To experience the interactive, original publication, please click here. You can find the full text without interactive and scrollytelling elements below.

This article in 1 minute

What’s the news?

FTM identified hundreds of soldiers from nations including Germany, the UK and the US on the dating app Tinder. The personal details including home addresses of many soldiers can be found and their travel movements can be tracked via the application.

The investigation found and virtually followed army personnel across major military facilities from the US Ramstein Air Base in Germany to a NATO complex in Lithuania.


Why is this important?

Intelligence services worldwide have been warning for years about “honey traps” via dating apps such as Tinder, in which spies establish contact with people who have access to sensitive data and deceive them in order to extract the information.

The use of these apps has not been comprehensively regulated by defence ministries of major nations, and guidelines on online privacy for soldiers are thin.

FTM found that military personnel share a lot of information about their work on their dating profiles. And Tinder’s security and location settings make it pretty easy to follow their movements, in what experts said could be a “threat to national security”.

But the problem doesn’t stop there. The same risks apply to all Tinder users, from members of the public to police officers and diplomats.

How did FTM investigate this?

FTM created three fake Tinder accounts and used a programme to change the locations of these profiles and virtually place them near military bases. By doing so, FTM gathered more than 100,000 Tinder profiles, and identified at least 400 soldiers in a short timespan.

These profiles could be monitored and their movements tracked, even if there was no match when FTM’s profiles were “turned down” by the soldiers being monitored.

Using trilateration, a technique in which FTM digitally moved its accounts to different points and measured the distance to a given soldier, it was possible to hone in on precise locations. In combination with information from public sources, FTM was often able to easily identify the soldiers on Tinder, verify or retrieve their home addresses and ascertain additional information about their work, hobbies, (sexual) preferences and interests.

This article is part of an ongoing series.

Some people look for love – or perhaps just sex – in unusual places.

Be it a US Air Force base in Germany, a NATO military complex in Lithuania or in the vicinity of a former UN peacekeeping facility in Mali.

The problem is that these singletons are soldiers scrolling through Tinder while on duty, either unaware or unconcerned about the fact that the dating app is indirectly giving away their personal data, current location and even their movements between military bases, an investigation by Follow the Money has revealed.

“This is a threat to national security,” said Dutch cybersecurity consultant Matthijs Koot.

By creating three fake accounts on Tinder – under the names Jacky, Naomi and Daisy – FTM identified the dating profiles of hundreds of military personnel at bases across Europe who came from countries including France, Germany, the Netherlands, the UK and the US.

Using the bios and photos on the soldiers’ Tinder profiles in combination with information from public sources such as LinkedIn and Instagram, FTM managed to find out details such as their job titles, home addresses, and reams of other material about their personal lives.

Thanks to Tinder’s lax security settings, the locations of the fictional Jacky, Naomi and Daisy could be constantly changed and digitally moved around various military bases. Because the app shows the distance between its users, FTM was not only able to establish the whereabouts of a given soldier, but also monitor their travel over many days or even weeks.

This did not require any swiping right (a match), simply liking the profiles was sufficient.

Take Michael, for example. FTM’s fake account Naomi came across his Tinder profile in mid-November while her location was set near the US Ramstein Air Base in southwestern Germany.

Michael’s bio showed that he was in his mid-thirties and worked in “ballistic missile defense”. Naomi liked him and although there was no match, FTM could still track Michael’s movements through the app’s location data.

Within the space of 10 days or so, the US soldier travelled from Ramstein to Frankfurt to London to northern Spain – near Santander – before returning to the base in Germany. FTM also discovered Michael’s date of birth, his past working as a pub crawl promoter in South Korea’s capital of Seoul, and information about his father, who also served in the US military.

From Germany and Estonia to Mali

Jacky, Naomi and Daisy found many other soldiers on Tinder across Germany – from the US Army’s European headquarters in Wiesbaden to the Grafenwöhr Training Area and the Büchel Air Base.

Looking closer to Russia, FTM’s three profiles also identified military personnel at the Rukla Military Base in Lithuania, where NATO’s Enhanced Forward Presence Battlegroup is based, and around the Ämari Air Base in Estonia. FTM tracked two members of the Dutch Royal Airforce travelling to this base in northern Estonia, where the Netherlands is part of an active mission to protect the eastern flank of NATO’s airspace from Russian threats.

