Intelligence sourcing
How we source and translate
Most cyber threat intelligence reaches English-speaking analysts only if a Western vendor published it. FancyIntel goes further — aggregating intelligence from 75+ sources across every major geopolitical bloc and making it searchable in English.
The bloc system
Every source in FancyIntel is assigned a geopolitical bloc — not as a political label, but as a sourcing perspective. The same threat actor can look very different depending on which bloc is writing about it. Tracking those differences is the point.
English, German, French, Japanese, Korean
US, UK, EU, Australian, Japanese, and South Korean vendors, government CERTs, and security journalism. This is the most densely indexed bloc in most CTI platforms; FancyIntel treats it as one perspective among many, not the default.
Russian
Russian-language security firms, government advisories (BI.ZONE, F.A.C.C.T., NKCKI), and analyst publications. These sources frequently attribute attacks to US, UK, and Ukrainian actors that Western reports leave unnamed.
Chinese (Simplified)
State-linked vendors (Antiy, QiAnXin, 360 Intelligence, NSFOCUS) and government CNCERT advisories. Chinese-language sources publish independently discovered actor profiles whose naming conventions often diverge entirely from Western aliases.
Korean, Japanese, and English
Regional CERTs and vendors in South Korea, Japan, India, and Southeast Asia — organisations like KISA and JPCERT/CC — whose intelligence rarely surfaces in English-language aggregators.
English, Hebrew, Arabic
Security firms and government advisories from Israel, the Gulf states, and Turkey. Covers regional threat actors and attribution perspectives that diverge markedly from Western or Chinese assessments.
English
Multi-region sources including academic research, international coordinating bodies (FIRST, ENISA), and independent analysts whose output spans multiple geopolitical perspectives.
Translation pipeline
Sources are ingested in their original language. Before a report reaches FancyIntel, it passes through the following steps:
- 01. Ingest in original language: Raw text is collected in Russian, Chinese, Korean, Japanese, Arabic, or whichever language the source publishes in. No pre-filtering by language.
- 02. Translate with technical term preservation: Machine translation handles the prose. CVE identifiers, MITRE ATT&CK IDs, IP addresses, domain names, and file hashes are treated as invariants and never translated.
- 03. Alias resolution: Actor names are the hardest part. A Chinese source may call APT28 "APT28", "Fancy Bear", or something with no Latin equivalent. Each name variant is stored as an alias and mapped to a canonical actor record — which is why the Actors page shows every known name a source has used.
- 04. Attribution claim extraction: Confidence language ("we assess with high confidence", "suspected", "likely attributed to") is extracted and scored. This powers the attribution signal on each actor page.
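The term-preservation step above, shown as an added worked example rather than FancyIntel's own code: invariants are swapped for opaque placeholder tokens before the prose goes to the translator and restored afterwards, with a check that the translator did not drop any. The translator, glossary and sample sentence are constructed stand-ins; the CVE, IP, domain and hash values are placeholders, not real indicators.

```python
import re

# Invariants that must survive translation untouched. More specific patterns run
# first so, e.g., a hash is never partially claimed by the domain rule.
INVARIANT_PATTERNS = [
    ("cve", re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)),
    ("attack", re.compile(r"\bT\d{4}(?:\.\d{3})?\b")),  # ATT&CK technique / sub-technique
    ("hash", re.compile(r"\b(?:[0-9a-f]{64}|[0-9a-f]{40}|[0-9a-f]{32})\b", re.IGNORECASE)),
    ("ipv4", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("domain", re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)),
]


def mask_invariants(text):
    """Replace every invariant with an opaque <INVn> token; return (masked, table)."""
    table = {}

    def keep(match):
        key = f"<INV{len(table)}>"
        table[key] = match.group(0)
        return key

    for _, pattern in INVARIANT_PATTERNS:
        text = pattern.sub(keep, text)
    return text, table


def unmask_invariants(translated, table):
    """Put the originals back; fail loudly if the MT engine ate a placeholder."""
    missing = [key for key in table if key not in translated]
    if missing:
        raise ValueError(f"translator dropped placeholders: {missing}")
    for key, original in table.items():
        translated = translated.replace(key, original)
    return translated


def translate_report(text, translate):
    """Pipeline step 02: mask -> translate prose only -> restore invariants."""
    masked, table = mask_invariants(text)
    return unmask_invariants(translate(masked), table)


# Constructed stand-in for a real MT engine: a word glossary covering the sample only.
GLOSSARY = {"группа": "The group", "эксплуатировала": "exploited", "и": "and",
            "технику": "technique", "сервер": "server", "домен": "domain", "хэш": "hash"}


def toy_translate(text):
    return re.sub(r"[А-Яа-яЁё]+", lambda m: GLOSSARY.get(m.group(0).lower(), m.group(0)), text)


# Constructed sample (fictional Russian-language report excerpt with placeholder IoCs).
SAMPLE = ("Группа эксплуатировала CVE-2099-12345 и технику T1059.001, сервер 203.0.113.7 "
          "и домен update.example.com, хэш d41d8cd98f00b204e9800998ecf8427e.")

if __name__ == "__main__":
    print(translate_report(SAMPLE, toy_translate))
```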
Why silence is a signal
When sources from a given bloc consistently avoid attributing a known actor — despite that actor appearing extensively in other blocs' reporting — that absence is itself intelligence. FancyIntel surfaces this as a coverage omission badge on actor pages.
Coverage omission — Eastern
Russian and Chinese sources have little or no reporting on this actor, despite extensive Western attribution. This may indicate the actor is state-linked to a country where domestic sources avoid attribution — or simply that regional coverage hasn't caught up.
Coverage omission — Western
Western vendors have little or no attribution for this actor, despite reporting from Russian, Chinese, or Asia-Pacific sources. This pattern often appears for actors targeting infrastructure or organisations outside the traditional Western CTI focus.
Neither omission is a verdict. It is a prompt: ask why a sophisticated, well-resourced security ecosystem chose not to publish, or chose not to attribute.