How we used open-source intelligence to identify the people behind a hostile online campaign against a theatre

By Yair Cohen, Solicitor specialising in internet law

Someone is attacking your business online. They are posting in a private group, appearing under unfamiliar names, commenting on your public pages and discouraging potential customers from dealing with you. Some of the accounts look real. Others look fake. You know the damage is happening, but you do not know who is responsible.

This case study is about how we acted for a theatre client in exactly that position. What had begun as complaints about one of its productions developed into a sustained hostile campaign on Facebook, which then started to bleed across to public pages promoting a forthcoming production. The immediate legal question was not whether any individual post was defamatory or harassing. It was more basic. Who were the people behind the accounts? Until that question was answered, no targeted legal response was possible at all.

What follows is how open-source intelligence (OSINT) helped us identify the key individuals, focus the legal response and avoid treating every negative commenter as if they were the same. For the wider toolkit, see our notes on how to unmask someone behind anonymous online posts and on how we identify anonymous internet users using open-source intelligence.

What happened to our client

To protect the privacy of our client, the identifying details in this account have been changed.

Our client is a theatre that produces a regular programme of public-facing productions. Like any organisation that puts its work in front of an audience, it expects criticism, and it is perfectly used to receiving it. A person who attends an event is entitled to say they did not enjoy it. A negative review is not, by itself, unlawful, and nothing about this case is about silencing legitimate complaint.

The matter we were asked to look at was different. After one particular production, what had started as ordinary online discussion shifted into something more sustained. A private Facebook group, which had grown out of audience reaction to that production, became a central hub for repeated hostile posts about the theatre, its productions and the individuals behind it. Some posts appeared to make serious false allegations. Others encouraged further hostile engagement from members of the group.

The problem then escalated. The hostile activity began to spill out of the private group and onto public pages promoting a forthcoming production. People were responding to promotional posts, warning others not to buy tickets and directing them back to the Facebook group. That spillover changed the matter from a reputational concern into a commercial one. If potential customers were being actively discouraged from buying tickets for a production they had not yet seen, the harm was no longer just to reputation. It was also to the next production's box office.

Why identification was the question that had to be answered first

Before any properly framed legal action can be effective, you need to know who is actually responsible. An account name is rarely enough. A person may use a nickname, a partial name, a false profile or an alias. Our client had suspicions about a small number of individuals, but suspicion is not enough for legal correspondence and is well short of what a court would expect to see.

The picture our client gave us was mixed. Some of the people involved appeared to be using what looked like real names. Others were harder to trace, or had clearly chosen aliases. There was also a reference to an alias the client believed was connected with AI-generated or AI-edited material being posted in the group. The first task was therefore not to take legal action, but to separate the reliable identifications from the weaker leads, so that whatever we did next could be directed at the right people.

This is the point at which OSINT became essential. The court route on its own is not a realistic answer to a mixed-anonymous, mixed-named group of accounts, because a single Norwich Pharmacal application across a long list of names is hard to frame and expensive to bring. A properly conducted open-source investigation tells you which names need court-ordered disclosure to confirm them, which can be acted on without it, and which need to be left out altogether for lack of evidence.

How the OSINT investigation worked

Open-source intelligence is the structured gathering and analysis of information from lawful, publicly available or legitimately accessible sources. It does not involve hacking. It does not involve breaking into accounts. It does not involve impersonation or deception. The "open" in open-source means the information is available to anyone who knows where to look and how to read it.

The investigation focused on a list of seven social media accounts the client had identified as the principal offenders. The starting material was what the client already had in their own records: profile links, account names, screenshots, posts and comments, complaint correspondence and notes on which online identities the client believed were connected to which real people.

For each account, the question we asked was the same. Could the online identity be linked to a real and traceable individual strongly enough to support legal correspondence in that person's own name? Our in-house OSINT investigator, working alongside the solicitor on the file, tested that question across a number of dimensions, including whether the profile name matched a real and locatable person, whether contact details could be located through regulated investigative databases, whether enough public information existed to support identification, whether different online material pointed to the same person, and whether writing style or post content matched material the client had received elsewhere.

Equally important, the investigation tested the limits. Where an account remained too private or too thinly populated to identify with confidence, we said so. Good OSINT work is not about forcing every lead into a conclusion. It is about saying, clearly, which identifications are strong, which are likely, and which are not yet good enough to act on.

What the investigation found

The investigation produced different levels of confidence for different accounts, and that was the point. We did not need every account to come back with the same answer. We needed each one to come back with an honest answer.

Several accounts were linked confidently to real people. In those cases, the investigator was able to connect the profile to enough identifying material to support targeted legal correspondence in the person's own name and at the address we had on file for them.

Other accounts required a more cautious analysis. One account did not use the suspected person's real name, but the written content of the posts and other complaint material received separately by the client appeared to match. That did not create the same certainty as a direct account-to-person match, but it was still a useful lead that informed the wider picture.

Another alias was more difficult. The investigation located email addresses associated with the account but did not produce enough material to identify a real name or address. That was an important finding, because it stopped the client acting on an unsupported assumption. A further account was difficult because of strict privacy settings and a lack of public posts. The investigation pointed at a possible person behind it by comparing what the account had said with complaint material received separately, but the conclusion was treated with care and the account was not on the list we acted against in the first round.

The report also preserved its supporting material to evidential standards. Each captured search result page carried a timestamp, a record of its source and a digital hash. A hash, in plain terms, is a unique digital fingerprint of a captured item that lets us show later that the material being relied on has not been quietly altered after the event. In online cases, posts are often deleted, accounts are renamed and groups are made private. A legal strategy is only as strong as the evidence behind it, and that evidence-preservation routine is what allows OSINT findings to support a witness statement if the matter ever has to be put before a court.
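The evidence-preservation routine described above can be sketched in code. This is an added example, not the firm's own tooling: SHA-256, the field names and the sample captures are assumptions, and it goes slightly beyond the text by chaining entries together so that a removed or reordered capture is detectable as well as an altered one.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash used by the first entry in a log


def _entry_hash(entry):
    """SHA-256 over the entry's fields as canonical JSON, excluding entry_hash itself."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    blob = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()


def append_capture(log, content, source, captured_at=None):
    """Record one captured item: content hash, source, UTC timestamp, link to prior entry."""
    entry = {
        "seq": len(log),
        "source": source,
        "captured_at": captured_at or datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "size": len(content),
        "content_sha256": hashlib.sha256(content).hexdigest(),
        "prev_hash": log[-1]["entry_hash"] if log else GENESIS,
    }
    entry["entry_hash"] = _entry_hash(entry)
    log.append(entry)
    return entry


def verify_log(log, contents):
    """Return a list of problems (empty if intact). contents maps seq -> current file bytes."""
    problems, prev = [], GENESIS
    for i, entry in enumerate(log):
        if entry["seq"] != i or entry["prev_hash"] != prev:
            problems.append(f"entry {i}: chain broken (entry removed, reordered or inserted)")
        if not hmac.compare_digest(_entry_hash(entry), entry["entry_hash"]):
            problems.append(f"entry {i}: metadata altered")
        data = contents.get(entry["seq"])
        if data is None:
            problems.append(f"entry {i}: captured file missing")
        elif not hmac.compare_digest(hashlib.sha256(data).hexdigest(), entry["content_sha256"]):
            problems.append(f"entry {i}: content altered")
        prev = entry["entry_hash"]
    return problems


# Constructed sample captures (placeholders, not material from the case).
SAMPLE = [
    (b"<html>search results page A</html>", "https://example.com/search?q=a", "2024-01-05T10:00:00+00:00"),
    (b"<html>profile page B</html>", "https://example.com/profile/b", "2024-01-05T10:04:00+00:00"),
]


def build_sample_log():
    log = []
    for content, source, ts in SAMPLE:
        append_capture(log, content, source, ts)
    return log


if __name__ == "__main__":
    log = build_sample_log()
    files = {i: c for i, (c, _, _) in enumerate(SAMPLE)}
    print("intact:", verify_log(log, files))
    files[1] = b"<html>profile page C</html>"  # simulate a later edit to a capture
    print("after edit:", verify_log(log, files))
```

The chain only proves integrity if the last `entry_hash` is also recorded somewhere the log's keeper cannot rewrite, such as the exhibit list of a witness statement or an independent timestamping service.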

Why targeted letters were better than a blanket threat

In a hostile online group, it can be tempting to write to everyone. That is rarely the best first move. A group of that kind will usually contain people with very different levels of involvement. Some will have posted lawful criticism. Some will only have reacted to other people's posts. Others will have repeatedly targeted the client, discouraged customers or published more serious false allegations.

A blanket threat looks heavy-handed, and it can also be screenshotted, shared inside the group and used to inflame the dispute. The better approach is targeted. Identify the people whose conduct appears to cross the legal line. Preserve the evidence. Write to them clearly, individually and proportionately.

The OSINT report allowed us to do that. The accounts the report had identified confidently went into the first round. The accounts with weaker links were held back pending further evidence. The accounts that could not be identified at all were left alone unless and until material arrived that changed the picture. The result was a legal response that was both stronger (because each letter went to a person we were sure of) and narrower (because we were not writing to people whose conduct, on the evidence, did not warrant it).

Good OSINT work is not about forcing every lead into a conclusion. It is about saying clearly which identifications are strong, which are likely, and which are not yet good enough. The legal response is then targeted at the people the evidence supports.

The cease and desist letters and the outcome

Once the identified individuals were in front of us as a list, the first formal step was a cease and desist letter to each. A cease and desist letter is a formal written warning that requires the recipient to stop a particular course of conduct, and that explains the legal consequences if it continues. It is often used before a full letter of claim and well before any court application.

The letters were carefully drafted. They were not designed to prevent genuine reviews or honest criticism, and they did not try to. They focused on specific conduct that appeared to go beyond ordinary criticism, including false or misleading statements, repeated attempts to deter customers from a future production, abusive conduct and publication of private or identifying information about people connected with the theatre.

The recipients received their letters individually. None of the letters was published or made public. Each was personal correspondence, sent to the person at the address we had identified, in the person's own name.

Following receipt of the cease and desist letters, every recipient removed the relevant content. The hostile activity on the public-facing pages around the forthcoming production stopped. The client did not need to issue any court proceedings, and no further escalation was required.

What this case shows about OSINT in defamation and harassment matters

Three points from this case are worth taking away for anyone in a similar position.

The first is that identification is the lever. Many of the people who came to us in this matter felt the situation had been intractable for months precisely because they had no way of putting a name to the conduct. Once names and addresses are on the table, a proportionate legal response becomes available, and the response that follows is often quieter and more effective than anything that goes on public record.

The second is that OSINT can frequently do this without court applications. In this case, a Norwich Pharmacal application against Facebook would have been a slow, expensive and uncertain route to a small group of identifications, none of which would have been guaranteed to come back with usable data. The open-source pass produced names that supported targeted action without the platform having to be approached at all. The court route remained available as a fallback, but it was not needed.

The third is that honest scoping protects the client. Not every account that posts something hostile is worth pursuing, and not every account that the client suspects can in fact be identified. A report that gives the client a clear "no" on some leads is doing its job. It saves the client from writing to people the evidence does not support, and it saves them from the secondary reputational risk of overreach.

Lawyers' thoughts on Facebook pile-ons

Theatres, arts venues and other public-facing businesses tend to attract more of this kind of matter than other types of business, in our experience, because the productions themselves invite strong reactions and the people who attend them are already inclined to discuss them online. Most of those discussions are entirely fine, and many are not even critical. The problem starts when a single Facebook group becomes the gathering point for the small number of voices that move from criticism into something more sustained, and then becomes the place from which they coordinate. That dynamic is a particular feature of Facebook, more than of any other major platform. Private groups make it easy. The same people see each other's posts every day, the posts build on each other, the tone hardens, and what started as one frustrated audience member's complaint becomes a months-long campaign against the business behind the productions.

The phenomenon has a name. It is usually called a pile-on, or sometimes "dogpiling": multiple individuals collectively targeting one person or one business, generally on social media, with negative comments, personal attacks and, in worse cases, the publication of private information about the target. The combination of perceived anonymity, the echo-chamber structure of a private group, and the speed at which content spreads inside a tight network is what gives a pile-on its weight. A single hostile comment from a single person is rarely a problem the law treats as serious. The same comment, repeated in coordinated form by twenty people in the same private group, addressed to the same target, with the same factual claims, becomes a different kind of problem entirely. Our colleagues on our sister site have written more widely about what pile-on harassment and doxing look like in law, and the Law Commission has signalled that pile-on harassment may move toward being a specific criminal offence in the United Kingdom.

For a theatre, an arts venue or any business in this position, the practical message is that the early move matters more than the later one. A pile-on tends to organise itself in the first few weeks. The same people gather, the same talking points are agreed, and the group's centre of gravity settles. Acting at that stage, when the picture is still forming and the participants are still individually identifiable through their own posts, is significantly easier than acting after the pile-on has stabilised and its core members have got used to the protection they think the group gives them. The open-source pass narrows the field quickly. The cease and desist letters that follow address the small number of people whose conduct has crossed the legal line and leave alone the larger number whose criticism, however sharp, is lawful. The pile-on rarely survives that intervention intact, because what holds it together is the perception of safety in numbers and in anonymity, and a letter arriving in the recipient's own name at the recipient's own address removes both at the same time.

The last thing worth saying is that, in our experience, the people behind theatres and arts businesses in this position often hesitate to involve a specialist firm because they do not want to be seen as the business that sued its own audience. That instinct is understandable, and the whole shape of the response we deliver is built around it. The cease and desist letters go privately, in the recipients' own names, to the recipients' own addresses. They are not public, they are not published anywhere, and they do not appear in any court list unless and until a recipient chooses to ignore them and force the matter further. In the substantial majority of these matters, no part of the response is ever public. The result is that the dispute ends quietly, the next production goes ahead, and the business's relationship with the much larger audience that had nothing to do with the pile-on stays exactly as it was.

Frequently asked questions

What does OSINT cost in a case like this?

Across our disclosure cluster, a structured OSINT identification pass starts from £2,500. The figure varies with the number of accounts being investigated and the complexity of the trail. A precise quote follows the initial assessment, and we are honest about what is realistic before any work is committed.

Is OSINT legal?

Yes. OSINT relies on information that is already publicly available or that is accessible through regulated databases under proper professional access. It does not involve hacking, deception or unlawful access to private accounts. The work is governed by data-protection rules and by professional conduct requirements on lawyers and licensed investigators.

Why a cease and desist letter rather than a court application?

Where the identified person has a real address and a real reputation of their own, a properly drafted letter is often the most effective single step. People who feel invulnerable behind an alias often behave very differently when a letter arrives in their own name. Court proceedings remain available where the letter does not produce the right response, but the letter is usually tried first.

What if someone in the group has only posted lawful criticism?

Then no letter goes to them. The whole point of conducting the OSINT pass and scoping the response carefully is to separate lawful criticism, which the client accepts as part of putting work in front of the public, from conduct that crosses the legal line. A targeted response protects the client and respects the legitimate views of those whose comments did not cross that line.

What if the people behind the group cannot be identified at all?

Some cannot. In that case, the court route is the fallback. A Norwich Pharmacal order against the platform, or against another third party that holds the relevant data, becomes the next step. The OSINT work usually shortens and sharpens the application, because the open-source pass has already narrowed the candidate field.

Does Facebook tell the user that an OSINT investigation has happened?

No. A properly conducted OSINT investigation is not visible to the user being investigated. We do not contact them, we do not engage with their accounts, and we do not leave traces in places they would see. They only learn that an investigation has happened when the cease and desist letter arrives in their name, which is when we want them to know.

What if the conduct continues after the cease and desist letter?

The next step depends on the conduct. A defamation claim under the Defamation Act 2013, a harassment claim under the Protection from Harassment Act 1997, or a privacy claim where photographs or private information are being used without consent, are all available. The advantage of starting with the cease and desist letter is that, where the person ignores it and the matter has to go further, the letter is part of the file the court sees, and the court takes a poor view of someone who has been warned in detail and chosen to carry on.

Could a court order against Facebook have identified everyone in the group?

A Norwich Pharmacal application against Facebook can produce account-holder data on identified accounts, but the data Facebook holds is not always enough to put a name on every account. Some accounts are opened with throwaway emails, some with non-UK mobile numbers, and the data the platform discloses may then need further work to convert into a usable identification. That is why OSINT and court orders work better together than either does alone. For the platform-specific detail, see our note on getting disclosure from Facebook.
