Blogs

Blog

Cyber and Physical Risks Targeting the 2026 Winter Olympics

In this post we analyze the multi-vector threat landscape of the 2026 Winter Olympics, examining how the Games’ dispersed geographic footprint and high digital complexity create unique potential for cyber sabotage and physical disruptions.

The Milano-Cortina 2026 Winter Olympics represent a historic milestone as the first Games co-hosted by two major cities. However, the event’s expansive geographic footprint—covering 22,000 square kilometers across northern Italy—presents a complex security environment. From the metropolitan centers of Milan to the alpine peaks of Cortina d’Ampezzo, security forces are contending with a multi-vector threat landscape.

Kinetic and Physical Security Challenges

The geographically dispersed nature of the Milano-Cortina 2026 Winter Games also creates unique physical security challenges. Because venues are spread across thousands of square kilometers of the Alps, securing transit corridors and ensuring rapid emergency response across different Italian regions—including Lombardy, Veneto, and Trentino—is an incredible logistical hurdle. New tunnels, increased train services, and extended bus routes have been welcomed but create new potential targets for physical disruption by threat actors or protestors.

Terrorist and Extremist Threats

Flashpoint has not identified any terrorist or extremist threats to the Winter Olympic Games. However, lone threat actors in support of international terrorist organizations or domestic violence extremists remain a persistent threat due to the large number of attendees expected and the media attention that this event will attract.

Authorities in northern Italy are investigating a series of sabotage attacks on the national railway network that coincided with the opening of the 2026 Winter Olympic Games. The coordinated incidents—which included arson at a track switch, severed electrical cables, and the discovery of a rudimentary explosive device—caused delays of over two hours and temporarily disabled the vital transport hub of Bologna.

Protests

Flashpoint analysts identified several protests targeting the 2026 Winter Olympics:

• US Presence and ICE Backlash: Hundreds of demonstrators have participated in protests in central Milan to demand that US ICE agents withdraw from security roles at the upcoming Winter Olympics.
• Anti-Olympic and Environmental Activism: The most organized opposition comes from the Unsustainable Olympics Committee. They have already staged marches in Milan and Cortina, with more planned for February.
• Pro-Palestinian Groups: Organizations such as BDS Italia are actively campaigning to boycott the games, demanding that Israel not be permitted to participate. Other pro-Palestinian groups have attempted to disrupt the Torch Relay in several cities and are expected to hold flash mob-style demonstrations in Milan’s Piazza del Duomo during the Opening Ceremony.
• Labor Strikes: Italy frequently experiences transport strikes, which often fall on Fridays. Because the Opening Ceremony is on Friday, February 6, unions are leveraging this for maximum impact. An International Day of Protest has been coordinated by port and dock workers across the Mediterranean for February 6.
  

On February 7, a massive protest of approximately 10,000 people near the Olympic Village in Milan descended into violence as a peaceful march against the Winter Games ended in clashes with Italian police. While the majority of demonstrators initially focused on the environmental destruction caused by Olympic infrastructure, a smaller group of masked protestors engaged security forces with flares, stones, and firecrackers.

Cyber Threats Facing the 2026 Winter Olympics

The Milano-Cortina 2026 Winter Olympics will be among the most digitally complex global events, making it a prime target for cyberattacks. The greatest risks stem from familiar tactics such as phishing, spoofed websites, and business email compromise, which exploit human trust rather than technical flaws. With billions of viewers and a vast network of cloud services, vendors, and connected systems, the games create an expansive attack surface under intense operational pressure.

Italy blocked a series of cyberattacks targeting its foreign ministry offices, including one in Washington, as well as Winter Olympics websites and hotels in Cortina d’Ampezzo, with officials attributing the attempts to Russian sources. Foreign Minister Antonio Tajani confirmed the attacks were prevented just days before the Games’ official opening, which began with curling matches on February 4. 

Past Olympic Games show a clear pattern of heightened cyber activity, including phishing campaigns, distributed denial-of-service (DDoS) attacks, ransomware, and online scams targeting both organizers and the public. A mix of cybercriminals, advanced persistent threats, and hacktivists is expected to exploit the event for financial gain, espionage, or publicity. Experts emphasize that improving security awareness, verifying digital interactions, and strengthening supply chain defenses are critical, as the most damaging incidents often arise from ordinary threats amplified by scale and urgency.

