How Facebook Exposed a Black Op: The Al Watiya OPSEC Failure

On December 14, 2015, US Special Operations Command sent an aircraft to Al Watiya Air Base in western Libya. The visit was unannounced. The local militia forces securing the base were not informed in advance. The Americans were asked to leave almost immediately.

It was ostensibly supposed to be a quiet reconnaissance mission — the kind of operation that happens dozens of times across conflict zones, conducted by small teams, leaving minimal traces, generating no headlines. The aircraft departed. The incident was over.

And then someone posted photos to Facebook.

Within hours, images of the American aircraft on Libyan soil were circulating on social media. The photos showed the plane on the tarmac. They showed Libyan personnel near the aircraft. They showed enough detail to confirm the presence, identify the aircraft type, and establish a timeline. What should have been a contained operational setback — a rejected visit handled quietly between the US and local forces — became an open-source intelligence event that anyone with an internet connection could analyze.

This is the story of how that happened, what the photos revealed, and what the incident tells us about operational security in an age where every phone is a camera and every social media account is a potential intelligence leak.

The Source: Libyan Air Force Facebook

The photos originated from a Facebook page associated with Libyan military personnel. The specific page and the individuals who posted the images have not been publicly identified in available reporting, but the pattern is consistent with how Libyan armed groups used social media during this period — openly, frequently, and with minimal operational security discipline.

Libyan militias and military factions in 2015 routinely documented their activities on Facebook, Twitter, and other platforms. These posts served multiple functions: propaganda, recruitment, morale-building within their own ranks, and signaling to rival factions. Posts included photos of weapons, vehicles, personnel, and operations. The distinction between what should be kept confidential and what could be shared publicly was, in many cases, either not understood or not enforced.

From the perspective of Libyan forces at Al Watiya, the arrival of an unannounced American aircraft was an event worth documenting. It was unusual. It demonstrated their control of the base. It signaled their willingness to reject foreign visitors who had not coordinated properly. Posting photos of the incident was, in their calculus, a way to assert authority.

From the perspective of US operational security, it was a catastrophic breach.

What the Photos Showed

The images that circulated publicly — described in the Menas Associates reporting and referenced in subsequent analyses — revealed several critical details:

Aircraft Identification: The photos confirmed the presence of a Dornier 328 jet operated by US Special Operations Command (SOCOM). The Dornier 328 is a civilian-derivative turboprop commonly used by special operations units for low-profile transport in permissive or semi-permissive environments. It does not have the profile of a military transport like a C-130 or a C-17, which makes it useful for missions where visibility needs to be minimized. But it is identifiable to anyone with basic aircraft recognition training — and once photographed, it becomes impossible to deny.

Location Confirmation: The photos placed the aircraft at Al Watiya Air Base. This was not ambiguous. The base’s infrastructure, the surrounding terrain, and other visual markers in the images confirmed the location. For analysts monitoring US special operations activity in Libya, this was actionable intelligence: the US had personnel on the ground at a specific location on a specific date.

Timeline: The metadata embedded in the photos — assuming it was not stripped before posting — would have included timestamps. Even if the metadata was removed, the timing of the Facebook posts themselves provided a window: the visit occurred on December 14, and the photos appeared online within hours or days of that date. This established a timeline that could be cross-referenced with other intelligence.

Personnel Presence: The photos reportedly showed Libyan personnel near the aircraft. They did not show US personnel: the Americans had remained aboard the aircraft, had disembarked but were not photographed, or appeared only in images that were not shared publicly. This is significant from an OPSEC perspective: the Libyans documented the visit but did not compromise the identities of the US operators. Whether this was intentional restraint or simply because the Americans were not in frame is unclear.

The OSINT Implications

Once the photos were on Facebook, they became part of the open-source intelligence landscape. This means that anyone — foreign intelligence services, journalists, researchers, rival factions, terrorist groups — could access them, analyze them, and incorporate them into their understanding of US operations in Libya.

For hostile intelligence services, the photos confirmed that US special operations forces were conducting reconnaissance in western Libya in mid-December 2015. This was not necessarily a surprise — US counter-terrorism activity in Libya was an open secret by that point — but confirmation is different from assumption. The photos provided proof.

