r/OSINT

Here is my issue, I can't connect a name and phone number to an address without creating a paid account through Property Radar or some other tool.
My goal is to have as much information as I can get about homeowners including name, phone and email so I can call the homeowner and pitch a free consultation for my friends electrical company.
I can dork the info with google but it takes too much time to make the list and it isn't organized
Anybody has any creative solutions?

Hey everybody

I'm a young journalist, and eager til learn more about OSINT, and looking for courses that can teach me some good basic skills (webscraping etc.) I checked out some of Bellingcats courses but they seem to be a bit to pricey for my budget. So does anyone have any good suggestions for some online OSINT-courses that are affordable? thanks in advance

I’ve been doing a few ctfs over the recent months, one thing I’ve noticed is when I’ve struggled to complete one and then watched the walkthrough, sometimes they’re using an AI agent to help.
Everyone seems to use a different one.
Is there generally a well regarded ‘one for all’ in terms of agents?
One ctf I use identical prompts in both ChatGPT and Gemini and Gemini got it right whereas ChatGPT was miles off.

Sharing notes from a year of trying to automate parts of source reliability scoring in a fact-checking pipeline. None of this replaces a human analyst with context, but pieces of it can do useful triage work at scale where humans can’t keep up with volume. Writing this up because it’s the kind of thing the OSINT community discusses better than anyone else, and I’d be curious to compare notes with people who do this in the field daily.

I ended up with three axes that I evaluate independently then combine with weights that vary by claim category. The axes are domain reputation, content recency, and cross-source confirmation. Each one fails in characteristic ways and each one taught me something the hard way.

Domain reputation is the most tempting and the most dangerous axis. The temptation is to maintain a curated list of trusted domains scored on a 0 to 10 scale: AFP at 9, nytimes.com at 8, randomblogger.substack.com at 2, and so on. This works for most claims and produces respectable triage. Where it breaks is what I call article-vs-domain variance. A normally credible outlet can run a poorly-sourced opinion piece. A normally unreliable outlet can run a properly-sourced investigation. Domain-level scoring will flag the first as trustworthy and the second as junk, and both calls will be wrong. My fix was to keep domain reputation as one input but never the deciding one, and to surface the gap between domain score and article-level signals as a flag for human review rather than absorbing it into a single number.

Content recency is the axis that looks easy and isn’t. The naive version is publication date: newer is better. This breaks immediately because the relevant freshness depends on the claim type. For a scientific claim, the most authoritative source is often a meta-analysis that’s three years old, not a press release from yesterday. For a political quote, the original transcription matters more than the seventh outlet’s summary. For an active event, anything older than 24 hours is borderline useless. I ended up with category-specific freshness functions: a decay curve for news claims, a step function for scientific claims (peer-reviewed vs not), a flat weight for definitional claims. Still imperfect, but vastly more honest than a single recency parameter.

Cross-source confirmation is the most powerful axis when it works and the most misleading when it doesn’t. The principle: a claim confirmed by N independent sources is stronger than the same claim from any one of them. The problem is independence is hard to verify automatically. Eight outlets running the same wire story are not eight independent confirmations, they are one source amplified. Two outlets owned by the same parent group with the same editorial line are not two independent confirmations either. My current approach is to cluster sources by likely independence (publisher, ownership, geographic origin, language family) and count distinct clusters rather than distinct URLs. It is still gameable, and a sufficiently coordinated influence operation can defeat it, but it kills the simplest forms of citation laundering.

A couple of general lessons took longer to learn than they should have. The first: surfacing the scoring per axis to the end consumer matters more than producing a single composite score. Investigators trust a system that shows them where confidence is coming from, and stop trusting one that hands them an opaque verdict. The composite is for triage. The breakdown is for decision-making.

The second: calibration on real cases beats theoretical purity every time. I had axis weights I was proud of on paper that produced terrible results on actual disputed claims. The fix was to assemble a labeled set of cases where I knew the right answer and tune until the system tracked human judgment, not until the math felt elegant.

What axes are you using formally or informally that I haven’t named here, and where have you seen automated scoring systems fail in ways that matter?

hello Internet armchair sleuths and cyber hacking whizzes! I'm looking for some guidance/ advice on getting into OSINT for journalism. Long story short, I've always thought I'd spend the rest of my life writing and reporting on the ground and talking to people, but AI is coming for my job and has already decimated my newsroom's headcount. I've survived layoffs so far, but my clock is ticking. The latest pivot that everyone seems to be trying to pick up is OSINT. Apparently, OSINT investigations are the future of human journalism, and leadership is willing to go to bat for the award-winning investigations team, which makes this skillset incredibly valuable. Only thing is, I can't code, I can't math, and I certainly have zero cybersecurity knowledge or techniques.

So my question is: where can I start learning all of this? Do I need to pick up coding first? Do I need to take a second degree in computer science, or attend night classes in cybersecurity? Where can I find online courses for OSINT that are geared more towards the techniques required for journos and less for the defence/military sector? And finally, the term OSINT appears to be extremely broad and vast. I feel the same way about young'uns reaching out for help in becoming "writers", and I'm like what kind of writing exactly??? So what sort of OSINT do journalists do?

