Updated: December 18, 2025, at 4:47 p.m. EST
At 4:06 p.m. EST on December 17, 2025, the Global Internet Forum to Counter Terrorism (GIFCT) concluded its Perpetrator Content Incident (PCI) in response to a violent extremist event in Moscow Oblast, Russia.
Following the conclusion of the PCI, GIFCT is issuing the following summary of actions related to this event.
At 8:32 a.m. EST on December 16, 2025, GIFCT activated the PCI within its Incident Response Framework (IRF) in response to a violent extremist event in Moscow Oblast, Russia, and took the following steps:
- Alerted all GIFCT members that the PCI had been activated. By this time, in line with our IRF, communications were already underway between GIFCT and its member companies to share situational awareness about the offline violence in order to prepare for the potential that the event met the criteria to activate the PCI.
- Continuously shared open-source information about the event and perpetrator, communicated with external subject matter experts when relevant.
- Enabled GIFCT members to share hashes of the perpetrator-produced content depicting the attack, in video and image form, as well as other relevant information through internal channels.
- Alerted the Russian government, as the impacted government in this event, and GIFCT’s Independent Advisory Committee that the PCI had been activated in response to the violent extremist event.
Simultaneously, individual GIFCT members engaged in platform-specific enforcement operations, identifying and reviewing content in line with their respective terms of service, including instances of the content shared in a range of contexts.
At 4:06 p.m. EST on December 17, 2025, GIFCT concluded the activated PCI based on the time passed since the conclusion of the offline violent event and feedback from members on the level of attempts to upload new versions of the violating content on member platforms. New hashes of the perpetrator-produced content may be added to GIFCT’s hash-sharing database as members identify and share them.
We can currently provide the following information from this event:
- Between when GIFCT activated the PCI at 8:32 a.m. EST on December 16, 2025, and its conclusion at 4:06 p.m. EST on December 17, 2025, members added approximately 6,681 visually distinct items to the GIFCT hash-sharing database.
After concluding the PCI, GIFCT will convene multi-stakeholder debriefs with our members and community to review the steps taken as part of the response and identify lessons and improvements to be made. This is an essential, final step in our operations when the PCI is activated.
Ongoing Work:
In order for GIFCT and its members to further refine and strengthen our efforts, we continue to test our protocols and mature our Incident Response Framework, including the PCI. This work is currently underway amongst GIFCT’s internal team, and informed by the recommendations set forth by the GIFCT Year 3 Incident Response Working Group.
The Global Network on Extremism and Technology (GNET), the academic research network funded by GIFCT, contributes Insights in response to IRF activations and will continue to provide research from experts on issues and questions related to violent extremist behaviors and technologies.
First Published December 16, 2025, at 2:56 p.m. EST
At 8:32 a.m. EST on December 16, 2025, the Global Internet Forum to Counter Terrorism (GIFCT) activated a Perpetrator Content Incident (PCI) in response to a violent extremist event in Moscow Oblast, Russia.
The PCI was activated due to perpetrator-produced content from a violent extremist attack circulating online.
As a result, GIFCT members share relevant information for other members’ situational awareness about the event. Hashes corresponding to the perpetrator-produced content depicting the attack, in video and image form, qualify to be added to the GIFCT hash-sharing database. This enables other GIFCT members to identify whether the same content has been shared on their platforms and address it in accordance with their respective platform policies.
For more information about GIFCT’s:
- Incident Response Framework that guides how GIFCT and its members respond to mass violent attacks and their online dimensions, see here: https://gifct.org/incident-response/
- Hash-sharing database, see here: https://gifct.org/hsdb/
GIFCT is working with members and partners to monitor developments and respond accordingly. We thank our stakeholders for their continued engagement, and our thoughts remain with the victims and affected communities.
We will provide further updates on this post.
