VKontakte – Key Findings

When most people speak of social media, the have the ‘Big 3’ in mind: Facebook, Instagram & Twitter. But social media is so much more than just these three platforms, especially when it comes to OSINT on intelligence targets that don’t speak English.

In OSINT investigations we often end up scavenging social media to find information on our intelligence targets. Who are they connected to? Where have they been? What are their interests? These and many more questions can be answered by having a look a person’s profile. However, social media is constantly evolving and platforms that were relevant yesterday may not be relevant tomorrow. When I ask my daughter about Facebook, she says: “Facebook is for old people”. Thus, she does not have an account there. You would most likely find her dancing in TikTok videos, as with many other Generation Z youths. So age clearly defines which social media platforms are used. Another defining factor is the cultural background someone has. Maybe Facebook was never that big in that person’s country. The following graphic shows the evolution of social media worldwide and how Facebook became the most used platform. However, in some countries other platforms still have the upper hand and not all ‘legacy’ platforms overtaken by Facebook have been shut down. In this article I would like to give a brief overview of some of the lesser known platforms that may be useful for OSINT investigations.

VKontakte & Odnoklassniki

If your intelligence target is from a Russian-speaking country or has a Russian cultural background (or is a right-wing idiot that thinks he is being censored on Facebook), chances are high you might find this person on one of the Russian Facebook clones. The platforms VKontake (‘in contact’) and Odnoklassniki (‘classmates’) are very similar to Facebook when it comes to the functionality offered and the basic OSINT research techniques that can be applied here.

Above you can see a VKontakte profile. A profile picture, some more detailed information including a birthdate and current residence city, a friend list as well as posts and pictures. Pretty much what you can find on an average Facebook profile. As with other social media platforms, a user can choose to alter the privacy settings to hide information, so some profiles may not have an open friend list or may not share all posts with the overall public. An interesting feature on VKontakte is in the top right of the image: information when the profile was last active. In OSINT this is really helpful to figure out if a user is still active on the platform, even if no current content is posted. In many cases this last activity will lead back to the use of VKontakte as a messenger. People might not post content anymore, but will stay В Контакте (in contact) with others through this platform. The search functionality of VKontake is in some ways superior to what we now have on Facebook. At the top of the page is a search box. Filling in a search term here will enable us to browse through different categories of results and narrow these down by adding additional filters.

As you can see, you can filter people by age range, birth date information and even their views on smoking an alcohol. Posts can be sorted by the number of likes or the mentioning of specific links. All in all, there are some pretty neat filters in here.

Odnoklassniki is very similar, having friend lists, a date of birth on most profiles and information when the user was last active. The good thing with both VKontakte and Odnoklassniki, is that they accept multiple language settings, so you can use the platform in English and also a couple of other languages. If you search for names in Latin script, it will also show you corresponding results in Cyrillic script.

The last activity is right underneath the profile name and the searches in Odnoklassniki offer filters just like in VKontakte. They even allow users to add holiday destinations, which are also a filter criteria.

As I mentioned, this article is just a quick overview of some foreign social media platforms. There lots of other cool OSINT techniques that can help research here, including third-party sites to search by profile pics or sites that help with geo-referenced searches. But let’s leave that for future blog posts. Another example I want to show is very popular in the Persian-speaking community.

Facenama

Facenama is a big social media platform mainly used in Iran. At quick glance on SimilarWeb shows that this site is also accessed from other countries, as there are Iranian communities throughout the world.

Facenama looks very much like Facebook. Even the coloring scheme is identical (to the old Facebook UI).

Unfortunately, there is no way to change the language settings, but luckily the Google translate browser extension works quite well here.

The search bar in the top right of the page will enable you to search for user profiles. Just remember that the default language is Farsi, so most profiles will be in Arabic script (including profile names) and typing will occur from right to left.

The profiles will have the same type of information we have seen in the Russian sites: date of birth, friends, posts and much more (if these aren’t hidden due to privacy settings). Remember that dates will be shown in Persian, so you’ll probably have to use a calendar converter to make sense of these dates.

I could go on for hours listing and showing social media platforms: Gab for right wing nut jobs, Stayfriends for old German people, NK for Polish people and don’t even get me started on Chinese social media. The bottom line is, that there is more out there than just the ‘Big 3’ (Facebook, Instagram, Twitter). Before you start investigating someone, you should figure out where you might find these people online. Their age, culture, language, country of origin and personal taste will affect their choice of which web platforms they use and these might not always be in English. So, in the ongoing discussion of what I would like to get better at in OSINT, I didn’t choose to learn programming languages such as Python to automate tasks. I’d rather get a better grasp of languages (Arabic, Farsi, Russian, etc.) in general and master tools that help translate to help bolster my research efforts.

MW-OSINT / 04.10.2020

How to start investigations on right-wing extremists? Work your way through multiple social media platforms and combine information to generate leads!