Staying Safe at the 2026 Winter Games

The security success of Milano-Cortina 2026 relies on the integration of real-time intelligence, advanced technological safeguards, and public vigilance. As the Games proceed, the intersection of cyber-sabotage and physical protest remains the most likely source of operational disruption.

To stay safe at this year’s Games, participants should:

1. Download Official Apps: Install the Milano Cortina 2026 Ground Transportation App and the Atm Milano app for real-time updates on transit, road closures, and “guaranteed” travel windows during strikes.
2. Plan Around Friday Strikes: Be aware that transport strikes (Feb 6, 13, and 20) typically guarantee services only between 6:00 AM – 9:00 AM and 6:00 PM – 9:00 PM. Plan your venue transfers accordingly.
3. Secure Your Digital Footprint: Avoid public Wi-Fi at major venues. Use a VPN and ensure Multi-Factor Authentication (MFA) is active on all your ticketing and banking accounts.
4. Stay Clear of Protests: While most demonstrations are expected to be peaceful, they can cause sudden police cordons and transit delays.
5. Respect the Drone Ban: Unauthorized drones are strictly prohibited over Milan and venue clusters. Leave yours at home to avoid heavy fines or interception by security units.

Stay Safe Using Flashpoint

While there are no current indications of imminent threats of extreme violence targeting the Milano-Cortina 2026 Winter Olympics, the event’s vast geographic footprint and digital complexity demand constant vigilance. Securing an event that spans 22,000 square kilometers requires more than just a physical presence; it necessitates a multi-faceted approach that bridges the gap between digital and kinetic risks.

To effectively navigate the intersection of cyber-sabotage, civil unrest, and logistical challenges, organizations and attendees must adopt a comprehensive strategy that integrates real-time intelligence with proactive security measures. Download Flashpoint’s Physical Safety Event Checklist to learn more.

Request a demo today.

Blogs

Blog

Protecting the Big Game: A Threat Assessment for Super Bowl LX

This threat assessment analyzes potential physical and cyber threats to Super Bowl LX.

Each year, the Super Bowl draws one of the largest live audiences of any global sporting event, with tens of thousands of spectators attending in person and more than 100 million viewers expected to watch worldwide. Super Bowl LX, taking place on February 8, 2026 at Levi’s Stadium, will feature the Seattle Seahawks and the New England Patriots, with Bad Bunny headlining the halftime show and Green Day performing during the opening ceremony.

Beyond the game itself, the Super Bowl represents one of the most influential commercial and media stages in the world, with major brands investing in some of the most expensive advertising time of the year. The scale, visibility, and economic significance of the event make it an attractive target for threat actors seeking attention, disruption, or financial gain, underscoring the need for heightened security awareness.

Cybersecurity Considerations

At this time, Flashpoint has not observed any specific cyber threats targeting Super Bowl LX. Despite the absence of overt threats, it remains possible that threat actors may attempt to obtain personal information—including financial and credit card details—through scams, malware, phishing campaigns, or other opportunistic cyber activity.

High-profile events such as the Super Bowl have historically been leveraged as bait for cyber campaigns targeting fans and attendees rather than league infrastructure. In October 2024, the online store of the Green Bay Packers was hacked, exposing customers’ financial details. Previous incidents also include the February 2022 “BlackByte” ransomware attack that targeted the San Francisco 49ers in the lead-up to Super Bowl LVI.

Although Flashpoint has not identified any credible calls for large-scale cyber campaigns against Super Bowl LX at this time, analysts assess that cyber activity—if it occurs—is more likely to focus on fraud, impersonation, and social engineering directed at ticket holders, travelers, and high-profile attendees.

Online Sentiment

Flashpoint is currently monitoring online sentiment ahead of Super Bowl LX. At the time of publishing, analysts have identified pockets of increasingly negative online chatter related primarily to allegations of federal immigration enforcement activity in and around the event, as well as broader political and social tensions surrounding the Super Bowl.

Online discussions include calls for protests and boycotts tied to perceived Immigration and Customs Enforcement (ICE) involvement, as well as controversy surrounding halftime and opening ceremony performers. While sentiment toward the game itself and associated events remains largely positive, Flashpoint continues to monitor for escalation in rhetoric that could translate into real-world activity.

