A friend who reports on extremist movements told me a story a few years ago. She was working on a piece about a particular online subculture and, after a few weeks of lurking on their forums, started getting personalized ads for the subculture’s merchandise on her main Facebook account. The platforms had figured out, from the IP and browser fingerprint overlap, that the same person who read the New Yorker on her phone was also reading neo-Nazi forums on her laptop. The ad targeting wasn’t the worst of it; the same fingerprint overlap was potentially visible to the people she was reporting on, if any of them ran their own analytics.
That’s the OPSEC problem in a sentence. When you investigate a topic, you leave fingerprints on the topic, and the topic leaves fingerprints on you. The job of operational security in OSINT is to separate the investigator from the investigation cleanly enough that neither contaminates the other.
This is defensive opsec for journalists, security researchers, and due-diligence analysts. It’s not about evading legitimate law enforcement; it’s about keeping your personal life out of an investigation, keeping the investigation out of your personal life, and not handing the subject of the investigation a profile of you.
The four contamination vectors
There are four ways an investigation and an investigator contaminate each other. Each is fixable.
1. Network fingerprints. Your home IP shows up in the access logs of every site you visit. If you research a Russian disinformation network from your home connection, the network operators’ analytics know that an IP geolocated in your city visited their content twelve times last week. Combine that with the IP’s apartment-level granularity and you’ve potentially given them a starting point for finding you.
2. Browser fingerprints. Modern web tracking is more about your browser configuration than your IP. The combination of your installed fonts, screen resolution, time zone, language settings, browser plugins, and a dozen other signals produces a fingerprint that’s unique to perhaps one in a million users. Visiting one Wikipedia article and one extremist forum from the same browser tells the analytics on the second site that the same fingerprint also reads encyclopedia articles. If your fingerprint is unique enough, that’s enough to deanonymize you across sites.
3. Account fingerprints. Logging into your real Twitter to read your subject’s public profile means Twitter (and any cooperating analytics) know that your real account looked at the subject. Even the act of having the subject blocked, or muted, or in a list, leaks information.
4. Endpoint fingerprints. If your subject is hostile and technical, they may try to put a beacon, malware, or a tracking pixel into anything they think an investigator is going to fetch. The standard journalism opsec assumption is that anything an investigation subject can place on a website they control is potentially trying to identify or compromise the investigator’s machine.
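To make vector 2 concrete, here is a small added example (mine, not part of any tool mentioned on this page) that hashes a handful of browser signals into one identifier and measures the anonymity set of a configuration against a constructed visitor population; the population, user agents and font lists are made up for illustration.

```python
# Added example (not from the original post): how a few browser signals combine
# into one identifier, and how to measure the anonymity set of a configuration
# against a population. The population below is constructed, not measured.
import hashlib
import math

SIGNALS = ("user_agent", "screen", "timezone", "language", "fonts")

def visitor(ua, screen, tz, lang, fonts):
    return {"user_agent": ua, "screen": screen, "timezone": tz,
            "language": lang, "fonts": fonts}

# Constructed visitor population (100 entries).
POPULATION = (
    [visitor("Firefox/115 Win10", "1920x1080", "UTC+1", "en-US", "default")] * 40
    + [visitor("Chrome/120 Win10", "1920x1080", "UTC+1", "en-US", "default")] * 55
    + [visitor("Firefox/115 Win10", "1920x1080", "UTC+1", "en-US", "default+Hebrew")] * 4
    + [visitor("Firefox/115 Linux", "2560x1440", "UTC+1", "de-DE", "default+Fira")] * 1
)

def fingerprint(signals, attrs=SIGNALS):
    """Stable hash over the chosen signals. The same browser yields the same
    value on every site it visits, which is what lets two sites link it."""
    material = "|".join(f"{a}={signals.get(a, '')}" for a in attrs)
    return hashlib.sha256(material.encode()).hexdigest()[:16]

def anonymity_set(population, signals, attrs=SIGNALS):
    """Number of visitors in the population indistinguishable from this one."""
    target = fingerprint(signals, attrs)
    return sum(1 for p in population if fingerprint(p, attrs) == target)

def identifying_bits(population, signals, attrs=SIGNALS):
    """log2(N / matches): how much of the population the fingerprint rules out.
    A value near log2(N) means the visitor is unique in this population."""
    return math.log2(len(population) / anonymity_set(population, signals, attrs))

if __name__ == "__main__":
    for label, v in (("common", POPULATION[0]), ("rare", POPULATION[99])):
        print(label, anonymity_set(POPULATION, v), f"{identifying_bits(POPULATION, v):.2f} bits")
    # Exposing fewer signals (e.g. a profile that blocks font enumeration)
    # enlarges the anonymity set of the same visitor.
    hebrew = POPULATION[95]
    print("fonts visible:", anonymity_set(POPULATION, hebrew),
          "fonts hidden:", anonymity_set(POPULATION, hebrew, SIGNALS[:-1]))
```

The lesson for the research profile is the one the text draws: the configuration should match as many other visitors as possible, and every extra signal it exposes shrinks that set.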
The standard defensive setup
The setup below is roughly what newsroom verification teams and serious OSINT consultancies use. None of it is exotic. None of it is illegal. All of it is the same kind of professional separation you’d expect a doctor or a lawyer to maintain between client matters.
Network: a research-only VPN
Use a reputable commercial VPN exclusively for research. Mullvad is the standard recommendation in this community because it accepts cash payment, doesn’t ask for an email address, and runs an audited no-logs policy. ProtonVPN and IVPN are the other two I’d consider. The paid Tor-bridge route is also viable for very-high-sensitivity work but is slow.
The point is not to be anonymous. The point is to make sure your home IP doesn’t appear in your subject’s access logs, and to make the IP your subject does see consistent over time so it’s not unusual.
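A pre-flight check I'd run before opening the research browser, as an added example that is not from the original post or any VPN provider: the caller supplies the current egress address (read from the provider's own connection-check page) and the exits already recorded for this case, and the function refuses to proceed if the home IP would leak or the exit has silently changed. The home and VPN ranges are placeholders.

```python
# Added example (not from the original post): a pre-flight check for the
# research session. The caller supplies the current egress address (from the
# VPN provider's own connection-check page) and the exit addresses recorded for
# this case so far. All networks below are constructed placeholders.
import ipaddress

HOME_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]     # placeholder: your ISP's ranges
VPN_EXIT_RANGES = [ipaddress.ip_network("198.51.100.0/24")]  # placeholder: provider's exits

def egress_check(egress_ip, previous_exits, home=HOME_NETWORKS, vpn=VPN_EXIT_RANGES):
    """Return (ok, reason). Refuses when the tunnel is evidently down, when the
    exit is not one the provider owns, or when the exit has changed since the
    last session of this case (a consistent exit is part of the goal)."""
    ip = ipaddress.ip_address(egress_ip)
    if any(ip in net for net in home):
        return False, "egress is a home address: the VPN tunnel is down"
    if not any(ip in net for net in vpn):
        return False, "egress is not a known VPN exit"
    if previous_exits and str(ip) != previous_exits[-1]:
        return False, f"exit changed from {previous_exits[-1]} to {ip}; confirm before continuing"
    return True, "ok"

if __name__ == "__main__":
    history = []  # in practice: the exits recorded in this case's folder
    ok, why = egress_check("198.51.100.9", history)
    print(ok, why)
```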
Browser: a research-only profile in an isolated browser
Run a separate Firefox profile dedicated to OSINT work. Configure it once: a non-default user agent, a normal screen resolution, the LibreWolf hardening defaults if you want them. Disable extensions you don’t need. Critically, never log into a personal account in this profile. The profile is for collection only.
For the most sensitive work, run it inside a virtual machine (VirtualBox is free and adequate; VMware is paid and faster). The VM gives you a clean network stack on top of the clean browser, and lets you snapshot before each investigation and revert after. If your subject is technical, the VM is also where you’d open suspicious documents, never on your main host.
Accounts: sock puppets, not your name
A sock puppet is a research persona: a fake-but-internally-consistent account on whatever platforms you need to read or interact with. They’re standard practice in journalism and due-diligence work and have been for decades. The opsec rules:
- One sock puppet per investigation, or one per topic area. Mixing is how analysts get burned.
- Built progressively. A new account that immediately follows your subject and posts nothing else looks fake to both humans and platforms. Build slowly: real-looking interests, occasional unrelated posts, joining communities aligned with the persona’s claimed background.
- Never use real personal information. Not yours, not anyone else’s. The persona’s name, photo, biographical detail are constructs; the photo should be either AI-generated (thispersondoesnotexist.com is the canonical source) or a stock photo licensed for the purpose. Do not use a real person’s photo.
- Never claim a profession, credential, or role you don’t have if doing so would change the subject’s behaviour or constitute pretexting under the relevant law. "I’m a marketer interested in your product" is fine if you are not interacting with the subject. "I’m a doctor here to discuss your medical condition" is not.
- Document the persona’s existence, purpose, and end-of-investigation cleanup in your case file.
The Bellingcat training programme has a solid public guide to sock-puppet hygiene which is more thorough than I can be here.
Endpoint: separation, snapshots, and never click
If your investigation involves anything that might be hostile (suspect documents, suspect URLs, infrastructure run by an adversarial actor), do that work inside a VM that you can roll back. Use a tool like ANY.RUN or Hybrid Analysis for actual document and binary analysis. Never click a link from an investigation subject’s infrastructure on your real machine. Never authenticate to anything on the research machine that you authenticate to on your real machine.
If your VM gets compromised, you revert the snapshot and lose nothing. If your laptop gets compromised because you opened a suspect PDF on it, you spend a week and a thousand dollars rebuilding your digital life.
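The snapshot-before, revert-after routine from the browser section and this one, written down as an added example (mine, not VirtualBox's or any project's code) around VirtualBox's command-line tool; it assumes VBoxManage is on PATH and the VM name "osint-research" is a placeholder.

```python
# Added example (not from the original post): a thin wrapper around VirtualBox's
# command-line tool that snapshots the research VM before a session and restores
# that snapshot afterwards, so the guest returns to a known-clean state.
# Assumes VBoxManage is on PATH; the VM name is a placeholder.
import datetime
import subprocess

VM_NAME = "osint-research"  # placeholder: the research VM's name in VirtualBox

def snapshot_name(case, date=None):
    """Date-prefixed like the case folder, so the snapshot list doubles as an index."""
    date = date or datetime.date.today().isoformat()
    return f"{date}_{case}_pre"

def session_commands(case, vm=VM_NAME, date=None):
    """The four VBoxManage invocations for one session, in order."""
    name = snapshot_name(case, date)
    return [
        ["VBoxManage", "snapshot", vm, "take", name, f"--description=clean state before {case}"],
        ["VBoxManage", "startvm", vm, "--type", "gui"],
        # the analyst works in between; the next two run when the session ends
        # (or right after any suspect link or document)
        ["VBoxManage", "controlvm", vm, "poweroff"],
        ["VBoxManage", "snapshot", vm, "restore", name],
    ]

def run_session(case, vm=VM_NAME, runner=subprocess.run, pause=input):
    """Take the snapshot, boot, wait for the analyst, then revert. `runner` and
    `pause` are injectable so the flow can be exercised without VirtualBox."""
    take, start, stop, restore = session_commands(case, vm)
    runner(take, check=True)
    runner(start, check=True)
    pause("Research session running. Press Enter to end it and revert the VM... ")
    runner(stop, check=True)
    runner(restore, check=True)  # restore requires the VM to be powered off
    return restore[-1]           # the snapshot the VM was reverted to

if __name__ == "__main__":
    import sys
    run_session(sys.argv[1] if len(sys.argv) > 1 else "untitled-case")
```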
Logging: keep your own audit trail
The opsec point of logging is two-fold. First, you want to know what you did, when, and why, so that your investigation is repeatable and defensible. Hunchly does most of this for you on the browser side. Second, if a subject ever accuses you of having done something you didn’t do (defamation suits and counter-investigations are real), the log is your defence.
Keep the log. Date-prefix the case folder. Don’t delete things "just in case." If you’re operating in a regulated jurisdiction, the retention policy on your investigations may be legally specified.
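The case file this section and the sock-puppet rules call for, as an added example that is not the post's or Hunchly's code: a date-prefixed case folder with an append-only, hash-chained action log in which the persona is declared before it is used, and a verifier that detects later edits. The case name, handle and URL are constructed.

```python
# Added example (not from the original post): a date-prefixed case folder with an
# append-only, hash-chained action log. Each entry records what, when, why and
# under which persona; the chain makes later edits detectable. Names are constructed.
import datetime
import hashlib
import json
import tempfile
from pathlib import Path

GENESIS = "0" * 64

def case_dir(root, slug, date=None):
    path = Path(root) / f"{date or datetime.date.today().isoformat()}_{slug}"
    path.mkdir(parents=True, exist_ok=True)
    return path

def _entry_hash(prev, entry):
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256((prev + json.dumps(body, sort_keys=True)).encode()).hexdigest()

def log_action(case, action, target, why, persona=None):
    """Append one entry and return its hash. `persona` names the sock puppet used,
    which must have been declared in an earlier entry of the same log."""
    log = Path(case) / "actions.jsonl"
    prev = json.loads(log.read_text().splitlines()[-1])["hash"] if log.exists() else GENESIS
    entry = {"when": datetime.datetime.now(datetime.timezone.utc).isoformat(), "action": action,
             "target": target, "why": why, "persona": persona, "prev": prev}
    entry["hash"] = _entry_hash(prev, entry)
    with log.open("a") as fh:
        fh.write(json.dumps(entry, sort_keys=True) + "\n")
    return entry["hash"]

def verify_log(case):
    """Recompute the chain; return (ok, index of first bad entry or entry count)."""
    prev, good = GENESIS, 0
    for line in (Path(case) / "actions.jsonl").read_text().splitlines():
        entry = json.loads(line)
        if entry["prev"] != prev or entry["hash"] != _entry_hash(prev, entry):
            return False, good
        prev, good = entry["hash"], good + 1
    return True, good

def demo():
    """Build a sample case, declare a persona, log one view, then tamper with it."""
    case = case_dir(tempfile.mkdtemp(), "acme-diligence", "2024-05-01")
    log_action(case, "declare-persona", "@constructed_handle", "read-only research account", "p1")
    log_action(case, "view", "https://example.org/profile", "baseline of public page", "p1")
    before = verify_log(case)
    log = case / "actions.jsonl"
    log.write_text(log.read_text().replace("baseline", "edited later"))  # simulated tampering
    return before, verify_log(case)
```

Hunchly captures the browser side; this is the analyst-side record of intent and persona that a counter-investigation or a defamation suit would ask for.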
The line on "evasion"
Everything above is about not contaminating an investigation. None of it is about evading legitimate law enforcement, escaping accountability for misconduct, or hiding from the lawful processes that journalism and research are accountable to.
If your investigation is good, the opsec should be defensible to a judge, an editor, and a press regulator. If it isn’t, the opsec is the wrong tool for the wrong question and you should reconsider the investigation.
The trap
The trap is treating opsec as a checklist you do once. The fingerprint surface evolves. Browsers change. Platforms add new signals. The persona that was bulletproof last year is the persona whose tells the platforms now match within minutes. Practitioner opsec is a habit, not a setup. Spend an afternoon every quarter reviewing what you do, what’s changed, and what you’d update. The half-life of a defensive technique is roughly eighteen months.
A starter checklist
- Mullvad subscription, paid in cash or by Monero, single-tunnel set up
- A research VirtualBox VM with Ubuntu or Tails (or a hardened Windows guest if you need Windows-only tools)
- A research Firefox profile, default settings, no signed-in personal accounts, ever
- One sock puppet per investigation, declared in the case file
- Hunchly running on every research session
- Snapshot before each investigation; revert after, or after any suspect link
That setup is the working setup of probably 80% of the OSINT analysts I respect. The rest is taste and the specific demands of your beat.
