Today's briefing:

  • Canada linked two foreign intelligence services to GTA hitman networks

  • A Minnesota direct action group built professional-grade counter-surveillance infrastructure

  • London SMS blaster organizer sentenced to 48 months for directing fraud operation

Welcome to your weekly briefing.

Criminal networks and state actors are moving in the same lanes more often now. The line between a hired criminal and a directed operative is blurry by design, and the cases this week show that blur is operational policy, not a side effect. The tradecraft is real, the pipelines are documented, and the person carrying the threat to your principal's door may not appear on any list you know to check.

TOP STORY

The Production Model

By the time Canada expelled six Indian diplomats in October 2024, the RCMP and CSIS had mapped what was behind it: at minimum two foreign intelligence services — Indian and Iranian — running parallel proxy networks through overlapping criminal infrastructure in Toronto, Vancouver, and Ottawa. The June 2023 murder of Sikh activist Hardeep Singh Nijjar in Surrey, BC surfaced the pattern publicly, but investigations confirmed the infrastructure predated Nijjar by at least 18 months.

The model works like this: a foreign intelligence service contacts an intermediary in the organized crime ecosystem of the target's city. That intermediary identifies a young man with a debt, an immigration problem, or a gang exposure. He gets a handler, a device, a route, and a payment structure. Canadian court records from 2024 and 2025 document the mechanics: single-point-of-contact handlers, compartmentalized cells, cryptocurrency payments, encrypted operational briefings on disposable devices. Classic clandestine tradecraft, transposed into the criminal underworld of a G7 country.

The recruits were selected precisely because they fail every conventional threat filter. Standard profiling looks for ideological markers, known associations, surveillance indicators. A 19-year-old with a gambling debt and a gang contact has none of those. He is invisible to the assessment process right up until the RCMP builds the case after the fact.

Our Take

What Canada's investigations revealed isn't that foreign states are willing to use criminals. That was never in question. What it revealed is that they have standardized the process — documented recruitment profiles, payment structures, and communication protocols, all converging on the same operational conclusion: the handler never crosses the border, the shooter was never on a watchlist, and the state that directed the operation will not be held accountable. The threat assessment that assumes a professional operative carries out a state-sponsored hit is the wrong threat assessment for this decade. Canada put the model on paper. Other states were already running it.

READER POLL

You're routing a principal through a major international airport where an insider threat has been reported. What's your call?

MEANWHILE

Watching the Watchers

A domestic direct action organization operating out of Minnesota built and deployed a counter-surveillance capability that law enforcement intelligence assessments described, with notable frustration, as more operationally rigorous than most private sector protective security programs.

The capability was not improvised. The group ran commercial RF scanners for drone detection, trained surveillance detection run protocols for vehicle movements, and encrypted mesh communications between dispersed observers. Post-operation digital hygiene was documented and consistently followed. Analysts assessed that individuals with professional close protection or intelligence backgrounds had been involved in designing the system. During multiple events, law enforcement surveillance assets were identified and neutralized before they could generate actionable intelligence.

A team conducting protective surveillance or SDR work in a protest-adjacent environment is now operating in a contested space, against counter-surveillance that is trained, organized, and effective. For any close protection team working near protests, the baseline assumption has to change: you are probably already being watched.

The Gate Keeper

Heathrow is the United Kingdom's largest international airport. Every person who clears its border is cross-referenced in real time against alerts set by UK intelligence agencies, foreign allied services, and law enforcement systems. That access lives inside the Border Force officer standing at the passport desk.

One of those officers was working for someone else.

A UK Border Force officer was arrested and charged with systematic unauthorized disclosure of traveler intelligence to a foreign state actor. The data included live cross-referencing of arrivals against police watchlists, intelligence alerts set by partner services, and immigration flags maintained by multiple allied governments. An internal audit identified prior data-access anomalies inconsistent with operational requirements, indicating the breach had been running for a significant period before detection. The scope of what passed out of the system has not been publicly confirmed.

Until it is, any principal whose movement is tracked or flagged by UK border intelligence should be treated as potentially exposed if Heathrow appears on their itinerary.

Two Targets

FBI and Secret Service disrupted a plot in which a suspect had placed two targets under concurrent surveillance: a UFC event and White House perimeter entry points. The suspect had documented overseas handler contact. The dual-target design was deliberate -- maximum coverage, maximum media impact, whichever execution went first.

The reconnaissance was entirely open-source. Commercial drone footage of access routes. Open mapping of perimeter infrastructure. Social media monitoring of visible security patterns. No specialist tradecraft, no classified knowledge — nothing beyond a motivated individual and a smartphone.

The technical barrier for pre-attack surveillance against high-profile targets has dropped to near zero. The threat envelope around a major sporting event does not stop at the arena perimeter -- fan zones, approach routes, hospitality footprint, and transit corridors are all within reconnaissance scope. Treating the secured venue and its surrounding environment as separate security problems is the assumption that gets exploited.

