• Which data is easiest to find this way

• Why jurisdictions matter if you want to stay on track

• How the right workflow can make any OSINT fun

• …and why real life isn’t the X-Files.

🪃 If you missed the last newsletter, here’s a link to catch up.

⚡ Codifying Open Source Intelligence Methodology with AI

🎙️ If you prefer to listen, here’s a link to the podcast instead.

Let’s get started. ⬇️

Why Boring is Better: OSINT on Public Records & Government Databases

Public records have a reputation problem. Namely, they’re boring.

A government database doesn’t have the fast-moving, high-noise chaos factor of social media. No avatars, hot takes, or late night posting sprees about that jerk Stephen Colbert. Instead, you’re working with PDFs, registries and forms that look like they were last accessed in 2002. It’s enough to bore an investigator to sleep.

Sure, this isn’t OSINT that screams “start here” - but that’s precisely the point. Public records are unchanging and largely unnoticed, and that makes them some of the most reliable anchors out there. You can spend hours chasing a username that leads nowhere, or watch an account or post vanish mid-investigation when OP decides it’s too cringe to bear. But once a public record’s recorded, it sticks, and it won’t have moved in years - no matter how toe-curling.

Sometimes, with OSINT, boring is better.

This issue will cover:

• What you can get from public records and government databases

• Where to start without getting lost in endless registries

• A fun, repeatable OSINT workflow for even the dullest investigations

• …and why Trump’s tweets are actually relevant here.

Just resting your eyes, right? Let’s get started.

What Counts as a Public Record?

Think less X-Files, more just… Files.

Put simply: public records are any documents created, filed, or maintained by government bodies as part of official processes. They’re usually verifiable, real-world data that maps activity in the real world, such as:

Property Records

The least exciting documents that answer the most useful question: where someone actually lives (or lived). Property records show the ownership of a house, land or business, alongside purchase history, co-owners, and addresses.

Court Records

If something serious went down, it probably ended up here. Court records cover disputes, and charges, adding the context, timelines, and connections you definitely won’t find on someone’s carefully curated online presence. In Florida, for example, arrests are a matter of public record under specific rules - blessing the world with Florida Man.

Business Registrations

Follow the companies, find the employees (or bosses). Business records list directors, shareholders, and addresses for premises. They’re perfect for mapping who’s connected to what - especially for financial investigations, or if you’re looking to verify the wild claims on a subject’s LinkedIn.

Licensing Databases

Speaking of verification, these can prove if someone is (or isn’t) what they claim to be. Licensing records cut through inflated bios with something much less exciting: the truth.

Depending on the jurisdiction, they can confirm occupations, qualifications, certifications, and sometimes disciplinary actions in sectors like healthcare, law, construction, or transport.

Beginner Tools for Digging Government Dirt

Don’t try to play The Lone Gunmen straight off the bat. Start simple, with official sources.

The beginner-friendly following will get you direct access to structured, government-held data for OSINT investigations that get results. No Mulder and Scully shenanigans required.

Government Open-Data Portals

Pros: Great for quick wins without advanced tooling.

Cons: Easy to get lost.

The official hubs of “we’ll just leave this here”. Governments publish datasets on everything. Property, crime, spending, infrastructure - they all get dumped here in searchable, downloadable, and surprisingly underused form.

County/State Record Search Tools

Pros: Solid and often the fastest way to anchor an investigation in reality.

Cons: Interfaces from hell.

If this type of OSINT could get any less glamorous, it just did. On a local level, registries for property, courts, or business filings usually let you search by name, address, or company. Interfaces can be clunky (and ugly as sin), but the data can be beautiful.

A Boredom-Busting Investigation Workflow

Let’s demonstrate why OSINT looks good in beige. Follow these steps for a high hit-rate:

1. Identify the Jurisdiction

   Start by figuring out where the records you need live. Rules governing database access can vary quite randomly by country, state, or even county. Get the jurisdiction wrong and you’ll either get locked out, or waste time combing through the wrong (potentially frustrating) system. Get it right and your search becomes far faster, and far less painful.

2. Search

   Once you’ve got the jurisdiction, search. Search names, companies, or addresses directly in official databases. Search, search, search. Don’t overthink it. It’s that easy.

3. Cross-Reference

   One record is a clue, but four that match is a jackpot. Always cross-check names, addresses, dates, and associates across different databases to validate what you’re seeing; this is important, real-world data, so mistakes can cost you big.

That’s it. You should have found what you’re looking for… and you’re still awake!

What You Can Learn From Public Record OSINT

Public records can help you find the following:

Ownership Ties

If you find out who owns what, and who they own it with, you can identify a subject’s partners in both business and life. It’s common to discover hidden relationships like family ties that aren’t visible elsewhere online through ownership records.

Business Relationships

Company filings can help trace networks of influence. Look for repeat partnerships, for example, or the same names in operation across multiple businesses. Structures are the thing to look for here.

Legal History

If there’s disputes, criminal charges, civil cases, financial issues… These can act as great behavioural context, showing patterns over time that help to strengthen your overall investigation.

Key Takeaways

See? Public records and government databases aren’t that painful. Sure, it’s all very static. This OSINT just sits still, being true. While everything else moves (and generates the excitement that comes with it), records don’t - but that’s exactly why they’re priceless.

You should now know:

• Which data is easiest to find this way

• Why jurisdictions matter if you want to stay on track

• How the right workflow can make any OSINT fun

• …and why real life isn’t the X-Files.

Still wondering why Trump’s tweets were relevant in this article? The answer: they’re a matter of public record. The US National Archives has all of them on a database, free to browse. Yes, all of them. Even covfefe. What OSINT value one could gain from an AI President dancing with the Cracker Barrel Man is unclear, but it’s there.

Maybe we need Mulder and Scully on it after all.

🏁 New CTF Challenge Live - Secret Meeting

A new CTF challenge has been posted on our CTF website. This week’s challenge involves geolocating an image that has been intercepted by a counter intelligence agency.

Start competing in our Capture the Flag (CTF)

🪃 If you missed the last CTF, here’s a link to catch up.

Last week’s CTF challenge featured a challenge titled “The Scammer” where participants were tasked with conducting an investigation on a phone number linked to a suspected scammer, in order to find the country and the phone operator associated to it.

Searching for the country code +91, we can see that it belongs to India.
Using https://www.emobiletracker.com/trace-process.php, we can see that the operator is Reliance Jio.

✅ That’s it for the free version of The OSINT Newsletter. Consider upgrading to a paid subscription to support this publication and independent research.

By upgrading to paid, you’ll get access to the following:

👀 All paid posts in the archive. Go back and see what you’ve missed!

🚀 If you don’t have a paid subscription already, don’t worry. There’s a 7-day free trial. If you like what you’re reading, upgrade your subscription. If you can’t, I totally understand. Be on the lookout for promotions throughout the year.

🚨 The OSINT Newsletter offers a free premium subscription to all members of law enforcement. To upgrade your subscription, please reach out to LEA@osint.news from your official law enforcement email address.

Tools, tactics, and fresh investigations expanding the open-source intelligence toolkit.

Some of the best OSINT pivots start with the things people forget about. A phone number that has quietly followed someone across a decade of accounts. A methodology buried in a blog post that could be running in the background of every future investigation.

This episode covers Issues 107 and 108 of The OSINT Newsletter and explores two sides of how modern investigators get more out of what they already have: squeezing real intelligence out of the most overlooked data point in the toolkit, and turning the methodology in your head (and other people’s heads) into something an AI agent can run on your behalf.

In Episode 19 of The OSINT Podcast, host Jake Creps starts with Issue 107 and one of the most underrated data points in the toolkit: the phone number. He walks through what intelligence actually comes from a number, where to check first without overcomplicating it, and a clean five-step workflow from standardising the format through to pivoting outward into the wider account network. He covers the platforms worth checking (WhatsApp, Telegram, Signal, Truecaller, Sync.ME), the carrier and HLR lookups that ground a number geographically, and the high-value pivots, usernames, social accounts, and breach data, that turn a single number into a network. He closes with how to handle disposable numbers and burner tactics, where the absence of data is itself a signal.

Highlights include:

📞 What a Phone Number Actually Tells You – geographic origin, platform presence, and identity fragments hiding in plain sight.

🧭 The Five-Step Workflow – from standardising the format to pivoting outward, a clean methodology for running phone number OSINT without skipping steps.

🔥 Burner Logic – why disposable numbers are not a dead end, and how patterns of behaviour and gaps in data become signals in their own right.

🤖 Codifying Methodology – discovering methods worth codifying with a Google Dork, turning them into local markdown, and chaining skills together into a continuous discovery engine.

🔗 A Worked Investigation – running /username through Sherlock, pivoting into /person-search on nxthacker99, and producing a full subject profile assessment with named intelligence gaps.

Whether the investigation starts with a single phone number or a methodology lifted from someone else’s blog post, Episode 19 is about getting more out of the OSINT you already have in front of you.

References

• OSINT Newsletter – Issue 107

• OSINT Newsletter – Issue 108

🪃 If you missed the last newsletter, here’s a link to catch up.

⚡ Call Data: OSINT on Phone Numbers

Let’s get started. ⬇️

OSINT News

📰 How To Investigate A Person Of Interest In 2026

An advanced guide on person search built for the year 2026. It includes tools, tactics, and techniques using available methodology. You can use this guide to build a Claude skill and augment it with your own methods.

Read on Medium…

🎩 H/T: Precious Vincent

📰 Inside Modern OSINT: Detecting Disinformation, Tools of the Trade, and the Ethics That Shape It

An OSINT guide on tracking coordinated disinformation through timing patterns, account behavior, and cross-platform signals, using verification tools like image search, geolocation, and archives, while considering privacy risks and ethical challenges in open-source investigation.

Read on Impact Grid…

🎩 H/T: Zoya Baig

📰 Signals in the Noise: Open Source Intelligence (OSINT) for AI Loss of Control Detection

An advanced OSINT/CTI framework for detecting AI loss of control. It maps threat models, observable traces like user transcripts and inference choke points, plus monitoring techniques using available methodology.

Read the paper…

OSINT Tools

🔎 OpenOSINT

OpenOSINT is an open-source OSINT framework for collecting, organizing, and analyzing publicly available data to support investigations, combining automation tools and modular workflows for reconnaissance, data gathering, and information analysis.

GitHub

🎩 H/T: Tommaso Bertocchi

🔎 Open Graph Intel (OGI)

OGI is an OSINT-focused tool for visualizing and analyzing connections in data, helping map relationships between entities, sources, and signals to support investigative workflows and structured analysis of information networks.

Web App

🎩 H/T: khashashin

🔎 Anthropic Courses

Anthropic’s learning hub is a training platform providing structured courses on using Claude, AI workflows, and developer topics, with lessons, quizzes, progress tracking, and certificates for completion.

Anthropic Academy

🏁 New CTF Challenge Live - The Scammer

A new CTF challenge has been posted on our CTF website. This week’s challenge involves

conducting an investigation on a phone number linked to a suspected scammer.

Start competing in our Capture the Flag (CTF)

🪃 If you missed the last CTF, here’s a link to catch up.

Last week’s CTF challenge featured a challenge titled “Last Order” where participants were tasked with finding a restaurant’s location, and the dish that a suspect had ordered.

Challenge Solution WU :

Using a reverse image search on the provided cctv image, we find a match showing a restaurant called Amor Gastronomia in London on TheFork.

