I go by marroxo. I've spent the better part of six years turning publicly available data into actionable intelligence — chasing digital footprints across social platforms, leaked datasets, WHOIS history, BGP tables, and forgotten forum posts from 2009. I got into this through CTFs (shoutout to the old OSINT Ironman days) and never really left.
Day-to-day I work on corporate threat intelligence: brand monitoring, executive exposure mapping, and third-party vendor risk. Outside of work I participate in TraceLabs missing persons CTFs, contribute to community tooling, and write about methodology when I have the time.
I care about reproducibility. Screenshots fade, pivots get lost, and memory is unreliable — so I document obsessively. If I can't show my work, I didn't do the work.
People whose work I read religiously: Bellingcat, Michael Bazzell, Sector035, OSINTCurious, NixIntel. If you're new and haven't read Bazzell's book, stop what you're doing.
He/him. Based somewhere in central Europe. PGP key below.
Working on a post about using FOFA as a Shodan alternative for non-US infrastructure. Re-reading We Are Bellingcat by Eliot Higgins — third time. Running a TraceLabs warm-up this weekend with a few people from the infosec.exchange crowd. Currently annoyed at how many "OSINT courses" on Udemy are just repackaged YouTube tutorials from 2019. Latest rabbit hole: Maigret edge cases on federated platforms.
Methodology-first writeups. I try to document what actually worked, including the dead ends. No "top 10 OSINT tools" listicles here.
A walkthrough of an anonymized identity resolution case. Starting from a suspicious recruiter LinkedIn profile, using Sherlock for username enumeration, reverse image search via PimEyes, certificate transparency logs on a linked domain, and WHOIS history to connect the persona to a real operator. Covers the full pivot chain methodology and — importantly — why you should document dead ends as carefully as successful pivots.
Deep dive into using crt.sh, Certspotter, and Facebook's CT log aggregator for subdomain enumeration, infrastructure pivot points, and historical company asset discovery. Includes a real-world example of finding a company's internal staging environment exposed to the public web via a wildcard cert entry. If you're not starting every corporate OSINT job with CT logs, you're leaving data on the table.
Detailed breakdown of my approach to the TraceLabs missing persons OSINT CTF. Pre-competition prep (VM snapshot discipline, sock puppet readiness, tool checks), live triage methodology, which platform searches yield the highest flag density per minute, and what first-timers consistently miss. Ends with some honest notes about the emotional weight of working on real missing persons cases — it's not a game, even when it's framed as one.
An opinionated list of Shodan search queries for real investigative use — not the "find webcams" tutorial content that gets recycled every six months. Focuses on: finding exposed industrial control systems, identifying infrastructure belonging to a specific org via ASN + SSL cert fingerprinting, tracking C2 infrastructure overlap, and correlating results across Shodan, Censys, and FOFA for non-US-hosted assets.
Given only an email address, how far can you get? Full pivot chain walkthrough using Holehe (platform presence check), GHunt (Google account details), HaveIBeenPwned API, IntelX breach search, Hunter.io for domain correlation, and WHOIS registrant matching. The Bazzell methodology applied end-to-end. Spoiler: further than most people expect, and faster than it has any right to be.
Solving a geolocation challenge using only a photo of an interior view out a window. Methodology: sun angle analysis via SunCalc, visible architecture style (building era, regional construction conventions), partial street signage, reflection analysis in glass, cross-referenced with Google Street View historical imagery and Mapillary. Solved to a specific block in Łódź, Poland. Good reminder that passive environmental details are data too.
Practical, paranoid guide to investigative OPSEC. Topics: browser fingerprinting during OSINT work (Canvas, WebGL, timezone leaks), why a VPN is not enough, VM snapshot and rollback discipline, sock puppet management (email aging, behavioral consistency), and the specific risk of logging into investigation platforms from your real accounts. Not a beginner guide — I assume you already know the basics. Inspired by watching too many people get burned by fixable mistakes.
Corporate infrastructure discovery beyond basic Shodan searches. Uses BGP routing tables (bgp.he.net, BGPView) for ASN discovery, reverse IP lookups, SSL cert fingerprinting, passive DNS history via SecurityTrails and VirusTotal, GitHub employee account enumeration for internal tooling mentions, and LinkedIn job postings as a technology stack oracle. Anonymized real case study: a mid-size SaaS company that thought they were invisible. They were not.