Potential Physical Threats

Protests and Boycotts

Flashpoint analysts have identified online chatter promoting protests in the Bay Area in response to allegations that Immigration and Customs Enforcement (ICE) agents will conduct enforcement operations in and around Super Bowl LX. A planned protest is scheduled to take place near Levi’s Stadium on February 8, 2026, during game-day hours.

At this time, Flashpoint has not identified any calls for violence or physical confrontation associated with these actions. However, analysts cannot rule out the possibility that demonstrations could expand or relocate, potentially causing localized disruptions near the venue or surrounding infrastructure if protesters gain access to restricted areas.

In addition, Flashpoint has identified online calls to boycott the Super Bowl tied to both the alleged ICE presence and controversy surrounding the event’s halftime and opening ceremony performers. Flashpoint has not identified any chatter indicating that players, NFL personnel, or affiliated organizations plan to boycott or disrupt the game or related events.

Terrorist and Extremist Threats

Flashpoint has not identified any direct or credible threats to Super Bowl LX or its attendees from violent extremists or terrorist groups at this time. However, as with any high-profile sporting event, lone actors inspired by international terrorist organizations or domestic violent extremist ideologies remain a persistent risk due to the scale of attendance and global media attention.

Super Bowl LX is designated as a SEAR-1 event, necessitating extensive interagency coordination and heightened security measures. Law enforcement presence is expected to be significant, with layered security protocols, strict access control points, and comprehensive screening procedures in place throughout Levi’s Stadium and surrounding areas. Contingency planning for crowd management, emergency response, and evacuation scenarios is ongoing.

Mitigation Strategies and Executive Protection

Given the absence of specific, identified threats, mitigation strategies for key personnel attending Super Bowl LX focus on general best practices. Security teams tasked with executive protection should remove sensitive personal information from online sources, monitor open-source and social media channels, and establish targeted alerts for potential threats or emerging protest activity.

Physical security teams and protected individuals should also familiarize themselves with venue layouts, emergency exits, nearby medical facilities, and law enforcement presence, and remain alert to changes in crowd dynamics or protest activity in the vicinity of the event.

The nearest medical facilities are:

• O’Connor Hospital (Santa Clara Valley Healthcare)
  
• Kaiser Permanente Santa Clara Medical Center
  
• Santa Clara Valley Medical Center
  
• Valley Health Center Sunnyvale

Several of these facilities offer 24/7 emergency services and are located within a short driving distance of the stadium.

The primary law enforcement facility near the venue is:

• Santa Clara Police Department

As a SEAR-1 event, extensive coordination is expected among local, state, and federal law enforcement agencies throughout the Bay Area.

Stay Safe Using Flashpoint

Although there are no indications of any credible, immediate threats to Super Bowl LX or attendees at this time, it is imperative to be vigilant and prepared. Protecting key personnel in today’s threat environment requires a multi-faceted approach. To effectively bridge the gap between online and offline threats, organizations must adopt a comprehensive strategy that incorporates open source intelligence (OSINT) and physical security measures. Download Flashpoint’s Physical Safety Event Checklist to learn more.

Request a demo today.

Blogs

Blog

Qakbot Takedown: A Brief Victory in the Fight Against Resilient Malware

Prior botnet takedowns like Emotet and TrickBot have shown that sophisticated malware operations, like Qakbot, can often rebuild infrastructure and return from disruptions in new forms

Qakbot takedown and seizure

A global law enforcement operation has successfully disrupted the infrastructure of the Qakbot botnet, striking a major—though likely temporary—blow to a dominant player in the cybercriminal underground supply chain. 

Qakbot, familiarly Qbot, has been a major cyber threat since 2007, infecting victims’ computers to steal financial information and distribute additional malware payloads like ransomware. As a result of the takedown, more than 700,000 infected devices worldwide were identified and cleaned of the malware. The DOJ also announced the seizure of $8.6M in cryptocurrency in illicit profits.

While there is no doubt that the Qakbot takedown is a major win in the fight against cybercrime, it may only provide short-term relief in the fight against a notoriously resilient cybercriminal ecosystem.

‘Swiss Army knife’

A Swiss Army knife of cybercrime tools, Qakbot was a complex malware that opened remote access to victims’ systems, stole credentials and financial information, and downloaded additional malware payloads. Its modular architecture enabled frequent updates to add new capabilities over its 15+ years of operation.

“The collaborative endeavors of these authoritative bodies exemplify the power of a comprehensive, multi-agency approach, designed to maximize its impact..”

