How OSINT, GEOINT & SOCMINT Can Link an Anonymous Account to a Real Person
A step-by-step case study: Three open-source intelligence disciplines, one digital profile, zero illegal methods.
An anonymous social media account has been spreading coordinated misinformation about a mid-sized company for weeks. No real name. No profile photo. The same account appears across three different platforms with a consistent posting style. Who is behind it? Here’s how investigators can approach this kind of case using only publicly available information, structured around three core disciplines of Open-Source Intelligence.
“The most revealing traces are often the ones people don’t realize they’re leaving behind.”
What are OSINT, GEOINT, and SOCMINT?
OSINT (Open Source Intelligence) is the umbrella discipline for collecting and analyzing information from publicly accessible sources—websites, public databases, archived content, forums, and other open resources. It does not involve hacking, unauthorized access, or covert surveillance.
GEOINT (Geospatial Intelligence) focuses on geographic information. Investigators analyze satellite imagery, maps, publicly available image metadata (where available), and recognizable landmarks to establish location context. Originally developed for military intelligence, it is now widely used in journalism, corporate investigations, and security research.
SOCMINT (Social Media Intelligence) examines publicly visible activity on social media platforms. It includes behavioral analysis, linguistic patterns, posting habits, and network mapping across platforms such as X, LinkedIn, Reddit, and Telegram.
Case Study: @shadow_guy_87 An account appears on three social media platforms using the same username: shadow_guy_87. There is no personal information, no profile picture, and no location. What is visible is a consistent writing style and coordinated messaging—enough to begin a structured OSINT investigation.
3 Platforms | 0 Real Names | 14 Days of Activity
PHASE 1 — OSINT: Building the Digital Footprint The investigation begins with a simple question: What publicly available information already exists about this username? Historical searches reveal the username on an archived gaming forum from 2019, where it was associated with an email address. Publicly available records indicate that the email address has appeared in a known historical data exposure, revealing a first name and birth year. Combining these findings with publicly accessible professional profiles produces two possible candidates working in the IT sector.
OSINT Findings: First name identified. Birth year: 1987. Likely IT background. Two potential professional profiles identified. Typical tools: Wayback Machine, Dehashed, Google Dorking, Intelligence search platforms, and LinkedIn.
PHASE 2 — GEOINT: A Photo Reveals More Than Expected One post contains what appears to be an ordinary photo of a local café. No location is mentioned, but for GEOINT analysis, that’s often enough. The image still contains embedded EXIF metadata with GPS coordinates pointing to the Schwabing district of Munich. Public mapping services and Street View imagery confirm the visible landmarks, while posting times are consistent with Central European working hours. A single photo with unremoved metadata can narrow a person’s location to a specific neighborhood.
GEOINT Findings: Approximate location: Schwabing, Munich. Central European time zone confirmed. Posting schedule suggests a regular weekday routine between 7:00–8:30 AM and 6:00–8:00 PM. Typical tools: ExifTool, Reverse Image Search, Google Maps Street View, and SunCalc.
PHASE 3 — SOCMINT: Behavior, Language, and Network Analysis SOCMINT shifts the focus from where someone is to who they are likely to be based on observable online behavior. Several indicators begin to align: a regular commuting-style posting schedule, Bavarian linguistic characteristics, technical vocabulary consistent with an IT professional, and public interactions centered around Munich-based technology communities. An inactive Reddit account using the same username contains a comment referencing a Munich developer meetup from 2021, strengthening the overall assessment.
SOCMINT Findings: Likely commuter. Strong IT background. Munich-based technology network. Cross-platform username correlation supports attribution. Typical tools: Maltego, SpiderFoot, Reddit API, Sherlock, and Gephi.
The Bigger Picture None of these disciplines alone would provide a sufficiently reliable attribution. Only when independent sources converge does a coherent picture emerge. That is one of the core principles of professional OSINT: Evidence should converge—not simply accumulate. OSINT provides identity indicators, GEOINT establishes geographic context, and SOCMINT builds the behavioral profile. Together, these observations can significantly narrow the pool of potential candidates.
Legal & Ethical Considerations The techniques discussed here rely exclusively on publicly accessible information and should only be used for legitimate purposes such as corporate security, journalism, academic research, security investigations, incident response, or law enforcement within applicable legal frameworks. OSINT is not a tool for harassment, stalking, or invading personal privacy. Responsible practitioners operate within legal boundaries while respecting necessity, proportionality, and ethical standards.
Three Ways to Improve Your Digital Hygiene
Remove EXIF metadata: Before uploading photos, strip GPS coordinates and device information using tools such as ExifTool or Scrambled Exif.
Use different usernames across platforms: Reusing the same handle creates strong links between otherwise separate online identities.
Avoid predictable posting patterns: Consistent activity windows can reveal routines, working hours, and even time zones, while scheduled posting can help reduce this signal.
