy. I cannot conceive of any other way to proceed, as the scope of the events under consideration is basically comprised of well-known physical processes and a series of deterministic behaviors derived from modern digital electronics. 

By sticking strictly to these principles, I have comprehensively elaborated all of the technical details and required references to allow for external verification of the results herein presented, a summary of which is as follows: 

1. The abnormally high ambient equivalent dose rate (H*(10)) levels, detected during the 24th and 25th of February 2022 by the Automatic Radiation Monitoring System (ASKRS) of the Chernobyl Exclusion Zone, were plausibly fabricated.

2. From a nuclear physics perspective, these radiation spikes cannot be explained as a response of the GammaTRACER radiation monitoring devices to a traffic-induced resuspension of contaminated dust in the Chernobyl Exclusion Zone.

3. Instead of being detected due to ionizing radiation processes, the H*(10) values, corresponding to the allegedly detected radiation spikes, were plausibly injected into the ASKRS network infrastructure at 13 different determined timestamps, following a specific set of software-generated patterns.

4. As a result of this plausible manipulation, the radiation levels (H*(10)) depicted by the real-time maps provided by and, did not correspond to the actual physical conditions in the area. During the period, these maps were consulted by millions of people, and also consumed as a single source of information by media outlets and official entities.

Due to its importance, it is worth elaborating why the second point is implicitly confirmed by the IAEA in its second ‘Summary Report by the Director General’ publication. In this report the IAEA, among other things, assessed the potential dose of radiation the Russian troops could have received while digging a trench close to the Red Forest. 

        Figure 116 IAEA report on Ukraine #1

The results described in this IAEA report match with the scientific consensus: the main contributor to the H*(10) is the 137Cs accumulated in the upper layer of the soil. Resuspended dust may only marginally contribute to the inhalation dose.
The IAEA analysis literally debunks the ‘resuspension of soil’ theory, although for some reason this official explanation was never amended. 

Under regular conditions, a precise explanation is what everybody should expect from the only international organization that has the authority to pronounce a ‘verdict’ on this incident. However, nothing around these radiation spikes can be objectively described as ‘normal’, but totally the opposite.

Among the unusual reactions, or simply the lack of them, there is a decisive one for which I could not initially find a logical explanation.
        Figure 117 YouTube video - IAEA 

During the radiological incident of the CEZ there were two important events that attracted all the headlines: abnormally high radiation spikes and Russian soldiers digging trenches in the vicinity of the Red Forest. Coincidentally, the IAEA just analyzed the latter. The radiation spikes were barely mentioned in their technical reports or press conferences. This is a notable anomaly, as this approach goes against their own emergency response guidelines and past incident reports.

The IAEA calculated the estimated doses for the Russian soldiers who were, hypothetically, in the trenches during a long period (35 days) resulting, for the worst-case scenario, in a low dose, approximately 0.6 mSv.  


Figure 118 YouTube video #2 - IAEA

This task required significant efforts and resources.

        Figure 119 IAEA report on Ukraine #2

        Figure 120 IAEA report on Ukraine #3

However, nothing can be found about the estimated doses for the hundreds of Ukrainian workers (and Russian soldiers) located within the Chernobyl NPP area.

There, the ambient equivalent dose rate (according to the reported radiation spikes)  reached levels over 60 μSv/h for more than 12 hours, and over 90 μSv/h for at least 4 hours. 

        Figure 121 Tweet of the Ukrainian Parliament showing Ecocentre map

These values would represent an estimated dose higher than the annual public dose limit (1 mSv), absorbed in less than 24 hours. 

There is no mention of samples collected from the Chernobyl NPP area either. Therefore, anyone who assumes the radiation spikes were real, after reading the IAEA reports, would be bound to believe in the fanciful scenario where a resuspension-based radiological incident, able to generate ambient equivalent dose rates of 93 μSv/h (within the range of certain Operational Intervention Levels), left no deposition traces.  

As a result, it must be assumed that the IAEA experts were more worried about a trench than about radiation spikes recording radiation levels higher than those detected after the Fukushima-Daiichi NPP accident. This is hard to believe, unless obviously, the nuclear safety experts from the IAEA silently concluded that the radiation spikes never actually happened.

Then one could ask why the IAEA did not come forward to clarify the situation about these radiation spikes. As I see it, the main reason is because at that moment, the IAEA would have likely been required to provide a proper explanation. This is the Gordian knot of this whole issue, not because of its technical difficulty, which is far from being a challenge for the nuclear experts who work at the IAEA, but likely due to its geopolitical implications.

Popular posts from this blog

SATCOM terminals under attack in Europe: a plausible analysis.

------ Update 03/12/2022 Reuters has published new information on this incident, which initially matches the proposed scenario. You can find the  update  at the bottom of this post. ------ February 24th: at the same time Russia initiated a full-scale attack on Ukraine, tens of thousands of KA-SAT SATCOM terminals suddenly  stopped  working in several european countries: Germany, Ukraine, Greece, Hungary, Poland...Germany's Enercon moved forward and acknowledged that approximately 5800 of its wind turbines, presumably those remotely operated via a SATCOM link in central Europe, had lost contact with their  SCADA server .  In the affected countries, a significant part of the customers of Eutelsat's domestic broadband service were also unable to access Internet.  From the very beginning Eutelsat and its parent company Viasat, stated that the issue was being investigated as a cyberattack. Since then, details have been scarcely provided but few days ago I came across a really inter

VIASAT incident: from speculation to technical details.

  34 days after the incident, yesterday Viasat published a statement providing some technical details about the attack that affected tens of thousands of its SATCOM terminals. Also yesterday, I eventually had access to two Surfbeam2 modems: one was targeted during the attack and the other was in a working condition. Thank you so much to the person who disinterestedly donated the attacked modem. I've been closely covering this issue since the beginning, providing a  plausible theory based on the information that was available at that time, and my experience in this field. Actually, it seems that this theory was pretty close to what really happened. Fortunately, now we can move from just pure speculation into something more tangible, so I dumped the flash memory for both modems (Spansion S29GL256P90TFCR2 ) and the differences were pretty clear. In the following picture you can see 'attacked1.bin', which belongs to the targeted modem and 'fw_fixed.bin', coming from t

Reversing 'France Identité': the new French digital ID.

  -------------- Update from 06/10/2023 : following my publication, I’ve been in contact with France Identité CISO and they could provide more information on the measures they have taken in the light of these findings: We would like to thank you for your in-depth technical research work on “France Identite” app that was launched in beta a year ago and for which you were rewarded. As you know, the app is now generally available on iOS and Android through their respective app stores. Your work, alongside French cybersecurity agency (ANSSI) research, made us update and modify deeply the E2EE Secure Channel used between the app and our backend. It is now mostly based on TLS1.3. Those modifications were released only a few weeks after you submitted your work through our private BugBounty program with YesWeHack. That released version also fixes the three other vulnerabilities you submitted. From the beginning of “France Identite” program, it was decided to implicate cybersecurity community,