Ian Gray, VP Of Intelligence

Qakbot has been a versatile workhorse for cybercriminals. Its banking trojan functionality has been used to pilfer payment information and intercept financial transactions. As a loader, it distributed ransomware such as ProLock to extort victims.

Qakbot has also powered large-scale spam email campaigns and brute force attacks. Its worm-like spreading kept it entrenched in infected networks. By providing the backdoor access and distribution channel for other malware, Qakbot played a key supporting role in the cybercrime ecosystem. Botnets like Emotet and TrickBot operated similarly, loading additional threats onto compromised systems. These jack-of-all-trades botnets have proven lucrative for their criminal operators.

A history of temporary relief

Prior botnet takedowns like Emotet and TrickBot have shown that sophisticated malware operations can often rebuild infrastructure and return from disruptions in new forms.

In the case of Emotet, the botnet came back online in 2022 using new techniques after its infrastructure was dismantled in 2021. TrickBot also persisted despite takedown attempts and remains an active threat. This resiliency highlights the challenges law enforcement faces in permanently eliminating cyber threats.

While takedowns temporarily degrade capabilities, dedicated cybercriminal groups adapt to avoid further disruption. New malware families also inevitably emerge to fill the gaps left by larger takedowns. For example, BazarLoader and ZLoader rose to prominence as loader malware after the Emotet takedown.

Yet despite their disruptions, resilient botnets often return and new ones emerge. After prior actions against Emotet and TrickBot, the lingering demand in underground markets brought them back in adapted new forms. Bots remain attractive tools for cybercriminals thanks to their versatility, automation, and money generating potential.

While Qakbot’s infrastructure was disrupted, its operators may attempt to rebuild or evolve their techniques. Sustained pressure on botnet financial flows, developer communities, and other aspects of the cybercrime supply chain is needed to deter future attacks. For now, the coordinated Qakbot takedown bought time and degraded the capabilities of a dominant cybercrime player.

The fight against cybercrime must be persistent and comprehensive

The Qakbot takedown was effectively coordinated among global governments, including France, Germany, Latvia, Romania, the Netherlands, the UK, and the US, as well as the private sector. The collaborative endeavors of these authoritative bodies exemplify the power of a comprehensive, multi-agency approach, designed to maximize its impact.

Law enforcement and the private sector should to continue coordinating takedowns while also focusing on detecting new malware variants early, disrupting communication channels, and following the money trails of criminal enterprises.

Cyber hygiene and threat awareness across organizations must also improve to reduce vulnerability to malware infections, including loaders and trojans that distribute threats like Qakbot. Technical controls like endpoint detection, network monitoring, and patching are also key.

Ultimately, defeating cybercrime requires comprehensive strategy across law enforcement operations, cybersecurity practices, and international collaboration. The Qakbot takedown represents meaningful progress, but the world must remain vigilant against an adaptable threat landscape.

Get Flashpoint on your side

Flashpoint Ignite enables organizations to proactively identify and mitigate cyber and physical risk that could imperil people, places, and assets. To unlock the power of great threat intelligence, get started with a free Flashpoint trial.

Request a demo today.

Blogs

Blog

Lost in Transition: A Timeline of Failed Successors to Breach and Raid Forums

The legacy of Raid, Breach, and their ‘successors’ provides an important lens into how data breach communities function and the real-life implications of the information they traffic

Race to the bottom

Starting June 24, 2023, visitors to the former domain of Raid Forums were greeted by the avatar of arrested administrator “pompompurin” in tiny handcuffs—an unprecedented trolling of sorts by authorities. 

Pompompurin, whose real name is Conor Brian Fitzpatrick, became a highly reputable threat actor on the now-defunct top-tier hacking forum Raid Forums and upon its shutdown, founded Breach Forums. Breach Forums continued the legacy of Raid Forums, both as a fixture among the data breach communities and as a law enforcement target. 

The founder and administrator of Raid Forums, Diogo Santos Coelho (aka “omnipotent), was arrested on January 31, 2022. Fitzpatrick, who has been operating on English- and Russian-language forums under the pompompurin moniker since at least October 2020, was arrested by federal agents on March 15, 2023.

Now, both Raid Forums and Breach Forums are no more. And ever since their seizures, other threat actors, some of whom were involved in the Breach and Raid, have attempted to continue their legacies in the purpose and services they provide. But it has thus far been a race to the bottom. 

