Cybercrime is a constant on the modern net. AI-powered ransomware attacks are making it easier than ever to con innocents out of thousands. Meanwhile, cybercrime-as-a-service has lowered the barrier to entry, and online criminal communities bring on more bad guys every minute. For the good guys, waiting for attacks to happen is no longer enough. We need OSINT that understands cybercrime, and helps us fight it safely - enter passive OSINT.
Passive OSINT allows investigators to profile scammers, fraudsters and shady operators hands-off, getting all the intel they need to understand their target’s methodology without getting noticed. In this guide, we’ll take you through the basics of cybercrime profiling with passive OSINT. We’ll explain what passive OSINT is, how it differs from an active investigation, and how it can change your cybercrime investigations - whilst always staying undetected.
What Is Passive OSINT?
OSINT, or open-source intelligence, is the practice of gathering data from publicly available sources online: anything from social media profiles, to leaks, to digital marketplaces. When it comes to cybercrime OSINT, the big difference is intent; investigators will focus on the forums and platforms where their targets leave traces of criminal activity. They can even take their investigation into the dark web in search of their quarry.
There are two types of investigation you’ll need for cybercrime OSINT:
- Active OSINT involves engagement with your target. This could involve joining forums, talking to users, requesting information, or even infiltrating communities. Active OSINT can yield deeper, more specific insights, but it also carries higher risks - from exposure, to legal complications… or worse.
- Passive OSINT is gathering information without interacting with the target. The passive OSINT investigator only works with data that can be obtained without revealing their presence.
While active OSINT is a valid investigatory method, it’s no good for high-risk situations - exactly the type of situation cybercrime OSINT investigators often find themselves in. If you need a way to safely, ethically and easily profile cybercriminals, you won’t find a better method than passive OSINT.
How Passive OSINT Works for You
Passive OSINT has three main advantages: safety, scale, and integrity.
- Safety: By staying hands-off, you can protect yourself. You reduce the risk of being noticed, targeted, or even sucked into the illegal activity you’re investigating. This is especially crucial around cybercrime OSINT; criminal communities are deeply suspicious, and being found out has serious consequences.
- Scale: Passive OSINT is much easier to scale. Cybercrime ecosystems can be vast, with thousands of users across even more platforms. Passive methods - like crawling, indexing, or searching with OSINT tools - allow an analyst to monitor multiple sources at once.
- Integrity: With passive OSINT, it’s easier to maintain consistency and integrity. Because you’re not engaging with your targets, you can see how they naturally behave over time: how they advertise their shady services, their shifting identities, and how their criminal activity evolves. All without the risk of entrapment or influence.
Passive OSINT and Cybercrime
Passive OSINT is also perfect for profiling because it matches the way cybercriminals operate. Most threat actors won’t stick to a single platform; they leave a trail across several. However, they still need to maintain their rep as a source of the ‘good stuff’ - whether that’s selling legit products or being a trustworthy associate for criminal ops.
Therefore, cybercriminals have to signal trust to their compatriots by remaining at least a little recognisable. This often leads to predictable behaviour, which passive OSINT can exploit. Even if they try to ditch their previous profile - to hide past failures, dodge a damaged reputation, or hide from the cops - passive OSINT can catch the persistent patterns that give a bad guy away.
OSINT Profiling: Passive OSINT Methods for Fighting Cybercrime
Passive OSINT is the perfect profiling technique. It’s all about discovering how a certain criminal behaves, and linking their behaviours together into a consistent identity. Here are the methods you need to master.
- Username Analysis
Cybercriminals often rely on a trusted name to show their reputation, so it’s easy to track their activity with username correlation. Even if the exact name isn’t the same, look for the similarities they’re using to build trust.
You can use an enumerator tool to generate plausible variations. Be aware: generic names can produce false positives. But even so, username analysis is often the starting point for passive OSINT profiling.
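One way to apply the correlation described above, as an added example that is not from the original guide or any vendor tool: rather than enumerating variants, it normalises each handle and scores cross-site pairs, skipping short and generic names to limit false positives. The swap table, stoplist, threshold and every handle below are assumptions constructed for illustration.

```python
import re
from difflib import SequenceMatcher
from itertools import combinations

# Assumed, illustrative settings: tune the swaps, stoplist and threshold per case.
LEET = str.maketrans("013457@$", "oieastas")
GENERIC = {"admin", "vendor", "seller", "support", "anon", "user"}
THRESHOLD = 0.85

def normalise(handle: str) -> str:
    """Lower-case, drop a trailing number, undo common character swaps, keep letters only."""
    h = re.sub(r"\d+$", "", handle.lower())
    return re.sub(r"[^a-z]", "", h.translate(LEET))

def link_handles(sightings):
    """Return cross-site handle pairs whose normalised forms are near-identical."""
    links = []
    for (site_a, a), (site_b, b) in combinations(sightings, 2):
        na, nb = normalise(a), normalise(b)
        # Short or generic handles match too easily, so they are never linked.
        if site_a == site_b or min(len(na), len(nb)) < 5 or {na, nb} & GENERIC:
            continue
        score = SequenceMatcher(None, na, nb).ratio()
        if score >= THRESHOLD:
            links.append((site_a, a, site_b, b, round(score, 2)))
    return links

# Constructed sightings (site, handle); every name here is invented.
SIGHTINGS = [
    ("forum_a", "N1ght_M3rchant_77"),
    ("market_b", "nightmerchant"),
    ("chat_c", "NightMerchnt"),
    ("forum_a", "admin01"),
    ("market_b", "Admin"),
    ("chat_c", "quietfox"),
]
```

A high score is a lead to corroborate with the other selectors in this guide, not an attribution on its own.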
- Writing Style and Language Patterns
Every writer is unique - their style is like a linguistic fingerprint. Anything from unusual word choice to a signature spelling mistake can be a lead worth following.
As many cybercriminals are writing in a second language, their writing will be even more idiosyncratic. If the same writing style appears under different usernames, it could be the same guy.
- Products and Services
Cybercriminals usually specialise. A drug lord isn’t going to suddenly switch overnight to malware hosting - but he might have a sideline in counterfeit trainers. By analysing the type of business your target proffers, you can link profiles and see how sophisticated (or not) their operations are.
- PGP Keys
Many cybercriminals publish PGP keys on their profiles to enable encrypted communication. These keys are often reused across platforms - and there’s no real reason to post someone else’s. Matching keys across forums is one of the most reliable ways to link profiles, so even beginner analysts can use this method to confirm whether two usernames belong to the same actor.
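Matching keys means matching fingerprints rather than pasted text, because forums re-wrap lines and change armor headers. This added example (not from the original guide) computes the version 4 fingerprint of each key found in saved profile text; the profiles, handles and key bytes are constructed, and the CRC line is a placeholder that is not verified.

```python
import base64, hashlib, re
from collections import defaultdict
ARMOR = re.compile(r"-----BEGIN PGP PUBLIC KEY BLOCK-----(.*?)-----END PGP PUBLIC KEY BLOCK-----", re.S)

def dearmor(body: str) -> bytes:
    """Drop armor headers ("Comment: ...") and the "=" CRC line, then decode the rest."""
    lines = (ln.strip() for ln in body.splitlines())
    return base64.b64decode("".join(ln for ln in lines if ln and ":" not in ln and ln[0] != "="))

def v4_fingerprint(raw: bytes) -> str:
    """SHA-1 over 0x99, a 2-byte length and the v4 public-key packet body (RFC 4880, 12.2)."""
    tag = raw[0]
    if tag & 0x40:                                  # new-format packet header
        ptag, first = tag & 0x3F, raw[1]
        if first >= 224:
            raise ValueError("unsupported length encoding")
        length, off = (first, 2) if first < 192 else (((first - 192) << 8) + raw[2] + 192, 3)
    else:                                           # old-format packet header
        ptag, size = (tag >> 2) & 0x0F, 1 << (tag & 0x03)
        if size > 2:
            raise ValueError("unsupported length encoding")
        length, off = int.from_bytes(raw[1:1 + size], "big"), 1 + size
    body = raw[off:off + length]
    if ptag != 6 or body[:1] != b"\x04":
        raise ValueError("first packet is not a v4 public key")
    return hashlib.sha1(b"\x99" + length.to_bytes(2, "big") + body).hexdigest().upper()

def link_by_key(profiles: dict) -> dict:
    """Map fingerprint -> profiles that posted it, keeping keys seen on 2+ profiles."""
    seen = defaultdict(set)
    for who, text in profiles.items():
        for block in ARMOR.findall(text):
            seen[v4_fingerprint(dearmor(block))].add(who)
    return {fp: sorted(who) for fp, who in seen.items() if len(who) > 1}

def toy_armor(body: bytes, comment: str, width: int) -> str:
    """Constructed sample only: fake key packet, placeholder CRC, forum-style wrapping."""
    b64 = base64.b64encode(bytes([0xC6, len(body)]) + body).decode()
    rows = "\n".join(b64[i:i + width] for i in range(0, len(b64), width))
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\n"
            f"Comment: {comment}\n\n{rows}\n=AAAA\n-----END PGP PUBLIC KEY BLOCK-----")

# Constructed profiles: invented sites and handles, not real actors or keys.
KEY_A, KEY_B = (b"\x04" + bytes(4) + b"\x16" + s * 6 for s in (b"sample-key-A", b"sample-key-B"))
PROFILES = {
    ("forum_a", "nightvendor"): "PGP:\n" + toy_armor(KEY_A, "main", 64),
    ("market_b", "nv_official"): toy_armor(KEY_A, "shop", 40).replace("\n", "\r\n"),
    ("market_b", "otherseller"): toy_armor(KEY_B, "shop", 64),
}
```

Calling `link_by_key(PROFILES)` groups the two profiles that share a key even though one copy is wrapped at 40 columns with CRLF line endings and a different comment header.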
- Email Addresses
Email addresses occasionally appear in forum posts or profiles, and sometimes even contain fragments of usernames. Even anonymous email addresses are worthwhile pivots. Run the email through an OSINT tool - like OSINT Industries - and see what comes back.
- Contact Handles and IDs
Cybercriminals won’t just drop their digits in the chat. But they can still share contact info for their associates’ address books. Telegram usernames, Discord handles and other IDs are an easy lead to punch into your search tool. Even if you can’t find matches on-site, your OSINT tools may show up something else.
- Cryptocurrency
Cryptocurrency is commonly used for payments in cybercrime. When a threat actor publicly posts a wallet address, it’s fair game for passive OSINT profiling. At a basic level, you can search to see if the same address pops up elsewhere.
For the more advanced OSINT investigators, a wallet address opens up transaction history, linked addresses and payment patterns - but this often requires the right tools.
Want to see these tips and tricks in action? Our Case Studies cover real cybercrime cases cracked with OSINT.
“Aidan’s clients had lost their $50,000 to a ‘butcher’ that promised them a straightforward real estate investment, only to fill his own piggy bank with their savings … What these scammers don’t realize is that by providing contact details before they vanish, they’ve just made a pigs’ ear of their tidy profit.”
Read more: Squealing on Scammers: Exposing the Crypto-Scam Underbelly


