Camp locations
24
Attacks logged
110
Government emails
460
Introduction
There is a cruel irony at the center of this story. The same Colombian government that promised to protect former FARC guerrillas who surrendered their weapons and entered reintegration camps was also — unknowingly, catastrophically — publishing the precise location of those camps on an open server accessible to anyone with a web browser.
And alongside those camp coordinates: a second dataset. A growing list of dead.
In October 2025, the United States Treasury Department sanctioned Colombian President Gustavo Petro under OFAC narcotics designations — an extraordinary action against a sitting head of state. Trump called Petro "an illegal drug dealer." The USS Gerald Ford carrier strike group deployed to the waters off Colombia's coast. Diplomatic relations between the two countries spiraled into crisis.
But while diplomats exchanged threats and warships repositioned, ODINT was looking at something else entirely. During routine subdomain enumeration of Colombian government infrastructure, we discovered that the Presidential Office of Colombia was operating an ArcGIS portal — unauthenticated, publicly accessible — containing military intelligence maps, armed group territorial overlays, and a dataset that stopped us cold: 110 documented attacks on peace process signatories in the first six months of 2025 alone, including 29 homicides.
The presidency that Washington accused of narcotics ties was simultaneously leaking its own military intelligence — and the locations of the people its peace process was supposed to protect — to anyone with a web browser.
The Open Portal
What We Found at ergit.presidencia.gov.co
ODINT's Colombian infrastructure audit began with standard subdomain enumeration against presidencia.gov.co — the official domain of Colombia's executive office. The kind of reconnaissance any security researcher, journalist, or adversarial intelligence service performs routinely. What it returned was not routine.
The subdomain ergit.presidencia.gov.co resolved to an ArcGIS Enterprise server running version 11.3.0. ArcGIS is Esri's enterprise geographic information platform, used by governments worldwide for spatial data management ranging from urban planning to classified military intelligence. This instance was configured with a public gallery — meaning its contents were visible and downloadable without any authentication whatsoever.
No login. No API key. No access token.
The gallery listed dozens of services. But the folder names immediately signaled the severity of the exposure: CNR_SEP_2025_MIL1. CNR_julio_2025_MIL1. Mapa_AT_MIL1. Mapa_Caso_03_MIL1. These were not public transparency maps. These were Colombian military intelligence products — named with the conventions of operational classification — sitting on a misconfigured civilian server owned by the Presidency.
The Presidential ArcGIS portal — military intelligence folders visible in the public gallery, no login required. ODINT, January 2026.
A query to the server's REST API confirmed that data was not just visible but downloadable. ODINT's extraction tools, run across four sessions spanning approximately six hours, pulled 322 structured files. The total volume accessible through the portal exceeded 26 gigabytes.
Exposed Services
| Service | Description | Size |
|---|---|---|
| CNR_SEP_2025_MIL1 | September 2025 military intelligence map | 156 MB |
| CNR_julio_2025_MIL1 | July 2025 military operational map | 45 MB |
| Mapa_AT_MIL1 | Active theater zone map | 8 MB |
| Mapa_Caso_03_MIL1 | Case 03 criminal investigation map | 5 MB |
| Afectaciones_Firmantes_2025 | Attack data on peace signatories | 37.7 MB |
| FirmantesPaz_Presencia | Peace signatory location data | 163 MB |
| ETCR_Camps | 24 reintegration camp GPS coordinates | 0.5 MB |
| DDHH Services | 22 human rights monitoring services | Varies |
Who Are the Firmantes
The 2016 Peace Agreement
The 2016 peace agreement between the Colombian government and the FARC — the Revolutionary Armed Forces of Colombia — was the result of four years of negotiations in Havana. It offered FARC combatants a path out of armed conflict: demobilization, amnesty for non-atrocity crimes, political participation, and an AETCR camp reintegration program. Approximately 13,000 fighters accepted the terms. The Colombian government called them firmantes — signatories.
They gave up their weapons. They gave up their anonymity — registering with the state, receiving cédulas, appearing in government databases. They gave up the armed structures that had protected them for years or decades. In exchange: a camp, a stipend, and a promise of protection.
Then they started dying.
The Threat Landscape
The killings come from multiple directions. FARC dissident factions — principally the EMC led by "Iván Mordisco" and Segunda Marquetalia led by Iván Márquez, who returned to arms after the accord — regard the signatories as traitors. Drug trafficking organizations, particularly the Clan del Golfo (AGC), see them as competitors or liabilities in coca-producing territories. In several Colombian departments, those who demobilized and those who rearmed are competing for the same geography.
