Australia’s Black Widow: OSINT Exposing Kremlin Ties in the Korolev Espionage Case

"Espionage is real. Multiple countries are seeking to steal Australia's secrets.” - Mark Burgess, Australia’s Spy Chief [Source: ABC]

On a cloudy Thursday morning, men and women in dark jackets lead a Russian woman out of her suburban apartment. 

Later that day we see the Russian and her husband escorted through a twilit car park to an unmarked black vehicle. Their identities have been carefully concealed, but images of the smiling brunette suspect will soon appear in the press. 

The woman has been accused of spying: working from within her position in the Australian Defence Force (ADF) to steal secrets for the Russian state. 

This was not a Cold War fantasy, an Anna Chapman re-enactment, or a Black Widow comic. This was Brisbane, Australia in 2024. This was the case of Kira Korolev, the first woman arrested for espionage under Australia’s new espionage and foreign interference laws. 

And with OSINT Industries, an Australian investigative journalist exposed her secret double life in Moscow.

‍

Meet James

James is an acclaimed investigative journalist - and an OSINT Industries user. 

A national security expert who has contributed to international publications including The Guardian, ABC News and ASPI’s The Strategist, James conducted an exclusive investigation into the Korolev case for Australian digital paper The Nightly. 

At the crux of this investigation was James’s accessing internal Russian Government documents spanning two federal ministries: the first time in history an Australian media outlet has obtained any internal Russian Government material. 

James has shared the story of how OSINT Industries’ unique approach to Russia-focussed OSINT was a pivotal assist. Our groundbreaking approach, he revealed, was key in exposing the truth in Australia’s first 21st-century espionage case - and showcases a triumph of OSINT in investigative journalism.

‍

1: Bad Actors

‘It's unreal. Honestly, so strange. I didn't even think that that would be something that's going on, especially here.’ - Tristen, a neighbour of the Korolevs [ABC]

Kira Korolev, 40, and Igor Korolev, 63, are the Russian couple arrested that Thursday morning. Neighbours described their feelings of confusion at something so surreal: their sleepy Everton Park apartment complex transformed into an unlikely set for a Bond movie, with sniffer dogs and police officers carrying mysterious duffel bags. Reality and fiction seemed to blur.

Their Russian neighbour Kira, an ADF army private, had rarely been seen. She kept to herself, often traveling abroad, but seemingly dedicated herself to her work. The Australian Federal Police had access to a different perspective. These unassuming Everton Park neighbours were now suspected to be Russian spies.

Paid thousands of rubles by Russian State-affiliated organs - as James would later reveal - Kira Korolev’s vacations to Moscow had in fact been planned to conduct espionage, police allege; she would instruct her husband on how to log into her ADF work account, and send sensitive material to her in Russia.

Fitting for the so-called Moscow ‘theater director’, Kira Korolev had spent her decade in Australia playing the role of a lifetime. 

“I can meet new people and I can make friends for life. I like to serve the nation, which I love…” - Kira Korolev in an erased ADF promotion. [Source: The Nightly]

The Korolevs were active on social media: Kira broadcasted a Russian-language travelogue, and detailed their lives on Facebook. Kira could be seen ‘enjoying eateries in Melbourne and Tasmania; visiting the Royal Australian Mint in Canberra (somewhere she would later take her husband to); holding snakes and filming crocodiles outside Darwin; and exploring abandoned gold mines and tropic forests in northern Queensland.’ 

The couple had expertly concealed the irony in their attempts to appear perfectly ‘Australian’. Even the ADF fell for their facade of dedication to their adopted country; The Nightly revealed that while fully immersed in her role as a squeaky-clean ADF Information Technician, Kira had featured in two hastily-deleted recruitment videos. The Force were oblivious to the fact their model soldier was closer to a Black Widow, implicated with a servant of the FSB, SVR and GRU - the State organs that masterminded the long-term, deep-cover agents known as ‘Russian Illegals’.

‘The Illegals, as they were called inside the Department of Justice, had infiltrated American society, nearly all of them going by Anglicized names, passing themselves off as white-collar professionals.’ - Bret Forrest, Journalist [Source: Politico]

The US-based ‘Illegals Program’ sleeper cell, uncovered in 2010, gained media attention after the arrest of ‘celebrity spy’ Anna Chapman (born Anna Vasilyevna Kushchenko). 

These women, although separated by years, glamor and geography, are surprisingly alike in their approaches to espionage. Like Korolev, Chapman embedded herself in her adopted country’s society, posing as a slick New York real estate agent as she siphoned intelligence to the Kremlin. Chapman once posted on Facebook, ‘If you can dream it, you can become it.’ As much as Anna had dedicated herself to her portrayal of an opulent American socialite, Korolev had embodied the ideal, loyal Australian soldier, living a copybook suburban life. 