Thanks so much y'alls - please help me not lose my job when I'm already desperately broke (:

I’ve worked in OSINT and online investigations for private companies for the past 4 years. There are some great video resources available but these tend to be on tools and geolocation.

I thought it could be cool to make content that takes viewers through the lifecycle of an OSINT investigation.

It’s unlikely that these will be once-off videos but rather cases with regular updates showing milestones and findings throughout, along with the different tools and resources I use along the way.

I love making and editing videos so that would also be a nice creative outlet for me.

I’ve got some decent experience and worked on some very interesting stuff - from standard corporate due diligence to tracing a Manila boiler room scam to a Canadian family man.

I’d love to hear what you all think of this idea!

Questions for the group:

Is this something y’all would be interested in watching?

How would you like to see the videos presented to maximise entertainment and learning?

Who/what should I look to investigate? Some ideas I’ve had:

- Look for people on the Interpol Red List
- Ask people to send me cases and if appropriate I can investigate them (like a local clothing brand who’s having their stuff counterfeited)
- Looking into corruption / public interest cases in the news
- Looking for scams online or asking people to send what they think might be scams and looking into them as a kind of due diligence exercise

*Any other suggestions? (*Also, if you are a lawyer - where is the line in terms of investigating these things and publishing my findings - I don’t want to get sued).

If you've come to an OSINT subreddit looking for advice but you don't do OSINT as a hobby or as a profession, I want to share some advice with you.

1. Asking us to do crimes for you, no matter how awesome and righteous your cause, is a huge no-no. Don't ask because if you do, someone will tell. And I don't mean to infer that we're all snitches but that a lot of us have jobs that come with badges, credentials, clearances, licenses, bonding, and insurance which require us to stay clear of getting involved in crime except to solve the ones we may be actively assigned to. And just because we may not have any of those special accouterments does not mean we will still entertain something like that. You may also be putting a ton of attention on yourself for asking for something many of us are tasked with investigating.

2. No matter how familiar or innocuous your backstory may appear, we have no way of knowing if fulfilling your request won't do others harm. This places them, you, and us in legal and physical jeopardy. In the best case scenario, we could just get fired from our jobs. However; that's not the only likely consequence we could suffer for an unauthorized disclosure.

3. Trust us when we tell you something can't be done or isn't worth your time. We may see pitfalls to what you're doing and how it could place you in peril. Many of us have been doing this since before many of you have heard of the Internet.

4. No. This is the answer you will get each and every time you ask if we can help you get a phone number, find your ex, lost parents, or even your dog. If you truly have a need to find someone to do that for you, look for a private investigator or consult an AI.

5. We won't be able to give you the name of a tool or an application that is your magic pill cure for getting that one piece of information you assume is so easy to get if you just had that one tool or app. Let me be honest - it doesn't exist. Breach data is cool but it can be dated which means it's only as good for as long as you don't change your information. People search sites can also have gaps. You get the idea, right.

6. No matter how you phrase your request, it will always be viewed as suspicious, especially when the request involves an ex and your inability to reach them. However; it's not limited to just that.

7. Patience does more to reach your goal than any instant phone number search ever could, in most of the circumstances I've seen here and in other places online.

8. Use the search function on this app. Look for requests like yours and how they were received. You'll notice some immediate commonalities.

9. READ the rules. Don't FAFO around with the mods. Trust me when I tell you they'd rather save this sub than allow it to be banned because someone's lovestruck ex wants to be able to call them "one last time". I'm not a mod but I have been around long enough to know "Homie don't play that".

10. If you don't want to be seen as weird, try to imagine how you appear hiring a PI or asking an OSINT subreddit to find your ex

I hope this helps and this is not directed at any particular person or account.

Long-time lurker. I do recon as a hobby and got tired of every

investigation starting the same way — sherlock, then theHarvester,

then holehe, then phoneinfoga, then a dozen tabs of crt.sh /

Wayback / HIBP.

So I spent the last few months building a single-menu Python

framework. Pick a number, run a module, get an HTML + JSON

report. 13 modules so far:

[1] Domain — WHOIS, DNS, SSL, WAF, crt.sh, Wayback, SPF/DKIM grade

[2] IP — geo, ASN, reverse DNS, port scan, 16 blacklists, threat score

[3] Email — SMTP existence, HIBP, Gravatar

[4] Username — 115+ platforms

[5] Phone — carrier, region, line type

[6] Google Dorks

[7] Auto Detect — infer input type, run everything relevant

[9] Email Header Analyzer — SPF/DKIM trace

[10] Leak Search — HIBP + paste sites + GitHub

[11] File Metadata — EXIF/GPS, PDF/DOCX

[12] URL Scanner — redirects + phishing score

[13] Network Scanner — subnet sweep + ports

[14] Crypto Wallet Lookup — BTC / ETH

What I'd genuinely like input on:

1. IP threat-scoring weights — currently blacklist hits 60%,

   port exposure 25%, geo-anomaly 15%. Anyone with stronger

   heuristics?