The government tracked this violence meticulously. What it failed to do was secure the database.
Peace process signatories (firmantes) who demobilized under the 2016 accord have faced systematic violence since reintegration. Source: [INSERT SOURCE].
The Map of Living Targets
CNR_SEP_2025_MIL1 — September 2025 Military Map
The September 2025 military map contained eight distinct armed group layers, each representing the Colombian military's current assessment of territorial control across the country. The groups mapped included the ELN, the Clan del Golfo (AGC), the EMC FARC dissidents, and Segunda Marquetalia.
Layer 9, titled AETCR, contained what is perhaps the most operationally dangerous data in the entire exposure. AETCR sites — Espacios Territoriales de Capacitación y Reincorporación — are the physical camps where former FARC guerrillas who accepted the peace accord went to demobilize.
Twenty-four of these camps were mapped with precise GPS coordinates:
North: Condores, Tierra Grata
Northeast: Caño Indio, Filipinas
Central-West: Caracolí, Llano Grande, Mutatá
Central: La Planoa, Carrizal, Monterredondo, Hato Bonbón
South-Central: Charras, Las Colinas
Southwest: El Ñoral, La Variante, El Estrecho, Oscar Mondragón, El Doncello 2, Agua Bonita, La Pradera
AETCR reintegration camp locations from the Presidential ArcGIS server (Layer 9). GPS coordinates withheld by ODINT. Source: ergit.presidencia.gov.co, September 2025.
These locations are not secret in a local sense — nearby communities know where the camps are. But their presence on an unauthenticated government server, overlaid with armed group territorial maps, creates a composite intelligence product no hostile actor could easily compile independently. The Colombian military did the analytical work. Then left the result on a public web server.
Armed Groups Mapped
The same military map carried the territorial control assessment for every major armed group in the country:
| Layer | Group | Zones | Territory |
|---|---|---|---|
| 24 | Disidencias EMC | 22 | Southern Colombia |
| 12 | ELN | 11 | Eastern Colombia, Venezuelan border |
| 15 | Clan del Golfo (AGC) | 22 | Northern Colombia, Pacific coast |
| 11 | Segunda Marquetalia | 21 | Venezuelan border region |
| 10 | Disidencias EMBF | 11 | Various regions |
Armed group territorial zones as assessed by Colombian military intelligence, September 2025. ELN, EMC, AGC, and Segunda Marquetalia zones overlaid on the same server as AETCR camp coordinates. Source: ergit.presidencia.gov.co.
In several Colombian departments, AETCR camp locations and EMC dissident territorial zones overlap directly. The military map showed precisely where.
The government mapped where the former guerrillas live. It mapped where they are being killed. It made both datasets freely available to anyone — including the people doing the killing.
The Death Ledger
Afectaciones Firmantes — First Semester 2025
If the AETCR layer was the map of where peace signatories live, Layer 0 was the map of where they are dying. Titled "Afectaciones Firmantes 1er semestre 2025" — Effects on Signatories, First Semester 2025 — the dataset documented every recorded act of violence against former FARC members who demobilized under the 2016 accord, organized by department.
The file was 37.7 megabytes. It contained 33 regional records. The aggregate numbers from the dataset's own field schema:
| Incident Type | Count (Jan–Jun 2025) |
|---|---|
| Homicides of Signatories | 29 |
| Forced Disappearances | 9 |
| Attempted Homicides | 4 |
| Threats Against Signatories | 68 |
| Total Incidents | 110 |
One homicide per week, sustained for six months. Since the 2016 agreement was signed, various monitoring organizations have documented over 400 killings of former FARC members. The Colombian government was tracking this data with precision. The data was geo-referenced by department. The data was correct.
And the data was sitting on an open server alongside the coordinates of the camps where the victims lived.
Afectaciones_Firmantes_2025 — 110 incidents against peace signatories, first semester 2025. Source: ergit.presidencia.gov.co.
The data fields exposed the Colombian government's own formal taxonomy of the violence: HOMICIDIO_FIRMANTE, DESAPARICIÓN_FORZADA, TENTATIVA_DE_HOMICIDIO_FIRMANTE, AMENAZAS_A_FIRMANTES. This was not informal estimation. This was the state's accounting of its failure to protect the people it persuaded to lay down their arms — filed in the same database as their addresses.
