
Distance (Sometimes) Makes the Threat Grow Stronger
TorchStone has tracked Persons of Interest (POIs) and analyzed threats involving individuals who have traveled vast distances to confront or attack high-profile targets. These incidents underscore the importance of a robust protective intelligence program capable of tracking threat actor movement and providing timely alerts regarding changes in proximity to a protected individual. Numerous recent examples illustrate how aggrieved or fixated individuals are willing and capable of traveling significant distances to reach their target and conduct an attack. This article highlights several of these examples and notes how protective intelligence helps to identify, track, and mitigate this risk.
The 2026 White House Correspondence Dinner: A Case Study in Long Distance Threats
In late April at the Washington Hilton Hotel in Washington, D.C. a gunman attempted to breach the annual White House Correspondents’ Dinner by charging through a security checkpoint and shooting a Secret Service agent. The gunman was not from D.C., but traveled cross-country (2,688 miles) from Torrance, CA to attempt his assault.
The gunman had no criminal record and was not on law enforcement’s radar before the event, despite displaying several escalating behavioral indicators of concern leading up to the attack. For example, the suspect’s digital profile had shifted in recent years. In 2022, his social media content consisted mostly of posts about video games; more recently, he shared posts comparing President Donald Trump to Adolf Hitler and encouraged others critical of his presidency to purchase guns. This language was echoed in a “manifesto” the gunman sent to family members minutes before the attack. This document laid out a plan to target Trump administration officials and expressed deep frustration and anger at their perceived actions.
Speaking with law enforcement following the attack, the gunman’s sister shared that her brother “had a tendency to make radical statements, and his rhetoric constantly referenced a plan to do ‘something’ to fix the issues with today’s world.” She also disclosed that he recently purchased two handguns and a shotgun, secretly storing them at their parents’ home.
These factors are indicative of a concerning escalation pattern along the pathway to violence and underscore the necessity of proactive threat monitoring. Though U.S. Secret Service agents successfully intervened before the suspect reached his target, the incident demonstrates how individuals with no prior criminal history or direct proximity to their target can still pose a significant threat to principals.
Not an Isolated Incident
TorchStone frequently encounters the assumption that concerning individuals (Persons of Interest) who are geographically removed from the principals pose a lower threat. While it’s true that geographic location is crucial in understanding the imminency of a potential threat, that factor alone does not accurately determine a potentially malicious actor’s overall risk profile. The White House Correspondence Dinner attack is one of several recent cases in which an aggrieved individual traveled significant distances to locate and attack a target.
In April 2026, an anti-AI activist from a Houston, TX suburb traveled to San Francisco and threw a Molotov cocktail at OpenAI CEO Sam Altman’s home before attempting to breach OpenAI’s downtown headquarters. The suspect later told security that he planned to burn the building down and kill anyone who was inside. In August 2025, the 345 Park Avenue shooter drove from Nevada to Manhattan to carry out his deadly attack, likely targeting NFL Headquarters. And, in December 2024, UnitedHealthcare CEO Brian Thompson’s murderer also traveled from out of state to Manhattan to conduct his targeted assassination.
These types of attacks are not reserved for large-scale, politically motivated shootings and killings – geographically removed stalkers and fixated individuals can also pose immediate threats.
In May 2025, a man traveled from Mississippi to Los Angeles to reach Jennifer Aniston, whom he had previously stalked, later crashing his vehicle through the gate of her Bel Air residence. More recently, in March 2026, police arrested a woman accused of driving across the country from Florida to open fire on Rihanna’s Beverly Hills home. In this case, the woman who carried out the attack had a long history of subscribing to online conspiracy theories about Rihanna and other celebrities.
When Principal Travel Meets the Threat
Another critical consideration is principal travel into areas where persons of interest (POIs) may reside or operate. Public awareness of a principal’s movements is increasingly common, whether driven by media coverage tied to a high public profile, corporate announcements regarding speaking engagements or events, or self-disclosure through the principal’s own social media activity. This visibility can create opportunities for malicious actors to exploit known itineraries and facilitate unwanted approaches or targeted attacks. For this reason, TorchStone strongly recommends conducting comprehensive Travel Risk Assessments (TRAs) prior to principal travel. Beyond evaluating the broader threat and operational landscape of a destination, TRAs help identify known POIs in the area, assess their proximity and capability, and inform mitigation strategies designed to reduce exposure and enhance protective readiness. On multiple occasions, TorchStone Travel Risk Assessments have identified POIs who attempted to approach principals during travel outside of their own home region.
Protective Intelligence in Action
Identifying and mitigating these threats requires ongoing visibility into the POI’s online and physical activity even despite geographical distance. Doing so keeps security teams informed of directional threat movement, whether danger may be approaching the principal, or the principal may be approaching potential danger. At TorchStone, we’ve supported cases where this type of intelligence-driven monitoring enabled teams to do just that.
In March 2024, TorchStone Senior Intelligence Analyst, Mare Cunningham, identified an international person of interest who signaled plans to travel to a major U.S.-based music industry office. She immediately began monitoring the individual’s public social media activity and provided timely updates to the organization’s physical security team as the situation developed, including off-hours notifications. This real-time reporting gave the investigations team and onsite security personnel advance notice of the individual’s likely arrival and allowed them to prepare a coordinated response. The person later appeared at the office as indicated, and security teams managed the encounter without disruption or escalation.
“One of the key lessons from my FBI experience,” stated Cunningham, “is that prevention often depends on recognizing and acting on subtle warning signs. This case highlights how protective intelligence, continuous monitoring, and close coordination with onsite security can help mitigate potential threats before they impact people or operations.”
Key Takeaways
Protective intelligence begins with the early identification of potential threats, regardless of proximity to principals, so teams are aware of aggrieved or fixated individuals before behavior escalates. Analysts then monitor online activity, communications, and other behavioral indicators to establish a baseline risk assessment and identify changes in behavior, whether that’s increased activity, complete silence, or events that could trigger one to take action. Tracking movement patterns and location-based activity also helps determine whether a subject may be planning travel or, in the case illustrated above, en route to the principal’s location. From there, security teams can take proactive steps through coordinated response measures like BOLOs (be on the lookout), vehicle identification, enhanced physical security, and law enforcement notification, when necessary, to mitigate the threat.

