How OSINT is Used in Cybersecurity (Real-World Use Cases)
In 2018, investigators at Bellingcat unmasked 305 officers from Russia’s military intelligence unit, GRU Unit 26165, using nothing but a public vehicle registration database and a Moscow address. No classified leaks. No hacking. Just open-source data, read carefully.
That story captures what OSINT is and why it matters in cybersecurity. Open Source Intelligence (OSINT) is the practice of collecting and analyzing publicly available information from sources such as search engines, domain registries, certificate logs, social media, job postings, and code repositories to build actionable intelligence. And here’s the core tension that makes it so powerful: the same public data attackers use to plan intrusions is what defenders use to find, track, and stop them.
Threat Actor Profiling: Turning Anonymous IPs Into Named Adversaries
When researchers built their APT41 “Double Dragon” profile, they didn’t start with classified intercepts. They started with forum posts. Two Chinese underground personas, Zhang Xuguang and Wolfzhi, had been advertising hacking-for-hire services on public cybercrime forums. By correlating those posts against observed intrusion working hours and code overlaps with known malware families, Mandiant assembled a picture detailed enough to support a DOJ indictment of five Chinese nationals in September 2020.
The Volt Typhoon case took infrastructure OSINT even further. In May 2023, Microsoft published a report on Chinese pre-positioning across U.S. critical infrastructure. Censys researchers later tracked Volt Typhoon’s command-and-control servers across multiple migrations using a single TLS certificate fingerprint, a 64-character SHA-256 hash tied to one of the group’s proxy clusters. When the servers moved, the fingerprint followed. What looked like anonymous infrastructure became a traceable trail.

Volt Typhoon Threat Actor Card
Attack Surface Mapping: Finding Your Own Exposure First
The problem isn’t limited to network devices. Misconfigured databases are indexed just as readily. In April 2026, SOCRadar’s AI-powered Sensitive Data Exposure Monitoring service identified three publicly accessible Elasticsearch instances exposing a combined 9.8 billion credential records, roughly 1.5TB of data sitting open on the internet.

Example ULP records showing credentials tied to specific login URLs
What made the discovery particularly significant wasn’t just the scale. Two of the servers contained ULP records: credentials tied directly to specific login URLs, making them immediately actionable for targeted attacks rather than bulk credential stuffing.
Over half of the 4.6 billion email records in one dataset were corporate addresses, and a significant portion were linked to identity providers and business platforms, meaning the exposure reached authentication infrastructure, not just individual accounts.
AI platforms appeared in the data too, a sign that credential monitoring hasn’t kept pace with how quickly these services have been adopted. All three servers were taken offline after responsible disclosure. The discovery method was the same as it always is: a scan, an open port, a misconfigured service that had no business being public.
Phishing Investigation: Infrastructure Leaves Fingerprints Everywhere
In July 2022, threat researchers received a client referral about suspicious Okta-themed login pages. What followed was a phishing-focused OSINT investigation. By decompiling the phishing kit, they extracted the Telegram bot token being used to collect stolen credentials in real time. By pivoting on registrar patterns, hosting ASNs, and certificate transparency logs, they identified 169 unique phishing domains targeting over 130 organizations, including Twilio, Cloudflare, LastPass, DoorDash, and Signal, and traced nearly 10,000 compromised credentials.
The campaign, dubbed “0ktapus,” was run by a group that would later become known as Scattered Spider. The OSINT trail eventually contributed to the arrest of alleged ringleader Tyler Buchanan at Palma de Mallorca airport in June 2024, with roughly $27 million in Bitcoin on his devices.
Certificate transparency logs deserve special mention here. Every TLS certificate issued by a public CA is logged in public CT ledgers (crt.sh, Censys, Facebook CT Monitor). Phishing operators almost always provision certificates for their fake domains, which means defenders can monitor for new certificates containing their brand name and catch impersonation infrastructure within hours of registration.
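The brand-name monitoring described above can be automated against crt.sh output. The following is an added example, not code from the original post or from SOCRadar: it takes records in the JSON shape crt.sh returns (the `name_value` and `issuer_name` fields are real crt.sh field names; the sample records, the brand "acmecorp" and the owned-domain list are constructed) and flags certificates issued for names that embed the brand, are one edit away from it, or match it after common confusable substitutions. The registrable-domain logic is simplified to the last two labels and ignores the Public Suffix List.

```python
import json

# Constructed sample in the shape of crt.sh JSON output
# (the real query is https://crt.sh/?q=%25acmecorp%25&output=json).
# "acmecorp" is a made-up brand; none of these names are real findings.
SAMPLE_CT_JSON = json.dumps([
    {"name_value": "login.acmecorp.com\nwww.acmecorp.com",   # legitimate, owned
     "issuer_name": "C=US, O=Let's Encrypt, CN=R3", "not_before": "2024-01-10T09:00:00"},
    {"name_value": "acmecorp-login.example",                # brand embedded
     "issuer_name": "C=US, O=Let's Encrypt, CN=R3", "not_before": "2024-01-11T03:14:00"},
    {"name_value": "*.acme-corp.net",                       # wildcard, one edit away
     "issuer_name": "C=US, O=Let's Encrypt, CN=R3", "not_before": "2024-01-11T04:02:00"},
    {"name_value": "acrnecorp.com",                         # "rn" renders like "m"
     "issuer_name": "C=US, O=Let's Encrypt, CN=R3", "not_before": "2024-01-11T05:30:00"},
    {"name_value": "acmec0rp.net",                          # zero in place of "o"
     "issuer_name": "C=US, O=Let's Encrypt, CN=R3", "not_before": "2024-01-11T06:45:00"},
    {"name_value": "unrelated.example",                     # noise
     "issuer_name": "C=US, O=Let's Encrypt, CN=R3", "not_before": "2024-01-11T07:00:00"},
])

BRAND = "acmecorp"                 # constructed brand string to monitor
OWNED_DOMAINS = {"acmecorp.com"}   # constructed list of domains the org controls

# A few common confusable substitutions; a production monitor uses a fuller table.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize(label: str) -> str:
    """Lower-case a DNS label and collapse confusable character sequences."""
    label = label.lower()
    for src, dst in HOMOGLYPHS:
        label = label.replace(src, dst)
    return label


def registrable_domain(name: str) -> str:
    """Last two labels of a hostname. Simplification: ignores the Public Suffix List."""
    parts = name.lower().strip(".").split(".")
    return ".".join(parts[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(name: str, brand: str = BRAND, owned=OWNED_DOMAINS):
    """Return a reason string if the name looks like brand impersonation, else None."""
    reg = registrable_domain(name)
    if reg in owned:
        return None
    label = normalize(reg.split(".")[0])
    if label == brand:
        return "homoglyph/typo of brand"
    if brand in label:
        return "brand embedded in name"
    if edit_distance(label, brand) <= 1:
        return "one edit from brand"
    return None


def triage(ct_json: str, brand: str = BRAND, owned=OWNED_DOMAINS):
    """Walk crt.sh records, expand multi-SAN name_value fields, and collect findings."""
    findings = []
    for rec in json.loads(ct_json):
        for raw in rec["name_value"].split("\n"):
            name = raw.strip().lower().removeprefix("*.")
            reason = classify(name, brand, owned)
            if reason:
                findings.append({"name": name, "reason": reason,
                                 "issuer": rec["issuer_name"],
                                 "not_before": rec["not_before"]})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_CT_JSON):
        print(f"{f['not_before']}  {f['name']:28}  {f['reason']}  ({f['issuer']})")
```

Run against a live crt.sh pull, the same `triage` call becomes a scheduled job: every new certificate for a lookalike name is an alert with the issuer and issuance time attached, which is exactly the hours-not-days window the paragraph above describes.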

Incident Response & C2 Hunting: Compressing the Timeline
When Progress Software’s MOVEit Transfer vulnerability was exploited over Memorial Day weekend 2023, the cybersecurity community moved fast. Huntress researcher John Hammond published a full technical analysis within 48 hours. Google traced the attacker group to Cl0p Ransomware by pivoting on a single IP address that had been used in January reconnaissance activity, which was confirmed by a matching X.509 certificate. CISA’s consolidated advisory, with full IOCs, was published June 7. What might have taken weeks of isolated IR work became a shared community effort in days, anchored by public infrastructure pivots.
For C2 server hunting specifically, JARM fingerprinting has become one of the most effective OSINT techniques. Developed by Salesforce’s John Althouse in 2020, JARM generates a fingerprint from how a server responds to TLS handshake probes. Research showed that 80% of TrickBot command-and-control servers shared an identical JARM hash, with zero overlap in legitimate traffic. Cobalt Strike beacon servers, similarly, have well-documented default certificate serials and port behaviors that Shodan now catalogs as a named product, listing over 1,800 active servers at any given time.

JARM is an active TLS server fingerprinting tool developed by Salesforce
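To show why a shared TLS stack configuration yields a shared JARM hash, here is an added example that is not code from the original post or from the JARM project. It reimplements only the fingerprint assembly stage: JARM's real tool sends ten crafted client hellos over the network and maps each observed cipher and version through fixed lookup lists; the two code tables below are shortened stand-ins for those lists (an assumption), and the probe responses, IP addresses (RFC 5737 documentation ranges) and watchlist are constructed. The 62-character layout (10 probes x 3 characters, then the first 32 hex characters of SHA-256 over all extension bytes) matches the format JARM documents.

```python
import hashlib

# Shortened stand-ins for JARM's cipher and version lookup tables (assumption:
# the real tool maps a cipher to its index in a fixed list and a version to a
# letter; the principle is identical).
CIPHER_CODES = {"009c": "01", "c02b": "05", "c02f": "09", "c030": "0a", "1301": "28", "1302": "29"}
VERSION_CODES = {"0301": "a", "0302": "b", "0303": "c", "0304": "d"}


def fuzzy_hash(probe_results):
    """Assemble a JARM-style fuzzy hash from 10 probe results.

    Each result is (cipher_hex, version_hex, extensions_hex) or None when the
    server returned no ServerHello. A missing response contributes "000".
    """
    if len(probe_results) != 10:
        raise ValueError("JARM uses exactly 10 probes")
    head, ext_blob = "", ""
    for result in probe_results:
        if result is None:
            head += "000"
            continue
        cipher, version, extensions = result
        head += CIPHER_CODES.get(cipher, "00") + VERSION_CODES.get(version, "0")
        ext_blob += extensions
    tail = hashlib.sha256(ext_blob.encode()).hexdigest()[:32] if ext_blob else "0" * 32
    return head + tail


def hunt(scan_results, watchlist):
    """Match scanned hosts against known-bad fingerprints.

    'exact' means the whole hash matched; 'partial' means the same cipher and
    version profile (first 30 characters) with different extension bytes, which
    is worth a second look rather than an alert.
    """
    watch_heads = {fp[:30] for fp in watchlist}
    verdicts = {}
    for host, fp in scan_results.items():
        if fp in watchlist:
            verdicts[host] = "exact"
        elif fp[:30] in watch_heads:
            verdicts[host] = "partial"
    return verdicts


# Constructed probe responses for three hypothetical server stacks. The
# extension hex strings are illustrative bytes, not captured traffic.
C2_STACK = [("c02f", "0303", "ff01000100000b00020100"), ("c030", "0303", "ff01000100"),
            ("1302", "0304", "002b00020304"), None, ("c02b", "0303", "000b00020100"),
            None, ("009c", "0303", ""), ("1301", "0304", "002b00020304"),
            ("c02f", "0303", "ff01000100"), ("c030", "0303", "ff010001000017")]
VARIANT_STACK = C2_STACK[:9] + [("c030", "0303", "ff010001000018")]
BENIGN_STACK = [("1302", "0304", "002b00020304"), ("1302", "0304", "002b00020304"),
                ("1302", "0304", "002b00020304"), None, ("1301", "0304", "002b00020304"),
                None, None, ("1301", "0304", "002b00020304"),
                ("1302", "0304", "002b00020304"), ("1302", "0304", "002b00020304")]

# Constructed scan output: host -> fingerprint (documentation-range IPs).
SCAN_RESULTS = {
    "203.0.113.10": fuzzy_hash(C2_STACK),
    "203.0.113.11": fuzzy_hash(C2_STACK),     # different IP, identical stack
    "198.51.100.7": fuzzy_hash(VARIANT_STACK),
    "192.0.2.5": fuzzy_hash(BENIGN_STACK),
}
WATCHLIST = {fuzzy_hash(C2_STACK)}            # placeholder for a published C2 JARM


if __name__ == "__main__":
    for host, verdict in hunt(SCAN_RESULTS, WATCHLIST).items():
        print(f"{host:14} {verdict:8} {SCAN_RESULTS[host]}")
```

Two hosts that run the same TLS library with the same configuration answer the ten probes identically and therefore collapse to one hash regardless of IP, hosting provider or certificate, which is why a single JARM value can cover most of a botnet's C2 fleet. The 'partial' verdict also shows the limit: the hash is a property of the server software, so a legitimate host on the same stack can collide, and JARM hits should be corroborated with certificate, ASN or behavioural pivots before blocking.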
Supply Chain Risk: Your Dependencies Have an OSINT Footprint Too
The XZ Utils backdoor, discovered in March 2024, is one of the most sophisticated attacks ever documented, and it was caught through OSINT-style analysis of public data. Microsoft engineer Andres Freund noticed a 500-millisecond SSH login latency and traced it to a malicious modification in XZ Utils, a compression library present in most Linux distributions.
What followed was a community forensic effort on GitHub’s public contribution history. The attacker had operated as Jia Tan (JiaT75) for over two and a half years, building credibility through legitimate open-source contributions before inserting a backdoor that would have enabled remote access to any affected SSH server globally. Researchers identified the deception by analyzing commit frequency patterns, self-merge ratios, timezone metadata inconsistent with the claimed location, and a suppression PR submitted to Google’s oss-fuzz project designed to prevent fuzzing from detecting the hook.
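The contributor-history signals listed above (commit frequency, self-merge ratio, timezone metadata) can be computed from nothing more than `git log` output. The following is an added example, not code from the original post or from the researchers who analysed the XZ Utils history: it parses lines in the shape of `git log --format='%H|%an|%aI|%cn'` (hash, author, author date with UTC offset, committer) and reports, for one author, how often they commit their own changes (committer equal to author is used here as a proxy for self-merging, an assumption), which UTC offsets their commits carry, how many fall outside daytime hours in the timezone they claim, and the busiest seven-day window. The commit records, names and claimed timezone are constructed and do not reproduce the real repository.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed git log in `%H|%an|%aI|%cn` shape. Hashes and names are made up.
SAMPLE_GIT_LOG = """\
a1|j.contributor|2023-03-01T02:15:00+08:00|j.contributor
a2|j.contributor|2023-03-02T03:40:00+08:00|j.contributor
a3|j.contributor|2023-03-03T22:05:00+03:00|j.contributor
a4|j.contributor|2023-03-04T02:30:00+08:00|maintainer
a5|maintainer|2023-03-05T12:00:00+01:00|maintainer
a6|j.contributor|2023-03-06T21:50:00+02:00|j.contributor
a7|j.contributor|2023-03-07T01:20:00+08:00|j.contributor
"""

WORK_START, WORK_END = 8, 20   # local hours treated as normal daytime activity
MIN_COMMITS_FOR_FLAGS = 5      # don't draw conclusions from a handful of commits


def parse_log(text):
    """Turn pipe-delimited log lines into commit dicts with aware datetimes."""
    commits = []
    for line in text.strip().splitlines():
        sha, author, ts, committer = line.split("|")
        commits.append({"sha": sha, "author": author,
                        "when": datetime.fromisoformat(ts), "committer": committer})
    return commits


def offset_label(dt):
    """Render an aware datetime's UTC offset as '+08:00'."""
    z = dt.strftime("%z")          # e.g. '+0800'
    return f"{z[:3]}:{z[3:]}"


def analyze(text, author, claimed_offset_hours):
    """Summarise one author's commit metadata against the timezone they claim."""
    mine = [c for c in parse_log(text) if c["author"] == author]
    if not mine:
        return {"commits": 0, "flags": []}
    claimed_tz = timezone(timedelta(hours=claimed_offset_hours))
    claimed_label = offset_label(datetime.now(claimed_tz))

    offsets = Counter(offset_label(c["when"]) for c in mine)
    self_committed = sum(c["committer"] == author for c in mine)
    off_hours = sum(
        not (WORK_START <= c["when"].astimezone(claimed_tz).hour < WORK_END) for c in mine)
    times = sorted(c["when"].astimezone(timezone.utc) for c in mine)
    week = timedelta(days=7)
    burst = max(sum(1 for t in times if timedelta(0) <= t - start < week) for start in times)

    n = len(mine)
    report = {
        "commits": n,
        "self_committed_ratio": round(self_committed / n, 2),
        "offsets_seen": dict(offsets),
        "claimed_offset_share": round(offsets[claimed_label] / n, 2),
        "off_hours_share": round(off_hours / n, 2),
        "max_commits_in_7_days": burst,
        "flags": [],
    }
    if n >= MIN_COMMITS_FOR_FLAGS:
        if report["claimed_offset_share"] < 0.9:
            report["flags"].append("commits carry UTC offsets other than the claimed one")
        if report["off_hours_share"] > 0.5:
            report["flags"].append("most commits fall outside daytime in the claimed timezone")
        if report["self_committed_ratio"] > 0.8:
            report["flags"].append("author commits nearly all of their own changes")
    return report


if __name__ == "__main__":
    for name, tz_hours in (("j.contributor", 8), ("maintainer", 1)):
        r = analyze(SAMPLE_GIT_LOG, name, tz_hours)
        print(name, {k: v for k, v in r.items() if k != "flags"})
        for flag in r["flags"]:
            print("  !", flag)
```

None of these signals is proof of anything on its own; plenty of honest contributors work nights or travel. Their value is as a prompt for review: an account whose stamps disagree with its stated location, that merges its own work, and that arrives in bursts is one where a maintainer should read the diffs more carefully, which is the habit the XZ case rewarded.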
The Polyfill.io supply chain attack in June 2024 required less sophistication but reached further. A Chinese CDN firm purchased the polyfill.io domain and began injecting malware into JavaScript served to mobile visitors. Over 380,000 hosts were serving the malicious script, including Hulu, Mercedes-Benz, and the World Economic Forum, before Cloudflare deployed a real-time rewrite and the domain was suspended.
Law Enforcement: OPSEC Failures Are OSINT Wins
The AlphaBay Dark Web Market takedown in July 2017 was a clear case of how OSINT exploits operational security failures. AlphaBay’s welcome emails had carried the return address [email protected] since 2014, an address that site operator Alexandre Cazes had also used on LinkedIn, for his legitimate IT repair business, and on a public tech forum where he posted under his real name in 2008. The FBI matched the email, found the man, and timed his arrest while he was logged into the site. His laptop was unencrypted.
LockBit’s administrator, long known online as “LockBitSupp”, was unmasked in May 2024 as Dmitry Khoroshev, 31, of Voronezh, Russia. Operation Cronos (a 10-country law enforcement coalition) seized LockBit’s servers in February 2024, recovering 7,000+ attack builds and the personal data of 194 affiliates. According to the DoJ, LockBit’s members extracted at least $500 million in ransom payments from their victims.
The pattern repeats across almost every major cybercriminal arrest: a reused username, a forum post with identifying details, a Bitcoin address that traces back to a KYC-compliant exchange, an IP address left in a seized database. Digital criminals tend to believe the internet is more anonymous than it is.
Conclusion
OSINT isn’t a silver bullet, but it is one of the most overlooked tools in defensive security. The cases in this post share a common thread: the intelligence that mattered most was never hidden. It was sitting in public certificate logs, open code repositories, domain registration records, and blockchain ledgers, available to anyone who knew where to look and how to connect the dots.
That’s both the promise and the warning. Attackers already treat public data as reconnaissance infrastructure. They map your exposed services, study your employees on professional networks, watch your dependencies, and monitor your domain registrations. The question isn’t whether your organization has an OSINT footprint because it does. The question is whether your security team is reading it too.
Building OSINT fluency doesn’t require a large budget. It requires curiosity, a structured methodology, and familiarity with the tools and frameworks that turn raw public data into actionable intelligence. As threats grow more sophisticated and supply chains more complex, the analysts who understand how to work with open-source data will have a decisive edge. Not because they have access to something others don’t, but because they pay attention to what’s already there.

