Threat Library

These Are Real Cases.

Stalker tags hidden in wheel wells. Rogue WiFi networks on commercial flights. BLE beacons sewn into gift bouquets. These are documented incidents — real people, real harm, real outcomes. VigilWatch was built to detect every threat in this library.

22
Documented Cases
4
Threat Categories
9
Countries Affected
$30
Avg Attacker Cost
🏷

AirTag Abuse

Apple's $29 tracking tile — designed to find lost keys, repurposed to stalk people

6 Cases
DeLand, Florida · March 2026
Sheriff's Deputy Plants Multiple AirTags in Ex-Girlfriend's Vehicle — and Her Daughter's
James Kleeman, 65, a part-time prisoner transport deputy with the Volusia County Sheriff's Office, allegedly placed multiple Apple AirTags in both his ex-girlfriend's vehicle and her adult daughter's vehicle to track their movements after their February breakup. The victim first discovered AirTag alerts as far back as 2025, with additional placements confirmed after the relationship ended. Ring camera footage captured Kleeman crawling under one of the vehicles with a flashlight during a covert placement. He admitted to placing the devices but denied following the victims. Detectives recovered the trackers during the investigation — and Kleeman's marked sheriff's vehicle was reportedly spotted near the victim's location on the day of his arrest.
Kleeman was arrested March 25, 2026 and terminated from the Sheriff's Office upon arrest. The case highlights the threat posed when access to law enforcement resources and positional authority is combined with tracker abuse — and underscores that AirTag alert systems alone are insufficient when a victim doesn't know what triggered them or how long surveillance has been ongoing.
Indianapolis
Stalker Hides AirTag in Woman's Wheel Well
A woman discovered an Apple AirTag concealed inside the wheel well of her vehicle after receiving an unexpected iPhone proximity alert. The suspect had been tracking her movements for weeks without her knowledge.
Suspect arrested. Indiana legislators strengthened anti-stalking statutes to explicitly include electronic tracking devices.
New York City
AirTag Sewn Into Jacket Lining
A woman received an unknown AirTag alert on her iPhone while wearing a coat she believed was gifted innocently. The device had been hand-sewn into the coat's inner lining — invisible to any physical inspection.
Went viral on TikTok, triggering nationwide awareness. Apple responded by reducing the unknown-AirTag detection window from 3 days down to 8–24 hours.
Chicago
Three AirTags Planted on Victim's Car
A domestic stalker placed three separate AirTags in different locations on the same vehicle — under the bumper, inside the trunk liner, and behind a door panel — to ensure at least one survived detection or removal.
Case directly influenced Apple's decision to enable AirTag scanning on Android devices, removing the iOS-only detection advantage stalkers had exploited.
Las Vegas
BLE Tracker Hidden in Rental Car Fleet
Hertz customers discovered undisclosed BLE tracking hardware embedded in rental vehicles. The trackers — never mentioned in rental agreements — continuously broadcast customer location data to fleet management systems.
Class action lawsuit filed. Settlement required Hertz to provide explicit opt-out disclosure for all vehicle tracking in rental agreements.
Dallas
Auto Theft Ring Uses AirTags at Airport Lots
An organized theft ring placed AirTags on vehicles in long-term airport parking lots while owners were traveling. The tags allowed thieves to track and steal target vehicles at will, then locate them even if driven to a secondary location.
8 arrests made. Law enforcement documented a 65% surge in AirTag-assisted vehicle theft in the metro area over 18 months.
📡

Tracker Abuse

Tile, Samsung SmartTag, and third-party BLE trackers used for domestic stalking and covert surveillance

4 Cases
Portland
Tile Tracker Hidden Behind Dashboard
A domestic abuse survivor discovered a Tile tracker wired behind her car's dashboard by her abusive partner. Because Tile's network relies on passive crowdsourcing, the tracker provided continuous location updates without ever needing to be near the attacker's phone.
Legal action followed. Tile updated its policy to formally cooperate with law enforcement subpoenas involving tracker abuse cases.
Houston
Samsung SmartTag Cloned onto School Bus Network
A Samsung SmartTag was discovered attached to a school bus in an unauthorized state — cloned into the local "unknown devices" Bluetooth network. The device appeared to be monitoring student pickup and drop-off patterns.
School district issued a full ban on unauthorized tracking devices within district vehicles. Investigation ongoing at time of disclosure.
Toronto
Abusive Partner Exploits Shared Family Tile Account
A victim fleeing domestic abuse discovered her location was being tracked through a shared Tile "Family" account her abuser retained access to. The feature, designed for parents and children, created a persistent surveillance channel the victim didn't know existed.
Tile redesigned the sharing UI to add explicit consent confirmations. Canadian women's shelters added BLE device scanning to intake protocols.
Las Vegas
BLE Trackers in Rental Vehicles (Multi-Brand)
Beyond the Hertz case, independent researchers documented similar undisclosed BLE tracking hardware across multiple rental car brands in the Las Vegas market, suggesting fleet-wide adoption of non-disclosed tracking was an industry pattern rather than an isolated incident.
Prompted FTC inquiry into rental industry data collection practices. Multiple carriers issued retroactive disclosures to affected customers.
📶

WiFi Attacks

Rogue access points, evil twin networks, and deauth attacks targeting travelers, executives, and journalists

