Good Carder
Much of the information about a person needed to create a digital twin already exists in the public domain. It doesn't require hacking or sophisticated technical extraction — it requires the ability to find, compare, and interpret it.
OSINT (Open Source Intelligence) is not a hacking skill, but a systematic discipline for collecting and analyzing information from public sources. Its global market is estimated at $11–18 billion in 2025–2026, with growth rates reaching 27% per year. It is a legitimate and extremely effective method for collecting data, especially when preparing a targeted attack.
We will examine both sides of the coin — how attackers use OSINT to collect and compromise, and how financial institutions apply the same methods to identify risks.
Part 1. OSINT Sources: From Social Media to Leaks
1.1. Social networks are the richest source of data
Social media, where the volume of publicly available content is enormous and the combination of text, images, geodata, and social graphs creates a unique evidence base, accounts for over 67% of all data in OSINT research.
What can be extracted:
- Personal information. Full name, date of birth, city of residence, place of work/study, marital status, hobbies.
- Contacts. Phone number (often listed publicly or in the "contact information"), email (from blogs, comments).
- Passwords and email addresses. Given an email address, many services (DeHashed, Have I Been Pwned) can show which leaks it appeared in.
- Social circle. Friends, followers, and interest groups are valuable data for further attacks.
1.2. Forums and the darknet are a source of "fresh" Fullz
Monitoring forums and darknet sites is a key aspect of OSINT.
What to look for:
- Advertisements for the sale of ready-made Fullz.
- Screenshots of checkers - they often show partial card numbers, expiration dates, and BINs.
- Discussions of banking vulnerabilities that can be exploited for social engineering.
- Indicators of compromise (IoCs) exchanged between carders.
1.3. Leaked Databases as Password Sources
After every major leak, the database ends up on shadow forums, torrents, and Telegram. There, you can find not only email addresses and passwords, but also full names, phone numbers, addresses, and sometimes even passport details and credit card numbers.
Popular aggregators of leaked passwords that can be used for OSINT include:
- DeHashed is a commercial service that shows, by email or username, which databases an account appears in.
- Have I Been Pwned - Free Email Checker.
- COMB (Combination Of Many Breaches) is the largest archive of leaks (it was made publicly available, then closed, but copies were distributed on the Internet).
1.4. State registers and archives
18% of OSINT data comes from government registries. Publicly accessible data may include: civil registration records, court cases, business registrations, cadastral data, licenses and certificates, and public tenders.
1.5. Telegram – a “black hole” of personal data
Telegram has become one of the main platforms for the illegal circulation of personal data. Up to 100 bots engaged in data mining are blocked weekly, but their number is not decreasing.
Why are these bots dangerous for users?
The bots themselves collect all the information sent to them: the request's IP address, geolocation, and device data. Bot owners can sell the collected data on shadow markets.
A typical scenario: a carder requests a victim's data through a bot. A week later, the carder's data is leaked because they "exposed" their number in the bot's logs.
Part 2. OSINT Tools: From Search Engines to Specialized Platforms
2.1. OSINT Framework – a navigator across hundreds of tools
This isn't a tool, but a structured map that groups resources by category: email, username, phone number, domain, social media, etc. When opening a domain or searching for an email, the OSINT Framework displays dozens of services that can be applied to that object — from "check email in leaks" to "find accounts by username."
2.2. Maltego — visualization of connections
Transforms analysis from a flat to a multidimensional relationship space.
With Maltego, you can input a single known parameter (name, phone number, email), and the program will automatically pull in related data through hundreds of transformations, displaying the relationships in a visual graph.
2.3. SpiderFoot – an automated "spider"
Collects and analyzes data on targets from over 200 sources.
SpiderFoot doesn't just collect information; it identifies connections within it using a system of correlation rules. If you want to understand what's known about a target from open sources, SpiderFoot is the best starting tool.
2.4. Recon-ng — a modular web reconnaissance tool
A Python framework with over 100 modules, running in an interactive mode similar to Metasploit, with a built-in API to other services. Perfect for automating a chain of actions.
2.5. Shodan – a search engine for devices
Allows you to search for servers by their banners. It can reveal the bank's IP address, open ports, and software versions used. Knowing the victim's antivirus or firewall can be crucial for social engineering.
2.6. Specialized services for leak detection
| Tool | Purpose |
|---|---|
| DeHashed | Search leak databases by email/username/nickname |
| Have I Been Pwned | Free email verification |
| Hudson Rock | Searching for compromises through infostealer logs |
| LeakCheck | Paid verification by email or phone number |
Part 3. Assembling a Digital Profile of the Victim
To create a complete data set (Fullz), information must be systematically collected and verified. A complete threat profile includes not only technical indicators of compromise (IOCs), but also operational methods, objectives, and organizational structure.
3.1. Building a data graph
- Primary information collection (known entry points):
  - The victim's email is the starting point. We check it using Have I Been Pwned, DeHashed.
  - Phone number - we search through Telegram bots, social networks, Whois.
- Extension (cascade search):
  - From the found emails and phone numbers, we extract full names, addresses, and relatives.
  - We look for relatives and partners — they often post more personal information on social media than the victim themselves.
- Comparison and verification:
  - The date of birth found must match in different sources.
  - The address specified in the social network must match the one found in Whois.
3.2. How OSINT helps bypass KYC on exchanges
Data collected through OSINT allows for the creation of a synthetic identity: a dummy profile is created for verification based on a real person. AI-KYC verification can be skipped if documents and selfies are generated by a neural network (including using real data from open sources), and the account holder's behavior is tailored to match that of a real person.
Part 4. The Other Side: How Banks Use OSINT to Assess Client Risk
4.1. Non-financial scoring
Banks are actively implementing non-financial scoring methods — automated trustworthiness assessments based on OSINT. Banks' algorithms analyze:
- The client's social circle: are there any connections with individuals who are wanted or have a bad credit history?
- Geolocation: a client states one address, but their social media posts and check-ins show another.
- Lifestyle: posts about expensive cars, holidays in the Maldives, but the official income is minimal.
4.2. OSINT-based scoring models
OSINT-based scoring models can include several hundred parameters when calculating the final credit score.
The metrics used in such models include:
| Data category | What is being analyzed | What the bank sees |
|---|---|---|
| Social media | Mentions of money problems, posts about casinos, debts | Increased risk of default |
| State registers | Search, bankruptcy, court decisions | Automatic refusal |
| Business connections | Disqualified directors, mass registrations | Signs of a shell company |
| Phone number | Multiple SIM cards per person, linked to gray numbers | Fraud flag |
Analyzing unstructured data from open sources can improve the accuracy of credit models by several percent.
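The signals from 4.1 and the category table in 4.2, sketched from the bank's side as an added example (not code from this post or from any bank's scoring system). The `Applicant` record layout, every threshold, and the sample values are assumptions constructed for illustration.

```python
import math
from dataclasses import dataclass, field

# All thresholds below are assumptions for illustration, not values from the post.
MAX_HOME_DISTANCE_KM = 100   # a check-in farther than this counts as "away"
AWAY_SHARE_LIMIT = 0.5       # more than half of check-ins away => mismatch
MAX_SIMS_PER_PERSON = 3

@dataclass
class Applicant:             # hypothetical record layout
    declared_home: tuple     # (lat, lon) of the address stated in the application
    checkins: list           # [(lat, lon), ...] taken from public posts
    registry_hits: set = field(default_factory=set)     # e.g. {"bankruptcy"}
    risk_post_topics: set = field(default_factory=set)  # e.g. {"casino"}
    sim_count: int = 1
    director_disqualified: bool = False

def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def assess(app):
    """Return (decision, flags) following the category table in 4.2."""
    flags = []
    if app.checkins:
        away = sum(haversine_km(app.declared_home, c) > MAX_HOME_DISTANCE_KM
                   for c in app.checkins)
        if away / len(app.checkins) > AWAY_SHARE_LIMIT:
            flags.append("address_mismatch")
    if app.risk_post_topics & {"casino", "debts", "money problems"}:
        flags.append("increased_default_risk")
    if app.director_disqualified:
        flags.append("shell_company_signs")
    if app.sim_count > MAX_SIMS_PER_PERSON:
        flags.append("fraud_flag")
    # A state-register hit overrides every other signal: automatic refusal.
    if app.registry_hits & {"bankruptcy", "court_decision"}:
        return "refuse", flags + ["registry_hit"]
    return ("manual_review" if flags else "approve"), flags

# Constructed sample: declared address in one city, most check-ins in another.
SAMPLE = Applicant(declared_home=(55.75, 37.62),
                   checkins=[(59.93, 30.33), (59.94, 30.31), (55.76, 37.60)],
                   risk_post_topics={"casino"}, sim_count=5)
```

`assess(SAMPLE)` returns a manual-review decision with three flags; a single register hit turns any profile into a refusal regardless of the other signals.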
Conclusion: Knowledge is power, but also responsibility
OSINT is a double-edged sword. Carders use it to gather victims, bypass KYC, and prepare targeted attacks through social engineering. Banks and fintech companies use OSINT to assess risks, detect fraudulent schemes, and prevent compromise.
The primary vulnerability of any person is their digital shadow, which they themselves leave behind online. Removing this shadow is the best prevention: hide unnecessary information from social media, check for leaks, use unique passwords and 2FA. Without data, there is no Fullz, and without Fullz, there is no attack.
A quick one-line reminder:
"OSINT starts with a single dot: email, phone number, or photo. From there, a complete victim profile emerges. Remove the dot and break the chain."
