Project Osint Tuesday 9 June
Weekly OSINT, cyber investigations, and practical workflows for analysts, journalists, and curious researchers.
🔥 Tool of the week
What an NFT scam investigation can actually prove
A practical OSINT workflow for preserving evidence, tracing funds and avoiding premature attribution in NFT scam cases.
A victim sends you three screenshots, a dead project website and a long Ethereum address that starts with 0x.
They say they lost money in an NFT collection.
The Discord server is gone. The social accounts have disappeared. The project page no longer loads. The only thing that still exists is the blockchain trace.
That is enough to start.
But it is not enough to conclude.
The common mistake is treating “crypto” as the investigation. In practice, many NFT scam cases are closer to a standard OSINT evidence-chain problem.
The web layer may disappear.
The blockchain layer remains.
The social layer fragments.
The legal layer decides what can become formal identification.
The investigator’s job is to keep those layers separate long enough to understand what each one can prove.
A contract address may help identify the creator wallet or the wallet receiving payments. A transaction path may show where funds moved. Archived pages may show what the project publicly promised. Public abuse reports may reveal whether the same wallet, domain or username appears in other complaints.
None of those layers should be collapsed into a personal accusation too early.
On-chain attribution is not personal attribution. A wallet trail is not intent. A username match is not legal identity. A public report is a lead, not proof.
That is the part of NFT investigations that often matters most: not whether you can follow a wallet, but whether you can document what the wallet trail actually supports.
I put the full workflow together here:
https://projectosint.substack.com/p/how-to-investigate-an-nft-scam-without
The decisive step is not technical. It is methodological: preserve what existed, separate what each trace can prove, and mark what remains unknown.
🧭 THE CASE
Uncovering Extremist Links Through Public Social Media
This week’s OSINT case comes from Bellingcat and Colombian outlet Cerosetenta, who investigated alleged links between Colombian political candidate and businessman Jorge Rodriguez and members of Active Club Bogota, a local branch of the international far-right Active Club movement. The investigation was published on May 11, 2026.
The case began with a public Instagram video posted on February 26, 2026, showing several men painting over graffiti in the Restrepo neighborhood of Bogotá. According to Bellingcat, one of the slogans painted over read “Creole Nazis will not pass,” while the replacement imagery included Rodriguez’s political branding.
What makes this case useful for OSINT practitioners is the methodology. Investigators analyzed publicly available social media posts, archived content, visible tattoos, online interactions, Telegram material, public political records, and location-based clues. They compared visual identifiers from the Instagram video with previously published material linked to Active Club Bogota, while also documenting the group’s public online activity and events.
The investigation also highlights an important ethical and legal dimension of OSINT. Both Rodriguez and the individual Bellingcat associated with Active Club Bogota reportedly responded with legal threats and privacy-related objections. Bellingcat stated that it consulted legal experts in both the Netherlands and Colombia, arguing that the reporting was protected by freedom of expression and public-interest considerations.
Why it matters
This case shows how extremist networks can be investigated using only open sources, without hacking, leaks, or covert collection. It also demonstrates the importance of preserving public posts, documenting methodology, and giving subjects a right of reply before publication.
OSINT lesson
Small visual details can matter. Tattoos, logos, captions, usernames, follows, likes, locations, and event imagery may appear weak in isolation, but when cross-checked across multiple public sources they can help build a stronger evidentiary picture.
Takeaway for analysts
Professional OSINT is not just about finding information. It is about making findings traceable, proportionate, legally defensible, and ethically justified. This case is a strong reminder that investigations involving political figures or extremist networks must combine technical verification with careful editorial judgment.
🔍 OSINT Mistake of the Week
Treating a Viral Post as a Verified Source
One of the most common OSINT mistakes is confusing visibility with reliability.
A video, screenshot, or claim may go viral within minutes, but that does not make it verified. In professional OSINT, the first question should never be: “How many people are sharing this?” The first question should be: “What is the original source, and can I independently verify it?”
This mistake often happens during breaking-news situations, conflicts, protests, natural disasters, or cyber incidents. Analysts see the same content reposted by dozens of accounts and assume that repetition equals confirmation. In reality, many of those posts may all trace back to a single unverified upload. Bellingcat’s verification guidance repeatedly stresses the need to check origin, context, location, and timing before treating social media content as evidence.
Why it is dangerous
A viral post can be:
Old — reused from a previous event.
Mislocated — filmed somewhere else.
Miscaptioned — real footage with a false description.
Edited — cropped or manipulated to remove context.
Amplified — spread by coordinated accounts or partisan networks.
The risk is not only publishing something false. The bigger risk is building an entire intelligence assessment on a weak foundation.
The professional fix
Before using viral content in an OSINT product, apply a basic verification chain:
Find the earliest upload
Search for the first known appearance of the content, not just the most popular repost.
Separate source from amplifier
A large account sharing a video is not the source. It may only be repeating someone else’s claim.
Verify location
Compare visible landmarks, road signs, terrain, weather, shadows, buildings, and satellite imagery.
Verify time
Check metadata when available, but also use environmental clues: daylight, weather, uniforms, vehicles, seasonal details, and event timelines.
Preserve the evidence
Archive posts, screenshots, URLs, timestamps, and notes before content is deleted or edited. Bellingcat’s toolkit includes categories for archiving, satellite imagery, maps, and social media verification tools that support this type of workflow.
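The first two steps of this chain can be made mechanical once posts are logged. The sketch below is an added example, not code from the newsletter or from Bellingcat: it collapses reposts of the same media to the earliest observed upload and counts independent origins instead of shares. The record layout, the account names, and the media fingerprints (assumed to be computed elsewhere, for example with a perceptual hash) are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log: (account, time seen, media fingerprint, account it reposted or None)
POSTS = [
    ("big_news_hub",  "2026-03-02T10:45:00+00:00", "fp_a1", "local_witness"),
    ("local_witness", "2026-03-02T09:12:00+00:00", "fp_a1", None),
    ("agg_channel_7", "2026-03-02T11:03:00+00:00", "fp_a1", "big_news_hub"),
    ("reupload_acct", "2026-03-02T11:30:00+00:00", "fp_a1", None),  # same media, no credit
    ("other_witness", "2026-03-02T09:20:00+00:00", "fp_b2", None),  # different footage
]

def root_of(account, parent):
    """Follow explicit repost links back to the account that reposted no one."""
    seen = set()
    while parent.get(account) is not None and account not in seen:
        seen.add(account)  # guards against circular repost chains
        account = parent[account]
    return account

def collapse_to_origins(posts):
    """Group posts by media fingerprint; report earliest observed upload and amplifiers."""
    parent = {acct: src for acct, _, _, src in posts}
    by_media = defaultdict(list)
    for acct, ts, fp, _ in posts:
        seen_at = datetime.fromisoformat(ts).astimezone(timezone.utc)
        by_media[fp].append((seen_at, acct))
    report = {}
    for fp, items in by_media.items():
        items.sort()
        earliest_ts, earliest_acct = items[0]
        roots = {root_of(acct, parent) for _, acct in items}
        report[fp] = {
            # "Earliest" means earliest in this log, not proven original
            "earliest_upload": earliest_acct,
            "earliest_seen_utc": earliest_ts.isoformat(),
            "post_count": len(items),
            # Identical media posted later without credit is amplification, not a new source
            "uncredited_reuploads": sorted(roots - {earliest_acct}),
            "amplifiers": sorted(a for _, a in items if a != earliest_acct),
        }
    return report

def independent_sources(report):
    """Distinct media origins, regardless of how many accounts shared them."""
    return len(report)
```

Five posts in the constructed log reduce to two independent origins. The earliest entry is still only a lead, and location and time verification apply to it as to any other upload.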
Analyst takeaway
In OSINT, repetition is not corroboration. A claim repeated by 100 accounts may still come from one unreliable source.
The correct standard is simple:
Do not report what the internet is saying. Report what the evidence supports.
⚙️ FOCUS
For OSINT, the chatbot is not the whole story
An AI support bot is not dangerous because it can answer questions.
The risk starts when it can change something.
Account details. Recovery flows. Email addresses. Access paths. Internal support actions.
That is the real boundary investigators should watch: where the AI stops talking and starts acting.
The recent Instagram account access case is useful because it shows a wider pattern. AI support systems are moving closer to operational workflows. They are not just conversational interfaces anymore. In some environments, they may become permission boundaries.
For OSINT and platform security, the method is clear:
separate the claim from the mechanism;
map the AI system’s authority;
build an evidence chain;
identify missing controls;
preserve what remains uncertain.
The question is not only “Was the chatbot fooled?”
The better question is:
What was the chatbot allowed to do?
I wrote a longform analysis for ProjectOSINT on AI support agents as a new account access surface.
🔗 Tool AI
Maltego One
This week’s AI-oriented OSINT tool is Maltego One, the newer investigation platform from Maltego. Unlike a simple search engine, Maltego One is designed to help investigators build structured intelligence workflows around people, entities, infrastructure, and relationships. Maltego describes it as a unified browser-based platform for investigations, with built-in data access, guided workflows, end-to-end encryption, and an AI Assistant to support analysis.
Why it is useful for OSINT analysts
Maltego has long been known for link analysis: mapping connections between people, domains, emails, phone numbers, social media accounts, companies, IP addresses, and other entities. Maltego One extends this approach into a more guided investigative environment, initially focused on Person of Interest investigations.
For OSINT teams, the value is not only collecting data, but seeing how separate data points connect. This is especially useful when working on investigations involving online identities, cyber infrastructure, fraud networks, influence activity, or corporate due diligence.
Professional use cases
Person of Interest investigations
Analysts can start from a name, alias, email, username, domain, or other identifier and expand the investigation through connected entities.
Cyber threat intelligence
Maltego can support infrastructure mapping by linking domains, IP addresses, certificates, malware indicators, and related threat intelligence sources.
Fraud and scam network mapping
The graph-based approach is useful when the same phone numbers, websites, accounts, wallets, or domains appear across multiple suspicious entities.
Corporate and reputational due diligence
Investigators can map relationships between individuals, organizations, online assets, and publicly available business information.
Collaborative investigations
Maltego’s newer professional and organization plans include cloud collaboration features, making it more suitable for team-based OSINT workflows.
Where AI helps
The AI layer can assist analysts by reducing manual work during the investigation process. Instead of only clicking through large graphs, analysts can use AI support to summarize findings, highlight relevant connections, guide next steps, and reduce noise.
The strongest use case is analytical acceleration: helping the investigator move from raw entities to a clearer intelligence picture faster.
OSINT value
Maltego One is especially useful when an investigation involves many weak signals. A single username, email, or domain may not prove much by itself, but when connected with other open-source data points, it can reveal patterns that are difficult to see in a spreadsheet or browser tabs.
The key benefit is relationship discovery: turning scattered public information into an explainable graph.
Limitations
Maltego One is not a magic attribution tool. The graph can show links, but the analyst must still assess whether those links are meaningful, current, and legally usable. OSINT teams should avoid treating every connection as evidence of control, ownership, or intent.
There is also a privacy and proportionality issue. Person of Interest investigations should be conducted only when there is a legitimate purpose, clear scope, and appropriate safeguards.
Analyst takeaway
AI-assisted OSINT works best when it helps the analyst ask better questions, not when it replaces judgment.
Maltego One is valuable because it combines structured investigation, link analysis, data enrichment, and AI support in one workflow. But the final intelligence product still depends on human validation, source checking, and careful interpretation.
Breaking news
SpaceX to build a military internet in space for $2.29 billion
SpaceX has been awarded a $2.29 billion contract by the US Space Force. The company will be tasked with establishing the backbone of the Space Data Network, an orbital network through which military satellites, sensors and strike systems will exchange data with virtually no delay.
The network will be deployed in low Earth orbit. The satellites will be linked by optical links, enabling the US military to transmit information more rapidly for surveillance, navigation and combat operations in various parts of the world. The project is likely to utilise advancements from Starlink and Starshield, which SpaceX is developing for the Pentagon’s requirements.
The company is due to deliver a fully functional Space Data Network by the end of 2027. The contract has already raised concerns among lawmakers, as the previous approach was based on competition between different contractors, whereas now a key part of the network is effectively being procured from SpaceX.
Location never lies.
It only waits to be decoded.