By checking the restaurant’s official website, the address is listed in the footer as Halloway Road 139.

Finally, reviewing the restaurant’s London menu, the most expensive signature pasta dish appears to be TAGLIOLINI AL TARTUFO.

✅ That’s it for the free version of The OSINT Newsletter. Consider upgrading to a paid subscription to support this publication and independent research.

By upgrading to paid, you’ll get access to the following:

⚡ Codifying Open Source Intelligence Methodology with AI

• There are dozens if not hundreds of methods for open source intelligence collection, analysis, and dissemination. Everyone has a different process, too. In this issue, I’m going to show you how you can create a repository of methodology that you can use to instruct your AI of choice to automate.

👀 All paid posts in the archive. Go back and see what you’ve missed!

🚀 If you don’t have a paid subscription already, don’t worry there’s a 7-day free trial. If you like what you’re reading, upgrade your subscription. If you can’t, I totally understand. Be on the lookout for promotions throughout the year. I’ll start with How To Investigate A Person Of Interest In 2026 from the OSINT news section.

🚨 The OSINT Newsletter offers a free premium subscription to all members of law enforcement. To upgrade your subscription, please reach out to LEA@osint.news from your official law enforcement email address.

Read more

• What intelligence comes from a phone number

• Where to check first (without overcomplicating it)

• A clean workflow for investigations

• …and why it’s not worth changing your name to Spiderman.

🪃 If you missed the last newsletter, here’s a link to catch up.

⚡ Creating Claude Skills for Open Source Intelligence

🎙️ If you prefer to listen, here’s a link to the podcast instead.

Let’s get started. ⬇️

Call Data: OSINT on Phone Numbers

Phone numbers sit in a strange place in OSINT. They’re near-ubiquitous and tied to everything, but as a result very easy to overlook. Unlike usernames (which can change) or email addresses (easy to create), numbers tend to stick. They follow people across platforms, accounts, years of activity, and even States. Surprisingly few people want the hassle of learning a new number, even when they get a new phone.

You might create a new Gmail, and change your username (or legal name) to Baron Venom Balrog Sabretooth Vader Megatron Vegeta Robotnik Magneto Bison Sephiroth Lex Luthor Skeletor Joker Grind, but your phone number is mostly static. This persistence makes phone numbers one of the most reliable anchors you can work with for OSINT.

Sometimes OSINT is just a number. This issue will teach you:

• What intelligence comes from a phone number

• Where to check first (without overcomplicating it)

• A clean workflow for investigations

• …and why it’s not worth changing your name to Spiderman.

Calling Baron Grind…

What Can Phone Number OSINT Uncover?

The infrastructure of phone numbers is key to what you can get out of them through OSINT. Every number is tied to a telecom system, to a region, and only then to a web of online accounts. That means even before you get into deeper online OSINT, there are three immediate layers of value:

Geographic Origin

Country codes (+1, +44, +91, etc.) are GeoINT in themselves. These one or two nifty numbers instantly place a phone’s owner at a national level. If you can find out carrier data, you can narrow a rough operating region even further. At the very least, you can find out if your target’s in the US or Uzbekistan.

Platform Presence

Many platforms use phone numbers as their backbone identifier. If a number is registered on apps like WhatsApp or Telegram, you may be able to view profile photos, usernames, or activity signals just by knowing the right digits.

Identity Fragments

Even before the real OSINT starts, people litter the world with identity fragments - by reusing their static phone number. Old listings, forgotten profiles, or scraped datasets can quietly connect multiple pieces together.

Some Phone OSINT Tools That Actually Work

You don’t need a complex stack to begin phone OSINT. That’s what makes phone numbers such a universally popular data point. In fact, the most effective tools and methods are often at your fingertips.

Caller ID Platforms

Sync.ME, NumLookup, and That’s Them scan public records and user-contributed data, drawing on that to see if a number’s been identified before. Results can be inconsistent, so treat them as leads not gospel. If multiple sources align, then they’re worth your attention.

Checking the Apps

Here’s an old OSINT trick. Save the number as a contact, then check WhatsApp, Telegram, or Signal. Adding a contact will reveal a profile photo and status - Telegram will even expose a username.

Caller ID Platforms

Truecaller, Hiya, and CallApp use crowdsourced data, so again, cross-reference. Patterns across multiple platforms mean something.

Finding Carrier Data

If you know nothing about the carrier, services like Numverify, Twilio Lookup, or other free HLR lookup tools can help identify the telecom provider and line type (mobile, VoIP, or landline). Cross-check as always.

Getting Started: A Clean Workflow (Don’t Skip Steps)

Investigating a number… That’s easy, right? Think you can improvise? Don’t. A structured approach will always get better results.

Give this workflow a try:

1. Standardize the Format

Always convert to international format. Tools and platforms require international format numbers and inconsistencies will cost you results. What’s more, country codes aren’t data you want to ignore.

2. Location, Location, Location

Use that country code. Combine with any carrier info to ground your investigation geographically; when you’re stratifying your findings later, you’ll be glad you did.

3. Check for Live Accounts

Run the number through message platforms. You’re looking for anything visible on Telegram or WhatsApp: images, usernames, timestamps etc.

4. Look for Repetition

Search the number directly. Then try variations, like with or without spaces. Reuse is what you’re hunting for.

5. Pivot and Expand

Got a hit? Pivot outward. Search that identifier (a username, profile, email or listing). Start building out the wider account network.

…And just like that, you’re doing phone number OSINT.

What Counts As a High-Value Pivot?

You might be wondering which leads are strong enough to take that fifth step. The real value comes from the following data points:

→ Usernames
If you see the same username twice, that’s your bridge into wider platform analysis; especially if the username is conspicuously unusual or unique. There’s unlikely to be two people choosing Baron_V_B_S_V_M_V_R_M_B… (You get the picture).

→ Social Accounts
If a number was required to sign up, some platforms expose profiles directly. Others reveal connections indirectly. Either way, a linked social account is OSINT gold.

→ Breach Data
If the number appears in leaked datasets or on HaveIBeenPwned, it can link to emails, credentials, and historic activity. As always, be careful working with data that comes from an inherently sketchy source.

Feel the Burn: Disposable Numbers & Evasion Tactics

OSINT investigators chasing fraud, spam networks, or illicit activity face up to a unique challenge. Phone number stability is usually the USP here. What if the number you’re looking for is temporary by design?

Burner phone numbers get spun up quickly, used briefly, and abandoned just as fast. The aim is to get a phone number, get what you need from it, and THROW IT ON THE GROUND. The point of virtual numbers, VoIP services, and burner SIMs is to create numbers and accounts without tying them to a long-term, real identity - the very thing that makes phone number OSINT so easy.

So, change of tactics. Look for patterns of behaviour, not long-term reuse. VoIP numbers, for example, might cluster around specific services or regions, or repeatedly appear attached to similar types of accounts or listings. That would signal the same person, exhibiting the same behavior over and over again.

Gaps are a biggie too: no reverse lookup data, no caller ID history, and limited presence across platforms are absences that constitute a signal in themselves.

If a number looks “empty”, don’t assume it’s useless. It may just be designed that way.

Key Takeaways

Phone number OSINT works because numbers are mostly static and stable things. You can change your email, your socials, or even your name, but most people are lazy with their phones. And unlike physical addresses or Social Security numbers, people hand out their phone numbers like candy.

You should know:

• One number won’t tell you everything, but it might tell you where to look next

• Use simple methods before complex ones

• Follow number reuse and patterns

• Build outward: number → account → network

…and when you change your name to Emperor Spiderman Gandalf Wolverine Skywalker Optimus Prime Goku Sonic Xavier Ryu Cloud Superman HeMan Batman Thrash in witness protection, maybe change your number.

Until next time, investigators!

🏁 New CTF Challenge Live - Last Order

A new CTF challenge has been posted on our CTF website. This week’s challenge involves analyzing surveillance footage from a blurred traffic camera frame to identify a suspect’s location. Investigators believe the suspect entered a highly rated restaurant, ordered its most expensive signature pasta dish, and left in a hurry. Your task is to determine the restaurant, its exact address, and the specific pasta dish ordered.

Start competing in our Capture the Flag (CTF)

🪃 If you missed the last CTF, here’s a link to catch up.

Last week’s CTF challenge featured a challenge titled “The Dark Web Hacker” where participants were tasked with finding a hacker’s specific email address linked to a specific hacking forum.

Challenge Solution WU :

Knowing that the username had been reused across multiple forums and appeared in several data breaches, we searched for the username “sarkstic” on breach.vip. This led us to a World of Warcraft forum account on OwnedCore, along with the email address associated with it: dreadfuleyes@yahoo.com

✅ That’s it for the free version of The OSINT Newsletter. Consider upgrading to a paid subscription to support this publication and independent research.

By upgrading to paid, you’ll get access to the following:

👀 All paid posts in the archive. Go back and see what you’ve missed!

🚀 If you don’t have a paid subscription already, don’t worry. There’s a 7-day free trial. If you like what you’re reading, upgrade your subscription. If you can’t, I totally understand. Be on the lookout for promotions throughout the year.

🚨 The OSINT Newsletter offers a free premium subscription to all members of law enforcement. To upgrade your subscription, please reach out to LEA@osint.news from your official law enforcement email address.

This episode covers Issues 105 and 106 of The OSINT Newsletter and explores two very different sides of modern investigations: going deeper into the Dark Web for intelligence, and using AI to automate the repeatable parts of your workflow.

In Episode 18 of The OSINT Podcast, host Jake Creps picks up where Part One left off and takes investigators further into Dark Web intelligence - or DARKINT. He recaps the layered structure of the surface, deep, and dark web, then digs into the beginner toolkit: onion browsers, hidden services, public leak indexes, and onion search engines. Jake walks through a practical methodology for tracing identifiers - emails, usernames, and phone numbers - from breach data on the Dark Web back up to the surface, and explains how to correlate and validate findings without falling for false positives.

He also pulls no punches on the limitations. DARKINT is an adversarial, high-risk environment full of manipulated datasets, unverifiable attribution, and content that can stay with an investigator long after the browser is closed. The episode covers the compliance considerations of handling breached data and the psychological risks of working in this space - and why both deserve serious thought before diving in.

From there, the episode shifts to something brand new: building Claude Skills for OSINT. Jake explains what Claude Skills are - reusable, plain-language instruction sets that turn AI into a reliable part of your investigative workflow - and walks step-by-step through creating one for username search. No code required. He covers picking the right workflow to automate, writing the skill itself, testing it inside Claude Code with Sherlock, and refining it with simple natural-language tweaks.

The episode closes with a look at how to supercharge an OSINT skill: instructing Claude to pivot on its own findings, find new tools when collection hits a wall, and fall back to manual methods when scripts fail. It is a glimpse of what investigative automation actually looks like when AI stops being a novelty and starts doing real work alongside the analyst.

Highlights include:

🧅 DARKINT Toolkit – onion browsers, hidden services, leak indexes, and onion search engines explained for beginners curious about web spelunking.

🔗 Surface-Bound Pivots – a step-by-step methodology for tracing emails, usernames, and phone numbers from breach data back to the surface web.

⚠️ The Monsters Under The Bed – the real limitations of DARKINT, from manipulated datasets and unverifiable attribution to the psychological toll of the work.