Yet unlike her US counterpart, the ‘Australian Anna Chapman’ didn’t practically hand herself to authorities in a mistaken attempt to pass a fake passport, given to her by an undercover FBI agent, to another spy. What’s more, Kira Korolev wasn’t about to court media capital like her American double. After the ‘Iron Curtain’ had fallen on her performance, uncovering the truth about Kira Korolev took a feat of investigative journalism - and James was at the journalistic spearhead. 

A secret weapon in his arsenal? OSINT. 

‍

2: A 7-Minute Walk

‘Accused Russian spy Kira Korolev, once celebrated by the Australian Defence Force as a model soldier, was secretly employed by a Kremlin-backed war machine powering Russia’s invasion of Ukraine.’ - James King [Source: The Nightly]

James had a grip on the basics of the Korolev story. Questions, however, remained about several aspects of the case. Did the Korolevs have a financial incentive to betray Australian security? If so, who provided it? What was the significance of Korolev’s travel to Russia?

Not all of the truth had been discovered… yet. James began his investigation with leaked Russian Government documents and Russian-focussed OSINT research — in a first for an Australian news outlet.

At the crux of the case was Kira Korolev’s trips to Russia in the past year, undeclared to the ADF. James’s Russian Ministry of Internal Affairs documents showed Korolev would travel throughout Russia, to Belarus and the far western city of Saint Petersburg.

James geolocated the residence in Moscow, the city in which Australian Federal Police allege Korolev communicated with her husband Igor, exposing classified ADF documents to the Kremlin. 

Between January 18th 2022 and June 12th 2024, Korolev had stayed in Moscow’s Kuntsevo district. The leaked Russian Ministry of Internal Affairs documents James accessed made it apparent that on May 19, 2024, Kira had moved into a Moscow apartment only 375m from GRU headquarters. 

Kuntsevo was a 7-mile (11.3km) drive away from here. By James’s calculations, the Moscow apartment is a mere seven minute walk.

The GRU (trans. ‘Main Intelligence Directorate’) is Russia's central military intelligence agency; namely, the heart of Russia’s spying activity. Conducting espionage, counterintelligence, and even international destabilisation efforts in the ‘Five Eyes’ nations, the GRU has been implicated in various recent international incidents - from the Skripal Poisoning in 2018, to the 2017 NotPetya Ransomware Attack and interference in the 2016 US elections.

This placed Kira Korolev ‘at the epicentre of Russian military intelligence’; the building in question had been opened personally by Vladimir Putin. Her apartment wasn’t a holiday home either. 

‘Unlike that Kuntsevo district address that was registered as a place of stay — clause 9 of the 1995 Russian Government Decree No. 713 requires citizens staying in a temporary residence for over 90 days to register that place of stay with authorities — her new address next to GRU is instead listed as her place of residence.’

All of this was furthered by James’s access to Russian telecommunications records. Here, the cell of a GRU Major General would connect to a cell phone tower mere metres from Korolev’s home.

What’s more, this general was supervising the chief of GRU Department 5: the department directly responsible for handling deep-cover activity and the ‘Russian Illegals’. James saw this mobile phone had connected to a cell phone tower 55m away from Mrs Korolev’s apartment complex ‘more than it has to any other cell phone tower in Russia’.

James’s investigation was proving direct connections between Korolev and the Russian State. Flight records showed that Kira Korolev had booked a return flight from Moscow to Istanbul last year. James’s Russian records also revealed a payment to Korolev within four weeks of her journey. 

Kira Korolev’s questionable employment history came to light, and quickly contextualised her position near the GRU.

While in employment as an ADF Information Technician, Kira Korolev had been secretly listed on the employment roll of a titanic Russian war machine: Russian Basic Information Technologies, or RusBITech. 

Powering the highest information security classification - ‘of special importance’ - RusBITech is a key facilitator in Putin’s regime. It’s a contractor for the FSB, Russia’s domestic intelligence agency; FSTEC, Russia’s military information security agency; SVR, Russia’s foreign intelligence agency; and the Russian MoD itself, including Korolev’s ‘spymasters’, the GRU. 

This corporation, whose computer operating system Astra Linux powers the Russian Army, is high-tech, slick, efficient… and internationally sanctioned for facilitating war crimes in Ukraine. 

‍

3: War Machines

Frequently found destroyed in Ukraine, RusBiTech machines are dedicated tools of devastation. Korolev’s secret employer is the core of Russia’s communications efforts in their illegal invasion of Ukraine. They produce tactical vehicles like the R-441 ‘Liven’, with it’s ‘digital mobile complex of secret telephone communication and mobile super-protected telecommunications complex’; a key logistical component in Russia’s air attack system.

The firm also manufactures the APE-5 Mobile Command Post. This armored military vehicle has been deployed across Ukraine, allowing - in James’s words - Russian ‘military chiefs’ to ‘control combat… with satellite communication, cartographic processing, and automated attack modelling.’ 

When she joined the ADF ‘Signallers’ as an Information Technician, Korolev was allowed to ‘manage high-level military software and hardware that could determine the success of military operations.’ The APE-5, operated by Korolev’s employer, utilizes the same type of sensitive military technology that Kira had mastered as an Australian Army ‘Signaller’ - here, turned killing machine.

