OSINT natives vs ACAB
Case Study: Bad Cops Expose
The BBC has an interesting OSINT operation. There are two related investigations. The first involves a group of women doing old-fashioned gumshoe work, running down every clue using leaked databases and the internet. The second has the BBC applying a combination of traditional public records OSINT and modern face recognition software.
In March, a group of women were arrested at an anti-war rally in Moscow. They set up a telegram group in the police van. At the station, they were held for hours, beaten and abused. They managed to record some of the abuse on their phones. When it was over, they set out to find the cop who abused them. The one they called "the man in black."
His image was seared in their memories, but they could find no sign of him on police websites. And with no name to go on, social media was a dead end. After more than a fortnight of searching, they were close to giving up.
The vast amount of potentially sensitive information publicly available is beyond any human ability to comprehend. In a very real sense the old “never put in email what you wouldn’t want read in public” probably applies to literally every online activity. Never do anything that you wouldn’t want available to the public.
The old staple of private investigators was pizza and Chinese food delivery lists. Restaurants build databases of mobile phone numbers and delivery addresses. These are more accurate than official records because people tell the pizza place where to find them long before the department of motor vehicles. Thanks to credit cards, frequently there is a real name along with the basic address and phone number.
The more up to date version of this methodology is food delivery apps. One of the datasets the group used was a leak of the YandexFood customer orders database, which had only first names and phone numbers.
In late March, there was a massive data leak from the popular Russian food delivery app Yandex Food.
They began raking through the data to see if there had been any orders to Brateyevo police station over the past year. They discovered there had - by nine different customers.
Most of the Yandex data only included first names and a phone number.
Finally they came to one of the last names on the list: Ivan. A popular Russian name, so one of the most difficult to pin down. Ivan's phone number, however, did reveal a trail online - six classified adverts from the Russian trading website Avito.ru. But most of the adverts only gave them the information they already knew - a first name.
There are a few lessons learned here. Firstly, the ultimate hacking technique is persistence. Secondly, the old truism about secrets:
The greatest vice in the game is that of carelessness. Mistakes made generally cannot be rectified.1
The problem, of course, is that it's seldom evident at the time what the mistakes are. Mistakes can quickly arise from activities conducted years before there is a need for secrecy. And on the internet, mistakes are forever.
One, however - for a Skoda Rapid car sold 10 minutes' drive from Brateyevo police station, posted in 2018 - included the seller's full name: Ivan Ryabov.
Boom
BBC Delivers the coup de grâce
The identify his Boss: The Man in Beige.
The BBC obtained an arrest report from 6 March, which was signed by the police station's acting head: Lieutenant Colonel AG Fedorinov.
We then found a local newspaper report from 2012 which mentions an Alexander Georgievich Fedorinov, with an accompanying photograph which seemed to match his image.
But because the photo was 10 years old, the BBC used facial recognition software to double-check - and found images matching the "man in beige" in the video were linked to a social media account in the name of Alexander Fedorinov. That same account was tagged in an online advert for job vacancies at Brateyevo police station.
https://www.bbc.com/news/world-europe-62799246
Allen Dulles, 73 Rules of Spycraft. https://grugq.github.io/resources/Dulles%20on%20Tradecraft.pdf