🤖 Building Claude Skills – how to turn a repeatable OSINT workflow into a reusable Claude Skill, with a full walkthrough of automating a username search using Sherlock.

🚀 Supercharging Automation – instructing Claude to pivot on its findings, hunt for new tools, and fall back to manual methods when scripts come up short.

Whether the data is hiding in the dark or waiting to be unlocked by the right set of instructions, Episode 18 shows how modern investigators are reaching both.

References

• OSINT Newsletter – Issue 105

• OSINT Newsletter – Issue 106

🪃 If you missed the last newsletter, here’s a link to catch up.

⚡ OSINT and the Dark Web: Part Two

Let’s get started. ⬇️

OSINT News

📰 What happens when agentic AI meets intelligence analysis?

Agentic AI, Maltego MCP servers, conflict monitoring, and self-hosted intel platforms are opening up new possibilities for OSINT, but the tools only matter if the analyst knows how to turn information into intelligence.

🎩 H/T: Aaron Roberts

Read on LinkedIn…

📰 Vibe Coding Is Becoming an OSINT Risk

AI is making it easier to build and adopt OSINT tools, but the real risk starts when investigators trust software they do not fully understand to shape analysis, workflows, and operational decisions.

Read on DutchOSINTGuy…

🎩 H/T: Niko Dekens

📰 Turn Off ChatGPT’s New Ad Tracking

ChatGPT’s free tier is now opt-in to ad tracking and data sharing by default, linking user activity to marketing systems unless you actively turn it off in settings.

Read on Tate’s Online Safety Community…

🎩 H/T: Tate Jarrow

OSINT Tools

🔎 BamQam

A new OSINT-style dashboard that aggregates live geopolitical and military data into a map-based intelligence feed, with unclear provenance and trust level.

Web App

🔎 DrishX

A satellite-powered freight intelligence tool that uses open-source orbital imagery to detect and analyze logistics movement patterns like vehicle flow for OSINT-style monitoring and trend analysis.

GitHub

🎩 H/T: Sairaj Balaji

🔎 claude-osint

An OSINT automation framework built on Claude that structures investigative workflows for research and intelligence tasks.

GitHub

🎩 H/T: Sachin Sharma

✅ That’s it for the free version of The OSINT Newsletter. Consider upgrading to a paid subscription to support this publication and independent research.

By upgrading to paid, you’ll get access to the following:

⚡ Creating Claude Skills for Open Source Intelligence

• Claude Skills allow you to automate a significant portion of your workflow using very specific instructions. In this issue, I’m going to show you how you can fully automate a username search, including pivoting to additional methods based on findings, all with a single request from Claude.

👀 All paid posts in the archive. Go back and see what you’ve missed!

🚀 If you don’t have a paid subscription already, don’t worry there’s a 7-day free trial. If you like what you’re reading, upgrade your subscription. If you can’t, I totally understand. Be on the lookout for promotions throughout the year.

🚨 The OSINT Newsletter offers a free premium subscription to all members of law enforcement. To upgrade your subscription, please reach out to LEA@osint.news from your official law enforcement email address.

Read more

• The tools you need to know

• Strategies and limitations

• Following data to the surface

• …and how to fight the monsters under the Internet’s bed.

🪃 If you missed the last newsletter, here’s a link to catch up.

⚡ Gathering OSINT from Live Traffic: Datasets and Cameras

🎙️ If you prefer to listen, here’s a link to the podcast instead.

Let’s get started. ⬇️

OSINT and the Dark Web: Part Two

Welcome (back) to the dark side. We have OSINT.

Although it looks dangerous, DARKInt it’s perfectly safe if you know how - and if you read last week’s issue, you probably do. Without further introduction, let’s go even deeper into Dark Web OSINT.

In Part Two, we’ll cover:

• The tools you need to know

• Strategies and limitations

• Following data to the surface

• …and how to fight the monsters under the Internet’s bed.

Don’t forget your flashlight.

Recap: What is the Dark Web?

If the internet is an iceberg, it has three layers: the surface, deep, and dark web.

• Surface Web: The normie ”internet”. Indexed by search engines like Google and Bing.

• Deep Web: The “invisible” 90% of the web you don’t need a specific tool to access. Online banking, private networks, and corporate systems live here.

• Dark Web: The unindexed 1-6% of the web, only accessible via specialised tools. Always anonymised, always encrypted.

What you find in this dark bottom layer - open-source or not - is dark web intelligence. So, think of Dark Web intelligence (or DARKINT) as OSINT’s emo little brother. Got it? Good.

A Beginner’s Guide to DARKInt Tools

To access the Dark Web, specific tools are required. Here’s a conceptual run-down of the best tools for beginners curious about traversing the depths. Of course, this overview is intended for educational purposes only, rather than encouraging active exploration as soon as possible - it’s best to think before you leap.

Browsers Are Like Onions

TOR is the most (in)famous of the bunch. Short for The Onion Router, TOR is too complex to unpack fully here. What’s more, we already did that last week.

Basically, onion browsers work by routing your connection through multiple encrypted layers - a bit like an onion - so no single point can trace your activity. The Dark Web’s sites then use .onion domains; “hidden services,” where both user and host are obscured. Instead of connecting directly, both sides layer up encrypted links via a shared rendezvous point on the TOR network, so nobody knows anybody else’s true IP This creates the built-in anonymity which makes the Dark Web so popular, keeping everything… under wraps (sorry).

Where’s The Leak?

We know one of the most common forms of DARKInt comes in the form of the humble data breach. Public leak indexes are one of the most beginner-friendly entry points into DARKInt, as they point users to large collections of said breached data.

Unlike raw breach dumps (a.k.a. the actual compromised data) leak indexes are designed for search and discovery, and act as directories or lookup tools, rather than hosting any data directly. They’re finding where data exists, and how it connects across leaks. Although datasets are traded, reused or repackaged across multiple Dark Web platforms, indexes can often find specific data whether it’s circulating across the Dark Web or in the wider web bloodstream beyond.

The usual caveats about breached data apply. There’s always a compliance problem when handling potentially stolen data, so treat any data you find as if it were your own.

Search Engines Are Like Onions Too.

These aren’t the Dark Web Google. If TOR is your vehicle into the Dark Web, onion search engines are more like a slightly unreliable sat-nav; this Garmin won’t get you there, but it might point you in the right direction. These tools don’t provide access to anything. Instead, they index and surface .onion sites, helping users discover hidden services they might not know about. Onion search engines:

• Index .onion domains and hidden services

• Enable keyword-based discovery (once you’re already using TOR)

Unlike TOR browsers (which actually connect you to sites) onion search engines sit a layer above like the onion’s outer skin, acting as discovery tools rather than access tools. And because the Dark Web is so transient (sites appear, disappear, or hide deliberately), these engines are best thought of as more treasure hunt than Google search. The coverage on the aforementioned Garmin is patchy, unstable, and often outdated. Still, it works when it doesn’t drive you into a lake - or an active volcano.

Tracing An Account Back to the Surface, Step-By-Step.

1. Use the tools above (indexes, search engines) to identify breaches.

2. Extract identifiers (email, username, phone number) from DARKINT sources.

   • You’ll need a Tor browser to access them.

3. Pivot using emails.

• Identify email accounts, recovery emails, and profiles just as you would as normal.

4. Look for usernames.

• Do the same for usernames - especially look for reuse across social media, forums, or gaming sites.

• Look for variations, and cross-reference matches as in light-mode OSINT.

5. Pivot using phone numbers.

• Investigate links to messaging apps, listings, or leaked records that use breached phone numbers.

6. Correlate findings.

• Always combine multiple data points to strengthen attribution.

Lastly… Validate carefully.

• Watch out for false positives, outdated, or manipulated data - on the Dark Web, these are all over the place

Key Limitations on DARKInt

If these two guides have made the dark, dirty web sound all sunshine and rainbows, now is the time to crush your dreams. There’s no unicorns skipping around down there. DARKInt has limitations, and plenty of them. Let’s meet the monsters under the Internet’s bed.

A High Risk Environment

Imagine a world where everybody hates each other. That’s kinda the Dark Web. DARKInt operates within an anonymised, adversarial ecosystem built to keep its infrastructure volatile, and access inconsistent. Elevated operational security risks are baked-in. Hidden services frequently appear and disappear, and interacting with them can expose investigators to threat just by virtue (or vice) of a click. Tread carefully.

False-Data Scam-O-Rama

Data quality is ‘highly unreliable’ to be polite. Breach dumps are often annoyingly duplicated, hopelessly outdated, trickily manipulated, or deliberately seeded with false facts. Financially motivated actors frequently distribute misleading datasets. At worst, you might end up involved in a particularly icky scam. At best, the overall signal-to-noise ratio can reach a hair-tearing level. Be patient.

Not Everything is Verifiable

So you have that ‘highly unreliable’ data. It might never become reliable. Attribution and validation are inherently limited on the Dark Web, where anonymisation layers and restricted visibility are the whole point. So much activity occurs behind closed doors - in closed networks or private exchanges - that datasets can’t always be corroborated or independently verified (outside of our dreams). Manage your expectations.

Seeing Things You Can’t Unsee

If you work recklessly in DARKInt, you’re playing psychological Russian roulette. You may encounter material that is disturbing, illegal, or just deeply distressing; content that stays with you long after you’ve closed TOR. When people are anonymous, they showcase the worst things humanity can do to each other. Even if you do everything right, you can end up seeing something deeply wrong. Have caution.

Key Takeaways

Our journey through the Web’s dark side is coming to an end. You should now know:

• All DARKINT is OSINT, but not all OSINT is DARKINT

• The tools beginners need to go web spelunking

• How to bring dark data into the light

• … and why the Dark Web isn’t where the unicorns live.

See you next issue, investigators!

🏁 New CTF Challenge Live - Covert Communication

A new CTF challenge has been posted on our CTF website. This week’s challenge involves analyzing a covert communications channel used by a suspected intelligence operative and finding the name of the location.

Start competing in our Capture the Flag (CTF)

🪃 If you missed the last CTF, here’s a link to catch up.

Last week’s CTF challenge featured a challenge titled “The Dark Web DB” required participants to investigate a suspected data breach involving Quick, where a threat actor allegedly published a customer database on the dark web and uncover key details about the publication.

To solve the challenge, we need:

1. Copy & paste the onion link into Wayback Machine.

2. Then we filter the results by date and select 06 March of 2026. We get a result for 06 March 2026 at 08:01:04.

3. We click on it, looking at the forum, on the right corner, we can see a post regarding a french and Belgian database.

4. It says that it was published 10 mins ago, we can also see the username of the threat actor who published it, which is: sarkstic.

5. Knowing that the forum was crawled at 08:01:04 and that the post says 10 mins ago, the post was made at 07:51:04.

✅ That’s it for the free version of The OSINT Newsletter. Consider upgrading to a paid subscription to support this publication and independent research.

By upgrading to paid, you’ll get access to the following:

👀 All paid posts in the archive. Go back and see what you’ve missed!

🚀 If you don’t have a paid subscription already, don’t worry. There’s a 7-day free trial. If you like what you’re reading, upgrade your subscription. If you can’t, I totally understand. Be on the lookout for promotions throughout the year.

🚨 The OSINT Newsletter offers a free premium subscription to all members of law enforcement. To upgrade your subscription, please reach out to LEA@osint.news from your official law enforcement email address.