For rival factions within Libya, the photos demonstrated that the US was engaging with specific militia groups and not others. The fact that the visit was rebuffed suggested that coordination had failed or that the local forces had rejected US overtures. This had political implications within the fractured Libyan security landscape.

For analysts tracking US operations, the photos were a data point that could be triangulated with other information. SOCOM aircraft movements are not publicly advertised, but they leave traces — flight tracking data, logistical support requests, personnel rotations. The Al Watiya photos provided a fixed point in time and space that could be used to map broader patterns of US activity.

The OPSEC Failure Chain

Operational security failures are rarely the result of a single mistake. They are typically the product of a chain of decisions, each one creating vulnerability, until the combined effect produces a breach.

In the Al Watiya case, the OPSEC failure chain began before the aircraft ever landed.

Failure Point 1: Lack of Local Coordination. The visit was not coordinated with the forces actually controlling the base. US officials may have coordinated with Osama Juwaili — a Zintani commander with whom they had an established relationship — but Juwaili did not control the specific forces at Al Watiya. This meant that when the aircraft arrived, the local commander saw it as an unannounced intrusion rather than an authorized visit. The lack of coordination created the conditions for everything that followed.

Failure Point 2: Permissive Posture Toward Documentation. The Americans either did not anticipate that the Libyans would photograph the visit, or they anticipated it but accepted the risk. In a truly covert operation, the first priority upon arrival would be to establish control over information: no photos, no posts, no documentation. The fact that Libyan personnel were able to photograph the aircraft suggests that the Americans did not treat the visit as requiring that level of information security — possibly because they believed the relationship with local forces was cooperative enough to prevent leaks.

Failure Point 3: No Post-Incident Damage Control. Once the photos were posted, there does not appear to have been any effort to have them taken down. This is not surprising — once an image is on Facebook, it spreads quickly, and removal requests are rarely effective. But the lack of any visible attempt to contain the breach suggests either that the US accepted the exposure as inevitable or that they did not have the leverage with the individuals who posted the images to request removal.

Failure Point 4: Broader Social Media Environment. The structural condition that enabled the breach was the fact that Libyan armed groups treated social media as a routine communication tool. This was not unique to the forces at Al Watiya. It was endemic across Libyan factions. The US was operating in an environment where the local partners they needed to work with did not share their understanding of operational security. That mismatch created persistent vulnerability.

What Could Have Been Done Differently

From an OPSEC perspective, the Al Watiya incident offers several lessons about operating in environments where local forces do not maintain Western standards of information security.

Pre-Coordination at the Right Level. The visit should have been coordinated not just with faction leadership but with the specific commanders on the ground who controlled access to the base. If Juwaili did not have authority over the forces at Al Watiya, then coordination with Juwaili was insufficient. This requires granular intelligence about local command structures — who actually controls which facilities, and who has the authority to authorize foreign visits.

Explicit Information Security Agreements. Before the visit, there should have been an explicit agreement with local forces: no photos, no social media posts, no documentation. This needs to be stated clearly, not assumed. In environments where social media use is routine, the default behavior is to document and share. Changing that behavior requires direct instruction.

Immediate Damage Control Protocols. Once the photos appeared, the US should have had a pre-established protocol for damage control: contact the individuals who posted the images, request removal, assess what additional information might be leaked, and adjust operational plans accordingly. The fact that this did not happen — or did not happen visibly — suggests that such protocols either did not exist or were not activated.

Accept the Risk or Don’t Conduct the Mission. Ultimately, if the US could not guarantee that local forces would maintain operational security, then the mission profile needed to change. Either accept that the visit would become public and plan accordingly, or do not conduct the visit at all. The middle ground — hoping that local forces would not document the visit — proved to be wishful thinking.

The Broader Pattern

The Al Watiya OPSEC failure was not an isolated incident. It was part of a broader pattern of operational security vulnerabilities that emerged during the 2010s as social media became ubiquitous in conflict zones.

In Syria, rebel groups posted videos of themselves with US-supplied weapons, sometimes including serial numbers and other identifying information that allowed analysts to track weapons flows. In Iraq, militia groups posted photos of US special operations advisors, compromising their identities. In Afghanistan, Taliban fighters monitored social media posts by Afghan forces to identify patterns and vulnerabilities.