When Visibility Becomes Vulnerability: IRL Livestreaming and Real-Time Exposure Risk
On March 2, 2025, an in real life (IRL) livestream showed how quickly a routine fan interaction can escalate into an immediate physical threat. Several prominent female streamers, known to audiences by their screen names Valkyrae, Cinna, and Emiru, were broadcasting live at Santa Monica Pier in California when an individual who initially approached them as a fan became agitated, issued death threats, and pursued them while they remained on camera. The escalation unfolded in real time, providing continuous situational awareness of the creators’ location and movements and compressing the timeline between online exposure and physical confrontation.
This type of escalation reflects how livestreaming exposure has changed as creators increasingly operate in public spaces. For much of its early development, livestreaming occurred in relatively controlled environments. Streamers typically broadcast from bedrooms, studios, or personal offices, engaging audiences through a screen that kept their broadcast environment largely isolated from physical interaction. Although viewer engagement occurred in real time, the broadcasting location itself was generally static and predictable. Over time, that separation has steadily eroded. Streamers now increasingly bring audiences into public streets, crowded venues, and everyday routines, turning real-world movement into live content and narrowing the divide between online presence and physical location.
Even in these early environments, streamers faced identifiable risks. Practices such as doxxing and swatting emerged alongside early livestreaming culture, demonstrating how publicly available information could be used to target content creators. These threats did not rely on real-time movement, but they established an important pattern: visibility alone can create vulnerability. The growth of IRL streaming has increased these risks, allowing online exposure to translate into real-world consequences more rapidly.
The shift toward IRL streaming has coincided with the rapid normalization of livestreaming as a popular form of media consumption. By the third quarter of 2025, viewers spent approximately 29.4 billion hours watching live content across platforms, demonstrating sustained, large-scale engagement. YouTube Live remains the largest platform by viewership, while TikTok Live and Twitch together account for a substantial share of global audiences. Newer platforms, such as Kick, have also expanded during this period, reinforcing the continued growth of live content.
As livestreaming expands further into public spaces, it has created more exposure for creators defined by accessibility and predictability. Viewers are no longer simply observing content; they can infer location, routines, and behavior in real time. For most audiences, IRL streaming creates connection and authenticity. For a small but consequential subset of individuals, however, it creates opportunities for harassment, stalking, or, in some cases, physical harm. The risks facing streamers extend beyond internet culture and demonstrate how visibility and real-time interaction are increasingly linked to physical security.
The Streamer Target Profile
IRL streamers represent a distinct target profile defined by how they generate and sustain visibility. Unlike traditional celebrities, whose exposure is typically managed through scheduled appearances and controlled media environments, streamers often broadcast spontaneous and unscripted activity in real time without the support of staff or security. This format increasingly places creators in public spaces while providing audiences with continuous access to their behavior and surroundings.
Livestream content can reveal location even when no intentional disclosure occurs. Visual cues such as street signs, storefronts, landmarks, or transit stations may appear briefly, yet still provide enough information for viewers to identify where a stream is being made. Repeated livestreams from familiar areas can also further reduce ambiguity, making a streamer’s routines and frequently visited locations easier to recognize over time. Even when specific addresses are not shown, broader patterns of movement become apparent to viewers. By the very nature of their content, IRL streamers are essentially doxxing themselves.
Audience interaction further shapes a streamer’s overall risk profile. Livestreaming platforms are designed to maximize engagement, encouraging frequent and direct interaction between streamers and viewers. These interactions, combined with the personal details increasingly shared during streams, influence some viewers to develop parasocial fixations on the creators they watch. This generates views, subscriptions, and revenues, but can also create risks.
The overwhelming majority of livestream engagement is non-threatening. However, some individuals develop unhealthy fixations that can progress along a recognizable spectrum of online behavior. Early interactions are often passive but may become more aggressive over time. A fixated viewer may feel entitled to direct interaction and may become aggrieved if they perceive they are being ignored. As fixation intensifies, individuals may seek to increase connection through persistent communication, unsolicited in-person encounters, or efforts to identify a streamer’s offline location, as seen in the case of Korean streamer Jinnytty, who was confronted in public by an individual who had allegedly tracked her movements and stalked her for several months. This pattern demonstrates how online engagement can evolve over time before manifesting as real-world risk.