This episode covers Issues 103 and 104 of The OSINT Newsletter and focuses on two distinct but complementary areas: understanding the Dark Web as an intelligence source, and using live traffic data and cameras to build real-time situational awareness.

In Episode 17 of The OSINT Podcast, host Jake Creps opens with a foundational primer on Dark Web intelligence - or DARKINT. He breaks down the difference between the surface, deep, and dark web, explains how onion browsers and hidden services work, and outlines what investigators are likely to encounter when they go looking: breach dumps, criminal forums, paste sites, and shared credentials.

Jake covers the key distinction between OSINT and DARKINT - all DARKINT is OSINT, but not all OSINT is DARKINT - and explains why investigators combine both to build a complete picture of a target. He also addresses the compliance considerations that come with handling data sourced from the shadowy side of the net.

The episode then shifts to something more grounded - literally. Jake walks through how live traffic data can be used to gain situational awareness around a specific location or event. Starting with familiar tools like Google Maps and Waze, he explains how investigators can layer incident data, traffic flow, and police sightings before moving into more technical territory: the MapQuest Traffic API, the unofficial Waze API, and how to fuse multiple data sources into a single, custom solution.

From there, Jake covers live traffic camera feeds - manual methods via Department of Transportation sites, and API-based options like Road511 and Vizzion that allow investigators to build scalable, multi-location monitoring pipelines. The episode closes with a look at an unexpected bonus data source: rideshare apps, and the real-time vehicle location data sitting inside their public-facing interfaces.

Highlights include:

🧅 Dark Web 101 – surface, deep, and dark web explained, how onion browsers and hidden services work, and why Dark Web users are like ogres.

🕵️ DARKINT Data Types – breach dumps, criminal forums, paste sites, and what each means for an OSINT investigation.

🚦 Live Traffic Intelligence – using Google Maps, Waze, MapQuest API, and the unofficial Waze API to monitor incidents, road closures, and traffic flow in areas of interest.

📹 Traffic Camera Feeds – how to aggregate live camera feeds manually and at scale using Road511, Vizzion, and scraping methods.

The best investigators know how to follow the data wherever it leads - even into the dark, or down the road. Episode 17 shows you how to do both.

References

• OSINT Newsletter – Issue 103

• OSINT Newsletter – Issue 104

🪃 If you missed the last newsletter, here’s a link to catch up.

⚡ OSINT and the Dark Web: Part One

Let’s get started. ⬇️

OSINT News

📰 3 Basic but Overlooked Intelligence Analysis Techniques

Plot it on a map, lay it out over time, or group it by theme. Simple moves that surface patterns, gaps, and what matters without collecting anything new.

Read on LinkedIn…

🎩 H/T: Paul Prouse

📰 Mining China’s ‘Little Red Book’ for Open Source Gold

A breakdown of how Xiaohongshu can be used for investigations, from diaspora activity to censorship patterns, plus practical tips for search, language, and preserving content before it disappears.

Read on Bellingcat…

🎩 H/T: Chu Yang

📰 Hundreds of Fake Pro-Trump Avatars Emerge on Social Media

An investigation finds networks of AI-generated avatars posting pro-Trump content across major platforms, blending spam, engagement farming, and political messaging at scale.

Read on The New York Times… | No Paywall

🎩 H/T: Tiffany Hsu

OSINT Tools

🔎 CoJournalist

coJournalist lets reporters deploy AI “scouts” to track pages, social accounts, and public records, then distills updates into structured, cite-ready leads.

Web App

🎩 H/T: Tom Vaillan

🔎 Snapchat Bitmoji History

A simple tool that pulls past Bitmoji versions from a Snap profile and displays them in one place, building on earlier research and tooling.

Bookmarklet

🎩 H/T: Micah Hoffman

🔎 ImageWhisperer

ImageWhisperer analyzes uploaded media for AI generation and manipulation signals, producing a single verdict with evidence across multiple detection models.

Web App

🎩 H/T: Henk Van Ess

🏁 New CTF Challenge Live - The Dark Web DB

A new CTF challenge has been posted on our CTF website. This week’s challenge involves identifying a threat actor who published a database allegedly belonging to a French and Belgian fast-food chain “Quick” on the Dark Web. Your objective is to find the actor’s username and determine the exact timestamp of the original publication.

Start competing in our Capture the Flag (CTF)

🪃 If you missed the last CTF, here’s a link to catch up.

Last week’s CTF challenge featured a challenge titled “Crowd Control” where participants needed to estimate the number of people present in an auditorium by using a specific AI tool available publicly.

✅ That’s it for the free version of The OSINT Newsletter. Consider upgrading to a paid subscription to support this publication and independent research.

By upgrading to paid, you’ll get access to the following:

⚡ Gathering OSINT from Live Traffic: Datasets and Cameras

• Traffic datasets and live cameras give you situational awareness into areas of interest for an investigation. Whether it’s business continuity, executive protection, global travel, or something niche, this issue breaks down the options available to you in an actionable plan.

👀 All paid posts in the archive. Go back and see what you’ve missed!

🚀 If you don’t have a paid subscription already, don’t worry there’s a 7-day free trial. If you like what you’re reading, upgrade your subscription. If you can’t, I totally understand. Be on the lookout for promotions throughout the year.

🚨 The OSINT Newsletter offers a free premium subscription to all members of law enforcement. To upgrade your subscription, please reach out to LEA@osint.news from your official law enforcement email address.

Read more

• What the Dark Web is

• The difference between surface, deep and dark web

• The kinds of data you’ll find

• OSINT vs. DARKINT

• …and why Dark Web users are like onions.

🪃 If you missed the last newsletter, here’s a link to catch up.

⚡ OSINT Methods for Archiving and Searching Video by Keyword

🎙️ If you prefer to listen, here’s a link to the podcast instead.

Let’s get started. ⬇️

While OSINT operates out in the open - it is open source intelligence, after all - some of the most significant data lurks in the dark corners of the internet. So this time, we’re getting shady with it. Dark Web intelligence (or DARKINT) is the hidden side of OSINT. It sounds dangerous; but it’s perfectly safe to step into the gloom if you know how. Let’s begin our two-issue trip into the shadows with an overview of Dark Web OSINT. In Part One, we’ll cover:

• What the Dark Web is

• The difference between surface, deep and dark web

• The kinds of data you’ll find

• OSINT vs. DARKINT

• …and why Dark Web users are like onions.

Let’s go dark.

What is the Dark Web?

The internet looks a little like an iceberg. It’s divided into multiple layers: the surface web at the top, the dark web at the bottom, and the deep web in the middle.

• Surface Web: The normie ”internet”. The stuff you use every day, that is indexed by conventional search engines (Google, Bing etc.), and easily searchable.

• Deep Web: Also known as the “invisible web” or “hidden web’. Unindexed and not easily searchable, but still accessible without a specialised browser. Content on the deep web includes online banking services, private networks and corporate systems. It makes up around 90% of the internet.

• Dark Web: Unindexed, encrypted, and only accessible with specialised tools like onion browsers. The Dark Web makes up somewhere between 1% and 6% of the internet; and unlike its deep cousin, it’s always anonymised. Data found on this layer is known as dark web intelligence (DARKINT).

The important thing to remember about the Dark Web is that it’s not a single place; it’s a collection of anonymous websites hosted on encrypted networks. Some of these networks play host to financial fraudsters, terrorist cells, CSAM, drug dealing and weapons sales.

But - despite the scare stories - not everything on the dark web is dodgy. Although many criminals do ply their wares on the internet’s dark side, it also has legitimate privacy-driven and anti-censorship use cases. For example, even major news outlets mirror their sites on the Dark Web, to give citizens secret access under harsh state censorship.

Onion Browsers and Hidden Services

To access the Dark Web, you’ll need special tools. Enter TOR: short for The Onion Router. Onion browsers like TOR are too complicated to explain in detail here; but they basically work by encrypting your connections through multiple layers - like the skin of an onion. Each layer only knows part of the journey, making it extremely difficult to trace your activities. What makes the Dark Web a-peel-ing (sorry) to its users is anonymity; and onion browsers have this built-in.

Meanwhile, websites on the Dark Web use .onion domains, too, meaning both the user and the host are completely obscured. These sites are officially called ‘hidden services’ - and without them, there’s no Dark Web.

Hosted within the TOR network, hidden services work similarly; both user and host build encrypted connections instead of linking up directly. Each hidden service will send out a descriptor on the TOR network, that’s discoverable to all users that know the .onion address. When users gain access to the site, they actually go to this rendezvous point - so neither side knows each other’s real IP. This process means mutual anonymity for everybody involved.

So in Shrek terms, Dark Web users are the ogres of the internet. They’ve got layers.

DARKINT: What Will You Find on the Dark Web?

From an OSINT perspective, the most important part of the Dark Web will always be the data we meet along the way. But what data types can you expect to find on the shadowy side of the net? Here’s what’s usually lurking down there.

Data Leaks and Breach Dumps

One of the most valuable (and most common) forms of DARKINT is the good old breach dump. Compromised data - leaked logins, for example - proliferates all over the Dark Web. You can find:

• Email and password combinations

• Usernames and aliases

• Phone and mobile numbers

The boon with breach dumps is they often “package” multiple data points together; terrible for the subjects’ anonymity, but perfect for OSINT pros piecing together an identity profile. These datasets can even be traded, reused or repackaged across multiple Dark Web platforms. However, it’s important to bear in mind the compliance problem when handling potentially dirty data.

Forums and Marketplaces

Remember the fraud, drugs and guns we discussed earlier? Those Dark Web forums and marketplaces are central to the hidden net’s ecosystem; although they’re dangerous and damaging for the offline world, they allow OSINT investigators to catch bad guys in the act. Cybercriminal activity can include:

• Discussion of terrorist activities

• Organising financial fraud

• Buying and selling personal data

• “Service” marketplaces (drugs, guns, porn etc)

Even though the Dark Web is anonymised, it can still provide data that unmasks serious criminals. Many investigations have been cracked with DARKINT - exposing heinous offenders including child sexual abusers.

Paste Sites and Shared Credential

Paste sites - like Pastebin - are social media platforms that allow their users to dump large quantities of plain-text data online. They were created as innocent spaces for coders to share snippets of work, but have become increasingly popular with threat actors as a staging ground for dangerous activity.

These are often used to share sensitive information from stolen credit card details, to malware, to exploit code. Although they aren’t often persistent, they can still be full of data that gets widely distributed - data that can also be crucial for OSINT.

OSINT vs DARKINT

All DARKINT is OSINT, but not all OSINT is DARKINT. OSINT includes the publicly accessible, indexed or easily reachable by the normie-net data. Meanwhile, DARKINT is just the hidden, encrypted data that only specialised Dark Web tools can dig up.

The question remains, however: why risk digging into DARKINT at all? Surely - unless you’re fighting cybercrime - the Dark Web is more risk than reward? Well, whilst OSINT tells you what’s going on out in public, DARKINT exposes what netizens intentionally work to hide. In practice, most investigators will combine OSINT and DARKINT to find all the data they need.

Key Takeaways

So, now you’ve taken your first steps into the shadowy side of the internet known as the Dark Web. You should now know:

• The Internet is like an iceberg - 90% is below the surface

• The Dark Web isn’t all dodgy; it does have legitimate uses

• All DARKINT is OSINT, but not all OSINT is DARKINT

• … and DARKINT investigators are like onions - they have layers.

See you next issue, investigators!

