Key OSINT Techniques for Crypto Investigators
checklist
Core idea
Six OSINT technique families used to bridge blockchain addresses to real-world identity, each with its main methods and tools. OSINT is the “who” behind the on-chain “what”.
Components
- Username & Persona Correlation: Search a username across hundreds of platforms with Sherlock and WhatsMyName (free/open source); cross-reference forum-registration emails against breach databases (HaveIBeenPwned, Dehashed); mine GitHub, PGP key servers, and Keybase for corroborating real-name data; look for linguistic quirks and timezone signals in post history; archive everything at point of discovery.
- IP Address & Network Analysis: A Bitcoin transaction’s first broadcast originates from a specific IP before propagating; exchange login and withdrawal-linked IPs are frequently sought in legal discovery; use Shodan and Censys to map target infrastructure; timing analysis (consistent UTC hours) indicates timezone. IP evidence is volatile, UK ISPs retain logs 12 months under RIPA, so secure preservation orders early.
- Domain & Infrastructure OSINT: Historical WHOIS via DomainTools or ViewDNS (pre-GDPR registrant details); Certificate Transparency logs at crt.sh expose subdomains without touching the target; smart contract deployer addresses link on-chain activity to web2 infrastructure; favicon hashing via Shodan groups sites by common operator; hosting provider and Autonomous System (AS) number analysis narrows geography.
- Forum & Darknet Research: BitcoinTalk.org posts (2009-2016) contain thousands of self-disclosed addresses, searchable by username or address string; darknet vendor PGP keys can match clearnet forum identities (key reuse); preserve deleted content via Wayback Machine, Google Cache, and archive.ph; Telegram membership and forwarded-message metadata identifies operators/admins; verify posted addresses were not edited after the fact.
- Metadata & Image Forensics: EXIF data can hold GPS coordinates, device model, serial number, and precise timestamp (use ExifTool); reverse image search via Google, TinEye, and Yandex; PDF/Office metadata reveals author, organisation, software version, and revision history; geolocate from background signage, architecture, and terrain; video frame analysis of lighting, accent, and room layout.
- Exchange & KYC Records: Exchange deposit addresses are the highest-value endpoints (they link on-chain activity to KYC identity); law enforcement uses subpoenas, production orders, and Mutual Legal Assistance (MLA) requests; civil litigants use letters rogatory or court-ordered disclosure; IRS v. Coinbase (2017) upheld a summons for ~14,000 accounts, establishing the mechanism is legally robust; document the deposit address, amount, and timestamp before initiating legal process.
When to use
Stage 4 (attribution) of an investigation, once on-chain tracing has produced addresses and endpoints and you need to tie them to a real-world identity or physical location.
Example
Ross Ulbricht was linked to the Silk Road when investigators found a 2011 BitcoinTalk post under the username “altoid” listing his personal Gmail address, Forum & Darknet Research combined with Username & Persona Correlation, converting a public forum post into a real-world identity.
Related
The 5-Stage Investigation Process, Crypto Investigation Glossary, Beginner Investigation Approach
Last updated on