In one extreme case, a US soldier identified only as “M” was tracked travelling from the Ramstein Air Base to the West African nation of Mali, where he stayed for a few days near a former UN peacekeeping base, before returning to Germany.

Intelligence agencies worldwide have warned for years about how malicious powers misuse social media and applications that process users’ location data, including dating apps.

The age-old tactic of the honey trap – whereby unsuspecting targets in positions of power or with access to sensitive data are approached by attractive individuals and deceived through flattery or other means – has evolved from smoky bars and glitzy nightclubs to the likes of Facebook and Tinder.

However, Tinder’s security flaws, along with limited online privacy guidelines from the defence ministries of major nations such as the Netherlands, Germany, and the US, suggest that the risk to army personnel is going largely unchecked, cybersecurity experts told FTM.

And it’s not just individuals who are in danger, but entire states, said the Dutch expert Koot.

“If you can follow the movements of soldiers in such a simple, structured and long-term way, that is a major problem” he said.

“For example, if there is suddenly a lot more app activity on a military base, that could mean that they are scaling up or that an exercise is imminent. In parts of the world, such strategic information can be crucial,” Koot added.

FTM shared its findings with Tinder and asked for a response, but received no reply.

Research from Belgian university KU Leuven (see the next section) shows how Tinder masks the exact whereabouts of its users so that only an approximate location can be found through the data it sends to its servers. But in sparsely populated or remote areas – such as military bases – this still allows users’ locations to be identified, as FTM did in this investigation.

Security flaws

Dating apps are increasingly being used by spies seeking to ensnare valuable targets and extract sensitive information, according to top intelligence and security services.

In January 2020, a representative of the US Department of Justice said in an interview that such apps could be weaponised by individuals and foreign intelligence agencies.

Two years later, in February 2022, the head of Australia’s Security Intelligence Organisation (ASIO) said the agency was tracking suspicious approaches from foreign spies on dating apps including Tinder.

And in April 2023, Germany’s military intelligence agency reported that Russian spies were using Tinder to try to obtain confidential information about the war in Ukraine from German politicians and army personnel.

In Tinder’s case, the location data it shares is likely why it is seen as a useful tool for spies.

Every time someone uses the app, their location is updated. While Tinder does not reveal the exact whereabouts of its users, an individual browsing the app can see the approximate distance between themselves and their potential suitors, even if there is not a match.

For this investigation, FTM created a programme to provide Tinder with false locations for Jacky, Naomi and Daisy. These accounts were then digitally placed at various army bases so that the profiles of users in the area could be identified and collected.

Jacky, Naomi and Daisy were repeatedly moved – virtually-speaking – to different points in a given area in order to measure the distance between them and individual soldiers, allowing FTM to hone in on their near-exact whereabouts (a process known as trilateration).

The soldiers in question would not have had any inkling that their location and movements were being tracked in this way, or been able to prevent it if they did while active on Tinder.

“It is worrying that profiles can be obtained on such a large scale from such a globally operating platform,” Belgian cyber researcher Karel Dhondt told FTM after studying its findings.

“If that information falls into the wrong hands, the consequences for the people and groups of people concerned can be far-reaching,” he said. “The fact that a group of journalists managed to do this without too many technical barriers is evidence of a lack of effective protective measures at Tinder.”

Dhondt obtained his PhD from KU Leuven on the security of location-based applications and is the lead author of a recent study into the security of 15 dating apps, including Tinder.

“If that information falls into the wrong hands, the consequences for the people and groups of people concerned can be far-reaching”

His research found significant differences in the ways that dating apps handle location data, even within the Match Group, which includes Tinder. Some of the apps in that group, such as Plenty Of Fish (POF) and Meetic, use less precise location data such as a user’s city or neighbourhood, according to Dhondt.

“This significantly reduces the risk of leaking exact locations,” he explained. “Tinder therefore consciously makes a different choice.”

Tinder knows where you are, and can share this data

According to Tinder’s privacy policy, it can collect exact geolocation (latitude and longitude) data with users’ consent (one of the many elements contained in the T&Cs)  – including when they are not using the app.

Tinder also reserves the right to share data from and about users with other Match Group companies, suppliers and advertising partners.