6 Cases
Sydney
Airport Evil Twin WiFi Honeypot — First Conviction
An attacker created a rogue WiFi access point mimicking in-flight WiFi network names aboard commercial flights and at Perth, Melbourne, and Adelaide airports. Passengers who connected had their email addresses and social media credentials intercepted in plaintext.
First Australian criminal conviction for evil twin WiFi fraud — 18 months imprisonment. Australian Federal Police issued national passenger WiFi warnings.
Geneva
Rogue Hotel AP Targets Diplomatic Executives
APT28 (Fancy Bear), a Russian state-sponsored threat group, deployed rogue access points inside Geneva hotels hosting diplomatic summits. Executives and government officials connecting to the "hotel WiFi" had their credentials silently harvested via man-in-the-middle interception.
Multiple diplomatic credentials compromised. The operation was attributed by intelligence agencies and contributed to expanded TSCM protocols for high-level delegations.
San Francisco
Café WiFi Deauthentication Attack — DEF CON Demo
A DEF CON security researcher publicly demonstrated how a $40 device could broadcast WiFi deauthentication frames in a café, silently forcing all connected devices to reconnect — at which point the attacker's evil twin network captured their traffic.
The demonstration drove industry adoption of WPA3 Protected Management Frames (PMF), which prevents deauth frame spoofing. Most modern routers now enable this by default.
Washington D.C.
Wi-Fi Pineapple Deployed at Legal Conference
Security researchers deployed a commercially available "Wi-Fi Pineapple" rogue access point device at a major legal industry conference in D.C. to demonstrate attorney-client privilege vulnerability. Dozens of lawyers connected their devices to the honeypot without awareness.
The demonstration was disclosed to attendees and published. The American Bar Association updated cybersecurity guidance for attorneys working with sensitive client communications.
United Kingdom
EV Charging Station WiFi Compromised
UK security researchers found that 20% of public EV charging stations offered WiFi connectivity with exploitable vulnerabilities — ranging from open networks that intercepted driver app data to rogue SSIDs mimicking legitimate charger networks at high-traffic motorway services.
UK Department of Transport issued new minimum cybersecurity requirements for public EV charging infrastructure, effective 2025.
Washington D.C.
Journalist Tracked via Bluetooth Headphone Static ID
A Washington D.C. journalist discovered they were being passively tracked via their Bluetooth headphones, which broadcasted a static, unchanging device ID across Bluetooth pairing sessions. Hostile actors were able to log the journalist's location by correlating repeated device sightings across public spaces.
Bluetooth SIG renewed its MAC randomization recommendation for all consumer audio devices. VigilWatch detects static-ID Bluetooth devices as potential surveillance hardware.
🔵

BLE Surveillance

Bluetooth Low Energy beacons hidden in everyday objects — gifts, wristbands, and public spaces

5 Cases
London
BLE Tracker Concealed in Gift Flower Bouquet
A stalker in London concealed a small BLE beacon inside a gift flower bouquet presented to their target. The device — powered by a coin cell battery lasting months — allowed real-time location tracking through any nearby Bluetooth-enabled smartphone without triggering standard stalker alert apps.
Perpetrator charged under the UK Stalking Protection Act 2019. The case established legal precedent for prosecuting BLE beacon concealment as a stalking instrument.
Florida
BLE Skimmer Network at Gas Stations
A criminal network installed BLE-equipped card skimmers across 60+ gas stations in Florida. Unlike older skimmers that required physical retrieval, these transmitted harvested card data wirelessly via Bluetooth to a vehicle parked nearby — eliminating the need for criminals to revisit crime scenes.
14 arrested in coordinated law enforcement sweep. The technique highlighted how BLE's range and low power draw make it ideal for covert data exfiltration in physical environments.
Netherlands
Hospital BLE Wristbands Leak Patient Location
Dutch hospitals issued BLE-enabled patient wristbands for staff tracking that broadcast static, unrotated MAC addresses. Security researchers demonstrated that any Bluetooth scanner within range — including visitor smartphones — could passively map patient locations throughout hospital wards without authorization.
Netherlands Data Protection Authority (DPA) opened formal investigation. Firmware patches deployed to all affected facilities. Static MAC broadcasting prohibited in subsequent guidance.
Berlin
Marathon Runners Tracked via Race Timing Chips
Security researchers at the Berlin Marathon documented that BLE timing chips used for runner identification broadcast static identifiers that could be tracked by any off-the-shelf scanner. By deploying scanners along the course, researchers demonstrated full participant location history without official data access.
Findings presented at Chaos Communication Congress. Race event technology providers began evaluating rotating-ID BLE protocols for future timing chip generations.
Amsterdam
Nightclub BLE Passive Fingerprinting Without Consent
An Amsterdam nightclub operated a BLE beacon surveillance system that passively fingerprinted all patrons' smartphones for marketing analytics — tracking movement through the venue, dwell time at specific areas, and return visit frequency — without any form of disclosure, consent, or opt-out mechanism.
Dutch DPA issued a €475,000 GDPR fine. The case established that passive BLE fingerprinting of individuals in public-facing venues constitutes personal data processing requiring explicit consent.
Every Threat Above Is Detectable

VigilWatch Catches All of This

Tag fingerprinting. RSSI proximity alerts. Rogue WiFi detection. Route Contamination mapping. Whether it's a $29 AirTag or a state-sponsored rogue access point, VigilWatch gives you the intelligence to detect it and the evidence to report it.

Join the Waitlist See How Detection Works