Find Anyone's Identity, Address & Social Media From Just Their Number

:mobile_phone: How to Track Down Anyone Using Only Their Phone Number โ€” Complete OSINT Guide

:world_map: One-Line Flow: Got a phone number? This guide turns those 10 digits into a name, face, address, social accounts, and embarrassing data breaches โ€” grab your target number and start at Phase 1.


:thinking: What The Hell is Phone Number OSINT?

A phone number isnโ€™t just digits. Itโ€™s a master key.

People use the same number for everything. Banking apps. Social media. Two-factor auth. Job applications. Dating profiles. Every single platform theyโ€™ve ever signed up for.

That means one number connects to:

  • Their real name
  • Their face
  • Where they live
  • Where they work
  • Who they know
  • What accounts they have
  • What data breaches theyโ€™re in

This guide walks you through every method to extract that info. From basic Google tricks to tools that would make a private investigator jealous.


:warning: Before You Start: Donโ€™t Be a Creep

Real talk โ€” this knowledge is powerful. Use it for:

  • Verifying sketchy callers
  • Investigating scams and fraud
  • Journalism and research
  • Checking your own digital footprint
  • Security work with proper authorization

Donโ€™t use it for:

  • Stalking your ex
  • Harassing anyone
  • Doxxing people
  • Any illegal bullshit

Laws exist. GDPR, CCPA, computer fraud acts. Violate them and youโ€™re the one getting investigated.

Now letโ€™s get into it.


:magnifying_glass_tilted_left: Phase 1: Basic Recon โ€” Figure Out What Youโ€™re Working With

Before you go deep, get the basics.

:satellite_antenna: Carrier and Line Type

First question: is this a real cell phone, a landline, or some VoIP burner?

This matters because VoIP numbers (Google Voice, TextNow) are harder to trace. Real mobile numbers link to carrier databases with actual identity verification.

Free tools:

What youโ€™ll learn: carrier name (Verizon, Vodafone, Jio, whatever), whether itโ€™s mobile/landline/VoIP, and sometimes the original registration state or region.

:globe_showing_europe_africa: Format That Number Right

International format matters. Tools choke on weird formatting.

Always convert to: +[Country Code][Number]

Examples:

  • US: +14155552671
  • UK: +447911123456
  • India: +919876543210

Get this wrong and half your tools return nothing.


:bullseye: Phase 2: Google-Fu โ€” Search Engines Are Your First Weapon

Google indexes more than you think. People paste their numbers everywhere โ€” invoices, forum posts, business listings, leaked documents.

:magnifying_glass_tilted_right: The Exact Match Trick

Put the number in quotes. This forces Google to find that exact sequence:

"555-123-4567"

Try every format variation:

"5551234567"
"(555) 123-4567"
"+15551234567"
"555.123.4567"

People format numbers inconsistently. Search all versions.

:puzzle_piece: Combine With Context

Add keywords to narrow results:

"555-123-4567" "invoice"
"555-123-4567" "contact"
"555-123-4567" "resume"
"555-123-4567" linkedin
"555-123-4567" facebook

:prohibited: Filter Out The Garbage

People search sites like Whitepages dominate results with useless previews. Exclude them:

"555-123-4567" -site:whitepages.com -site:spokeo.com -site:truepeoplesearch.com

Now you get the unique mentions โ€” forum posts, business directories, leaked pastebins.

:duck: DuckDuckGo As Backup

Google personalizes results. DuckDuckGo doesnโ€™t. Run the same searches there โ€” youโ€™ll often find different results.


:open_file_folder: Phase 3: People Search Engines โ€” The Aggregators

These sites scrape public records, social media, and data broker databases. Theyโ€™re hit or miss, but worth checking.

The main players:

How to use them:

Enter the phone number. Note any names or addresses that come up. Donโ€™t trust any single result โ€” these databases mix current data with decade-old records.

Treat everything as a lead, not a fact. Cross-reference before you believe anything.

The catch: Most good data is paywalled now. Free tiers show just enough to confirm a hit exists, then demand $20-40 for actual details.


:mobile_phone_with_arrow: Phase 4: Social Media โ€” Where People Actually Live Online

Social platforms are goldmines because people voluntarily connect their real identities to phone numbers.

:blue_circle: Facebook โ€” The Forgotten Password Trick

This is one of the most reliable techniques and itโ€™s been working for years.

How it works:

  1. Go to facebook.com/login
  2. Click โ€œForgotten password?โ€
  3. Enter the phone number (international format)
  4. Watch what happens

Possible outcomes:

  • โ€œNo account foundโ€ โ€” number isnโ€™t linked to Facebook
  • Partial profile reveal โ€” Facebook shows a blurred photo and masked name like โ€œJo** Sm**hโ€

That partial info is huge. You now know:

  • An account exists
  • First name starts with those letters
  • What they roughly look like (even blurred photos reveal gender, age range, glasses, etc.)

Pro tip: Right-click the blurred image, inspect element, and check the src attribute. Sometimes the actual image URL is less obscured than whatโ€™s displayed.

