OSINT Field Notes #9: Nothing Was Really Hidden
A cartel checkpoint frozen in Street View, metadata showing a drone-factory recruiter's "made for kids" flag, WiFi exposures and web certificate fingerprinting.
Welcome to edition nine of OSINT Field Notes.
This month has been about discovery, both through genuinely useful vibe-coded tools and through the old-fashioned curiosity of researchers willing to scroll Street View for hours or pull apart a video’s metadata.
I was fortunate enough to share some of the techniques I write about in person this month, speaking with researchers who track the EU’s Most Wanted: fugitives wanted for murder, armed robbery and large-scale drug trafficking. You can see more about that in the video below.
The discovery thread runs through everything else too. This month’s teardown is a case study of how a YouTube channel promoting Alabuga Start, Russia’s programme that recruits young people into its drone factories, had quietly ticked a box on YouTube that says “yes, this content is made for kids.” I’ll walk through how the mattw.io YouTube Metadata tool surfaced it, and what that flag declares about who the content is aimed at.
The rest of the edition is more of the same: open data, and what turns up when someone actually looks. And if you’re finding value in this newsletter, the back catalogue (editions 1–8) is available to paid subscribers. Each new edition stays free. That won’t change.
Ben.
1. Dispatches
A cartel checkpoint, frozen in Street View
X user Elpasadoacolor found June 2025 Google Street View imagery at 25°00’44.9”N 107°19’33.5”W near Tecorito, north of Culiacán, Sinaloa, showing a checkpoint of armed men that the mapping car drove straight through. One fighter’s vest carries CJNG (Jalisco New Generation Cartel) lettering. Google has since restricted the view, though the armed group can still be seen from further back along the road. Sources: Elpasadoacolor | niporwifi
Located Starlink terminals
A Haaretz investigation revealed two Israeli-owned firms (TargetTeam’s Stargetz and Rayzone) that locate Starlink terminals worldwide and track their movements by fusing adtech and mobile data, not by hacking Starlink. When we see images and details like this, the story isn’t just revealing potential locations of Starlink devices, but also where they are being used. The image itself is telling, with many devices seen in Sudan, Yemen, South East Asia and more. Sources: Ben on X | Haaretz | free version (archive.ph)
Reading the damage Iran did, when imagery went dark
After US satellite firms were restricted and imagery was limited over the Gulf, Aric Toler and the NYT verified Iranian strike claims against European providers and confirmed hits on 18 sites across seven countries. When one source goes down, it’s pertinent to think creatively and find workarounds, as opposed to just stopping monitoring. Source: NYT video
The border wall glows at night
Jack Sapoch’s NASA Black Marble timelapse shows fresh nighttime radiance along the Arizona border near the San Rafael Valley and Coronado National Forest, Jan–Mar 2026, lining up with construction staging areas. Nighttime lights catch round-the-clock activity that daytime optical imagery misses, so use a glow as a lead and confirm it against daytime imagery. Sources: Jack Sapoch on X | Darklight Viewer
Every plane overhead, projected onto your ceiling
A resident under SFO’s flight path built skylight, an open-source rig that beams overhead aircraft onto the ceiling in real time from a cheap RTL-SDR picking up ADS-B on 1090 MHz. It’s the same feed as FlightRadar24, so use a sub-£30 SDR to pull your own raw ADS-B when you want to verify rather than trust an aggregator. Sources: International Cyber Digest on X | skylight on GitHub | skylightceiling.com
What your WiFi name gives away
Rainbolt’s “change your wifi name” shows how a distinctive SSID signature can be searched straight back to a specific house. Don’t name a network after yourself, and treat any SSID visible in a photo or screenshot as a geolocation lead. Source: Rainbolt on YouTube
What Strava still leaks
My new OSINT At Home tutorial (part 29) covers three techniques for finding facilities and the people training inside them on Strava, plus five settings to lock your own account down, using published cases like the French carrier and a PM’s security detail. The defensive settings and the offensive techniques are the same knowledge, so I made the tutorial both to investigate and to check what you’re exposing. Source: OSINT At Home #29 on YouTube. I also did a full technical teardown in Episode 7 of OSINT Field Notes along with a resource library.
On using Strava, there’s a lot of inspiration that can be gleaned from just walking through
2. Toolkit
Building Height Calculator: Estimate a building’s height from a satellite image using shadow length, location and date, even when you don’t know the capture time. Really innovative tool made by Fabian Hinz. Link
Unmanned Systems Tracker: Andro Mathewson’s open-source, CSV-exportable database of unmanned-systems use and Russian losses in Ukraine; independent but focussed on Ukraine in the sourcing. Link
Darklight Viewer: My browser viewer for NASA VIIRS nighttime lights via Google Earth Engine, for spotting construction, blackouts and flare activity over time. I covered a bit more on the Darklight Viewer in OSINT Field Notes #6, namely on the export functions to automate discovery of new light patterns. Link
DRISH-X: Detect, count and track truck traffic on any highway from free Sentinel-2 imagery. Link
Also worth a look: War Atlas, an interactive map of 1340 conflicts across 5,000 years. Semantic Splatting, DINOv3 fused with 3D Gaussian Splatting to make queryable 3D scenes from imagery. NGO Shipbreaking Platform, annual lists and flags-of-convenience data for end-of-life vessel research. RUPEP, a PEP database for Russia, Belarus, Kyrgyzstan and Kazakhstan, non-commercial use. 4CAT, the DMI’s social-media capture and analysis toolkit, self-host or university access.
3. Technical Teardown: reading what a channel is really doing with the YouTube Metadata tool
In this technical walkthrough, I’m going to pick apart videos uploaded to YouTube by a channel promoting a deceptive programme that recruits young African women to work for Russia. They’re told they’ll get decent work and be paid. They end up on a production line making Russian military drones.
Alabuga Start markets itself as an international “work-study” programme for women aged 18 to 22, recruiting mostly from Africa and increasingly from Latin America and South-East Asia, with the promise of free flights, Russian language lessons and training in logistics, catering and hospitality. The reality, documented by Associated Press, the Institute for Science and International Security and the BBC, is a recruitment funnel for the Alabuga Special Economic Zone in Tatarstan, where analysts estimate more than 90% of recruits are put to work assembling Shahed-136 drones (the Russian-made Geran-2) that Russia fires at Ukrainian cities.
Recruits describe arriving with no idea they’d be building weapons, signing NDAs, working under surveillance with caustic chemicals, and earning less than promised after deductions. One woman told the BBC her skin was peeling.
It’s a sanctioned (UK, US, EU) war-production site, not a careers programme. The same complex draws on vocational students from Alabuga Polytech as young as 15 to 16, the zone has been hit by Ukrainian strikes including a dormitory housing recruited women, Interpol's bureau in Botswana opened a human-trafficking investigation, and South Africa launched its own probe and warned citizens away.
The recruitment itself runs almost entirely on social media: TikTok, Facebook, Telegram, paid influencers and YouTube. Activist group Pussy Riot shared a Google Sheet, which was an exhaustive list of social media channels and their content that promote and share the Alabuga program. There’s more about what it is in this article from The Insider. While the full list needs to be verified, a majority of the videos I went through appear to either do pieces about it, or have advertising to promote it.
Which brings us to the channel at the centre of this teardown. A channel promoting #AlabugaStart content has set its videos to “yes, made for kids.” That setting isn’t cosmetic; on YouTube it changes how content is treated and surfaced. A channel promoting a hostile-state recruitment pipeline has used it to point content toward children, and the metadata is where that shows up.
The tool we’re using to look under the hood is the mattw.io YouTube Metadata tool, which pulls channel and video metadata that YouTube doesn’t surface by default: tags, publish data, geotags and the “made for kids” flag. While there are other ways to do this using existing scripts, I wanted to choose this tool as a code-friendly, browser-run option.
The channel in focus is MICHELAWANAATEBA, an individual who has uploaded a number of videos using #AlabugaStart to promote the programme. While it is clear this channel doesn’t really have much exposure in terms of subscribers and views, I chose the channel as a case study to show how this technique can be replicated across other channels.
In one video we see an interview with a mother and her daughter about how her daughter joined the programme. The interview is clearly aimed at convincing other young women to sign up.
Step 1: Paste the video URL into the YouTube Metadata tool to load its details.
Step 2: Scroll down the page to the video “Status” data.
One of them is ‘madeForKids’. This video is set to ‘yes’. Further down, the video is also designated as “child-directed.”
Step 3: Let’s see if this is a pattern across the channel using the tool’s bulk analysis feature. At the top of the page, click the option to run a “Bulk” analysis and enter the channel URL.
Step 4: This loads 69 videos for the channel. Select the columns dropdown to view additional metadata fields. I want to find out how many of the videos promoting Alabuga Start are marked as targeting children. We can also filter those results by using the ‘search’ bar on the right.
The pattern is clear: of the 69 videos on the channel, 63 carry the ‘made for kids’ status, and every video mentioning ‘Alabuga’ is among them.
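The same tally can be reproduced offline from a metadata export, which is useful when the check has to be repeated across many channels. The script below is an added example, not the mattw.io tool's code: it assumes the export is shaped like a YouTube Data API v3 videos.list response with the snippet and status parts (the tool's own export format may differ), and every video ID, title and tag in the sample is constructed.

```python
import hashlib
import json

# Constructed sample shaped like a videos.list response (part=snippet,status).
# IDs, titles and tags are invented for illustration only.
EXPORT = json.dumps({"items": [
    {"id": "vid001", "snippet": {"title": "My journey #AlabugaStart", "tags": ["work abroad"]},
     "status": {"madeForKids": True}},
    {"id": "vid002", "snippet": {"title": "Family interview", "tags": ["alabuga start"]},
     "status": {"madeForKids": True}},
    {"id": "vid003", "snippet": {"title": "Cooking vlog", "tags": []},
     "status": {"madeForKids": False}},
    {"id": "vid004", "snippet": {"title": "Song for children"}, "status": {"madeForKids": True}},
    {"id": "vid005", "snippet": {"title": "Old upload, alabuga"}, "status": {}},
]})

def mentions(video, keyword):
    """Case-insensitive match over title, description and tags."""
    s = video.get("snippet", {})
    text = " ".join([s.get("title", ""), s.get("description", ""), *s.get("tags", [])])
    return keyword.lower() in text.lower()

def audit(export_text, keyword):
    """Tally the madeForKids flag overall and among videos mentioning the keyword."""
    rows = []
    for v in json.loads(export_text)["items"]:
        flag = v.get("status", {}).get("madeForKids")  # None = field absent, not "no"
        rows.append({"id": v["id"], "keyword": mentions(v, keyword), "made_for_kids": flag})
    hits = [r for r in rows if r["keyword"]]
    return {
        "total": len(rows),
        "made_for_kids": sum(r["made_for_kids"] is True for r in rows),
        "keyword_hits": len(hits),
        "keyword_hits_flagged": sum(r["made_for_kids"] is True for r in hits),
        # Videos that match the keyword but carry no flag need a manual look.
        "keyword_hits_unknown": [r["id"] for r in hits if r["made_for_kids"] is None],
        # Hash of the exact export, so the tallies can be tied to the archived file.
        "export_sha256": hashlib.sha256(export_text.encode()).hexdigest(),
    }

if __name__ == "__main__":
    print(json.dumps(audit(EXPORT, "alabuga"), indent=2))
```

A missing flag is reported separately rather than counted as "no", so a gap in the export cannot quietly weaken or strengthen the pattern.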
The ‘made for kids’ status is a setting YouTube prompts for on every upload: the uploader decides whether the content was made for kids or not. YouTube’s guidance includes numerous considerations, but the central one is whether children are the primary audience.
There’s a boring explanation available here: plenty of uploaders might mis-set this flag, out of confusion or because it disables comments. But that doesn’t change what the metadata declares. A channel promoting recruitment into a sanctioned weapons-production programme has formally designated that content as directed at children, on a platform whose own guidance says the central question is whether children are the primary audience.
Before reporting, archive. Save the channel page, the video URLs and your metadata exports, because successful reporting will likely remove the evidence along with the content.
Then report the channel. A visual of how to do that is below.
4. Case File: how Bellingcat linked Viory to Ruptly through their infrastructure
Source: Bellingcat, Elise Thomas, 4 June 2026.
What it is, and why it matters
Viory presents itself as the independent “video news agency of the Global South,” registered in Abu Dhabi as Darpo Vision FZ LLC, and it has signed at least 30 agreements across more than 22 countries with national broadcasters, press and government agencies, universities and journalism bodies. It even markets verification training to newsrooms.
Bellingcat transparently assembled evidence showing how Viory’s digital infrastructure is entangled with Ruptly, the video agency controlled by Russia Today (RT), whose owner ANO TV-Novosti has been on the EU sanctions list since December 2022 for pro-Kremlin propaganda and support for the full-scale invasion of Ukraine.
How they did it
Bellingcat looked at the shared technical infrastructure, on the logic that two genuinely unrelated organisations don’t keep sharing private plumbing. The threads were:
SSL certificate reuse: Viory’s domain darpo.vision was using a wildcard SSL certificate registered to ruptly.video, which normally requires the private key for ruptly.video that only Ruptly’s own hosting operators would hold. Networking engineer James Wilson judged a stolen-key scenario theoretically possible but hard to credit, since using the certificate on a domain it didn’t cover should have thrown browser errors.
Shared IP addresses: Several IP addresses (including the Russian address 158.160.132.25) resolved concurrently to both Viory and Ruptly domains between May 2025 and May 2026, and VirusTotal showed some apparently used only by the two.
Cross-domain data and branding: Multiple Ruptly domains sent error and performance data to Viory’s Sentry monitoring project, and one Ruptly Sentry login page redirected to a Viory auth path and carried “Viory” as its title. Each used a distinct Sentry key, which points to deliberate setup rather than careless copy-paste.
Leftover references: A Viory developer test page carried a Ruptly title and description in its source, weak alone but consistent with the rest.
No single item is conclusive, and the report says so. The method is triangulation: stack independent findings until the innocent explanations run out, then have an expert (networking engineer James Wilson) test each alternative.
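The Sentry thread above rests on how a Sentry DSN is built: scheme://PUBLIC_KEY@HOST/PROJECT_ID, where one project can hold several client keys. The sketch below is an added example, not Bellingcat's code: it pulls DSNs out of saved page source, groups sites by the project they report to, and separates "same project, distinct key per site" from "one key pasted everywhere". All domains and keys are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# A Sentry DSN has the form scheme://PUBLIC_KEY@HOST/PROJECT_ID.
DSN_RE = re.compile(r"https?://[0-9a-f]{32}@[A-Za-z0-9.-]+(?:/[\w-]+)*/\d+")

# Constructed page sources: every domain and key below is invented for illustration.
PAGES = {
    "news-a.example": 'Sentry.init({dsn: "https://' + "a1" * 16 + '@sentry.news-b.example/7"})',
    "cdn.news-a.example": 'Sentry.init({dsn: "https://' + "b2" * 16 + '@sentry.news-b.example/7"})',
    "news-b.example": 'Sentry.init({dsn: "https://' + "c3" * 16 + '@sentry.news-b.example/7"})',
    "blog.example": 'Sentry.init({dsn: "https://' + "d4" * 16 + '@sentry.blog.example/2"})',
}

def parse_dsn(dsn):
    """Split a DSN into (ingest host, project id, public key)."""
    parts = urlsplit(dsn)
    return parts.hostname, parts.path.rsplit("/", 1)[-1], parts.username

def shared_projects(pages):
    """Return {(host, project): {site: key}} for projects referenced by two or more sites."""
    projects = defaultdict(dict)
    for site, html in pages.items():
        for dsn in DSN_RE.findall(html):
            host, project, key = parse_dsn(dsn)
            projects[(host, project)][site] = key
    return {p: sites for p, sites in projects.items() if len(sites) > 1}

def classify(sites):
    """A distinct key per site suggests provisioning; a repeated key suggests a copied snippet."""
    return "distinct-keys" if len(set(sites.values())) == len(sites) else "reused-key"

if __name__ == "__main__":
    for (host, project), sites in shared_projects(PAGES).items():
        print(host, project, classify(sites), sorted(sites))
```

As with the other threads, a shared project is one finding to stack with the rest, not proof on its own.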

What were some of the tools referenced in the investigation?
VirusTotal, for historical SSL certificates, IP resolution history and passive DNS.
Archived Whois records (found on Archive.is), which placed darpo.vision’s December 2022 registration through a Russian registrar with a Moscow phone number.
Corporate registries: the Abu Dhabi Creative Media Authority, a Hong Kong company once named Ruptly Limited and later Lotus Production Limited, and a US trademark filing.
Prior reporting it built on: Felix Huesmann at RND, who first flagged an email on Darpo Vision’s filing whose username matched Ruptly’s managing director, and OSINT For Ukraine on staff movement between the two.
5. Closing Note
What ties this edition together is that almost none of it was really hidden. The cartel checkpoint had been sitting on Google Street View for anyone scrolling past, the Alabuga promoter channel declared its audience in its own metadata, and Viory’s tie to a sanctioned Russian outlet was written into its certificates and the telemetry passing between its sites. Some of it took a creative approach. Most of it just took someone curious enough to actually look.
One community note to close on: Samir (@obretix), whose IMINT work many of you know, from pulling landing strips out of Sentinel imagery (see post below) to geolocating strikes and USAF crash sites, has a donation page to support his valuable work. If his analysis has ever saved you time, his Ko-fi is here.
If this edition turned up something you didn’t know was findable, forward it to a colleague who’d put it to work.




















