Published Sunday, June 14, 2026 at 10:36 PM PT

BLUF: A book reportedly titled In the Lair of the Cozy Bear — allegedly an English translation of the Dutch work In het hol van de Cozy Bear — has surfaced via OSINT feeds. The work purportedly details the AIVD’s 2014 covert infiltration of Russian state-linked threat actor Cozy Bear (APT29) from the perspective of an American liaison officer. Cybersecurity and intelligence professionals should be aware of potential operational detail disclosure. No immediate technical threat to networks is indicated at this time.
DETAILS
- The Dutch intelligence service AIVD’s infiltration of Cozy Bear was previously reported on 25 January 2018 by de Volkskrant and the TV program Nieuwsuur; that reporting confirmed AIVD had accessed Cozy Bear’s systems in 2014 and observed active hacking operations against U.S. targets, including the Democratic National Committee.
- The book in question allegedly narrates these events from the first-person perspective of a U.S. liaison officer embedded with AIVD — a framing that, if accurate, could expose details of allied intelligence cooperation, tradecraft, and liaison arrangements.
- UNCERTAINTY FLAG: The existence, publication status, authorship, and official or unofficial nature of this book have NOT been independently verified from this feed. It is unclear whether this is a published work, a leaked manuscript, fiction, or disinformation.
- UNCERTAINTY FLAG: Whether the content constitutes a classified disclosure, an authorized publication, or a fictionalized account is unknown at this time.
IMPACT
- Intelligence Community / Allied Services: If authentic and containing non-public operational detail, the work could expose AIVD and U.S. intelligence tradecraft, liaison relationships, and collection methods related to APT29 operations.
- APT29 / Cozy Bear Awareness: Any detailed account of how AIVD penetrated Cozy Bear’s infrastructure could inform Russian counterintelligence efforts to identify and close historical gaps — even years after the fact.
- Scope: Potentially affects U.S.-Dutch intelligence equities; broader Five Eyes and NATO partner awareness may be warranted depending on content.
RECOMMENDED ACTIONS
- Do not distribute or amplify unverified content from this source pending confirmation of its nature and classification status.
- Intelligence and security teams should monitor for the book’s emergence on the open web, the dark web, or document-sharing platforms.
- Organizations tracking APT29/Cozy Bear should review existing threat profiles — no new TTPs are indicated by this trigger, but situational awareness is advised.
- Legal and compliance teams at affected organizations should flag for review if the document surfaces internally.
SOURCES
- OSINT Feed trigger (unverified, single source)
- de Volkskrant / Nieuwsuur reporting, 25 January 2018 — confirmed historical baseline on AIVD-Cozy Bear infiltration
- Prior open-source reporting on APT29 / Cozy Bear attribution
Classification: UNCLASSIFIED // FOR AWARENESS
All details from unverified OSINT. Treat as low-confidence pending corroboration.
