Belgrade Mayor’s Chief of Cabinet Sues BIRN for Defamation

Nenad Milanovic, chief of cabinet of Belgrade mayor Aleksandar Sapic, filed a defamation lawsuit against BIRN Serbia before the Higher Court in Belgrade, seeking 200,000 dinars (1,705 euros) in damages for mental anguish.

The lawsuit claims his reputation and honour have been damaged by the BIRN article, “Audios Reveal that Sapic’s Chief of Cabinet Offered to Fix Procurement to Kentkart”. The lawsuit states that the article is “full of absolute falsehoods”, but does not explain which information Milanovic believes to be incorrect.

“The news published on website birn.rs was very disturbing to the plaintiff because the incriminating expressions used by the defendant were disparaging and have contributed to the damages for the plaintiff’s honour and reputation, especially in the plaintiff’s work environment, and then in the environment in which the plaintiff lives.

“Namely, the plaintiff is very successful in his job, and the insinuations mentioned in the text can have an extremely negative impact on the plaintiff’s reputation at his work and in the private sphere as well”, reads the lawsuit.

The lawsuit is filed against BIRN Serbia and its editor-in-chief Milorad Ivanovic.

Ivanovic says this is the fourth SLAPP lawsuit this year.

“This is the fourth SLAPP lawsuit filed against our newsroom this year. These lawsuits are not being filed in an honest attempt to receive any kind of justice, but to exhaust journalists and the newsroom.

“The lawsuit does not deny any fact we have published in the article. Mental anguish of public officials, their reputation and honour, cannot be above the truth,” said Ivanovic.

So-called SLAPPs aim to drain the target’s financial and psychological resources and chill critical voices, to the detriment of public participation, according to a report on SLAPP lawsuits in Serbia published in 2022 by Article 19, the American Bar Association Centre for Human Rights and the Independent Journalists’ Association of Serbia, NUNS.

Aleksandar Sapic, the mayor of the Serbian capital, filed two separate defamation lawsuits against BIRN Serbia, its editor and journalists in March, claiming that their reporting damaged his reputation and caused him mental anguish. He is seeking six million Serbian dinars (around 50,000 euros) in damages in each case – a total of around 100,000 euros.

Predrag Koluvija, who is on trial for alleged illicit marijuana production, in February accused BIRN of incorrectly reporting on one of his court hearings and thus damaging his reputation and causing him mental anguish. He is seeking 200,000 dinars (around 1,700 euros) in damages.

Analysing Algorithms: Bosnian Media Complain of Facebook Guessing Game

Media outlets in Bosnia and Herzegovina have a headache, and part of the cause is Facebook.

As anywhere else around the world, the social media giant, owned by Meta, is a vital means for Bosnian media outlets to reach readers.

But editors and journalists in Bosnia tell BIRN they struggle with its inconsistency in content moderation and a lack of transparency about its algorithms. And when they call Facebook for clarification, too often they are left hanging.

“The same content is treated differently on two different Facebook profiles,” said one in an anonymous response to a BIRN survey of newsrooms, referring to the same text posted on the Facebook pages of two different media. “On one, it’s coloured orange [denoting semi-restricted content]. On another, it’s green, without any warnings or restrictions.”

“It’s confusing, and the procedure lacks transparency,” said another. “There’s no explanation; analysing algorithms comes down to experience.”

Analysing algorithms

Posting content that is deemed to violate Facebook rules can have far-reaching consequences for small media outlets, which rely on the platform’s sheer scale to reach an audience and attract advertisers. Repeat occurrences of content being flagged as false or misleading can result in a media outlet’s visibility being reduced, or it being locked out altogether.

Meta’s website states: “Pages, groups, accounts and websites that repeatedly share misinformation will face some restrictions, including having their distribution reduced. This includes content rated False or Altered by fact-checking partners; content that is nearly identical to what fact-checkers have debunked as False or Altered…”

But even content that passes the grade must negotiate complex algorithms that push, promote or suppress visibility, determining which feeds it reaches and how often. How these algorithms work exactly is kept under wraps, and they are constantly changing.

Experimentation is the only way to get anywhere close to figuring them out, said social media expert Haris Alisic.

“Algorithms are a business secret of every company in the IT industry,” Alisic told BIRN. “That’s their competitive advantage… And, of course, there is no significant transparency around it. They do share some stuff, but it’s very general. Based on that, it is hard to figure out how the algorithm really works.”


Social media expert Haris Alisic. Photo: Courtesy of Haris Alisic.

According to Facebook, its algorithm uses “hundreds of signals” to make a prediction as to how likely a user is to engage with a post. One of the signals is, ‘Who posted the story?’

Based on these signals, the algorithm creates a “relevancy score” – “our best guess at how meaningful you will find this story”.

Facebook, however, is constantly tweaking its algorithm in response to a range of factors, including news events. Keeping up is a matter of trial and error.

Moderating content

In Bosnia, hate speech, harassment and incitement to violence remain major issues almost three decades since the end of a 1992-95 war. This is reflected in the media, and online.

Most cases of digital rights violations in Bosnia identified in BIRN’s Annual Digital Rights Report 2022 concerned “breaches related to reputation, endangering security, discrimination and hatred, and pressures on individuals because of publishing information on the internet, among others”.

But social media companies on the whole lack detailed understanding of each society in which they operate.

According to a 2022 report on content moderation in Bosnia, published by Article 19, “87% of Facebook’s spending on misinformation goes to English-language content, despite the fact that only 9% of its users are English speaking”.

“It has also been revealed that most resources and means in terms of content moderation are being allocated to a limited number of countries.”

Content moderation becomes a problem for media outlets if it is inconsistent or ignorant of local context.

