Author: Polem4rch

Hi, my name is Polem4rch and I’m an open-source intelligence (OSINT) engineer and bug bounty hacker. My journey into this field started after watching Hackers, which probably sparked the interest of many other hackers too. From there, things were a bit of a struggle as I worked out my place in this world. I was fed up with my workplace (completely unrelated to hacking) and started looking for alternative careers. After studying cybersecurity for a year, I began staying up late at night consuming everything available to me, and during this time I discovered OSINT. OSINT stood out to me because it formalized a way of collecting data that I was already practicing.

Open-source intelligence (OSINT)

What exactly is OSINT? It is the process of accessing, gathering, and analyzing free and publicly available information for intelligence purposes. OSINT plays a role in everyone’s day-to-day life: when you scour the internet for the best price on a plane ticket or a product, you are applying the OSINT process, using the tools available to you to find something you need. Recently, I won the Social Engineering CTF at Argentina’s Ekoparty 2024 using OSINT. Finding the information was only part of the challenge; the trickiest part was gathering and analyzing the data to produce a finding.

Another simple way of thinking about OSINT is to embody the role of a detective—yes, like the ones in TV shows or movies. They find leads, pull at strings, dig deeper into points that stand out, and bring all the information together to uncover even more information and eventually close in on something big.

There are many real-world and TV cases where OSINT methods allowed investigators to find culprits, criminal organizations, and more. Every investigation depends on what information is publicly available: photos, videos, emails, nicknames, places of work, friends; the options are endless. Yet limits exist, and they differ depending on who is doing the investigating.

Some key differences between OSINT in hacking and OSINT in detective work are the relationship you have with the authorities, the tools and data you can use, and the budget. Another main difference is the target: OSINT in hacking usually concerns target organizations, criminal organizations, and private companies, not individual people.

Therefore, OSINT in hacking is more about the technologies a company uses, its third parties, and information disclosure, while OSINT for detectives is about discovering and analyzing particular individuals and their activities.

How a Netflix documentary introduced OSINT to the masses

In 2019, Netflix released a documentary titled Don’t F**K With Cats. Luka Magnotta of Canada had posted graphic videos online, which led everyday people to use their internet sleuthing skills to find him and ultimately to provide evidence that contributed to his conviction.

This famous case started with online videos of an individual harming animals. It didn’t take long for viewers to feel enraged and want the man held accountable. From there, the internet sleuths started their own OSINT missions by closely examining the videos: gathering leads from an intense analysis of the background of each video and relying on the community to corroborate the intelligence gathered. People focused on bed covers, paintings, roads, desks, and anything else that could be used to identify the culprit. At the time (2010), the metadata of photos posted on social media was not stripped by default the way it is today (2025): most major platforms now remove EXIF data, including GPS coordinates, on upload. Back then, that metadata added a layer of intelligence to the case that we rarely see today.

What pushed people to dig into Luka Magnotta is that many knew that individuals who commit acts of animal cruelty often go on to commit further crimes, frequently escalating in severity. This spurred a desire to stop him.

The internet sleuths created a private group that regularly shared data and any new findings on the culprit. They also shared photos, screenshots, and messages and theorized about the criminal’s whereabouts. They went even further and drew schematics of rooms based on the videos uploaded to the internet. They analyzed sounds, weather, and the multiple social media accounts the killer had created. Later, the online sleuths found metadata in the photos that gave up the criminal’s name, GPS location, and much more. From there, they compiled all the evidence and sent it to a detective in the local police department so the police could pursue their own investigation.

The investigation took a grim turn with the discovery of a human victim. The internet group was angry with local law enforcement: they had provided police with addresses and enough detail to find the killer, but the police had not taken the online group or its evidence seriously. Eventually, the police asked the online group for help in gathering evidence. The killer was identified and, after fleeing to France and then Germany, was apprehended and extradited back to Canada, where he was given a life sentence.

Social media played a huge role in this case. It gave the perpetrator a platform to feed his ego, but it also exposed him by providing a very large surface area of data to analyze. Investigators were able to glean the tiniest of details, even finding the exact vacuum cleaner model he used. Social media also gave the internet sleuths a shared space to investigate, share ideas, and make plans.

This shows how a little data can lead to huge repercussions.

The role of social media

These days, social media is a crucial asset in investigations and is used extensively to build profiles of individuals. Criminal psychologists create profiles that highlight a perpetrator’s lifestyle, assets, cars, purchases, peer groups, and more. Individuals who want to minimize their digital footprint have to pay attention to social media. Oftentimes, a leak comes from a family member or a friend. For example, you could be very protective of your digital footprint and avoid social media, but your grandma, your aunt, or someone else might be posting photos of you.

The dangers of a loose digital footprint are high. The impact ranges from financial disaster to impersonation, physical attacks, and swatting. Attackers keep finding new ways to intimidate, harass, or harm people using their data. A common example is a fitness tracker watch: it may record when you run, where you run, and what time you run. Many don’t think twice about their workout data being public, but it can have dangerous consequences. The start and end points of a run are usually a home or a workplace, and repeated timestamps reveal a routine.

Sometimes, OSINT is enabled by leaks from GPS-based fitness services like Garmin or Strava. For example, when GPS traces are published, even in aggregate, the locations and layouts of military bases can be identified from the exercise routes of the personnel stationed there. Some services share activity data publicly by default, so anyone can find the GPS location of a specific individual and then cross-reference that data with social media to confirm who and where the individual is. This recent article highlights this very issue and what security researchers are asking companies to do about it.
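To make the fitness-tracker risk concrete, here is an added example (written for this article, not a tool from Strava, Garmin, or any other vendor) that parses a GPX export, which is the common interchange format for recorded activities, and shows what a few public runs give away: the start/end points cluster at one spot (the likely home), and the start times cluster in one window (the routine). The GPX document, its coordinates, and its timestamps are all constructed for the example.

```python
"""Added example: what a handful of public workout exports reveal.

Illustrative code written for this article, not any tracker vendor's tool.
The GPX below is constructed by hand; every coordinate and timestamp is made up.
"""
import math
import xml.etree.ElementTree as ET
from collections import Counter
from datetime import datetime

# Constructed sample: three short runs that all start and end within a few
# metres of the same spot, which is exactly what a public activity feed exposes.
SAMPLE_GPX = """<gpx version="1.1" creator="example" xmlns="http://www.topografix.com/GPX/1/1">
  <trk><name>Morning run</name><trkseg>
    <trkpt lat="48.85837" lon="2.29448"><time>2024-05-06T06:31:00Z</time></trkpt>
    <trkpt lat="48.86100" lon="2.29900"><time>2024-05-06T06:45:00Z</time></trkpt>
    <trkpt lat="48.85840" lon="2.29451"><time>2024-05-06T07:02:00Z</time></trkpt>
  </trkseg></trk>
  <trk><name>Morning run</name><trkseg>
    <trkpt lat="48.85841" lon="2.29445"><time>2024-05-07T06:28:00Z</time></trkpt>
    <trkpt lat="48.85500" lon="2.30200"><time>2024-05-07T06:44:00Z</time></trkpt>
    <trkpt lat="48.85836" lon="2.29450"><time>2024-05-07T06:58:00Z</time></trkpt>
  </trkseg></trk>
  <trk><name>Morning run</name><trkseg>
    <trkpt lat="48.85835" lon="2.29452"><time>2024-05-09T06:35:00Z</time></trkpt>
    <trkpt lat="48.86300" lon="2.29100"><time>2024-05-09T06:52:00Z</time></trkpt>
    <trkpt lat="48.85839" lon="2.29447"><time>2024-05-09T07:10:00Z</time></trkpt>
  </trkseg></trk>
</gpx>
"""

NS = {"gpx": "http://www.topografix.com/GPX/1/1"}


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    r = 6371000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dl = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def parse_tracks(gpx_text):
    """Return a list of tracks, each a list of (lat, lon, utc_datetime) points."""
    root = ET.fromstring(gpx_text)
    tracks = []
    for trk in root.findall("gpx:trk", NS):
        pts = []
        for pt in trk.findall(".//gpx:trkpt", NS):
            t = pt.find("gpx:time", NS)
            when = datetime.fromisoformat(t.text.replace("Z", "+00:00"))
            pts.append((float(pt.get("lat")), float(pt.get("lon")), when))
        if pts:
            tracks.append(pts)
    return tracks


def infer_home(tracks, radius_m=50.0):
    """Cluster every start and end point; the cluster hit most often is the
    likely home (or workplace). Returns (lat, lon, hit_count)."""
    anchors = []
    for pts in tracks:
        anchors.append(pts[0][:2])
        anchors.append(pts[-1][:2])
    clusters = []  # (lat, lon, count), seeded by the first point seen nearby
    for lat, lon in anchors:
        for i, (clat, clon, n) in enumerate(clusters):
            if haversine_m(lat, lon, clat, clon) <= radius_m:
                clusters[i] = (clat, clon, n + 1)
                break
        else:
            clusters.append((lat, lon, 1))
    return max(clusters, key=lambda c: c[2])


def routine(tracks):
    """Most common start hour (UTC) and how many runs began in it: the
    predictable window when the person is reliably away from home."""
    hours = Counter(pts[0][2].hour for pts in tracks)
    return hours.most_common(1)[0]


if __name__ == "__main__":
    runs = parse_tracks(SAMPLE_GPX)
    lat, lon, hits = infer_home(runs)
    hour, count = routine(runs)
    print(f"likely home: {lat:.5f}, {lon:.5f} ({hits} start/end points within 50 m)")
    print(f"usually leaves around {hour:02d}:00 UTC ({count} of {len(runs)} runs)")
```

The 50 m radius is deliberately loose: consumer GPS is noisy, and a privacy zone that hides only the last few hundred metres still leaves the cluster intact, which is why researchers ask vendors to default activities to private rather than rely on trimming.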

Another example of OSINT and social media being used in the wild is the war in Ukraine. Many videos have been shared on platforms like Telegram and Instagram, which has led to leaked base locations and factory bunkers. Analysts geolocate the photos and videos of transport lines shared across those platforms by cross-referencing the imagery against Google Maps or Google Street View, and as a result they can pinpoint locations with excellent accuracy.

What should we look for when conducting OSINT for hacking?

It’s important to understand that OSINT isn’t a hands-off methodology in the way that running a scanner against infrastructure is; it takes sustained manual attention. It is also passive: you collect what is already public rather than touching the target’s systems. The information gathering required for hacking is not the same as that required for individuals sleuthing the internet. Information gathering for hacking focuses on details of the technology in use or on confidential company data.

When combing through company data, think about the impact of a given piece of information. There are endless places where impactful data can live, and finding it can lead to big payouts. Try exploring the following areas:

  • Internal documents
  • Manuals
  • Training materials
  • Confidential files
  • Internal server configurations
  • Development team notes
  • Credentials
  • Contracts
  • Logs
  • Outlook or communication messages
  • Employee data or customer data

There is a lot of information to sift through, so it’s important to fine-tune your skills and learn to quickly tell what is and isn’t important. For example, many files are labeled “confidential” but aren’t actually impactful. Another example is investor reports: they often look important because of their classification label, but they rarely reveal anything useful.

Pro tip: To confirm that a document belongs to the target, rely on the document itself. Often it holds metadata (author, company, and last-modified-by fields), but most of the time it’s the names inside the document that are most valuable. Once you have names, work backwards: derive likely email addresses from the organization’s address format, then use social media to match the people to the company.

Once there’s a match, report it! Always read the program’s scope and report ethically.
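The pro tip above, carried through in code as an added example (not the article’s own tooling): an Office document is a zip archive whose docProps/core.xml and docProps/app.xml carry the author, last editor, creation date, and company, and those names can be turned into candidate email addresses once you know the organization’s address format. The .docx is built in memory so the script runs offline; the names, company, and domain in it are made up, and which address format applies is something you confirm from a known-good address, not something the code guesses for you.

```python
"""Added example (not from the article): pull ownership metadata out of an
Office document and turn the names it contains into candidate e-mail addresses.

The .docx here is constructed in memory so the script runs offline; every
value in it (names, company, domain) is made up for the example.
"""
import io
import re
import unicodedata
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}

# Constructed sample contents of docProps/core.xml and docProps/app.xml.
CORE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" xmlns:dcterms="{dcterms}">
  <dc:title>Internal onboarding runbook</dc:title>
  <dc:creator>Ana Pérez-Castillo</dc:creator>
  <cp:lastModifiedBy>Jonas Weber</cp:lastModifiedBy>
  <dcterms:created>2023-11-02T09:14:00Z</dcterms:created>
</cp:coreProperties>""".format(**NS)

APP_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Properties xmlns="{ep}"><Company>Example Corp</Company></Properties>""".format(**NS)


def build_sample_docx():
    """Build a minimal .docx (a zip with the two metadata parts) in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")  # real files carry more; irrelevant here
        z.writestr("docProps/core.xml", CORE_XML)
        z.writestr("docProps/app.xml", APP_XML)
    return buf.getvalue()


def extract_metadata(docx_bytes):
    """Return the ownership-relevant fields from docProps/*.xml, if present."""
    meta = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        names = set(z.namelist())
        if "docProps/core.xml" in names:
            core = ET.fromstring(z.read("docProps/core.xml"))
            for key, path in (("title", "dc:title"), ("creator", "dc:creator"),
                              ("last_modified_by", "cp:lastModifiedBy"),
                              ("created", "dcterms:created")):
                el = core.find(path, NS)
                if el is not None and el.text:
                    meta[key] = el.text.strip()
        if "docProps/app.xml" in names:
            app = ET.fromstring(z.read("docProps/app.xml"))
            el = app.find("ep:Company", NS)
            if el is not None and el.text:
                meta["company"] = el.text.strip()
    return meta


def normalize(part):
    """ASCII-fold and strip punctuation so 'Pérez-Castillo' -> 'perezcastillo'."""
    folded = unicodedata.normalize("NFKD", part).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z]", "", folded.lower())


# Common corporate address formats. Which one the target uses is confirmed from
# a known-good address (press release, website), not guessed.
FORMATS = {
    "first.last": "{first}.{last}",
    "flast": "{f}{last}",
    "firstl": "{first}{l}",
    "first_last": "{first}_{last}",
}


def email_candidates(full_name, domain, fmt=None):
    """Candidate addresses for a name; one if the format is known, else all."""
    tokens = [normalize(t) for t in full_name.split()]
    tokens = [t for t in tokens if t]
    if len(tokens) < 2:          # a single name can't fill first/last patterns
        return []
    first, last = tokens[0], tokens[-1]
    chosen = [fmt] if fmt else list(FORMATS)
    return [FORMATS[k].format(first=first, last=last, f=first[0], l=last[0]) + "@" + domain
            for k in chosen]


if __name__ == "__main__":
    meta = extract_metadata(build_sample_docx())
    print(meta)
    for person in (meta.get("creator"), meta.get("last_modified_by")):
        print(person, "->", email_candidates(person, "example.com"))
```

Candidate addresses are leads, not findings: the match only counts once a public profile ties the name to the company, and the finding you report is the document disclosure itself, not the address list.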

Anyone can be an OSINT analyst

What distinguishes successful hackers is their attention to detail. Cross-referencing data is something we all do; searching for patterns is a human trait. How we do it, though, is what marks the difference between a hacker and an internet sleuth.