2. The username module hits 115+ platforms but a lot are

   unreliable. Which would you trim, which would you add?

3. Anything obvious missing from the module list?

Authorized targets only — strict on that.

What would you change?

​It started with reconnaissance. I noticed a cluster of IPs scanning specifically for .env files, .git configs, and neglected development environments. Unlike the usual PHP-based "spray and pray" attacks, this felt surgical. Ai analysis suggested this was specialized reconnaissance tailored to the framework I was running.

​Since I don’t keep sensitive configs in my production environment, I decided to provide the attacker with exactly what they were looking for. I placed ​created fake .env and .git/config file​. Loaded them with fake credentials, including canary tokens.

​It took a few days, but the scanner eventually bit. They downloaded the files and used the credentials.

​When the credentials were run, I caught the IP. While the IP was linked to a VPN, the User Agent was the first major "tell." It was a high-level Linux server and not the typical disposable cloud instance you see from automated botnets. This suggested a more permanent setup or a dedicated workstation.

​I searched that VPN IP and hit a breakthrough. It was linked to a high-profile account on PTT. The IP had been used as a security verification for signing onto that account and had been associated with the user for years.

​The profile handle used a feminine name, and early analysis of the metadata suggested a female persona. However, the linguistic style and the nature of the posts felt male.

​I took that username to Twitter to see if the identity crossed platforms. I found a coding guy for PTT explaining the specific meaning behind that username in a post. This was the missing link that connected the handle to an individual.

​His primary language of choice was Python.

He frequently discussed and built scraper tools and bots for people to use.

All of this matched the User Agent from the logs, which was hitting my server. The combination of the persistent VPN IP, the specific tech stack, and the unique username closed the loop. What started as a scan led to a developer's professional and social presence.

​Seeking Advanced Tooling / Advice

​I’m looking to evolve this "Active Defense" setup. I’ve proven that profiling the psychology and infrastructure works, but I need higher-level tools for the next phase.

​Advanced Honey-Logic: Does anyone have recommendations for "Active" honey-files? I’m looking for decoys (like .zip or .env files) that don't just alert on a download, but can trigger a metadata-grab or a "call-home" when processed on the attacker’s machine.

​Infrastructure Mapping: What are the best methods for tracking an actor once they realize they’ve been "burned" and shift to purely ephemeral cloud instances?

​OSINT Learning Resources: Any suggestions for resources that focus on the crossover between Infrastructure Analysis and Linguistic/Behavioral Profiling?

​If you’ve handled similar "Craftsman" level actors, I’d love to hear about your workflow or any scripts you recommend for better tracking.

I collect a lot of news from international RSS Feeds - 1000's of sites.
Over the last 2 months of collection from a specific RSS Feed, I have noticed a very strange pattern in this RSS Feed's article headlines and article descriptions.
The feed is https://belapan.com/rss
This domain was completely taken over by the Belarusian government in Jan 26.

Each day there is at least one new unique article that is just strings or random numbers, letters and symbols. (all are different and unique)

Example:
Article Headline:
belapan com MtCNTG 278 16558:98768 626 62944338_89538 372 230192_70084

Article Description:
belapan com MtCNTG 971 69916 24152 953 20128/56618 298 918632678:52346 424 59486-50497 635 5076664:39972 965 775500273 6933 680 53249341&94521 947 630898, 67425 294 74164 92735 469 621420750/87670

Article URL:
https://belapan.com/MtCNTG

If you visit that URL (don't unless you know what you are doing) you will see a paragraph or more of the same sort of random data.

On occasion and seemly randomly there will be a headline and description that says:
"I'm not going to tell you what I've been doing" or "I'm not sure if this is true, but I think it's true".

I have been trying to understand what this is and determine if there any recognizable patterns, but have not been able to discern any consistent pattern.

I have taken the data and had several local LLMs crunch it (up to 70 b) and also had Gemini take a pass at it. No patterns found.

Here is a .csv file that contains all the articles I collected, with full metadata, urls, vector data and more.
https://github.com/Rybatter50-cloud/Feeds/blob/main/belapan.csv

I think this might be some sort of RSS "Numbers Station".
Am I wrong?

Has anybody made this move, if so, how did you find it? What was the biggest pain point after making the switch?

What techniques did you learn? What tools became indispensable to your everyday investigations work that you didn’t use in the newsroom?

If you aren’t an ex-journalist yourself but work in corporate investigations, what advice do you have?

I’m thinking of making this switch, and have been presented some opportunities to freelance / do sub-contract work in this space. Any insights welcome! I am curious.

I'm writing this using Google Translate: I wanted to know if there's a kind of "OSINT" way to find out if someone is stalking us on Twitter? Like, looking at our profile, etc. I don't really know much about this, so maybe I should apologize for the impertinence of my question? I don't know, lol. Answer me if you can.

Title basically says everything, but I have been trying to find a phone number from an instagram account and have been unsuccessful. Could someone help me out