“In their policy explanations, Facebook names different reasons why certain content can be flagged, from hate speech to disinformation,” said another media worker surveyed. 

“But in reality, we could see this kind of content still not removed or marked in any way, so the reader is aware of it. The responsibility of flagging the content is somehow left more to the users [individuals and organisations] and less to the company [Facebook], which is inviting people to its platform to use it but yet doesn’t protect them from this kind of content.”

In order to weed out misinformation and disinformation, Facebook relies on local fact-checkers; in the case of Bosnia, one of its partners is Raskrinkavanje, a team of 14 with backgrounds in media, political sciences, international relations and human rights.

Raskrinkavanje flags content, but it falls to Facebook to limit its reach. Media outlets need to check what they’re posting, said Elma Muric, communications editor at Raskrinkavanje.

“Journalists are not only obliged to disseminate correct information but also to stick to the ethics of journalism and fairly and impartially report about happenings and phenomena in the world,” Muric told BIRN. 

“Journalists who do follow the professional and ethical standards in their reporting, for sure, will not publish anything that could be flagged as disinformation or fake news.”


META’s office in Paris. Photo: Courtesy of Haris Ališić.

Mixed experiences

Besides their headaches in trying to figure out algorithms, some editors and journalists say they also struggle to get answers from Meta itself on any number of issues.

“Tried twice; they were slow and inefficient,” said one. “Didn’t really fix the problem I was having.”

Another said: “Enable simpler contact with Meta and easier access to information, especially algorithmic changes and recommendations.”

“We need clearer procedures regarding algorithm rules,” the journalist added. “There is no alternative, especially since we keep talking about the importance they [Facebook] have regarding the public debate and online participation.”

Not everyone shares such frustration. One journalist who took part in the survey told BIRN about their experience resolving an attempted scam:

 “I reached out to the Meta team and in a very short time I had a phone call with one of their crew, who checked from their side, and besides assuring us that it was a scam, not a real note from them, they shared advice on what to do to protect ourselves immediately, and how to recognise in the future if something is sent from there, or if it’s again some scam.”

Alisic described his own experience dealing with Facebook as “amazing”.

“We had a very close relationship. We still do,” he said. “They were always very professional and very quick to respond. They have very hard-working people.”

Given Facebook’s sheer size, inevitably there will be issues with communication, he said.

“You have to understand that there are tens of millions of pages on Facebook. It is literally impossible for them to be able to respond to everything timely, quickly, or personally, so just like in every other company, I guess they have to prioritise.”

BIRN contacted Meta for a response to this story, but received no reply.

Turkish Citizens’ Personal Data Offered Online After Govt Site Hacked

A website called sorgupaneli.org is offering to provide Turkish citizens’ private data that was stolen from the e-Devlet government services website, even claiming to be able to offer President Recep Tayyip Erdogan’s personal information.

The hacked information that is being offered for free by the website in return for a membership signup includes ID numbers, phone numbers and information about people’s family members.

More sensitive information, including full addresses, real estate deeds and education details, is being offered with a paid premium membership.

When BIRN accessed the website, it said that the personal data on offer includes information about high-ranking state and government officials including Erdogan and Turkey’s main opposition leader Kemal Kilicdaroglu.

Experts said that the data theft is the biggest yet in Turkey and constitutes a major digital security problem.

“First and foremost, access to this website should be blocked. Following this, a full-scale investigation should be launched,” Sule Ozsoy Boyunsuz, a professor of constitutional law, told HALK TV.

The Turkish authorities have so far remained silent on the issue and the website remains accessible although it often crashes due to the high demand putting pressure on its servers.

e-Devlet, which means e-government, is the main public administration portal in Turkey, and includes personal information including details about education, health, banking credentials and tax status.

For several years, the e-Devlet website has been criticised for not being secure enough, but the authorities have dismissed the claims.

Amid Growing Cyber Threat, Experts Urge Montenegro to Invest in Talent

In early May, a text message arrived on the phones of a number of people in Montenegro saying that a parcel had arrived, delivered by the Serbian postal service Posta Srbije, and telling them to click on a link for instructions on how to receive it.

The link opened a webpage where the user was asked to enter their bank card details, but it had nothing to do with Posta Srbije. The text was in fact the latest in a string of phishing attacks targeting individuals in Montenegro, attacks that authorities say are becoming increasingly common.

According to Montenegro’s Cyber Incident Response Team, CIRT, 684 such incidents were reported last year, up from 672 in 2021. In 2011, there was just one registered cyber-attack. Of the 684 last year, malware constituted the most common type of attack.

Experts see raising awareness among members of the public as vital to minimising the impact of such scams, but, said Adis Balota, a professor at the Faculty of Information Technologies in Podgorica, “alone this will not solve the cyber security problem”.

In August last year, a major cyber assault on Montenegrin state institutions paralysed parts of the public sector and underscored the tiny NATO country’s vulnerability to cybercrime.

Almost a year on, experts like Balota say Montenegro must invest much more in its defences and in recruiting the IT security expertise that the public sector currently lacks.

“Unfortunately, from the negative examples of the past year, it can be concluded that the state information systems are currently the most threatened,” Balota told BIRN.

“I’m of the opinion that in order to solve this problem, the government of Montenegro should make a strategic departure from the current way of developing, implementing and maintaining information systems in state bodies.”


Montenegro’s Cyber Incident Response Team, CIRT, data on cyber attacks since 2011. Infographic: BIRN/Igor Vujcic.

Experts needed

The August 2022 attack infected dozens of computers in 10 state institutions and knocked offline a host of public services.