The challenge is structural. US special operations forces operate under strict information security protocols. Their local partners — militia groups, transitional governments, irregular forces — often do not. When the two groups work together, the weaker link determines the overall security posture. And in environments where smartphones are ubiquitous and social media is the primary communication tool, the weaker link is very weak indeed.

Why It Matters Now

The Al Watiya incident occurred in 2015. The photos are still accessible on the original Facebook page, even though accounts are normally deleted, pages are taken down, and content disappears over time. The images were also captured, archived, and analyzed when they first appeared, and are now being analyzed again. They are part of the intelligence record.

More importantly, the operational security lessons from Al Watiya remain relevant. The US continues to conduct small-footprint operations in fragmented conflict zones. The local partners in those operations continue to use social media routinely. The mismatch between US information security standards and local communication practices has not been resolved.

The only thing that has changed is that the tools have gotten better. In 2015, the photos from Al Watiya were posted manually by Libyan personnel. In 2025, every drone overhead, every surveillance camera, every network of sensors creates data that can be leaked, hacked, or inadvertently shared. The attack surface has expanded, and the information security challenge has become more complex.

The Al Watiya photos were a small breach in a single operation. But they illustrated a vulnerability that is systemic, persistent, and largely unsolved: how do you maintain operational security when your partners treat transparency as the default and secrecy as the exception?

That question remains unanswered – but not for long…


Related Reading:

Five Eyes, Five Faces: How the Anglophone Alliance Is Fracturing in Public

Maple Leaks | Transparency & Pattern Documentation

The sequence is now documented in public record. It is not coordinated in any conspiratorial sense — there is no evidence of back-channel agreements or synchronized planning. What there is evidence of is four countries arriving at the same conclusion independently, and acting on it simultaneously.

Canada signed a trade agreement with China in January 2026 following Prime Minister Mark Carney’s visit to Beijing — the first major bilateral deal with China in years, concluded while Washington threatened 100% tariffs on Canadian goods if Ottawa pursued exactly that relationship.

The United Kingdom signed a “strategic and consistent relationship” framework with China on January 29, 2026, following Prime Minister Keir Starmer’s visit — the first by a British PM in eight years. Starmer brought a delegation of 60 business leaders, approved a sprawling new Chinese embassy in London, and described the meeting with Xi Jinping as “productive” and the relationship as being in a “good, strong place.”

Australia invited Carney to address its parliament in March 2026, making him only the second Canadian PM ever to do so. Prime Minister Anthony Albanese publicly endorsed Carney’s Davos speech, describing it as consistent with his own position and calling for middle-power cooperation.

New Zealand began distancing itself from Five Eyes consensus positions years earlier, with Foreign Minister Nanaia Mahuta stating in April 2021 that New Zealand was “uncomfortable” with using the intelligence alliance to confront China and wanted to pursue its own bilateral relationship.

This is not speculation. It is the public record. And the pattern is too consistent to be coincidental.


What the Public Record Shows

Maple Leaks exists to publish leaked and declassified documents revealing gaps between government statements and government actions. In this case, no leak is required. The governments themselves are documenting the fracture in real time, in public statements, official press releases, and parliamentary announcements. The transparency is deliberate.

The question is not whether the fracture is happening. The question is what it means.

The Canada-China Timeline

January 9, 2026: Carney visits Beijing, signs trade agreement focused on critical minerals, green technology, and market access diversification.

January 14, 2026: Trump threatens 100% tariffs on Canada if Ottawa signs a trade deal with China.

January 15, 2026: Carney responds by stating Canada will not be “dictated to” on trade relationships, and that diversification is a strategic necessity, not a negotiable preference.

January 20, 2026: Carney delivers Davos speech calling on nations to accept the end of the rules-based global order and build middle-power coalitions to avoid economic subordination.

The sequence matters. The China deal was concluded before the public articulation of the middle-power thesis, and before the Trump threat escalated to the 100% tariff level. That means the decision to pivot to China was not reactive — it was strategic. And it was already underway when Carney made it explicit at Davos.

The UK-China Timeline

January 28-31, 2026: Starmer visits China — first British PM visit in eight years — with 60-member business delegation.

January 29, 2026: UK and China sign framework for “strategic and consistent relationship,” including £600 million in immediate benefits and commitments on AI, green technology, education, and finance.