Risk does not scale evenly with audience size. A small number of motivated individuals can create a disproportionate impact when real-time information about a target is available. As livestreaming increasingly occurs in public venues and personal residential areas, the separation between online visibility and physical access continues to dissolve, leaving many streamers ill-equipped to manage these risks.
Many streamers operate with limited security awareness or security infrastructure. Unlike executives or other high-net-worth individuals, creators often experience rapid increases in visibility with little preparation for managing personal security or privacy boundaries. This is particularly common among younger streamers who gain prominence quickly, leaving security considerations largely reactive rather than proactive and deliberate.
These factors define streamers as a target profile characterized by persistent visibility, real-time exposure, and limited protective maturity. Potential threats do not stem from content creation itself, but from the structure of live content and the speed at which exposure can translate into access.
How Exposure Translates to Real-World Harm
Recent incidents illustrate how the exposure created by livestreaming can translate into physical harm or sustained safety concerns. While not exhaustive, the following cases highlight recurring patterns in how real-time content can be exploited.
On March 11, 2025, Japanese YouTuber Airi Sato was killed while livestreaming on a public street in Tokyo. Reporting indicated that Sato’s assailant, who had a prior legal and financial dispute with her, used the livestream to confirm her location immediately before the attack. The broadcast provided real-time awareness of her location. The livestream did not create the underlying conflict, but it confirmed her location at a critical moment to a known individual with a known grievance against her.
A similar incident occurred on May 13, 2025, when Mexican beauty influencer Valeria Márquez was shot and killed while livestreaming from her salon in Zapopan, Jalisco. During the stream, Márquez mentioned that someone had previously attempted to deliver an expensive gift when she was not present, expressing unease about the encounter. Shortly thereafter, an individual arrived under the pretext of delivering a gift, and Márquez was shot. Authorities later stated the killing was being investigated as a possible femicide and as a targeted attack rather than a random act of violence. As in the Sato case, real-time visibility allowed an existing threat to move quickly from observation to action.
Other incidents exemplify how one threatening incident can lead to long-term fear. Echoing the Santa Monica Pier incident described earlier, popular streamer Valkyrae, publicly stated that she had relocated her residence multiple times due to ongoing safety concerns, citing fears that her location could be identified and targeted. Those concerns later extended into organized events. Prior to TwitchCon 2025, Valkyrae and other notable creators announced they would not attend due to safety considerations. These concerns were reinforced on October 18, 2025, when fellow streamer Emiru was physically assaulted by an attendee during a meet-and-greet at the event. Despite the structured nature of the setting, the incident demonstrated how perceived accessibility can persist beyond livestreams themselves and result in vulnerability.
Residential exposure presents an additional and persistent danger. In May 2025, members of FaZe Media, a prominent collective of young male streamers and content creators, reported apparently armed unknown individuals at their shared residence. While details remain limited, the incident reflects a broader pattern in which high-profile creators become associated with fixed locations that attract unwanted attention. The residence’s address had previously been identified through open-source information, and members of the group have reported past incidents of doxxing and swatting. Regular fan interactions occurring near the property further increased exposure.
Collectively, these cases show how livestreaming can erase the gap between online visibility and physical access. Targeted threats develop over time rather than emerging suddenly, and follow a discernible attack cycle that can be disrupted if you are looking for indications of a developing threat. Live content can accelerate this process by providing immediate, verifiable information about a target’s location and environment, assisting the assailant’s surveillance phase.
Conclusion
Livestreaming offers a clear example of how digital visibility can shape physical risk. The cases examined suggest that harm is rarely disconnected from prior exposure. Instead, escalation often results from access, familiarity, and real-time disclosure of locations and routines.
For protective intelligence practitioners, IRL streamers demonstrate how open-source information can shift from passive visibility to actionable insight for malicious actors. Live content shortens decision timelines by allowing threat actors to confirm a target’s location and act quickly. The same signals that enable audience engagement can also reveal emerging risk when assessed over time.
As public real-time engagement becomes more common, IRL livestreaming highlights the growing need for threat monitoring, situational awareness, and early threat identification for individuals in live content creation roles. Understanding how both visibility and operating in public spaces influence vulnerability is becoming increasingly critical to the personal safety of creators. For security professionals, livestreaming provides a clear example of how digital behavior influences physical risk. As the boundary between online and real-world presence continues to narrow, protective intelligence teams must integrate visibility-driven risk into their assessments of the threat landscape, and these assessments should then be used to determine the physical security measures needed to protect publicly exposed individuals.

