👋 Welcome to the 107th issue of The OSINT Newsletter. This issue contains OSINT news, community posts, tactics, techniques, and tools to help you become a better investigator. Here’s an overview of what’s in this issue:
-
What intelligence comes from a phone number
-
Where to check first (without overcomplicating it)
-
A clean workflow for investigations
-
…and why it’s not worth changing your name to Spiderman.
🪃 If you missed the last newsletter, here’s a link to catch up.
⚡ Creating Claude Skills for Open Source Intelligence
🎙️ If you prefer to listen, here’s a link to the podcast instead.
Let’s get started. ⬇️
Phone numbers sit in a strange place in OSINT. They’re near-ubiquitous and tied to everything, but as a result very easy to overlook. Unlike usernames (which can change) or email addresses (easy to create), numbers tend to stick. They follow people across platforms, accounts, years of activity, and even States. Surprisingly few people want the hassle of learning a new number, even when they get a new phone.
You might create a new Gmail, and change your username (or legal name) to Baron Venom Balrog Sabretooth Vader Megatron Vegeta Robotnik Magneto Bison Sephiroth Lex Luthor Skeletor Joker Grind, but your phone number is mostly static. This persistence makes phone numbers one of the most reliable anchors you can work with for OSINT.
Sometimes OSINT is just a number. This issue will teach you:
-
What intelligence comes from a phone number
-
Where to check first (without overcomplicating it)
-
A clean workflow for investigations
-
…and why it’s not worth changing your name to Spiderman.
Calling Baron Grind…
The infrastructure of phone numbers is key to what you can get out of them through OSINT. Every number is tied to a telecom system, to a region, and only then to a web of online accounts. That means even before you get into deeper online OSINT, there are three immediate layers of value:
Country codes (+1, +44, +91, etc.) are GeoINT in themselves. These one or two nifty numbers instantly place a phone’s owner at a national level. If you can find out carrier data, you can narrow a rough operating region even further. At the very least, you can find out if your target’s in the US or Uzbekistan.
Many platforms use phone numbers as their backbone identifier. If a number is registered on apps like WhatsApp or Telegram, you may be able to view profile photos, usernames, or activity signals just by knowing the right digits.
Even before the real OSINT starts, people litter the world with identity fragments – by reusing their static phone number. Old listings, forgotten profiles, or scraped datasets can quietly connect multiple pieces together.
You don’t need a complex stack to begin phone OSINT. That’s what makes phone numbers such a universally popular data point. In fact, the most effective tools and methods are often at your fingertips.
Sync.ME, NumLookup, and That’s Them scan public records and user-contributed data, drawing on that to see if a number’s been identified before. Results can be inconsistent, so treat them as leads not gospel. If multiple sources align, then they’re worth your attention.
Here’s an old OSINT trick. Save the number as a contact, then check WhatsApp, Telegram, or Signal. Adding a contact will reveal a profile photo and status – Telegram will even expose a username.
Truecaller, Hiya, and CallApp use crowdsourced data, so again, cross-reference. Patterns across multiple platforms mean something.
If you know nothing about the carrier, services like Numverify, Twilio Lookup, or other free HLR lookup tools can help identify the telecom provider and line type (mobile, VoIP, or landline). Cross-check as always.
Investigating a number… That’s easy, right? Think you can improvise? Don’t. A structured approach will always get better results.
Give this workflow a try:
1. Standardize the Format
Always convert to international format. Tools and platforms require international format numbers and inconsistencies will cost you results. What’s more, country codes aren’t data you want to ignore.
2. Location, Location, Location
Use that country code. Combine with any carrier info to ground your investigation geographically; when you’re stratifying your findings later, you’ll be glad you did.
3. Check for Live Accounts
Run the number through message platforms. You’re looking for anything visible on Telegram or WhatsApp: images, usernames, timestamps etc.
4. Look for Repetition
Search the number directly. Then try variations, like with or without spaces. Reuse is what you’re hunting for.