Within days, the National Security Agency pointed the finger of blame at Russia, which Montenegro has long accused of trying to thwart its Western integration ambitions, but offered no evidence; then a cabinet minister said it was in fact the work of Cuba Ransomware, a cybercrime extortion group.

Months later, the National Security Council announced that, “given the specific nature and complexity” of the attack, it had been unable to determine exactly who was behind it, despite the assistance of the FBI in the United States and the French National Cybersecurity Agency, ANSSI.

Powerful as it was, the attack was only the most high-profile of many.

Late last year, even the police were forced to warn the public not to respond to emails purportedly from the then director of the Police Administration, Zoran Brdjanin, or open their attachments, saying they “may contain malicious content”.

A week later, police said they had registered a similar scam via emails claiming to be sent by the head of the criminal police in the Podgorica Security Department, Zoran Basanovic.

The ultimate goal, police said, was “fraud and obtaining financial benefit”.

Over the past few years, Montenegro has also seen a rise in fake prize games on social media, generated via fake websites and asking users to submit photos of their ID cards or follow instructions sent by email.

Balota cautioned that, while Montenegro has cyber security strategies on paper, their implementation is another matter.

The biggest problem, he told BIRN, is the failure to recruit and retain highly-specialised experts in the field of Information and Communications Technology, ICT.

“Such experts cannot be motivated with the salaries of civil servants and state employees,” Balota said. “The motivation of serious and educated personnel to work in state bodies is an extremely important goal.”

If a clear recruitment strategy were in place, “the financial resources for basic functioning could be provided, either from the state budget or from international projects,” he said. “In relation to other parts of the state budget, the amount of money that would be necessary is negligible.”

Instead, “there is a lack of vision, professional staff, specialist training, accompanying finances, and, in the end or at the outset, political will.”


Major cyber threats in Montenegro since 2016. Timeline: BIRN/Igor Vujcic.

Attacks will get ‘more aggressive’

The first big cyber-attack on Montenegrin state bodies occurred in 2016, on the day of parliamentary elections. Then, just as last year, authorities rushed to blame Russia for the Distributed Denial-of-Service, DDoS, attacks, with Moscow at the time angered by the prospect of Montenegro’s imminent accession to NATO.

Four days later, another attack targeted parliament’s servers. The following year, 2017, the government reported a new wave of attacks on its portal and sub-portals of state bodies. Blame was laid at the feet of Fancy Bear, a notorious Russian cyber espionage group.

Balota said the government should create a “centralised body or institution at the state level, which would coordinate and manage all IT projects at the level of state bodies and administration bodies”.

This, he said, “would certainly contribute to the rational use of all available resources, to monitor trends and allow the benefits of all implemented solutions to be measured”.

Training will be key, he said.

“Each subsequent attack will be even more aggressive and have greater consequences,” said Balota. 

Belgrade School Shooting Has Online Ripple Effect in Balkans

After two recent mass shootings in Serbia, one at a school in Belgrade, there was a surge of attempted copycat attacks in the Balkan region, but also a series of digital violations including the spread of misinformation, breaches of privacy, fake footage and misleading claims.

Albania experienced several disturbing incidents of its own, including a fake gun scare at a school in Tirana and a fatal stabbing stemming from an online feud in Gramshi, highlighting the role of online platforms in escalating conflicts among Albanian youth.

In Montenegro, incidents such as a concerning Facebook post by a pupil in Zabljak and threats made on a school’s Viber group in Podgorica highlighted the delicate balance between freedom of expression and the responsibility for safety within society, while Croatia faced its own challenges following the Serbian mass shooting, with incidents including a ‘hit list’ made by a student from Bjelovar being circulated on TikTok and a gun photo being shared in a Zagreb school’s WhatsApp group.

Following the mass shootings in Serbia, threats were made on social media in Bosnia and Herzegovina and a young man was arrested after allegedly announcing online that he planned to replicate the violence.

In Kosovo, false information was spread online through the sharing of misleading articles and recycled misinformation, while a threatening message was posted on Instagram in North Macedonia.

False reports and videos in Serbia

The mass shooting by a teenager at the Vladislav Ribnikar Elementary School in Belgrade on May 3, in which eight students and a teacher were killed, sent shockwaves through society and was followed by online violations such as the circulation of fake footage, the invasion of victims’ relatives’ privacy and the proliferation of misinformation.


A man reacts as he walks past police officers blocking a street near the ‘Vladislav Ribnikar’ elementary school in Belgrade, Serbia, 03 May 2023. Photo: EPA-EFE/ANDREJ CUKIC

The right to privacy of the families who were affected was violated by the tabloid website Republika, which on May 9 published a sensationalist report about the funeral proceedings, contravening Serbia’s journalistic code and inflicting further anguish on the grieving families.

False reports also began to circulate on media websites and social networks. Unfounded claims emerged that a wounded teacher had also succumbed to their injuries, that vaccinated citizens were ineligible as blood donors, and that N1 TV had demanded the release of the suspect.

Days after the shooting, a video claiming to depict the school massacre was circulated on social media. The footage was shared widely on TikTok on May 6, but closer scrutiny revealed that it was not from Belgrade but had been taken during a different school shooting in the United States.

On May 6, another video surfaced on TikTok, purporting to show students from the school that was targeted in Belgrade bullying the perpetrator. Accompanied by captions insinuating that the footage captured the moments preceding the massacre or depicted the treatment that the perpetrator endured at the school, the video gained widespread circulation.

However, it was soon discovered that the video was unrelated to the Belgrade incident and originated from a school in Russia several months earlier.

Violence in Albania echoes Serbian shooting

On May 10, Albanian media outlet Gazetatema.net published a video showing the mass shooting in Serbia. In the days following the shooting, there were also two violent incidents in Albania involving young men and weapons.


