    The OSINT Newsletter – Issue #97

By admin, March 23, 2026
    👋 Welcome to the 97th issue of The OSINT Newsletter. This issue contains OSINT news, community posts, tactics, techniques, and tools to help you become a better investigator. Here’s an overview of what’s in this issue:

    • Introduction to IP addresses.

    • How to investigate an IP address.

    • A step-by-step process for IP investigation.

🪃 If you missed the last newsletter, here's a link to catch up: The OSINT Newsletter – Issue #96, "Organizing Information and Avoiding Duplication of Effort".

🎙️ If you prefer to listen, here's a link to the podcast instead: Episode 13 – Geolocation Mastery and Organizing Your Investigations.

Let's get started. ⬇️

The internet is like a big mail service. Every time somebody logs into an account, clicks a link or loads a site, the data for that action gets parcelled up and shipped across the web. If domains are street names, IP addresses are the house numbers that actually direct the parcels to the right home. And like regular mail, the whole process leaves a trace behind.

    Of course, stealing people’s mail is a felony (and a great punk track) – but that doesn’t mean you can’t get valuable OSINT from tracking its journey. If you know how to read IP addresses, they can tell you where traffic travelled, what infrastructure handled it, and whether someone tried to hide the sender.

    In this issue, we’re following the packets. We’ll cover:

    • The basics of IP addresses

    • How IPs can change (and why that matters)

    • Reverse IP lookups

    • Geolocation with IPs

• ...plus VPNs and Tor traffic.

    Now, let’s check the labels.

An IP address (short for Internet Protocol address) is a numerical identifier assigned to each device or server connected to a network. Think of it like a shipment number. It can look like either:

• IPv4: The old faithful. Four numbers from 0 to 255 separated by dots, e.g. 192.168.1.1. (That particular example is a private address from the 192.168.0.0/16 range: it only exists inside a home or office network and will never appear as the public source of a login.)

• IPv6: The longer, newer format, increasingly common as the internet runs out of IPv4 space. Eight groups of hexadecimal digits separated by colons, e.g. 2001:0db8:85a3:0000:0000:8a2e:0370:7334. Leading zeros and the longest run of all-zero groups are usually compressed, so the same address is normally written 2001:db8:85a3::8a2e:370:7334; normalise addresses before comparing them, or two logs recording the same host won't match. (2001:db8::/32 is reserved for documentation, so this one, too, is an example rather than a real host.)

    In OSINT terms, you can divide all kinds of IPs into two categories: User IPs, and Server IPs. A user IP belongs to a device connecting to a service. Meanwhile, a server IP belongs to infrastructure hosting websites, apps, or mail networks. Confusing the two is like mistaking a sender’s return address for a warehouse location.

    IP addresses aren’t as stable an identifier as email addresses, for instance. But that’s OK; IP address OSINT is less about identifying individuals, and more about mapping the movement of data back to its source. Follow enough parcels, and you’ll find the depot.

    One of the biggest misconceptions in IP OSINT is assuming that IP addresses are permanent identifiers. Just because IPs are unique, doesn’t mean they can’t move from place to place. So why do IPs change, why does it matter… and once an IP changes, can you trace where it’s been?

Most average-Joe residential users are assigned dynamic IPs by their ISP (Internet Service Provider). These can change for a ton of reasons: after a router reboot, when a DHCP lease expires, or simply over time. The most important thing to remember is that dynamic IPs get passed around between users: an IP that belonged to one person last month might belong to somebody else now. Increasingly, ISPs (mobile carriers especially) also put many subscribers behind carrier-grade NAT, so a single public IPv4 address can represent hundreds of customers at the same moment. Either way, an IP is only meaningful together with the timestamp at which it was observed.

    Businesses and hosting providers, however, usually use static IPs. These are longer-term allocations, tied to servers and infrastructure semi-permanently (emphasis on semi). However, when you see the same static IP appearing repeatedly, you can be reasonably confident you’re looking at a fixed point.
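To make the formats above concrete, here is an added example (my own code, not the newsletter's) that uses Python's standard ipaddress module to canonicalise an address and say whether it could be a genuine public source at all. The special-purpose ranges it checks (private, carrier-grade NAT shared space, documentation, loopback, link-local) are the standard IANA ones; the describe_ip and triage function names are my own.

```python
import ipaddress

# Special-purpose ranges that never appear as a real public login source.
# The list is an assumed, illustrative subset; the IANA special-purpose
# address registries hold the complete set.
_CGNAT = ipaddress.ip_network("100.64.0.0/10")   # carrier-grade NAT shared space
_DOCUMENTATION = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8::/32"),
]


def describe_ip(text: str) -> dict:
    """Parse an IPv4/IPv6 string and say whether it could be a real public source.

    Returns the canonical (compressed) form, the IP version and a 'scope' label:
    'global' for routable public space, otherwise the reason it is not
    (loopback, link_local, multicast, documentation, cgnat, private, reserved).
    Raises ValueError on malformed input so callers can report it.
    """
    addr = ipaddress.ip_address(text.strip())
    if addr.is_loopback:
        scope = "loopback"
    elif addr.is_link_local:
        scope = "link_local"
    elif addr.is_multicast:
        scope = "multicast"
    elif any(addr in net for net in _DOCUMENTATION):   # checked before is_private,
        scope = "documentation"                          # which would also match
    elif addr.version == 4 and addr in _CGNAT:
        scope = "cgnat"
    elif addr.is_private:
        scope = "private"
    elif addr.is_global:
        scope = "global"
    else:
        scope = "reserved"
    return {
        "input": text,
        "canonical": addr.compressed,   # zero groups collapsed, leading zeros dropped
        "version": addr.version,
        "scope": scope,
        "usable_as_public_source": scope == "global",
    }


def triage(candidates) -> dict:
    """Classify a batch of raw strings; malformed entries are reported, not dropped silently."""
    out = {"usable": [], "not_public": [], "malformed": []}
    for c in candidates:
        try:
            d = describe_ip(c)
        except ValueError:
            out["malformed"].append(c)
            continue
        bucket = "usable" if d["usable_as_public_source"] else "not_public"
        out[bucket].append(d["canonical"])
    return out


if __name__ == "__main__":
    # Constructed sample: the newsletter's two example addresses plus a few others.
    for s in ["192.168.1.1", "2001:0db8:85a3:0000:0000:8a2e:0370:7334",
              "100.64.12.7", "8.8.8.8", "not-an-ip"]:
        try:
            print(describe_ip(s))
        except ValueError:
            print({"input": s, "error": "malformed"})
```

Run this over a column of addresses pulled from a log before doing any lookups: anything that is not "global" is a dead end for WHOIS, passive DNS and geolocation, and the canonical form is what you should key your notes and comparisons on.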

When Google alerts you that a stranger in France has just signed in to your account from an iPhone 12, that alert comes from comparing the new login's IP address (its geolocation and ISP) against the addresses you've signed in from before. The device name comes from the browser or app identifying itself, not from the IP. So, although an IP can't tell you who did something online, it can tell you roughly where the connection came from and what kind of network it crossed, and, paired with the rest of the request metadata, what kind of device was used.

    Overall, what IPs show you is the circumstances at the time an online activity took place. Was a login coming from a residential ISP? A data centre? A VPN provider? Or did multiple compromised accounts route through the same infrastructure – then suddenly switch to a totally different address? When paired with timestamps, old IPs help reconstruct movement patterns, and build up a theoretical narrative; like reading old postmarks to imagine a package’s journey.

Now that you know why IPs are worth investigating, let's get to work on how. Some techniques rely on pro OSINT tools; others are significantly more lo-fi. Here are our favourite tips, tricks and techniques for investigating IP addresses.

    Reverse IP lookup – like reverse image search – flips the direction. Instead of asking ‘what IP does this domain use?’, you ask ‘what other domains are hosted on this IP?’. This is super useful when investigating scam networks and phishing campaigns.

To do it, plug the target IP into a passive DNS database, or an OSINT platform that supports reverse lookup (like Maltego). The results will bring up any domains observed resolving to that address. Note that this is not the same as a plain reverse DNS (PTR) query, which only returns the single name the IP's owner chose to publish; passive DNS is built from recorded resolutions, so it also shows domains that pointed at the address in the past.

    Next, look for suspicious infrastructure. This could look like:

    • Multiple domains sharing the same hosting

    • Sudden bursts of activity (registering lots of domains at once, then none at all)

    • Thematic similarities (crypto, “investment”, fake law firms etc.)

For example, if a single server IP hosts ten nearly identical "investment opportunity" websites registered within weeks of each other, especially on the same cheap VPS, that's a strong sign of unsavoury activity. Look up the hosting provider and registration details with WHOIS lookups on both the IP and the domains.

    That said, context still rules. Large hosting providers often place hundreds of legitimate websites on the same shared IP. In those cases, you’re looking at shared warehouse space, not necessarily shared ownership.
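The reverse-lookup workflow above, as an added example rather than anything from the newsletter: a handful of constructed passive-DNS style records (domain, IP, first seen, registrar creation date; the domains are fictional and the IPs come from documentation address space), a reverse lookup, and the two checks the text describes, registration bursts and thematic similarity, combined with the shared-hosting sanity check from the paragraph above. Function names and thresholds (30-day window, three domains per burst, 50 tenants for "shared hosting") are my assumptions.

```python
from datetime import date

# Constructed passive-DNS style records for illustration (not real data):
# (domain, ip, first_seen_resolving, registrar_creation_date)
PDNS_RECORDS = [
    ("quick-yield-capital.com",   "203.0.113.45", date(2026, 2, 3),  date(2026, 2, 1)),
    ("secure-invest-returns.net", "203.0.113.45", date(2026, 2, 9),  date(2026, 2, 8)),
    ("global-crypto-gains.org",   "203.0.113.45", date(2026, 2, 14), date(2026, 2, 12)),
    ("ohio-runners-club.org",     "203.0.113.45", date(2019, 5, 2),  date(2019, 4, 28)),
    ("bakery-on-main.com",        "198.51.100.7", date(2018, 1, 1),  date(2017, 12, 20)),
    ("florist-downtown.com",      "198.51.100.7", date(2018, 3, 1),  date(2018, 2, 20)),
]

# Assumed keyword list for the "thematic similarity" check.
SUSPICIOUS_TERMS = ("invest", "yield", "crypto", "returns", "gains", "capital", "law")


def reverse_ip(records, ip):
    """Passive-DNS reverse lookup: every domain ever seen resolving to `ip`."""
    return sorted({dom for dom, rec_ip, _, _ in records if rec_ip == ip})


def registration_bursts(records, ip, window_days=30, min_size=3):
    """Groups of domains on `ip` registered within `window_days` of each other.

    Domains are sorted by creation date and grouped greedily: a domain joins the
    current group if it was created within `window_days` of the group's first
    member, otherwise it starts a new group. Groups below `min_size` are dropped.
    """
    rows = sorted((created, dom) for dom, rec_ip, _, created in records if rec_ip == ip)
    groups, current = [], []
    for created, dom in rows:
        if current and (created - current[0][0]).days > window_days:
            groups.append(current)
            current = []
        current.append((created, dom))
    if current:
        groups.append(current)
    return [[dom for _, dom in g] for g in groups if len(g) >= min_size]


def thematic_hits(domains, terms=SUSPICIOUS_TERMS):
    """Domains whose name contains one of the suspicious terms."""
    return [d for d in domains if any(t in d.lower() for t in terms)]


def assess_ip(records, ip, shared_hosting_threshold=50):
    """Combine the signals into a verdict, with the shared-hosting caveat first."""
    domains = reverse_ip(records, ip)
    bursts = registration_bursts(records, ip)
    themed = thematic_hits(domains)
    if len(domains) >= shared_hosting_threshold:
        verdict = "shared hosting (many tenants); co-location alone is weak evidence"
    elif bursts and len(themed) >= 2:
        verdict = "likely scam cluster: burst registration plus shared theme"
    elif bursts or themed:
        verdict = "worth a closer look"
    else:
        verdict = "no signal"
    return {"ip": ip, "domains": domains, "bursts": bursts, "themed": themed, "verdict": verdict}


if __name__ == "__main__":
    for ip in ("203.0.113.45", "198.51.100.7"):
        print(assess_ip(PDNS_RECORDS, ip))
```

Swap PDNS_RECORDS for an export from your passive DNS provider and the rest applies unchanged; the point of keeping the old, unrelated domain in the sample is that a burst detector must not let one legitimate long-lived neighbour dilute the signal.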

We covered IP geolocation a little in the last issue; it's a way of estimating the country, and sometimes the city, associated with an IP. The estimate comes from registry records and ISP data, not from any physical measurement, so it's often wrong at city level (mobile and VPN ranges especially) and can never pinpoint a specific address. Think of it as narrowing delivery to the right city, not the exact doorstep.

However, it can still be useful, particularly for spotting inconsistencies: a company that claims to operate exclusively in one country but consistently routes traffic through infrastructure in another, for instance. Also look for repeated logins from the same location, and check whether that matches the IP geolocation result. Cross-reference at least two geolocation providers before trusting a city-level answer.

    VPNs are a blessing and a curse for IP OSINT. When someone uses a VPN, the IP address you see belongs to the VPN provider’s infrastructure – not the user’s original connection. These VPN IPs often resolve to big data centres, too, making it tricky to tie down the user’s actual details.

There are ways to tell if somebody's using a VPN. The simplest signal is the address itself: WHOIS and the owning ASN will show that it belongs to a hosting provider or a known VPN service rather than a consumer ISP, and commercial VPN ranges are widely catalogued. Behaviour helps too: rapid shifts between distant locations that no real journey could explain. This is useful evidence if you need to show that a target is intentionally rerouting their traffic to avoid being tracked, though bear in mind that plenty of ordinary users simply leave a VPN on all the time.

Tor adds another layer of complexity. When the target uses Tor Browser, the IP you see is the exit node's, not the origin's. The Tor Project publishes the list of exit nodes, and each exit carries traffic for many users at once; so if you spot one, all it tells you is that the target didn't want to be tracked. It doesn't imply malicious intent, but it does tell you the package was deliberately relabelled before delivery.
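An added example (my code, not the newsletter's) tying together the login-history reasoning from the dynamic/static section and the VPN and Tor points above. A constructed authentication log is parsed; each source IP is labelled residential, hosting, VPN or Tor exit from a small constructed table standing in for a real ASN/geolocation database and the Tor Project's exit list; consecutive logins by the same user are tested for location shifts too fast to be real travel; and attempt cadence is scored as scripted or irregular. All addresses are documentation ranges, the organisations are fictional, and the 900 km/h threshold and 0.2 cadence cut-off are assumptions.

```python
import ipaddress
import math
import re
from datetime import datetime, timezone
from statistics import mean, pstdev

# Constructed tables standing in for an IP-to-ASN/geolocation database and the
# Tor exit list. Documentation ranges and fictional organisations only.
RANGES = [
    # cidr,             kind,          org (fictional),      cc,   lat,   lon
    ("203.0.113.0/24",  "residential", "Rural Ohio Telecom", "US", 40.1, -84.6),
    ("198.51.100.0/24", "hosting",     "Example Cloud",      "FR", 48.9,   2.3),
    ("192.0.2.0/24",    "vpn",         "Example VPN Ltd",    "NL", 52.4,   4.9),
]
NETS = [(ipaddress.ip_network(c), k, o, cc, la, lo) for c, k, o, cc, la, lo in RANGES]
TOR_EXITS = {"198.51.100.200"}   # constructed; really you would fetch the published exit list
MAX_KMH = 900.0                  # assumed: faster than this between logins is not real travel

# Constructed authentication log, one attempt per line.
LOG = """\
2026-03-10T08:15:22Z user=alice result=ok ip=203.0.113.45
2026-03-10T08:17:03Z user=alice result=ok ip=203.0.113.45
2026-03-10T09:02:41Z user=alice result=fail ip=198.51.100.23
2026-03-11T14:00:00Z user=bob result=ok ip=192.0.2.10
2026-03-11T14:00:10Z user=bob result=ok ip=192.0.2.10
2026-03-11T14:00:20Z user=bob result=ok ip=192.0.2.10
2026-03-11T14:00:30Z user=bob result=ok ip=198.51.100.200
"""
LINE = re.compile(r"^(\S+) user=(\S+) result=(\S+) ip=(\S+)$")


def classify(ip):
    """Label a source IP. Tor exit wins over the range kind, since exits live in hosting space."""
    addr = ipaddress.ip_address(ip)
    tor = "tor_exit" if ip in TOR_EXITS else None
    for net, kind, org, cc, lat, lon in NETS:
        if addr in net:
            return {"kind": tor or kind, "org": org, "cc": cc, "lat": lat, "lon": lon}
    return {"kind": tor or "unknown", "org": None, "cc": None, "lat": None, "lon": None}


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin(math.radians(lat2 - lat1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def parse(log_text):
    """Parse login lines into events, skipping anything malformed, oldest first."""
    events = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        try:
            ipaddress.ip_address(m.group(4))
        except ValueError:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "user": m.group(2), "result": m.group(3), "ip": m.group(4)})
    return sorted(events, key=lambda e: e["ts"])


def cadence(events):
    """'scripted' when gaps between attempts are near-constant, 'irregular' otherwise."""
    gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(events, events[1:])]
    if len(gaps) < 2:
        return "insufficient"
    m = mean(gaps)
    return "scripted" if m > 0 and pstdev(gaps) / m < 0.2 else "irregular"


def analyze(log_text):
    """Per user: source kinds seen, rapid location shifts between consecutive logins, cadence."""
    by_user = {}
    for ev in parse(log_text):
        ev["src"] = classify(ev["ip"])
        by_user.setdefault(ev["user"], []).append(ev)
    out = {}
    for user, evs in by_user.items():
        shifts = []
        for a, b in zip(evs, evs[1:]):
            sa, sb = a["src"], b["src"]
            if a["ip"] == b["ip"] or sa["lat"] is None or sb["lat"] is None:
                continue
            km = haversine_km(sa["lat"], sa["lon"], sb["lat"], sb["lon"])
            hours = (b["ts"] - a["ts"]).total_seconds() / 3600
            if hours <= 0 or km / hours > MAX_KMH:
                shifts.append((a["ip"], b["ip"], round(km), sa["kind"], sb["kind"]))
        out[user] = {"kinds": sorted({e["src"]["kind"] for e in evs}),
                     "rapid_shifts": shifts, "cadence": cadence(evs)}
    return out


if __name__ == "__main__":
    for user, summary in analyze(LOG).items():
        print(user, summary)
```

Read the two results together: a residential-to-hosting jump at 8,000 km/h with irregular pauses (alice) reads like a credential tested from someone else's infrastructure after she logged in herself, while metronomic attempts that hop from a VPN range onto a Tor exit (bob) read like automation behind anonymising layers. The geolocation behind the "rapid shift" is meaningless for the VPN and Tor sources themselves, which is exactly why the source kind is carried alongside the distance.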

    This time, imagine somebody has been making repeated attempts to log into your Strava account. If successful, they could hopelessly distort your PBs. All you know is that the logins originate from the same IP address. Let’s find out who’s running things.

    Step 1: Identify the Owner

A WHOIS lookup shows that the login IP sits in a block allocated to a regional ISP's residential broadband customers. WHOIS names the ISP, not the subscriber; only the ISP can link the address and timestamp to a specific account. So: where, and who?

    Step 2: Analyse the Behavior

The IP is fairly consistent, with no jumping locations and no ties to hosting ranges or known exit nodes, which suggests the user isn't trying to hide. The login attempts are also spaced irregularly, with pauses that resemble manual interaction rather than a script. So this is probably a real person at a keyboard.

    Step 3: Geolocate

    Cross-referencing multiple IP geolocation services places the IP consistently in western Ohio, near a cluster of rural towns. You’ve never been to Ohio. And you definitely haven’t been logging into Strava from there. An interesting detail: the region is known for its expansive cornfields.

    Step 4: Reverse IP & Domain Check

A reverse IP lookup reveals two domains hosted on that same IP.

    The first is a personal blog documenting endurance training experiments; one man pushing himself to run further and further in concentric circles without becoming dizzy.

    The second, humanccohio.com, shows groups of runners arranged in geometric formations across harvested fields – what the author calls “human crop circles.” Metadata from the site aligns with the same western Ohio geolocation as the IP.

    Step 5: Behavioral Context

    The timestamps of the login attempts coincide with posts on the blog discussing “mapping local athlete data” and “identifying high-mileage runners nearby.”

    Mystery solved: this is one guy in western Ohio, checking out Strava profiles in an attempt to recruit (or map) local athletes without their knowledge for his ‘human crop circle’ project. Weird.

    Message delivered – now you know how to do OSINT with IP addresses. You should know:

    • How delivery works: An IP is like a house number, it directs the data

    • IPs change: Just because an IP is there now, doesn’t mean it’ll stick around

    • Check the return address: reverse IP search is your most powerful tool

    • Cross-reference everything: corroborate with behaviour to get the full story

    See you next week, investigators!

    🏁 New CTF Challenge Live – The Wi-Fi Password

    A new CTF challenge has been posted on our CTF website. This week’s CTF challenge focuses on finding the password of a weird Wi-Fi using only open source intelligence techniques.

    Start competing in our Capture the Flag (CTF)

    🪃 If you missed the last CTF, here’s a link to catch up.

Last week's CTF challenge was a GEOINT challenge titled "The Unknown Bridge". The solution:

• Looking at the UAV in the image, we could see its number, 166509.

• Searching Bing for "166509 flight" turned up a flight of this UAV at flightaware.com/live/flight/166509.

• Looking at the tracking, we could see that it was last seen near Patuxent River, MD, and we could recognise the same airport as in the image: Patuxent River (NHK).

• To the left of the airport we could see the same bridge as in the image, named Thomas Johnson.

• Searching Google for "Patuxent River Bridge" showed that the bridge's full name is the Governor Thomas Johnson Bridge.

    ✅ That’s it for the free version of The OSINT Newsletter. Consider upgrading to a paid subscription to support this publication and independent research.

    By upgrading to paid, you’ll get access to the following:

    👀 All paid posts in the archive. Go back and see what you’ve missed!

    🚀 If you don’t have a paid subscription already, don’t worry. There’s a 7-day free trial. If you like what you’re reading, upgrade your subscription. If you can’t, I totally understand. Be on the lookout for promotions throughout the year.

    🚨 The OSINT Newsletter offers a free premium subscription to all members of law enforcement. To upgrade your subscription, please reach out to LEA@osint.news from your official law enforcement email address.