FTM has previously reported on how the sensitive data of military personnel, politicians, police officers and security service employees are for sale in the digital advertising market.

‘Love, sex, friendship or money’

While Tinder’s identified security shortcomings are systematic, militaries have to deal with individual lapses in judgment when it comes to sharing too much information on dating apps.

In the Tinder profiles analysed by FTM, many were instantly identifiable as soldiers: their bios stated that they worked in the military, and even included their specific divisions and roles (such as mechanic and radar specialist).

Often, photos showed them wearing army uniforms. US soldiers tend to have their surname printed on military fatigues. Other uniforms (from various nations) feature emblems indicating the military unit. Many of the photos FTM saw also featured weapons, tanks, and fighter jets.

By combining the Tinder profile information of soldiers with their location data, FTM was able to easily find out more about them from other online sources.

For example, their accounts on LinkedIn, Facebook or Instagram. These platforms can provide surnames and dates of birth, which help to track down and verify home addresses. They also offer the names of friends and family, employment histories, interests, hobbies and favourite places to go out. With just a few searches, an entire life can be pieced together.

The Dutch expert Koot said this kind of information is exactly what countries such as Russia, China and Iran use to reach out to and influence people who have access to sensitive data.

“Of course they don’t immediately ask ‘give me the launch codes’ – it is a grooming process that can be preceded by a long preparation, in order to  extract specific details from the target. Even seemingly unimportant details can in fact be of great value,” Koot said.

“The information that can be obtained via Tinder and from public sources makes it easier to start a conversation, gain trust and build a bond, and ultimately try to extract sensitive information under the promise of love, sex, friendship or money,” he added.

And the dangers presented by dating apps extend beyond targets in the military, according to Koot, who said he thought it was unlikely that Tinder had fully considered these possible consequences of its security settings.

From police to diplomats to civil servants

Not only military personnel are at risk of this flaw in Tinder’s settings. FTM also identified and tracked dozens of other people (mainly Dutch) on Tinder working in law enforcement or diplomacy.

In the Netherlands, a police security analyst, an employee of the interior ministry and an IT specialist at the defence ministry all shared their job titles in their Tinder bios. FTM was able to ascertain their home addresses and dates of birth through public sources. In another case, FTM managed to find the home address of a police chief who had suggested in a photo on social media that he was part of the Netherlands’ Special Intervention Service.

FTM was even able to track a London-based Canadian diplomat on two recent visits to Ukraine.

Underestimating the risks?

Despite the threat posed by Tinder and other applications that share location data, it appears that major countries’ defence ministries are lagging when it comes to taking concrete action.

In January 2018, military analysts observed that soldiers using the fitness app Strava to track their runs were giving away the locations of secret army bases and spy outposts.

Later that year, a joint investigation by Bellingcat and Dutch publication De Correspondent found that another fitness app, Polar, was revealing exercise by military and intelligence personnel in secretive locations including Guantanamo Bay and Baghdad’s Green Zone.

In response to these revelations, the Netherlands’ then-defence minister said army personnel would be banned from using fitness apps – but only on their work phones.

Several Russian and Chinese apps have also been blacklisted by the Dutch ministry of defence in recent years, meaning that the Netherlands’ troops can only use them on their personal devices, according to internal documentsseen by FTM.

However, dating apps such as Tinder are not on the blacklist, meaning that Dutch soldiers are permitted to use them on their work phones.

A spokesperson for the Dutch ministry of defence said military personnel are not allowed to use personal phones while on mission or at classified locations. The spokesperson did not respond to a question about if these rules are actively enforced.

One of the Dutch military personnel who FTM followed via its fake account Naomi agreed to a telephone interview.

“If you guys [FTM] can find out about that so easily, then yes, that is worrying” – a soldier who uses Tinder

Dennis, who works at the Volkel Air Base in the Netherlands, said that troops are informed about the risks of social media and online privacy in their training, but called it “limited”.

“There are apps banned on work phones, such as Strava, but private use is still possible,” he said. “Even on bases, this is not very difficult.”

When asked if he was worried that FTM could track him through Tinder, Dennis said he had nothing to hide. However, he did acknowledge the risks to colleagues in sensitive locations.

“If you guys [FTM] can find out about that so easily, then yes, that is worrying,” he said.