Smuggler involved in Matamoros fatal kidnapping one of many exemplifying ongoing gun flow from US

Featuring TorchStone VP, Scott Stewart
While the fate of the man suspected of selling a weapon used in the fatal Matamoros kidnapping of four U.S. citizens unravels before a federal court, the problem of gun smuggling underscored by the arrest will likely continue.
Scott Stewart explains the economics behind gun smuggling and money laundering.

Heading to Mexico for spring break? Here’s what you should know about cartel violence

Featuring TorchStone VP, Scott Stewart
The tourism secretary in Quintana Roo (where Cancún is located) said work is being done to keep criminal gangs away from tourist destinations.
While violence aimed at tourists is low, the Texas Department of Public Safety urges against spring break travel to Mexico. Scott Stewart discusses why spring breakers may still encounter violence.

DPS warns Texans against traveling to Mexico for spring break after 2 Americans kidnapped and killed

Featuring TorchStone VP, Scott Stewart
The kidnapping and killing of U.S. travelers this week in the Mexican city of Matamoros, just over the border from Brownsville, Texas, has put a glaring spotlight on violence in a country that millions of international visitors flock to each year.
The Texas Department of Public Safety (DPS) is urging Texans to avoid traveling to Mexico during spring break, and beyond, due to the ongoing violence throughout that country.

Abducted Americans stepped into ‘hot zone’ of cartel warfare

Featuring TorchStone VP, Scott Stewart
Scott Stewart discusses the drug cartel war involving local groups and outside influences in the Mexican border city where four American citizens were abducted at gunpoint Friday.
Those groups are engaged in kidnappings and assassinations aimed to secure control of two cities – Matamoros and Reynosa – that are major doorways for the smuggling of drugs into the United States.

Here’s the Possible Fallout for Capture of Mexican Cartel Boss Wanted in Southlake Slaying

Featuring TorchStone VP, Scott Stewart
It took almost a decade, but mounting U.S. pressure to capture a Mexican cartel leader wanted for a sensational daylight murder in a busy and affluent Southlake shopping center paid off.
José Rodolfo Villarreal Hernández, a cartel boss known as “El Gato” or “the Cat,” was one of the most wanted men in Mexico, with a $1 million U.S. bounty on his head. The feds say he ordered the brazen, 2013 mob-style murder of a cartel lawyer at Southlake Town Square over a personal grudge he harbored for years after the murder of his father.

Sinaloa Cartel Split May Have Led to Prison Massacre

Featuring TorchStone VP, Scott Stewart
EL PASO, Texas (Border Report) – The warden of a prison from where 30 inmates escaped on New Year’s Day, the corpses of 10 security officers and seven prisoners left behind, has been suspended.
Alejandro Alvarado Tellez is under investigation in connection to the escape and the discovery of at least 10 cells where drugs, guns, cash and a plasma TV set were found, the Chihuahua Attorney General’s Office said on Tuesday.

Security: The Great Enabler of Organizational Strength

Featuring TorchStone VP, Scott Stewart
Scott Stewart, Vice President of Intelligence for TorchStone Global, is a pioneer for protective intelligence and counter surveillance. The Great Conversation had the opportunity to meet at a protective intelligence summit hosted by Ontic and decided to compare notes on their learnings in this great conversation podcast.

Assessing threats to sports and entertainment venues with TorchStone Global

Featuring TorchStone VPs, Scott Stewart and Chris Sanchez
Sky Sports’ Anton Toloui spoke with Scott Stewart, Vice President of Intelligence and Chris Sanchez, Vice President, both representing TorchStone Global, to assess the threats that face sports and entertainment venues around the globe.




























