A Dutch journalist proved that a consumer-grade Bluetooth tracker costing a few dollars — concealed inside a postcard — was enough to follow a NATO frigate across the Mediterranean for a full day. The ship was HNLMS Evertsen, a €540 million Dutch air-defence frigate operating as part of the NATO carrier strike group led by the French carrier Charles de Gaulle. The address to mail it to was published on the Dutch Ministry of Defense’s own website.
How it happened
The Dutch Ministry of Defense had posted instructions online to help family members send post to sailors deployed at sea — a routine welfare measure that did not account for how that same information could be used by someone with different intentions. Journalist Just Vervaart, working for regional broadcaster Omroep Gelderland, followed those instructions exactly, concealing a generic Bluetooth tracker inside a postcard and mailing it to the ship.
Because postcards — unlike packages — were not x-rayed before being brought aboard, the device made it onto the vessel undetected. Vervaart was then able to watch HNLMS Evertsen sail from Heraklion in Crete and track its movement toward Cyprus in near real-time. The tracker was only found some 24 hours after the ship’s arrival, when mail was being sorted by crew.
The wider risk
The security implications extended beyond the Evertsen itself. Knowing that a Dutch frigate was operating in a specific area of the Mediterranean was enough to infer the approximate position of the entire carrier strike group it was part of — a formation that includes the Charles de Gaulle and associated escort vessels. The tracker never needed to be placed by someone with physical access to the ship; it was delivered by the postal system.
In response to the incident, Dutch authorities updated their policy: electronic greeting cards are now banned from being mailed to naval vessels, and the mail screening process has been reviewed. The original instructions have been amended.
A pattern of digital opsec failures
The postcard incident is the latest in a series of consumer technology breaches that have inadvertently compromised military operational security across NATO fleets. Each involved off-the- shelf technology being used in ways that were never considered a threat.
An unauthorised Starlink terminal nicknamed 'STINKY' was installed by sailors on the O-5 weatherdeck. It went undetected for six months before officers discovered it.
A French officer posted their running route on Strava, inadvertently revealing the carrier's location in the Mediterranean. Open-source intelligence analysts were able to identify the officer and their role aboard the ship.
A journalist mailed a postcard with a hidden Bluetooth tracker using address instructions published by the Dutch Ministry of Defense. The device tracked the frigate for 24 hours across the Mediterranean before being found during mail sorting.
The broader lesson is one militaries have struggled to absorb: consumer technology is not designed with operational security in mind, and the line between a family welfare measure and an intelligence vulnerability can be thinner than anyone anticipated.