1st Case Of Online Killing? Russian Submarine Commander Falls Prey To Fitness Tracking App

Running can kill you! Quite literally. A former Russian Submarine commander was reportedly assassinated after being stalked on the fitness tracking app Strava.

This comes years after the heat map released by Strava through data visualization revealed sensitive information about the location and staffing of military bases and US spy outposts worldwide.

The shooting incident has also brought the spotlight back to ‘Fit Leaking,’ disrupting the confidentiality of the military world.

Experts define Fit Leaking as “when fitness activities, recorded for personal benefit, emit into signals that reveal sensitive and confidential information.” The term was coined by University of Toronto’s Citizen Lab Senior Researcher John Scott-Railton to describe how one company’s “God’s Eye View” of fitness data reveals large amounts of secret and private information.

“The sheer amount of ‘signal’ in fitness tracker data is mind-blowing… the amount of location-aware devices we carry… and hence data we all emit has grown exponentially,” Scott-Railton said on Twitter, talking in the context of the reports about Ukrainian Intelligence tracking Stanislav Rzhitsky, the former commander of the submarine ‘Krasnodar’ of the Black Sea Fleet of the Russian Navy through Strava.

His mistake was being a runner and mountain biker; he followed a regular route through the city he lived in, Krasnodar, Russia, and recorded his races constantly on his account on Strava.

The online sleuths have been calling it a case of ‘Fit Leaking’ as recently a dormant account tagged the Russian commander’s last entry on the app with a “kudos” (the Strava version of ‘Like’). The name of the dormant account was “Кирилл Буданов,” the Cyrillic spelling of Kyrylo Budanov —Ukraine’s shadowy spymaster who heads the country’s intelligence services. Budanov has been credited with a series of intelligence coups before and during the Russian invasion.

Scott-Railton adds: “We don’t yet know whether his fitness tracker use (was the cause for the assassination) of the Russian submarine commander. But we’ve got plenty of examples of Fit Leaking that should raise the alarm. The danger is much more concrete.”

God’s Eye Is Tracking Your Every Run

In one such dangerous incident, Royal Navy officers at Faslane Naval Base, where Britain’s Trident nuclear deterrent is based, inadvertently leaked their details, including when they were onboard nuclear submarines. Strava has around 95 million users across the globe. And it has a feature where a user could have a private profile but still appear in public speed rankings for a particular location. Often, the users are oblivious that their identity is made public.

Strava lets users create “segments,” where short public routes are tagged to geographical coordinates. If someone runs on a route in a “segment,” their time appears in competitive rankings. The personnel who had access to the Faslane Base had created several segments. One of them was even titled “Race to the Home of the UK Submarine Service,” and another was titled “RM BFT,” an abbreviation for Royal Marines basic fitness test.

Strava military data leak
Representational Image

“Leveraging a flaw in Strava, you could track and identify personnel at secret Israeli military, intelligence, and nuclear sites. All you needed to do was create a fake jogger and see who else had exercised in similar areas,” Scott-Railton said while highlighting another security breach caused by Strava.

In June 2022, some unknown operative planted fake ‘segments’ at Israeli military bases. This enabled the person to see who all ran along the route and even track them to other countries. Details of roughly 100 Israeli officers, including names, photos, and movements, were leaked to outsiders through Strava.

This flaw also exposed locations of several highly sensitive sites in Israel, including the precise location of army and air force bases, Mossad headquarters, and military intelligence bases.

Earlier in 2018, the fitness tracking app had introduced a new feature that showed the most popular running routes, and the data revealed a US Army base in the Middle East, where its soldiers were recording runs.

Can You Escape The All-Pervasive Strava?

Much information can be gleaned from geolocation data gathered by Strava’s fitness tracker. One can identify secret military facilities in “dark areas” and specific identifiable behavior patterns of at-risk individuals.

Strava took the military world by storm when it released its data visualization map in 2017 that showed every single activity uploaded by its users – a massive three trillion GPS data points. Strava is a social network for athletes, and the global heatmap was a visualization of over one billion activities from its athletes across land and sea.

Strava heat map/Strava

The ‘global heatmap’ in major cities illuminated the popular running routes. But in conflict regions, the heat map lit up the military bases by aggregating the concentrated activities of exercise-focused individuals- such as military personnel. The heatmap revealed secret military bases for the US and other countries. This raised massive privacy and security concerns prompting Strava to allow its users to conceal their location.

However, the app circumvents this privacy setting by using two other features – Segment and Heatmap. These features allow users to see where other users have run in the past, and they can try to beat other users’ times in specific locations.

“Strava data chilled me. It was easy to profile, identify and track people from exercise routines alone. I still don’t think most folks…or lawmakers understand how invasive it is,” Scott-Railton opines.

Scott-Railton’s research showed that the information could be used to identify a covert military outpost through a consistent pattern of exercise activity and patrol routes at a military base or outside of it. The personnel activity rate at an embassy or installation can be monitored to reveal important information about activities and strategy.

In response to the concerns over the security breach, Strava had suggested that military personnel stay away from its app. Scott-Railton concurs with it. “It’s hard to motivate concern around location privacy. People care. But caring is exhausting when every company oversteps and abuses our location privacy. If we got angry at them all, we’d melt down. Still, if you or a loved one does sensitive things, don’t Strava,” he adds.

  • Ritu Sharma has written on defense and foreign affairs for over a decade. She holds a Master’s Degree in Conflict Studies and Management of Peace from the University of Erfurt, Germany. Her areas of interest include Asia-Pacific, the South China Sea, and Aviation history.
  • She can be reached at ritu.sharma (at) mail.com