ClaudeWave
Skill · 2.3k repo stars · updated 1mo ago

offensive-osint-methodology

This Claude Code skill provides a structured framework for conducting open-source intelligence investigations, including target profiling, data collection workflows, timeline reconstruction, and reporting methodologies. Use it to guide systematic OSINT campaigns, teach intelligence gathering best practices, or track completion of reconnaissance tasks across multiple collection phases and sources.

Install in Claude Code

```shell
git clone --depth 1 https://github.com/SnailSploit/Claude-Red /tmp/offensive-osint-methodology && cp -r /tmp/offensive-osint-methodology/Skills/recon/offensive-osint-methodology ~/.claude/skills/offensive-osint-methodology
```

Then start a new Claude Code session; the skill loads automatically.

SKILL.md

# SKILL: OSINT Methodology

## Metadata
- **Skill Name**: osint-methodology
- **Folder**: offensive-osint-methodology
- **Source**: https://github.com/SnailSploit/offensive-checklist/blob/main/osint-method.md

## Description
Structured OSINT methodology framework: target definition, source selection, collection workflows, data correlation, timeline reconstruction, and reporting. Use to guide systematic OSINT campaigns or teach OSINT methodology.

## Trigger Phrases
Use this skill when the conversation involves any of:
`OSINT methodology, open source intelligence, target profiling, data correlation, OSINT workflow, intelligence collection, OSINT campaign, recon methodology`

## Instructions for Claude

When this skill is active:
1. Load and apply the full methodology below as your operational checklist
2. Follow steps in order unless the user specifies otherwise
3. For each technique, consider applicability to the current target/context
4. Track which checklist items have been completed
5. Suggest next steps based on findings

---

## Full Methodology

# OSINT Methodology

## OpSec

### Create a Sock Puppet

- Fake account that cannot be linked to you
- Build a plausible posting history (regular posts, interactions, etc.)
- Resources
  - [Effective Sock Puppets](https://medium.com/@unseeable06/creating-an-effective-sock-puppet-for-your-osint-investigation-95fdbb8b075a)
  - [Ultimate Guide to Sock Puppets](https://osintteam.blog/the-ultimate-guide-to-sockpuppets-in-osint-how-to-create-and-utilize-them-effectively-d088c2ed6e36)
  - [Fake Name Generator](https://www.fakenamegenerator.com/)
  - [This Person does not Exist](https://thispersondoesnotexist.com/)
- Use separate browser profiles or isolation tools (e.g., **Firefox Multi-Account Containers**) for any sock-puppet activity.
- Acquire disposable VoIP/SMS numbers (e.g., **Burner**, **Silent Link**) to satisfy platform verification without exposing real phone numbers.
- Audit every browser extension before installation; supply-chain attacks on popular add-ons have targeted investigators since 2024.
- Use dedicated browser profiles/containers per case and persona; avoid logging into personal accounts.
- Prefer hardware-backed passkeys for critical accounts; store recovery codes offline.
- Maintain a minimal chain-of-custody: timestamp actions, hash key artifacts, and record tool versions per case.

## Cryptocurrency Investigation

### Transaction Analysis

- Track transaction flows between wallets
- Identify clusters of related addresses
- Monitor large transfers and whale activity
- Use block explorers to trace fund movements
- Tools:
  - Cielo: Multi-chain wallet tracking (EVM, Bitcoin, Solana, Tron)
  - TRM: Create relationship graphs for addresses/transactions
  - Arkham: Multichain explorer with entity labels, graph creation, and alerts
  - MetaSleuth: Transaction visualization for retail users
  - Range: CCTP bridge explorer
  - Socketscan: EVM bridge explorer
  - Pulsy: Bridge explorer aggregator
  - Chainalysis: **Horizon 2.0** cross-chain tracing suite (paid)
  - Elliptic: **Lens** visual link explorer (launched Dec 2024)
  - Most compliance suites now provide **real-time bridge-risk scoring** dashboards (e.g., TRM, Chainalysis)

#### Layer 2 / Rollup Analysis

- **zkSync Era / Polygon zkEVM**: Zero-knowledge proofs hide transaction details on L2; only deposit/withdrawal bridge events visible on L1. Use [zkSync Era Block Explorer](https://explorer.zksync.io/) and [PolygonScan zkEVM](https://zkevm.polygonscan.com/).
- **Arbitrum / Optimism**: Transactions batched and compressed; L2 state reconstructed from L1 calldata. Use [Arbiscan](https://arbiscan.io/) and [Optimistic Etherscan](https://optimistic.etherscan.io/). Check [L2Beat](https://l2beat.com/) for risk framework and technology stack.
- **StarkNet**: Cairo VM with STARK proofs; different address derivation. Use [Voyager](https://voyager.online/) or [StarkScan](https://starkscan.co/).
- **Base / Blast / Scroll**: OP Stack or ZK-rollups; similar challenges to above.
- **Privacy protocols on L2**:
  - Aztec Network: Programmable privacy with noir circuits; limited block explorer visibility.
  - Railgun: Privacy system for DeFi on Ethereum/Polygon/BSC; shielded pools obscure sender/receiver/amount.
  - Privacy Pools: Proposed Tornado Cash successor with association sets; not yet deployed at scale.
- **Challenges**:
  - Bridge mixers (Hop Protocol, Across, Stargate) create synthetic liquidity pools that break direct tracing; funds enter/exit via pool swaps.
  - Cross-rollup transfers further obfuscate trails; they require tracking via bridge contracts and relayer infrastructure.
  - Many L2s lack mature analytics tools; explorers show transactions but relationship graphs are sparse.
- **Methodology**:
  - Start with L1 bridge events (deposits/withdrawals); these anchor L2 activity to known addresses.
  - Use L2-specific explorers to trace activity within the rollup.
  - For privacy protocols, focus on timing analysis, deposit/withdrawal clustering, and off-chain metadata (transaction memos, Tornado Cash-style notes).

#### Cautions (bridges and heuristics)

- Bridges/mixers/wrappers introduce mint/burn semantics; avoid assuming 1:1 flows without on-chain proofs.
- MEV/sandwich and aggregator paths can create false "direct" trails; validate with multiple datasets.
- Cross-label sanity: vendor labels can disagree; treat labels as hypotheses, not ground truth.
- **L2 finality**: Optimistic rollups have 7-day challenge periods; zkRollups finalize faster but proofs can be batched/delayed.
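As an added illustration of the methodology and cautions above (example code written for this page, not part of the SnailSploit skill): a minimal trace over constructed transfers that records each on-chain hop as proven, refuses to follow funds through an address that vendors agree is a bridge/mixer pool, and downgrades equal-amount pool exits and conflicting vendor labels to hypotheses. All addresses, transfers and vendor labels are constructed.

```python
from collections import defaultdict

# Constructed sample transfers (not real on-chain data): (tx_id, sender, receiver, amount)
TRANSFERS = [
    ("tx1", "0xA", "0xB", 10.0),
    ("tx2", "0xB", "0xC", 6.0),
    ("tx3", "0xB", "bridge:pool", 4.0),  # funds burned into a bridge pool
    ("tx4", "bridge:pool", "0xD", 4.0),  # equal-sized exit: a candidate, not proof
    ("tx5", "bridge:pool", "0xF", 4.0),  # a second equal-sized exit competes with tx4
    ("tx6", "0xC", "0xE", 6.0),
]
# Constructed vendor labels, treated as hypotheses because vendors can disagree.
LABELS = {
    "bridge:pool": {"vendorA": "bridge", "vendorB": "bridge"},
    "0xE": {"vendorA": "exchange", "vendorB": "mixer"},
}
POOL_KINDS = {"bridge", "mixer", "wrapper"}  # mint/burn semantics: no 1:1 flow


def label_status(addr):
    """Return ('agreed', kind), ('conflict', [kinds]) or ('unlabeled', None)."""
    kinds = sorted(set(LABELS.get(addr, {}).values()))
    if not kinds:
        return "unlabeled", None
    return ("agreed", kinds[0]) if len(kinds) == 1 else ("conflict", kinds)


def trace(start, transfers=TRANSFERS):
    """Depth-first trace from `start`: on-chain hops are 'proven'; pool exits and
    conflicting labels are recorded as 'hypotheses' and the pool is never followed."""
    out = defaultdict(list)
    for tx, src, dst, amt in transfers:
        out[src].append((tx, dst, amt))
    proven, hypotheses, seen, stack = [], [], set(), [start]
    while stack:
        addr = stack.pop()
        if addr in seen:
            continue
        seen.add(addr)
        for tx, dst, amt in out[addr]:
            status, kind = label_status(dst)
            proven.append((tx, addr, dst, amt))  # the transfer itself is on-chain
            if status == "agreed" and kind in POOL_KINDS:
                # Stop at the pool: list equal-amount exits as candidates only.
                for tx2, dst2, amt2 in out[dst]:
                    if amt2 == amt:
                        hypotheses.append((tx2, dst, dst2, amt2, f"{kind} exit, amount match only"))
                continue
            if status == "conflict":
                hypotheses.append((tx, addr, dst, amt, f"label conflict: {kind}"))
            stack.append(dst)
    return {"proven": proven, "hypotheses": hypotheses}
```

Running `trace("0xA")` yields four proven hops and three hypotheses: the two competing pool exits and the hop into the address whose vendor labels disagree.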

### Wallet Profiling

- Analyze wallet age and activity patterns
- Check for connections to known entities
- Monitor balance changes over time
- Identify associated exchange accounts

### Exchange Investigation

- Track deposits/withdrawals
- Monitor trading patterns
- Identify linked accounts
- Check for regulatory compliance

### NFT Investigation

- Track ownership history
- Monitor sales and transfers
- Analyze