W1nterSt0rm: OSINT on steroids


I’m a former cybercriminal. However, while operating under the black flag of cybercrime, I strove to give back to the community through good deeds so it could satisfy the inherent burden of guilt I carried due to my hacking addiction. I did this by using Open Source Intelligence (OSINT) to expose and neutralize online trolls, sexual predators, stalkers, and all other manner of nasty human beings.

Nowadays, I am an ethical hacker and director of an #OpChildSafety initiative called W1nterSt0rm. Similar to the golden years of my threat actor days, I still try my best to avoid copying what everyone else is doing, especially when exploring the OSINT landscape for better techniques and, by extension, better and faster results.

After all, people who get caught up in the latest trends are like hooked fish being pulled by a line. This reminds me of something someone once said, “If you always do what you’ve always done, then you’ll always get what you always got.”

This is why I’m always exploring new tools. I want our team to break the mold and obtain the best results in the field. Our success depends solely on access to reliable resources if we hope to de-anonymize predators targeting children.

OSINT is the act of collecting and analyzing publicly available information in order to answer an intelligence question. The sources you’re using to find the information are open, and the purpose is intelligence. If you’ve ever googled someone or performed a background check, these are common OSINT methods.

Many of us who use OSINT run into the same wall: most tools do the same things under different names, and many search results contain more false positives than the records we're digging for.

Sadly, the tools and methods used in the wild are pretty much the same. If you would rather not run yet another GitHub script, this will appeal to you. I want to show you that better OSINT tools exist if you're willing to explore new areas of intelligence collection.

Mobile phone tracking

Whether you’re investigating a stalker or trying to locate a lost person, mobile phone tracking would be pretty useful, right? But how to do that without a warrant…

The good news is that you don’t need a warrant.

Earlier this year, W1nterSt0rm received a distress call that someone had gone missing in Lithuania. The individual wasn’t responding to phone calls or text messages. Not being aware of exactly why the person disappeared but aware that they might be in a position to self-harm only compounded the worry.

One of our operators used a service called Scannero.io to locate the person's smartphone. Once the person opened the link, the phone reported a position derived from GPS, Wi-Fi and cellular data, accurate to within about a 10-meter radius, which is pretty impressive; the service also displays the coordinates on a detailed street map. Because the service works through the phone number, a SIM swap makes no difference as long as the number stays the same.

From this, we were able to offer a good estimate of where the individual was so that contact could be made. It turned out to be impressively accurate. This made me think about how a tool like this could benefit our OpChildSafety operations.

Scannero.io works by sending the target a text message, chosen from a set of pre-written templates, that contains a tracking link. When the link is opened, the page asks the phone's browser for its location (the browser's Geolocation API, which the handset resolves from GPS, Wi-Fi and cell data) and records the GPS coordinates, a map, a street address, the IP address, the operating system and the browser type. You can also simply generate the links and deliver them however you prefer, for example behind your own IP-logging redirect script.

The service's position is that it is lawful because the target consents when the link is opened: the browser shows a location-permission prompt, and the coordinates are only returned if that prompt is accepted (the IP address, operating system and browser type are recorded on the page load regardless). Treat that as the vendor's claim rather than legal advice; whether a tap on an SMS link amounts to informed consent depends on the jurisdiction and on what the message says, so check local law before using it on anyone other than a person you are trying to help.

IP to geolocation

Another method, which we also used in a missing-person case, is tracing the person's IP address to a geolocation with a variety of tools. We start with https://db-ip.com/, a free IP-to-geolocation service; searching the IP returns approximate coordinates. Bear in mind that IP geolocation is usually city-level at best and is keyed to the network, not the device: an address on a mobile carrier often resolves to the carrier's gateway rather than to the subscriber.

Next, I plot the coordinates in Google Earth and compare them against a KMZ overlay (a zipped KML file) of every cellular tower in the United States, which you download and import into Google Earth. If the IP fix lands on a tower, it suggests the person was reaching the internet over the cellular network; if it does not, she was more likely connected to a local Wi-Fi hotspot.
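The tower comparison above is done by eye in Google Earth; the following is an added example (not from the article, not a db-ip or Google Earth feature) that scripts the same check. It parses the Placemark/Point elements of a KML file, which is what you get after unzipping a KMZ, and measures the great-circle distance from an IP fix to the nearest tower. The tower coordinates, the two IP fixes and the 1 km "near a tower" threshold are all constructed assumptions for the example.

```python
# Added example (not from the article): the "does the IP fix sit on a cell tower?"
# comparison done by eye in Google Earth, scripted. Tower data and the IP fixes
# below are constructed for illustration; a real KMZ is a zipped KML file whose
# Placemark/Point elements you would read the same way after unzipping.
import math
import xml.etree.ElementTree as ET

KML_NS = {"kml": "http://www.opengis.net/kml/2.2"}

# Constructed stand-in for the tower overlay: three made-up towers.
TOWER_KML = """<?xml version="1.0" encoding="UTF-8"?>
<kml xmlns="http://www.opengis.net/kml/2.2">
  <Document>
    <Placemark><name>Tower A</name>
      <Point><coordinates>-122.4194,37.7749,0</coordinates></Point></Placemark>
    <Placemark><name>Tower B</name>
      <Point><coordinates>-122.4089,37.7837,0</coordinates></Point></Placemark>
    <Placemark><name>Tower C</name>
      <Point><coordinates>-121.8863,37.3382,0</coordinates></Point></Placemark>
  </Document>
</kml>"""


def parse_towers(kml_text):
    """Return [(name, lat, lon)] for every Placemark that has a Point.

    KML writes coordinates as lon,lat[,alt]; the order is swapped here so the
    tuples match the lat,lon order that db-ip and Google Earth use."""
    root = ET.fromstring(kml_text)
    towers = []
    for placemark in root.iterfind(".//kml:Placemark", KML_NS):
        name = placemark.findtext("kml:name", default="?", namespaces=KML_NS)
        coords = placemark.findtext("kml:Point/kml:coordinates", namespaces=KML_NS)
        if not coords:
            continue
        lon, lat = (float(v) for v in coords.strip().split(",")[:2])
        towers.append((name, lat, lon))
    return towers


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two WGS84 points."""
    r = 6371.0088
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def nearest_tower(lat, lon, towers):
    """(name, distance_km) of the tower closest to the fix."""
    return min(((name, haversine_km(lat, lon, tlat, tlon)) for name, tlat, tlon in towers),
               key=lambda pair: pair[1])


def classify_fix(lat, lon, towers, radius_km=1.0):
    """Apply the article's heuristic: a fix within radius_km of a tower is
    consistent with cellular data, otherwise Wi-Fi or wired is more likely.
    The 1 km threshold is an assumption for this example, not a figure from the article."""
    name, dist = nearest_tower(lat, lon, towers)
    if dist <= radius_km:
        verdict = "near cell tower: consistent with cellular data"
    else:
        verdict = "no tower nearby: Wi-Fi/wired, or the IP fix is too coarse to tell"
    return name, round(dist, 3), verdict


if __name__ == "__main__":
    towers = parse_towers(TOWER_KML)
    # Constructed IP fixes in the (lat, lon) order db-ip reports them.
    for fix in [(37.7800, -122.4100), (40.7128, -74.0060)]:
        print(fix, "->", classify_fix(*fix, towers))
```

A tower match is a hint, not a fix: a mobile carrier's IP block often geolocates to the carrier's gateway, which may itself sit near a tower hundreds of kilometres from the subscriber, so treat the verdict as one input alongside the other leads in the case.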

Hunting by social media enumeration

During OpChildSafety work I have often used a burner phone. Once a suspect hands over a phone number, it offers a cluster of investigative leads beyond reverse phone searches in public-record databases.

If you add the target's phone number to the contacts list on a burner phone or a Voice over IP (VoIP) phone service, and let your social media apps sync your contacts, you will be notified whenever they join any of the services you use. This way you can uncover the apps you have in common and extract more information from their profiles there.

This is how I was able to unmask a clever scammer impersonating an attorney. He blocked me on Facebook Messenger, but I was able to find him instantly on WhatsApp, along with photos of himself and a confirmation of his name.

To automate this, I use Sync.Me, which does exactly that: it matches the target's number against many popular social media accounts and, in many cases, returns their address and other useful information.

Twitter Circles

Have you ever seen Twitter (X) users post their Twitter Circle photo, and you’re tagged in it? Everyone always says thank you and gets excited when they see they’ve been included in your circle.

W1nterSt0rm uses Twitter Circle images for OSINT because they reveal exactly who an account interacts with on Twitter. The image is divided into three rings ordered from least to greatest interaction: the outer ring holds the accounts the user interacts with least, and the ring around the profile picture holds those they interact with most. The post usually lists each ring's usernames as well, which is why everyone in the circles gets tagged.

Twitter circle

Each username in the list is clickable and can either take you to their profile or give you the option to generate their own circle, which is extremely useful from an OSINT perspective.

This can help OSINT investigators discover whether someone interacts frequently with an alternate account, spam bots or sock-puppet accounts, and uncover who their common contacts are.

For example, if you suspect a person is reposting content to or from a fake account, this is how you can link the two (or more) together. Knowing who a person interacts with most, without doom-scrolling through their feed, saves a lot of time.
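The comparison described above, written out as an added example (not from the article, and not a Twitter/X tool): given interaction counts you have tallied for two accounts, it ranks each account's contacts into rings the way a circle image lays them out, lists the contacts both circles share, scores the overlap, and flags the strongest alt-account signal, each account sitting in the other's innermost ring. The handles, counts and the ring sizes of 2, 3 and 3 are constructed assumptions for the example, not Twitter's figures.

```python
# Added example (not from the article and not a Twitter/X tool): rank tallied
# interactions into rings, then compare two accounts' circles. The handles,
# counts and RING_SIZES below are constructed assumptions for the example.

# Interactions (replies, likes, reposts) tallied for the account under investigation...
TARGET = {"@alice": 42, "@alt": 35, "@bob": 31, "@carol": 18, "@dave": 12,
          "@eve": 9, "@frank": 5, "@grace": 3, "@heidi": 1}
# ...and for the account suspected of being its alt.
ALT = {"@target": 27, "@alice": 20, "@bob": 15, "@ivan": 7, "@dave": 6, "@judy": 2}

# Innermost ring first. Assumed sizes; a real circle image uses its own layout.
RING_SIZES = (2, 3, 3)


def build_rings(interactions, ring_sizes=RING_SIZES):
    """Split contacts into rings by descending interaction count, innermost first.
    Ties are broken alphabetically so the output is stable."""
    ranked = sorted(interactions.items(), key=lambda kv: (-kv[1], kv[0]))
    rings, start = [], 0
    for size in ring_sizes:
        rings.append([handle for handle, _ in ranked[start:start + size]])
        start += size
    return rings


def circle_members(interactions, ring_sizes=RING_SIZES):
    """Every handle that makes it into any ring (contacts past the last ring are dropped)."""
    return {h for ring in build_rings(interactions, ring_sizes) for h in ring}


def shared_contacts(a, b, ring_sizes=RING_SIZES):
    """Accounts present in both circles: the 'common friends' the article mentions."""
    return sorted(circle_members(a, ring_sizes) & circle_members(b, ring_sizes))


def overlap_score(a, b, ring_sizes=RING_SIZES):
    """Jaccard similarity of the two circles; 1.0 means identical audiences."""
    ma, mb = circle_members(a, ring_sizes), circle_members(b, ring_sizes)
    return len(ma & mb) / len(ma | mb) if ma | mb else 0.0


def mutual_inner_ring(handle_a, a, handle_b, b, ring_sizes=RING_SIZES):
    """True when each account is in the other's innermost ring, a strong
    sock-puppet / alt-account signal worth a closer look."""
    return (handle_b in build_rings(a, ring_sizes)[0]
            and handle_a in build_rings(b, ring_sizes)[0])


if __name__ == "__main__":
    for label, rings in (("@target", build_rings(TARGET)), ("@alt", build_rings(ALT))):
        print(label, "rings (inner -> outer):", rings)
    print("shared contacts:", shared_contacts(TARGET, ALT))
    print("overlap score:", round(overlap_score(TARGET, ALT), 3))
    print("mutual inner ring:", mutual_inner_ring("@target", TARGET, "@alt", ALT))
```

The counts have to come from somewhere: either tally them yourself from the accounts' public replies and reposts, or transcribe the usernames from a posted circle image ring by ring and assign each ring a nominal count. The mutual-inner-ring check is the one to act on first, since two accounts that are each other's top interactor but never acknowledge the link is exactly the pattern the article describes.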

Whether you're an OSINT enthusiast or a private investigator who needs to look into a possibly fraudulent workers' compensation claim, catch a suspected cheating spouse, help track down a missing person, or unmask the identities of bad actors, these same tools are invaluable.

If I were you, I'd develop an OSINT plan, like an incident response playbook. Knowing which tools to use for every foreseeable case helps you prepare for any scenario and obtain results faster.