How Investigative Journalists Use OSINT (Real-World Examples)

Real-world investigative journalism built on OSINT — Bellingcat, ICIJ, Reuters, and the techniques that produced award-winning stories from public records.

The clearest way to learn OSINT is to study investigations that used it. The field's published canon — Bellingcat, the International Consortium of Investigative Journalists (ICIJ), Reuters, OCCRP, ProPublica, and a long list of regional outlets — is a training library if you read it with the methodology in mind.

This post walks through six real-world investigation patterns, the OSINT techniques each one relied on, and where you can apply the same approach.

Pattern 1: Geolocation for Conflict Reporting

Bellingcat's reporting on Syria, Ukraine, and Yemen depends on geolocating user-posted video and images to specific coordinates, often within meters. The technique is public and replicable:

  1. Strip the video or image down to identifiable features: signage, building silhouettes, vegetation, shadows.
  2. Reverse image search components against Yandex, Google Lens, and TinEye. See /tools/reverse-image/.
  3. Match features against Google Earth Pro historical imagery and Mapillary street-level imagery.
  4. Cross-reference shadow angle with SunCalc for date and time constraints.
  5. Archive everything with hashes before platforms delete or modify it. See /blog/preserving-digital-evidence-screenshots-archives-hashing/.

The same techniques apply to domestic reporting — placing a politician at a rally, verifying the location of a labor action, or corroborating a survivor's account with a named backdrop.

Pattern 2: Corporate Network Mapping

The ICIJ's Panama Papers, Paradise Papers, and Pandora Papers combined leaked data with public-records OSINT to expose cross-border ownership networks. Investigators without access to leaks use the same techniques against public registries.

Method:

  1. Identify an anchor entity (company, officer, or registered agent).
  2. Pull its full filing history from the relevant registry — OpenCorporates, UK Companies House, state secretaries of state, Luxembourg RBE, Denmark CVR.
  3. Expand via siblings (entities sharing registered agent, address, or officers on the same date).
  4. Cross-link with SEC EDGAR for any US-regulated entities in the network.
  5. Layer in court records (PACER, state dockets) for relationship disclosures.
  6. Visualize in Maltego or Gephi.

Reuters' "Hidden Wealth" series and OCCRP's work on post-Soviet financial networks demonstrate the same pattern against different targets. See /blog/how-to-trace-company-ownership-using-public-records/ for the step-by-step.

Pattern 3: Deepfake and Manipulation Detection

When AP, Reuters, and AFP verify user-submitted imagery from conflict zones, they apply reproducible manipulation detection:

  • Error-level analysis (JPEG compression artifacts)
  • Reverse image search for earlier versions
  • Metadata extraction with exiftool (see /tools/metadata/)
  • Source-chain audit — who posted this first, where, when, with what commentary
  • Cross-reference with contemporaneous reporting

Content authenticity tooling (Content Credentials, the C2PA standard) is starting to produce verifiable provenance chains for new content, but the verification bench for user-submitted material remains largely manual and OSINT-driven.

Pattern 4: Background Checks on Public Officials

When a journalist covers a newly appointed official, the OSINT background pass is a standard workflow:

  1. Bar admission and license check (where applicable).
  2. PACER for litigation history — including as plaintiff, defendant, and counsel.
  3. State corporate registries for personal business interests.
  4. FEC and state campaign-finance databases for political contributions.
  5. Property records in states of known residence.
  6. SEC EDGAR for any public-company ties.
  7. OpenSanctions.org for any regulatory exposure.
  8. LinkedIn and archived LinkedIn (via the Wayback Machine) for resume claims.
  9. Published writing via Google Scholar, SSRN, and academic databases.
  10. Social media footprint, documented via archive and hashing.

See /blog/osint-for-journalists-verifying-sources-and-claims/. The full pass takes half a day per subject and catches material that confirmation hearings miss.

Pattern 5: Historical Investigations

Historical investigative journalism — work that reconstructs events from public records and archival material years or decades after the fact — has benefited enormously from digitization. The Epstein Revealed investigation series is an example: the underlying documents were always technically public (court filings, deposition transcripts, flight logs), but were scattered across systems until someone did the systematic collection.

Historical-investigation workflow:

  1. Inventory every public filing across every relevant jurisdiction.
  2. OCR any scanned records.
  3. Build a structured database linking entities, dates, and events.
  4. Cross-check claims against contemporaneous reporting via newspaper archives (Newspapers.com, ProQuest, local library archives).
  5. FOIA historical agency records where gaps exist. See /tools/foia/.
  6. For large document sets, triage with structured review — many newsrooms use DocumentCloud; the Subthesis legal document analysis tool handles legal-document-heavy sets consistently.
  7. Publish with a full source matrix so the work is auditable.

Pattern 6: Dark-Money and Political Network Reporting

OpenSecrets, Issue One, and investigative outlets like Mother Jones and Sludge trace political influence networks through:

  • FEC filings (federal)
  • State campaign-finance databases (varying quality)
  • IRS Form 990 and 990-PF for nonprofit flows (ProPublica Nonprofit Explorer)
  • Lobbying disclosures (LDA filings, state-level equivalents)
  • Corporate ownership linking donors to regulated industries

The pattern, applied to a specific 501(c)(4):

  1. Pull Form 990s for the last 7+ years.
  2. Extract grantors, grantees, officers, contractors.
  3. Cross-reference grantors in their own 990s for upstream funding.
  4. Check officer ties to lobbying firms, corporate boards, or PACs.
  5. Map the network; identify pass-through patterns.

See /domains/financial/ for the expanded treatment and /blog/financial-osint-tracing-money-through-public-data/ for the source inventory.

What These Patterns Share

Every pattern above shares the same underlying discipline:

  • A specific, falsifiable question.
  • A source inventory driven by the question, not by tool availability.
  • Rigorous preservation with archiving and hashing.
  • Entity-resolution care in the analysis phase.
  • Confidence levels attached to every claim.
  • Published sourcing that would allow a competent peer to reproduce the work.

In other words, the OSINT methodology framework: planning → collection → analysis → reporting. The tools vary; the method does not.

What These Patterns Don't Share

Investigations that look superficially similar but lack methodology produce fundamentally different output. Social-media-driven "OSINT" that jumps from tweet to tweet without a collection log, without archiving, and without confidence levels produces viral threads but rarely survives legal or editorial review.

The published work above survives because its authors treated OSINT as a discipline, not a genre.

How to Use This Post

Pick one investigation from any of the sources mentioned — Bellingcat, ICIJ, OCCRP, Reuters, ProPublica — and reverse-engineer it. For each factual claim in the story:

  1. Identify the source it cites.
  2. Verify the source is still accessible (or find an archive).
  3. Attempt to pull the same finding from the source yourself.
  4. Log where your pivoting diverges from theirs.

This exercise, run on three published investigations, produces more practical OSINT skill than any amount of passive reading. See /case-studies/ for curated examples on this site.

Where to Go Next

If you have read this post and the preceding 14 in this series, you have the conceptual map. Turning it into practice requires doing the work:

Investigators who publish good work are the ones who run many small investigations before they attempt a big one. The Epstein Revealed investigation series and the published canon referenced above are the visible output of thousands of hours of unglamorous, disciplined collection. That is the work. The rest is tooling.

More from the blog