Meanwhile, the US Department of Defense has no mandatory regulations on the use of dating apps but provided advice about “do’s and don’ts” as part of an online privacy and security guide it published in 2021 and re-issued in December 2023.

The guide recommends avoiding using names and photos that appear on other social media apps, and not sharing information about work. When using dating apps, US troops are encouraged to get a paid account to have more control over their privacy, to check and adjust location settings, and to critically read the terms and conditions and privacy policies.

The German ministry of defence’s guidelines on social media are also quite relaxed. A spokesperson from Germany’s Bundeswehr told FTM in response to emailed questions that the country’s military personnel are free to use social media and dating apps such as Tinder.

Military personnel are allowed to share their name, rank and job title on their social media accounts. They are warned about the fact that other people can see what they post online, and are expected to behave as representatives of the armed forces (sexualised content is banned). What German troops are allowed to share on social media – certain photos, for example – depends on the specific policy at a given base, according to the guidelines.

Ultimately, given Tinder’s popularity in several Western countries, it is not a problem that is contained to or that can be solved by any single nation, according to Koot.

“This [situation] offers serious opportunities for foreign intelligence services,” he said. “The only limit on how far malicious people can abuse this is their own imagination.”

The guide recommends avoiding using names and photos that appear on other social media apps, and not sharing information about work. When using dating apps, US troops are encouraged to get a paid account to have more control over their privacy, to check and adjust location settings, and to critically read the terms and conditions and privacy policies.

“The only limit on how far malicious people can abuse this is their own imagination”

The German ministry of defence’s guidelines on social media are also quite relaxed. A spokesperson from Germany’s Bundeswehr told FTM in response to emailed questions that the country’s military personnel are free to use social media and dating apps such as Tinder.

Military personnel are allowed to share their name, rank and job title on their social media accounts. They are warned about the fact that other people can see what they post online, and are expected to behave as representatives of the armed forces (sexualised content is banned). What German troops are allowed to share on social media – certain photos, for example – depends on the specific policy at a given base, according to the guidelines.

Ultimately, given Tinder’s popularity in several Western countries, it is not a problem that is contained to or that can be solved by any single nation, according to Koot.

“This [situation] offers serious opportunities for foreign intelligence services,” he said. “The only limit on how far malicious people can abuse this is their own imagination.”

Methodology

FTM created three free accounts on Tinder under the names Jacky, Naomi and Daisy. Using a computer programme, FTM was able to provide Tinder with false locations and virtually move the fake profiles around several military bases in different countries. By doing so, FTM was able to scroll through the dating profiles of individuals within a certain radius (for example, 5 kilometres), and see how far those users were from the three fake accounts.

Through trilateration, a technique in which FTM digitally changed the position of its accounts to different points to measure the distance to a given individual on Tinder, it was possible to eventually hone in on where those users were actually located.

By using keywords, inspecting profile photos, and repeatedly checking the location data indirectly provided by Tinder, FTM was able to easily identify the profiles of hundreds of military personnel. The investigation also mapped travel movements by monitoring profiles for longer periods of time, although this was not done for any longer than was necessary for the reporting.

Tinder replies:

‘At Tinder, the privacy and safety of our members are of paramount importance. We have implemented robust measures to help ensure that no user can be distinctly tracked through the app. Here’s an overview of the steps we take and our ongoing commitment to member safety: Tinder has developed a sophisticated system to protect our members’ privacy while allowing them to filter profiles based on the approximate distance of potential matches. Rather than using precise locations, we employ privacy and security centric grid snapping methods. [..]

We value the input of the global security research community in identifying and addressing potential vulnerabilities. Through our Bug Bounty Program, we incentivize responsible disclosure of security issues, ensuring that vulnerabilities are addressed promptly and effectively. [..]

That said, we have settings and systems to provide users additional control regarding how they use the Tinder app and how they show up to others in the app.  Our Safety Center and privacy settings are designed to empower users to make informed decisions while maintaining control over their experience. ’

  • Editors: Karin Spaink, Kieran Guilbert
  • Graphics: Leon de Korte, Thomas Kuijpers
  • Audio: Hannah Veldhoen, Frederique de Jong, Emma du Chatinier, Alexander Fanta
  • Socials: Maya Luz Hartog