5. Pivot and Expand
Got a hit? Pivot outward. Search that identifier (a username, profile, email or listing). Start building out the wider account network.
…And just like that, you’re doing phone number OSINT.
You might be wondering which leads are strong enough to take that fifth step. The real value comes from the following data points:
→ Usernames
If you see the same username twice, that’s your bridge into wider platform analysis; especially if the username is conspicuously unusual or unique. There’s unlikely to be two people choosing Baron_V_B_S_V_M_V_R_M_B… (You get the picture).
→ Social Accounts
If a number was required to sign up, some platforms expose profiles directly. Others reveal connections indirectly. Either way, a linked social account is OSINT gold.
→ Breach Data
If the number appears in leaked datasets or on HaveIBeenPwned, it can link to emails, credentials, and historic activity. As always, be careful working with data that comes from an inherently sketchy source.
OSINT investigators chasing fraud, spam networks, or illicit activity face up to a unique challenge. Phone number stability is usually the USP here. What if the number you’re looking for is temporary by design?
Burner phone numbers get spun up quickly, used briefly, and abandoned just as fast. The aim is to get a phone number, get what you need from it, and THROW IT ON THE GROUND. The point of virtual numbers, VoIP services, and burner SIMs is to create numbers and accounts without tying them to a long-term, real identity – the very thing that makes phone number OSINT so easy.
So, change of tactics. Look for patterns of behaviour, not long-term reuse. VoIP numbers, for example, might cluster around specific services or regions, or repeatedly appear attached to similar types of accounts or listings. That would signal the same person, exhibiting the same behavior over and over again.
Gaps are a biggie too: no reverse lookup data, no caller ID history, and limited presence across platforms are absences that constitute a signal in themselves.
If a number looks “empty”, don’t assume it’s useless. It may just be designed that way.
Phone number OSINT works because numbers are mostly static and stable things. You can change your email, your socials, or even your name, but most people are lazy with their phones. And unlike physical addresses or Social Security numbers, people hand out their phone numbers like candy.
You should know:
-
One number won’t tell you everything, but it might tell you where to look next
-
Use simple methods before complex ones
-
Follow number reuse and patterns
-
Build outward: number → account → network
…and when you change your name to Emperor Spiderman Gandalf Wolverine Skywalker Optimus Prime Goku Sonic Xavier Ryu Cloud Superman HeMan Batman Thrash in witness protection, maybe change your number.
Until next time, investigators!
🏁 New CTF Challenge Live – Last Order
A new CTF challenge has been posted on our CTF website. This week’s challenge involves analyzing surveillance footage from a blurred traffic camera frame to identify a suspect’s location. Investigators believe the suspect entered a highly rated restaurant, ordered its most expensive signature pasta dish, and left in a hurry. Your task is to determine the restaurant, its exact address, and the specific pasta dish ordered.
Start competing in our Capture the Flag (CTF)
🪃 If you missed the last CTF, here’s a link to catch up.
Last week’s CTF challenge featured a challenge titled “The Dark Web Hacker” where participants were tasked with finding a hacker’s specific email address linked to a specific hacking forum.
Challenge Solution WU :
Knowing that the username had been reused across multiple forums and appeared in several data breaches, we searched for the username “sarkstic” on breach.vip. This led us to a World of Warcraft forum account on OwnedCore, along with the email address associated with it: dreadfuleyes@yahoo.com
✅ That’s it for the free version of The OSINT Newsletter. Consider upgrading to a paid subscription to support this publication and independent research.
By upgrading to paid, you’ll get access to the following:
👀 All paid posts in the archive. Go back and see what you’ve missed!
🚀 If you don’t have a paid subscription already, don’t worry. There’s a 7-day free trial. If you like what you’re reading, upgrade your subscription. If you can’t, I totally understand. Be on the lookout for promotions throughout the year.
🚨 The OSINT Newsletter offers a free premium subscription to all members of law enforcement. To upgrade your subscription, please reach out to LEA@osint.news from your official law enforcement email address.