Police officers close off the crime scene at Cetinje, Montenegro, 12 August 2022. Photo: EPA-EFE/BORIS PEJOVIC

The first incident happened in Farka in Tirana when a 20-year-old male entered a schoolyard and discharged shots into the air using a fake gun, inciting fear among students and staff. The motives behind the incident remain under investigation.

In the second incident, a 15-year-old Albanian lost his life in a stabbing near his school in Gramshi. The stabbing occurred as a direct result of an online feud between the attackers and the victim’s cousin.

Online threats made in Montenegro

In the aftermath of the mass shooting in Serbia, there were also two online incidents in Montenegro that were reported to have been related to the crime in Belgrade.

The first incident unfolded in the town of Zabljak, where Montenegrin police questioned a 13-year-old pupil after he wrote a Facebook post that alarmed the authorities.

The pupil wrote: “I understand the shooter in the Serbian elementary school. I would do the same, but I don’t have access to guns.” The authorities took his statement seriously and initiated an investigation. However, charges were eventually dropped, with the prosecution urging local social workers and the school to intervene and address the situation.

In another case, Montenegrin police questioned a pupil from an elementary school in Podgorica after threats were made in the school’s Viber group. The school management reported that the pupil had sent a photo of a gun along with a list of students he intended to harm.

Prompt action was taken by the authorities, who questioned the pupil and his parents, and the plastic gun was handed over to the police. The outcome of the investigation has not yet been made public.


Illustration of TikTok logo displayed on a phone in Los Angeles, California, USA, 17 May 2023. Photo: EPA-EFE/CAROLINE BREHMAN

Croatia faces school safety concerns

In the aftermath of the mass shooting in Serbia, there were also two incidents involving school students in Croatia.

On May 12, a pupil in the city of Bjelovar who claimed to have drawn inspiration from the shooting in Belgrade compiled a ‘hit list’ containing the names of her classmates. The list allegedly surfaced on the popular social media platform TikTok before being removed after the student was detained by the police.

However, concerns remained as it is possible that screenshots of the list might still be circulating privately among other students. The student was expelled from the school the same day.

In another incident that occurred on May 18 at the Dragutin Domjanic Elementary School in Gajnice in Zagreb, an eighth-grade boy who had argued with a friend allegedly took a photo of a gun and bullets at his home and shared it in a WhatsApp group.

The school promptly contacted the police, who reportedly spoke with the boy. The parents sent a message saying that the boy was under supervision at home and that everyone was safe, while the school emphasised that students should continue attending classes as usual because the overall safety of the school was being maintained.

Copycat shooting threatened in Bosnia

In the wake of the mass shooting in Serbia, a young man in Bosnia and Herzegovina threatened a copycat incident in the city of Bihac. The young man posted a threatening message on Instagram, claiming to be preparing to stage a massacre at a school of economics. Police arrested him on charges of endangering security and terrorism. Reuters reported that he had a history of threats and bullying on social media and that charges against him were dropped last year because he was too young to be prosecuted.

Meanwhile, a threatening video was circulated on social media, made by a man from the town of Banovici who said he was going to commit a massacre in Bosnia and Herzegovina, linking it to the recent mass shooting in Serbia. Authorities from both countries worked together to identify the individual and prevent any potential violence.

Incidents in Kosovo and North Macedonia

In Kosovo, a misleading article entitled “SERIOUS: The Moment When a 14-Year-Old Kills His Classmates in Serbia is Published” was published by the Sprint.al website. The article claimed to feature a video depicting the Belgrade school shooting.

However, investigations by BIRN Kosovo’s Kryptometer team revealed that the video was not filmed in Serbia, as claimed, but in Mexico in 2017.

Meanwhile in North Macedonia, a student from the Slavcho Stojmenski high school in Shtip posted a threatening message on Instagram on May 11 and was subsequently detained by the police. The motives behind the student’s actions have not yet been made public.

Bosnia has been covered by Elma Selimovic and Aida Trepanić, Albania by Nensi Bogdani, North Macedonia by Bojan Stojkovski, Montenegro by Samir Kajosevic, Kosovo by Diedon Nixha, Croatia by Matej Augustin and Serbia by Bojan Perkov and Ninoslava Bogdanović of SHARE Foundation.

Battle for Balkan Cybersecurity: Threats and Implications of Biometrics and Digital Identity

The Balkan region has witnessed a significant increase in internet penetration and the integration of Biometrics and Digital Identity (BDI) technologies into various sectors, BIRN research shows.

Between 2020 and 2023, Albania, Bosnia and Herzegovina, North Macedonia, Kosovo and Serbia all experienced a notable increase in cyberattacks, specifically phishing and ransomware incidents.

BIRN has mapped 40 cases and has collated data on notable cyberattacks targeting the Balkan region’s BDI systems into a database. Research focused on cases that resulted in a significant data breach and/or compromised large amounts of data.

Data collection involved document analysis, case study examination and interviews with IT employees. These approaches provide insights into the state of BDI and cybersecurity threats in the Balkan region, as well as notable cyberattacks targeting critical infrastructure and public institutions.

The research shows a prevalence of cyberattacks targeting critical online infrastructure, services and computers. Inadequate public awareness and cybersecurity policies, and limited regional collaboration, have exacerbated the challenges the Balkan countries face in combating cybercrime.

The public sector, banks and individual citizens were primary targets of these cyberattacks. Perpetrators exploited vulnerabilities in the digital infrastructure and security measures of both private and public entities. 

A growing reliance on biometrics and digital identity in online banking, e-government services and border control is a key regional trend. Technological advances aimed at improving security and efficiency drove this reliance. However, implementing BDI systems has raised concerns about protecting individuals’ privacy and data, and about the potential misuse of personal information.

