🕵️‍♂️ OSINT for Goblins: How to Stalk Like a Pro (Legally-ish)

“all i did was google their username and now i know their blood type, favorite anime, and who they kissed in 2008”
— some cursed OSINT gremlin probably

okay kids. gather 'round the glow of your dusty monitor.

today we're gonna talk about OSINT which is short for Open Source Intelligence, long for holy shit i didn’t realize people leaked this much info just by existing on the internet.

this is a full guide. not one of those "just use Maltego" copouts. we're gonna get weird. you're gonna learn too much. let’s go.

🍿 the vibe check: what is osint, really

osint is the hacker’s version of digital stalking, except you do it with style and sometimes a warrant. it’s about taking publicly available info — google results, social media, public records, metadata, whatever — and using it to piece together someone’s life, infrastructure, or shady little secrets.

you’re not breaking in. you’re just... looking. and noticing what no one else bothered to hide.

🛠️ tools of the trade (aka your goblin toolbox)

here’s your standard issue OSINT starter pack:

🧠 mindset: don’t be a script kiddie

most people fail at OSINT because they treat it like a checklist. it’s not. it’s a game of inference.

you want to know what school someone goes to? don’t google “john smith college”. look at:

• what hoodie they’re wearing in a pic
• what time they post during the day (timezone inference)
• their friends’ bios
• wifi names in the background (lol)
• LinkedIn endorsements (💀)

you gotta be curious and stubborn and just a little nosy.

📖 story time: how i found “tim”

let me tell you about a guy named tim. not real name, but whatever.

tim ran a scammy dropshipping store and thought he was anonymous.

but tim:

• bought a .com domain and used his real email to register it (WHOIS hit)
• reused that email for a wordpress blog back in 2016
• blog had a selfie on it with exif data: GPS coordinates of his backyard
• backyard was visible on Google Maps
• google street view showed his house number
• Zillow showed who owned the house

five steps later, i had his real name, address, and his dog’s name.

tim is not very smart. don’t be tim.

🔍 how to start an osint investigation

ok let’s say someone gives you just a username: cryptodaddy420

here’s how to unravel that mess:

🧩 step 1: username enumeration

run it through:

• sherlock
• whatsmyname.app
• manual checks on twitter, reddit, github, keybase

look for:

• pattern reuse (similar bios, same pfps, same jokes)
• links to other platforms
• weird niche forums (stack overflow, leetcode, dark web forums)

🧩 step 2: email & password leaks

once you get an email, check:

• haveibeenpwned
• dump leaks on https://dehashed.com (paid but 🔥)
• check reused passwords across accounts (don’t actually log in unless you’re doing a pentest with permission ya goblin)

🧩 step 3: image metadata

find their profile pic. reverse image search it on:

• tineye.com
• images.google.com

if they ever uploaded it as an original photo, run it through:

exiftool cryptodaddy420.jpg

look for GPSLatitude, Camera Model, or even software used to edit it.

some filters leave signatures (e.g., VSCO, Snapseed, etc.)

🧩 step 4: social connections

track their friends. search their usernames. who follows who. who comments. this is called pivoting, and it’s the heart of OSINT.

people don’t exist alone. stalk the friends, the exes, the burner accounts.

🧩 step 5: infrastructure (if they're running a site)

• whois the domain
• check for DNS history on securitytrails
• scan for open ports with nmap
• check subdomains via crt.sh and amass
• run whatweb or wappalyzer to fingerprint tech stack
• grab robots.txt and sitemap.xml ... juicy stuff sometimes
• look at view-source: and see if they hardcoded an email or tracking ID

🤫 opsec while doing osint

you’re gonna want to be sneaky, especially if you’re poking around shady people or forums.

• use a VPN + Tor (duh)
• isolate browser sessions (firejail, Tails, Whonix, etc.)
• don’t use your real GitHub or Discord to talk to targets
• randomize user agents, use NoScript, don’t load images from targets directly
• avoid logging into your real accounts during recon

remember: the watcher can be watched back.

🧨 advanced moves

• use Google Dorks:

site:linkedin.com "cryptodaddy420"

intitle:"index of" "bitcoin wallet"

filetype:pdf resume "john smith"

• search in native languages if your target isn’t from your country.

transliterate their name. look in VK, Weibo, whatever fits.

• parse Breached Forums dumps (when they’re up) for pattern matching.
• use GHunt and Holehe for Google account data and service enumeration.
• scrape pages, use NLP to cluster info. yeah, that’s overkill. but fun.

🪦 the ethics part (ugh fine)

don’t be a creep. don’t harass people.

do this for learning, for CTFs, for OSINT challenges, or as part of legit infosec work.

if you’re doing it to feel powerful, you're just a nerd with too much time.

if you're doing it to help protect people or understand your own footprint, that's ✨chef's kiss✨.

🧹 clean your own damn footprint

if you read this and thought oh god this could be done to me, yep.

go:

• delete old accounts
• scrub metadata before posting pics (exiftool -all= img.jpg)
• stop reusing usernames, emails, and passwords
• use a password manager
• think before you post your entire life online like a digital diary

🧠 final brain dump

• every OSINT hit is a piece of a puzzle
• correlation is power. connect the dots.
• most people secure their servers better than their social media
• the real secrets hide in plain sight
• and always, always, read the alt text.

go forth and stalk responsibly.

— Dasho

“i know what brand of cereal you eat. fix your opsec.”