Insight into the illicit spaces where cyber threat actors operate is vital to any threat intelligence operation. The legacy of Raid, Breach, and their “successors” provides an important lens into how data breach communities function and the real-life implications of the information they traffic. 

Timeline

Here is a summary of the recent events that we have observed within cybercriminal communities related, in some way, to Breach Forums and its legacy as a popular home for threat actors. 

• March 17, 2023: Breach Forums administrator “baphomet” decides to shut down the forum following the March 15 arrest of administrator pompompurin. The Washington Post included Flashpoint analysis in its March 22 coverage on the end of Breach Forums.

• March 29, 2023: PwnedForum, an identically formatted clone of Breach Forums, launches and quickly gains users and shares compromised data. The forum’s creator, “Sinistery,” solicited forum administrators and developers to volunteer to operate the site. 
• However, the forum was quickly shut down on April 4, 2023, following a disagreement between Sinistery and forum administrators. A message attempting to sell PwnedForum was briefly advertised on the website before closing. One of the forum’s former main administrators, “Frost,” stated that they were working on a new forum separate from PwnedForum, though they did not provide a timeline.

• May 29, 2023: “Impotent,” the forum administrator Exposed, leaks the database of 478,870 Raid Forums users.

• June 4, 2023: PwnedForums posted on Telegram that the notorious leak collective, ShinyHunters, is launching a forum with former Breach Forums admins.
• Also on June 4, a user posted an advertisement for the Exposed forum, calling it the “new” Breach Forums and inviting the Russian hacktivist collective Killnet to join the forum.

• June 12, 2023: ShinyHunters launches a new forum called Breach Forums—eponymous by name only.

• That very same day, Exposed Forums shut down. Its founders, “Impotent” and “Purism,” share that they will no longer support the development of Exposed Forums while cautioning against using the new Breach Forums due to operational security concerns.

• June 18, 2023: Breach Forums is hacked, and the data breach exposes the personal information of over 4,000 registered members.
• OnniForums, which appears to have launched in April 2023, took responsibility for the attack. It also claimed to have breached the forum Exposed, using a zero-day vulnerability in the open source forum software MyBB. The data leak included login keys, usernames, email addresses, IP addresses, password hashes, registration dates, members’ last visits and posts, number of posts, last activity, and social media handles with profile links.

• June 24, 2023: The user database of DarkForums, a relatively new and unknown forum, is breached and leaked, joining the ranks of Raid Forums and the new Breach Forums. 

Though it is difficult to assess if any of these forums will sufficiently fill the void of the data breach communities that Raid Forums provided, threat actors continue to start new darknet venues—a perpetual cycle that shows the resiliency of illicit communities and forums, despite law enforcement, in-fighting, and the adversarial nature of these communities that lends itself to, well, data breaches. Though there may not be a centralized venue for data breaches, it will not be for a lack of trying … even if it means leaking the databases of their competitors.

Get Flashpoint on your side

Flashpoint’s suite of actionable intelligence solutions enables organizations to proactively identify and mitigate cyber and physical risk that could imperil people, places, and assets. To unlock the power of great threat intelligence, get started with a free Flashpoint trial.

Request a demo today.

Blogs

Blog

Days of Chaos: How OSINT Helps Us Understand the Putin-Prigozhin Schism

Social media and messaging platforms like Telegram continue to play a key role in understanding events, rumors, and ideas as they unfold in the Russia-Ukraine war

Putin Vs. Prigozhin

The once-cordial relationship between Vladimir Putin and Yevgeny Prigozhin, commonly known as “Putin’s chef,” has soured completely, marking one of the most compelling storylines in Russia’s now 16-month-long invasion of Ukraine. This particular conflict, however, played out in Russia on June 23 and lasted a scintillating ~36 hours, ending in a schism whose implications continue to reverberate across the world, especially in Russia.

Social media and messaging platforms like Telegram continues to play a key role in helping individuals and organizations alike understand events, rumors, and ideas as they unfolded, often in real time. As we describe in this article, and as we highlighted in our popular report on the role of open-source intelligence (OSINT) in the Russia-Ukraine War, organizations are rightfully viewing OSINT as a key element of their intelligence and security operations and leveraging it to understand organizational risk as it relates to the cyber, physical, and informational battlefields of this war.