January 24, 2026 (pre-visit): UK approves sprawling new Chinese embassy in London after years of delays over political and security concerns.

January 30, 2026 (during visit): Trump warns UK it is “very dangerous” to do business with China, stating “if you are integrated with the United States economically or you are dependent on the United States, Trump will use that as a vulnerability and exploit it.”

The UK visit happened after Carney’s Davos speech and after the Canada-China deal. That suggests coordination at some level, or at minimum, that London watched Ottawa’s move and concluded the political cost of doing the same had dropped significantly. Either way, the pattern holds: another non-US Five Eyes member pivoting to China while Washington applies economic coercion to prevent it.

The Australia Sequence

October 2025: Canada and Australia sign bilateral agreement on critical minerals cooperation.

January 25, 2026: Albanese announces Carney will address Australian Parliament in March, publicly endorses Carney’s Davos thesis.

Context: Australia’s AUKUS submarine deal with the US and UK is visibly faltering. The US Navy cannot deliver Virginia-class boats on schedule, and a retired UK rear admiral has warned that Britain lacks the workforce to deliver its share of the programme. The submarines that were supposed to arrive are not arriving. The deal that was supposed to anchor Australia’s defence posture for decades is in question.

Australia is not pivoting to China in the way Canada and the UK have. But it is publicly aligning with Carney’s middle-power thesis, deepening bilateral ties with Canada outside of US frameworks, and signalling openness to alternatives. That is not neutrality. That is hedging.

The New Zealand Precedent

New Zealand Foreign Minister Nanaia Mahuta stated in April 2021 — three years before the current sequence — that New Zealand was “uncomfortable” with expanding Five Eyes to confront China and would pursue its own bilateral relationship. At the time, the statement was treated as an outlier. In retrospect, it was the first public signal that the non-US members of Five Eyes were no longer willing to subordinate their economic interests to American strategic preferences.

The pattern began with New Zealand. It has now extended to Canada, the UK, and (in more limited form) Australia. Four of the five eyes. All moving in the same direction. All within the same twelve-month window.


What This Is Not

This is not a formal break. No country has left Five Eyes. No intelligence-sharing agreements have been terminated. The surveillance infrastructure documented by Edward Snowden in 2013 — the ECHELON system, the XKeyscore databases, the bulk collection programmes — remains operational. Canadian communications still flow through American servers. British GCHQ still coordinates with NSA. The technical architecture of the alliance has not changed.

This is also not an alliance with China. None of the four countries signing trade deals or pursuing diplomatic resets with Beijing are abandoning their security relationships with Washington. They are diversifying. They are hedging. They are building alternatives. But they are not switching sides.

What this is is a documented pattern of strategic de-risking across all four non-US members of the Five Eyes alliance, happening simultaneously, in public, and without coordination but with obvious mutual reinforcement.


What the Transparency Reveals

The governments are being transparent about this because the alternative — conducting the same pivots quietly — would be worse. If Canada signed a trade deal with China without announcing it publicly, and it leaked six months later, the political cost would be catastrophic. The accusation would be deception, conspiracy, betrayal. By doing it openly, by announcing it in press releases and parliamentary statements, the governments are making a different argument: that this is not betrayal, it is adaptation. That the relationship with the US has become untenable, and that alternatives are not just permissible but necessary.

The transparency is the message. It is a signal to Washington that the subordination is over. It is a signal to domestic populations that the governments are acting in national interest, not alliance obligation. And it is a signal to each other — to the other non-US Five Eyes members — that the move is safe, that others are doing it too, and that the political cover exists.

That is why the sequence accelerated after Carney’s Davos speech. He broke the seal. He said publicly what the others were thinking privately. And once he said it, the cost of others saying it dropped to zero.


The Intelligence Implications

Five Eyes is not just a policy alliance. It is an intelligence-sharing network built on the assumption of aligned strategic interests. When those interests diverge — when Canada prioritizes trade with China over alignment with Washington, when the UK does the same, when Australia hedges, when New Zealand opts out — the intelligence-sharing framework becomes a liability rather than an asset.

Because here is what intelligence-sharing means in practice: it means Canadian signals intelligence collected by CSE flows through NSA systems. It means British GCHQ intercepts are accessible to American analysts. It means that any country within Five Eyes has access to the communications, the metadata, the surveillance data of the other four.

