Five-Dollar Bluetooth Tracker Exposes Dutch Warship Location for 24 Hours
Netherlands, Sunday, 19 April 2026.
A journalist successfully tracked a $585 million Dutch naval frigate for an entire day using just a $5 Bluetooth tracker hidden in a postcard sent through military mail. The HNLMS Evertsen, currently protecting a French aircraft carrier in the Mediterranean, had its position compromised when the tiny device bypassed security screenings that only check packages, not envelopes. The tracker followed the warship’s route from Crete to Cyprus before being discovered and disabled after 24 hours at sea.
How a Simple Postcard Became a Security Breach
The security vulnerability exploited by journalist Just Vervaart demonstrates how consumer-grade technology can compromise military operations [1]. On April 14, 2026, Omroep Gelderland reported that a €5 Bluetooth tracker, typically used for locating everyday items like keys, was concealed within a postcard and sent through the Militaire Post Organisatie (Military Postal Organization) [4]. The device successfully bypassed security protocols because while packages undergo thorough scanning, envelopes receive no such scrutiny [2][4]. This oversight allowed the tracker to reach the HNLMS Evertsen, which was stationed at Heraklion port in Crete as part of its mission to protect a French aircraft carrier from potential missile attacks [4].
Tracking the €500 Million Asset Across the Mediterranean
The tracker’s journey revealed the frigate’s complete operational route with alarming precision [4]. Beginning at a sorting center, the device traveled to Den Helder naval base, then to Eindhoven Airport, before finally reaching the warship at Heraklion, Crete [4]. On March 27, 2026, when the Evertsen departed from Heraklion port, the tracker continued transmitting the vessel’s location as it sailed toward Cyprus [4]. The tracking capabilities remained active for approximately 24 hours after the ship left port, providing real-time location data that could have been accessed by hostile forces [1][4]. The device only went offline near Cyprus, effectively ending the unauthorized surveillance operation [4].
Defense Ministry Scrambles to Address Security Gaps
The incident prompted immediate action from Dutch defense officials, with Defense Minister Dilan Yeşilgöz informing the Tweede Kamer (Dutch Parliament) about the breach on April 11, 2026 [4]. Following the discovery, the Ministry of Defense implemented new restrictions prohibiting the sending of greeting cards containing batteries to naval vessels and announced a comprehensive review of military mail guidelines [2][4]. Former Lieutenant-General Mart de Kruif emphasized the severity of the situation, stating that naval forces have become “a bit naive” and require a fundamental shift in security mindset [4]. University lecturer Rowin Jansen from Radboud University highlighted the delicate balance between maintaining communication channels for military personnel and ensuring national security, noting that current geopolitical tensions demand prioritizing security concerns [4].
Broader Implications for Military Cybersecurity
This incident represents part of a troubling pattern of military security breaches involving consumer technology and social media platforms [1]. In March 2026, a French officer aboard the aircraft carrier Charles de Gaulle inadvertently revealed the vessel’s Mediterranean location by posting a running route on the fitness app Strava [1]. Similarly, in 2024, the USS Manchester operated with an unauthorized Starlink terminal for six months, complete with a Wi-Fi network dubbed “STINKY,” before officers discovered the breach [1]. These cases underscore how new technologies and social media usage by military personnel can expose sensitive operational information including locations, schedules, and behavioral patterns [1]. As former Lieutenant-General de Kruif noted, revealing a warship’s location creates immediate tactical risks, particularly in contested waters where “you run the risk of missiles being fired at you” [4]. The Dutch Ministry of Defense maintains that the tracking incident posed no operational risk, though security experts argue that such vulnerabilities require immediate attention given the current threat environment [4].