Sound even smarter:

  • State proxy doctrine is not new, but the venue is. Cold War-era proxy operations were typically run against dissidents in authoritarian-adjacent states or in conflict theaters. The Canadian model is the first documented case in which a G7 nation was the sustained operational theater for foreign state-directed contract killing using a civilian criminal supply chain. The CSIS 2025 annual report is the first Western intelligence service report to formally designate this as a primary domestic security concern rather than a foreign affairs matter.

SNAPSHOTS

🇧🇴 Bolivia -- An indefinite public transport strike has shut down surface movement across La Paz city and department. El Alto International Airport is accessible only via cable car; the main bus terminal is closed and intercity routes are suspended. Do not plan ground transport to the airport without a tested alternate route in place.

🇨🇴 Colombia -- FCDO advises against all but essential travel to Norte de Santander, Arauca, Pacific coastal zones, and several other departments. Post-first-round election tension (May 31 vote) has elevated protest and security force activity in major cities.

🇲🇽 Mexico -- World Cup matches running through July 19 across Mexican host cities; FCDO all-but-essential advisories remain active in Sinaloa, Tamaulipas, and Zacatecas. Cartel activity and crowd convergence are operating in simultaneous elevated states.

🇵🇰 Pakistan -- FCDO advises against all travel to Balochistan Province as of June 19, 2026 -- the strongest advisory level, not "all but essential." The Gwadar-Makran corridor and all CPEC-adjacent routes fall within this zone. Any team operating within the CPEC footprint should be running elevated threat posture with active route denial plans and regular local liaison.

EXTRA INSIGHT

Technology / Fraud -- Di Li, 43, of London, was sentenced June 3, 2026 to 48 months for organizing an SMS blaster fraud operation. The device mimics a phone mast, bypasses carrier fraud filters, and delivers bank impersonation texts directly to victims' phones. His co-conspirator Ruichen Xiong was convicted in 2025 after being caught operating the device from a car while fraudulent HMRC texts landed on officers' phones. Li directed the operation remotely.

Mass Events / Counter-UAS -- Since June 11, a joint FBI, Federal Air Marshal Service, and Kansas City Police Department operation has seized 14 drones at 2026 FIFA World Cup venues for Temporary Flight Restriction violations. Eight were seized on June 16 alone. TFR violations carry federal criminal fines up to $100,000 and up to one year in prison.

Physical Security / Violent Crime -- Rahmanullah Lakanwal, 30, an Afghan national, was indicted June 16 on 17 counts including first-degree murder for the November ambush of National Guardsmen near the White House. He drove cross-country from Washington state with a stolen firearm and opened fire in broad daylight, killing Specialist Sarah Beckstrom, 20, and seriously wounding Sergeant Andrew Wolfe. The charges are death-penalty eligible.

NEW RESOURCE FOR PREMIUM SUBSCRIBERS

The skill that keeps you on the detail

Most close protection careers do not end on the range. They end with a principal who would not listen, an override that was not challenged, and an operator who either pushed too hard or went too quiet. It is the most common point of failure in the work and the one almost no course teaches.

This week's premium piece takes the discipline aviation built after a fatal 1978 crash, Crew Resource Management, and adapts it for protective work: why the authority gradient runs the wrong way on a detail, the four-step escalation language that makes a principal listen without a confrontation, and how the best firms turn a reluctant principal into a compliant one. There is also a downloadable field playbook that includes escalation scripts and a pre-engagement checklist you can run before your next job.

More and more, the threat doesn't match the profile you built the assessment around. The handler is in another country. The shooter is on no list. The border officer was checked and cleared. The counter-surveillance team your surveillance team didn't detect. What this week's cases have in common is that the conventional tripwires missed every one of them. That is not bad luck. It is by design, and the design is now documented. You have the blueprint. Better to read it before someone else runs the play.

See you next week.

– On The Circuit

PREVIOUS POLL - RESULTS

New city. New principal. You've got 2 hours before the detail starts. What's the first thing you look up?

🟨⬜️⬜️⬜️⬜️⬜️ A. Local crime patterns and hotspot mapping (12%)
🟩🟩🟩🟩🟩🟩 B. Hospitals, trauma centres and medevac options (44%)
🟨🟨🟨🟨⬜️⬜️ C. Routes, chokepoints and exit options (36%)
🟨⬜️⬜️⬜️⬜️⬜️ D. Something else. Let us know → (8%)

Your Comments:

LP: "Routes first, always. If you don't know your exits, nothing else matters. Hospitals are useless if you can't get there."

RJ: "Depends on the threat environment. In a stable city… routes. In a volatile one… medical."
