A Dutch journalist mailed a postcard to a warship. Inside it was a €5 Bluetooth tracker. For the next 24 hours, that tracker quietly broadcast the location of HNLMS Evertsen — a $585 million Dutch air-defense frigate operating as part of a NATO carrier strike group in the Mediterranean — to anyone paying attention. No hacking. No espionage tradecraft. Just a postcard, a cheap consumer gadget, and a government website that told him exactly where to send the mail.
How the Experiment Worked
Dutch journalist Just Vervaart, working for regional media network Omroep Gelderland, followed the directions posted on the Dutch government’s own website and mailed a postcard with a hidden Bluetooth tracker concealed inside. He didn’t need access to a port, a contact on board, or any technical sophistication beyond knowing how to slip a small device into an envelope.
The broadcaster was able to track HNLMS Evertsen — a Dutch air-defense frigate deployed to help protect France’s aircraft carrier Charles de Gaulle against missile threats — by mailing the tracker concealed in a postcard to the ship. Once the postcard was sorted and brought aboard, the tracker did exactly what these devices are designed to do.
Once the postcard reached the ship, the tracker began transmitting location data via nearby Bluetooth-enabled devices, allowing the journalist to monitor the vessel’s movements in near real time for an entire day. Bluetooth trackers work by pinging the crowdsourced networks of phones and tablets belonging to ordinary people nearby. Every sailor’s personal phone, every device in a nearby port — all of them become unwitting relays for the tracker’s signal. The ship essentially ratted out its own position.
Why This Is a Bigger Problem Than It Sounds
The obvious rebuttal is: the tracker was found within 24 hours. Navy officials confirmed it was discovered during mail sorting after the ship arrived at port and was subsequently disabled. Case closed, right?
Not quite. The fact that it was mailed in meant that spies don’t even need to go near the ship to place a tracker on it. That’s the part worth sitting with. Physical proximity — traditionally a hard constraint on surveillance and sabotage — has been removed from the equation entirely. A hostile intelligence service, a non-state actor, or even a curious journalist operating from a desk in Arnhem can now initiate tracking of a NATO military asset. The attack surface isn’t the ship’s hull. It’s the postal system.
There’s also the question of what 24 hours of real-time positional data means in a military context. HNLMS Evertsen wasn’t on a pleasure cruise — it was part of an active NATO carrier strike group centered on the Charles de Gaulle, tasked with air defense duties in a region where France’s carrier operates. Knowing where a strike group’s air-defense escort is located, when it moves, and at what speed is precisely the kind of intelligence that adversaries invest significant resources to obtain. Here, a €5 device delivered it for free.
The Crowdsourced Tracking Problem
Consumer Bluetooth trackers — Apple AirTags, Tile, and their generic equivalents — operate by exploiting existing networks of Bluetooth-enabled devices. When a tracker is near any phone running the relevant software (which, in the case of AirTags, means nearly any iPhone), that phone silently and anonymously relays the tracker’s location to a cloud server. The owner of the tracker can then see its location on a map.
This is a genuinely useful feature when you’ve lost your luggage or your keys. It becomes a surveillance vector when the “lost item” is a frigate in a NATO fleet. The sheer density of personal devices — among the crew, in nearby ports, on vessels transiting the same waters — means the tracker has ample opportunity to phone home. You don’t need to be physically proximate to interrogate it. The crowd does that for you.
This also isn’t the first time military operational security has been compromised by consumer fitness and location technology. In 2018, fitness tracking app Strava’s global heatmap inadvertently revealed the locations and patrol routes of military personnel at classified bases worldwide, simply by mapping where soldiers were running. The lesson was clear then: consumer tech doesn’t distinguish between civilians and soldiers. The Evertsen incident is a variation on the same theme, except cheaper and more deliberate.
What Should Actually Change
Mail screening on military vessels needs to be treated as a physical security perimeter, not an administrative task. This means systematic electronic scanning of incoming mail — similar to what’s already standard at many high-security facilities on land. A handheld RF scanner or a dedicated Bluetooth detection sweep of incoming parcels and correspondence is not a high-tech ask. The tools exist. The process apparently didn’t.
There’s also a broader policy question about whether crew members’ personal devices — which form part of the crowdsourced relay network these trackers depend on — should be subject to stricter controls when ships are in transit or in theater. That’s a harder problem involving personnel morale and practical utility, but it’s not one militaries can continue to ignore.
The Dutch Navy’s response to the incident has been notably muted in public statements, which is understandable but doesn’t inspire confidence that systemic changes are coming. The tracker was found. The postcard was flagged. The ship moved on. But the vulnerability that allowed a journalist to track a NATO warship for a day with a €5 gadget bought on the internet is still sitting there, open, waiting for someone with less benign intentions to use it.
Conclusion
The HNLMS Evertsen postcard incident isn’t really a story about Bluetooth trackers. It’s a story about the asymmetry between the cost of an attack surface and the cost of exploiting it. Militaries spend hundreds of millions building ships equipped with sophisticated sensor arrays, radar systems, and missile defenses. They invest billions in signals intelligence infrastructure. And then a regional TV journalist, following directions off a government website, mails a postcard and achieves 24 hours of near-real-time tracking for less than the price of a coffee.
The gap between offensive capability and defensive awareness doesn’t always favor the defender. Sometimes the most dangerous threat isn’t a sophisticated cyberweapon or a state-sponsored intrusion. Sometimes it’s a small chip in an envelope, riding the postal system to your deck.