⭐ Sponsor: SockPuppet.io

SockPuppet delivers secure, isolated environments with persistent virtual desktops and phones, real carrier-based SMS for OTPs, and residential IP connectivity—selectable from hundreds of locations. All accessible through a simple web interface that scales as your investigations grow.

Visit SockPuppet.io to empower your investigations with technology trusted by intelligence professionals.

🏁 New CTF Challenge Live - Crowd Control

A new CTF challenge has been posted on our CTF website. This week’s challenge involves estimating the number of people in a photograph from the 2024 NATO Summit using a specific tool.

Start competing in our Capture the Flag (CTF)

🪃 If you missed the last CTF, here’s a link to catch up.

Last week’s CTF challenge featured a challenge titled “Digital Footprints” where participants needed to identify the domains linked to a specific email address using only OSINT techniques.

✅ That’s it for the free version of The OSINT Newsletter. Consider upgrading to a paid subscription to support this publication and independent research.

By upgrading to paid, you’ll get access to the following:

👀 All paid posts in the archive. Go back and see what you’ve missed!

🚀 If you don’t have a paid subscription already, don’t worry. There’s a 7-day free trial. If you like what you’re reading, upgrade your subscription. If you can’t, I totally understand. Be on the lookout for promotions throughout the year.

🚨 The OSINT Newsletter offers a free premium subscription to all members of law enforcement. To upgrade your subscription, please reach out to LEA@osint.news from your official law enforcement email address.

This episode covers Issues 101 and 102 of The OSINT Newsletter and focuses on two practical areas of modern OSINT: mapping a target’s digital footprint using a comprehensive open-source framework, and extracting intelligence from video content at scale.

In Episode 16 of The OSINT Podcast, host Jake Creps opens with a deep dive into TheBigBrother, a GitHub-based OSINT framework that consolidates username enumeration, reverse image searching, network scanning, dark web lookups, EXIF extraction, crypto tracing, and more into a single tool. Jake walks through setup, core modules, and the real investigative value it offers - from identity correlation and social media pivoting to red teaming and privacy audits.

He then moves into one of the more underrated challenges in OSINT: working with video. Jake breaks down how to extract transcripts from YouTube and TikTok using tools like YouTube Transcript API and TokScript, and explains how to scale that process across dozens or hundreds of videos using open-source libraries and lightweight custom tooling.

Once video content is converted to text, the episode shows how to make it searchable - combining local search methods, Obsidian vaults, and LLMs to analyse transcripts at scale and produce actionable intelligence outputs.

Along the way, the episode reinforces a core principle: tools support collection, but intelligence requires analysis. Knowing how to build the pipeline is only half the work - knowing what to do with the output is what separates a collection exercise from actual OSINT.

Highlights include:

🔍 TheBigBrother Deep Dive – a full walkthrough of the framework’s modules including Profiler, Footprint, Net Scan, Dark Web, EXIF, Dorks, and Sky Radar, with practical use cases for each.

🎥 Video Transcript Extraction – how to pull transcripts from YouTube and TikTok one at a time and at scale using YouTube Transcript API, TokScript, and the Summarize library.

📂 Searching at Scale – combining transcribed video content with local search tools, Obsidian, and LLMs to surface patterns and produce intelligence reports.

Whether you’re tracing a username across the internet or digging through hours of video evidence, Episode 16 gives you the tools and workflow to do it efficiently.

References

• OSINT Newsletter – Issue 101

• OSINT Newsletter – Issue 102

🪃 If you missed the last newsletter, here’s a link to catch up.

⚡ A deep dive into TheBigBrother, a comprehensive OSINT framework

Let’s get started. ⬇️

OSINT News

📰 Geolocating Taliban in the Afghan Desert

Ben walks you through a recent investigation he did in the Afghan desert. He steps through how he identified a base, tracked a flight, located a soldier drop off point, finding a dune strike location, and more.

Read on LinkedIn… | YouTube

🎩 H/T: Benjamin Strick

📰 How OSINT Verifies Viral Claims During Wartime Chaos

This video shows how to analyze a viral Reddit claim that Iran bombed its own girls’ school by identifying manipulation signals, evaluating online actors and naming patterns, comparing search results, and verifying wartime claims using government sources, fact-checkers, verification outlets, and cross-model AI.

Watch on YouTube…

🎩 H/T: Kirby Plessas

📰 How Wildlife Traffickers Are Using Coded Language to Sell Protected Animals On Facebook

Foeke walks through how to identify coded language on Facebook Marketplace that indicates the sale of protected animals, including screenshots and other evidence collected.

Read on Bellingcat…

🎩 H/T: Foeke Postma

OSINT Tools

🔎 OSINT Rack

OSINT Rack is a collection of OSINT tools categorized by use case, blog posts, courses, books, events, and more.

Web App

🎩 H/T: Mario Santella

🔎 Tor Node Archive

Tod Node Archive gives you insight into the world of Tor Nodes with a search engine, downloadable dataset, and a changelog.

Web App/Dataset

🎩 H/T:

🔎 CrowdCounter

CrowdCounter estimates how many people are in a photo, saving you the time it takes to count manually. Too bad it doesn’t have an API, Henk!

Web App

🎩 H/T: Henk Van Ess

🏁 New CTF Challenge Live - Digital Footprints

A new CTF challenge has been posted on our CTF website. This week’s challenge involves identifying multiple domains linked to a well-known threat actor using only its email address.

Start competing in our Capture the Flag (CTF)

🪃 If you missed the last CTF, here’s a link to catch up.

Last week’s CTF challenge featured a challenge titled “Tracing the Source” where participants needed to identify the username of the Telegram channel that published a promotional message and the name of the telegram channel that was promoted in that message, using only OSINT techniques.

Solution WU :

To solve this challenge, we need to use https://deaddrop.theosintconsultants.com/ to locate the original Telegram message.

By enclosing the message in quotation marks for an exact search (e.g., (”نات ابعثولي الخاص...”) and applying a date filter corresponding to the timestamp (From: 2026-04-01 To: 2026-04-01), we were able to pinpoint a search result that displayed:

• The username of the channel that posted the message

• The content of the message

• The username of the promoted channel

This method allowed us to identify the Telegram channel solely using the message content and the timestamp, as required by the challenge.

✅ That’s it for the free version of The OSINT Newsletter. Consider upgrading to a paid subscription to support this publication and independent research.

By upgrading to paid, you’ll get access to the following:

⚡ OSINT Methods for Archiving and Searching Video by Keyword

• Learn tools, tactics, and techniques for processing information from videos in a way that’s searchable at scale.

👀 All paid posts in the archive. Go back and see what you’ve missed!

🚀 If you don’t have a paid subscription already, don’t worry there’s a 7-day free trial. If you like what you’re reading, upgrade your subscription. If you can’t, I totally understand. Be on the lookout for promotions throughout the year.

🚨 The OSINT Newsletter offers a free premium subscription to all members of law enforcement. To upgrade your subscription, please reach out to LEA@osint.news from your official law enforcement email address.

Read more

🎁 It’s been a while since a paid subscription of The OSINT Newsletter went on sale. Recently, the newsletter crossed the 32,000 subscriber mark. To celebrate, here’s a 50% off discount.

50% Off

Here’s what you’ll get access to by upgrading now:

• Access to the entire newsletter archive of paid content with over 100 issues of tools, tactics, and techniques.

• Continuously improve your skill set with the latest OSINT methods to discover more, be more efficient, and bring more value to your organization or mission.

Thanks for your support.

Click here to get 50% off The OSINT Newsletter👇

Get Better at OSINT for $40

🚨 This is the first post in the return of OSINT Tool Tuesday, an ongoing series of tool review deep dives aimed at helping investigators improve their tool kit. I understand it’s Thursday… we will be publishing these on Tuesdays moving forward!

TheBigBrother

TheBigBrother is a GitHub project that offers a comprehensive OSINT framework designed to investigate an individual’s digital footprint across the internet, enabling users to gather information such as associated usernames, social media profiles, metadata, and other publicly available intelligence. Essentially, it’s a username tool on steroids.

🎩 H/T: Chadi0x

TheBigBrother allows you to search primarily by username, while also supporting a range of modules including email lookups, domain intelligence, metadata extraction (EXIF), and cryptocurrency tracing.

It brings together multiple OSINT techniques into a single toolkit, making it a valuable resource for investigations across law enforcement, cyber security, corporate intelligence, executive protection, and online threat analysis.

In this guide, I’ll walk you through how to set up The Big Brother, how to use the tool, practical use cases you can apply it to, and key pivot points you can leverage from the information it uncovers.

Let’s get started. ⬇️

Setup

Recommended = Docker Method

The easiest way to get The Big Brother up and running is by using Docker, which handles all dependencies and environment configuration for you.

Prerequisites

Before you begin, make sure you have installed:

• Docker

• Docker Compose

You can verify installation with by typing these commands into your terminal:

docker --version

docker-compose --version

Step 1: Clone the Repository

On your terminal, run:

git clone https://github.com/chadi0x/TheBigBrother.git

cd the-big-brother

Step 2: Launch TheBigBrother

Run the following command to build and start the tool:

docker-compose up --build

This will:

• Build the Docker image

• Install all required dependencies

• Launch The Big Brother environment

MANUAL SETUP

If you prefer not to use Docker, you can install and run The Big Brother locally using Python.

Prerequisites

Make sure the following are installed:

• Python 3.8+

• Git

• pip

You can verify with:

python3 --version

git --version

pip3 --version

Linux/MacOS Setup

1. Create a virtual environment

python3 -m venv venv

source venv/bin/activate

2. Install Dependencies

pip install -r requirements.txt

playwright install chromium

3. Launch the Application

python -m uvicorn the_big_brother.gui.main:app --port 8000

Windows Setup

1. Install Dependencies

pip install -r requirements.txt

playwright install chromium

2. Launch the Application

python -m uvicorn the_big_brother.gui.main:app --port 8000

Next Steps:

Once running, open your browser and go to:

http://localhost:8000

You’ll see the The Big Brother web interface, where you can:

• Enter usernames

• Run modules

• View results visually

Now, let’s dive into TheBigBrother usage and use cases.

Usage

Now that we’ve covered the basics, let’s dive into some of the core modules within The Big Brother and how you can use them in OSINT investigations.

Profiler

The Profiler module is designed to build a high-level overview of a target by aggregating information from multiple sources into a single profile.

This can include:

• Usernames

• Social media accounts

• General online presence

Example:

python3 thebigbrother.py --profiler testusername

This will produce a consolidated view of the target, helping you quickly understand who you’re dealing with.

On the web interface, you can enter a target identifier (username, email address, phone number). Associated profile images will appear in the blank space above.

🗒️ This is a great starting point before diving deeper into specific modules.

Footprint

The Footprint module focuses on identifying where a username exists across the internet.

Example:

python3 thebigbrother.py --footprint testusername

This will:

• Enumerate accounts across platforms

• Highlight reused usernames

• Map out digital presence

As you can see, our test on the web interface brought up 7 platforms linked to our email address.

🗒️ Use this to identify pivot points into other tools or manual investigation.

Net Scan

The Net Scan module is used for gathering network-level intelligence.

Example:

python3 thebigbrother.py --netscan example.com

This may return:

• IP addresses

• Open ports

• Hosting/provider information

Our YouTube example on the web interface brought up the below network information:

🗒️ Useful for infrastructure mapping and identifying related assets.

