Tracking a Disinformation Network

Domain: digital

Tools used

  • social-media
  • whois
  • shodan
  • maltego
  • wayback-machine

Outcome

A cluster of 24 accounts and 9 domains was identified as operationally coordinated, documented with shared-infrastructure and behavioural signals.

This case study is an educational composite grounded in the publicly documented methods of the Stanford Internet Observatory, the DFRLab, Graphika, and Bellingcat. No real network, operator, or account is identified. All techniques described are for lawful, ethical use and rely only on publicly observable signals.

Context

A researcher monitoring public discussion of an election-related policy debate noticed a cluster of accounts amplifying a specific framing at unusual volume and coordination. The accounts individually looked ordinary; the aggregate behaviour did not. This case study walks through the OSINT sequence that turns a hunch about coordination into a documented finding.

Question

Is the observed cluster of accounts operationally coordinated (shared operator, shared infrastructure, or automated orchestration), or is it a coincidence of interest among independent users?

Subquestions:

  1. Do the accounts share identifiable behavioural signatures?
  2. Do they link to or from a common infrastructure cluster?
  3. Is the coordination consistent with known coordinated-inauthentic-behaviour patterns documented in published research?

Methodology

Planning. The researcher set a written research question, a four-week timeline, and an acceptance bar: a finding of coordination would require behavioural signals, infrastructure signals, and at least one signal that cannot be read from the accounts' public appearance alone (for example, a shared analytics identifier in linked sites).

Collection and pivot.

  1. An initial seed set of eight accounts was identified through content-based queries. All eight were archived (profile and most recent 30 posts) via the Wayback Machine and archive.today before any further work, following the social media investigation techniques tutorial.
  2. Posting-time histograms were computed from the public post timestamps. The seed cluster showed a sharp concentration in a four-hour window that did not correspond to the apparent geographic claims in the profiles.
  3. Handle-string searches surfaced sixteen additional accounts with similar naming patterns (stem plus a four-digit suffix) and similar bio templates.
  4. External links in the cluster's posts pointed to nine domains. WHOIS and DNS lookups across those domains showed a shared non-default name-server pair for six of the nine, and overlapping TLS SAN entries in certificate transparency logs for seven.
  5. Shodan searches on the IPs hosting the nine domains showed banner overlap: identical uncommon port configurations across five of the hosts, consistent with a shared templated deployment.
  6. Page-source inspection of the nine sites revealed a shared Google Tag Manager container ID across four of them — a non-trivial shared identifier.
  7. Maltego was used to compose the graph: 24 account nodes, 9 domain nodes, shared NS, shared TLS SAN, shared analytics container, shared posting-time signature.
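The collection and pivot steps above, worked through as one added example (Python; this is not code from the original case study or from any of the cited groups). Every handle, domain, name server, SAN entry and container ID in it is a constructed placeholder, and the "registrar-default" name-server pair is an assumed stand-in for the default pair that step 4 treats as carrying no signal. The example computes the posting-time histogram and its densest four-hour window (step 2), groups handles by the stem-plus-four-digit template (step 3), and measures shared NS pairs, SAN-linked certificate clusters and shared GTM container IDs across the domains (steps 4 and 6), producing the counts that would feed the graph in step 7.

```python
"""Coordination-signal analysis over a constructed account and domain dataset.

Added example for this case study, not code from the original page. Every
handle, domain, name server, SAN entry and container ID is a constructed
placeholder standing in for an observation the methodology would collect."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed public post timestamps (UTC); three accounts share a naming
# template and post inside one narrow window, the fourth does not.
POSTS = {
    "civicvoice4821": ["2024-03-01T02:10:00Z", "2024-03-01T03:40:00Z", "2024-03-02T04:15:00Z"],
    "civicvoice1937": ["2024-03-01T02:55:00Z", "2024-03-01T05:20:00Z", "2024-03-02T03:05:00Z"],
    "civicvoice7704": ["2024-03-01T03:30:00Z", "2024-03-02T02:45:00Z", "2024-03-02T04:50:00Z"],
    "dana_reads":     ["2024-03-01T13:00:00Z", "2024-03-01T19:30:00Z", "2024-03-02T08:10:00Z"],
}

# Constructed per-domain observations: name-server pair (WHOIS/DNS), SAN entries
# (CT logs) and Google Tag Manager container ID from page source (None = none).
SHARED_NS = ("ns1.shared-dns.test", "ns2.shared-dns.test")
DOMAINS = {
    "news-a.test": {"ns": SHARED_NS, "san": {"news-a.test", "news-b.test"}, "gtm": "GTM-PLACEHOLDER"},
    "news-b.test": {"ns": SHARED_NS, "san": {"news-b.test", "news-c.test"}, "gtm": "GTM-PLACEHOLDER"},
    "news-c.test": {"ns": SHARED_NS, "san": {"news-c.test"}, "gtm": "GTM-PLACEHOLDER"},
    "news-d.test": {"ns": SHARED_NS, "san": {"news-d.test"}, "gtm": None},
    "blog-e.test": {"ns": ("ns1.registrar-default.test", "ns2.registrar-default.test"),
                    "san": {"blog-e.test"}, "gtm": "GTM-OTHER"},
    "blog-f.test": {"ns": ("ns1.other.test", "ns2.other.test"), "san": {"blog-f.test"}, "gtm": None},
}
# A registrar's default pair is shared by every customer, so it is no signal
# (assumed placeholder value).
DEFAULT_NS = {("ns1.registrar-default.test", "ns2.registrar-default.test")}
HANDLE_RE = re.compile(r"^(.+?)(\d{4})$")  # stem plus four-digit suffix

def hour_histogram(timestamps):
    """Count posts per UTC hour of day."""
    hist = Counter()
    for ts in timestamps:
        dt = datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)
        hist[dt.hour] += 1
    return hist

def peak_window(hist, width=4):
    """(start_hour, share of all posts) for the densest circular window of `width` hours."""
    total = sum(hist.values())
    best_start, best_count = 0, -1
    for start in range(24):
        count = sum(hist[(start + i) % 24] for i in range(width))
        if count > best_count:
            best_start, best_count = start, count
    return best_start, (best_count / total if total else 0.0)

def handle_templates(handles):
    """Group handles that share a stem and differ only in a four-digit suffix."""
    groups = defaultdict(list)
    for h in handles:
        m = HANDLE_RE.match(h)
        if m:
            groups[m.group(1)].append(h)
    return {stem: hs for stem, hs in groups.items() if len(hs) >= 2}

def san_clusters(domains):
    """Connected components of domains linked by a certificate SAN entry."""
    parent = {d: d for d in domains}

    def find(x):  # union-find with path halving
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for d, rec in domains.items():
        for other in rec["san"]:
            if other in domains and other != d:
                parent[find(other)] = find(d)
    comps = defaultdict(list)
    for d in domains:
        comps[find(d)].append(d)
    return [sorted(c) for c in comps.values() if len(c) >= 2]

def largest_shared(counter):
    """Size of the biggest group sharing one value; 0 when nothing is shared."""
    return max((n for n in counter.values() if n >= 2), default=0)

def infrastructure_overlap(domains):
    """Largest group of domains sharing a non-default NS pair, a SAN cluster, or a GTM ID."""
    ns = Counter(r["ns"] for r in domains.values() if r["ns"] not in DEFAULT_NS)
    gtm = Counter(r["gtm"] for r in domains.values() if r["gtm"])
    return {"domains": len(domains), "shared_ns": largest_shared(ns),
            "shared_gtm": largest_shared(gtm),
            "san_cluster": max((len(c) for c in san_clusters(domains)), default=0)}

def coordination_report(posts=POSTS, domains=DOMAINS):
    """Combine the behavioural and infrastructure signals into one record."""
    templates = handle_templates(posts)
    cluster = [h for hs in templates.values() for h in hs]
    hist = hour_histogram(ts for h in cluster for ts in posts[h])
    report = {"template_clusters": templates, "cluster_accounts": len(cluster),
              "peak_window": peak_window(hist)}
    report.update(infrastructure_overlap(domains))
    return report
```

Calling coordination_report() on the constructed data gives a three-account template cluster whose posts all fall in the 02:00 to 06:00 UTC window (peak share 1.0, against 0.75 when the unrelated account is included), four domains on the same non-default NS pair, a three-domain SAN cluster and three domains on one GTM container. These counts are the inputs to the graph, not a verdict: the acceptance bar in the Planning paragraph still requires each signal class to be present before coordination is claimed.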

Evidence snapshot

Sources: public profile pages (archived), public post metadata, crt.sh, Shodan, page HTML

Four-week research window. All archives captured within 24 hours of identification.

Exports of the graph, infrastructure map, and archived pages each hashed with SHA-256.
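One way to carry out the hashing step above, as an added example (Python) that is not code from the original case study: every export is hashed with SHA-256 into a manifest that records the capture time, and the manifest can later be re-checked to show that an archived page or graph export has not changed since capture. The file names and contents are constructed placeholders written to a temporary directory.

```python
"""SHA-256 evidence manifest for exported artefacts.

Added example, not from the original case study. File names, contents and the
capture timestamp are constructed placeholders."""
import hashlib
import json
import tempfile
from pathlib import Path

def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large archive exports need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root, captured_at):
    """Hash every file under root; record relative POSIX path, digest and capture time."""
    root = Path(root)
    files = {p.relative_to(root).as_posix(): sha256_file(p)
             for p in sorted(root.rglob("*")) if p.is_file()}
    return {"captured_at": captured_at, "algorithm": "sha256", "files": files}

def verify_manifest(root, manifest):
    """Return relative paths that are missing or whose digest no longer matches."""
    root = Path(root)
    problems = []
    for rel, digest in manifest["files"].items():
        p = root / rel
        if not p.is_file() or sha256_file(p) != digest:
            problems.append(rel)
    return problems

def demo():
    """Write constructed exports, build a manifest, then alter one file and re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "graph.csv").write_text("source,target\nacct-0001,news-a.test\n")
        (root / "infra.json").write_text('{"news-a.test": {"ns": ["ns1.placeholder.test"]}}')
        (root / "archives").mkdir()
        (root / "archives" / "acct-0001.html").write_text("<html>constructed snapshot</html>")
        manifest = build_manifest(root, "2024-03-01T12:00:00Z")  # constructed capture time
        clean = verify_manifest(root, manifest)
        # Simulate a post-capture modification of one export.
        (root / "graph.csv").write_text("source,target\nacct-0001,news-b.test\n")
        tampered = verify_manifest(root, manifest)
        return manifest, clean, tampered

if __name__ == "__main__":
    manifest, clean, tampered = demo()
    print(json.dumps(manifest, indent=2))
    print("clean:", clean, "after modification:", tampered)
```

The manifest itself should be stored (and its own digest recorded) separately from the exports it describes, since a manifest kept only beside the files it covers can be altered together with them.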

Infrastructure overlap: 6 of 9 domains share non-default NS pair; 7 of 9 share TLS SAN cluster; 4 of 9 share Google Tag Manager container ID. Behavioural overlap: posting-time histogram concentration; shared handle-naming template on 20 of 24 accounts.

Findings

  1. The cluster shows infrastructure signals and behavioural signals consistent with operational coordination.
  2. The strongest single corroborator is the shared Google Tag Manager container ID — an identifier unlikely to be shared by independent operators.
  3. Attribution to a specific real-world operator was not attempted and was not supported by the available evidence.
  4. The finding was written up as a coordinated-behaviour description, not as an attribution claim. Platform trust-and-safety teams were notified through published disclosure channels.

Lessons learned

  • Coordination is a claim about behaviour and infrastructure, not about identity. The strongest published CIB writeups restrict themselves to documented signals.
  • Posting-time histograms are cheap and powerful. They are often the first signal that a seemingly organic cluster is anything but.
  • Shared analytics and tag identifiers are underused. Operators who would never reuse domain infrastructure will routinely reuse a GTM container.
  • Archival before analysis is non-negotiable. Coordinated clusters commonly self-modify once researchers engage.

Ethical considerations

For methodology writeups in this space, see the public work of the Stanford Internet Observatory, the DFRLab, and Graphika. For long-form investigative treatment of disinformation adjacent to financial and political networks, see the Epstein Revealed investigation series. For secondary analysis of any documents that surface in such work, use the Subthesis legal document analysis tool.