Hiding In Plain Sight:
Tracking/Exposing America’s Most Wanted Using OSINT (Part 1)
Disclaimer: A warning before all the ultra-expert, python-script running keyboard OSINT commandos bomb me with hate messages that this is basic plug-n-play investigation work. What this is supposed to be, is an example of a surprisingly super basic investigation utilizing OSINT, with my goal being to lightly scratch the surface of what is possible for ANYONE to do with only a phone/computer and internet connection.
Hiding in plain sight. This is a phrase I’ve read and heard about since my days as a young investigator. I practiced it while doing the grunt work of surveillance cases that would often move from vehicle to foot work in large cities like San Francisco and Los Angeles. The idea that you can make yourself harder to spot or identify when thrown into a group or crowd of other people makes perfect sense to me.
Apparently, this idea of hiding in plain sight also makes sense to at least a handful of characters lucky enough to land their faces plastered on an Interpol Red Notice and even the Federal Bureau of Investigation’s Most Wanted list…specifically their Cyber section…and even more specifically? I’m talking about the 11 Russian intelligence operatives indicted in the 2016 hacking of the Democratic National Committee.
For the majority of us, the pictures in the FBI wanted poster above are the only faces of the operatives at the Main Intelligence Directorate (commonly referred to by the acronym GRU) many of us will ever see. We’ve read about them in their federal indictment and the Mueller Report, and they are regularly mentioned in a very generic fashion every time a blaring news story on “Russian Interference” is featured on the inter-webs or television, yet they remain just faces.
I’m going to change that.
These Russians and their famous mugshots have lives, they have families and friends, they get married, they get completely shitty at parties, take lots of shirtless photographs and quite regularly even take an exotic European vacation. You might be thinking none of this is surprising, but would you be surprised if I told you some of these elite Russian agents wanted by the United States share much of this information online just like you and your ultra conservative, religious quote loving Tío Jilberto or your crazy Aunt Trudy and her never ending stream of cat memes?
Yup. It’s true.
First, as I alluded to in my disclaimer, I regularly complete more complicated investigations in my day job and although the tools are high tech, the information I was able to find floating around on the internet doesn’t require any technical knowledge to obtain. I also don’t speak Russian and depended heavily on Google Translate to help clear up confusing language (which, no surprise, sometimes made things even more confusing). It should ALSO be noted that NO illegal techniques were used in developing the information I’m about to share here. Everything I discovered and documented came as a result of investigating what is commonly referred to as Open Source Intelligence (OSINT) found online.
I’m constantly on the hunt for new training opportunities, which this year led me to a week-long OSINT intensive training in August, hosted at the University of California Berkeley School of Law in their Human Rights Center and taught by some very knowledgeable folks from Bellingcat, a great organization that I fully support and you can read more about here. (NOTE: Other than being a fan and supporter, I am in no way affiliated with them)
The Bellingcat course began with three days of visual and interactive training on a wide range of investigative techniques. The last two days were spent on additional training, mixed in with the option to work in a group on an OSINT investigation project to present on the last day of the class, utilizing any of the investigative techniques taught by the instructors. I chose my project fairly quickly.
In my very limited free time, I have been collecting and documenting the social media profiles of a variety of active Mexican drug cartel members and saving the photographs and video content they post online. I haven’t done anything with the information other than collect it and although my Bellingcat project didn’t focus on the cartels, it did give me the idea to see if I could use a Russian facial recognition website (FindClone) introduced to me by the Bellingcat team to locate active social media profiles of individuals wanted by the International Criminal Police Organization (INTERPOL).
INVESTIGATING INTERPOL’S MOST WANTED
Facial recognition is a powerful tool that most people think might just be a gimmick on your phone or something you’ll only see used by large governments, and the idea that anyone can utilize it to comb through a large, international social network with a few clicks of a mouse is chilling. FindClone is a tool that anyone with a phone, computer and internet access can use. I won’t go into an in-depth explanation of what FindClone is, how it works or how to use it because it has already been covered in a detailed and informative article written by Aric Toler and published on Bellingcat in February 2019.
What I will say about FindClone is that you will most definitely shit your pants when you realize how powerful and accurate their facial recognition algorithms are at matching the images you provide against photographs uploaded to the Russian version of Facebook: VK.com.
In order to start using their facial recognition tool, I needed some photographs to start feeding into the system, so I opened up INTERPOL’S website and started by manually filtering their “Most Wanted” list, which they refer to as Red Notices, for Russians only.
“Red Notices…. issued for fugitives wanted either for prosecution or to serve a sentence. A Red Notice is a request to law enforcement worldwide to locate and provisionally arrest a person pending extradition, surrender, or similar legal action.”
I chose Russians as a nationality to filter, not because I have a disdain for them, but because I assumed that Russians would provide me the most results seeing as FindClone is matching my photographs with VK.com profiles, and with the majority of VK users being Russian, I figured I would get a few hits. I wasn’t wrong.
I immediately had over 2500 profiles/photographs to work with, which is great from an available data standpoint but I only had a day and a half to pull something interesting together to present to the class. This is where some Python script writing ability could have come in handy, but since I’m still a programming newb, I manually started clicking and saving the best quality photographs and profiles which amounted to about 90 to 100 individuals to run through facial recognition.
As I started to run my collection of photographs through FindClone, I was getting multiple matching results, several of them high-probability hits, with many of the VK.com profiles coming up as active. The only issue I had was that many of them were wanted by the Russian government for “Participation in a terrorist organization; participation in an illegal armed formation.” I don’t know about you dear reader, but I don’t have any particular love for the Russian Government and I sure as hell wasn’t going to facilitate the capture of fugitives (mostly women) who were in their cross-hairs, which led me to add a second filter to search only for Russians wanted by the United States. I received the following results:
Four measly results.
Only four individuals with Red Notices out of 7,142 were Russian and wanted by the United States. These are slim pickings for sure, but you work with what you’ve got.
After three of the four did not yield easy-to-filter results after running their profiles through FindClone, I started with my last possibility, Mr. Sergey Linnik, whose charges included, “1) Robbery in the first degree 2) Robbery in the second degree 3) Robbery in the second degree causing physical injury 4) Assault in the second degree 5) Criminal possession of a weapon in the fourth degree.”
My first impression was that he looked very young and the photograph looked old. I wasn’t sure what kind of results I’d get on FindClone but before I ran his photograph, I used one of my favorite investigative tools available to find out more about Mr. Linnik and why he was on an INTERPOL Red Notice: Google.
The simple Google search with his name in closed quotes returned quite a few promising results, and after sifting through things I ended up having to pull up a cached version of the Richmond County District Attorney’s office “Most Wanted Page,” since the page has changed in the last few years and is no longer something they publish. The payoff was that I was able to find additional details and the origin of how Mr. Linnik found himself a fugitive on INTERPOL’S website:
My immediate thoughts were: 1) Mr. Linnik was just a kid when this happened 2) Shit, this case is 15 years old 3) These kids must have really needed Vodka badly and 4) As unfortunate as it was that someone was mugged and stabbed, they survived it. It would seem odd that a mugging where one of the two parties was arrested and presumably did a little bit of time in custody would result in the second person being named as a wanted fugitive listed on an INTERPOL Red Notice…but what do I know, I’m just an investigator.
The next step was actually running Mr. Linnik’s mugshot through FindClone and the website quickly provided a couple of results:
Pretty sweet, right? Now, being a private citizen with very little free time on my hands, I’m fairly limited as to what I can do to confirm if the profiles I now have access to are in fact the same person or not. If this was something I was working on for work, I would have access to databases to help in confirming an identity and also a reason to interview the individual if the scenario permitted, but this is not the case.
So what can I do to verify? As just a simple citizen OSINT Investigator, I can see that the birthdate of March 7, 1988 on both VK profiles matches the birthdate on his INTERPOL Red Notice, his place of birth was listed as Kyzylorda, Kazakhstan, which matched one of the profiles, the names are similar and although 15 years have passed and he has gained a few pounds, the resemblance between young juvenile Sergey and adult Sergey is uncanny.
I can say with a high degree of certainty that the VK profiles produced by FindClone for a now fully grown Sergey Linnik belong to the same person as the wanted INTERPOL fugitive, and that as of 11:53PM on December 6, 2019 both profiles were still listed as public profiles (although December 2018 was the last recorded date of activity).
From Mr. Linnik’s profiles we can drill down quite a bit deeper, and for the sake of brevity I will touch on a few things I was able to quickly do. Presumably Mr. Linnik, or whoever set the VK.com accounts up for him, uploaded a variety of photographs which help us to further confirm his identity, and just for fun I ran them through a reverse image search on Yandex, the Russian version of Google:
The results are impressive and also disturbing. Impressive that there is a duplicate match (top left) and disturbing that so many people decide to post not only their shirtless selfies but shirtless selfies while on their backs!
Who am I to judge? The point is, we were also able to come up with Mr. Linnik’s Sexyboo dating profile:
In addition to the fun dating profile, one of Mr. Linnik’s profiles also lists a telephone number which may or may not be current, and as I have no intention of reaching out to him, I did nothing to confirm it. The phone number does provide us additional avenues of investigation, as it gives us a way to reach him, run the number through breached data and also use it to see if he has any other social media accounts set up using that same number.
Most important in this not-quite treasure trove of information we are able to pull off of the VK profiles is that one of Mr. Linnik’s photographs, uploaded in 2018, was not stripped of its GPS data. This means that we know where he took the photograph that was uploaded to his account.
I don’t really have a quick method, without knocking on the door of this apartment/medical building (according to Yandex) to find out if he still lives there, or if he ever lived there. Either way, I would bet that this is as close to locating Mr. Linnik anyone has ever gotten since he was put on the local Most Wanted list for the Richmond County District Attorney’s Office in New York.
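The GPS leak above is the one piece of this that anyone can check on their own photos before uploading. The following is an added example, not code from the original post: a stdlib-only reader for the GPS block inside a JPEG’s EXIF APP1 segment, plus a function that cuts the whole EXIF segment out. The sample JPEG it runs on is constructed in `build_sample_jpeg()` with made-up coordinates, so nothing here touches a real photo or profile.

```python
import struct
GPS_INFO = 0x8825  # IFD0 tag whose value is the offset of the GPS sub-IFD

def build_sample_jpeg():  # constructed demo input (not a real photo): SOI + EXIF APP1 (GPS only) + EOI
    tiff = b"MM" + struct.pack(">HI", 42, 8)                            # big-endian TIFF header
    tiff += struct.pack(">HHHII", 1, GPS_INFO, 4, 1, 26) + b"\0" * 4    # IFD0: 1 entry -> GPS IFD @26
    tiff += struct.pack(">H", 4)                                         # GPS IFD @26: 4 entries
    tiff += struct.pack(">HHI", 1, 2, 2) + b"N\0\0\0" + struct.pack(">HHII", 2, 5, 3, 80)
    tiff += struct.pack(">HHI", 3, 2, 2) + b"W\0\0\0" + struct.pack(">HHII", 4, 5, 3, 104)
    tiff += b"\0" * 4 + struct.pack(">12I", 37, 1, 52, 1, 205, 10, 122, 1, 15, 1, 30, 1)  # made-up DMS
    app1 = b"Exif\0\0" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"

def _segments(jpeg):  # yield (marker, start, end) per header segment, stopping at SOS or EOI
    pos = 2                                                              # skip SOI
    while pos + 2 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] not in (0xD9, 0xDA):
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        yield jpeg[pos + 1], pos, pos + 2 + length
        pos += 2 + length

def _gps_from_tiff(t):
    e = ">" if t[:2] == b"MM" else "<"                                   # byte order from TIFF header
    def ifd(off):                                                        # tag -> raw 12-byte entry
        n = struct.unpack(e + "H", t[off:off + 2])[0]
        return {struct.unpack(e + "H", t[p:p + 2])[0]: t[p:p + 12]
                for p in range(off + 2, off + 2 + 12 * n, 12)}
    def dms(entry, ref, neg):                                            # 3 RATIONALs -> signed degrees
        off = struct.unpack(e + "I", entry[8:12])[0]
        d, dd, m, md, s, sd = struct.unpack(e + "6I", t[off:off + 24])
        val = d / dd + m / md / 60 + s / sd / 3600
        return -val if ref[8:9] == neg else val
    ifd0 = ifd(struct.unpack(e + "I", t[4:8])[0])
    gps = ifd(struct.unpack(e + "I", ifd0[GPS_INFO][8:12])[0]) if GPS_INFO in ifd0 else {}
    if any(tag not in gps for tag in (1, 2, 3, 4)):                      # refs + lat + lon all required
        return None
    return dms(gps[2], gps[1], b"S"), dms(gps[4], gps[3], b"W")

def extract_gps(jpeg):  # (lat, lon) in decimal degrees, or None when no EXIF GPS position is stored
    for marker, start, end in _segments(jpeg):
        if marker == 0xE1 and jpeg[start + 4:start + 10] == b"Exif\0\0":
            return _gps_from_tiff(jpeg[start + 10:end])
    return None

def strip_exif(jpeg):  # copy of the file with every EXIF APP1 segment removed; the GPS block goes with it
    out = bytearray(jpeg)
    for marker, start, end in reversed(list(_segments(jpeg))):           # delete back-to-front
        if marker == 0xE1 and jpeg[start + 4:start + 10] == b"Exif\0\0":
            del out[start:end]
    return bytes(out)
```

Point `extract_gps(open(path, "rb").read())` at your own exports: anything other than `None` means the file still carries a position, and `strip_exif` gives you a copy that does not.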
A PREVIEW OF PART 2
Part 1 got a bit longer than I had planned and I hope this has been at least somewhat interesting for a few readers to follow along with. I’m hoping to finish Part 2 of Hiding In Plain Sight: Tracking/Exposing America’s Most Wanted Using OSINT later this week (if my school and work schedule permit). It should be shorter and more focused, and instead of targeting INTERPOL’S Most Wanted, I want to focus only on the 11 Russian intelligence operatives indicted in the 2016 hacking of the Democratic National Committee who are listed on the Most Wanted pages of the Federal Bureau of Investigation website.
The information I was able to find is not some groundbreaking data that is going to magically locate all of them, and I would imagine that this is just a snippet of the information our government is already aware of, but again, this is only to show you that this is something any one of us can do using basic OSINT techniques.
Here is a sneak peek of 3 of the (non-Ukrainian) hackers on FBI Cyber’s Most Wanted list that have caused more havoc in our US political world than anything I’ve seen in my lifetime:
If you are impatient and don’t want to wait for Part 2, try doing some of these searches yourself! You have the photos from the FBI page along with the new photographs I added and I’m curious to see what results everyone is able to pull together.
Thank you for reading and hope to see most of you back for the next update!
Part 2 is available here: https://medium.com/@Defensewerks/hiding-in-plain-sight-68715cd6e57b