Dark Web

The Dark Web module attempts to identify whether a target appears in:

• Data breaches

• Leaked databases

• Dark web mentions

Example:

python3 thebigbrother.py --darkweb test@email.com

This can help uncover:

• Compromised credentials

• Exposure risks

• Historical leaks

You can enter a keyword e.g. a leak or database into the web interface search bar as below:

Crypto

The Crypto module is used to analyse cryptocurrency wallets and transactions.

Example:

python3 thebigbrother.py --crypto <wallet_address>

This may reveal:

• Transaction history

• Wallet activity

• Links to other wallets

On the web interface, simply enter the wallet address in question into the search bar below (bitcoin or ethereum).

🗒️ Particularly useful in fraud, ransomware, or financial investigations.

SSL

The SSL module gathers intelligence from SSL certificates.

Example:

python3 thebigbrother.py --ssl example.com

This can uncover:

• Associated domains

• Certificate details

• Infrastructure links

🗒️ Great for finding hidden or related domains tied to a target.

EXIF

The EXIF module extracts metadata from images.

Example:

python3 thebigbrother.py --exif image.jpg

This may include:

• GPS coordinates

• Device information

• Date/time data

As in our web interface example, you won’t always get detailed information.

🗒️ Extremely useful when analysing images from social media or leaks.

Dorks

The Dorks module leverages advanced search queries (Google Dorking) to find indexed information about a target.

Example:

python3 thebigbrother.py --dorks testusername

This will generate queries to uncover:

• Public documents

• Exposed data

• Indexed profiles

🗒️ Helps surface information that isn’t easily found through direct searches.

GEOINT

The GEOINT module focuses on geographic intelligence.

Example:

python3 thebigbrother.py --geoint <location_or_image>

This may help:

• Identify locations from images

• Analyse geographic patterns

• Support situational awareness

Our web interface search produced various location insights from various different sources, ideal for corroboration.

🗒️ Useful for uncovering location-based insights from images, videos, and geographic data.

Sky Radar

The Sky Radar module is used for aviation-related intelligence.

Example:

python3 thebigbrother.py --skyradar <flight_or_aircraft>

This can provide:

• Flight tracking data

• Aircraft information

• Movement patterns

🗒️ Useful in niche investigations involving travel, logistics, or tracking assets.

Use Cases

TheBigBrother is essentially a username intelligence + image correlation tool that:

• scans hundreds of platforms (~400+) for usernames

• pulls profile images

• runs automated reverse image searches across multiple engines

That combination is best for identity linking, username pivoting, and avatar-based correlation.

The bottom line? It shines in early-stage investigations, when you’re trying to answer: “Where else does this person exist online?”

Where this tool is actually useful in OSINT:

Identity Correlation/linking accounts

If you start with a username or even just a profile image, you can find matching usernames across platforms, confirm links using reused profile pictures, and cluster accounts belonging to the same person.

Social Media Investigations

The tool accelerates what analysts normally do manually i.e. searching usernames across platforms, comparing profile photos and running reverse image searches separately. With this automated, you can quickly find forgotten/old accounts, identify niche platforms, and uncover behaviour patterns across platforms.

Reverse Image Pivoting

This is, in our opinion, an underrated use of the tool. Essentially, because it auto-runs reverse image searches, you can detect reused avatars across multiple accounts, spot fake personas using stock/AI images, and find the original source of a profile image. This is useful for catfish investigations, scammer tracking, or simply verifying whether a persona is real.

Threat Intelligence / Cyber Investigations

In cyber threat intel, attackers often reuse usernames, avatars, and branding. TheBigBrother helps pivot from a known handle to a broader footprint, and can identify presence on GitHub, forums, marketplaces, and social platforms.

Red Teaming / Privacy Audits

Security teams can use this tool to understand what an attacker could discover publicly via simulating how easily identities can be correlated and identifying OPSEC failures such as username and avatar reuse.

🏁 New CTF Challenge Live - The Insider

A new CTF challenge has been posted on our CTF website. This week’s challenge focuses on Local search methods. Your task is to identify the username of an insider who plans to target a company with ransomware and also determine the targeted company name.

Start competing in our Capture the Flag (CTF)

🪃 If you missed the last CTF, here’s a link to catch up.

Last week’s CTF challenge featured a challenge titled “The Hacktivist”.

Solution WU :

Using Twitter Viewer - View Twitter Without Account and typing the username of the X account “RepresaliaNet” we could browse the posts made by the threat actor without having an account.

While browsing the posts, we could notice that one of the posts published on Nov 28, 2024 contains the username : YourZer321-PVC

Scrolling further, we could see that the first post date was : 25/09/2024

To find the country we needed to have an account (Sock Puppet). By clicking on “about this account”, we could see that the account was based in : Uzbekistan

✅ That’s all for this issue of The OSINT Newsletter. Thanks for reading and supporting this publication with a paid subscription.

💡 Remember OSINT != tools. Tools help you plan and collect data but the result of that tool is not OSINT. You must analyze, verify, receive feedback, refine, and produce a final, actionable product of value before it can be called intelligence.

This episode covers Issues 99 and 100 of The OSINT Newsletter and focuses on two essential aspects of modern OSINT: processing large datasets locally using efficient tools, and developing your investigative skill set through consistent, ethical practice.

In Episode 15 of The OSINT Podcast, host Jake Creps explores offline OSINT from first principles, breaking down why traditional tools fail when dealing with investigative scale data. The episode explains how local search tools operate without loading entire datasets into memory, allowing investigators to extract key information from massive files quickly and efficiently.

Jake walks through core command line techniques used in local analysis, including grep for pattern matching, csvkit for structured data filtering, and tools like awk and jq for processing and transforming datasets. By combining these tools, investigators can build lightweight pipelines that turn raw data into usable intelligence.

The episode then shifts from tools to mindset, focusing on how investigators actually develop their skill set over time. Rather than relying on theory alone, Jake outlines practical, repeatable methods for improving as an OSINT practitioner.

He explores how collecting and sharing tools builds familiarity with the ecosystem, why writing and teaching methods reinforces understanding, and how small scale investigations such as analysing spam emails can provide valuable repetitions without ethical risk.

Jake also discusses the importance of applying OSINT for real world impact, highlighting opportunities to support non profit investigations and contribute to meaningful causes. Alongside this, the episode covers personal OPSEC, showing how investigators can use their own techniques to audit and reduce their digital footprint.

Along the way, Jake reinforces a core principle of OSINT: tools enable collection, but intelligence comes from analysis. Mastery comes from repetition, not novelty.

Highlights include:

📂 Offline OSINT – Working with Local Data – how to search and analyse massive datasets using tools like grep, csvkit, awk, and jq without overwhelming your system.

🧠 Building Your OSINT Skill Set – practical methods for improving as an investigator through repetition, teaching, tool discovery, and low risk investigations.

🛠 Tools in Focus – grep for fast pattern matching, csvkit for structured data handling, and command line workflows for scalable data processing.

Throughout the episode, the focus stays on practical investigative thinking. Data reveals patterns. Practice builds intuition. And the best investigators know how to combine both.

If you want to improve how you handle large datasets and develop your OSINT skill set in a structured, ethical way, Episode 15 is for you.

References

• OSINT Newsletter – Issue 99

• OSINT Newsletter – Issue 100

🪃 If you missed the last newsletter, here’s a link to catch up.

⚡ Offline OSINT: Local Search Tools and Methods

Let’s get started. ⬇️

OSINT News

📰 Public GitHub Repositories from News Organizations

Open Journalism delivers a biweekly update of open source projects published by news organizations. Sometimes tools, datasets, or other useful bits of information, make sure show your support for this great project.

Read on Open Journalism…

🎩 H/T: Scott Klein

📰 Changes in Google Programmable Search Engines

There are changes coming to custom search engines in Google. They will no longer have the option to do a full web. Many OSINT tools are built on the back of custom search engines. If you use any, it might be time to diversify.

Read on LinkedIn…

🎩 H/T: Henri Beek

📰 Open-source intelligence shuts down

This article highlights something I’ve mentioned often, becoming too reliant on datasets being available and eventually being disrupted by changes. Satellite images of the area affected in the ongoing war in Iran have been blocked or removed. Many research projects rely on regular access to these images for humanitarian purposes or otherwise.

Read on The Economist… | No Paywall

OSINT Tools

🔎 WireTapper

This is a niche tool. It may even be somewhat of a grey tool. Using the Wigle, WPA Sec, OpenCellID, and Shodan API keys, WireTapper provides insight into location-based technical data from passive sources.

GitHub

🎩 H/T: h9zdev

🔎 Deaddrop

Another Telegram search engine. Always build redundancy. Search for content within a scraped Telegram archive and find information that isn’t indexed by search engines.

Web App | LinkedIn

🎩 H/T: The OSINT Consultants

🔎 LootBin

Termbin is like Pastebin but through the command line. LootBin helps you gather information from Termbin, another source not indexed by search engines.

GitHub

🎩 H/T: gustqvo432

Note: There seems to be some suspicious code in the Windows version of this tool. Do not install it. Instead, understand the concept educationally.

⭐ Sponsor: SockPuppet.io

SockPuppet delivers secure, isolated environments with persistent virtual desktops and phones, real carrier-based SMS for OTPs, and residential IP connectivity—selectable from hundreds of locations. All accessible through a simple web interface that scales as your investigations grow.

Visit SockPuppet.io to empower your investigations with technology trusted by intelligence professionals.

✅ That’s it for the free version of The OSINT Newsletter. Consider upgrading to a paid subscription to support this publication and independent research.

By upgrading to paid, you’ll get access to the following:

⚡5 Ethical Ways to Develop Your OSINT Skill Set

• Developing an OSINT skill set is valuable for a variety of roles. I’ve seen OSINT used everywhere from recruiting for HR departments to tracking Elon Musk’s airplane. If you’re looking for ways to build your skill set ethically, you’ve come to the right place. If you practice all 5 methods even once, you’ll be noticeably better.

👀 All paid posts in the archive. Go back and see what you’ve missed!

🚀 If you don’t have a paid subscription already, don’t worry there’s a 7-day free trial. If you like what you’re reading, upgrade your subscription. If you can’t, I totally understand. Be on the lookout for promotions throughout the year.

🚨 The OSINT Newsletter offers a free premium subscription to all members of law enforcement. To upgrade your subscription, please reach out to LEA@osint.news from your official law enforcement email address.

Read more

• How to search large datasets locally

• Command-line search methods

• Pro tools for processing structured data

• …and everything you need to know about analysing large files.

🪃 If you missed the last newsletter, here’s a link to catch up.

⚡ Collecting Information from Local Sources in an OSINT Investigation

🎙️ If you prefer to listen, here’s a link to the podcast instead.

Let’s get started. ⬇️

Offline OSINT: Local Search Tools and Methods

Not all OSINT happens on the internet. Sometimes the most valuable insights come from something you’ve already got downloaded; and every OSINT investigator has heaps of exported spreadsheets and datasets on file to work with. But when you’re archiving everything, it’s easy for your collection of documents - or even the size of the datasets themselves - to get huge.

But processing data with the wrong tools can be a real drag. If you’ve ever tried to open a 3GB CSV file in Excel, you already know the pain. Standard office tools simply weren’t built for investigative-scale datasets - and that’s where local device search tools come in.

Let’s get into local search.

What is Local Search?