Addressing cybersecurity threats in the Balkan region requires increased public awareness, improved cybersecurity policies and practices and enhanced regional collaboration. 

The Balkan region faces significant risks and opportunities due to its growing reliance on biometrics and digital identity. Balancing security with privacy and data protection is crucial in this context.

Cyberattacks reveal cracks in North Macedonia’s defences

North Macedonia has become a target of almost relentless hacker attacks, placing various state institutions in jeopardy. These attacks are a sobering reminder of the country’s inadequate cyber security capabilities, leaving it ill-prepared and vulnerable. An attack on the Health Insurance Fund in February 2023, for example, disrupted its operations for several weeks, exposing gaps in cyber security.

The Agriculture Ministry’s experience in September 2022 further exposed the weaknesses in the government’s defences; its staff had limited internet access for over a month following a cyberattack. 

These incidents have shed light on the urgent need for the government in Skopje to invest in strengthening its cyber security infrastructure and safeguarding sensitive data and systems from malicious actors.

Multiple leaks of email addresses and passwords from various ministries have also raised concerns. These breaches underscore the importance of bolstering cyber security measures across government entities. Recognizing these challenges, the country’s national centre for responding to computer incidents has produced a report outlining noteworthy trends based on cybersecurity incidents.

One concerning trend highlighted in the report is the increasing number of Macedonian websites falling victim to hacking, particularly through phishing tactics. Attackers often install malicious content on server operating systems, allowing them to compromise websites. The report emphasizes the urgency of addressing this issue.

Another alarming development involves Macedonian public IPv4 addresses being identified abroad as sources of attacks and data theft from foreign servers. This discovery raises concerns about the security of these addresses, necessitating enhanced measures to prevent such activities and protect sensitive information.

A case involving the compromise of email accounts of government and public sector organizations in North Macedonia is of particular significance. Attackers exploited vulnerabilities in mail servers to send phishing emails from compromised accounts. This highlights the critical importance of securing email systems and preventing unauthorized access.

Furthermore, several North Macedonian organizations have fallen victim to cyberattacks due to compromises or vulnerabilities in their email servers. In some instances, hackers executed ransomware attacks by exploiting unaddressed vulnerabilities. These incidents underscore the need for robust security measures to protect against evolving threats.

Cyberattack motive per country in per cents.

Distributed Denial of Service, or DDoS, attacks have also posed a significant threat, targeting numerous institutions and organisations in North Macedonia over the past few years. These attacks disrupt services by flooding servers with an overwhelming amount of traffic.

According to MKD-CIRT’s report, the number of reported incidents increased from 1,443 in 2020 to 1,880 in 2021. However, it is worth noting that these figures include malicious activities detected outside the country, where Macedonian IP addresses were identified as the source of harmful activities. This highlights the need for collaborative efforts to combat cyber threats beyond national borders.

The escalating wave of cyber attacks and the vulnerabilities exposed in North Macedonia’s cyber security apparatus necessitate urgent action. Strengthening defences, investing in advanced technologies and fostering international cooperation are vital to safeguarding the country’s critical infrastructure, sensitive data, and digital systems from malicious actors in an increasingly interconnected world.

Cyberattacks Targeting Industries and Institutions in Kosovo Prompt Action

Over the past three years, Kosovo has faced a significant number of cyberattacks targeting various industries. Among the most common attacks are password thefts from social networks. Some notable attacks include wealth gain schemes, attacks on banks, hacking of politician profiles, and various scams.

In April 2020, Banka Ekonomike, one of Kosovo’s largest banks, fell victim to a ransomware attack known as DoppelPaymer. According to a threat assessment by the Danish Centre for Cyber Security in 2021, the hackers leaked over 70 GB of data, including sensitive information such as clients’ names, credit card numbers, income details and client loans. The leaked data also contained sensitive information about bank employees.

Just five months later, in September 2020, the Facebook account of former Deputy Interior Minister Zafir Berisha was hacked. The incident occurred shortly after Berisha was appointed Kosovo’s National Cyber Security Coordinator. As of April 2023, there is no official information on the identity of the hackers.

Target in the countries in per cents.

Public institutions in Kosovo have been targeted with phishing. The Ministry of Interior confirmed phishing cyberattacks in February 2022, although it said no infrastructure damage or significant harm occurred. These phishing attacks, where institutions receive fraudulent emails appearing to be from official sources, are quite frequent.

All reported cases have been handed over to the police, but there is no official update on the progress of investigations. 

Due to the lack of a centralized approach to combating hackers, Kosovo has introduced a legal foundation to prevent cybercrime. As part of a proposed bill to enhance computer security, a State Authority for Cyber Security will be established.

Furthermore, in response to the cyberattacks, the government has proposed the creation of an Agency for Cyber Security. In September 2022, the government approved a draft cyber security law that includes the formation of this agency. 

The law aims to strengthen computer security in Kosovo, and additional measures include establishing a 24/7 contact point within the police. These initiatives seek to bolster the country’s defences and protect against future cyber threats.

Bosnia grapples with rising cyberattacks and data leaks

In Bosnia and Herzegovina, there have been 11 cases of data leaks resulting from hacking attacks since 2020, BIRN research reveals. Ransomware and phishing campaigns were the most prevalent types of attacks.

One of the most recent notable cases occurred in September 2022 when a ransomware attack targeted the servers of the Parliament of Bosnia and Herzegovina. The parliament’s website and computers were rendered inaccessible for over two weeks.

However, many hacking incidents remain hidden from the public. The Ministry of Interior of Republika Srpska, one of the two entities in Bosnia and Herzegovina, reported 23 registered ransomware attacks during the targeted period.

