Type a handle into an enumeration tool and, in about eight seconds, you can have a list of two hundred sites where an account by that name exists. It is the most satisfying trick in open-source intelligence and the single most common way analysts reach a confident, wrong conclusion. A shared username is a lead, not an identity: the same string can belong to different people, be recycled by a stranger, or be squatted by an impersonator. This briefing is the forensic version of username OSINT — how cross-platform correlation actually works, the open-source tools that run it, and, more importantly, the confidence-scoring discipline and failure modes that separate a defensible attribution from a guess dressed up as a finding.
TL;DR
Username enumeration (Sherlock, Maigret, WhatsMyName) checks one handle against hundreds of sites and returns where accounts exist. That is step one, not the answer. To turn hits into an attribution you must corroborate each candidate account with independent linking evidence — a shared email or phone artifact, consistent biography, cross-posted content, matching avatar image hashes, or behavioural patterns (timezone, cadence, writing style) — and assign a confidence level. The failure modes that produce false attributions are predictable: common-handle collisions, handle recycling on abandoned accounts, deliberate impersonation, and tool false-positives from soft 404s. The discipline that prevents them is equally predictable: treat every hit as unverified, hunt for the disconfirming account, score by evidence not by tool output, and never report a probability as an identity. Try the concept with our username lookup tool; commission the rigorous version as a deanonymization engagement.
Why username correlation is the backbone of digital-footprint work
People are consistent in ways that are useful to an investigator and invisible to them. A handle chosen at nineteen gets reused on a new platform at thirty; a gaming tag becomes a dev-forum name becomes a crypto-exchange login. Each reuse is a thread, and pulling the threads together is how a scattered online presence resolves into a single subject: their interests, their network, their timeline, and — in a due-diligence context — the exposure and affiliations that a corporate register will never show. This is legitimate, high-value tradecraft, and it is exactly what a deanonymization or digital-footprint due-diligence engagement is built on.
The reason it goes wrong is that the first step is so easy that analysts mistake it for the whole job. Enumeration is cheap; correlation is expensive; and the gap between them is where false attributions live.
The tooling: what actually runs the search
Three open-source projects do most of the enumeration work in the field. They are complementary, not interchangeable.
| Tool | What it does | Where it fits |
|---|---|---|
| Sherlock | Checks a single handle against several hundred sites and reports existing accounts, fast. | First-pass breadth. The quick "where does this name exist" sweep. |
| Maigret | Enumerates, then parses profile content and extracts metadata (names, bios, linked accounts, IDs). | Second pass. Turns a hit into evidence you can actually correlate. |
| WhatsMyName | A community-maintained detection dataset (site list + match logic) that many tools and web UIs build on. | The shared substrate. Accuracy of any tool depends on how current this is. |
| Web front-ends | Hosted UIs that wrap the above for non-CLI users, including our own username lookup. | Convenience and triage; still requires manual corroboration. |
All of these answer one question — does an account with this name exist here? — and none of them answers the question that matters — is it the same person? Vendors and hobbyist write-ups routinely blur the two. The tool output is the raw material; the analysis has not started yet.
From hit list to attribution: the correlation ladder
A hit becomes evidence only when something independent ties it to the subject. These linking artifacts, roughly in ascending order of strength:
- Shared registration artifact. The same email address or phone number tied to two accounts (via password-reset reveal patterns, public profile fields, or breach-notification checks on your own domains) is strong. This is where a lawful breach check or phone lookup supports the link — provided the data source is lawful, not probiv.
- Consistent biography. The same city, employer, birth year, languages, or self-description across accounts. Weak alone, meaningful in combination.
- Cross-posted content. The same photo, the same text, the same external link posted under two handles. A matching image (compare by perceptual/pHash, not just filename) is one of the more reliable single artifacts.
- Network overlap. The same friends, followers, or group memberships recurring across accounts.
- Behavioural signature. Posting timezone and cadence, characteristic spelling and phrasing, recurring interests. Individually soft, collectively distinctive.
The rule is cumulative: no single artifact should carry an attribution on its own, and a conclusion should name the specific evidence that ties each claimed account to the subject. A report that lists twelve accounts and asserts they are all "the target" without saying why each one is has skipped the only part that mattered.
