SocialPath is a Django application for gathering social media intelligence on a specific username. It checks Twitter, Instagram, Facebook, Reddit and Stackoverflow. The collected data is sorted by word frequency, hashtags, timeline, mentions and similar accounts, and presented as charts drawn with D3js. This technique allows me to track darknet users who do not use unique nicknames.
In my previous articles you could read how to gather information on domains, collect geospatial intelligence, and find leaks or malware. Now the time has come to look at social media from an OSINT perspective.
Social media intelligence (SOCMINT) is one of the cores of OSINT and an element of human intelligence (HUMINT). Nowadays people use different platforms to share information about themselves and do not realize how it might expose their habits, interests, locations and, obviously, opinions. Social media monitoring is broadly used by various agencies to watch particular words and hashtags, draw connections and track individuals. There are many scenarios in which SOCMINT is useful, for example Twitter botnet tracking, photo geolocation or identifying threat actors. The last one is possible because people use the same username across all social media. It's common if you are popular and wish to be known by a single moniker; however, it's not recommended to mix your identity from darknet or hacking forums with any social media service.
This provides an easy win for law enforcement (LE) once you engage in any criminal activity on illegal sites. I have read about many cases in which darknet drug dealers used the same nickname on darknet markets and on Twitter; it's a lack of basic operational security (OPSEC), and those guys were easily caught.
My research shows that sharing nicknames across social media platforms is quite common among darknet users.
Based on unsealed criminal complaints, indictments, Department of Justice (DOJ) announcements and various articles, I collected the techniques LE uses to investigate darknet users involved in illegal activity. Personally, I love to read this material: declassified documents, FOIA requests, complaints or indictments are better than books for me. In addition, you get insight into the case, can draw your own conclusions and dive into the techniques used by LE to deanonymize darknet users.
I scraped one of the darknet forums to get its members and then looked for them on different social media platforms like Facebook, Instagram, Twitter, Stackoverflow and Reddit. It's worth mentioning that results depend on the forum you want to monitor. It makes sense to look into local social media services (used only in a specific country) if you track users of a Macedonian darknet forum. On the other hand, there is no point looking in Portuguese services when you target a Belarusian forum. Some darknet sites allow you to check all users, with their reputation and number of posts, without registering, so some accounts can be excluded up front.
This approach can be used to deanonymize users if they repeat their nicknames across services. To confirm that both accounts (darknet and clearnet) belong to the same person, further analysis of photos, words, timestamps or interests is done.
To back up my words, let's take a look at the case United States v. Abdullah Almashwali.
Finding the email address associated with a PGP key allowed LE to discover social media profiles. After that, LE obtained a search warrant for every account, with detailed information and chats. The main mistake here was using the same nick in the email address and on social media. Probably this email was also used to register all of the accounts.
All social media sites are regulated by law, and LE can obtain lots of information through search warrants. Below you can find an example of what Reddit can hand over to LE. It comes from the criminal complaint in the case United States v. Marcos Paulo De Olivieria-Annibale.
Sharing a username is not the best idea, but sharing the same profile picture is even worse. The case United States of America v. HENRY KOFFIE a/k/a NarcoBoss shows that one of the indicators used to connect two accounts was the same profile picture, which he used on two darknet markets.
Sometimes a picture is worth a thousand words: the case United States v. Wyatt Pasek shows that after identifying the suspect's social media accounts, everything was crystal clear. For some reason drug dealers want to feel like rockstars and brag about their wealth everywhere, but at the end of the day it's just another piece of evidence in court.
An interesting aspect of this type of investigation is the comparison of the words used by accounts. Linguistic analysis is often hard and is done by professionals to determine, for example, an individual's country of origin. Some words, sentences or idioms have unique meanings in different countries, and based on such study it's possible to connect the writing styles of two personas. The personas of OxyMonster were connected due to “many similarities in the use of words and punctuation”.
People also tend to make the same mistake over and over in certain words, and this can be used against them too.
Besides that, the content of each post is examined manually to establish further connections with previously found photos, social media posts and other information. Another piece of evidence from the Med3l1n case is that agents found photos with the book “Gomorra” in the background and found a reference to it on the Wall Street Market forum.
It's tedious and time-consuming manual work to review all of the posts, tweets or photos tied, or possibly tied, to an individual.
Mentions of other users are also of interest to investigators; based on them they build a network of whom the suspect interacts with. Found mentions might be his real-life friends with worse OPSEC, virtual friends or his other accounts.
Lack of information is also information, and sometimes pretty valuable. Your activity on social media is documented and might be monitored if you are a suspect. The strong indicators are timestamps, which show when the user was active in any way: posting a photo, commenting or interacting with others. I use the Med3l1n case again as an example of how social media activity and a darknet persona can be connected. Inactivity on the darknet market was also information for LE, and pictures from a vacation in Miami on social media allowed them to connect the dots.
Anyone who does this kind of investigation needs to take the timezone into account. Among other indicators, it may reveal the country of origin, just like linguistic examination. Telling anyone your timezone is not recommended, and saying where you live or work from 9 to 5 is not a good idea either.
It's a brave act to register a trademark associated with your darknet profile. Anyone involved in criminal activity on the darknet should expect that his username is already in a database and that every mention of it is, or will be, monitored in the virtual world and in real life.
Of course, it's not decisive proof, only support for the whole case, which includes parcel interception, physical surveillance or mobile records. But social media intelligence plays a crucial role in the whole investigation.
The problem that appeared in my research was how to compare users across different social media, and moreover how to compare their activity, profile pictures, words and communities.
SocialPath is a simple app to find accounts across social media: Facebook, Instagram, Twitter, Reddit and Stackoverflow. It uses Django as the backend and D3js to draw charts. Results are presented in tiles containing the profile picture and basic information about the profile, like bio, URL from the bio, followers or friends. The details page contains charts based on user activity, i.e. a heatmap calendar, lollipop chart, scroll chart and wordcloud. These present the user's timeline, hashtags, word frequency, mentions, comments and more, depending on the type of account.
When you type a username, you will be redirected to the dashboard with your previously searched accounts in it. After a couple of minutes, when the fields start to populate, you will be able to see the profile picture and primary info.
When the user exists you can click on their photo and go to the details page. If the user does not exist, you will see accounts similar to the one you specified. This option is also available in the wordcloud on the details page if the account exists.
Full data includes the aforementioned interactive charts for each existing user. The heatmap calendar, known from GitHub, shows when the user made an interaction like posting a photo or tweet and how many times they did it. Clicking on each active square will redirect you to the interactions from that particular day.
Lollipop charts present hashtags for Twitter, Facebook and Instagram, tags for Stackoverflow and subreddits for Reddit. They show how many times the user included a hashtag, or how many times they were active in a specific tag or subreddit.
Word frequency is illustrated with the help of a scroll chart. There are plenty of words used by an individual, some only once, so it's really hard to visualize; the chart therefore presents the 500 most popular words used by the user in comments, tweets, posts etc. and their frequency.
Wordclouds are used to present the variety of a user's interactions. For Reddit, for example, it shows upvotes, so it's easy to check a specific post with a concrete number of upvotes. It's a fast way to determine whether the user is liked by the community and which post gained the most or fewest upvotes. Clicking on a specific number will redirect you to the associated post or comment.
The app uses APIs, so you need to fill in your API keys in the config file. Because of Facebook's policy, only posts are downloaded and you don't need any API access. Stackoverflow also does not require authentication for fewer than 300 requests per day, so I didn't take authentication into account there. Instagram allows scraping of its public API, but sometimes it's necessary to pass your cookie; if you have problems, copy your Instagram cookie into the config file.
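The four signals the charts above are built from (word frequency, hashtag counts, mention network, per-day and per-hour activity) can be computed from a list of collected posts with a few lines of Python. The block below is an added illustration, not SocialPath's own code: the sample posts, the stopword list and the record shape (`text` plus an ISO `created_at`) are all constructed assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample posts in the per-post shape a platform API returns
# (text plus an ISO timestamp). Illustration only, not SocialPath's data.
SAMPLE_POSTS = [
    {"text": "New write-up on domain OSINT is live #osint #recon @alice",
     "created_at": "2019-09-20T13:05:00"},
    {"text": "Reading about OPSEC failures again. #osint @bob @alice",
     "created_at": "2019-09-20T14:40:00"},
    {"text": "Miami was great, back to OSINT work tomorrow #travel",
     "created_at": "2019-09-22T09:15:00"},
    {"text": "Thanks @alice for the OSINT tips",
     "created_at": "2019-09-22T09:50:00"},
]

# Tiny stopword list (assumed); a real deployment would use a fuller one.
STOPWORDS = {"the", "to", "is", "on", "for", "and", "about", "again",
             "was", "back", "new"}
WORD_RE = re.compile(r"[a-z']+")
HASHTAG_RE = re.compile(r"#(\w+)")
MENTION_RE = re.compile(r"@(\w+)")


def word_frequency(posts, top=500):
    """Most common words (the scroll chart); tags, mentions and stopwords dropped."""
    counts = Counter()
    for p in posts:
        plain = MENTION_RE.sub(" ", HASHTAG_RE.sub(" ", p["text"])).lower()
        counts.update(w for w in WORD_RE.findall(plain)
                      if w not in STOPWORDS and len(w) > 2)
    return counts.most_common(top)

def hashtag_counts(posts):
    """How often each hashtag is used (the lollipop chart)."""
    return Counter(t.lower() for p in posts for t in HASHTAG_RE.findall(p["text"]))

def mention_counts(posts):
    """Who the account interacts with, by mention (the mention network)."""
    return Counter(m.lower() for p in posts for m in MENTION_RE.findall(p["text"]))

def activity_calendar(posts):
    """Interactions per calendar day (the heatmap calendar)."""
    return Counter(datetime.fromisoformat(p["created_at"]).date().isoformat()
                   for p in posts)

def active_hours(posts):
    """Interactions per hour of day; the peak is the timezone hint discussed above."""
    return Counter(datetime.fromisoformat(p["created_at"]).hour for p in posts)
```

Running it over the constructed posts ranks "osint" as the top word, "alice" as the most-mentioned account and 09:00 as the busiest hour, which is exactly the kind of signal an OPSEC self-review should look for before it appears in someone else's dashboard.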
You can look up the tasks in the admin interface.
It's the first version and there are probably some imperfections, so every issue or pull request is more than welcome.
If you need some help with your OSINT investigation you can write to me @the_wojciech; if not, you can just follow me.
For obvious reasons I won't publish the results of my research, but you can repeat it yourself. When engaging in illegal activity on the darknet, one should remember to treat their username as already compromised and should not share it across different services or even mention it anywhere. Reality is often different, and criminals get caught very often because of that mistake. SocialPath shows that it's not hard for anyone to create this kind of app; LE has far more powerful tools, real-time monitoring and bigger databases, including dumps from previously seized markets.
Originally published on September 24th, 2019