Discover and read the best of Twitter Threads about #OSINT

Most recents (24)

Last wk we noticed that an entire subset of our #Hamilton68 accounts had been suspended in mass. We have seen suspended accounts from time to time but not a whole set. To be clear these were bot accnts so it made sense they would all get suspended at once. #infosec #osint
We determined from our archive that they were mostly suspended around January 26th and this was the last tweet in our archive. #infosec #hamilton68 #osint
Some searching on Twitter & we found that our fellow bothunters @conspirator0 & @ZellaQuixote had already put out this excellent thread on Jan 24th outing most of the accounts in this small botnet. I apologize 4 missing it at the time #infosec #hamilton68
Read 13 tweets
1. Not Dead Yet: Our own @NicheIntel and @Intel_Prof use #FacialRecognition app @Betaface and voice comparisons to examine the rumours Abu Rofiq of #MalhamaTactical faked his own death in February of 2017.

We discuss some of the interesting findings here.
2. On Feb 7th 2017 Malhama Tactical announced that its leader Abu Rofiq had been killed in a Russian airstrike on his apartment in #Idlib, Syria. A report by @ForeignPolicy entitled The Blackwater of Jihad, countered that Abu Rofiq was not present at the time; per a local source.
3. After almost a year absent on social media, Malhama introduced Abu Salman Belarus as its "new" leader. Since then, there have been rumours that Rofiq faked his death. The biggest deterrent to testing the rumours were the lengths Abu Salman went to in masking his identity.
Read 9 tweets
Finally we are able to analyze the most common URL use from a subset of #Hamilton68 accounts. Many many thanks to @Saill for all the scripting work on this. We now have a ton of additional data that can be analyzed. #infosec #opsec #osint
This is the top 25 URLs used by the #Hamilton68 subset of accnts focused on Russian Geopolitics. The most recent 3000 tweets from each of 125 accts were analyzed. 375000 tweets total. Fairly expected results & shows the prominence of Youtube & Facebook use. #infosec #opsec #osint
Further down the list in top 35-56 range revealed more interesting sites being used by these accnts. Ria(.)ru is a fairly new Russian media site housed at the same location as the Russian IRA troll farm. Stalkerzone is well known disinfo site #infosec #opsec #osint #hamilton68
Read 5 tweets
1/ Who am I?

I'm a #CVE researcher who studies the process of radicalization, social groups, and movements. In short, I look for ways to prevent people like the #CovingtonBoys from swiping even further right & endorsing white nationalism, ethnic separatism, or dom. terrorism.
2/ On Twitter, I identify as a “#ProudBoys Whisperer,” a tongue in cheek reference to the ethnographic fieldwork I do. This work involves many conversations like the one below.

3/ I also look for ways to help men and women innoculate themselves from falling down the #antifeminist/anti-#SJW /conspiratorial rabbit hole.
Read 24 tweets
Just before Christmas we looked at #Hamilton68 accounts who focus on Russian geopolitics and how they were stoking the #giletsjaunes conflict in France. We noticed a new hashtag #integrityinitiative (red arrow) .. #infosec #osint #opsec
We didn't think much about this over the holidays but revisited it in early January 2019. Turns out the the #integrityinitiative had become even more prominent and prompted additional research .. #infosec #osint #opsec
We did a hoaxy analysis of the #integrityinitiative hashtag on January 5th and noticed two major nodes of well-known #Hamilton68 accounts .. @Ian56789 and @ShoebridgeC ... #infosec #osint #opsec
Read 10 tweets
A fascinating thread ...dont think 4 a minute that the only propaganda / misinformation campaigns come from Russia ... there are plenty of domestic operations going on right now. In this case a Wall Street Hedge Fund manager posing as a #Bernie2020 acolyte
As @HoarseWisperer alertly posted, this Hedge Fund manager is running a disinfo / troll campaign against @ewarren and her supporters. If ur reasonably intelligent, I think you can figure out why a wallstreet Hedge Fund manager might be behind promoting #Bernie2020 #infosec
No idea right now how much of the "we want Bernie" tweets to @ewarren are from trolls, cyborgs and bots. Guessing like ourselves lots of other groups are scrambling to collect the data for analysis. #infosec #opsec #osint
Read 8 tweets
The alt-right is in an interesting quandary. They want 2 argue #projectbirmingham, a small social media disinfo experiment by a handful of Dem activists affected the outcome in Alabama Senate race ...but not social media disinfo efforts by Russia, a nation state in 2016? #psyops
Some background on #projectbirmingham .... if everything from the original NYT story is true about this domestic disinfo campaign against #RoyMoore then yes I am against this as much as I am against what Russia did in the 2016 elections. #infosec #ALsen
NEW: This is a strong denial from the New Knowledge CEO Jonathan Morgan, including the part about the creation of fake Cyrillic Russian bots ... so someone has some explaining to do #ProjectBirmingham #infosec
Read 11 tweets
(1/10) #OSINT #thread
E-Reveal: #Reveal email addresses on #LinkedIn Profiles!…


