The Netherlands’ largest newspaper, De Telegraaf, recently published an interview with a woman claiming to organise her own evacuation flights from Dubai, selling seats at €1,600 (US$ 1850) each. Four days later, her photo was removed from the article, though the interview remained.

Bellingcat has found that the original image not only includes artefacts commonly associated with generative AI, but that the flights referenced in the article do not appear to exist.

The story came at a time when thousands of Dutch people were reportedly seeking urgent ways to leave the region following Iranian missile and drone strikes across the Gulf in retaliation for US-Israeli strikes.

Published on De Telegraaf’s website on March 5, the headline reads: “Dutch people in the Middle East feel abandoned by the government: We just rented a plane ourselves.”

The Dutch minister of foreign affairs was confronted with this headline during a television interview, in which he described ongoing efforts by the Dutch government to repatriate citizens to the Netherlands.

The article features interviews with several Dutch people struggling to leave Dubai and Abu Dhabi, including Tamara Harema. Under the subheading “Dutch people hire their own plane”, Harema says she was “rebooked five times by Emirates” and that the official repatriation flights organised by the Dutch government were not ‘taking off’.

As part of a group, she says, they are organising buses and have hired an Airbus A321 to fly home. Harema is quoted as saying: “The first plane is already full, so we’re organising a second flight. Stranded travellers can contact us.”

However, several discrepancies in Harema’s photo, published in the original article, suggest it was AI-generated. No trace of a person matching Harema’s face or profile could be found, and flight-tracking data suggests no such plane took off.

The Photo

In the image below, the world’s tallest structure, Burj Khalifa, can be seen through the window overlooking the Dubai skyline. Each side of the tower is unique, with platforms that protrude at different heights and in different directions. It also contains several mechanical floors, which appear as dark bands in the photo.

By cross-checking the height of the visible platforms together with the location of the mechanical floors, it’s possible to determine that Harema’s hotel room faces north-west, towards the Burj Khalifa’s south-east-facing facade.

Several discrepancies are visible when comparing Harema’s photo with other images of the building, including an upper mechanical floor appearing higher than in other images and the absence of the water feature at the base of the building.

To establish whether Harema’s photo could have been taken several years earlier, Google Street View imagery was analysed from 2013 onwards. No match could be found when comparing the arrangement of buildings at the base of the Burj Khalifa.

Several other irregularities, as shown below, including the hotel room furniture and details of Harema’s clothing and jewellery, also suggest it may have been AI-generated.

Fully Booked Airbus A321

Regarding whether the plane existed, Harema says in her interview that buses have already been arranged to collect passengers from two locations in Dubai on Saturday, March 7, after which a 232-seater Airbus A321 will depart from Muscat, Oman, for the Netherlands.

The article notes the cost is €1,600 (US$ 1850) per person, without detours. “Although we read that a Dutch repatriation flight costs €600, just try getting on such a flight,” says Harema.

According to Flightradar24, multiple A321s departed Muscat on March 7 and 8, but none bound for the Netherlands. The only aircraft that did arrive in Amsterdam from Muscat were either government-organised repatriation flights or scheduled Oman Air services, none of which were Airbus A321s.

Two Airbus A321s were recorded on the ground at Muscat Airport on March 7. One, belonging to Gulf Air, later departed for Rome via Riyadh March 8. The other, operated by SalamAir, had been flying routes between Oman and Bangladesh until March 3, but has since remained in Muscat.

After contacting De Telegraaf, an explanation for the photo’s removal was added at the bottom of the article, stating that the photo did “likely not meet our journalistic guidelines.”

The newspaper’s deputy editor-in-chief, Joost de Haas, added:

“Regarding the quoted Tamara Harema, the editors contacted her after Mr. Chizki Loonstein—a long-standing source for one of our reporters—informed us about attempts to charter a plane. Mr Loonstein informed us that Ms Harema stayed in Dubai and could tell us more about it. This led to messages from which several quotes from Harema were extracted, as reproduced in the relevant passage of the article.”

A search for Loonstein led to a six-month-old report from another Dutch newspaper, NRC, which claimed that Loonstein, a lawyer, emigrated to Dubai after his legal company went bankrupt, leaving his clients, victims of fraud, worse off.

Contacted for comment, Loonstein confirmed that he knew Harema and had shared her contact details in “an app group” in relation to a flight from Muscat to Amsterdam. After this contact, Bellingcat sent him the photo of Harema to confirm her identity and asked him to share Harema’s contact details. In response, Loonstein refused to provide further comment. 

---

Merel Zoet and Claire Press contributed to this report.

Bellingcat is a non-profit and the ability to carry out our work is dependent on the kind support of individual donors. If you would like to support our work, you can do so here. You can also subscribe to our Patreon channel here. Subscribe to our Newsletter and follow us on Bluesky here, Instagram here, Reddit here and YouTube here.

The medical device manufacturer Stryker confirmed reports Wednesday that a cyberattack has disrupted operations. 

The Michigan-based company released a statement saying it is “experiencing a global network disruption” to its Microsoft environment as a result of a cyberattack. 

“We have no indication of ransomware or malware and believe the incident is contained. Our teams are working rapidly to understand the impact of the attack on our systems,” the company said in a social media message. “Stryker has business continuity measures in place to continue to support our customers and partners.”

On Wednesday, the company’s phone systems were responding to calls with an automated message claiming they are dealing with a “building emergency.”

The company’s statement comes after dozens of Stryker employees took to social media to complain that their corporate computers and phones had been completely wiped. 

On Facebook, Reddit and X, employees said none of their company devices were working. Several said the incident began early on Wednesday morning, with multiple company servers wiped clean and almost all work apps taken down. 

Several employees told Recorded Future News that they could no longer access corporate email systems and were completely cut off from several other work platforms. Two employees said when they tried to log in they saw the logo of the Handala hacking group.  

A group going by that name purportedly released a statement online taking credit for the attack on Stryker, claiming they targeted the company because of a recent U.S. missile strike on a girl’s school in Iran and the ongoing military conflict between the U.S., Israel and Iran.

Handala allegedly put their logo on every login page and sent emails to executives taking credit for the incident. 

The group, which cybersecurity experts previously tied to other Iran-based threat actors, claimed it wiped more than 200,000 “systems, servers and mobile devices” while also stealing 50 terabytes of company data. 

Since 2023, Handala has repeatedly targeted companies and government systems in Israel. Cybersecurity experts previously described Handala as a sophisticated group, noting that one of its most common tactics was the deployment of wiper malware designed to destroy all of the files on a device. 

Handala took credit for a phishing campaign last year involving the impersonation of the cybersecurity firm CrowdStrike and attempts to install wiper malware on Israeli networks. In a statement at the time, the hackers claimed to have launched other attacks, including targeting Israeli Iron Dome radars.

Last year, the group targeted the Israeli Ministry of National Security and sent fake missile alerts to Israeli schools and kindergartens through smartphones via SMS before wiping the system after sending the alerts.

Stryker is one of the biggest medical device manufacturers in the world, reporting more than $25 billion in earnings last year. It purchased Israeli medical tech company OrthoSpace in 2019. Stryker also has signed large contracts with the U.S. Department of Defense and other U.S. agencies. 

Stryker did not respond to requests for comment about Handala’s role in the attack. 

Several employees said the company has been brought to a standstill as a result of the attack. The incident first emerged in Ireland when news outlets reported that employees at large factories in the country were cut off from corporate access or sent home because they could not work. 

Some employees who had linked their personal phones to corporate systems also reported losing access to much of their data. 

Learn more.