Every Time Strava Exposed Military Positions

Strava released its Global Heatmap, a visualization of every activity ever uploaded by its users. In major cities it looked like a cool data art project. In Afghanistan, Syria, and Somalia it was a classified intelligence disaster. Soldiers running laps around secret forward operating bases had outlined them on the map. Bases that didn’t officially exist were visible to anyone with a browser.

The heatmap was just the start. Researchers cross-referenced Strava usernames, running routes, and public profiles at the exposed base locations to identify individual soldiers at classified facilities. Some profiles had real names, photos, duty stations, and home addresses. You could go from a dot on the heatmap to a service member’s Facebook page in a few clicks.

Researchers from Bellingcat and De Correspondent showed that Polar Flow, a competing fitness app, was actually worse than Strava. Its API let anyone pull the complete exercise history of any user, including locations. They identified military and intelligence personnel exercising near the NSA, MI6, the French DGSE, Guantánamo Bay, and nuclear weapons storage facilities. You could track individual agents from their workplace to their homes.

French soldiers deployed in the Sahel region of Africa uploaded patrol routes to Strava. The GPS traces showed exact paths, timing, frequency, and rest points of military patrols in active conflict zones. Anyone watching these routes could predict patrol schedules and pick ambush points.

Before and during Russia’s invasion of Ukraine, Strava data gave away Russian military positions. Soldiers’ running and cycling routes near military installations showed troop concentrations, staging areas, and base layouts. OSINT analysts tracked unit movements and verified intelligence reports about the Russian buildup before the invasion was officially acknowledged.

Secret Service agents had been uploading runs to Strava with public profiles. Their routes near the White House and at travel locations revealed protective detail patterns, advance team movements, and security staging areas. All of it was visible to anyone.

Stanislav Rzhitsky, a Russian submarine commander who had ordered cruise missile strikes on Ukraine, was shot and killed while jogging in Krasnodar, Russia. He ran the same route at the same time regularly, and his Strava profile was public. His jogging patterns, pace, schedule, and exact GPS route were right there for anyone to see. He was killed on his habitual morning run.

A sailor aboard the French aircraft carrier Charles de Gaulle posted a jog on Strava while the ship was at sea. The carrier’s exact GPS coordinates showed up on the public activity map. A nuclear-powered aircraft carrier had its position broadcast to the world because someone wanted to log their 5K.