When you visit a LinkedIn profile, the #chrome extension will (explained in tweets below 👇🏻)
Pull the person's name and company from the page
Convert the company name into a domain via Clearbit's [free autocomplete api](…)
Read 10 tweets
🔐 #OSINT Thread 🔓
(1/6) LINKEDIN 🔎 OPERATORS: TIP SHEET by @braingain 🛠
#osint #research #linkedin #search #boolean #tips 👇🏻🔥
Read 7 tweets
(6/1) #OSINT #Thread This thread is including the most valuable #GoogleDorks that you might find useful while searching for #Trello public boards. Enjoy and let me know if am miss any of them! #research #hacking #tips #tricks
(6/3) intext:accesskey
Read 7 tweets
We at @Bellingcat are often asked how one can help with #OSINT research. Well, here's a good example where geolocation and time determination is needed of 4 images, allegedly taken in Crimea. It would foster the investigative work of @houpaciosel. Context in thread below 👇
The person in the photos is Andrej Babiš Jr (35), son of Czech Prime Minister @AndrejBabis who's facing a political crisis after his son said he'd been kidnapped in Crimea to stop him giving evidence in a fraud case against his father. More context:….
The Czech PM denies that his son was kidnapped, and these 4 photos are used as a proof that his son and his companion (with hat) were voluntarily in Crimea during the Fall of 2017. Geolocation and time determination of these photos could shed a light on facts and/or fiction.
Read 33 tweets
Não deu pra ir no #codabr18? Foi, mas queria mesmo era se clonar pra ver as muitas atividades simultâneas? A gente reuniu quase 40 apresentações e recursos didáticos usados nas mesas, bootcamps e workshops! Conhecimento bom é conhecimento aberto! #ddj…
Vamos revisitar aos poucos as apresentações do #CodaBr18 :

Na abertura, o @albertocairo abordou a democratização da visualização de dados, falando de sua busca para que esta prática se torne uma linguagem universal 🌐…
@viegasf falou de suas pesquisas sobre inteligência artificial, #dataviz e inovação no Google. Aqui, você confere a oficina que ela deu sobre Interpretação e Fairness em Machine Learning
Read 37 tweets
Given that a common modus operandi for Russian influencer #Hamilton68 accnts is to sow division & weaken US groups & political parties, the upcoming speaker of the House election & whether Rep. Nancy Pelosi would again get the nod seemed like an obvious target. #infosec #osint
Searching our archived tweet data on about 350 #Hamilton68 accounts, sure enough these accounts had been injecting themselves into the debate on the upcoming Pelosi election. One particular tweet to a simple article caught our eye.
Displayed here are some example Tweets pushing this simple video posting. What is displayed here are not necessarily verified #Hamilton68 accounts, many are just activist accounts. #infosec #osint
Read 9 tweets
Great example of how geolocation and crowdsourcing works to assist investigations. @EmmanuelFreuden needed a video geolocated of buildings that had been burnt - hints were it was Kumbo in Cameroon. The following is how it was found. #Geolocation #OSINT Thread 1/👇
2/ There were direct clues in this video, which @Sector035 picked up a location for, in conjunction with tipoffs from @EmmanuelFreuden - they were tong structure, red roof, concrete square structure, long building and a light coloured roof.…
3/ In the video, we are also able to identify "GPS Bookstore". Plug that into Google and you get this result.… - It says "Squars" or Squares - an area in Kumbo.
Read 15 tweets
Just found an unlisted Pastebin shared by @James_inthe_box listing 124 #lokibot URLs. #osint
If you want to learn more about LokiBot, check out this write up.… #malware
If you want to learn more about my method of finding unlisted Pastebin pages, read here.… #osint
Read 3 tweets
Two days ago, Turkish sources revealed that Saudi Arabia dispatched a "clean up" team to Istanbul to cover up evidence of Jamal's murder. One of the members of this team were named as "chemist" Ahmed Abdulaziz Al Janoubi. Here's some #OSINT information about him.
On the 1st of October 2018 (one day before Jamal's murder), the Saudi forensics directorate posted about an event celebrating recent promotions within the department of forensics. They tweeted a thread with names & photos:
"Ahmad Abdulaziz Al Janoubi" is named as one of those recent promotions. He's seen in the picture here (left) and his name is listed. He's described in Arabic as "عميد" (corresponding to a Brigadier-General).
Read 10 tweets
Back on October 10th we got involved looking at a custom Twitter app called Tweetsquad that Ambassador Yakovenko at the Russian Embassy in London was using to promote embassy tweets. A tweet from @carolecadwalla attracted a number of #osint researchers
In the process of investigating this Tweetsquad app we identified some suspect accounts and @ChristinLuvsSno brought this account Leo Hawk @fractalhawk to our attention that appeared to be promoting Yakovenko tweets #osint #infosec
Analysis of @fractalhawk account had all the hallmarks of a Russian influenced #Hamilton68 Twitter account. #Hamilton68 accnts are Twitter accounts the German Marshall Fund has identified as Russian influenced propaganda accnts & many focus on US politics
Read 9 tweets
I hate the certification industry, it prevents talented people from participating, particularly younger and less well off. If you want to learn online #investigations I'll teach you everything I can with live support absolutely free. #OSINT #infosecjobs
If you can get an employer to pay then go for @SANSInstitute because @mcafeeinstitute stinks of stock photography and shyster marketing. Not to mention these people kick ass. @jms_dot_py @WebBreacher @kirbstr @baywolf88
An @OReillyMedia subscription ($39) and @jms_dot_py course ($45). These are what young #infosec / #OSINT investigators. Should be spending money on. Keeping low monthly payments allows people to get the skills while paying for quality.
Read 6 tweets
Let’s talk about an insane, criminal problem in digital media that gets no real media scrutiny: ad fraud. $19 BILLION will be stolen this year. Not wasted on ads that didn't work — straight up stolen by crooks!