OSINT investigators often end up working with big datasets. Breach dumps, scrapes, exports and archives can mount up, with a single file easily containing millions of rows. A rookie investigator will usually try to open these with traditional spreadsheet software (think Microsoft Excel); only to find it crashes instantly or slows to a stop. In turn, searching through a dataset is even more of a struggle. It’s possible, but it’s extremely painful.

Local device search tools are made to solve this problem. They scan the files directly, without loading everything into memory and making themselves sluggish. Instead of manually scrolling through data, you can extract exactly what you need in seconds - like pulling from a digital library catalog, rather than searching shelf-by-shelf.

Searching vs. Processing: How to Handle Large Files

The tools we’re about to talk about are all naturals at searching big files. But what if you want to do more than just search? Then you need processing power. If you want to:

• Extract all email domains from a breach file

• Identify the most common usernames in a dataset

• Count how many times a specific organisation appears

• Separate valid data from corrupted rows

Then clearly, just search won’t cut it. Luckily, command-line processing tools excel at these tasks because they’re designed for automation and scale. Many investigators will even combine the tools we’re about to discuss together; mixing and matching methods and modules lets you build data- processing pipelines that perfectly fit your needs.

For example, you might search up a keyword with grep, then use awk to count the matches. If it sounds like we’re talking nonsense… let’s learn what the grep we’re on about.

grep: The Text Search Tool

grep (short for global regular expression print) is one of the most popular local device search tools in the OSINT community. It’s a Unix command-based search, localised to your device; grep scans text files for matching patterns, and returns every line containing your query.

It’s fast, simple, and extremely powerful when working with large text-based datasets. The perfect way to surface those pesky data points when they’re swamped. Use grep to search files for:

• Email addresses

• Phone numbers

• Domain names

• Usernames

• Keywords related to your investigation

For example, if you wanted to search a breach file for a particular email address, grep could scan millions of rows for it almost instantly.

On top of this, grep can also do pattern matching. This means you can search for entire categories of data, too, as well as exact words; any email address ending in a particular domain, for instance. Because it reads line-by-line rather than loading files fully, grep can comfortably handle big datasets that would blow up normal apps.

csvkit: Making Sense of Spreadsheets

Most OSINT datasets are stored as CSV files. CSV stands for “comma separated values,” and it’s one of the most common formats for structured data exports. Breach databases, scraped content, and research datasets are frequently distributed this way. Usually, CSV means spreadsheets; but even programs that don’t seem like spreadsheet apps will often offer CSV as an output file type.

But CSV files grow big, fast. To deal with this, you need a tool specially designed to deal with CSVs - without opening them and overloading your machine. csvkit is such a tool; it works from the command line to search, filter, and analyse spreadsheets without opening. Instead of scrolling through millions of rows, you can:

• View column headers instantly

• Filter rows based on conditions

• Extract specific columns

• Convert files into other (more manageable) formats

For example, if a sheet has three columns full of usernames, IPs, and emails, csvkit allows you to isolate just the column you need and ignore the rest. Makes it much easier to focus on each different data point methodically without getting distracted.

More Tools for Local Data

Beyond grep and csvkit, several other lower-case-named tools are popular in pro OSINT workflows. They might have a disregard for grammar rules, but they’re great at handling big datasets - searching, processing, analysing, and more.

• ripgrep: ripgrep is designed to make grep commands even quicker and easier with little changes; automatically ignoring irrelevant files, like binary data for example. If you have a whole folder of datasets, ripgrep will whip through that entire directory structure - stat.

• awk: like grep and sed, awk is a command-line filter. More general than grep, it’s often used for processing structured data - and can handle different commands and modifications than its cousins.

• jq: described as “sed for JSON data”. Sometimes, datasets are stored in JSON format rather than CSV, making them much more difficult to read manually. jq can search and pull out specific fields from JSON data turning messy machine-readable files into human-readable intel.

• SQLite: When a dataset gets super big, it’s sometimes easier to import it into a lightweight database than leave it standalone. SQLite lets you do this. Plus, it’s already the most used database engine in the world.

Example: Local Search in Action

this time, imagine you are a professional osint analyst, working with a dataset containing millions of logins. but something seems wrong. immediately, you realise - all the data appears in lowercase.

somebody has stolen all the capital letters, and the issue is spreading. you need to find out when, and how.

step one: search

first you need to confirm that the capitals have gone. using grep, you scan the dataset for a username you know should be capitalised. Here, every instance appears in lowercase - confirming the capitals aren’t where they should be.

step two: process

next, you process the data for evidence. you use awk to analyse patterns across the dataset - counting the examples of that de-capitalised username, and identifying other entries that should have been capitalised. you begin to question the thief’s motives.

step three: structured analysis

you isolate each column with cvskit, and work through each methodically: usernames, email addresses, dates, checking each for formatting issues. the loss has occurred consistently across all fields. seeing the scale of the crime disturbs you.

step four: check other formats

Finally, you run jq on an older version of your dataset. these files still contain capital letters - meaning the dataset was just corrupted during the csv export.

as for the issue spreading… you need a new keyboard.

Key Takeaways

So, now you know the basics of local search. By now you should be able to:

• Search: Use commands to find specific data points

• Process: Execute more complex commands to make your life easier

• Analyse: Work with tools to identify patterns and pivot

• type: ignore automatic capitalisation and write in lower case

See you next time, investigators!

🏁 New CTF Challenge Live - The Hacktivist (2 Parts)

A new CTF challenge has been posted on our CTF website. This week’s challenge focuses on identifying the hacker username of a threat actor, the date of their first post announcing the start of a cyberattack and the country in which the account is actually operated, using only open source intelligence techniques.

Start competing in our Capture the Flag (CTF)

🪃 If you missed the last CTF, here’s a link to catch up.

Last week’s CTF challenge featured a challenge titled “Trace The IP”. Here is the solution:

Using IP Lookup | Find Your Public IP Address Location and searching for 151.202.95.130 we could see that the IP was linked to several cities : Tuckahoe, Bronxville, New York, Eastchester, Yonkers. Formatting them in alphabetical order gave us : Bronxville, Eastchester, New York, Tuckahoe, Yonkers.

Looking at the ISP we could see that it was Verizon Business.

✅ That’s it for the free version of The OSINT Newsletter. Consider upgrading to a paid subscription to support this publication and independent research.

By upgrading to paid, you’ll get access to the following:

👀 All paid posts in the archive. Go back and see what you’ve missed!

🚀 If you don’t have a paid subscription already, don’t worry. There’s a 7-day free trial. If you like what you’re reading, upgrade your subscription. If you can’t, I totally understand. Be on the lookout for promotions throughout the year.

🚨 The OSINT Newsletter offers a free premium subscription to all members of law enforcement. To upgrade your subscription, please reach out to LEA@osint.news from your official law enforcement email address.

This episode covers Issues 97 and 98 of The OSINT Newsletter and focuses on two critical aspects of modern OSINT: understanding how IP addresses reveal the movement of data across the internet, and how investigators can gather intelligence from a specific location even when they are nowhere near it.

In Episode 14 of The OSINT Podcast, host Jake Creps explores IP address OSINT from first principles, explaining how IPs function as the routing system of the internet. The episode walks through the difference between user IPs and server infrastructure, why dynamic IP addresses constantly change hands, and how static infrastructure can reveal patterns behind suspicious activity.

Jake then breaks down several investigative techniques used in IP analysis, including reverse IP lookups, passive DNS research, IP geolocation, and identifying traffic routed through VPNs and Tor nodes. When combined with timestamps and behavioural patterns, these signals allow investigators to reconstruct the path digital activity has taken across networks.

The episode then shifts to a different but equally important challenge: local OSINT investigations. Some investigations require extremely targeted intelligence from a specific city or region. In those cases, investigators must replicate the local internet environment in order to see the same results a local user would.

Jake explores how investigators can use VPNs and browser location manipulation to appear local, allowing search engines, advertisements, and recommendation systems to reveal location specific information. From there, he discusses how to build local intelligence feeds by aggregating small regional publications, government websites, and community sources into a single stream using RSS readers and alerting tools.

The episode also looks at analysing activity around physical locations using Google Maps “Popular Times” data, showing how investigators can detect patterns and unusual activity around businesses or venues without ever being physically present.

Along the way, Jake highlights several useful OSINT tools and resources including Dark Light Viewer, Twitter Viewer, and GeoSentinel, while also touching on developments in AI driven investigations and evolving OPSEC considerations.

As always, the emphasis remains on method over novelty. Infrastructure reveals behaviour. Location reveals context. And the best investigators know how to follow both.

Highlights include:

📦 IP Address OSINT – Following the Packets – how IP addresses function as the routing system of the internet, why dynamic IPs complicate attribution, and how reverse IP lookups and passive DNS can reveal hidden infrastructure.

🌍 Local OSINT Investigations – techniques for collecting intelligence from a specific place remotely using VPNs, browser configuration, local news aggregation, and location specific data sources.

🛠 Tools in Focus – Dark Light Viewer for satellite light comparison, Twitter Viewer for footprint free browsing of X profiles, and GeoSentinel for tracking global movement across maritime and aviation data.

Throughout the episode, the focus stays on practical investigative thinking. Infrastructure creates patterns. Location creates context. And when both are understood together, digital activity becomes much easier to trace.

If you want to strengthen your understanding of IP address investigations and location based intelligence gathering, Episode 14 is for you.

References

OSINT Newsletter – Issue 97

OSINT Newsletter – Issue 98

🪃 If you missed the last newsletter, here’s a link to catch up.

⚡ Return to Sender: OSINT With IP Addresses

Let’s get started. ⬇️

OSINT News

📰 Exploring a Secret Underground OSINT Marketplace

This issue of The OSINT Insider is a treasure trove of useful information for OSINT practitioners covering topics from new OSINT tools and datasets.

Read on OSINT Insider…

🎩 H/T:

📰 I Built an OSINT Agent Skill to Expose Your Digital Tattoo

OPSEC isn’t just about what you post online, it’s about what happens to the content after you post. This issue of The Secure Circuit covers an OSINT tool that helps you cover your tracks and also find the tracks of others.

Read on The Secure Circuit…

🎩 H/T:

📰 AI for OSINT Investigations: Turning Data Chaos into Intelligence

It’s 2026, AI is here and you’re going to use it whether you want to or not. Generic AI tools like GPT and Gemini may not be great for OSINT; however, AI within OSINT tools is a different story.

Read on Project OSINT…

🎩 H/T:

OSINT Tools

🔎 Dark Light Viewer

Compare nighttime light levels across any location on Earth, across any period from one month to ten years.

GitHub

🎩 H/T: Benjamin Strick

🔎 Twitter Viewer

View a Twitter (X) profile without having to log in. See posts and media without leaving a footprint.

Web App

🔎 GeoSentinel

Track global movement in real team; from maritime to aviation. Review in geospatial tooling.

GitHub

🎩 H/T: H9

Description

Scenario

A potential IP address associated with a French threat actor has been identified. Further investigation is required to determine the ISP name and the cities linked to this IP address in order to support attribution and ongoing analysis.

Challenge Objective

Your task as an OSINT analyst is to find :

• The cities linked to this IP (in alphabetical order).

• The ISP name.

🏁 New CTF Challenge Live - Trace The IP

A new CTF challenge has been posted on our CTF website. This week’s challenge focuses on identifying the ISP name and the cities associated with a specific IP address using only open source intelligence techniques.

