StravaLeaks, US Secret Service put Biden, Trump in danger

Image: Screenshot, Le Monde, YouTube

Running Into Open Secrets: How to Investigate Using the Strava Fitness App

During one of his routine jogs around Krasnodar’s Olimp sports complex, Stanislav Rzhitsky, a former Russian submarine commander accused of a missile attack in Ukraine that killed 23 civilians, was shot and killed. A few hours after the murder, Major General Kyrylo Budanov, head of Ukraine’s military intelligence, notably “liked” the latest run Rzhitsky had uploaded to his Strava fitness app profile. Although Budanov said his department had nothing to do with the attack, despite allegations that this “like” could have been a sardonic signature, this incident highlights the privacy vulnerabilities of Strava.

This popular US social media app for fitness enthusiasts, released in 2009 and available in 13 languages, boasts over 135 million users in more than 190 countries. According to its website, Strava’s about “more than tracking workouts — it’s where connection, motivation, and personal bests thrive.”

One of Strava’s most popular features allows users to share their athletic goals and achievements, as well as review, comment, and send kudos to peers. Described as “Facebook for runners,” Strava turns lonely workouts into social experiences by gamifying fitness and encouraging competitive sharing.

But journalists and open source researchers have been pointing out the privacy concerns linked to Strava for years. And this very same ability to share has given journalists — and others — the ability to pinpoint movements of soldiers in European and Israeli military bases, of French nuclear submarine crews, and of the security teams of a number of world leaders. Although these scandals linked to Strava have been making headlines since 2017, recent investigations reveal how use of the app by people who should be keeping a lower public profile has left them, and even top secret institutions, vulnerable.

Israel’s Mystery Runner

Israeli officials were troubled in October 2024, when Omer Benjakob, disinformation and cyber reporter for Haaretz, sent them a query about a suspicious Strava user who claimed to be from Texas and seemed to be exploiting the app’s features to collect information about the country’s military installations. In the span of four days, the profile of “Kevin D” purportedly took 60 long runs in an incredibly short time, on 30 Israeli military bases.

By posting fake runs in specific places on Strava, the app allowed “Kevin D” to see the routes and profiles of other users who had also exercised there, as long as they hadn’t turned on the most advanced privacy options in their profiles. Many soldiers were unlikely to have done so, which gave “Kevin D” access to sensitive data about them and their bases.

Indeed, this wasn’t the first time Benjakob covered how Strava had been key to finding data about Israel’s soldiers and bases. He had kept an eye on Strava since 2018 when, after the app published a heat map of all of its users’ runs around the world, independent open source analysts such as Nathan Ruser (then a 20-year-old student) and Alec Muffett had a field day pointing out how frequently people moved along CIA compounds in Somalia, US military outposts in Iraq and Syria, British bases in the Falklands, Italian bases in Djibouti, and even highlighted the path of a lone cyclist in Nevada’s legendary Area 51. Aric Toler, Bellingcat’s first director of training and research, even published a tipsheet to help journalists profit from the rich material available on the app — most of his tips are still relevant, so make sure to check them out.

Since then, reporters and researchers have delved into Strava as if it were an investigative journalism genre of its own. In 2020, Bellingcat’s Nick Waters identified 14 SAS troops in the top-secret Hereford base, and in 2022, the Israeli NGO FakeReporter revealed a Strava security breach that singled out 100 individuals in six top-secret Israeli bases.

Although the Israeli military had been blasé about Strava’s vulnerabilities before the Hamas terrorist attack on October 7, 2023, when Benjakob approached them a year later, alarm bells rang. But before Haaretz or the Israeli military could determine who “Kevin D” was, he revealed himself.

Le Monde’s #StravaLeaks Rip Through the World

The latest blockbuster investigation into Strava came from two French reporters: Sébastien Bourdon — an open source investigative reporter who specializes in Europe’s far-right, and Antoine Schirer — a journalist, filmmaker, and designer who expertly creates OSINT visualizations — the duo behind Le Monde’s 2024 #StravaLeaks investigative series.

The pair’s first piece revealed how it was possible to predict exactly where French President Emmanuel Macron would stay during his travels once a member of his Security Group for the Presidency of the Republic (GSPR) detail was identified in Strava.

The reporters used a deceptively simple method: if you log a fake run in a specific place, Strava will reveal who also runs there. Choose a place where people other than GSPR members are unlikely to run, and you’ll start closing in on a member of Macron’s security detail. “The Elysée Palace is too small so you can’t jog there. Also, you’d find too many other people running around in Paris, so Macron’s weekend house in the outskirts was our starting point,” Bourdon tells GIJN.

Using a Python tool developed by Schirer, they mapped all the locations where the security officers were running. Then they crossed that information with news about the president’s international trips and checked if a user’s locations matched the movements abroad. Finally, by using photographs and identifying if the person was physically next to the president, they corroborated that this person was part of Macron’s security detail.

Other times, the process was even simpler: some GSPR members used their real names in Strava, and when Googled, their LinkedIn profiles publicly confirmed they were part of Macron’s security team.

When contacted for comment, Bourdon and Schirer said the GSPR declined to speak to them. And when they reached out to Strava for comment, Bourdon and Schirer said the company shifted the responsibility to its users: “We treat privacy settings with care throughout our entire experience; location data is used only with explicit opt-in, is prominently displayed in each Strava activity, and can be easily modified in a user’s settings. While our platform is built for everyone, we expect people working in sensitive professions to leverage the controls available to them and appropriately limit their content.”

Le Monde’s second story, detailing US Secret Service agents’ public exposure in Strava, followed a similar method. They mined 150 Strava runner profiles from the Secret Service’s training ground in the US state of Maryland, and cross-referenced each profile with other public data to determine 26 people who were part of then-President Joe Biden’s security detail. This meant that, just as with President Macron, it was possible to predict Biden’s movements. Some Secret Service agents were also posting personal information online under their real names, such as pictures of family members — some of them alongside Joe and Jill Biden.

The US Secret Service’s official response was curt: they just said they would investigate the issue.

After finding vulnerabilities in both Europe and the US, the duo turned their attention to an even higher profile target: Russian President Vladimir Putin. Putin has repeatedly denied the findings of an investigation published by the late Alexey Navalny’s team, which revealed how the Russian leader had built a billion-dollar palace on the Black Sea coast. By looking for Strava runners in that compound, Bourdon and Schirer found some of Putin’s bodyguards and were then able to track the notoriously cautious Russian leader around the world.

Do other world leaders have similarly relaxed social media policies, at least when it comes to exercising? When Bourdon and Schirer tried to conduct similar research with Xi Jinping’s security detail, they found that Strava is not used in China. Research on the German chancellor’s bodyguards was too cumbersome, because there is no isolated vacation home or training ground to pinpoint. And not enough personal security agents for the UK Prime Minister or the Turkish president use Strava, so those investigations hit a dead end.

It was in their exposé identifying individual Israeli soldiers fighting in Gaza that their online investigative persona “Kevin D” came to light. “When we published our investigation, the Haaretz journalist wrote to us and said: ‘Great investigation about Strava. Look, I published my own investigation about Strava’, and he linked the article in which he found the profile we used. That’s when we told him the person he was after was, in fact, us,” Bourdon tells GIJN.

“Initially, I was kind of embarrassed. I thought ‘Shit, I’m gonna get in trouble,’” Benjakob recalls. “We made a big fuss with the army, the head of digital security, and the entire military. So I went to my boss, but he said: ‘It’s OK, this thing with Le Monde is a story, someone was testing the system and the system failed.’”

Bourdon and Schirer note that their investigative technique using the app was still operational during more recent reporting efforts, which explains why Le Monde’s #StravaLeaks methodology has been followed elsewhere. In March 2025, Jean-Hugues Roy, a data journalist from the Quebecois media outlet La Presse, identified where former Prime Minister Justin Trudeau and his wife had stayed during their travels. He even discovered what could be Trudeau’s usual jogging route in Rideau Cottage, his official residence, by examining 46 runs posted on Strava by one of his bodyguards.

Tips for Fitness App Investigations

Bourdon and Schirer shared tips with GIJN for journalists who want to do their own #StravaLeaks:

  • Search locations where the only people likely to run are the ones you’re looking for.
  • When using Python, map all the activities of a profile you find interesting. The script should go to every race, collect the locations, and put pins on the map. At the end just map everything the profile gives you in a decade of activity.
  • Plotting a user’s activities not in space but in time with a Python script might give you interesting results. By using this approach, Bourdon and Schirer identified users in a nuclear submarine base in Brest with two-month gaps, suggesting they might be part of a submarine crew. Bourdon later confirmed these suspicions by cross-referencing the findings with their posts on Strava. “It’s hard to return [to running] after spending two months in a litter box,” complained a user in his profile.
  • Folium can render the data as an interactive map, so that when you click on a specific pin the activity comes up. “This allows you to quickly verify locations,” Schirer explains. “It’s not too complicated: just collect the data and plot it on a map.”
  • Having a visual designer in your open source investigation will take it to the next level, and you’ll collect a lot more information if you also include a tech-savvy person.
  • Schirer hesitates when sharing his last tip, because it’s not how they found most of the information, but if you have a list of profiles you’re interested in, conduct a search that determines if any of them have jogged in a location that’s important for your research.
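
The two signals in the tips above, activities clustered at an isolated site and long silences in time, are also what a security team can look for in its own members' activity exports to see what a public profile would give away. This is an added example, not Schirer's tool or code from the original article; the sample activities, the site coordinates and both thresholds are constructed assumptions.

```python
from datetime import date
from math import asin, cos, radians, sin, sqrt

# Constructed sample: (ISO date, start latitude, start longitude) taken from
# one athlete's own activity export. All coordinates are made up.
ACTIVITIES = [
    ("2024-01-03", 10.0000, 20.0000),
    ("2024-01-05", 10.0010, 20.0010),
    ("2024-01-08", 10.2000, 20.3000),
    ("2024-03-12", 10.0005, 20.0002),
    ("2024-03-14", 10.2000, 20.3000),
]
# Hypothetical sensitive site (workplace, base, residence) and audit thresholds.
SITE = (10.0, 20.0)
RADIUS_M = 500
GAP_DAYS = 45

def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = p2 - p1, radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371000 * asin(sqrt(a))

def starts_near_site(activities, site=SITE, radius_m=RADIUS_M):
    """Dates of activities whose start point lies within radius_m of the site."""
    return [d for d, lat, lon in activities
            if haversine_m(lat, lon, *site) <= radius_m]

def long_gaps(activities, min_days=GAP_DAYS):
    """(last_before, first_after, days) for each silence of at least min_days."""
    days = sorted(date.fromisoformat(d) for d, _, _ in activities)
    return [(a.isoformat(), b.isoformat(), (b - a).days)
            for a, b in zip(days, days[1:]) if (b - a).days >= min_days]

def audit(activities):
    """Summarise what a public profile holding these activities would reveal."""
    return {"near_site": starts_near_site(activities),
            "gaps": long_gaps(activities)}

if __name__ == "__main__":
    report = audit(ACTIVITIES)
    print("Starts inside the sensitive radius:", report["near_site"])
    for before, after, n in report["gaps"]:
        print(f"No activity for {n} days between {before} and {after}")
```

Any date the audit lists under `near_site` is an activity that should be private or covered by hidden start and end points, and any reported gap is a schedule pattern that stays visible for as long as the surrounding activities are public.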

GIJN asked Bourdon if Strava could be useful to find and follow far-right extremists, but he wasn’t very optimistic about that angle. “What’s difficult about this technique, and the reason it worked with Macron’s security detail, is it’s about where you’re looking, more than who. Most far-right activists live in neighborhoods where many other people also run, so you can’t go to an isolated and specific location to identify their profiles,” Bourdon notes.

Nonetheless, if you know who your specific target is, you can try finding them in Strava. In a 2024 investigation, Nepal’s Netra News, Deutsche Welle, and Süddeutsche Zeitung collaborated for a story that revealed a United Nations peacekeeper in the Central African Republic had been a Bangladeshi “death squad” member. In March 2025, reporters from The Times and Bellingcat revealed a respected German fintech executive was also a financial advisor to Ireland’s infamous Kinahan crime syndicate.

In a collaborative exposé, Netra News identified a Bangladeshi soldier (left) suspected of being a ‘death squad’ member — and then found he had later deployed to the Central African Republic as a UN peacekeeper by tracking one of his posted Strava runs (right) in that country. Image: Screenshot, Netra News

The OG Strava Reporter and the Company’s Evolving Responses

Back in 2017, nearly a year before OSINT analysts and investigative journalists used Strava to crack open secret military bases and the movement of presidential bodyguards, Rosie Sparks, then a freelance journalist who regularly published in Quartz, was raising the alarm about the app’s privacy risks.

“I was a big runner back then and I used Strava a lot, and I was also a single urban female, so I was very aware,” Sparks explains. “I found people I didn’t know liking my runs. It was weirdly invasive because it was in parks in London that were right by my house or routes I was running from my front door, so I thought: how can it be that random dudes are liking my runs, when I thought I had enhanced privacy settings on?”

Sparks’ first story detailed how she realized that the app’s “enhanced privacy settings” were insufficient at the time, and she needed to access a web of other options to protect her data and location from being shared with strangers.

After the 2018 heatmap scandal, Strava’s then-CEO went on a damage control campaign, answering questions about privacy and explaining how they had modified their privacy settings.

But since then, the same cycle has repeated: a story about Strava being used to find top secret information breaks, and Strava says they’re working on improving their app.

Haaretz investigative reporter Omer Benjakob. Image: Courtesy of Benjakob

“A lot of these problems are not because of bugs, but of functions that are a problem if you’re Emmanuel Macron’s bodyguard,” says Benjakob.

And at the heart of the issue is the poor cyber hygiene of users who should know better, because they have highly sensitive jobs. “The privacy settings put in place by Strava are actually quite good, and it’s true that they are easily accessible for users. The issue around our investigation wasn’t that privacy settings did not exist, it was that most of the users we were interested in were not using them,” Bourdon points out.

In our recklessly digital age, in which even the heads of US intelligence agencies and the military message war plans through Signal, information is no longer easily compartmentalized into “top secret” and “public” channels. Overflows are pervasive, protocols are ignored, technology is clumsily regulated, if at all, and the safety of both a lone urban woman and the President of the United States can be compromised by the same fitness app’s features.


Santiago Villa

Santiago Villa is an award-winning journalist who has written for Latin American news outlets for more than a decade. He is currently based in Colombia, and writes an opinion column for El Espectador. He has previously worked as a foreign correspondent in South Africa, China, Venezuela, and Ecuador.

Material from GIJN’s website is generally available for republication under a Creative Commons Attribution-NonCommercial 4.0 International license. Images usually are published under a different license, so we advise you to use alternatives or contact us regarding permission. Here are our full terms for republication. You must credit the author, link to the original story, and name GIJN as the first publisher. For any queries or to send us a courtesy republication note, write to hello@gijn.org.
