It’s been six months since the Nord Stream gas pipelines were ruptured by a series of explosions, leaking tons of methane into the environment and igniting an international whodunit. Russia, the United States, the United Kingdom, and an unnamed pro-Ukrainian group have all been accused of planting explosives on the Baltic Sea pipelines in recent months. But half a year since the sabotage took place, the mystery remains unsolved.
Digital sleuths are stepping in to help provide clarity around bombshell claims about who was behind the attacks. Open source intelligence (OSINT) researchers are using public sources of data in their efforts to verify or debunk the snippets of information published about the Nord Stream explosions. They’re providing a glimpse of clarity to an incident that’s shrouded by secrecy and international politics.
Since early February, multiple media reports have claimed to provide new information about who could have attacked the Nord Stream 1 and 2 pipelines on September 26. However, the reports have largely been based on anonymous sources, including unnamed intelligence officials and leaks from government investigations into the attacks.
First, American investigative journalist Seymour Hersh published claims that the US was behind attacks in a post on Substack. This was followed by reports in The New York Times and German publication Die Zeit claiming a pro-Ukrainian group was responsible. (European leaders have previously speculated Russia could be behind the attacks, and Russia has blamed the United Kingdom.) No country has claimed responsibility for the blasts so far, and official investigations are ongoing.
Each of the recent reports has provided little hard evidence to show what may actually have happened, while helping to fuel speculation. Jacob Kaarsbo, a senior analyst at Think Tank Europa, who previously worked in Danish intelligence for 15 years, says the claims have been “remarkable” but also “speculative” in nature. “In my mind, they don’t really alter the picture,” Kaarsbo says, adding the attacks look highly complex and would likely be “very hard to pull off without it being a state actor or at least with state sponsorship.”
In the absence of official information, OSINT researchers have been trying to plug the gaps by examining the claims of the new reports with public data. OSINT analysis is a powerful way to determine how an event may have unfolded. For instance, flight- and ship-tracking data can reveal movements around the world, satellite images show Earth in near real-time, while small clues in the backgrounds of photos and videos can reveal where they were taken. The techniques have uncovered Russian assassins, spotted North Korea evading international trading sanctions, identified potential war criminals, and documented pollution.
For the Nord Stream blasts, there was little OSINT available. Researchers identified “dark ships” in the area. But underwater, there are obviously limited data sources that can be tapped into—cameras and sensors don’t monitor every inch of the pipelines. “OSINT probably won’t break this case open, but it can be used to verify or strengthen other hypotheses,” says Oliver Alexander, an analyst who focuses on OSINT and has been closely looking at the Nord Stream blasts. “I do think that it’s more of a verification tool.”
Alexander and others have been examining the claims made so far. The New York Times and Die Zeit both published stories on March 7 claiming a Ukrainian group was behind the sabotage. (Ukraine has denied any involvement.) Die Zeit published more details, claiming German investigators searched a yacht rented from a company based in Poland, knew where the yacht sailed from, and that six people were involved in the operation, including two divers. All of them used forged passports, the publication reported.
The details were enough for OSINT researchers to start tracking down which yacht could have been used. Alexander, as well as contributors to the open-source investigative outlet Bellingcat, started following the breadcrumbs, narrowing down potential vessels. A follow-up report soon named the boat under suspicion as the Andromeda, a 15-meter-long yacht. Webcam footage from the harbor where it is believed the Andromeda was docked shows the movement of a boat around the time reported by the publications. (The Andromeda is reportedly too small to be required to use ship-tracking systems.) Years-old videos and photos of the boat have surfaced. The sleuthing adds public details to the reports.
Similarly, OSINT has been used to debunk Hersh’s story claiming the United States was behind the explosions. (Hersh has defended his article, while US officials have said it was false.) Alexander has used, among other things, ship-tracking data to show Norwegian ships were “accounted for” and not in a “position to have placed the explosives on the Nord Stream pipeline, as claimed by Hersh.” Another detailed article from Norwegian journalists has similarly poured cold water on Hersh’s claims, partly using satellite data.
The sabotage was always likely to be controversial and surrounded by rumors: Russia’s full-scale invasion of Ukraine in February 2022 has heated global tensions and put pressure on diplomats around the world. There has been a whirlwind of disinformation around the blasts, further muddying the waters. Mary Blankenship, a disinformation researcher at the University of Nevada, Las Vegas, who has analyzed online conversations around the war, says the “high uncertainty and high stakes” of the incident help to fuel the spread of disinformation.
“This is an issue that exploits existing worries, tensions, and grievances within European audiences,” Blankenship says. Initially, the earliest disinformation on Twitter about the explosions came from conspiracy theorists, Blankenship says, who shared a pre-war statement from US president Joe Biden, where he said there would be an “end” to Nord Stream 2 if Russia invaded Ukraine. Since then, Russia and China have taken to sharing unproven theories about the sabotage, the researcher says.
“Disinformation actors, but also official representatives of the [Russian] regime, stepped up their efforts on every news story that was published on this—however contradictory about the origins of the blast—be it a blog post by Seymour Hersh or a New York Times article,” says Peter Stano, an EU spokesperson, adding most disinformation narratives have circled around the idea that “the US is to blame.” The EU’s disinformation monitoring project, EUvsDisinfo, has flagged more than 150 pieces of disinformation linked to the Nord Stream explosions, including those building on Hersh’s story. “EUvsDisinfo experts also found that Moscow considers the recent materials in German-language media a hoax,” Stano says.
While OSINT is helping to provide bits of extra detail on the claims about the Nord Stream attacks, it is likely that reports debunking dubious claims reach fewer people than disinformation or claims that are hard to verify. “It does not nearly get the same level of engagement,” Blankenship says. “You can have a book’s worth of evidence for it, and they would still find a way to discount it.”
And while OSINT research can answer some questions, it has its limits and can also raise new ones. Kaarsbo, the former Danish intelligence official, and other experts have pointed out that the Andromeda is a relatively small yacht, and it may have been unable to carry the amount of explosives needed to blow the pipelines. “The Andromeda is quite likely a piece of the puzzle, but I don’t think it’s a bigger piece of the puzzle that everyone makes it out to be,” Alexander says. “I think there are a lot of the big pieces missing.” Detailed sonar imagery of the damaged pipes would help people to understand what happened underwater, Alexander adds.
Ultimately, there is still very little hard public evidence—either from governments or publicly available online—about who may have been behind the attacks. Behind closed doors, intelligence agencies likely have more data and theories on the potential culprits. However, investigators in Sweden and Denmark refused to comment on their progress, while Germany’s Office of the Federal Prosecutor confirmed it had searched a yacht and is continuing to examine for explosives. German officials have also said there could be a chance of a “false flag” operation to smear Ukraine. And when the countries complete their investigations, there’s no guarantee they will publish their findings or evidence to back them up. The mystery continues.