Regarding phishing campaigns, police recorded 107 such attacks, mainly targeting individuals. The police spokesperson for Republika Srpska noted the complexity of accurately registering such cases, as they can be classified as the creation and introduction of computer viruses, computer sabotage, unauthorized access to protected computers, computer networks, telecommunications networks, or electronic data processing.

In the Federation of Bosnia and Herzegovina, Bosnia’s other entity, police reported a total of 117 cyberattacks; 33 were ransomware attacks, with the majority targeting private companies and individuals. Public institutions were subjected to various hacking attacks on 30 different occasions during the monitored period.

Type of attack depending on the target in per cents.

In September 2022, Bosnia’s Intelligence-Security Agency OSA urged institutions and individuals to safeguard their information and communication systems due to increased cyberattacks. OSA emphasized the importance of conducting security assessments and implementing protective measures promptly to proactively prevent attacks. They also highlighted their cooperation with domestic and international partners to counter the intensifying threats.

The first report on cyber threats in Bosnia and Herzegovina revealed that the country faces millions of cyberattacks each month. However, it lacks the necessary strategies, legislation and capacity to protect its citizens, institutions, and companies effectively.

During November 2022, over 9.2 million distinct cyberattacks targeted a wide range of entities in Bosnia, as highlighted in a report presented by the Center for Cybersecurity Excellence, CSEC, and BIRN in mid-April.

From Ransomware to Phishing, Serbia Faces Persistent Wave of Attacks

Serbia has seen its share of cyberattacks over the past years, from major national incidents to almost daily phishing and scam campaigns. 

The first major incident coincided with the Covid-19 pandemic. In early March 2020, the local public utility company Informatika in Novi Sad, Serbia’s second largest city, was hit by ransomware compromising its infrastructure and employees’ data.

Another big cyber threat occurred in May two years later, blocking the databases of the Republic Geodetic Authority for nine days. The attack, launched from five IP addresses, involved two pieces of malware and Phobos ransomware.

Public institutions were not the only ones targeted. According to international cyber security platforms and watchdogs, hacker groups such as LockBit and Quilin claimed they attacked BIG CEE and Gigatron, two large private companies and chains, and obtained their financial and employees’ data.

Malware, ransomware, phishing and, to a degree, Distributed Denial of Service, DDoS, are the main threats. According to the National CERT of the Republic of Serbia, the information security organisation, the most common incidents in 2020 and 2021 involved attempted intrusions into ICT systems and unauthorized data collection. In that period, around 40 million cyberattacks on Information and Communication Technology (ICT) systems occurred.

Phishing campaigns remain one of the most widespread methods jeopardizing the cyber security of the government, but also of the financial sector.

Numerous banks have warned their clients of ongoing phishing and scam emails being circulated, with perpetrators setting up fake social media accounts and organizing fraudulent giveaways. Another frequent target of phishing campaigns was the public enterprise Post of Serbia. Scammers use Viber and other messaging apps, or email, to allegedly inform recipients that their packages are held and that they need to pay money to recover them. 

Although these cases get reported, a recent report by the State Auditing Institution points out that communication between institutions and the National CERT needs to improve, as public and governmental bodies and companies often do not inform the authorities of incidents. For that reason, some attacks remain unidentified for a long period, increasing the risk and damage to the information infrastructure and data.

Type of attack per country in per cents.

Cyber activists have discovered that the app MojDoktor [My Doctor], used for health appointments and connecting Serbian health centres with the integrated information system, was exploited for almost three years. This included several email servers from a local health centre, which were used for spam, phishing, but also malware and virus attacks.

Most cases in the past three years were reported to the Special Prosecution Office for High Tech Crime and Organised Crime. However, the perpetrators often remain unknown, and few cases reach a conclusion in court.

Series of cyber intrusions shakes Albania

Albania has faced several cyberattacks that have targeted its key institutions and businesses. These attacks have caused significant disruptions and raised concerns about cybersecurity.

Methodology Used in the Research

To explore the intricate world of BDI and cybersecurity in the Balkan region, this research adopted a qualitative approach using mixed methods, including a desk review of relevant studies and reports, interviews with IT employees at IT departments in public companies and institutions, and the case study research design. This research methodology is appropriate for enabling a deep understanding of the complex relationship between cybersecurity and BDI in the Balkan region.

A multifaceted data collection approach was employed for this research, including document analysis and case study examination. The researchers first conducted a literature review of government and NGO reports, news articles, and industry reports.

Secondly, the researchers collated data on notable cyberattacks targeting the Balkan region’s BDI systems into a database and interviewed IT employees. Selected case studies offered invaluable insights into cyberattacks on critical infrastructure, public institutions and servers, and revealed large data breaches and leaks.

To analyze the data, the report relied on qualitative content and comparative analysis methods to examine cyberattack incidents across five Balkan countries. The research also relied on triangulation, a technique used in mixed-methods research, to enhance validity and reliability by cross-checking data from different sources.

One notable incident occurred on January 30, 2023, when Air Albania, a prominent airline company, fell victim to a cyberattack. The attackers, identified as the LockBit ransomware group, claimed they infiltrated Air Albania’s online infrastructure to extort a ransom. They claimed to have stolen and encrypted the company’s data, demanding payment for its release. 

The ransom notice was displayed on the LockBit group’s Dark Web Tor Blog page. Despite the attack, Air Albania assured the public that its data remained secure and that system updates were being implemented. The company did not comment further on the incident.

Another significant cyber incident involved Credins Bank, one of Albania’s largest financial institutions. On December 23, 2022, Credins Bank had to suspend its online services due to a cyberattack orchestrated by the Homeland Justice group. The attackers claimed they targeted the bank in response to the Albanian government’s support for the Iranian opposition group, MEK. 

