In six weeks, the world’s seven largest economies will be on our doorstep. The summit perimeter sits on the French shore, but most of the delegations, journalists and corporate observers will land at GVA, sleep on the Swiss side, and cross the lake daily. For any organisation operating in the Geneva, Lausanne, Vaud, Valais and Haute-Savoie corridor, the question is no longer whether the summit will affect us, but in what form.
Summits draw a predictable mix of adversaries: hacktivists who want a public scoreboard, state services who treat the event as their best collection window of the year, and criminals who exploit the noise to slip their work past distracted defenders. Bürgenstock 2024 was the only dress rehearsal we will get, and the December 2025 La Poste campaign showed that French and Swiss critical infrastructure remain prime targets even outside summit weeks. Evian will be more intense, not less.
The eight risks for the Evian window
- Hacktivist DDoS waves timed to the summit calendar
- State-sponsored intelligence collection through hotels, transport and telecom
- AI-driven impersonation: deepfake calls, cloned voices, fake news, agentic crime
- SMS blasters and cellular interception in and around the perimeter
- Hotel system compromise: keycards, property management, in-room infrastructure
- Mobile-device spyware against delegates, journalists and senior executives
- Public transport and logistics disruption
- Population-targeted scams using gendarmerie, banks, summit branding and Swiss Post pretexts
Risk 1: Hacktivist DDoS waves timed to the summit calendar
Why it is a risk
Pro-Russian hacktivism is the most predictable element of the threat picture. Groups like NoName057(16) operate on a publicised model: a daily target list pushed through Telegram, a volunteer-driven Go-based DDoS client, and a clear preference for symbolic timing. Summits, elections, anniversaries and high-traffic commercial moments are the trigger conditions. France is currently their second-most-targeted country after Ukraine, and Switzerland was hit hard during Bürgenstock. For any organisation whose name appears on a public target list, an outage during summit week is a customer-facing event regardless of whether the attack itself was technically sophisticated.
Recent precedent
During Bürgenstock 2024, NoName057(16) ran DDoS waves on each summit day against Swiss federal sites and conference-linked organisations. On 22 to 24 December 2025, the same group hit La Poste and La Banque Postale at the peak of the Christmas delivery period and, on the same day, Rennes Metro, Angers Tramway, French airports, the road safety agency and EDF portals. France’s domestic intelligence service DGSI took over the investigation. Operation Eastwood (Europol and Eurojust, July 2025) seized infrastructure and issued arrest warrants, but the group was operating again within hours. Companion groups Z-Pentest, Sector 16 and Dark Engine have started moving past DDoS into operational technology, including a December 2025 claim of access to two French water-treatment plant interfaces.
How to protect
Assume DDoS will happen, and plan to keep operating through it.
- Always-on Layer 3, Layer 4 and Layer 7 scrubbing, not on-demand. Most network-layer attacks now end in under ten minutes, faster than any human can authorise mitigation.
- Subscribe to GovCERT.ch IOC feeds and monitor the relevant Telegram channels for target-list mentions of your brand or sector.
- Pre-authorise your scrubbing provider to activate on a target-list mention, not on customer-impact metrics.
- Tighten Layer 7 defences at login endpoints with rate-limiting, JA3 and JA4 fingerprint filtering, and cache-bypass protections.
- Plan for degraded-mode operations and announce them in advance: alternative communication channels for customers, cached or static fallback pages, allow-listing of known good partner IP ranges, manual procedures for the workflows that depend on internet-facing systems.
- Build redundancy into the connectivity itself: in December 2025 the largest attacks reached Cloudflare’s own infrastructure. A single internet path is not redundancy.
Risk 2: State-sponsored intelligence collection
Why it is a risk
State services do not target the negotiating room. They target the providers around the negotiating room, because that is where access is durable and attribution is hard. Hotels carry IPTV, IP-PBX, surveillance, door systems and guest Wi-Fi on networks that are often poorly segmented. Transport providers carry telemetry and movement data. Telcos carry everything. The same operators who breach those providers years before a summit are the ones who exploit that access during the summit. The lesson from Olympic Destroyer in 2018 is that the credentials and the footholds were stolen months in advance and only weaponised on the day. For Lake Geneva organisations, the question is not whether you are a primary target, but whether you sit in the supply chain of one.
Recent precedent
In April 2025, France publicly attributed a four-year campaign against twelve French entities to APT28, run by GRU Unit 26165. Targets included ministries, defence and aerospace firms, think tanks and a sports body involved in the Paris 2024 Olympics. ANSSI documented the use of compromised edge devices, fake Roundcube and Outlook Web Access portals, and command-and-control hidden in legitimate cloud services like OneDrive and Google Drive. The French Interior Ministry breach of 11 to 12 December 2025 saw attackers reach the CHEOPS portal, the gateway to police criminal records, through passwords shared in unencrypted internal email. On the Chinese side, the August 2025 CISA, NSA and FBI joint advisory on Salt Typhoon explicitly named telecommunications, government, transportation, lodging and military networks as targeted sectors, with backbone routers and edge devices the preferred entry point. The Bundeswehr Webex leak of February 2024, where a senior officer joined a sensitive call from a Singapore hotel and the audio reached Russian state media, remains the cleanest illustration of the hotel-network problem.
How to protect
- Apply the patches called out in the recent ANSSI and CISA advisories now, not in June: Ivanti Connect Secure, Palo Alto GlobalProtect, Cisco IOS XE GuestShell paths, Roundcube, Outlook NTLM relay.
- Move privileged management of edge devices to a dedicated out-of-band network. Audit running configurations against authorised baselines weekly during the summit window.
- Hotels, conference venues and supplier organisations should rotate administrative credentials before 1 June and again after 30 June. Olympic Destroyer reminded us that stolen credentials sit dormant for months before being used; rotation defeats that pattern.
- Ensure every recommendation from your most recent penetration test is closed before 1 June. After is too late.
- For executives or staff inside the perimeter, brief them to avoid joining hotel Wi-Fi and to use the data plan on their phone instead. TVs and other smart devices in the room should be unplugged during sensitive exchanges.
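One way to run the weekly configuration-baseline audit on an edge device, shown as an added example that is not part of the original briefing. The two IOS-style configurations, the host name and the watch list are constructed for illustration; the watch list is an assumption, not a complete policy.

```python
import re

# Lines that change on every save and carry no security meaning.
VOLATILE = re.compile(
    r"^(!|Building configuration|Current configuration|ntp clock-period)")

# Illustrative watch list (an assumption): additions worth an immediate look.
WATCH = [
    (re.compile(r"^username \S+"), "local account added or changed"),
    (re.compile(r"^snmp-server community "), "SNMP v1/v2c community string"),
    (re.compile(r"^(iox$|app-hosting appid )"), "application hosting enabled"),
    (re.compile(r"^permit ip any any"), "ACL opened to any-any"),
]

# Constructed sample: the authorised baseline.
BASELINE = """\
! Last configuration change at 08:00:00 UTC Mon May 4 2026
hostname edge-rtr-01
username netadmin privilege 15 secret 9 $9$CONSTRUCTED
snmp-server group OPS v3 priv
ip access-list extended MGMT-IN
 permit tcp 10.0.99.0 0.0.0.255 any eq 22
 deny ip any any
line vty 0 4
 access-class MGMT-IN in
 transport input ssh
"""

# Constructed sample: the running configuration pulled during the audit.
RUNNING = """\
! Last configuration change at 03:12:45 UTC Sun Jun 14 2026
hostname edge-rtr-01
username netadmin privilege 15 secret 9 $9$CONSTRUCTED
username support privilege 15 secret 9 $9$CONSTRUCTED2
snmp-server group OPS v3 priv
snmp-server community public RO
iox
ip access-list extended MGMT-IN
 permit tcp 10.0.99.0 0.0.0.255 any eq 22
 permit ip any any
line vty 0 4
 access-class MGMT-IN in
 transport input ssh
"""


def flatten(config_text):
    """Turn an indented config into a set of (parent_section, line) pairs.

    Keeping the parent means the same sub-command under two different
    sections (for example two ACLs) is compared separately.
    """
    items, parent = set(), ""
    for raw in config_text.splitlines():
        line = raw.rstrip()
        stripped = line.strip()
        if not stripped or VOLATILE.match(stripped):
            continue
        if line[0].isspace():          # indented: belongs to current section
            items.add((parent, stripped))
        else:                          # top-level line opens a new section
            parent = stripped
            items.add(("", stripped))
    return items


def audit(baseline, running):
    """Return added and removed lines, plus added lines that hit WATCH."""
    base, run = flatten(baseline), flatten(running)
    added, removed = sorted(run - base), sorted(base - run)
    flagged = []
    for _parent, line in added:
        for pattern, why in WATCH:
            if pattern.search(line):
                flagged.append((line, why))
                break
    return {"added": added, "removed": removed, "flagged": flagged}


if __name__ == "__main__":
    report = audit(BASELINE, RUNNING)
    for line, why in report["flagged"]:
        print(f"FLAG  {why}: {line}")
    for parent, line in report["removed"]:
        print(f"GONE  [{parent or 'global'}] {line}")
```

Removed lines deserve the same attention as added ones: in the sample, the loss of the ACL's final `deny ip any any` is as significant as the new `permit ip any any`.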
Risk 3: AI-driven impersonation, fake news, and agentic crime
Why it is a risk
The cost of producing a convincing deepfake video call, a cloned executive voice, a tailored phishing operation or a fabricated news story has collapsed. A few seconds of public audio is enough for a usable voice clone. A multi-participant Teams meeting can be staged with synthetic faces in real time. On the criminal side, large language models are being used end-to-end to run intrusions, calculate ransom amounts and write extortion notes, allowing operators with limited technical skill to behave like a small team. Around a high-profile event, attackers exploit the heightened tempo of urgent decisions, sanctions interpretations and last-minute payments. The dangerous moment is a video call from a familiar face asking for a confidential transfer that “cannot wait until after the summit”, or a fabricated press release attributed to a participant or a supplier moving markets and reputations within minutes.
Recent precedent
In January 2024, the Hong Kong office of the engineering firm Arup transferred around 25 million dollars after a Teams call in which the CFO and several colleagues turned out to be entirely AI-generated. Ferrari foiled a similar attempt against its CEO in July 2024 with a single book-recommendation question; WPP and LastPass foiled comparable attempts the same year. On the agentic-crime front, Anthropic’s August 2025 threat report documented one operator using its coding agent to run an extortion campaign end-to-end against seventeen organisations, including healthcare and emergency services. On the influence-operations side, AI-generated whistleblower videos and fabricated statements attributed to European politicians, executives and brands have moved from occasional to near-daily output across 2025 and into 2026.
How to protect
- Establish a written voice-and-video verification protocol. No transfer above a defined threshold should proceed on a video or voice call alone, regardless of how senior the requester appears to be. The protocol should include a callback to a previously known number, a code phrase, and explicit board policy that legitimate executives will not be offended by the verification.
- Inventory the public audio and video footage of each member of the C-suite so the communications team can authenticate or deny a deepfake clip in minutes.
- Pre-draft holding statements for the three scenarios most likely to need fast public response: a deepfake of the CEO, a fabricated press release attributed to your organisation or a participant, and a hack-and-leak.
- Activate a brand and executive monitoring service across Telegram, X, news clones and AI-generated video aggregators through 31 August 2026.
- Treat fake news targeting a participant or a supplier as a foreseeable scenario, not an exotic one. The attacker does not need to compromise you to damage you; a credible-looking statement attributed to your CEO, your supplier or a delegate will move the market and the inbox before any verification cycle catches up.
Risk 4: SMS blasters and cellular interception
Why it is a risk
A rogue 2G base station in the back of a parked car can downgrade every nearby phone to 2G. Once the phone is on 2G, the same equipment can do three things: inject SMS messages directly to the device, intercept incoming and outgoing calls and SMS, and collect the international subscriber identifiers of everyone in the perimeter. The hardware costs about 3,000 dollars online. For a city hosting heads of state, that capability blends opportunistic fraud against the local population, financial fraud against delegations, eavesdropping on calls and texts, and intelligence collection on who was where and when.
Recent precedent
On 14 October 2025, Swiss police arrested a Chinese national driving an SMS blaster around Muttenz near Basel, broadcasting fake messages from Swiss Post, Migros and UBS. A parallel operation arrested three more men driving similar devices in western Switzerland in the preceding weeks. France is preparing the trial of fourteen defendants for a 23-million-dollar smishing campaign that used IMSI catchers to send hundreds of thousands of fake messages from the Ameli health-insurance system; the Chinese arms dealer who supplied the device was arrested in Geneva while waiting for a flight to Toronto. The United Kingdom prosecuted comparable cases in 2024 and 2025, and in late September 2025 the US Secret Service dismantled a much larger operation in the New York tristate area in the days leading up to the United Nations General Assembly. The capability described in that case included not only mass smishing but the ability to disrupt cell towers and emergency dispatch.
How to protect
- On every executive and delegate device that will spend time in the perimeter, disable 2G fallback in the operating system. SMS blasters and most call-interception attacks depend on the 2G downgrade; modern phones running on 4G or 5G only become much harder targets.
- Use end-to-end encrypted messaging and calling for everything sensitive: Signal or Threema for messages, voice and video. This adds a second encryption layer that an IMSI catcher cannot strip, even if it succeeds in intercepting the cellular path.
- Brief staff and family members during May that they will receive smishing messages, and that most institutions don’t ask for action through embedded SMS links.
- For the highest-risk roles, issue burner devices for the duration of the event.
- Pre-establish escalation contacts at Swisscom, Sunrise, Salt and the major French operators; they have detection telemetry that you do not.
Risk 5: Hotel system compromise
Why it is a risk
Hotels are a unique attack surface because they combine a porous physical perimeter, a flat IT network, a high turnover of trusted staff, and sensitive guests. Four problems converge during a summit. First, the keycard ecosystem on which most properties depend has well-documented weaknesses that have not been fully remediated. Second, the criminal groups that specialise in social engineering hotel help-desks have proven extremely effective and remain active. Third, individual staff credentials and reservation data are routinely traded on infostealer marketplaces, which gives any attacker a low-effort path to a property’s internal systems. Fourth, in-room infrastructure (smart TVs, voice assistants, IPTV boxes, in-room tablets, IP phones) is rarely segmented from anything sensitive.
Recent precedent
In March 2024, researchers disclosed the Unsaflok vulnerability set in dormakaba Saflok keycard locks, used on around three million doors across thirteen thousand hotels in 131 countries. With a single keycard from the property, including an expired one fished from an express-checkout box, and a 300-dollar RFID device or a Flipper Zero, an attacker can forge a master key that opens every door including the deadbolt. As of disclosure, only about a third of locks had been updated. On the social-engineering side, Scattered Spider and adjacent groups produced the MGM and Caesars breaches of 2023, the Omni Hotels ransomware of 2024, and the Transport for London compromise that followed shortly after. The same playbook of help-desk impersonation, MFA fatigue and SIM-swap is now in regular criminal use.
How to protect
For organisations hosting delegations:
- Request from the property in writing the patch status of their Saflok or equivalent keycard system and the migration status from MIFARE Classic to MIFARE Ultralight C.
- Audit network segregation between guest Wi-Fi, IPTV, IP-PBX, the property management system, surveillance and door systems. Insist on a delegate-only SSID with WPA3-Enterprise.
- Rotate all administrative credentials in the property management system, the booking platform, the keycard encoders and the Wi-Fi management plane before 1 June and again after 30 June. Olympic Destroyer’s lesson applies here directly: attackers steal hotel credentials months in advance and trigger them at the worst moment.
For your own staff and delegates arriving as guests:
- Treat the hotel network as hostile by default.
- Do not use the in-room communication infrastructure for anything sensitive: do not call from the in-room phone, do not stream meetings through the in-room TV, do not pair a laptop to in-room screens. If the room has a smart TV or a voice assistant, unplug it.
- Do not leave anything sensitive in the room when you are not there: laptops, paper notes, badges, and phones go with you or into a sealed safe-storage envelope. If the property has a deposit safe at reception that uses a different key system, prefer it to the in-room safe.
- Use the chain or deadbolt physical lock when in the room. The Saflok issue makes the electronic lock a weaker line of defence than it appears.
Risk 6: Mobile-device spyware
Why it is a risk
Mobile attacks have escalated sharply since the start of 2026. What used to be an exotic threat reserved for journalists and dissidents is now mass-deployed against anyone who might be financially or politically interesting. The tooling has spread from a handful of vendors to commercial spyware houses and criminal proliferation channels. The infection model has also shifted to zero-click watering-hole attacks, where simply visiting a legitimate website that has been silently injected with malicious code is enough to compromise the phone. There is nothing for the user to click, nothing to spot, and traditional awareness training does not help.
Recent precedent
Two related iOS exploit chains, Coruna and DarkSword, surfaced between November 2025 and March 2026 and have been observed in use by multiple actors including Russian, Saudi-aligned and Turkish commercial surveillance vendors, plus criminal proliferation after a version was published on GitHub. They infect devices when the user simply visits a compromised legitimate site (zero-click), use a chain of vulnerabilities to escape the browser sandbox, and silently exfiltrate messages, calls, location, browser history, Wi-Fi passwords, health data, notes and crypto wallets. Apple has shipped emergency patches across iOS 15, 16 and 18 to address them, but hundreds of millions of devices remain unpatched. Pegasus, Predator and TriangleDB campaigns continue in parallel against journalists and senior officials.
How to protect
- Apply hardening mode on every executive and delegate iPhone (iOS Lockdown Mode) and on Android (Google Advanced Protection Program). These modes deliberately reduce the attack surface by disabling features that exploit chains rely on, and they are now the baseline for any high-visibility role around the summit.
- Insist on the latest patch level before travel and during the summit window. Both Coruna and DarkSword exploit chains are defeated by current patches.
- Deploy a Mobile Threat Defence (MTD) solution as standard practice across executive, delegate and journalist devices. It is no longer reasonable to leave smartphones outside the corporate detection perimeter.
- Restart the phone every day. Both Coruna and DarkSword are fileless and do not survive a reboot. Daily restarts are the single cheapest control that raises the cost of these attacks meaningfully.
- Restrict app installation to the official stores; review installed VPNs, “battery savers” and keyboard apps, which are common spyware vectors.
- For the highest-risk individuals, run a forensic baseline check before and after the visit.
- Before any genuinely sensitive meeting, turn the phone off (not just silent, not just airplane mode) and place it inside a signal and voice jammer in the room. A phone that is on, even on a locked screen, is still a microphone.
Risk 7: Public transport and logistics disruption
Why it is a risk
Transport networks during a summit are the soft underside of the security plan. Disrupting an airport, a metro, a tram network or a postal service does not require breaking through diplomatic-grade defences; it requires breaking through whichever supplier of ticketing, signalling, contactless payment or customer-information systems has the weakest IT hygiene. The reputational impact is asymmetric: a six-hour ticketing outage on a tram network is on the front page of every newspaper covering the summit, while the actual security incident is buried weeks later in a regulatory filing.
Recent precedent
Transport for London was breached on 31 August 2024 in an intrusion attributed to Scattered Spider. Core trains kept running, but Oyster and contactless payment, the Citymapper API, traffic cameras, dial-a-ride and licensing systems went down for weeks. Damages reached around 40 million pounds, and the personal data of roughly ten million passengers, including bank account numbers and sort codes, was exfiltrated. NoName057(16) ran a Q1 2026 campaign that hit the Munich and Dortmund transit systems over a hundred times each. France saw arson on rail signalling boxes during the Paris 2024 Olympics, and the same operating model has been repeated in Germany and Poland since.
How to protect
- For transport, logistics and hospitality operators in the region, treat May 2026 as the latest acceptable date for help-desk hardening, MFA review on all customer-facing identity providers, credential rotation for administrative accounts in ticketing and operations platforms, and a tabletop walk-through of the credential-reset procedure that Scattered Spider has weaponised.
- Validate that backup ticketing and customer-information channels exist and have been tested.
- For organisations dependent on these providers, diversify payment paths, pre-establish manual procedures for the summit week, and prepare communications templates for partial-service days.
Risk 8: Population-targeted scams during the summit window
Why it is a risk
Major events change the cognitive baseline of everyone in the area. People expect more police presence, more SMS notifications, more roadblocks, more parking restrictions, more last-minute messages from banks and transport operators. Criminals exploit precisely this. The Evian window will produce a surge in fake fines, fake summit accreditations, fake press passes, fake parking tickets, fake roadside checks, fake gendarmerie or police phone calls, fake taxi pickups and fake hotel reservations. The targets are not only delegates; they are local residents, employees of nearby organisations, and the elderly relatives of staff who can be socially engineered with AI voice clones.
Recent precedent
A coordinated smishing campaign documented from December 2025 into 2026 sent tens of thousands of fake parking and toll-fine messages across at least twelve countries including France. Fake gendarmerie and Europol Child Protection Unit emails accusing recipients of accessing illegal content remain a recurring French phenomenon, with the Interior Ministry repeatedly clarifying that it never operates this way. On 6 March 2025, a 94-year-old woman in Douzillac, Dordogne was robbed of jewellery and 1,000 euros in cash by two people wearing hats with police markings, claiming to be conducting a welfare check. Fake roadside checkpoints, with plain clothes and a fake gendarmerie armband demanding 135 euros in cash on the spot, have reappeared at every public-confusion moment in France since 2020. For Paris 2024, threat-intelligence vendors documented well over a hundred squatted Olympic-themed domains and dozens of fake ticket-resale sites; expect the same wave of “G7 Evian” branded fraud.
How to protect
Make this a staff and family communication, not just a SOC issue.
- Tell every employee in writing what scams to expect during the summit window: SMS fines, fake gendarmerie calls, doorstep visitors, AI voice calls to relatives.
- Repeat the simple rules: French gendarmes do not collect cash on the spot from residents, the Interior Ministry does not summon you by email, no legitimate institution asks for sensitive information through a clickable link in an SMS, and any unusual call from a relative claiming detention or emergency near Evian should be verified through a callback to a known number.
- Pre-register obvious typosquats of your brand including summit-themed variants, and brief your communications team to monitor for clones of your domain and your executives.
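A sketch of the typosquat work in the last bullet, as an added example that is not part of the original briefing: it builds the look-alike labels to pre-register for a brand, including summit-themed variants, and triages a feed of newly observed domains against them. The brand `lemanbank`, the feed and the token list are constructed, and the registrable-label logic assumes single-label TLDs such as .ch, .fr and .com.

```python
# Common character swaps seen in look-alike domains (illustrative subset).
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5"}

# Assumed event keywords; adjust to the branding actually in circulation.
SUMMIT_TOKENS = ("g7", "evian", "summit")

# Constructed sample feed of newly observed domains.
FEED = [
    "lemanbank.ch",                 # our own domain
    "lemnabank.ch",                 # transposed letters
    "1emanbank.com",                # homoglyph
    "lemanbank-g7.fr",              # summit-themed
    "lemanbank.fr",                 # exact brand on a TLD we do not own
    "secure-lemanbank-login.com",   # brand embedded in a longer label
    "example.org",
    "g7-evian-press.fr",            # summit-themed but unrelated to the brand
]


def label_variants(brand):
    """Map each look-alike label of `brand` to the kind of variation."""
    variants = {}
    for i, ch in enumerate(brand):
        variants.setdefault(brand[:i] + brand[i + 1:], "typo")      # omission
        variants.setdefault(brand[:i] + ch + brand[i:], "typo")     # doubling
        if ch in HOMOGLYPHS:
            swapped = brand[:i] + HOMOGLYPHS[ch] + brand[i + 1:]
            variants.setdefault(swapped, "homoglyph")
        if i + 1 < len(brand):                                  # transposition
            flipped = brand[:i] + brand[i + 1] + ch + brand[i + 2:]
            variants.setdefault(flipped, "typo")
    for tok in SUMMIT_TOKENS:
        for label in (f"{brand}-{tok}", f"{tok}-{brand}",
                      f"{brand}{tok}", f"{tok}{brand}"):
            variants.setdefault(label, "summit-themed")
    variants.pop(brand, None)   # transposing equal letters yields the brand
    variants.pop("", None)
    return variants


def candidate_domains(brand, tlds):
    """Full list of domains to consider for defensive registration."""
    return sorted(f"{label}.{tld}"
                  for label in label_variants(brand) for tld in tlds)


def registrable_label(domain):
    """Naive second-level label; assumes single-label TLDs (.ch, .fr, .com)."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def watch_feed(feed, brand, owned):
    """Return (domain, reason) for feed entries that imitate the brand."""
    variants = label_variants(brand)
    hits = []
    for domain in feed:
        name = domain.lower().strip(".")
        if name in owned:
            continue
        label = registrable_label(name)
        if label in variants:
            reason = variants[label]
        elif label == brand:
            reason = "other-tld"
        elif brand in label:
            reason = "embeds-brand"
        else:
            continue
        hits.append((name, reason))
    return hits


if __name__ == "__main__":
    for name, reason in watch_feed(FEED, "lemanbank", {"lemanbank.ch"}):
        print(f"{reason:14} {name}")
```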
Checklist for the CEO
The CEO’s role during the Evian window is to set thresholds, hold the verification protocol, and ensure no decision is forced by manufactured urgency.
Before 11 June 2026
- Convene a single readiness review with the CISO, General Counsel, Head of Communications, COO, CFO and HR Director; one meeting, clear decisions
- Set in writing the thresholds that trigger public disclosure, regulatory notification and ransom decision-making during summit week
- Confirm cyber-insurance limits, war-and-hostile-act exclusions and notification clauses; obtain written confirmation
- Approve and circulate the voice-and-video verification protocol for unusual financial and sanctions-related instructions; signal that the protocol applies to instructions appearing to come from you
- Pre-approve holding statements for the scenarios most likely to need fast public response: deepfake of the CEO, fabricated press release attributed to the company or a participant, hack-and-leak, opportunistic ransomware
- Decide and communicate the travel-risk policy: default-deny non-essential trips into the Lake Geneva perimeter between 11 and 20 June 2026, with a defined exception process
- Send a clear staff-and-family communication explaining the scams to expect during the summit window and what to do
- Verify the cybersecurity retainer relationships are active through 30 June 2026 minimum: incident response, forensics, public relations, brand-impersonation takedown, legal
- Ask the CISO for a one-page exposure brief: which of our domains, executives, suppliers, hotel partners and transport partners are most likely to be targeted, and what is the residual risk after current controls
- Confirm with the CISO that all findings from the most recent penetration test have been remediated before 1 June
During 11 to 20 June 2026
- Receive a daily situation snapshot from the CISO at a fixed time
- Be reachable through two independent channels with verified key fingerprints; default to Signal or Threema for sensitive messages and calls
- Treat any urgent financial, sanctions or media instruction as suspect by default and verify out of band; the verification protocol applies even when the request appears to come from the board
- If a deepfake of you or a fabricated statement attributed to the company appears, do not engage on social platforms; activate the holding statement and let Communications and Legal handle the response
- If a regulator calls, route through the General Counsel and CISO; do not freelance the timeline
- After 17 June, do not stand down; the highest-value exfiltration window for state actors is the thirty days after a summit closes
Checklist for the CISO
The CISO’s role is to make sure the CEO’s decisions land in operational reality and that the SOC is calibrated for the specific TTPs we expect.
Before 11 June 2026
- Produce the executive exposure brief: brand on actor target lists, executive deepfake exposure, hotel and transport supplier dependencies, regulatory reporting matrix
- Patch inventory specifically against the recent ANSSI and CISA advisories (Ivanti, Palo Alto, Cisco IOS XE, Roundcube, Outlook); confirm by attestation, not assumption
- Close every finding from the most recent penetration test before 1 June; do not enter the summit window with known unfixed issues
- Enforce phishing-resistant MFA on all privileged accounts and all executive accounts; retire SMS-based and TOTP-only methods wherever possible
- Rotate privileged credentials, service accounts and OAuth tokens before 1 June; revoke stale refresh tokens
- For organisations hosting delegates (hotels, venues, suppliers), rotate administrative credentials on the property management system, booking platforms, keycard encoders, Wi-Fi management and surveillance systems, both before and after the summit
- Edge-device hardening pass: out-of-band management network, default-deny ACLs, SNMPv3 only, GuestShell monitoring on Cisco IOS XE, configuration-baseline diff weekly
- Always-on DDoS scrubbing verified through a live test, not a paper review; confirm scrubbing activation triggers include target-list mentions on Telegram
- Document the degraded-mode operating procedures: alternative communication channels for customers, allow-listed partner traffic, manual fallback for internet-dependent workflows
- Incident-response retainer warm: signed scope, named contacts, after-hours number, jurisdiction map covering CH and FR
- Cross-border contacts established and tested: BACS and GovCERT.ch in Bern, ANSSI and CERT-FR in Paris, cantonal cyber police in Geneva, Vaud and Valais, Préfecture de Haute-Savoie, Europol EC3
- Mobile-device hardening completed for all travelling executives, delegates and journalists under our duty of care: Lockdown Mode or Advanced Protection enabled, 2G disabled, fresh patch level (Coruna and DarkSword fixes), Mobile Threat Defence deployed, Mobile Verification Toolkit baseline for highest-risk profiles, daily-restart policy communicated
- Issue Signal or Threema as the default for sensitive messaging and calling; verify key fingerprints out of band
- Burner-device fleet provisioned and tested; travel-router fleet provisioned and tested; Faraday bags issued for sensitive meetings
- Pre-stage signal and voice jammers for sensitive meeting rooms, where local regulation permits
- Brief delegates on hotel hygiene: do not leave anything sensitive in the room, do not use in-room communication infrastructure, unplug in-room smart TVs and voice assistants, ensure mobile data package covers the full stay
- Internal awareness campaign covering deepfake voice and video, fabricated press releases attributed to participants or suppliers, SMS-blaster smishing, fake gendarmerie or police calls, fake roadside checkpoints, QR-code scams on parking and restaurants, fake event accreditation
- Detection content updated: Outlook NTLM relay, ClickFix, anomalous Office equation-editor child processes, anti-recovery commands (vssadmin, wbadmin, bcdedit), GuestShell anomalies, OneDrive and Google Drive command-and-control patterns, Coruna and DarkSword indicators on managed mobile devices
- Brand and domain monitoring extended through 31 August 2026; pre-register typosquats including summit-themed variants
- One end-to-end response rehearsal during May 2026 covering DDoS plus deepfake plus opportunistic ransomware plus regulatory notification
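Two of the detection-content items above (Office equation-editor child processes and the anti-recovery commands vssadmin, wbadmin and bcdedit), sketched as an added example that is not part of the original checklist. The process-creation events are constructed, with field names modelled on Sysmon process-creation records; the five-minute correlation window is an assumption.

```python
import re
from ntpath import basename  # parses Windows paths on any OS

# Arguments that destroy recovery options, per tool. Read-only uses such as
# "vssadmin list shadows" or "bcdedit /enum" are deliberately not matched.
ANTI_RECOVERY = {
    "vssadmin.exe": [r"\bdelete\s+shadows\b", r"\bresize\s+shadowstorage\b"],
    "wbadmin.exe": [r"\bdelete\s+(catalog|systemstatebackup)\b"],
    "bcdedit.exe": [r"recoveryenabled\s+no\b",
                    r"bootstatuspolicy\s+ignoreallfailures\b"],
}


def ev(host, t, parent, image, cmd):
    """Build one constructed process-creation event (Time is epoch seconds)."""
    return {"Host": host, "Time": t, "ParentImage": parent,
            "Image": image, "CommandLine": cmd}


SYS32 = r"C:\Windows\System32"
OFFICE = r"C:\Program Files\Common Files\microsoft shared\EQUATION"

# Constructed sample events.
EVENTS = [
    ev("WS-014", 1000, OFFICE + r"\EQNEDT32.EXE", SYS32 + r"\cmd.exe",
       "cmd.exe /c echo constructed-sample"),
    ev("SRV-FILE01", 5000, SYS32 + r"\cmd.exe", SYS32 + r"\vssadmin.exe",
       "vssadmin.exe Delete Shadows /All /Quiet"),
    ev("SRV-FILE01", 5040, SYS32 + r"\cmd.exe", SYS32 + r"\bcdedit.exe",
       r'"C:\Windows\System32\bcdedit.exe"  /set {default} recoveryenabled No'),
    ev("SRV-FILE01", 5100, SYS32 + r"\cmd.exe", SYS32 + r"\wbadmin.exe",
       "wbadmin delete catalog -quiet"),
    ev("SRV-BKP02", 6000, SYS32 + r"\cmd.exe", SYS32 + r"\vssadmin.exe",
       "vssadmin list shadows"),
    ev("SRV-BKP02", 6010, SYS32 + r"\cmd.exe", SYS32 + r"\bcdedit.exe",
       "bcdedit /enum"),
    ev("SRV-APP03", 7000, SYS32 + r"\cmd.exe", SYS32 + r"\vssadmin.exe",
       "vssadmin delete shadows /for=C:"),
    ev("SRV-APP03", 9000, SYS32 + r"\cmd.exe", SYS32 + r"\wbadmin.exe",
       "wbadmin delete catalog"),
]


def findings_for(event):
    """Return the rule names that fire on a single event."""
    image = basename(event["Image"]).lower()
    parent = basename(event.get("ParentImage", "")).lower()
    # Lower-case and collapse whitespace so spacing tricks do not evade rules.
    cmd = " ".join(event.get("CommandLine", "").lower().split())
    found = []
    if parent == "eqnedt32.exe":
        # The equation editor has no reason to start another process.
        found.append("equation-editor-child")
    if any(re.search(p, cmd) for p in ANTI_RECOVERY.get(image, ())):
        found.append("anti-recovery:" + image[:-4])
    return found


def scan(events):
    """Flat list of (host, time, finding) for every rule hit."""
    return [(e["Host"], e["Time"], f) for e in events for f in findings_for(e)]


def burst_hosts(events, window_s=300):
    """Hosts where two different anti-recovery tools ran within window_s.

    One tool alone may be an administrator; several in quick succession
    is the pattern worth paging on (window is an assumed value).
    """
    per_host = {}
    for host, t, finding in scan(events):
        if finding.startswith("anti-recovery:"):
            per_host.setdefault(host, []).append((t, finding))
    flagged = set()
    for host, hits in per_host.items():
        hits.sort()
        for i, (t1, f1) in enumerate(hits):
            if any(f2 != f1 and t2 - t1 <= window_s for t2, f2 in hits[i + 1:]):
                flagged.add(host)
    return sorted(flagged)


if __name__ == "__main__":
    for row in scan(EVENTS):
        print(row)
    print("page on:", burst_hosts(EVENTS))
```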
During 11 to 20 June 2026
- 24/7 SOC coverage with a named incident commander on rotation; CISO on call
- Daily threat-intelligence briefing at a fixed time; daily review of BACS, ANSSI, GovCERT.ch and partner feeds; Telegram channel monitoring for target-list changes affecting our brand or sector
- Pre-authorised emergency change windows for blocking, isolation and password resets
- Dual-channel reachability for CEO, GC, CFO, COO and Head of Communications, defaulted to Signal or Threema with verified fingerprints
- Voice-and-video verification protocol enforced on every unusual financial or sanctions-related request
- Live monitoring of: hacktivist Telegram channels, clone-domain registrations targeting our brand, deepfake mentions of our executives, fabricated statements attributed to participants or suppliers, SMS-blaster reports near our perimeter, hotel-partner anomalies (PMS errors, keycard log anomalies), mobile-fleet alerts from the MTD platform
- One status snapshot per day to the CEO; clear escalation thresholds documented and respected
- After 17 June, hold posture through 30 June minimum; hunt actively through 31 August 2026 for in-memory implants, suspicious driver signatures, anomalous OAuth grants, persistence in supplier networks, login-page anomalies on your exposed platforms.