Kira Korolev began, according to James’s Russian Ministry of Labor and Social Protection documents, receiving payments from RusBiTech on August 14th 2023. The payments of hundreds of thousands of rubles (equalling over $6000AUD) continued as long as data was available - and corresponded perfectly with her sudden, erratic travel.

‘The documents expose Mrs Korolev — whose Australian security clearance permitted her access to top secret Australian intelligence — secretly receiving hundreds of thousands of Russian rubles from a sanctioned military firm serving Russia’s top intelligence agencies while she was employed in the Australian Defence Force.’ - James King, The Nightly

‍

4: OSINT Undercover

OSINT, and our tool, aided James’s triumph as the first Australian journalist utilizing internal Russian Government material.

For James, it wasn’t enough to find Russian documents that listed a ‘Kira Korolev’ with a matching birth-year. Multi-layer verification gave higher confidence. The Russian embassy had already clouded the atmosphere with claims of ‘anti-Russian paranoia’ and (ironically) ‘theatrical tricks’. Links and identities had to be verified; the facts needed to be bulletproof. How to provide irrefutable evidence that these priceless documents didn’t misidentify the Korolevs?

Key in this corroboration process was OSINT Industries.

First, the documents. James corroborated Kira’s identity by matching his Russian Ministry of Labor and Social Protection documents with her known date of birth and social security number from a leaked 2009 Moscow medical record. Also on that medical record was a match for Korolev’s email address, mobile number, passport, and a former Moscow home address. These mirrored 2023 records from Alfa-Bank, Russia’s largest private bank, and a 2022 database from the Russian Federal Taxation Service.

Second, OSINT Industries. With a search, James could connect Kira Korolev’s mobile number to her OkRU profile. This was vitally important: Kira documented her Australian travels on OkRU, further corroborating her identity. An email address search linked to an Adidas Running account, where she was pictured wearing a Commonwealth Bank-branded hat - another Australian connection.

As for her husband and accused accomplice, Igor Korolev, a second mobile number was listed in his wife’s Alfa-Bank file. This cross-referenced with an Alfa-Bank account belonging to Igor - solid intel, but James wanted more. Thanks to OSINT Industries, the two other mobile numbers - including an Australian Vodafone number - quickly linked to a WhatsApp account featuring Igor’s face.

Two email addresses were also listed on WhatsApp: one tied to his OkRU profile where he lists living in Brisbane, pictured (bizarrely) standing beside a life-size figure of Chinese President Xi Jinping. And there was more. His Google account gave a five-star review to a Brisbane hair salon where his wife had posted her new look on Facebook.

Of all these accounts, none showed activity after 12th July, when the joint counter foreign interference task-force had taken Australia’s ‘Black Widow’ and her husband down. It was two days before Igor’s birthday.

Identities verified. Mission accomplished.

‍

5: The Russian Connection

When your targets are Russian, OSINT changes. 

For one, geopolitical tensions between the West and the Kremlin make OSINT investigations more treacherous. Thanks to stringent regulations on data accessibility from the Russian state, what’s OSINT in the West might not be in Russia - and these web restrictions have made many Russian citizens sophisticated cyber actors, or even just more adept at anonymization techniques like VPNs and proxies.

What’s more, Russian is a complex language, with a unique alphabet that can flummox Western translation AI; little-known cultural nuances might lead to misunderstandings, and SOCMINT-sources popular in Russia, like VKontakte (VK), differ in digital culture from Western platforms - it’s hard to imagine music integrated on Facebook, VK-style. 

The beauty of OSINT Industries is that we integrate Russian source modules into our platform: VK, OKRu and other Russian platforms are among the 300+ sources we scan in every search. We’ve overcome at least some of the barriers to Russia-focussed OSINT, allowing investigators to shed light on a region increasingly under international scrutiny.

James chose OSINT Industries and its unique Russia-focussed modules to reach higher confidence. 

As time goes on, and Putin’s Russia remains in the spotlight for the invasion of Ukraine, gay rights violations or press and political censorship that renders the nation a ‘cyber gulag’, OSINT in Russia will be vital for journalists and activists. 

James’s investigation exemplifies how the powerful multi-layer verification tool James found in OSINT Industries can be used to combat bad actors, expose the Russian regime and spread the truth as far as possible. 

‘I think it clearly shows that we are up against… not just the physical contest that we are seeing in Russia's war on Ukraine… We are seeing a battle for a whole range of strategic competition areas below that threshold of war and we have to be mindful, we can't just wait and react to where bullets are fired, we have to act before the contest and the competition becomes conflict.’ - Justin Bassi, Executive Director at the Australian Strategic Policy Institute [Source: ABC]

For further information about James’s investigations, visit:‍

James's Site: https://sites.google.com/view/isjamesking/

Twitter (X): https://x.com/isjamesking

LinkedIn: https://au.linkedin.com/in/isjamesking

Telegram: https://t.me/isjamesking

‍