And it means that if one member of the alliance is conducting economic and diplomatic engagement with a country the US considers a strategic competitor, the US has access to the intelligence that member is collecting on that engagement.

That is not just a policy problem. That is a sovereignty problem.

The fracture we are documenting is political and economic. But the deeper fracture — the one that has not yet happened publicly but that the political fracture makes inevitable — is intelligence. At some point, one of these four countries is going to conclude that full-spectrum intelligence-sharing with Washington is incompatible with strategic independence. And when that happens, Five Eyes does not just fracture. It collapses.


What to Watch For

The pattern is established. The question now is how far it goes.

Does Canada restrict intelligence-sharing with the US on China-related matters? If Ottawa concludes that CSE intercepts on Canadian-Chinese trade negotiations are being accessed by NSA and used to inform American economic coercion, the logical response is to compartmentalize. To stop sharing. To build independent intelligence infrastructure. That is a massive shift, but the logic is sound.

Does the UK do the same? GCHQ and NSA are more deeply integrated than any other bilateral relationship in Five Eyes. If London starts restricting access — even marginally, even on specific topics — it signals that the intelligence alliance is no longer politically sustainable.

Does Australia move beyond hedging? Right now, Canberra is playing both sides: maintaining the security relationship with Washington while building economic alternatives. At some point, that becomes untenable. Either the US forces a choice, or Australia makes one preemptively.

Does New Zealand go further? Wellington has already signalled discomfort with confronting China through Five Eyes. The question is whether it formalizes that position — whether it restricts intelligence-sharing, opts out of specific programmes, or builds independent capabilities.

None of these outcomes are certain. But all of them are now plausible in ways they were not twelve months ago. And all of them are the logical extension of the pattern we are documenting here.


Maple Leaks publishes leaked and declassified documents revealing gaps between government statements and government actions. In this case, the governments are being transparent. The gap is not between what they say and what they do. The gap is between what this pattern means and what anyone in Washington is willing to admit.

For related analysis: Prime Rogue Inc., “There Are No Friends”; Signal Cage, “Carney in Canberra”; Civil Defense Canada, “Why American Culture Is Structurally Incompatible With Allied Trust”.

Maple Leaks 001: FINTRAC and Jeffrey Epstein – a Canadian GLOMAR RESPONSE

Document Created: July 26, 2025

Document Posted: July 27, 2025

Document Created by: FINTRAC ATIA OFFICE

Maple Leaks Modifications: Addition of Watermark and Redaction of Submitter Mailing Address – July 27, 2025

Submitted by: Kevin J.S. Duska Jr. in collaboration with Prime Rogue Inc and the Federation for Freedom, Accountability and Oversight (FAFO) Labs

The Maple Leaks Origins Story

Welcome to Maple Leaks—a digital safehouse for exposing systemic abuse, obfuscation, and institutional gaslighting in Canada’s federal transparency regime.

This platform was born in May 2025 after Innovation, Science and Economic Development Canada (ISED) submitted a spurious application under Section 6.1(1) of the Access to Information Act to the Office of the Information Commissioner (OIC). Their goal? To suppress 126 access to information requests—many of which documented misconduct, narrative manipulation, and internal surveillance patterns emerging from within ISED itself.

Rather than addressing the disturbing substance of those requests, ISED chose the bureaucratic route of character assassination: branding legitimate investigative inquiries as “vexatious.” This move was not just procedurally defective—it was strategically timed and chillingly political.

We don’t fold under pressure. We publish.

Maple Leaks exists because of this censorship attempt. What was meant to be buried will now be spotlighted. What was dismissed as paranoia will be catalogued as precedent.

Here, you’ll find:

  • Disclosed documents and metadata from our ATIP files
  • Strategic commentary on Canada’s FOI landscape
  • Technical OSINT tracing federal actors’ narrative control
  • Legal analysis of Section 6.1(1) weaponization

If you’ve ever been told your request was “too broad,” your concern “not in the public interest,” or your research “abusive,” this site is for you.

We’ll publish until the record is clear.

Maple Leaks is powered by Prime Rogue Inc under the editorial direction of Kevin J.S. Duska Jr. & Margot Lanihin
