Social-media OSINT used to be one of the easier specialities in the discipline. The major platforms had relatively open APIs, search interfaces that exposed substantial data, and tooling that automated most of the workflow. The past several years have changed this in nearly every direction. Twitter’s transformation into X dramatically restricted API access. Meta has progressively hardened its public-facing search. Telegram and Discord have grown to host significant volumes of investigative-relevant content with their own quirks. The state of practice in 2026 is meaningfully different than it was even three years ago.
A platform-by-platform survey.
Twitter / X
The 2023-2024 changes under new ownership transformed the platform’s accessibility for OSINT. The free public API was discontinued; the paid tiers are expensive ($200/month for basic access, with restrictive query limits); third-party tools that depended on the API were broken.
What still works:
Native search via the web interface. Advanced search at twitter.com/search-advanced supports operators like from:, to:, since:, until:, min_replies:, geographic and language filters. Often more useful than the API for ad-hoc investigations.
Snscrape (github.com/JustAnotherArchivist/snscrape). Maintained scraping tool that works without API access. Functionality has been intermittent as X has tightened anti-scraping measures; it has continued to work after each round of changes, but with reduced capabilities.
Archive Today and the Wayback Machine. Snapshot URLs let you preserve content that may later be deleted. Critical for investigations where the target may delete posts.
Twscrape, Twint forks, and other community tools. Variable quality and reliability.
Migration analysis. Many former Twitter users have moved to Bluesky, Mastodon, Threads, or Telegram. Following an account across platforms has become part of social-media OSINT.
The OSINT community on what was Twitter, the OSINT and security researcher community, has fragmented. Significant activity now happens on Bluesky and Mastodon (particularly the infosec.exchange instance), in addition to remaining on X.
Bluesky and Mastodon
The federated and decentralised alternatives have grown substantially.
Bluesky uses the AT Protocol; their public API allows scraping and analysis without significant restriction. Tools like firesky.tv (the public timeline visualiser) and various API clients work with little friction.
Mastodon is fully federated; each instance has its own moderation and visibility settings. Public timelines are scrapeable; some instances explicitly opt out. The infosec community on infosec.exchange in particular has become a significant source for early threat-intelligence reporting.
These platforms are growing OSINT relevance as more communities migrate. The methodology is largely the same as classical Twitter OSINT.
Meta platforms (Facebook, Instagram, WhatsApp, Threads)
Facebook’s public-facing search has been restricted progressively. Specific search modes that were once useful (search by person, search by interest, photo search by location) have been removed. The Graph Search era is over.
What still works:
Public Pages and Groups. Content posted to public Facebook pages and groups remains accessible. Search within the platform is functional but less powerful than historically.
Facebook Ad Library (facebook.com/ads/library/). Mandated by various regulations; provides searchable access to all advertising on Meta platforms. Useful for investigating coordinated inauthentic behaviour.
Public Profile information. Names, photos, and limited public posts remain visible to users not logged in.
Instagram public profiles, hashtags, and locations remain searchable. The geographic filter on locations has been removed but tagged photos remain findable.
Threads (Meta’s Twitter alternative) has limited search but is growing.
WhatsApp is fundamentally a closed system. Group join links and channel discoveries are findable; group contents are not, except via membership.
Tools for Meta OSINT have largely retreated to web-interface workflows rather than API-based automation.
Telegram
Telegram has grown into one of the most consequential platforms for investigative work, particularly around criminal communities, political extremism, and certain national-security adjacent topics.
The platform’s structure:
Public channels. One-to-many broadcast; subscribable by anyone with the link or via search. Content is searchable from within the app.
Public groups. Many-to-many; sometimes unlisted but joinable via link. Content is searchable from within the app for joined groups.
Private channels and groups. Invite-only; not directly accessible without an invitation.
Bots. Programmable accounts that can post, search, and interact with channels and groups.
Tools for Telegram OSINT:
Telegago (telegago.com). Custom Google search that searches across telegra.ph and channel previews indexed by Google.
TGStat (tgstat.com). Russian-language interface; comprehensive Telegram channel analytics and search.
Telethon and Pyrogram. Python libraries for programmatic Telegram interaction. Useful for systematic monitoring of public channels.
