OSINT investigation patterns
What emerges when an email address goes through a serious OSINT investigation — the findings that recur, the ones that matter most, and the patterns practitioners look for.
Methodology
This report synthesises industry research on OSINT investigation outcomes with observational patterns from BLACKEYES sample investigations. It describes the kinds of findings that typically surface and the relative frequency of each — expressed in qualitative bands (Most / Common / Frequent / Less common) rather than claimed precise percentages. A quantitative update with full-volume statistics from in-production reports will be published once the platform has accumulated significant live use.
Six recurring patterns
Findings that surface in most serious OSINT investigations on a subject with an established digital footprint. These aren’t breakthroughs — they’re the baseline that a good investigation is built on.
Emails appear in multiple breach records
For subjects with a decade or more of online history, appearance in several historical breach archives is the norm rather than the exception. Breach records are valuable as identity anchors — name, DOB, and address data that can be cross-referenced with other sources.
Usernames reuse across platforms
The local part of an email (before the @) is frequently reused as a username across social platforms, forums, and services. Subjects who segregate their identities cleanly across accounts are the minority; most leave discoverable trails.
Professional identity is consistently findable
LinkedIn remains the single most-useful source for employment-history cross-reference. Inconsistencies between declared employment (on a CV or application) and LinkedIn history are among the most common investigative findings.
Social posts contain more location data than subjects realise
Geotagged photos, check-ins, and contextual location details (landmarks, weather references, time-of-day patterns) combine into a surprisingly strong geographic picture — even when explicit location sharing is disabled.
Undeclared directorships or dissolved companies
UK Companies House cross-references surface commercial history the subject hasn’t declared, particularly relevant in financial-services screening and matrimonial hidden-asset work. The incidence is lower than breach findings but the impact per case is high.
Alias accounts are rarely fully hidden
Even when a subject maintains pseudonymous accounts separate from their main identity, shared usernames, connected profile photos, or overlapping content themes usually connect them through at least one cross-reference.
What matters in interpretation
The patterns above are raw material. How you interpret them determines whether a report is a useful investigation outcome or a set of loosely-connected data points.
Identity triangulation beats single-source findings
A name match on LinkedIn alone isn’t verification. The same name combined with a matching Companies House directorship, breach-record DOB, and consistent location pattern is verification. Professional OSINT work hinges on cross-referencing.
Absence of a finding is not absence of the fact
If an investigation doesn’t surface a social presence, it doesn’t mean the subject doesn’t have one — it may mean they use a different email, or have privacy settings tightened. Absence of evidence isn’t evidence of absence.
Timestamps are non-negotiable context
A 2013 breach record tells you about historical exposure, not current posture. A 2022 LinkedIn profile may be long-abandoned. Every finding lives in a time context; losing that context loses the meaning.
The hardest cases are people with minimal presence
Investigations of subjects with very little public footprint — older demographics, privacy-conscious individuals, or deliberate evaders — return legitimately thin reports. That’s a useful finding in itself, not a failure.
Wrong-person attribution is the largest risk category
Two subjects with the same name, similar ages, or overlapping employers can be conflated in automated OSINT. Verification gating — demanding multiple cross-references before a finding is included — is the main defence.
Patterns by use case
The findings that emerge most often, and matter most, varies by the purpose of the investigation.
Recruitment screening
Undeclared previous employment, alias social accounts, social-content inconsistency with claimed experience, breach exposure where relevant to role risk.
Tenancy vetting
Location history contradictions, employer authenticity questions (domain verification), declared affordability versus public-record lifestyle signals.
Insurance fraud
Social-media contradictions with claimed injury or incapacity, undisclosed alternate identities, repeat-claimant network links, location mismatches at time of claim.
Legal due diligence
Director history and dissolved companies, matrimonial hidden-asset signals, commercial-interest conflicts, reputational signals not captured by formal checks.
PI and tracing
Location signals for current-address inference, network and associate mapping, historical-address reconstruction through breach metadata and social history.
Takeaways
A serious OSINT investigation on an email address — from a recruitment-screening, tenancy-vetting, fraud-investigation, or due-diligence perspective — will reliably surface a rich baseline of information. Breach records, social presence, professional history, corporate interests, location signals, and identity aliases are the standard material.
Where the investigation earns its value is in the synthesis — connecting findings across sources, verifying consistency, and surfacing contradictions between what a subject claims and what the public record shows. Any automated platform that only runs lookups and reports results misses this step; a platform that triangulates and challenges findings before reporting them produces investigation-grade output.
The typical ceiling is human judgement, not data availability. For the edge cases — ambiguous attribution, privacy-conscious subjects, subjects with minimal digital footprint — a trained investigator remains the final interpretation layer. Automated OSINT platforms like BLACKEYES are the foundation; the interpretation layer is where the professional adds value.
Run an investigation
See the patterns in action. One email, fifteen minutes, an eleven-section source-cited report.
Reports are tools, not conclusive judgements — verify material findings before reliance. See the FAQ