The Bellingcat Methodology: How Open-Source Journalism Solved Real Cases

By Jesse William McGraw, April 26, 2026

Bellingcat is the open-source-investigation organisation that, more than any other in the past decade, demonstrated what is possible when systematic OSINT methodology is applied to consequential investigations. Founded by Eliot Higgins in 2014, initially as the personal blog "Brown Moses" focused on the Syrian civil war, Bellingcat has grown into an international team of investigators whose published work has, in multiple cases, contributed evidence later cited in international criminal proceedings.

Their methodology is documented, teachable, and increasingly emulated. Understanding how they work is one of the most useful exercises for any investigator wanting to operate at that standard.

The published archive of investigations is at bellingcat.com. The training arm, the Bellingcat Discord and online courses, are accessible. The methodology has been written about extensively, including in Higgins’ 2021 book "We Are Bellingcat."

The defining cases

Several investigations stand out for what they demonstrated about open-source methodology:

MH17 (2014 onwards). The Malaysia Airlines passenger jet shot down over eastern Ukraine. Bellingcat’s investigation reconstructed, from open-source imagery and social-media posts, the path of a Buk anti-aircraft missile launcher from a Russian base in Kursk to the launch site in Ukraine and back. The work used satellite imagery, social-media posts by Russian soldiers (subsequently deleted but archived by investigators), traffic-camera footage, and ground photographs. The reconstruction was so detailed that it was later cited extensively by the Dutch-led Joint Investigation Team and by Dutch courts.

Skripal poisoning (2018). The attempted assassination of former Russian intelligence officer Sergei Skripal in Salisbury, UK. Bellingcat identified the two GRU officers responsible, Anatoliy Chepiga and Alexander Mishkin, using open-source records, leaked databases, and travel records. The identification was confirmed by other journalistic outlets and by UK authorities.

Russian opposition leaders investigations. The 2020 poisoning of Alexei Navalny: Bellingcat identified the FSB officers involved by combining flight records, mobile-phone metadata leaks, and matching social-media artefacts. The investigation, published with Christo Grozev as lead, is one of the most striking examples of open-source identification of state-actor operatives.

GRU operations across Europe. Identification of GRU Unit 29155 officers involved in destabilisation operations across multiple European countries, including the Vrbětice depot explosions in the Czech Republic.

January 6, 2021 US Capitol attack. Bellingcat contributed to the open-source effort to identify rioters from photo and video evidence. The community of volunteers (Sedition Hunters and others) extended the methodology.

War crimes documentation in Ukraine since 2022. Geolocation and verification of strike sites, identification of perpetrators, preservation of evidence for potential later prosecution. The Eyes on Russia map and the Civilian Harm in Ukraine database are central deliverables.

These investigations have produced prosecutions, sanctions, public attribution, and shifts in international diplomatic posture. The methodology is consequential because it works.

The methodology

Pulled apart, the Bellingcat approach has several distinctive elements:

Hypothesis-driven investigation. Each investigation starts with a question that can be answered by available evidence. "Where was this missile launcher on July 17, 2014?" "Who is the man identified as Boshirov?" "Which GRU officers were involved in Navalny’s poisoning?" The question shapes what data is collected and how it is analysed.

Maximalist source collection. Wide casting of nets across imagery, social media, leaked databases, public records, satellite imagery, official statements, and witness accounts. The quantity of source material is what enables the cross-corroboration.

Patient verification. Each piece of evidence is verified independently before being treated as established. Geolocation, time-of-day analysis from shadows, cross-reference between sources, archive of original artifacts. The verification trail is part of the deliverable.

Transparent methodology. Bellingcat’s published work shows its work. Methodology sections describe what was done; sources are linked; reasoning is exposed. The reader can audit the investigation.

Collaborative analysis. Investigations are typically team efforts; multiple perspectives reduce the risk of confirmation bias and missed inferences.

Long timelines. Major investigations take months to years. The Skripal investigation continued for over a year before the second suspect was named; the GRU work has continued for nearly a decade.

Use of leaked data, ethically. Bellingcat works with leaked datasets (flight records, phone-metadata leaks, telecom databases) in jurisdictions where the use is lawful and where the data has been verified. The ethical guardrails are explicit.

Adversarial mindset. The investigators expect counter-OSINT efforts: deletion of social media posts, denial of established events, disinformation campaigns targeting the investigation itself. The methodology is designed for adversarial conditions.

Specific techniques borrowed from Bellingcat

Several techniques are now standard in the broader OSINT community largely because of Bellingcat’s prominent application:

Satellite-imagery-based reconstruction. Using sequential satellite imagery (Sentinel-2, Maxar, Planet) to determine when a piece of equipment moved, when a structure was built, when a road was used.

Vehicle tracking through social-media imagery. The pattern of a specific vehicle (distinctive markings, license plate where visible) appearing in successive locations and times.

Travel-record cross-referencing. Combining airline manifests, customs records, hotel registration data (where available through leaks), and public mentions to reconstruct movement.

Identification through document leaks. Russian phone-record databases, Ukrainian databases, and various leaks providing background information that, combined with photographs and travel records, produces unambiguous identification.

Network-pattern analysis. Identifying the social and operational network around an individual through their connections, their phone-call patterns, their colleagues’ patterns.

Temporal cross-checking. Building a timeline of events from multiple sources and identifying inconsistencies that reveal misinformation.
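A minimal sketch of temporal cross-checking, added here as an illustration and not taken from Bellingcat's own tooling: each source contributes a time window for the same event, a sweep over the window boundaries finds the interval supported by the most sources, and any source that cannot fit that interval is flagged for review. The `Claim` type, the function names and the sample windows are all constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class Claim:
    source: str         # where the time estimate came from
    earliest: datetime  # earliest moment the event could have happened (UTC)
    latest: datetime    # latest moment the event could have happened (UTC)

def consensus_window(claims):
    """Sweep the interval boundaries to find the window covered by the most claims."""
    if not claims:
        raise ValueError("no claims to compare")
    points = []
    for c in claims:
        if c.latest < c.earliest:
            raise ValueError(f"{c.source}: window ends before it starts")
        points.append((c.earliest, 0))  # 0 sorts a start before an end at the same instant
        points.append((c.latest, 1))
    points.sort()
    count = best = 0
    start = end = None
    for t, kind in points:
        if kind == 0:
            count += 1
            if count > best:  # a new maximum overlap begins here
                best, start, end = count, t, None
        else:
            if count == best and end is None:
                end = t       # the first claim to close ends the best window
            count -= 1
    return start, end, best

def cross_check(claims):
    """Return the best-supported window and the sources that cannot fit inside it."""
    start, end, support = consensus_window(claims)
    outliers = [c.source for c in claims if c.latest < start or c.earliest > end]
    return {"window": (start, end), "support": support, "outliers": outliers}

def at(hhmm):  # helper for the constructed sample below
    return datetime.strptime("2024-03-10 " + hhmm, "%Y-%m-%d %H:%M")

# Constructed sample: five independent estimates of when one event happened.
SAMPLE = [
    Claim("photo_metadata", at("13:50"), at("14:20")),
    Claim("shadow_analysis", at("13:30"), at("14:30")),
    Claim("social_post", at("12:00"), at("14:45")),
    Claim("cctv_frame", at("14:10"), at("14:12")),
    Claim("official_statement", at("16:00"), at("16:30")),
]
```

An outlier is a lead, not a verdict: the flagged source may be wrong, misdated, or describing a different event, and each case needs its own verification.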

The Bellingcat training programs at bellingcat.com/category/resources/how-tos/ document the methods explicitly.

What the methodology requires

Bellingcat-quality investigations are not casual undertakings. They require:

Time. Major investigations are dozens to hundreds of person-hours of work. Casual searching does not produce Bellingcat-quality findings.

Skills. Geolocation, image analysis, archive search, language facility (English alone is insufficient for most investigations involving non-English-speaking subjects), database query skills, and judgement.

Tools. The full OSINT toolkit covered in the previous posts in this category. Bellingcat publishes their internal tool list periodically.

Discipline. The verification standards, the documentation practices, the willingness to publish only when confidence is justified.

Ethical framework. The decisions about what to investigate, what to publish, how to handle innocent bystanders in source material.

OPSEC. Russian and other state actors have targeted Bellingcat investigators directly; physical safety considerations are part of the work.

Many of these are scarce in casual practice. Bellingcat’s success comes partly from operating at scale and with discipline that less-resourced investigators struggle to maintain.

What this means for the broader OSINT community

The Bellingcat example has shifted the discipline:

Standards have risen. The bar for "credible open-source investigation" is now closer to what Bellingcat publishes than to what casual researchers could produce a decade ago.

Methodology has been documented. The Bellingcat How-Tos and the broader training ecosystem mean that the techniques are teachable rather than tribal knowledge.

Communities of practice have formed. Sedition Hunters for the January 6 work, the Eyes on Russia network, and the various war-crimes documentation efforts are larger than Bellingcat itself and apply the same methodology.

Adversarial response has intensified. Counter-OSINT, disinformation aimed at investigators, and direct intimidation have all increased. The work has become harder; it has also become more important.

Bellingcat itself has expanded: the core team has grown, the funding model has matured, and the geographic and topical scope has widened. The organisation has become institutional in a field that was previously informal.

Lessons applicable to less ambitious investigations

A casual OSINT practitioner cannot produce a Skripal investigation. They can borrow specific principles:

Start from a clear question, not from "let me see what I can find about X."

Verify before believing. Cross-reference sources; do not treat any single source as authoritative.

Document everything. The investigative trail is the deliverable, not just the conclusion.

Be transparent about methodology. Show your work.

Acknowledge uncertainty. Say what you do not know; do not stretch evidence.

Plan for adversarial conditions. Sources will be deleted; subjects will lie; investigations will be attacked.
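One way to put "document everything" and "sources will be deleted" into practice, shown as an added example that is not Bellingcat's own code: a hash-chained capture log that records a SHA-256 of every archived artifact and links each record to the one before it, so later edits to the trail or to a stored copy become detectable. The field names, function names and `example.org` URLs are assumptions made for this illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # "previous hash" used by the first entry
FIELDS = ("url", "captured_at", "sha256", "note", "prev")

def hash_entry(entry):
    """Hash the record's fields in a fixed order so any edit changes the digest."""
    body = {k: entry[k] for k in FIELDS}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append_capture(ledger, url, captured_at, content, note=""):
    """Record one archived artifact (raw bytes) and link it to the previous entry."""
    entry = {
        "url": url,
        "captured_at": captured_at,
        "sha256": hashlib.sha256(content).hexdigest(),
        "note": note,
        "prev": ledger[-1]["entry_hash"] if ledger else GENESIS,
    }
    entry["entry_hash"] = hash_entry(entry)
    ledger.append(entry)
    return entry

def verify_ledger(ledger, artifacts=None):
    """Return a list of problems; an empty list means the trail is intact.

    artifacts: optional {url: bytes} of the stored copies to re-hash.
    """
    problems, prev = [], GENESIS
    for i, e in enumerate(ledger):
        if e["prev"] != prev:
            problems.append(f"entry {i}: broken link")
        if hash_entry(e) != e["entry_hash"]:
            problems.append(f"entry {i}: record altered")
        if artifacts is not None:
            data = artifacts.get(e["url"])
            if data is None:
                problems.append(f"entry {i}: artifact missing")
            elif hashlib.sha256(data).hexdigest() != e["sha256"]:
                problems.append(f"entry {i}: artifact content changed")
        prev = e["entry_hash"]
    return problems

if __name__ == "__main__":
    log = []  # constructed sample captures
    append_capture(log, "https://example.org/post/1", "2024-03-10T14:20:00Z", b"<p>post</p>", "original post")
    append_capture(log, "https://example.org/img/2", "2024-03-10T14:25:00Z", b"constructed image bytes", "attached image")
    print(verify_ledger(log))
```

A local chain only proves internal consistency; publishing or externally timestamping the latest `entry_hash` is what lets a third party confirm the log was not rebuilt from scratch.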

The Bellingcat methodology is what serious open-source investigation looks like at its best. Approximating it, even at smaller scales, with fewer resources, is a useful aspiration for any investigator.

The discipline has been established. The case studies are public. The training is accessible. What remains is the work.

Jesse William McGraw

Jesse William McGraw, also known as GhostExodus, is a former insider threat and threat actor. He became the first person in recent U.S. history to be convicted of corrupting industrial control systems. Today he focuses on threat intelligence, OSINT, and public speaking, using his knowledge to bring awareness to the security risks that organisations and individuals face.