Confidence scoring, not binary claims
Every attributed account should carry a stated confidence — for example HIGH (multiple independent linking artifacts including a hard identifier), MEDIUM (consistent biography plus one corroborating artifact), or LOW (handle match only, retained as a lead). This is the same discipline our intelligence briefs apply to every factual claim. A confidence tag does two things: it stops a lead from being read as a finding, and it makes the report defensible when a subject or a court asks how you know.
The four failure modes that produce false attributions
Almost every wrong username attribution traces to one of these. Knowing them is the difference between a method and a liability.
- Common-handle collision. "mikhail," "shadow," "alex1990" — high-frequency handles belong to thousands of unrelated people. A hit on a common handle is worth almost nothing until a second, distinctive artifact ties it. The fix: measure handle rarity before you weight the hit.
- Handle recycling. Platforms release abandoned usernames; a handle your subject used in 2015 may be held by a stranger in 2026. The fix: check account registration and last-activity dates, and treat any account created after the subject's known departure as a different person until proven otherwise.
- Impersonation and squatting. Adversaries, fans, and critics deliberately reuse a target's exact handle. The fix: look for the authoritative account (verified, cross-linked from a known-good property) and treat look-alikes as suspect by default.
- Tool false-positives. Enumerators infer "exists" from HTTP responses; sites that return soft 404s, generic profile pages, or rate-limit blocks produce phantom hits. The fix: manually confirm every load-bearing account exists and belongs to a real profile, never trust the green checkmark alone.
The single most important habit: hunt the disconfirming account
The analyst's instinct is to collect accounts that fit the hypothesis. The discipline is to actively search for the one that breaks it — the profile with the same handle but a different face, city, or timeline that proves you are looking at two people. If you cannot find a disconfirming account after genuinely looking, your attribution is stronger. If you never look, your attribution is just confirmation bias with a tool log attached.
The Russia/CIS wrinkle
For the counterparties we work on, username OSINT has particular texture. Handles frequently mix transliterations (ivanov / иванов / ivan0v), so enumeration must run Latin and Cyrillic variants and common leetspeak. VK, OK, Telegram, and Russian-language forums carry footprints that Western-centric tool lists under-cover, so the WhatsMyName substrate has to be extended. And the temptation to close a hard attribution by buying probiv data is strongest here — which is exactly the shortcut that converts a lawful investigation into a GDPR-and-bribery liability. The rigorous path is slower and it is the only one that survives scrutiny: correlate on lawful, citable artifacts, and state the confidence.
What this method cannot do
It cannot turn a common handle into a person on its own. It cannot confirm an account is current without checking activity. It cannot defeat a careful subject who compartmentalises handles per platform — good operational security genuinely defeats naive enumeration. And it cannot lawfully reach inside private accounts; the moment an investigation depends on account access or purchased personal data, it has left OSINT and entered a different, regulated legal category.
Methodology & sourcing discipline
The tools named here are public open-source projects; the techniques are established OSINT tradecraft published by practitioners and training bodies. Consistent with our standard, every attribution in our own client work carries named linking evidence and a confidence tag, and no link is ever made using leaked, brokered, or insider-sourced data. This briefing describes lawful correlation only and is not a guide to circumventing anyone's privacy or platform terms.
Companion reading
- Telegram OSINT Investigation: The Analyst's Playbook — handle and channel work on the platform where CIS footprints concentrate.
- Probiv: Inside Russia's Leaked-Data Economy — the unlawful shortcut this method exists to avoid.
- 5 Steps to Reduce Your Digital Footprint — the same techniques, read from the defender's side.
- What is OSINT? Open Source Intelligence Guide — where username work sits in the wider discipline.
Sources and further reading
- Sherlock — open-source username enumerator: github.com/sherlock-project/sherlock.
- Maigret — enumeration with profile parsing: github.com/soxoj/maigret.
- WhatsMyName — community detection dataset: github.com/WebBreacher/WhatsMyName.
- GDPR (Regulation (EU) 2016/679), Articles 5 and 6 — lawful basis for processing personal data assembled during an investigation; consult counsel for any regulated use.
Need a person resolved across platforms — defensibly?
Our deanonymization and digital-footprint engagements run cross-platform correlation to an evidentiary standard: every attributed account cited to its linking artifact, every conclusion confidence-tagged, and nothing sourced from leaked or brokered data. Usable in a compliance file, a dispute, or a board decision.
Commission a Deanonymization Engagement