Telegram’s own search. Functional but limited; manual exploration is often necessary.
Operationally, Telegram is the platform where many ransomware operators, dark-web markets, and politically extreme communities congregate. Investigative work in this space requires careful OPSEC; the platform is more freely accessible to investigators than the dark web equivalent, but the communities are aware of being observed.
Discord
Discord has grown into a hub for developer communities, gaming, criminal subcultures, and various political fringe. The platform is structurally less open than Telegram:
Public Discord servers are joinable via link but not searchable from outside.
Discord’s search within a server is functional but limited.
Bot frameworks (discord.py, Discord4J) allow systematic monitoring of joined servers.
Several investigations of leaked classified material have involved Discord servers (the 2023 Pentagon leak case being the most prominent). Investigative methodology for Discord has caught up partially; it remains less developed than for older platforms.
TikTok
TikTok presents its own challenges:
Public videos are searchable through the app; web interface is more limited.
The recommendation algorithm is opaque; investigative observation of "what is being shown to whom" is hard.
Tools like TikScraper and various API clients have variable reliability as TikTok has tightened access.
The platform is significant for disinformation and influence-operation analysis; the methodology is more manual than for older platforms.
Reddit’s IPO and API changes in 2023 reduced third-party access. The free API tier remains, with rate limits.
What still works:
Native search; reasonably powerful with operators.
Pushshift (pushshift.io). Long-running archive of Reddit data; access has been restricted to authorized researchers since the 2023 changes but remains a source where access is permitted.
Old Reddit (old.reddit.com) interface offers different views and is more amenable to scraping.
Subreddit-specific archive projects.
LinkedIn is structurally restrictive but remains essential for professional-context OSINT.
What works:
Public profile information visible without login (limited).
Search via Sales Navigator (paid) for advanced filters.
Phantombuster, Octopus, and similar scraping tools at the edges of TOS.
Inferences from connection patterns, posted activity, employment history.
Facebook OSINT and LinkedIn OSINT are both tightly tied to platform terms; aggressive scraping invites legal risk.
Specialised tools
Several tools cut across platforms:
Sherlock (github.com/sherlock-project/sherlock). Search for usernames across hundreds of platforms.
Maigret (github.com/soxoj/maigret). Sherlock alternative with broader coverage.
OSINT Industries (osint.industries). Commercial; specialised in social-media account discovery from email and phone.
Epieos (epieos.com). Commercial; account enumeration from email addresses.
Various breach-data services. Combining breach data with social-media account-mapping tools produces detailed identity inferences. The ethical and legal considerations are non-trivial.
Methodology common to all platforms
A few patterns that apply universally:
Username consistency. People often use the same username across platforms. Sherlock-style enumeration is the first move on any new identity.
Temporal patterns. Posting times often reveal time zones; patterns reveal sleep schedules and rough geographic location.
Network analysis. Who follows whom, who is connected to whom, who interacts with whom, the social graph is often more informative than the content.
Content cross-referencing. The same image, video, or text appearing on multiple platforms allows cross-validation; differences across platforms reveal what is being curated.
OPSEC. The investigator’s own footprint matters. Sock-puppet accounts (where ethical and legal), non-attributable infrastructure, and discipline about what queries are made from which accounts are part of professional practice.
Documentation. Screenshot everything. Platforms delete content; targets edit posts; capabilities change. The archive you build today is what survives the next platform restriction.
The longer trend
Platforms have hardened progressively. Each year the API surface for OSINT shrinks; manual workflows expand to fill the gap; community tools work harder to maintain capability.
Two countervailing trends matter:
Regulatory transparency requirements (Digital Services Act, US state laws on platform transparency) are forcing some platforms to expose more researcher-accessible data. The DSA’s Article 40 access for "vetted researchers" is the highest-profile example.
Decentralised and federated platforms (Bluesky, Mastodon, Nostr) are growing and are structurally more open. Some OSINT relevance is migrating to them.
The pragmatic 2026 advice: master the manual web-interface skills, automate where the platform allows, archive aggressively, document everything, and accept that the discipline requires more effort than it did five years ago. The work remains essential and consequential; the methods continue to adapt.