In a concerning development, Homeland Justice shared documents allegedly obtained from the bank on one of their Telegram channels. The bank did not confirm the authenticity of these leaked documents, titled “ALLAccountsCustomers.zip”, and cautioned against their circulation.

The Albania Police Supervisory Agency also faced a cyber threat. On September 21, 2021, the agency reported an attempted attack on its servers. The attack was successfully blocked, however, and the agency stated that no data had been stolen.

The most significant cyber incident to date in Albania occurred on July 15, 2022, when the government’s centralized e-services system was breached. This breach affected various parts of the government’s infrastructure, resulting in the gradual leakage of sensitive information over several months.

The attackers, masquerading as the Homeland Justice group on social network accounts, exposed emails belonging to the State Police director and a list of employees from the secret services. 

Microsoft Threat Intelligence investigations revealed that the initial access to the system occurred in May 2021 through a vulnerability in a SharePoint Server. By July 2021, the attackers had fortified their access using a misconfigured service account. Ransomware and wiper malware were employed to achieve their objectives. 

Microsoft and the FBI suggested that Iran might be behind the attack, leading Albania to sever diplomatic relations with Iran in response. Iran has denied involvement, but Albania believes Tehran was responsible because of Albania’s decision to grant refuge to an Iranian opposition movement that is considered a terrorist group by the Iranian government.

These cyber incidents in Albania highlight the growing threat of cybercrime and the need for enhanced cybersecurity measures to protect critical infrastructure and businesses. The attacks have not only caused disruptions but also strained diplomatic relations. Albania’s government and institutions must remain vigilant and collaborate with international partners to strengthen their cybersecurity defences and mitigate future risks.

Journalists involved in conducting this research are Igor Ispanovic, Azem Kurtic, Gjergj Erebara, Xheneta Murtezaj, and Bojan Stojkovski.

Kosovo Journalists Left Unprotected in Violent Protests in North

Two BIRN journalists were among several journalists from both Albanian and Serbian-language media stuck for hours in a café in the Serb-majority municipality of Zvecan on May 30, after the protests became violent.

While NATO peacekeepers from KFOR and ethnic Serbs clashed in protests against the town’s newly elected ethnic Albanian mayor, the journalists remained for three hours inside the café.

“The situation inside the café was quite alarming; even when we were inside it, we were attacked,” said Shkodrane Dakaj, who together with cameraman Naser Fejza was among the journalists stuck in the café.

She recalled that every time they tried to take photos or videos, “even when we approached the windows of the café, we were attacked by protesters”.

“The windows of the café broke; they [protesters] threw rocks at it when we approached the windows to film. The situation was very difficult,” she explained.

The journalists managed to leave safely only after three hours, with the help of the owner.

“It was impossible to go inside the municipality building or another place secured by the Kosovo Police, because there was a KFOR cordon in front of the municipality building that we had to pass,” Dakaj said, explaining that KFOR “did not accept the request of the journalists to open the cordon and let them pass through.”

The Association of Journalists of Kosovo, AJK, told BIRN that it had registered 20 separate attacks against media crews since Friday. Protesters threw rocks and eggs at journalists, pushed them, forced them to delete footage, took away their cameras and verbally assaulted them. Vehicles of media crews were vandalized.

KFOR and Kosovo police rarely interfered, even when they were present during the attacks on journalists.

Adelina Ahmeti, a BIRN journalist who has been on the ground in Leposavic, said that “the main problems are safe spaces for journalists; there is no specific area for journalists to stay and report from”.

“We are exposed from all fronts and the attacks can be very frequent,” said Ahmeti, who together with cameraman Jetmir Hoxha was pushed by masked protesters in Leposavic on May 30.

No strategy to protect journalists


BIRN’s journalist, Shkodrane Dakaj, while reporting live from Zvecan. Photo: BIRN/Afrim Ejupi

Kosovo journalists say reporting on the ground in the recent protests in Serb-majority municipalities in northern Kosovo has been difficult because of the lack of a strategy by the authorities.

Albioneta Ademi, from the AJK, told BIRN that “the authorities responsible for security in the north do not have a plan or strategy for the security of journalists reporting in tense situations, such as these”.

She said: “It is not the first time that similar situations are being repeated in the north”, adding that, nonetheless, “a record number of cases has been recorded in a few days”.

Kosovo Serbs gathered to protest for the fifth day on Thursday in front of municipality buildings in Zubin Potok, Leposavic, and Zvecan, calling on the mayors elected on April 23 in extraordinary elections boycotted by ethnic Serbs not to use the buildings and for the Kosovo Police to leave the area.

The first attack on media crews was registered on the first day of work of the mayors of the three municipalities, on May 26, which also was the first day of the protests.

Ahmeti said KFOR soldiers were very close when journalists were pushed by mainly masked protesters, who also verbally assaulted the journalists, but did not attempt to interfere.

“This attack started five meters from the cordon of the KFOR soldiers and none of them came closer to the journalists, for safety; there was no reaction from them,” she said.

BIRN’s journalist, Adelina Ahmeti, while reporting from Leposavic. Photo: BIRN/Jetmir Hoxha

Ahmeti said the police “offered a space at the police station in Leposavic in case something happens, but the station is 300 meters from where the media are positioned.” Meanwhile, “KFOR has not offered any strategy for journalists, at least that’s what we gathered during short communications with them”.

Meanwhile in Zvecan, journalists do not have any direct communication with the police. Dakaj said: “Police officials are in the municipal building in Zvecan but we do not have an official contact with them. Very rarely a police official can be seen outside the municipal building, behind the KFOR soldiers’ cordon”.