Let’s zoom in on two crucial days—June 23 and June 24—of the conflict between Putin and Prigozhin and examine the importance of OSINT in understanding the events, then and now.

June 23: Wagner Accuses MOD of Missile Strike, Potential Military Coup Brews

On June 23, Yevgeny Prigozhin, the founder of the paramilitary company Wagner Group, accused Russia’s Ministry of Defence (MOD) and its leader, Sergei Shoigu, of conducting a missile strike on his mercenaries. Prigozhin claimed that the strike resulted in numerous fatalities. He characterized the MOD as “evil” and called for those responsible to be held accountable. It was unclear whether this move should be classified as a coup, insurrection, mutiny, or hardline bargaining tactic at the time.

In retaliation, Prigozhin has appeared to openly advocate for armed resistance against the MOD, adding fuel to an already tense stand-off. Prigozhin warned that “the next move will be ours,” and that those who are responsible for the deaths of the Wagner troops killed today, as well as the deaths of many tens of thousands of Russian soldiers, will be “punished” and “justice” will be “returned,” both to Russia’s armed forces and all of Russia. The MOD has rejected these accusations, claiming that they “do not correspond to reality” and labeling them as an “informational provocation.”

Round 2: #Shoigu hits back.

"All the video frames distributed on social networks on behalf of Yevgeny #Prigozhin about the alleged 'strike by the Russian Defense Ministry on the rear camps of the PMC Wagner” do not correspond to reality and are an informational provocation. pic.twitter.com/pBIPdFEdLc

— Jason Corcoran (@jason_corcoran) June 23, 2023

The current events, particularly the Wagner Group turning on Putin, can be traced back to the devastating fighting at Bakhmut, where the Wagner Group suffered heavy losses. This battle resulted in significant costs and losses for Russia.

June 24: Prigozhin’s March To Moscow

On June 24, Prigozhin announced that Wagner Group, the private military company (PMC) he leads, would cease its march on Moscow, ending what has been widely regarded as an armed insurrection and potential coup attempt targeting Russia’s military and government leadership.

In an interesting twist, Belarusian President Lukashenko stepped in, providing a means for Wagner to continue operating in a “legal” manner. This intervention prompted the move of Wagner Group and Prigozhin to Belarus. This is particularly noteworthy as PMCs are technically illegal under Article 359 of the 1996 Russian Criminal Code. As a result of the negotiations, the sides agreed that a “bloodbath” on Russian territory should be averted and de-escalatory steps should be taken. Prigozhin agreed that Wagner would halt its advance on Moscow, which Prigozhin claims Wagner got within 200 kilometers of, and turn back to “go in the opposite direction to [their] field camps.” In return, Wagner personnel would be granted “security guarantees.” 

Prigozhin claims that Wagner had not spilled “a single drop of blood of our fighters” since the start of their march on Russia the day prior. However, Prigozhin claims that Russia’s military had attempted to fire at the PMC during their march, reportedly downing at least one and potentially multiple Russian military helicopters. There are also reports of a fire at a fuel depot in Voronezh, which may have been hit by a Russian helicopter.

Wagner troops seized control of multiple military and administrative buildings in the Russian city of Rostov-on-Don early on Saturday morning and had since reportedly reached Voronezh, which lies 500 kilometers north of the city and on the way to Moscow. On June 24, Russian media reported that Wagner was preparing to leave Rostov-on-Don.

Since then, the Kremlin has said that Prigozhin would not have to face charges in Russia, but he has been dubbed a “traitor” by Putin. As of this publishing, Prigozhin is allegedly in Belarus, according to the country’s President, Lukashenko, who brokered the deal on Prigozhin behalf.

Concluding thoughts

In today’s dynamic geopolitical climate, staying ahead of the curve necessitates more than just monitoring mainstream media. Open-source intelligence collections have emerged as a game-changing tool for keeping abreast of the latest events in Ukraine and Russia, which can help various organizations and sectors sift through vast amounts of information, quickly filter out the noise, and deliver the most salient insights in real-time. The recent events in Russia showcase the value of this intelligence resource in offering a multifaceted perspective on ground realities. 

Get Flashpoint on your side

Flashpoint’s suite of actionable intelligence solutions enables organizations to proactively identify and mitigate cyber and physical risk that could imperil people, places, and assets. To unlock the power of great threat intelligence, get started with a free Flashpoint trial.

