Borussia Dortmund Coach Bombing

Cyber Threat Intelligence gets to the truth behind the bombing

Information Security award entry for the “[4721]” category


On 11 April this year, the tour bus of German football team Borussia Dortmund was attacked with roadside bombs in Dortmund, Germany. Three bombs exploded as the bus ferried the team to the Westfalenstadion for the first leg of their quarter-final against Monaco in the UEFA Champions League.

The initial line of inquiry assumed that it was an Islamist terrorist attack, due to letters found at the scene, which claimed the attack was an act of retaliation for Muslims killed in the German military intervention against Islamic State; it threatened further attacks, unless Germany withdrew and the US military base in Ramstein was shut down.


Significant concerns were raised by another major club playing in Europe two days later. The club’s security manager, working alongside his retained security provider responsible for the physical security and travel risk management of the team, wanted to know if the club was a potential target and whether threats to their travelling players and coaching staff had increased.

Due to the heightened state of security across Europe and the initial confusion surrounding the event, the security manager was keen to understand if terrorism was playing a part in the attack against the Dortmund team or if other factors were responsible.


Working with the club’s retained security team, the Cyjax Threat Intelligence Platform, backed by its incident response analysts, was tasked with producing live intelligence reports targeted at the Dortmund incident and its relevance to the client.

As a first step, Cyjax immediately deployed its resources towards the incident, providing up-to-the-second coverage of information propagation surrounding the event from a wide array of sources; this enabled a holistic view across all the standard internet mediums and allowed the support teams to quickly explore any potential intelligence leads as they were emerging.

Making use of the real-time cross-referencing capabilities of the technology and its vast coverage capacity, the support teams were also able to fuse together both the physical and cyber security aspects of the incident, linking known terrorist channels with organised crime, petty crime, and social and political activism.

“Attribution is a critical part of the intelligence cycle,” states Cyjax. “With the knowledge and understanding which we gained from our research through the use of the tools available to us on the Cyjax platform, we were very quickly able to ascertain that the Dortmund bus bombing was not an IS-related terrorist attack, as was being widely reported, but was, in fact, an action perpetrated by an individual operating a financial scam.”


We were then able to advise the retained security teams and, in turn, the client club on their responsive strategy to this particular event, and reported ahead of the news agencies and local authorities. The resulting intelligence and its application to the physical security requirements led to the client continuing with their travel plans safe and unhindered.

The efficient and highly credible use of Cyber Threat Intelligence and human intellect overlaid in this way demonstrated just how the application of technology can really influence incidents outside of the conventional sphere of cybersecurity.