CRITICAL OPSEC FAILURE: The same ArcGIS portal that mapped the precise GPS coordinates of 24 FARC reintegration camps also mapped where peace signatories have been attacked and killed — including by the armed groups whose territorial zones are also visible on the same server. This is not two separate exposures. It is a single coherent targeting dataset, freely available on the public internet.
This is the Peace Map Paradox in its starkest form. Colombia's government built a sophisticated geospatial intelligence system to monitor the conflict and protect peace process participants. That system correctly identified the threat environment. And then, through a single configuration error, handed that intelligence simultaneously to every actor in the conflict.
The Broader Infrastructure Exposure
513+ Government Subdomains
The presidential ArcGIS server was not an isolated failure. ODINT's expanded enumeration revealed a systemic pattern across the entire Colombian government digital footprint.
Certificate transparency log enumeration via crt.sh uncovered 513+ subdomains across Colombian government and military infrastructure:
| Domain | Subdomains | Entity | Security |
|---|---|---|---|
| ejercito.mil.co | 147 | Colombian Army | WAF Protected |
| armada.mil.co | 94 | Colombian Navy | Secured |
| fac.mil.co | 79 | Air Force | Partial |
| cgfm.mil.co | 41 | General Command | DNS Failed |
| policia.gov.co | 60+ | National Police | Partial |
| ia.policia.gov.co | 20+ | Police AI Platform | AWS Exposed |
| ergit.presidencia.gov.co | 1 | Presidency ArcGIS | No Auth — Critical |
The military's own domains — Army, Navy, Air Force — were properly secured behind Web Application Firewalls. The civilian infrastructure was another matter entirely.
513+ Colombian government subdomains enumerated via certificate transparency logs. ODINT infrastructure audit, January–February 2026.
Three More Open ArcGIS Portals
ODINT's February 2026 follow-up scan identified three additional unauthenticated ArcGIS portals across civilian agencies:
IGAC (National Geographic Institute) — mapas.igac.gov.co — contained anti-personnel mine event databases with GPS incident coordinates, illicit crop cultivation maps by year, and land use conflict data.
SGC (Geological Survey) — srvags.sgc.gov.co — 53 folders including seismic hazard and volcanic threat maps.
IDEAM (Environmental Agency) — visualizador.ideam.gov.co — 72 services covering climate, water, and ecosystem data.
The pattern across 16 agencies and 60 additional GIS subdomains suggests not a single configuration error but a policy vacuum: no government standard requiring authentication for geospatial data publication, and no auditing mechanism to catch the gaps.
460 Government Emails
Embedded in ArcGIS feature metadata — editor tracking logs and service configuration records — ODINT extracted 460 email addresses, of which 113 belonged to Colombian government domains (.gov.co).
Usernames identified in the system: angiemontoya, maicolvelasquez, Esri_Anonymous.
Government email domains exposed:
- @presidencia.gov.co
- @mininterior.gov.co
- @cancilleria.gov.co
- @dnp.gov.co
- @policia.gov.co
- Municipal offices across Antioquia, Arauca, and others
In a country where government officials working on peace process implementation have been threatened and killed — where 68 formal threats against signatories were documented in six months — exposed contact information for the civil servants managing this data is not a compliance issue. It is a physical safety issue.
460 email addresses extracted from ArcGIS metadata — 113 Colombian government accounts. Individual details withheld by ODINT. January 2026.
The Police AI Paradox
Colombia's AI Intelligence Platform — On American Servers
One of the investigation's most striking findings involves Colombia's National Police AI platform — and the geopolitical contradiction it represents.
President Gustavo Petro, sanctioned by the US Treasury in October 2025, publicly accused Washington of violating Colombian sovereignty. He ordered his security forces to halt intelligence sharing with American agencies. His rhetoric positioned Colombia as a nation asserting independence from American power.
His National Police, meanwhile, runs its entire AI intelligence infrastructure on Amazon Web Services, US-East-1 region — Northern Virginia, United States.
NADIA — the Colombian National Police conversational AI assistant, running on Amazon Bedrock (AWS us-east-1). Discovered at nadia.ia.policia.gov.co. ODINT, January 2026.
The platform at ia.policia.gov.co is a sophisticated law enforcement intelligence system:
- NADIA — Conversational AI assistant powered by Amazon Bedrock
- ANTICIPACION — Predictive analytics module
- HOUNDOC — Document analysis AI
- AITRANSCRIBE — Audio and video transcription
- EXPERTOPOL — Expert investigation system
- AISEARCHENGINE — AI-powered search
- MAPS.ANALYTICS — Crime mapping and geospatial analysis
- DIJIN PANDORA — Criminal case management (dijinpandora.policia.gov.co)
ODINT's scan revealed the AWS account ID (926162397524), the S3 bucket naming convention (pon-prod-ai-platform-926162397524.s3.amazonaws.com), and session cookies from the forms endpoint. The exposed infrastructure details painted a clear picture.
