The OSINT Newsletter - Issue #107
Call Data: OSINT on Phone Numbers
đ Welcome to the 107th issue of The OSINT Newsletter. This issue contains OSINT news, community posts, tactics, techniques, and tools to help you become a better investigator. Hereâs an overview of whatâs in this issue:
What intelligence comes from a phone number
Where to check first (without overcomplicating it)
A clean workflow for investigations
âŚand why itâs not worth changing your name to Spiderman.
đŞ If you missed the last newsletter, hereâs a link to catch up.
⥠Creating Claude Skills for Open Source Intelligence
đď¸ If you prefer to listen, hereâs a link to the podcast instead.
Letâs get started. âŹď¸
Call Data: OSINT on Phone Numbers
Phone numbers sit in a strange place in OSINT. Theyâre near-ubiquitous and tied to everything, but as a result very easy to overlook. Unlike usernames (which can change) or email addresses (easy to create), numbers tend to stick. They follow people across platforms, accounts, years of activity, and even States. Surprisingly few people want the hassle of learning a new number, even when they get a new phone.
You might create a new Gmail, and change your username (or legal name) to Baron Venom Balrog Sabretooth Vader Megatron Vegeta Robotnik Magneto Bison Sephiroth Lex Luthor Skeletor Joker Grind, but your phone number is mostly static. This persistence makes phone numbers one of the most reliable anchors you can work with for OSINT.
Sometimes OSINT is just a number. This issue will teach you:
What intelligence comes from a phone number
Where to check first (without overcomplicating it)
A clean workflow for investigations
âŚand why itâs not worth changing your name to Spiderman.
Calling Baron GrindâŚ
What Can Phone Number OSINT Uncover?
The infrastructure of phone numbers is key to what you can get out of them through OSINT. Every number is tied to a telecom system, to a region, and only then to a web of online accounts. That means even before you get into deeper online OSINT, there are three immediate layers of value:
Geographic Origin
Country codes (+1, +44, +91, etc.) are GeoINT in themselves. These one or two nifty numbers instantly place a phoneâs owner at a national level. If you can find out carrier data, you can narrow a rough operating region even further. At the very least, you can find out if your targetâs in the US or Uzbekistan.
Platform Presence
Many platforms use phone numbers as their backbone identifier. If a number is registered on apps like WhatsApp or Telegram, you may be able to view profile photos, usernames, or activity signals just by knowing the right digits.
Identity Fragments
Even before the real OSINT starts, people litter the world with identity fragments - by reusing their static phone number. Old listings, forgotten profiles, or scraped datasets can quietly connect multiple pieces together.
Some Phone OSINT Tools That Actually Work
You donât need a complex stack to begin phone OSINT. Thatâs what makes phone numbers such a universally popular data point. In fact, the most effective tools and methods are often at your fingertips.
Caller ID Platforms
Sync.ME, NumLookup, and Thatâs Them scan public records and user-contributed data, drawing on that to see if a numberâs been identified before. Results can be inconsistent, so treat them as leads not gospel. If multiple sources align, then theyâre worth your attention.
Checking the Apps
Hereâs an old OSINT trick. Save the number as a contact, then check WhatsApp, Telegram, or Signal. Adding a contact will reveal a profile photo and status - Telegram will even expose a username.
Caller ID Platforms
Truecaller, Hiya, and CallApp use crowdsourced data, so again, cross-reference. Patterns across multiple platforms mean something.
Finding Carrier Data
If you know nothing about the carrier, services like Numverify, Twilio Lookup, or other free HLR lookup tools can help identify the telecom provider and line type (mobile, VoIP, or landline). Cross-check as always.
Getting Started: A Clean Workflow (Donât Skip Steps)
Investigating a number⌠Thatâs easy, right? Think you can improvise? Donât. A structured approach will always get better results.
Give this workflow a try:
1. Standardize the Format
Always convert to international format. Tools and platforms require international format numbers and inconsistencies will cost you results. Whatâs more, country codes arenât data you want to ignore.
2. Location, Location, Location
Use that country code. Combine with any carrier info to ground your investigation geographically; when youâre stratifying your findings later, youâll be glad you did.
3. Check for Live Accounts
Run the number through message platforms. Youâre looking for anything visible on Telegram or WhatsApp: images, usernames, timestamps etc.
