Tracking ransomware infrastructure used to mean refreshing a handful of leak sites manually. In 2026 it’s a multi-source correlation problem: leak sites disappear, mirror, and reappear constantly; operators rebrand; affiliates migrate between programmes; and the noise floor of fake leaks and rebrand-bait has gotten loud. Here’s the OSINT methodology I run for my own tracking, with the sources and the discipline that make the output trustworthy.
The seven sources I check daily
1. Active leak sites. The primary sources are the operators’ own onion sites. RansomLook, Ransomwhe.re, and a few smaller trackers maintain inventories of active sites that you can check against your own collector. The discipline is not to rely on any single tracker; they all have blind spots.
2. Telegram channels. Operators announce victims, leak teasers, and recruit affiliates on Telegram more openly than on most platforms. A monitored list of fifty to a hundred channels and groups, refreshed weekly, surfaces most operator activity.
3. Russian-language criminal forums. XSS, Exploit, and a few smaller forums remain the recruitment and dispute-resolution venues for the Russian-speaking ecosystem. Account access is a hurdle (vouches, deposits) but reading the public sections is free.
4. Certificate transparency logs. When an operator rotates infrastructure, the new domains often appear in CT logs before they’re indexed elsewhere. Tools like Censys, crt.sh, and Cero make this searchable.
5. BTC blockchain monitoring. Chainalysis, TRM Labs, and the open-source BlockSci can connect known operator wallets to new addresses as funds move. The signal is slower than the operational signal but provides a second source of truth.
6. Vendor incident-response disclosures. The DFIR firms publish blog posts on incidents with enough detail to fingerprint the operator. Cross-referencing public IR posts against leak-site listings adds context.
7. Government advisories and KEV updates. CISA, NCSC, ANSSI, and BSI publish operator advisories that include indicators-of-compromise lists. These are slower than the underground sources but more rigorously verified.
How to correlate without getting fooled
The correlation rule I use is “two of three.” Before publishing or asserting that operator X claimed victim Y, two independent sources must support the claim. A leak-site listing alone isn’t enough: operators occasionally pre-announce victims they don’t actually have, either as a pressure tactic or to inflate their apparent claim count.
Strong corroboration sources include: the victim’s own public statement, a credible IR firm’s post, regulatory disclosures, news reporting with named sources, or a separate leak-site listing on a different operator (sometimes a sign of inter-affiliate sale of stolen data). Weak corroboration: another tracker citing the same single source you saw, social-media posts repeating the leak listing, or rumours in Telegram chats.
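The “two of three” rule above, as an added example in Python (not the author’s own tooling). It keeps a list of evidence records, counts only strong source types, collapses mirrors of the same origin into one source, and ignores weak items that merely repeat a source already seen. All operator, victim, and origin names are constructed.

```python
from dataclasses import dataclass

# Source types per the post: these count toward "two of three" ...
STRONG = {"leak_site", "victim_statement", "ir_report",
          "regulatory_disclosure", "news_named_source"}
# ... and these do not count on their own.
WEAK = {"tracker", "social_media", "telegram_rumour"}

@dataclass(frozen=True)
class Evidence:
    operator: str
    victim: str
    kind: str            # a member of STRONG or WEAK
    origin: str          # who produced it: onion site, IR firm, tracker, ...
    derived_from: str = ""  # for weak items: the single source they repeat

def independent_support(evidence, operator, victim):
    """Set of independent strong origins backing 'operator claimed victim'.
    Two listings from the same origin (a mirror) count once; weak items
    never add an origin, even if they point at a source not yet seen."""
    origins = set()
    for e in evidence:
        if (e.operator, e.victim) == (operator, victim) and e.kind in STRONG:
            origins.add(e.origin)
    return origins

def classify(evidence, operator, victim, minimum=2):
    n = len(independent_support(evidence, operator, victim))
    if n >= minimum:
        return "corroborated"      # safe to assert publicly
    if n == 1:
        return "single-source"     # hold until a second source appears
    return "unverified"            # rumour / tracker echo only

# Constructed sample queue (not real operators or victims).
EVIDENCE = [
    Evidence("OPERATOR-A", "ACME", "leak_site", "operator-a-onion"),
    Evidence("OPERATOR-A", "ACME", "leak_site", "operator-a-onion"),   # mirror
    Evidence("OPERATOR-A", "ACME", "tracker", "tracker-1", "operator-a-onion"),
    Evidence("OPERATOR-A", "GLOBEX", "leak_site", "operator-a-onion"),
    Evidence("OPERATOR-A", "GLOBEX", "ir_report", "dfir-firm-x"),
    Evidence("OPERATOR-A", "INITECH", "telegram_rumour", "tg-chat-7"),
    Evidence("OPERATOR-A", "INITECH", "social_media", "x-account-9", "tg-chat-7"),
]

if __name__ == "__main__":
    for v in ("ACME", "GLOBEX", "INITECH"):
        print(v, classify(EVIDENCE, "OPERATOR-A", v))
```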
Persona and OPSEC discipline
If you engage with sources (Telegram channels, criminal forums), do it from a research persona that has never touched your real identity: different email, different phone, different browser fingerprint. Use Tor or a research VPN for anything beyond passive observation. Document everything you said under each persona so you don’t slip later.
Don’t post on your real accounts about ongoing investigations. The smallest detail, “we’re tracking X this week”, gives operators advance notice. Hold the post until you publish.
Tooling that makes this sustainable
Maltego or any graph database for the correlation layer: operators, leak sites, victims, infrastructure, wallets. Spreadsheets work for the first month and break in the second. A scheduled scraper for the leak sites you can reach legally. A separate monitored email account for the operator-update RSS feeds and tracker mailing lists. A weekly review meeting, with yourself or your team, to triage the queue.
The work compounds. Six months in, you have an entity graph that surfaces patterns across operators that no single source shows. That’s where the real research output comes from.