The stack, from bottom to top:
- Amazon Bedrock — AI/ML foundation, AWS us-east-1, Northern Virginia, USA
- S3 + CloudFront CDN — Storage and delivery, bucket: pon-prod-ai-platform-926162397524
- Next.js Application Layer — NADIA, ANTICIPACION, HOUNDOC, AITRANSCRIBE
- Colombian National Police (DIJIN / Pandora) — End users, criminal intelligence analysis
If Washington chose to act — an AWS terms-of-service notice, an OFAC advisory to Amazon — Colombia's predictive policing and criminal intelligence platform could be suspended overnight. The sanctioned state built its surveillance apparatus on the sanctioner's cloud infrastructure.
The Geopolitical Frame
October 2025 — The OFAC Designation
In October 2025, the US Treasury's OFAC placed President Gustavo Petro, his wife Verónica Alcocer, his son Nicolás Petro, and Interior Minister Armando Benedetti on the SDN list under narcotics trafficking designations.
Treasury Secretary Bessent stated that cocaine production had reached its highest levels in decades under Petro. Trump called Petro "an illegal drug dealer" on Truth Social. The USS Gerald R. Ford carrier strike group deployed to the Caribbean. Petro ordered his security forces to halt intelligence sharing with Washington and dared Secretary Rubio to arrest him:
"If you are going to arrest me, let's see if you can. If you want to put me in the orange pajamas? Try it. But this people does not kneel."
US Treasury OFAC SDN designation of President Petro and family members, October 2025. A diplomatic rupture without modern precedent against a sitting head of state.
Sanctioned individuals:
- Gustavo Petro — President of Colombia
- Verónica del Socorro Alcocer García — Wife
- Nicolás Fernando Petro Burgos — Son
- Armando Alberto Benedetti — Interior Minister, former campaign chief
January 3, 2026 — The Maduro Capture
On January 3, 2026, Nicolás Maduro was taken into American custody. Petro convened a 3am emergency security cabinet meeting, condemned the operation as an attack on regional sovereignty, and deployed Colombian troops to the 2,219km Venezuelan border.
ODINT's January 5 scans — which captured the full dataset from the Presidential ArcGIS server — occurred in this exact window. The Colombian government was simultaneously managing a geopolitical crisis with the United States, a security emergency on its Venezuelan border, and a $4.2 billion budget deficit after Congress struck down Petro's tax reform. And its own military intelligence data remained publicly accessible.
The armed group territorial data on the presidential portal — Clan del Golfo cocaine trafficking zones, coca cultivation datasets from 2017 through 2023, FARC dissident operational areas — represented exactly the kind of intelligence Washington claimed the Petro administration was failing to act on. It was sitting on Petro's own open server.
The country sanctioned by the US for alleged drug ties was leaking its own maps showing cartel territories to the open internet. Washington's accusations. Bogotá's evidence. Same server.
Coca cultivation zones from the Presidential ArcGIS server — datasets spanning 2017 to 2023, including the PNIS voluntary substitution program areas. Source: ergit.presidencia.gov.co.
Key Findings
Raw Data & Downloads
All collected data is archived on ODINT's data server. The following datasets are available for researchers, journalists, and OSINT practitioners. GPS coordinates for AETCR reintegration camp locations have been withheld pending responsible disclosure review.
OSINT Disclaimer
This report is based entirely on open-source intelligence (OSINT). No classified information was accessed. No confidential sources were used. No systems were breached, exploited, or penetrated. All data referenced in this investigation was publicly available at the time of collection through misconfigured services, unauthenticated portals, and publicly accessible endpoints.
ODINT does not conduct offensive cyber operations. Infrastructure was enumerated using standard reconnaissance techniques — subdomain discovery, certificate transparency analysis, directory enumeration, and public API queries. No authentication mechanisms were bypassed. No credentials were brute-forced. No vulnerabilities were exploited.
GPS coordinates for AETCR reintegration camp locations have been withheld from this publication due to the direct physical safety risk to peace process participants.
Compiled 2026 — Classification: OSINT — Open Source Observatory for Digital Infrastructure and Network Transparency (ODINT)
© 2026 ODINT. All rights reserved. This report is produced for informational and accountability purposes.