// INVESTIGATIONS
OSINT
Tools, methods, and case studies from the open-source investigation discipline.
- Ransomware leak-site OSINT: 2026 investigation walkthrough
  A practical OSINT walkthrough for investigating ransomware leak sites — workflow, sources, pitfalls, and how to verify victim claims without breaking operational security.
- Audit your digital footprint 2026: Sherlock, Holehe, Whoxy
  A 2026 self-doxxing tutorial — run the same OSINT tools attackers use, on yourself, to find every account, leaked credential, and broker entry tied to your identity. With remediation steps for each finding.
- Attack-surface mapping 2026: Shodan, Censys, FOFA, Nuclei
  A 2026 OSINT workflow for mapping the external attack surface of any organisation using only public data — internet-scan engines, certificate transparency, and authenticated vulnerability templates.
- OSINT.industries hands-on: a 2026 tutorial for journalists and due-diligence analysts
  A practitioner’s deep-dive on OSINT.industries — what it returns for username and email queries, how I use it for journalism and due diligence, and the ethics framework I won’t run a query without.
- Multi-tool OSINT search: tutorial using IntelX, Spiderfoot, and Maltego
  A 2026 tutorial for running OSINT investigations across paste sites, breach data, and forums using IntelX for breach search, Spiderfoot for automated correlation, and Maltego for graph analysis.
- How to verify a ransom payment on-chain: tutorial with Mempool, OXT, and Ransomwhe.re
  A practitioner’s tutorial for verifying — or refuting — a claimed ransom payment on the Bitcoin blockchain using free tools. Useful for journalists, IR teams, and victims dealing with secondary-extortion claims.
- Inside a ‘cloud of logs’ Telegram subscription tier
  A practitioner’s look inside the “cloud of logs” subscription model — what attackers pay, what they get, and the operational mechanics that turn raw infostealer output into a productised threat.
- Stealer log forensics: tracing infections back to the user
  A practitioner’s forensic playbook for working backwards from a stealer log to the originating infection — what the log file structure tells you, where the malware sits, and how to clean it up properly.
- Hardening your home lab: the OPSEC checklist for indie security researchers
  A practical OPSEC checklist for indie security researchers, journalists, and bug-bounty hunters working from home. Network segmentation, hardware separation, identity hygiene, and the small habits that make the difference.
- Tracking ransomware infrastructure: a 2026 OSINT methodology
  A practitioner’s OSINT methodology for tracking ransomware infrastructure in 2026 — the seven sources to monitor, how to correlate them, and the operational hygiene that keeps your work credible.
- The Bellingcat geolocation toolkit: 10 sources that always work
  Ten geolocation sources that never let me down on an OSINT investigation, ranked by how often they crack the case. Free where possible, paid where necessary.
- Telegram OSINT: how investigators trace channels and admins in 2026
  A practitioner’s playbook for Telegram OSINT in 2026 — how to discover channels, fingerprint admins, archive content, and build defensible attribution without burning your access.
- Maltego workflows for ransomware research: a 2026 starter pack
  A starter pack of Maltego transforms and graph patterns for ransomware research — entity model, transform recommendations, and three reusable graphs that pay rent on every investigation.
- How to verify a leaked dataset before you write about it
  Newsroom and researcher checklist for validating a leaked dataset before publishing — five tests that catch fabrication, recycled breaches, and misattributed dumps.
- Building an OSINT investigation workflow: from intake to report
  The five-stage workflow that separates an OSINT analyst from someone with a bookmarks bar full of tools.
- OPSEC for OSINT investigators: not contaminating what you research
  How journalists and OSINT analysts keep their personal accounts, devices, and identity separate from the investigations they run. Defensive opsec, not evasion.
- Geolocating a photo from scratch: the Bellingcat workflow for normal humans
  A practitioner walkthrough of the photo-geolocation method used by Bellingcat and most newsroom verification teams. Worked example included.
- Reverse image search beyond Google: when to reach for Yandex, TinEye, and the rest
  Google Lens isn’t always the right tool. Here’s when each of the major reverse-image-search engines wins, and the ethics line on face-search services.
- OSINT.industries: a hands-on walkthrough for usernames and emails
  What OSINT.industries actually returns, how I use it for journalism and due-diligence work, and the ethics framework I won’t run a query without.
- OSINT 101: a starter toolkit for 2026
  A practitioner’s roadmap to the OSINT tools that actually earn their place in your bookmarks bar. Free and paid, with honest notes on what each one is good for.
- The Telegram Stealer-Log Economy: How Stolen Credentials Are Sold
  Telegram has become the dominant marketplace for stealer-log distribution. Channels with hundreds of thousands of subscribers drop fresh logs continuously, with payment processed in cryptocurrency and a tiered access model that mirrors the SaaS industry. Here is how that economy works.
- The Bellingcat Methodology: How Open-Source Journalism Solved Real Cases
  Bellingcat has, more than any other organisation, defined what serious open-source investigation looks like in practice. The MH17, Skripal, and Russian-spy investigations are landmark cases. Here is the methodology they developed and how it can be applied.
- Social Media OSINT: From Twitter/X to Telegram
  Social-media OSINT was easier in 2018 than it is in 2026. Twitter’s API restrictions, Meta’s hardening, and the migration of communities to Telegram and Discord have reshaped what is possible. Here is the current state of the art across the major platforms.
- Shodan, Censys, and the Internet-Wide Scanners Compared
  Shodan, Censys, ZoomEye, FOFA, BinaryEdge, and a small set of others continuously scan every public IP on the internet and index what they find. They are essential tools for security research, attack-surface management, and OSINT. Here is the comparison.






