4. Look for Repetition
Search the number directly. Then try variations, like with or without spaces. Reuse is what youâre hunting for.
5. Pivot and Expand
Got a hit? Pivot outward. Search that identifier (a username, profile, email or listing). Start building out the wider account network.
âŚAnd just like that, youâre doing phone number OSINT.
What Counts As a High-Value Pivot?
You might be wondering which leads are strong enough to take that fifth step. The real value comes from the following data points:
â Usernames
If you see the same username twice, thatâs your bridge into wider platform analysis; especially if the username is conspicuously unusual or unique. Thereâs unlikely to be two people choosing Baron_V_B_S_V_M_V_R_M_B⌠(You get the picture).
â Social Accounts
If a number was required to sign up, some platforms expose profiles directly. Others reveal connections indirectly. Either way, a linked social account is OSINT gold.
â Breach Data
If the number appears in leaked datasets or on HaveIBeenPwned, it can link to emails, credentials, and historic activity. As always, be careful working with data that comes from an inherently sketchy source.
Feel the Burn: Disposable Numbers & Evasion Tactics
OSINT investigators chasing fraud, spam networks, or illicit activity face up to a unique challenge. Phone number stability is usually the USP here. What if the number youâre looking for is temporary by design?
Burner phone numbers get spun up quickly, used briefly, and abandoned just as fast. The aim is to get a phone number, get what you need from it, and THROW IT ON THE GROUND. The point of virtual numbers, VoIP services, and burner SIMs is to create numbers and accounts without tying them to a long-term, real identity - the very thing that makes phone number OSINT so easy.
So, change of tactics. Look for patterns of behaviour, not long-term reuse. VoIP numbers, for example, might cluster around specific services or regions, or repeatedly appear attached to similar types of accounts or listings. That would signal the same person, exhibiting the same behavior over and over again.
Gaps are a biggie too: no reverse lookup data, no caller ID history, and limited presence across platforms are absences that constitute a signal in themselves.
If a number looks âemptyâ, donât assume itâs useless. It may just be designed that way.
Key Takeaways
Phone number OSINT works because numbers are mostly static and stable things. You can change your email, your socials, or even your name, but most people are lazy with their phones. And unlike physical addresses or Social Security numbers, people hand out their phone numbers like candy.
You should know:
One number wonât tell you everything, but it might tell you where to look next
Use simple methods before complex ones
Follow number reuse and patterns
Build outward: number â account â network
âŚand when you change your name to Emperor Spiderman Gandalf Wolverine Skywalker Optimus Prime Goku Sonic Xavier Ryu Cloud Superman HeMan Batman Thrash in witness protection, maybe change your number.
Until next time, investigators!
đ New CTF Challenge Live - Last Order
A new CTF challenge has been posted on our CTF website. This weekâs challenge involves analyzing surveillance footage from a blurred traffic camera frame to identify a suspectâs location. Investigators believe the suspect entered a highly rated restaurant, ordered its most expensive signature pasta dish, and left in a hurry. Your task is to determine the restaurant, its exact address, and the specific pasta dish ordered.
Start competing in our Capture the Flag (CTF)
đŞ If you missed the last CTF, hereâs a link to catch up.
Last weekâs CTF challenge featured a challenge titled âThe Dark Web Hackerâ where participants were tasked with finding a hackerâs specific email address linked to a specific hacking forum.
Challenge Solution WU :
Knowing that the username had been reused across multiple forums and appeared in several data breaches, we searched for the username âsarksticâ on breach.vip. This led us to a World of Warcraft forum account on OwnedCore, along with the email address associated with it: dreadfuleyes@yahoo.com
â Thatâs it for the free version of The OSINT Newsletter. Consider upgrading to a paid subscription to support this publication and independent research.
By upgrading to paid, youâll get access to the following:
đ All paid posts in the archive. Go back and see what youâve missed!
đ If you donât have a paid subscription already, donât worry. Thereâs a 7-day free trial. If you like what youâre reading, upgrade your subscription. If you canât, I totally understand. Be on the lookout for promotions throughout the year.
đ¨ The OSINT Newsletter offers a free premium subscription to all members of law enforcement. To upgrade your subscription, please reach out to LEA@osint.news from your official law enforcement email address.