According to Dakaj, the attacks on journalists in Zvecan have taken place outside the KFOR cordon, and “there has been no reaction from the NATO mission or from the Kosovo Police.”

BIRN asked KFOR whether it has a strategy to protect journalists on the ground and the reasoning behind soldiers not interfering in attacks but did not receive a response by the time of publication.

Ademi told BIRN that the police shared the same concerns as the AJK on the threats journalists face on the ground, “but have not had any strategy”. KFOR has not made any response to the AJK’s concerns.

Local Serb Called ‘Traitor’ for Sheltering Journalists

Mladen Perovic from Zvecan owns the café where journalists found shelter during the violent clashes between protesters and KFOR soldiers on May 29.

Perovic told the media on May 31 that “when I arrived at around 10 am journalists were already there, it was a good place to report and naturally when I opened, they all went in the café”. He opened the café at around 10 am, “when it was obvious the protest would last”, so people could refresh themselves and use the bathroom.

After the protest escalated, he said he “ran away from the café” to be safe “but after some time, when the situation stabilised, concerned about my private property, I went back to my bar where the journalists were”.

They had been trapped there for around three hours, from around 2 pm to 5 pm, as it had been the only safe place for them to be.

Perovic helped the journalists leave the café safely. He told the media on Wednesday that he wanted to close his café and had asked the protesters if they would allow them safe passage; they had responded that “nobody will touch them”, meaning the Albanian-language journalists.

Nonetheless, Perovic said he was later pointed out as a “traitor” for having assisted the journalists. “I do not know what I have done to be called a traitor and be targeted,” he said.

Assaults, broken windows and nationalist symbols

BIRN’s car was damaged on May 31, in Leposavic, by unknown protesters. Photo: BIRN/Shkodrane Dakaj

Media crews have been both physically and verbally assaulted by protesters.

Jul Kasapi, from A2, the CNN branch in Albania, told BIRN that on May 29 around a dozen protesters gathered around him and his team and forced them “to delete footage”.

“Alongside the tense situations between the protesters and KFOR created in Zvecan (particularly on Monday when 30 KFOR soldiers and around 50 protesters were injured) and when our (journalists) lives were endangered, another problem … has been Serbian citizens interfering with our live broadcasts,” Dakaj explained, referring to protesters getting in front of cameras and showing nationalist symbols.

In Leposavic, when BIRN journalist Ahmeti asked about the attacks against journalists, Zoran Todic, former Leposavic mayor who has been negotiating with KFOR on behalf of the protesters, answered: “I am sorry, people here are protesting peacefully. Yesterday [on Wednesday] you came to me to express the issue and we have talked. People here are concerned, as I see the problem, about being filmed via phones and not camera. There isn’t any problem at all.”

Protesters have moved in front of cameras holding the letter “Z”, a symbol of support for Russia’s invasion of Ukraine, and tried to prevent journalists from filming either by moving fully in front of the cameras, or, in the worst situations, by pushing the journalists and trying to get their cameras, or throw them on the ground.

Most of the Albanian-language media that have reported on the ground have had their vehicles damaged with broken windows and blown tires, but also vandalized with nationalist symbols.

Some of the media houses with vandalised vehicles include Albania’s Top Channel, Euronews, A2 CNN, Panorama and Kosovo Albanian-language media RTV Dukagjini, Teve1, Koha, Syri, Periskopi, ATV, Kanal10.

On May 30, protesters threw an explosive device at the taxi the Radio Free Europe crew were traveling with in Zubin Potok. There were no injuries. One day earlier, the car of the media crew of Albanian-language Kosovo broadcaster TeVe1 was set on fire. Two BIRN vehicles were also damaged and vandalized.

The tires of the car in which Ahmeti traveled to Leposavic on May 29 were blown and vandalized with the “4S” symbol, which stands for the motto “Samo sloga Srbina spasava” (Only unity saves the Serbs). The RKS symbol, which stands for the Republic of Kosovo, was covered on the license plates.

Meanwhile, the windows of the car in which Dakaj and the crew had traveled to Zvecan on May 31 were broken.

BIRN has reported the cases to the Kosovo Police. It remains to be seen whether justice will be done.

In May, a BIRN analysis of 62 incidents involving firearms, knives, stones and physical assault since 2017 concluded that police and prosecutors in Kosovo are struggling to solve violent crimes, particularly when they occur in the mainly Serb north, where half of the cases, 31, occurred in the four northern Serb-majority municipalities.

Of these 31 cases, 13 were attacks against journalists which occurred between 2018 and 2022. The court ordered one month’s detention in one case and the police filed a complaint in another.

BIRN was not able to confirm if any other suspects have been identified or arrested in the other cases.

Share Your Experience: Social Media Company’s Content Removal During Turkish Elections

During Turkey’s key May elections, were your posts removed or restricted by Meta (Facebook and Instagram), Twitter or YouTube?

Were your posts marked as against community standards or was the decision taken due to Turkish court cases? Do you think that the assessment was fair?

We are looking for people, from media organisations to ordinary citizens, to share their experiences with us to help with a story that we are working on. Scroll down for information on how to take part.

The key things we want to know:

  • We would like to have insight into how many of your posts were removed, restricted, or flagged.
  • What was the reason for this?
  • We would like to have screenshots of your post/s, and social media companies’ assessment for their decision.
  • Was the assessment fair and well-explained?

How to take part?

To submit your experience, just fill out the form available here.

You can also contact us via email: readerstories@birn.eu.com

Or you can reach us on social media:

FB: @balkaninsight

TW: @balkaninsight

IG: @balkan_insight
