GI Consulting

Digital Intelligence & OSINT

Case Study: Cyber Stalking and Online Harassment

Unmasking Anonymous Attacker Through Social Media Forensics


Executive Summary

Challenge: Professional photographer received 8 months of escalating online harassment across Instagram, Twitter, and email. Anonymous accounts posted defamatory reviews, sent threatening messages, and contacted clients with false allegations. Suspect: ex-boyfriend. Attorney needed evidence for restraining order and defamation lawsuit.

Solution: OSINT investigation combining social media forensics, writing style analysis, metadata extraction, and temporal pattern correlation to link 7 anonymous accounts to suspect through unique identifiers and behavioral patterns.

Results: Documented 12 unique technical and behavioral indicators linking anonymous accounts to suspect. Attorney filed successful restraining order with 95-page evidence package. Suspect admitted harassment in settlement negotiations. Client received $75K damages + public retraction.

Timeline: 8 days from engagement to court-ready evidence package


Background

Client Situation

  • Client: Professional photographer (small business owner, female, age 34)
  • Harassment Duration: 8 months (escalating pattern)
  • Channels: Instagram (4 accounts), Twitter (2 accounts), Email (1 address), Yelp (reviews)
  • Content: Threats, defamation, client interference, revenge porn threats
  • Impact: Lost 6 clients ($40K revenue), reputation damage, emotional distress

Harassment Pattern

  1. Initial Phase (Month 1-2): Angry messages on Instagram, deleted comments on posts
  2. Escalation Phase (Month 3-5): New fake accounts, threats to release "photos," contact with clients
  3. Defamation Phase (Month 6-8): Negative Yelp reviews, Twitter threads, email to wedding venues

Suspect Profile

  • Relationship: Ex-boyfriend (dated 18 months, ended 10 months before harassment began)
  • Breakup Context: Client initiated breakup, suspect did not accept
  • Known Behavior: Possessive during relationship, monitored client's social media
  • Initial Evidence: Timing (harassment started 2 months post-breakup), knowledge of client's personal details

Attorney Engagement

  • Objectives: Restraining order, defamation lawsuit, potential criminal charges
  • Evidence Needed: Link anonymous accounts to suspect (beyond reasonable doubt)
  • Challenges: Sophisticated OpSec (VPN usage, burner emails, fake names)
  • Timeline: 2 weeks to restraining order hearing

Investigation Approach

Phase 1: Account Enumeration and Timeline Analysis (Days 1-2)

Objective: Map all harassment accounts and establish temporal patterns

Methods:

  • Platform-specific account discovery (Instagram, Twitter, Yelp, email)
  • Creation date analysis (archived versions, registration timestamps)
  • Activity pattern correlation (time-of-day, day-of-week)
  • Harassment escalation timeline

Findings:

Account Inventory:

| Platform  | Username                        | Created                | Last Active | Posts/Messages         |
|-----------|---------------------------------|------------------------|-------------|------------------------|
| Instagram | @photo_truth_2024               | 2 months post-breakup  | Active      | 45 comments, 12 DMs    |
| Instagram | @exposing_frauds_photo          | 3 months post-breakup  | Active      | 28 comments, 8 DMs     |
| Instagram | @wedding_scam_alert             | 5 months post-breakup  | Active      | 34 comments, 15 DMs    |
| Instagram | @truthabout_photographers       | 7 months post-breakup  | Active      | 22 comments, 6 DMs     |
| Twitter   | @PhotoScamWatch                 | 4 months post-breakup  | Active      | 67 tweets, 23 threads  |
| Twitter   | @WeddingPhotAlert               | 6 months post-breakup  | Active      | 89 tweets, 31 threads  |
| Email     | photoscamreports@protonmail.com | Unknown                | Receiving   | 5 emails to clients    |
| Yelp      | "Disappointed Bride"            | 7 months post-breakup  | Inactive    | 3 reviews              |

Temporal Pattern:

  • Creation Burst: 4 accounts created within 2-week period (Month 4-5 post-breakup)
  • Activity Timing: 90% of posts between 8 PM - 11 PM EST (suspect's known time zone and evening routine)
  • Day Pattern: Increased activity on weekends (when suspect had free time)
  • Holiday Correlation: No activity on Thanksgiving, Christmas (when suspect traveled - confirmed via mutual friends)

Evidence Strength: MEDIUM - Circumstantial timing but highly correlated


Phase 2: Linguistic and Writing Style Analysis (Days 2-4)

Objective: Identify unique writing patterns, vocabulary, and linguistic signatures

Methods:

  • Writing style consistency analysis across accounts
  • Vocabulary overlap detection
  • Grammar/spelling error pattern matching
  • Phrase repetition analysis
  • Comparison with suspect's known social media posts

Findings:

Unique Linguistic Markers:

  1. Misspelling Pattern: "rediculous" (instead of "ridiculous")

    • Found in 6 of 7 anonymous accounts
    • Found in suspect's Facebook posts (3 instances over 2 years)
    • Match Rate: 85% (rare misspelling)
  2. Phrase Repetition: "so-called professional"

    • Used in 5 anonymous accounts
    • Used in suspect's LinkedIn posts (2 instances)
    • Used in suspect's Yelp reviews of other businesses (1 instance)
    • Match Rate: 70%
  3. Grammar Pattern: Overuse of ellipsis "..." for dramatic effect

    • Average 3.2 per post across anonymous accounts
    • Suspect's Facebook posts: Average 2.8 per post
    • General population: <1 per post
    • Match Rate: Highly distinctive
  4. Vocabulary Similarity:

    • 47 unique words used across anonymous accounts AND suspect's social media
    • 12 rare words (e.g., "charlatan," "duplicitous," "hoodwinked")
    • TF-IDF analysis: 89% similarity score

Writing Style Metrics:

  • Average Sentence Length: Anonymous (14.2 words) vs. Suspect (13.8 words) - Close match
  • Punctuation Frequency: Both use excessive exclamation points (2.1 per post)
  • Capitalization: Both overuse ALL CAPS for emphasis (18% of posts)

Evidence Strength: STRONG - Multiple unique linguistic signatures with high match rates
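
The Phase 2 comparison can be sketched as follows. This is an added example, not code from the investigation: the posts are constructed, the function names are hypothetical, and TF-IDF is implemented with the standard library rather than NLTK. It scores the anonymous text against an unrelated control author as well as the suspect, because a similarity figure only means something relative to a baseline.

```python
import math
import re
from collections import Counter

# Constructed sample posts (not from any real account or case file).
ANON = [
    "This so-called professional is rediculous... she took the deposit and vanished... AVOID!!",
    "Another rediculous excuse from a so-called professional... total charlatan... do not book!",
]
SUSPECT = [
    "Rediculous service from this so-called professional... I was hoodwinked... never again!",
    "What a charlatan... the contractor was rediculous and duplicitous... AVOID!",
]
CONTROL = [  # unrelated author, used as the baseline
    "Lovely ceremony at the lake. The photos arrived on time and the couple was happy.",
    "We booked a venue downtown. Parking was easy and the staff answered every question.",
]
MARKERS = ["rediculous", "so-called professional"]  # markers named in this case study

def tokens(text):
    return re.findall(r"[a-z][a-z'-]*", text.lower())

def style_metrics(posts):
    """Per-post averages of the surface features listed under Writing Style Metrics."""
    n = len(posts)
    sentences = [s for p in posts for s in re.split(r"[.!?]+", p) if s.strip()]
    return {
        "ellipses_per_post": sum(p.count("...") for p in posts) / n,
        "exclaims_per_post": sum(p.count("!") for p in posts) / n,
        "avg_sentence_len": sum(len(tokens(s)) for s in sentences) / len(sentences),
        "marker_posts": {m: sum(m in p.lower() for p in posts) for m in MARKERS},
    }

def tfidf_vectors(corpora):
    """One TF-IDF vector per author; smoothed IDF is computed across the authors."""
    docs = {name: Counter(tokens(" ".join(posts))) for name, posts in corpora.items()}
    df = Counter(term for counts in docs.values() for term in counts)
    n = len(docs)
    return {
        name: {t: c * (math.log((1 + n) / (1 + df[t])) + 1) for t, c in counts.items()}
        for name, counts in docs.items()
    }

def cosine(a, b):
    dot = sum(w * b.get(t, 0.0) for t, w in a.items())
    norm = math.sqrt(sum(w * w for w in a.values())) * math.sqrt(sum(w * w for w in b.values()))
    return dot / norm if norm else 0.0

def compare(anon, suspect, control):
    vecs = tfidf_vectors({"anon": anon, "suspect": suspect, "control": control})
    return {
        "anon_vs_suspect": cosine(vecs["anon"], vecs["suspect"]),
        "anon_vs_control": cosine(vecs["anon"], vecs["control"]),
    }

if __name__ == "__main__":
    print(style_metrics(ANON))
    print(compare(ANON, SUSPECT, CONTROL))
```

On real data the control set should hold many authors writing on the same subject, so that shared topic vocabulary is not mistaken for shared authorship.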


Phase 3: Metadata and Technical Forensics (Days 4-5)

Objective: Extract metadata from posts, images, and documents

Methods:

  • Image metadata extraction (EXIF data)
  • Screenshot metadata analysis
  • Embedded location data recovery
  • Device fingerprinting (if available)

Findings:

Image Metadata Analysis:

Anonymous Instagram Post (@exposing_frauds_photo):

  • Image: "Proof of scam" - screenshot of client's wedding contract
  • EXIF Data:
    • Camera: iPhone 12 Pro
    • Software: iOS 15.6
    • GPS Coordinates: Removed (manually stripped)
    • Timestamp: 2024-03-15 20:34:12 EST
    • Unique Device ID: Hashed but consistent across 3 images

Cross-Reference with Suspect:

  • Suspect's Instagram (personal account): iPhone 12 Pro confirmed in multiple posts
  • iOS version: 15.6 matches suspect's phone (confirmed via iMessage reactions)
  • Device ID hash: Matches 2 images posted from suspect's personal account (same phone)

Evidence Strength: CRITICAL - Device fingerprint match

Screenshot Forensics:

Several anonymous accounts posted screenshots of client's private messages (claimed to be "evidence")

Analysis:

  • Font rendering: macOS system font (San Francisco)
  • Screen resolution: 2880x1800 (MacBook Pro 15" Retina)
  • Timestamp format: 12-hour format with EST timezone
  • Battery icon style: macOS Monterey (specific version)

Suspect's Known Devices:

  • MacBook Pro 15" (2019) - Confirmed via LinkedIn "posted from" metadata
  • Operating System: macOS Monterey - Confirmed via iCloud Photo Library metadata leaks

Evidence Strength: STRONG - Device and OS match


Phase 4: Social Network Analysis and Connection Mapping (Days 5-6)

Objective: Identify hidden connections between anonymous accounts and suspect

Methods:

  • Follower/following analysis (mutual connections)
  • Engagement pattern analysis (likes, comments, retweets)
  • Account interaction timeline
  • Network visualization

Findings:

Instagram Follower Analysis:

@photo_truth_2024 (Anonymous Account #1):

  • Followed 23 accounts initially
  • 12 accounts are mutual friends of client and suspect
  • Pattern: Only followed these accounts after they posted photos with client
  • Timing: Followed within 24 hours of each person posting with client

@exposing_frauds_photo (Anonymous Account #2):

  • Followed 18 accounts
  • 9 accounts are wedding vendors client works with regularly
  • Pattern: Followed vendors immediately after client tagged them in Instagram posts
  • Knowledge: Only suspect would know specific vendor relationships

Twitter Interaction Pattern:

@PhotoScamWatch:

  • Retweeted 47 accounts
  • 8 accounts are suspect's known friends/colleagues
  • Never retweeted any accounts client follows (avoiding obvious connection)
  • Engagement timing: Retweeted suspect's personal account once (immediately deleted - cached version recovered)

Network Map Discovery:

  • Anonymous Account #3 (@wedding_scam_alert) followed Anonymous Account #1 (@photo_truth_2024) within 1 hour of creation
  • Pattern suggests same operator (forgot to hide connection)
  • Both accounts used identical bios: "Exposing Wedding Photography Scams in [City]"

Evidence Strength: STRONG - Network patterns show operational security failures


Phase 5: Temporal Correlation and Behavioral Analysis (Days 6-8)

Objective: Correlate harassment activity with suspect's known schedule and life events

Methods:

  • Activity timeline vs. suspect's known schedule (work, travel, social events)
  • Cross-platform simultaneity analysis
  • Event-driven harassment spikes
  • Silence period correlation

Findings:

Activity Correlation with Suspect's Life:

Work Schedule:

  • Suspect works 9-5 (confirmed via LinkedIn)
  • Anonymous account activity: Near-zero during 9-5 (99% outside work hours)
  • Lunch break pattern: Brief activity spikes at 12:30-1 PM (suspect's known lunch time)

Travel/Absence:

  • Thanksgiving 2024: Suspect traveled to parents (Ohio) - Zero harassment activity for 4 days
  • Christmas 2024: Suspect abroad (Europe trip per Instagram geotag) - Zero harassment activity for 10 days
  • Conference 2025: Suspect attended industry conference (Vegas) - Harassment paused 3 days

Breakup Anniversary:

  • March 10, 2025: 1-year breakup anniversary
  • Harassment spike: 23 posts/messages in single day (10x normal volume)
  • Content: Emotional, references to "being wronged" and "time wasted"
  • Timing: Suspect's known behavioral pattern (emotional on anniversaries)

Client's New Relationship:

  • February 14, 2025: Client posted Instagram photo with new partner
  • Harassment spike: 45 posts/messages over next week (15x normal volume)
  • Content: References to "moving on too fast" and "replacement"
  • Emotional tone: Jealousy-driven language

Event-Driven Pattern:

  • Client's wedding bookings: Harassment increased within 48 hours of client posting wedding content
  • Client's awards/recognition: Harassment spiked after client won industry award (suspect knew she submitted)
  • Mutual friend interactions: Harassment spiked when mutual friends posted with client

Evidence Strength: CRITICAL - Near-perfect temporal correlation with suspect's schedule and emotional triggers
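
The time-of-day share and the silence-period check described in Phase 5 can be quantified as below. This is an added example, not the investigation's own tooling: the activity log, dates and absence windows are constructed, the function names are hypothetical, and the null model (a constant daily posting rate, Poisson-distributed) is a simplifying assumption.

```python
import math
from datetime import date, datetime, timedelta

# Constructed activity log: one evening post per day for 60 days, none during two
# known absence windows of 4 and 10 days. All dates here are hypothetical.
START = date(2025, 1, 1)
ABSENCES = [(date(2025, 1, 10), date(2025, 1, 13)), (date(2025, 2, 3), date(2025, 2, 12))]

def in_absence(day, absences):
    return any(first <= day <= last for first, last in absences)

def build_sample():
    posts = []
    for offset in range(60):
        day = START + timedelta(days=offset)
        if not in_absence(day, ABSENCES):
            posts.append(datetime(day.year, day.month, day.day, 20 + offset % 3, 15))
    posts.append(datetime(2025, 1, 20, 12, 40))  # one lunch-break post
    return posts

def window_share(posts, start_hour, end_hour):
    """Fraction of posts whose hour falls in [start_hour, end_hour).
    Timestamps must already be normalised to a single time zone."""
    return sum(start_hour <= p.hour < end_hour for p in posts) / len(posts)

def silence_test(posts, absences, observed_days):
    """Count posts inside the absence windows and return the probability of seeing
    that few or fewer if the account posted at a constant rate regardless of travel."""
    absent_days = sum((last - first).days + 1 for first, last in absences)
    inside = sum(in_absence(p.date(), absences) for p in posts)
    # Daily rate estimated from the days the suspect was not travelling.
    rate = (len(posts) - inside) / (observed_days - absent_days)
    expected = rate * absent_days
    # Poisson cumulative probability P(X <= inside) with mean `expected`.
    p_value = sum(math.exp(-expected) * expected ** k / math.factorial(k)
                  for k in range(inside + 1))
    return {"absent_days": absent_days, "posts_inside": inside,
            "expected_inside": expected, "p_value": p_value}

if __name__ == "__main__":
    sample = build_sample()
    print("evening share:", round(window_share(sample, 20, 23), 3))
    print("work-hours share:", round(window_share(sample, 9, 17), 3))
    print(silence_test(sample, ABSENCES, observed_days=60))
```

A small p-value shows the silences are unlikely to be chance under this model; it does not by itself rule out other explanations, such as a different person with the same travel dates.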


Phase 6: IP Address and Technical Attribution (Days 7-8)

Objective: Identify IP addresses and technical infrastructure used by harasser

Methods:

  • Email header analysis (for direct emails to client and businesses)
  • VPN detection and pattern analysis
  • ISP correlation with suspect's known location
  • Platform metadata extraction (when available)

Findings:

Email Header Analysis:

Email from photoscamreports@protonmail.com:

  • Originating IP: 38.12.95.142 (NordVPN exit node - detected)
  • Timestamp: 2024-08-15 22:14:06 EST
  • VPN Detection: NordVPN US server (common VPN service)

Pattern Analysis:

  • All emails sent via VPN (sophisticated OpSec)
  • However: VPN server selection pattern revealed geographic preference
  • VPN Servers Used: 90% selected "US East" region (closest to suspect's location)
  • Timing: Emails sent during suspect's known evening hours (8-11 PM EST)

Platform IP Leakage (Yelp):

Yelp Review ("Disappointed Bride"):

  • Posted from: 73.94.XXX.XXX
  • ISP: Comcast Cable (residential)
  • Geolocation: Suspect's city (5-mile radius)
  • Cross-reference: Suspect's known ISP is Comcast (confirmed via data breach)

Instagram IP Pattern:

Instagram does not provide IP logs to users, but client reported harassment to Instagram:

  • Instagram Safety Team confirmed: "Accounts show coordinated behavior from same IP range"
  • Instagram internal action: Disabled 2 accounts for "inauthentic behavior"
  • Implication: Instagram's internal systems detected same-source pattern

Evidence Strength: MEDIUM-STRONG - VPN complicates direct attribution, but patterns + Yelp IP leak significant


Deliverables

Executive Summary for Attorney (6 pages)

  • Harassment timeline and escalation pattern
  • 12 unique identifiers linking anonymous accounts to suspect
  • Evidence strength assessment (technical, behavioral, linguistic)
  • Restraining order recommendations
  • Defamation lawsuit viability

Technical Reports

1. Account Analysis Report (18 pages)

  • Complete account inventory across platforms
  • Creation dates and activity patterns
  • Temporal correlation with suspect's schedule
  • Network connection mapping

2. Linguistic Analysis Report (22 pages)

  • Writing style comparison (anonymous vs. suspect)
  • Unique misspelling patterns
  • Vocabulary overlap analysis
  • Phrase repetition documentation

3. Metadata Forensics Report (15 pages)

  • Image EXIF data extraction
  • Device fingerprinting (iPhone 12 Pro match)
  • Screenshot forensics (macOS indicators)
  • Technical attribution summary

4. Behavioral Pattern Report (20 pages)

  • Temporal correlation analysis
  • Event-driven harassment spikes
  • Travel/absence correlation
  • Emotional trigger identification

5. IP and Technical Intelligence (12 pages)

  • Email header analysis
  • VPN detection and pattern analysis
  • Yelp IP geolocation
  • Platform internal action documentation

Evidence Package for Court

95-Page Comprehensive Report Including:

  • Annotated screenshots of all harassment (200+ images)
  • Side-by-side writing style comparisons
  • Timeline visualizations (harassment vs. suspect's life events)
  • Device fingerprint analysis
  • Expert declaration on linguistic match probability (89% confidence)

Appendices:

  • Archived web pages (all anonymous accounts)
  • Email headers (5 threatening emails)
  • Instagram/Twitter export data (API pulls where available)
  • Yelp review documentation
  • Witness statements (2 mutual friends confirming suspect's behavior)

Results & Legal Outcome

Restraining Order Hearing

  • Attorney filed: 9 days after receiving OSINT report
  • Evidence presented: 95-page report, timeline visualization, linguistic analysis
  • Hearing duration: 45 minutes
  • Judge's ruling: Granted 3-year restraining order
  • Judge's comments: "Overwhelming circumstantial evidence... pattern is unmistakable"

Suspect Response

  • Initial denial: "Not me, anyone could have done this"
  • After evidence review: Suspect's attorney advised settlement
  • Admission: Suspect admitted harassment in settlement negotiations (not public admission)

Settlement Agreement

  • Damages: $75,000 payment to client
  • Public retraction: Suspect required to post apology on personal social media
  • Account deletion: All 7 anonymous accounts permanently deleted
  • Non-contact: Permanent restraining order (no expiration)
  • Criminal charges avoided: Client agreed not to pursue felony charges in exchange for settlement

Platform Actions

  • Instagram: Permanently banned suspect's personal account + 4 anonymous accounts
  • Twitter: Suspended 2 anonymous accounts for coordinated harassment
  • Yelp: Removed 3 fake reviews, flagged suspect's account
  • ProtonMail: Account disabled for terms of service violations

Business Impact for Client

  • Reputation recovery: Negative reviews removed, settlement included SEO cleanup
  • Client retention: 4 of 6 lost clients returned after settlement announcement
  • Revenue recovery: Booked 12 new weddings within 3 months (reputation restored)
  • Emotional closure: Restraining order and settlement provided peace of mind

Key Takeaways

For Attorneys

1. Circumstantial Evidence Can Be Overwhelming

  • No single "smoking gun" but 12 corroborating indicators
  • Temporal correlation + linguistic analysis + device fingerprinting = strong case
  • Judges understand statistical improbability of coincidence

2. Emotional Context Matters

  • Breakup anniversary harassment spike = emotional fingerprint
  • Jealousy-driven content after client's new relationship = motive evidence
  • Judges are persuaded by behavioral psychology evidence

3. Platform Cooperation

  • Instagram's internal confirmation of "coordinated behavior" was key
  • Yelp IP leak provided only direct technical attribution
  • Most platforms will cooperate with restraining order requests

Cost-Benefit:

  • OSINT Investigation: $8,500
  • Settlement Recovery: $75,000
  • ROI: 9x return on investigation investment

For Investigators

1. Multi-Modal Evidence

  • Technical (metadata, IP) + Linguistic (writing style) + Behavioral (timing) = comprehensive case
  • No single evidence type sufficient for sophisticated OpSec
  • Operational security failures (network connections) often most revealing

2. Temporal Correlation is Powerful

  • Harassment pause during suspect's travel = near-smoking gun
  • Activity patterns matching suspect's schedule = strong indicator
  • Event-driven spikes (client's new relationship) = emotional fingerprint

3. Linguistic Analysis

  • Unique misspellings (e.g., "rediculous") are highly distinctive
  • Vocabulary overlap across 7 accounts = same author
  • Writing style metrics (sentence length, punctuation) surprisingly consistent

4. Device Fingerprinting

  • iPhone EXIF data provided unique device ID match
  • macOS screenshot forensics showed same laptop
  • Even with EXIF scrubbing, device patterns leak through

For Victims

1. Evidence Preservation

  • Screenshot everything immediately (accounts get deleted)
  • Use archive.org and archive.today for web pages
  • Document your own schedule/travel (for alibi if needed)

2. Platform Reporting

  • Report harassment to platforms immediately
  • Platform internal investigations provide corroborating evidence
  • Instagram's "coordinated behavior" detection is sophisticated

3. Professional Investigation Value

  • OSINT investigation strengthens restraining order application
  • Comprehensive evidence package deters suspect (settlement more likely)
  • Expert testimony on linguistic analysis persuasive to judges

Technical Methodology

Tools & Techniques

Social Media Forensics:

  • Instagram/Twitter archive tools (export data, deleted post recovery)
  • Wayback Machine, archive.today for deleted accounts
  • Social network analysis (Gephi, NetworkX for visualization)
  • Follower/following analysis (automated scraping within ToS)

Linguistic Analysis:

  • Text similarity analysis (TF-IDF, cosine similarity)
  • Vocabulary overlap detection (Python NLTK)
  • Writing style metrics (average sentence length, punctuation frequency)
  • Misspelling pattern matching (manual review + regex)

Metadata Forensics:

  • EXIF extraction (ExifTool, online analyzers)
  • Device fingerprinting (unique IDs in image metadata)
  • Screenshot forensics (font rendering, screen resolution)
  • Timestamp analysis (timezone correlation)

Temporal Correlation:

  • Activity timeline visualization (Python matplotlib)
  • Statistical correlation analysis (Pearson correlation coefficient)
  • Event-driven spike detection (manual review + automated alerts)
  • Silence period mapping (travel, work schedule correlation)

IP and Technical Intelligence:

  • Email header analysis (MX Toolbox, Google Admin Toolbox)
  • VPN detection (IP reputation databases, known VPN ranges)
  • ISP identification (WHOIS, ARIN lookups)
  • Geolocation services (MaxMind, IP2Location)

Legal & Ethical Standards

  • Public sources only: No illegal access to private accounts
  • Platform ToS compliance: Scraping within rate limits and rules
  • Privacy laws: No unlawful surveillance or tracking
  • Expert standards: Linguistic analysis methods peer-reviewed and court-tested

Conclusion

The OSINT investigation linked the 7 anonymous harassment accounts to the suspect through a combination of linguistic analysis, device fingerprinting, temporal correlation, and behavioral patterns. The 95-page evidence package resulted in a successful restraining order and a $75K settlement within 3 weeks of investigation completion.

Key Success Factors:

  • Multi-Modal Evidence: 12 unique identifiers across technical, linguistic, and behavioral dimensions
  • Temporal Correlation: Near-perfect alignment with suspect's schedule and emotional triggers
  • Device Fingerprinting: iPhone and MacBook metadata provided technical attribution
  • Linguistic Analysis: 89% similarity score and unique misspelling patterns
  • Outcome: 3-year restraining order, $75K settlement, business reputation restored


This case study is a composite of common cyber harassment scenarios. Technical methods and linguistic analysis techniques are representative of actual investigations.

GI Consulting | Professional OSINT Investigation Services
jason@giconsulting.com
