Using OSINT to Investigate Disinformation Campaigns
How open source investigators trace false narratives, identify coordinating accounts, and map the infrastructure behind influence operations.
Disinformation is not a new problem, but the scale at which false narratives now spread and the infrastructure that supports their spread have changed significantly. What used to require state-level resources to execute can now be done by small groups or individuals with access to social media accounts, a little patience, and some familiarity with how platform algorithms amplify content. The investigative response to that shift has also matured, and open source techniques now form the backbone of how researchers, journalists, and analysts trace where false narratives come from, how they move, and who is coordinating their spread.
This is applied OSINT work. It is not abstract analysis of a trend. It is methodical collection and analysis against a specific target: the network and infrastructure behind a piece of disinformation, and the people operating it.
Starting with the Narrative
Disinformation investigations typically start with a claim. Something is circulating that is demonstrably false or significantly misleading, and the question is where it came from and how it got to where it is now.
The first analytical task is to establish what the claim actually says, in its most precise form, before attempting to trace it. This sounds obvious and gets skipped constantly. A claim that gets paraphrased or summarized before it is traced will produce a different search trail than the actual language of the original claim. Disinformation often spreads in specific formulations, and those formulations are what you search against.
Once the claim is precisely documented, the tracing process begins. The goal is to find and date the earliest instance of the specific claim in the form it is currently circulating. This is not the same as finding the first time the underlying subject was discussed. It is finding the first documented instance of this specific false narrative in this specific form. The difference matters because disinformation often layers false framing onto real events, and confusing the origin of the event with the origin of the false narrative is a common analytical error.
Tools like reverse image search, Google’s verbatim search, and archive services including the Wayback Machine and archive.today are essential here. Platform search with precise date filtering helps establish the timeline. The goal is to build a chronological record of the claim’s documented appearances, working backward from the current circulation to the earliest traceable instance.
Identifying Coordinating Accounts
Once the timeline of the narrative is established, the next layer of investigation focuses on the accounts amplifying it. Organic spread and coordinated spread look different when you examine them at the account level, and the techniques for distinguishing between them are well-established.
Account age relative to the current activity is one of the first signals. An account created recently that is posting at high volume on a specific topic, or an account that was dormant for an extended period and then suddenly became active around a specific event, warrants closer examination. Neither pattern proves coordination, but both appear consistently in documented influence operations.
Behavioral clustering is more diagnostic. When multiple accounts post the same content within a narrow time window, use identical or near-identical language, follow the same accounts, or engage with each other’s content in ways that suggest coordination rather than independent discovery, the pattern is worth mapping. One account doing this is noise. A cluster of accounts doing it simultaneously is a signal.
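The clustering test described above can be sketched in a few lines. This is an added example, not code from the original post: the sample posts are constructed, and the 10-minute window and 0.5 similarity threshold are assumptions an analyst would tune per platform and topic.

```python
import re
from datetime import datetime, timedelta
from itertools import combinations

# Constructed sample posts (account, ISO timestamp, text); not real data.
POSTS = [
    ("acct_a", "2024-03-01T12:00:05", "BREAKING: the dam report was FAKED, share before it's deleted!"),
    ("acct_b", "2024-03-01T12:01:10", "Breaking - the dam report was faked. Share before it's deleted"),
    ("acct_c", "2024-03-01T12:02:40", "BREAKING the dam report was faked!! please share before its deleted https://example.org/x"),
    ("acct_d", "2024-03-01T12:03:00", "Has anyone read the dam report? I think the numbers look odd."),
    ("acct_e", "2024-03-03T09:00:00", "Breaking: the dam report was faked, share before it's deleted"),
]

def shingles(text, k=3):
    """Word k-grams after stripping URLs, case and punctuation."""
    text = re.sub(r"https?://\S+", " ", text.lower())
    words = re.sub(r"[^a-z0-9\s]", "", text).split()
    return {tuple(words[i:i + k]) for i in range(max(1, len(words) - k + 1))}

def jaccard(a, b):
    """Set overlap in [0, 1]; 1.0 means identical shingle sets."""
    return len(a & b) / len(a | b) if a | b else 0.0

def coordinated_pairs(posts, window=timedelta(minutes=10), min_sim=0.5):
    """Pairs of distinct accounts posting near-identical text within `window`."""
    parsed = [(a, datetime.fromisoformat(t), shingles(x)) for a, t, x in posts]
    pairs = set()
    for (a1, t1, s1), (a2, t2, s2) in combinations(parsed, 2):
        if a1 != a2 and abs(t1 - t2) <= window and jaccard(s1, s2) >= min_sim:
            pairs.add(tuple(sorted((a1, a2))))
    return sorted(pairs)

def clusters(pairs):
    """Merge overlapping pairs into account clusters."""
    groups = []
    for a, b in pairs:
        hit = [g for g in groups if a in g or b in g]
        merged = {a, b}.union(*hit)
        groups = [g for g in groups if g not in hit] + [merged]
    return sorted(sorted(g) for g in groups)
```

In the sample, acct_d posts inside the window but in its own words, and acct_e repeats the wording two days later, so neither joins the cluster; a flagged cluster is a lead for manual review, not a finding.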
Profile construction tells a story when examined carefully. Accounts built for inauthentic amplification tend to have specific characteristics: profile photos that do not withstand reverse image search, bios that are either generic or suspiciously well-constructed, follower-to-following ratios that suggest artificial inflation, and posting histories that show either suspicious uniformity or gaps inconsistent with organic account use. None of these characteristics is conclusive on its own, but a cluster of them on a cluster of accounts engaged in the same behavior pattern is meaningful.
The tools available for this layer of investigation include network visualization platforms like Gephi and Maltego for mapping relationship patterns, Botometer and similar services for behavioral scoring, and manual examination of account histories through platform-native search and archived captures of profile states over time.
Mapping the Influence Network
Individual accounts are rarely the full picture. Disinformation campaigns typically involve a distribution architecture: a set of accounts or pages that originate content, a set of amplifiers that push it to wider audiences, and downstream accounts that pick it up organically after it has gained enough apparent momentum to look credible. Mapping that architecture is the third layer of the investigation.
The origination layer is often the most difficult to identify because sophisticated operations deliberately obscure the true origin. Content may be introduced through low-profile accounts or obscure pages before being picked up by larger amplifiers, making the amplifiers appear to be the original source. Tracing backward through the share and repost chain, using timestamps to establish the actual order of propagation, is the method for getting past that misdirection.
Infrastructure analysis adds depth to the account-level mapping. Websites that host the original content or that multiple accounts in the network link to can be investigated through WHOIS records, registration history, hosting patterns, and cross-referencing against known disinformation infrastructure databases maintained by organizations like the Stanford Internet Observatory and the Digital Forensic Research Lab. Accounts that share the same external links, the same website references, or the same contact information in their profiles are connected in ways that transcend platform-level relationship mapping.
Metadata analysis of images and documents shared across the network can surface additional connections. Images shared by nominally independent accounts that share the same creation metadata, the same editing software fingerprint, or the same geographic EXIF data were likely produced from the same source. Documents with shared authorship metadata or creation timestamps that cluster around the same narrow window suggest centralized production regardless of how the distribution was structured.
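The shared-link, shared-contact and shared-metadata connections from the two paragraphs above can be combined into one evidence table per account pair. This is an added example, not code from the original post: the observations are constructed, the artifact type names are hypothetical labels, and the rule that drops any artifact seen on more than 80% of accounts is an assumed heuristic to keep ubiquitous platforms from linking everyone.

```python
from collections import defaultdict
from itertools import combinations
from urllib.parse import urlparse

# Constructed observations: (account, artifact type, value). Not real data.
OBSERVATIONS = [
    ("acct_a", "link", "https://news-daily.example/story/1"),
    ("acct_b", "link", "http://www.news-daily.example/story/2"),
    ("acct_c", "link", "https://news-daily.example/about"),
    ("acct_a", "exif_software", "PhotoEdit 4.1 build 2207"),
    ("acct_b", "exif_software", "PhotoEdit 4.1 build 2207"),
    ("acct_a", "contact", "Tips@News-Daily.example"),
    ("acct_c", "contact", "tips@news-daily.example"),
    ("acct_d", "link", "https://video.example/watch?v=1"),
    ("acct_a", "link", "https://video.example/watch?v=2"),
    ("acct_b", "link", "https://video.example/watch?v=3"),
    ("acct_c", "link", "https://video.example/watch?v=4"),
]

def normalize(kind, value):
    """Reduce an artifact to the key accounts are compared on."""
    if kind == "link":
        host = (urlparse(value).hostname or "").lower()
        return host[4:] if host.startswith("www.") else host
    return value.strip().lower()

def shared_artifacts(observations, max_share=0.8):
    """Map (kind, key) -> accounts, dropping artifacts most accounts share."""
    index = defaultdict(set)
    for account, kind, value in observations:
        index[(kind, normalize(kind, value))].add(account)
    total = len({a for a, _, _ in observations})
    return {k: v for k, v in index.items()
            if len(v) > 1 and len(v) / total <= max_share}

def pair_evidence(observations):
    """For each account pair, the distinct artifact kinds that link them."""
    evidence = defaultdict(set)
    for (kind, _), accounts in shared_artifacts(observations).items():
        for pair in combinations(sorted(accounts), 2):
            evidence[pair].add(kind)
    return {p: sorted(k) for p, k in sorted(evidence.items())}
```

Pairs linked by two independent artifact kinds deserve more weight than pairs linked by one, and a single shared domain can still be coincidence (shared hosting, a widely read outlet), so each link should be checked by hand before it goes on the network map.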
Financial infrastructure is an underexplored area of disinformation investigation in the open source space. Accounts and pages that monetize engagement, that run advertising, or that solicit donations leave traceable financial infrastructure that can connect nominally independent operations to common ownership or funding.
What This Looks Like in Practice
A completed disinformation investigation of this type produces several distinct outputs. A timeline of the narrative’s spread, from first documented instance to current circulation, with the key amplification events identified. A network map of the accounts and infrastructure involved, with the origination layer, amplification layer, and organic downstream spread distinguished from each other. An assessment of whether the pattern reflects coordinated inauthentic behavior or organic spread of a false claim, with the evidence base for that assessment documented. And an identification of any infrastructure, accounts, or coordination patterns that connect this specific instance to prior documented campaigns.
That last element is where the investigative work connects to the broader intelligence picture. Disinformation operations rarely operate in isolation. Accounts, websites, and coordination patterns that appear in one campaign often appear in others, and documenting those connections is what transforms a single-incident investigation into an understanding of the actors and infrastructure behind a sustained effort.
It is also worth noting what this type of investigation does not produce without additional collection. It can establish that coordination occurred. It can map the infrastructure and accounts involved. It can identify the timeline and amplification pattern. It cannot, on open source collection alone, definitively identify the human beings behind the operation or their institutional affiliations without additional evidence. Overstating what the open source evidence supports is one of the more common and consequential errors in this field, and the standard of evidence for attribution claims should be treated with the same rigor applied to any other high-stakes analytical judgment.
The Tradecraft Foundation
The techniques described in this post are applications of standard OSINT tradecraft to a specific target set. The timeline reconstruction is source reliability and corroboration analysis applied to a narrative chain. The account analysis is entity profiling applied to social media infrastructure. The network mapping is link analysis applied to a coordination problem. None of it requires specialized tools that are unavailable to a trained open source practitioner. The methodology is the same. The target is different.
What it does require is analytical discipline, patience with a methodical process, and careful documentation of findings in a form that can withstand scrutiny. The subject matter is contested and the stakes for accuracy are high. An investigation that incorrectly attributes a disinformation campaign causes real harm to the people or organizations it misidentifies. The same standards of evidence, confidence calibration, and sourcing discipline that apply to any intelligence product apply here with at least as much force, and probably more given the public visibility this work often receives.
The OSINT community is well-positioned to contribute meaningfully to this space. The tradecraft is there. The analytical frameworks developed for entity investigation, network mapping, source reliability, and finished intelligence production map directly onto the disinformation investigation workflow. The application is a choice about where to direct skills that are already developed and a discipline that is already mature enough to do the work rigorously.