My latest investigation, and a thread:…
Background: tons of digital ads are bought using automatic or tech-faciliated placements, aka programmatically. The process includes a glut of middlemen & players who take their cut. This opacity breeds confusion, which is perfect for criminals. Example:
Let’s break down one part of the scheme I exposed with help from @PixalateInc, Protected Media, @Malwarebytes. It starts with an email to a developer who built the Emoji Switcher Android app. This person says they want to buy his app. They agree to pay up front in bitcoin. Done.
Read 16 tweets
I have some important information about Tom Barrack, Jr., that I hope to share soon.

My cognitive skills have been limited recently (#Lupus), which is why I have not completed significant research threads in a while.

This is very important information.
2/ I will do this thread over time to accommodate my disability. Thank you for your patience.

Among Manafort’s U.S. holdings were estates in Manhattan — including one in Trump Tower — Palm Beach, and Bridgehampton, on Long Island. (See Mueller forfeiture).
3/ Two people loaned Manafort money to purchase the latter property: Tom Barrack, Trump’s major campaign funder, and an arms dealer named Abdul Rahman El-Assir, who is suspected of paying kickbacks to secure French weapons deals to Pakistan and Saudi Arabia.
Read 88 tweets
Now that Turkish officials have pledged that they'll release evidence (including video footage, focus on black car) that they say supports the claim that @JKhashoggi was killed shortly after entering the Saudi consulate in Istanbul, let's see what the #OSINT community can find.
A request to look at openly tracked flights from Istanbul to Saudi Arabia, or the other way around, has led to no results so far, but who knows what can still be found.
We've been looking at publicly available webcams around the perimeters of the Saudi consulate (h/t @evaludemann), but no webcam has been found. Here's the location:…. Pakistani consulate surely has camera footage, but will they publish it?
Read 32 tweets
Here is my experience with my very first Missing Persons #OSINT CTF in Sydney. What is this about? What did I find challenging? What will I do different next time? ⬇️

@DC011612 @V3rbaal @TraceLabs @defcon @mercuryiss
Briefly, the goal of the game is to gather as much information as possible about missing persons (the preferred naming convention is ‘subjects’) using non-intrusive open source intelligence (OSINT) techniques.
The first 8 hours of a missing person can be the most important to help the reunification efforts with their family. We were trying to track down four recently missing subject’s whereabouts during a 24-hour period.
Read 46 tweets
Meet Tim Graboski, aka whiterook6. He works for AggregateIQ as software developer. If that name sounds familiar, it’s because they helped #CambridgeAnalytica during the 2016 election. And apparently they’re still interested in our elections. #Midterms2018 #osint #infosec
We know that part of the seed data for the models used by CA came from Facebook surveys users filled in as part of an app. Well doesn’t this look familiar....this is a project called Campaign Pillar aka Check-In. “AIQ” is plainly visible. As are the targeted election questions.
Well this little gem comes to us courtesy of Tim’s GitHub repository, found here :… Currently available to the public (cloned in case it comes down).
Read 10 tweets
.@judicialnetwork is picking #SCOTUS for us, first #Gorsuch now #Kavanaugh. @ZeldaShagnasty shows here, the domain confirmkavanaugh(.)com was registered in 2/17. 3 similar sites (.net, .info and confirmkavanaughnow(.)com) in 7/18, all three on the same day. #osint #infosec
That date was 7/10/2018. Given that all domains were registered through GoDaddy’s anonymous registration service, WHOIS doesn’t tell us much. But the site is copywritten to @judicialnetwork, so we know they’re involved. Let’s take a look at the page source for the .com site:
Notice something? A template created for a Gorsuch themed site is being used for #Kavanaugh. Was there a confirmgorsuch(.)com too? Blank page currently, but sure enough one was setup 12/19/2016. And taken down 7/9/2018. Well, when did confirmkavanaugh(.)com go live?
Read 10 tweets

Related hashtags

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!