The recent Iron March Leak once again showed the extent of right-wing extremism within our society. This leak provided a massive mount of data to conduct online investigations. While Iron March was shut down, the individuals behind it still use many other platforms to disseminate their thoughts and ideas and to communicate among each other. Of course, the new communication channels they use won’t be found with a mere Google search. In order to find such sites, we will have to follow the digital breadcrumbs across various social media networks. In this article, I would like to show starting points for OSINT research and how to work your way through different platforms to identify potentially relevant information when tracking down right-wing extremists.

Looking through social media, we will unfortunately find lots of people that follow a racist or fascist ideology. These people might not be the actual targets we are looking for, but they could lead us to them. Especially in Germany and other central European countries, many people have left Facebook and Twitter after their accounts were temporarily suspended or deleted upon sharing hate speech, which under certain circumstances is a criminal offence. They found refuge on the Russian Facebook-clone VKontakte (short: VK) and Gab, as an alternative to Twitter. In order to access information on these platforms, we will of course have to create sockpuppets. VK also allows logging on with a Facebook-account, as do many other social media platforms.

Let us start our research from scratch. First, we will have to identify individuals that might be worth investigating. Since many of these individuals think of themselves as “patriots” in Germany, searching for this term might lead to some initial results on VK.

Et voilà, the first VK-group to investigate. As you can see, this group also cites a Facebook-page. However, the Facebook-presence has been deleted and does not exist anymore. Going through the posts on this page and having a look at the members clearly shows that we are on the right track. Below are profile pictures of some of the members. Many images shown here, such as the swastika, are banned by law in Germany. Yet, on VK German citizens are free to display their ideology without any notable repercussions.

While the information posted within the VK-Group “German Patriots” might not lead to real extremist sites, the information shared by members of the group on their personal profiles could get us there. With no way of automating the next step, one of the most important OSINT traits is now needed: perseverance. This means we will have look at a number of these personal profiles manually to find new leads. Instead of going through all 2000+ member-profiles, let us concentrate on the ones with the most disturbing profile pictures. One interesting aspect during this investigation, is the fact that many people that can be found here have Russian-ancestry. This means we might also find information on another Russian social platform called Odnoklassniki (short: OK). Keep this in mind when conducting OSINT on people of Russian origin.

It doesn’t take long and we find hints towards the use of other platforms and communication channels outside of VK. Some individuals have posted their Skype-usernames, some link Telegram channels. One post from January 2018 describes an independent message board outside of Facebook and VK. The author invites people to join this outside platform by commenting or liking the post, after which he will get in contact with them and invite them to the newly created site. Interestingly, he doesn’t disclose the name or URL of his VK and Facebook alternative.

The author hasn’t publicly been active on VK since this post, although he did access it just two days ago. VK displays the last time of user activity, a useful feature to determine if the account is still active, even if nothing is publicly posted.

Regarding the unspecified platform mentioned above, I remembered stumbling upon such a site while conducting a similar search on Facebook. There I had also started by looking for profiles and pages containing derivations of “patriot”. This led me to a page called “Patrioten-Treff”, promoting a Facebook-like platform.

It turns out that this project started in early or mid-2017 and by December 2017/January 2018 it had opened to public. It was exactly the type of right-wing extremist forum I was looking for.

Online shops, racist discussions, team speak servers, organized events; “Patrioten-Treff” had it all. By linking the information I had found on VK and Facebook, it is likely that the person I had come across on VK was actually part of the team behind this new right-wing social media alternative. By early 2019 it was offline, but the content displayed there was more radical than anything seen on standard social media. Regarding the reason it shut down, it could be out of lack of funding. Before “Patrioten-Treff” was taken down, they requested funding to cover the expenses. Payment could be made by Bitcoin, direct transfer, Alipay and Paypal. Again, providing further leads to conduct OSINT investigations.

Patrioten-Treff had 2,500 users and was not even able to raise 80 Euros a month. I guess right-wing extremists are a bit stingy. Next to financial support, content moderators were needed. These moderators would communicate using WhatsApp.

While Patrioten-Treff is currently offline, the Facebook-page continues to be active every once and while. A recent post from September 2019 shared a Telegramm channel of the German neo-Nazi party Der III. Weg.

In this cross-domain investigation, manually searching for information on one social media platform led us to a plethora of new starting points to dive into. From VK to Skype, from Facebook to Telegram, from Bitcoin to WhatsApp; there are now plenty of leads to follow up upon. Not all leads can be investigated with OSINT, but this type of intelligence might provide the information we need to conduct Virtual HUMINT (VUMINT), enabling an infiltration of the new message board, Telegram channels or WhatsApp groups. I didn’t go that far, but I’m sure someone or some organization did.

By the way, the methodology described above can also be used to track other extremist groups. I wonder if other groups are just as cheap as the right-wing that couldn’t raise 80 Euros to host a website?

MW-OSINT / 01.12.2019