Request a demo today.

Blogs

Blog

5 Reasons Taiwan Is a Growing Source of US-China Tension

Five key indicators that may represent current and future escalations in US-China tensions related to Taiwan. 

Introduction

At the end of last year, Flashpoint correctly forecasted that Taiwan would prove critical to US-China relations. In the same way its asserted authority over Hong Kong, recovering Taiwan, we wrote, would also continue to be a primary pillar of China’s geopolitical strategy.

Fast forward to the present-day, as US-China tensions around the Taiwan Strait are elevated—buttressed by observed trends that may indicate that an increase in Chinese aggression around the Taiwan Strait is likely within the next 6-12 months. 

Here are five key indicators that may represent current and future escalations in US-China tensions related to Taiwan. 

1) Xi’s Third Term and the NPC

China’s National People’s Congress (NPC), scheduled for October 16, is held by the Chinese Communist Party every 5 years. It is considered to be the largest and most important time period for the CCP—this is when it typically announces political priorities as well as senior leadership appointments. This year’s NPC will be the 20th conference since the Party’s founding in 1921; without a planned successor, President Xi will take a third term—a first in CCP history since term limits were officially abolished by President Xi himself.

President Xi has remained vocal about his desire to complete reunification with Taiwan, which was most recently outlined in China’s most recent whitepaper, “The Taiwan Question and China’s Reunification in the New Era.” Notably, this is the first whitepaper that omits China’s desire to reunify with Taiwan peacefully, suggesting that an attempt to forcefully reunify is possible.

2) China’s Show of Might in the Taiwan Strait

Directly following the Speaker Pelosi’s August trip to Taipei, China’s military, the PLA, scheduled a series of live-fire drills around Taiwan, the most impactful particularly occurring from August 4-7 that included short, unprecedented incursions into the “median line” dividing Taiwan from China.

China’s air and sea exercises included several frigates, fighter jets, drones, and cyber attacks, and from the Chinese perspective, demonstrated China’s ability to encircle Taiwan swiftly and effectively on the world stage. The 22 ballistic missiles fired around Taiwan—five of which landed in Japan’s Exclusive Economic Zone (EEZ)—were the first launched near Taiwan since 1996. Additional military exercises around Taiwan occured on August 15, coinciding with the visit of five senior lawmakers from the US Congress.

3) US-Taiwan Economic Partnership

On August 17, the US government announced its intention to begin formal trade negotiations with Taiwan to support US trade facilitation, including its support of state-owned small to medium enterprises in Taiwan. Though the US has maintained that its policy towards Taiwan remains unchanged, the Biden administration has unveiled new initiatives like these to suggest a deepening of the US-Taiwan partnership due to mutually perceived threats to democracy in the Indo-Pacific region. 

On August 30, the Biden administration introduced another lever to its cooperation with Taiwan, announcing a planned $1B arms package with the island nation that will reportedly include “60 anti-ship missiles and 100 air-to-air missiles.” The package, officially approved by Congress on September 2, signals a commitment by the US to help Taiwan defend itself in the event of conflict with China. 

4) Taiwan Ups Fefense Spending

Taiwan continues to prepare its military for an increased likelihood of conflict with China, including a sharp increase in its announced FY2023 defense budget. On August 25, Taiwan said that it will increase its military budget by 13.9 percent—approximately triple its usual four-to-five percent increase year over year. Several aspects of Taiwan’s military are set to be modernized as well, including its naval capabilities, which will be a key component in any kinetic conflict with China.

5) China Cutting Key Diplomatic Channels with US 

China has made a handful of quiet, diplomatic moves that signal its unhappiness with the current state of US-China relations, including severing cooperation with the US on key mutually beneficial touchpoints, such climate change and counternarcotics. 

On August 25, US Deputy Secretary of State Wendy Sherman met with China’s Ambassador to the US, Qin Gang, to discuss China’s moves to cut diplomatic communication with the US. According to Chinese officials in Beijing, these moves were a series of “demarches” made by China regarding several recent US CODEL visits to Taiwan, including US Indiana Governor Holcomb’s August visit to Taiwan to discuss US-Taiwan semiconductor cooperation.

APAC Intelligence that Drives Decision-Making

To ​see firsthand how Flashpoint can help your organization leverage APAC-centric intelligence to protect critical assets and stakeholders, sign up for a free trial today.

Request a demo today.