How we identify anonymous internet users using open-source intelligence
By Yair Cohen, Solicitor specialising in internet law
If you are dealing with an anonymous account that is doing real damage to you or your business, the first question that has to be answered is not legal at all. It is factual. Who is the person behind the account? Almost every civil remedy worth having starts from there. This article explains the technique we use in our office to find out: open-source intelligence, or OSINT.
OSINT has changed identification work in a way that is easy to underrate if you have not seen it in operation. For a long time, the realistic route to a name was a court application against the platform, with the months and the fees that brought with it. We took a different view some years ago. We brought the open-source investigation in-house, with the same lawyers conducting the open-source pass on your matter and the substantive legal route alongside it, rather than the two sides being handed between separate firms. Working that way, a skilled OSINT investigation can often produce the same answer in days. The court route is still there when we need it, and we use it regularly. The order in which we deploy the two has reversed.
This article sits inside our wider work on how to unmask someone behind anonymous online posts. The court-route detail is on our notes on Norwich Pharmacal orders, getting disclosure from Facebook, how to get a disclosure request through to Google and disclosure orders in financial crimes. The service-level expectations are set out on our note on what to expect when you instruct a disclosure lawyer. This article is about the open-source layer that sits in front of, alongside and after each of those routes.
What open-source intelligence is, and how it differs from a Google search
Open-source intelligence is the structured gathering and analysis of information that is already public, to answer a specific question. In our work, that question is almost always: who is the real person behind this account? The "open" in open-source does not mean unregulated or do-as-you-please. It means the information used is accessible to anyone who knows where to look and how to read it. OSINT does not involve hacking, deception, paying for stolen data or any unlawful access to private accounts.
Our investigators are also lawyers. They are dual-qualified members of the team who conduct the open-source pass on your matter and the substantive legal route on it. That matters because the open-source pass is shaped by what the legal route is going to need next, and the legal route is informed by what the open-source pass is finding in real time. The two sides are run by the same people rather than handed between firms.
The easiest way to think about the difference between OSINT and a Google search is this. A Google search is a tourist standing in Baker Street looking around. OSINT is Sherlock Holmes standing in the same place. The information available to each is the same. What differs is what they notice, how they connect what they see, and what they can prove from it. A skilled OSINT investigator uses specialist tools and databases that the public does not generally use, follows a disciplined evidence-preservation routine, and ties findings together in a way that holds up if it is later put before a court.
Open-source is not the same as free. Many of the tools we rely on are paid services with strict access conditions, and some of the regulated databases we use are restricted to lawyers, licensed investigators and certain other professional users. The discipline matters as much as the tools. Every page captured is saved with a timestamp, a hash and a record of where it came from. That is how an open-source finding becomes an evidential one rather than a guess.
A worked example
The clearest worked example of the OSINT method we have on the site is the case of Sasha, whose four-year ordeal of impersonation across Instagram, TikTok and dating applications was covered by the BBC, ITV's This Morning and other broadcasters earlier in 2026. The investigation in her matter began with a single Linktree page operating under the impersonator's alias and ended with a Part 7 claim in the High Court against an identified individual.
The full account, including the ITV This Morning interview, the OSINT pass that produced the identification and the route to the civil claim, sits on its own page. See how we identified the person behind a four-year online impersonation and catfishing campaign against Sasha.
The techniques we use, in plain English
There are good reasons not to publish a step-by-step guide to identifying anonymous internet users. What we can say is that the information that becomes available through proper OSINT work falls into a few broad categories. Each by itself is suggestive rather than conclusive. The skill lies in combining them, weighing them carefully and building a picture strong enough to support legal action.
Usernames, profile photographs and account footprints. The same username, or a close variation, is often reused across platforms. An anonymous account on one site may be linked to a public account elsewhere, sometimes in the person's real name. Reverse image search occasionally unmasks a fake account whose profile photograph appeared years earlier on the real person's LinkedIn page.
Writing style and patterns of behaviour. People have linguistic fingerprints: particular phrases, particular punctuation habits, particular times of day to post. Two accounts that share enough of these patterns are a strong signal, especially when other evidence points the same way.
Public records, registers and connections. Companies House filings, court records, professional registers, the registration footprint of a domain name, the metadata on an image, the membership of a public Facebook group: each is an open-source datapoint. In commercial cases the combination of these often takes us straight to the person behind the conduct.
What we have access to that the general public does not
The structured part of the investigation, as opposed to the analytical part, rests on three things you do not get from a Google search and cannot get from any consumer product.
The first is licensed access to a layer of investigative databases and people-aggregator services that sit behind a regulated wall. These are the tools used by licensed private investigators and by banks for due-diligence purposes. The licences are not available to the general public. The information these databases hold, on linkages between individuals, current and historical addresses, registered business interests, directorships, mortgages, judgments and contact details, is often the data that converts a credible hypothesis about who the person is into a confirmed identification. Without that layer, much of what is needed simply cannot be reached.
The second is software that can search and analyse large volumes of data drawn from the dark web and from publicly disclosed breach databases. Where an anonymous account has been opened with an email address or a phone number that has appeared in any major data leak over the past decade, that account is far less anonymous than the person operating it believes. That kind of analysis is not done in a browser tab. It uses tooling that is built for the purpose, and both the cost and the access conditions keep it out of general circulation.
The third is the people. The members of our team who carry out this work are lawyers who have built specialist OSINT capability inside the firm, with academic qualifications in the disciplines this work draws on and experience built inside an internet-law practice rather than inside a general investigation firm. They have the legal training to know what evidence the substantive route is going to need from the open-source pass, the analytical background to interpret what the licensed tools return, the discipline to preserve the chain of evidence so it holds up if a witness statement is later built on it, and the experience of having done this work on enough matters to know which leads are worth chasing and which are dead ends. The licences and the software are useful only in the hands of someone trained to use them.
How OSINT sits alongside court orders
OSINT and court orders are not two routes that compete with each other. Open-source work is our first move on identification in the substantial majority of matters that reach us, and it sometimes resolves the question without any court order being needed at all. Where a court application is in flight, the OSINT pass continues alongside it, develops the supporting evidence and takes whatever the court order returns down to a real identifiable person. A court order without OSINT often returns a name on paper that nobody can actually act against. For the platform-route and court-route detail, see our note on how to unmask someone behind anonymous online posts.
OSINT is now usually the first move on identification, not the last resort. The court route is still there, and we use it. But the order in which the two are deployed has reversed, and that is the single most significant practical development in this area for our clients.
Why this often brings clients the result they want
The practical benefits of handling identification this way, from the client's point of view, come together in a small set of points that are worth setting out plainly.
The first is speed. An open-source identification that takes days is not just cheaper than a court application that takes months; it is faster than the underlying problem is. By the time a Norwich Pharmacal application against a major platform is granted, the offending account has often moved, the original posts have been deleted and parts of the trail have gone cold. The open-source pass moves at the speed the situation actually requires.
The second is the privacy of the process itself. A court application against the platform is, by default, a public event. The application sits on a court list. The platform's response is in writing. Where the matter is one the client would rather keep out of the public eye until they have decided what to do, the court route is the wrong starting point. The open-source pass leaves no public footprint at all. The client receives the identification, sees the picture in full, and then decides what to do with it from a position of having all the facts and none of the audience.
The third is that there is no risk of a failed application. A Norwich Pharmacal application that the court refuses, or that the platform successfully contests, leaves the client worse off than they were at the start: the fees have been paid, the substantive position is on the record, and the next move is harder. An open-source pass either produces the identification or does not. Where it does not, the court route remains available untouched, and the work done in the open-source phase usually sharpens the application that follows.
The fourth is integration with the rest of the response. The identification that comes out of the open-source pass is not handed across to a separate firm to be turned into legal action. The same people who built the picture from the open-source side draft the letter, the witness statement and (where needed) the application. The matter moves from identification into a substantive response without the friction and the loss of detail that come when two firms are working sequentially on the same client matter.
Why this often saves our clients money
The cost picture for a reader weighing up identification work is rarely just our fees against the cost of doing nothing. It is usually our fees against two other things, and the second of those is the one less often anticipated.
The first is the cost of a Norwich Pharmacal application against the platform, which used to be the only route to a name and which still carries court fees, counsel's fees and the platform's reasonable costs of compliance on top of solicitor fees. Where the open-source pass identifies the person without a court application being needed, the saving against the court-route option is significant on its own.
The second is the cost of going to an independent private investigator first and then bringing the investigator's report to a lawyer afterwards. Private investigators vary enormously in what they charge for this kind of work. We have seen quotes for investigator work on single matters that came to multiple tens of thousands of pounds, with no guarantee of a result and no built-in safeguard that the evidence produced will hold up in court when it eventually needs to. The split-firm route also slows the matter down, because the investigator and the lawyer are working sequentially rather than in parallel, and a chunk of the cost goes into translating the investigator's report into a form a court will accept.
Because we carry out the open-source investigation in-house, the investigation proceeds at our rates rather than at the rates an unconnected investigator would charge for the same conclusion. Clients commonly access the relevant information through us at a fraction of what they would have paid a stand-alone investigator. The investigation is also framed from the start around what the legal route is going to need next, so the evidence comes out in a form that can be used. For the cluster-level cost framing, see our note on what to expect when you instruct a disclosure lawyer.
Why we built this capability rather than outsourcing it
The decision to bring OSINT into the firm rather than relying on external investigators was taken over time, and for a small set of reasons that are worth setting out.
The volume of disclosure applications we are instructed on
We are instructed on a significant number of identification matters across the major platforms each year, including a steady volume of cross-border applications that combine an English Norwich Pharmacal route with a US follow-on. An in-house OSINT capability across that volume is cost-effective in a way that going to external investigators on every matter is not, and it allows us to build a body of knowledge about what works on which platform that an externally-retained investigator, instructed matter-by-matter, cannot reasonably accumulate.
The international dimension of our practice
The disclosure work we carry out regularly crosses jurisdictions. The English Norwich Pharmacal route reaches into US-headquartered platforms through 28 U.S.C. § 1782(a) and direct US subpoenas. Recent court decisions on cross-border disclosure have made the technical structure of these applications more demanding, and have made the supporting evidence the application rests on more important. An in-house OSINT capability allows us to build the evidence base for the combined English and US route from the start, rather than constructing it backwards from a stand-alone investigator's deliverable.
The natural progression of being a specialist internet-law firm
As the legal architecture around identification has matured, the technical capability the route relies on has grown alongside it. The conventional outsource-and-coordinate model works less well as the underlying matters become more complex and more time-sensitive. Investing in the capability internally is the move that flows from the specialism, rather than a departure from it.
The result we want for our clients
The combination of speed, privacy, no failed-application risk, integration with the substantive route and a more predictable cost picture is what brings real outcomes with minimal exposure on the litigation side and on the cost side. The whole shape of the offering is built around that.
Lawyers' thoughts on OSINT and identification work
The rise of skilled OSINT investigation has been the most significant practical change in this area for our clients over the past few years. The reason is partly that the internet now carries far more usable open-source signal than it did even five years ago, and partly that the analytical tools have become powerful enough to find structure inside that signal at a speed that was not realistic before. Where a court order used to be the only realistic route to a name, it is now the second move where one is needed at all. Most law firms still treat identification as a procedural problem the court solves. We treat it as an investigative problem the court sometimes helps with, and we have set ourselves up to handle it that way.
Two developments are reshaping how identification works as we write this. The first is the spread of AI-generated and AI-edited imagery, which means an impersonator is no longer limited to photographs the victim has actually put online. New, realistic-looking content can be produced long after the victim has made their own accounts private. The second is the rise of multi-platform impersonation, where a single perpetrator operates accounts across Instagram, TikTok, Snapchat, dating applications and other services at the same time. Taking down one account no longer solves the problem. The remaining accounts stay live, and new ones can be created quickly. OSINT is how we keep up with both.
For anyone reading this in the middle of an attack from an anonymous account, the practical message is short. Stop trying to identify the person yourself, preserve what you can see, and get specialist advice early. The earlier the investigation begins, the more digital traces are still available to find, the more the cost picture sits in our favour rather than against it, and the cheaper and faster the outcome is likely to be.
Frequently asked questions
Is OSINT legal?
Yes. OSINT relies on information that is already publicly available or that is accessible through regulated databases under proper professional access. It does not involve hacking, deception or unlawful access to private accounts. The OSINT pass is governed by data-protection rules and by professional conduct requirements on lawyers and licensed investigators.
How quickly can OSINT identify an anonymous person?
It varies. In many matters we have a credible identification within days. In others the trail takes longer because the person has taken steps to obscure their identity at the point each account was opened. The honest position is that some matters resolve in days, others take longer, and a small number cannot be resolved by OSINT alone and need a court order.
What information does OSINT typically produce?
It depends on the matter. A typical OSINT pass will tie an anonymous account to other accounts the same person operates, narrow the candidate pool to a small group or a single individual, surface the real name where the person has been less careful at some point in their online history, and produce supporting evidence of the wider pattern of conduct that the substantive claim is going to rely on.
How does OSINT sit alongside a Norwich Pharmacal order?
OSINT often replaces the need for a Norwich Pharmacal order entirely. Where it does not, it narrows what the court application has to ask for, strengthens the evidence base the application rests on, and tracks the disclosed data down to a real person once the order returns. For the court-route detail see our note on Norwich Pharmacal orders.
Can OSINT identify someone who used a VPN and a burner email?
Sometimes. A truly disciplined operator who uses a VPN, a burner email, a fresh device and never reuses a username or a photograph is hard to identify through OSINT alone. In practice few people maintain that discipline for long. The investigation looks for the moment the operator slipped, because almost everyone slips at some point. Where they did not, the court route is the fallback.
Will the person know we are looking for them?
Properly conducted OSINT work is not visible to the person being investigated. We do not contact them, we do not engage with their accounts, and we do not leave traces in places they would see. They only learn that an investigation has happened when the matter moves to letter-before-action or to a court application, and by that stage we are doing so deliberately.
Is OSINT admissible in court?
Yes, provided the OSINT pass has been done to evidential standards. Each page captured is preserved with a timestamp, a hash and a record of where it came from. The chain of inferences from raw material to identified person is documented so that another person reviewing the file can follow the logic. Done properly, an OSINT report is the evidence base on which a witness statement is built.
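The preservation record described above (a timestamp, a hash and a record of where each captured page came from) can be sketched as follows. This is an added example, not the firm's own tooling: the function names, the manifest layout and the linking of each entry to the previous one (so a later edit to the log is detectable) are assumptions, and the pages are constructed sample data.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash used by the first manifest entry


def entry_digest(entry):
    """SHA-256 over the canonical JSON of an entry, excluding its own hash."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def record_capture(manifest, source_url, content, captured_at=None):
    """Append a record: where the page came from, when, and its SHA-256."""
    captured_at = captured_at or datetime.now(timezone.utc)
    entry = {
        "seq": len(manifest),
        "source_url": source_url,
        "captured_at": captured_at.astimezone(timezone.utc).isoformat(),
        "sha256": hashlib.sha256(content).hexdigest(),
        "size": len(content),
        # Linking to the previous entry is an assumption added here, so that
        # rewriting an old record breaks every record after it.
        "prev_hash": manifest[-1]["entry_hash"] if manifest else GENESIS,
    }
    entry["entry_hash"] = entry_digest(entry)
    manifest.append(entry)
    return entry


def verify(manifest, stored):
    """Return a list of problems; an empty list means files and log agree.
    `stored` maps seq -> the bytes currently held for that capture."""
    problems, prev = [], GENESIS
    for i, entry in enumerate(manifest):
        if entry["seq"] != i or entry["prev_hash"] != prev:
            problems.append(f"entry {i}: chain broken")
        if entry_digest(entry) != entry["entry_hash"]:
            problems.append(f"entry {i}: manifest record altered")
        data = stored.get(entry["seq"])
        if data is None:
            problems.append(f"entry {i}: captured file missing")
        elif hashlib.sha256(data).hexdigest() != entry["sha256"]:
            problems.append(f"entry {i}: captured file does not match recorded hash")
        prev = entry["entry_hash"]
    return problems


def demo():
    """Constructed sample: two captures, then one stored file is edited."""
    manifest, stored = [], {}
    pages = [("https://example.com/profile", b"<html>constructed page one</html>"),
             ("https://example.com/post/1", b"<html>constructed page two</html>")]
    for url, body in pages:
        stored[record_capture(manifest, url, body)["seq"]] = body
    clean = verify(manifest, stored)
    stored[1] = b"<html>edited later</html>"
    return clean, verify(manifest, stored)


if __name__ == "__main__":
    print(demo())
```

A reviewer re-running `verify` against the preserved files gets the same answer without trusting whoever made the capture, which is the property the witness statement relies on.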
What if the OSINT work does not produce a name?
Then the court route is the next step. The work done in the OSINT phase usually shortens and sharpens the court application, because we know which platform or institution is most likely to hold the missing piece. We are honest with you on the initial call about whether OSINT alone is likely to produce the name, or whether the matter is one where the court route is probably going to be needed.