Start competing in our Capture the Flag (CTF)

🪃 If you missed the last CTF, here’s a link to catch up.

Last week’s CTF challenge featured a challenge titled “The Wi-Fi Password”. Participants needed to identify the the password of a suspicious Wi-Fi using only open source intelligence tools and techniques.

Solution:

• Searching for : epstein property Florida on google brings us to the wikipedia page where the address is displayed

• Looking at the address we notice that it’s in Palm Beach

• Using 🔎 p3Wifi Free WiFi map - p3wifi and searching for the Palm Beach area we notice a weird Wi-Fi named SteinStein with the password visible in clear, located in front of a store named LaMuse which is exactly 0.7 miles and 3 minutes away from Epstein’s property when checking it on google maps with itinerary search.

✅ That’s it for the free version of The OSINT Newsletter. Consider upgrading to a paid subscription to support this publication and independent research.

By upgrading to paid, you’ll get access to the following:

⚡ Collecting Information from Local Sources in an OSINT Investigation

• The internet reacts to where you are in the world. You can trick the internet into thinking you’re somewhere else. Once you do that, your entire browsing experience changes. I discuss this, local news aggregation, and mining “Popular times” from Google Maps in this issue of The OSINT Newsletter.

👀 All paid posts in the archive. Go back and see what you’ve missed!

🚀 If you don’t have a paid subscription already, don’t worry there’s a 7-day free trial. If you like what you’re reading, upgrade your subscription. If you can’t, I totally understand. Be on the lookout for promotions throughout the year.

🚨 The OSINT Newsletter offers a free premium subscription to all members of law enforcement. To upgrade your subscription, please reach out to LEA@osint.news from your official law enforcement email address.

Read more

• Introduction to IP addresses.

• How to investigate an IP address.

• A step-by-step process for IP investigation.

🪃 If you missed the last newsletter, here’s a link to catch up.

⚡ Organizing Information and Avoiding Duplication of Effort

🎙️ If you prefer to listen, here’s a link to the podcast instead.

Let’s get started. ⬇️

The internet is like a big mail service. Every time somebody logs into their account, clicks on to a link or loads up a site, the data for that action gets parcelled up and shipped across the web. If domains are street names, IP addresses are the house numbers that actually direct the parcels to the right home. And like regular mail, the whole process leaves a trace behind.

Of course, stealing people’s mail is a felony (and a great punk track) - but that doesn’t mean you can’t get valuable OSINT from tracking its journey. If you know how to read IP addresses, they can tell you where traffic travelled, what infrastructure handled it, and whether someone tried to hide the sender.

In this issue, we’re following the packets. We’ll cover:

• The basics of IP addresses

• How IPs can change (and why that matters)

• Reverse IP lookups

• Geolocation with IPs

• ..plus all about VPNs and Tor traffic.

Now, let’s check the labels.

What Is an IP Address?

An IP address (short for Internet Protocol address), is a numerical identifier assigned to each device or server connected to a network. Think of it like a shipment number. It can either look like:

• IPv4: The old faithful. Appears as four blocks of numbers separated by dots, e.g. 192.168.1.1.

• IPv6: The longer, newer format, becoming increasingly common as the internet runs out of IPv4 space. Appears as eight blocks of numbers separated by colons, e.g. 2001:0db8:85a3:0000:0000:8a2e:0370:7334

In OSINT terms, you can divide all kinds of IPs into two categories: User IPs, and Server IPs. A user IP belongs to a device connecting to a service. Meanwhile, a server IP belongs to infrastructure hosting websites, apps, or mail networks. Confusing the two is like mistaking a sender’s return address for a warehouse location.

IP addresses aren’t as stable an identifier as email addresses, for instance. But that’s OK; IP address OSINT is less about identifying individuals, and more about mapping the movement of data back to its source. Follow enough parcels, and you’ll find the depot.

Package Redirected: Why IPs Change, and What They Tell You

One of the biggest misconceptions in IP OSINT is assuming that IP addresses are permanent identifiers. Just because IPs are unique, doesn’t mean they can’t move from place to place. So why do IPs change, why does it matter… and once an IP changes, can you trace where it’s been?

Dynamic IP Addresses

Most average-Joe residential IP users are assigned dynamic IPs by their ISP (Internet Service Provider). These can change for a ton of reasons: after a router gets rebooted, for example, when a lease gets refreshed, or just over time. The most important thing to remember is that dynamic IPs get passed around between users. An IP that belonged to one person last month might belong to somebody else now.

Static IP Addresses

Businesses and hosting providers, however, usually use static IPs. These are longer-term allocations, tied to servers and infrastructure semi-permanently (emphasis on semi). However, when you see the same static IP appearing repeatedly, you can be reasonably confident you’re looking at a fixed point.

What IP Addresses Can Tell You

When Google alerts you that some stranger in France is suddenly using your login on an iPhone 12, they’ve gained this intelligence by checking the new French login IP address against the last 10 IPs you logged in from. Clearly, although an IP can’t tell you who did something online, it can tell you where, and with what device.

Overall, what IPs show you is the circumstances at the time an online activity took place. Was a login coming from a residential ISP? A data centre? A VPN provider? Or did multiple compromised accounts route through the same infrastructure - then suddenly switch to a totally different address? When paired with timestamps, old IPs help reconstruct movement patterns, and build up a theoretical narrative; like reading old postmarks to imagine a package’s journey.

Delivery Instructions: How to Investigate an IP

So, now you know why it’s worth investigating IPs, we can get to work on how. Some involve pro OSINT tools, but others are significantly more lo-fi. Let’s get into our favourite tips, tricks and techniques for investigating IP addresses.

Reverse IP Lookups

Reverse IP lookup - like reverse image search - flips the direction. Instead of asking ‘what IP does this domain use?’, you ask ‘what other domains are hosted on this IP?’. This is super useful when investigating scam networks and phishing campaigns.

To do it, plug the target IP into a passive DNS database, or an OSINT platform that supports reverse lookup (like Maltego). The results will bring up any domains associated with that address.

Hosting and Registration

Next, look for suspicious infrastructure. This could look like:

• Multiple domains sharing the same hosting

• Sudden bursts of activity (registering lots of domains at once, then none at all)

• Thematic similarities (crypto, “investment”, fake law firms etc.)

For example, if a single server IP hosts ten nearly identical “investment opportunity” websites registered within weeks of each other - especially on the same cheap VPS - then that’s a strong sign of unsavoury activity. Look up hosting and registration details with WhoIs searching.

That said, context still rules. Large hosting providers often place hundreds of legitimate websites on the same shared IP. In those cases, you’re looking at shared warehouse space, not necessarily shared ownership.

Geolocation

We covered IP geolocation a little in the last issue; it’s a way of identifying the country and often the city an IP is hosted in. It’s often inaccurate, and can’t pinpoint a specific address. So, think of it as narrowing delivery to the right city - not the exact doorstep.

However, it can still be useful - particularly for spotting inconsistencies. If a company claims to operate exclusively in one country but consistently routes traffic through infrastructure in another, for instance. Also look for repeated logins from the same location, and check if that matches with the IP geolocation result.

VPNs (Virtual Private Networks)

VPNs are a blessing and a curse for IP OSINT. When someone uses a VPN, the IP address you see belongs to the VPN provider’s infrastructure - not the user’s original connection. These VPN IPs often resolve to big data centres, too, making it tricky to tie down the user’s actual details.

There are ways to track if somebody’s using a VPN; rapid shifts between locations, for example. This is extremely useful if you need proof that a target is intentionally rerouting their traffic to avoid being detected.

Tor Nodes

Tor also adds another layer of complexity. The IP you see with a Tor browser is the target’s exit node, not the actual origin. Tor exit nodes are also completely public and rotate between users globally; so if you detect one, all it tells you is that the target didn’t want to be tracked. It doesn’t imply malicious intent, but it does tell you the package was deliberately relabelled before delivery.

Example: IP Address OSINT in Action

This time, imagine somebody has been making repeated attempts to log into your Strava account. If successful, they could hopelessly distort your PBs. All you know is that the logins originate from the same IP address. Let’s find out who’s running things.

Step 1: Identify the Owner

A Whois search shows that the login IP is registered to a regional consumer IP; a specific subscriber, on residential broadband. But where, and who?

Step 2: Analyse the Behavior

The IP is fairly consistent - with no jumping locations or ties to known exit nodes. That means the user isn’t attempting to hide their identity. The login attempts are also spaced irregularly, with pauses that resemble manual interaction rather than botting. So this is a real person.

Step 3: Geolocate

Cross-referencing multiple IP geolocation services places the IP consistently in western Ohio, near a cluster of rural towns. You’ve never been to Ohio. And you definitely haven’t been logging into Strava from there. An interesting detail: the region is known for its expansive cornfields.

Step 4: Reverse IP & Domain Check

A reverse IP lookup reveals two domains hosted to that same IP.

The first is a personal blog documenting endurance training experiments; one man pushing himself to run further and further in concentric circles without becoming dizzy.

The second, humanccohio.com, shows groups of runners arranged in geometric formations across harvested fields - what the author calls “human crop circles.” Metadata from the site aligns with the same western Ohio geolocation as the IP.

Step 5: Behavioral Context

The timestamps of the login attempts coincide with posts on the blog discussing “mapping local athlete data” and “identifying high-mileage runners nearby.”

Mystery solved: this is one guy in western Ohio, checking out Strava profiles in an attempt to recruit (or map) local athletes without their knowledge for his ‘human crop circle’ project. Weird.

Key Takeaways

Message delivered - now you know how to do OSINT with IP addresses. You should know:

• How delivery works: An IP is like a house number, it directs the data

• IPs change: Just because an IP is there now, doesn’t mean it’ll stick around

• Check the return address: reverse IP search is your most powerful tool

• Cross-reference everything: corroborate with behaviour to get the full story

See you next week, investigators!

🏁 New CTF Challenge Live - The Wi-Fi Password

A new CTF challenge has been posted on our CTF website. This week’s CTF challenge focuses on finding the password of a weird Wi-Fi using only open source intelligence techniques.

Start competing in our Capture the Flag (CTF)

🪃 If you missed the last CTF, here’s a link to catch up.

Last week’s CTF challenge featured a GEOINT challenge titled “The Unknown Bridge”.

Looking at the UAV in the image, we could see its number which is 166509.
Using bing browser and searching for “166509 flight” we could find a flight of this UAV on : flightaware.com/live/flight/166509
Looking at the tracking, we could see that it was last seen near Patuxent River MD, we could also notice the same airport as in the image which is Patuxent River (NHK)
On the left side of the airport we could see the same bridge as in the image which is named: Thomas Johnson.
By searching on Google : Patuxent River Bridge, we could see that the full name of the bridge was : Governor Thomas Johnson.

✅ That’s it for the free version of The OSINT Newsletter. Consider upgrading to a paid subscription to support this publication and independent research.

By upgrading to paid, you’ll get access to the following:

👀 All paid posts in the archive. Go back and see what you’ve missed!

🚀 If you don’t have a paid subscription already, don’t worry. There’s a 7-day free trial. If you like what you’re reading, upgrade your subscription. If you can’t, I totally understand. Be on the lookout for promotions throughout the year.

🚨 The OSINT Newsletter offers a free premium subscription to all members of law enforcement. To upgrade your subscription, please reach out to LEA@osint.news from your official law enforcement email address.