Donโ€™t actually reset the password. Thatโ€™s illegal. Youโ€™re just using the lookup to confirm association.

:busts_in_silhouette: Facebook Contact Upload Method

Alternative approach:

  1. Create a throwaway Facebook account (use a burner email)
  2. Add the target number to your phone contacts with a fake name
  3. Let Facebook sync your contacts
  4. Check โ€œPeople You May Knowโ€ suggestions

Facebookโ€™s algorithm connects phone contacts to accounts. If the number is linked, their profile appears in suggestions.

:camera_with_flash: Instagram and TikTok

Both platforms have phone-based friend finding:

  1. Add target number to your phone contacts
  2. Open the appโ€™s โ€œFind Friendsโ€ or โ€œSync Contactsโ€ feature
  3. See if their profile appears

This works because these apps encourage connecting phone contacts to find friends. Most people leave this enabled.

:briefcase: LinkedIn

LinkedInโ€™s phone search is garbage through the interface, but Google works:

site:linkedin.com "555-123-4567"

People sometimes list phone numbers in their contact info sections. Recruiters and salespeople especially.

:bird: Twitter/X

Phone search is disabled in the UI, but the data exists in their backend. Try:

site:twitter.com "555-123-4567"

Also useful: if you find a username through other methods, check if theyโ€™ve ever tweeted their number.


:telephone_receiver: Phase 5: Truecaller โ€” The Crowdsourced Monster

Truecaller is the most comprehensive phone directory that shouldnโ€™t exist.

:gear: How It Actually Works

When you install Truecaller, it uploads your entire contact list to their servers. Every name youโ€™ve saved for every number.

Multiply that by 400+ million users.

The result: a database where your number is tagged with whatever name your contacts saved you as. Your mom saved you as โ€œSweetieโ€? That might be in there. Your dealer saved you as โ€œTuesday Guyโ€? Possibly in there too.

:microscope: Using It For OSINT

Web version: Go to truecaller.com/search, enter the number.

What you get:

  • Name (as crowdsourced from contacts)
  • Location (city-level)
  • Spam report count
  • Sometimes a profile photo
  • Sometimes alternative numbers

Accuracy reality check: The name might be a nickname, might be outdated, might be wrong. Someoneโ€™s bitter ex might have saved them as โ€œCheating Assholeโ€ and thatโ€™s what shows up.

Always verify Truecaller results through other sources.

:robot: Truecaller For Automation

TruecallerJS lets you query Truecaller programmatically. Youโ€™ll need to authenticate with a real account, but then you can script bulk lookups.


:link: Phase 6: Epieos โ€” The Account Linker

Epieos is clever as hell.

It doesnโ€™t hack anything. It just queries public APIs and services โ€” like password reset flows and contact lookup features โ€” to see what accounts are linked to a phone number.

:bar_chart: What It Reveals

Enter a phone number and Epieos might show:

  • Linked Google account: Profile name, photo, sometimes last activity
  • Linked Facebook account: Profile ID and name
  • Other services: Depending on what their APIs leak

This works because platforms like Google and Facebook have features that check โ€œdoes this phone number have an account?โ€ โ€” Epieos just asks that question systematically.

:white_check_mark: Why This Is High-Confidence Data

Unlike people search sites that aggregate old data, Epieos queries live platform APIs. If it says a Google account exists for that number, a Google account exists for that number.

The platforms themselves are confirming the link.


:ninja: Phase 7: The Silent Account Checkers

These tools check if phone numbers are registered on platforms without alerting the target. No notifications, no โ€œsomeone tried to log into your accountโ€ emails.

:ghost: Ignorant โ€” The Stealthy One

Ignorant is the most underrated phone OSINT tool.

It silently checks Snapchat, Instagram, and Amazon through password reset endpoint exploitation. The target never knows you looked.

pip install ignorant
ignorant +15551234567

Itโ€™ll tell you which platforms have accounts linked to that number. No alerts sent. Clean reconnaissance.

:france: Phunter โ€” Multi-Source French Connection

Phunter combines multiple lookups including French โ€œPages Blanchesโ€ directory access and Amazon verification with automated CAPTCHA solving.

Good for European numbers especially.

:counterclockwise_arrows_button: Email2PhoneNumber โ€” The Reverse Technique

Email2PhoneNumber works backwards. If you have someoneโ€™s email, it harvests partially-masked phone digits from password reset pages across multiple sites.

Hereโ€™s the clever part: it then uses NANPA (North American Numbering Plan Administration) data to eliminate impossible number combinations and brute-forces the remainder.

Martin Vigo showed at DEF CON that combining eBay and LastPass password resets alone can leak 7 of 10 digits. The remaining combinations are small enough to test.


:hammer_and_wrench: Phase 8: PhoneInfoga โ€” The Open Source Standard

PhoneInfoga is the most comprehensive open-source phone OSINT tool.

:clipboard: What It Does

  • Validates number format and identifies country/carrier
  • Generates Google dorks automatically
  • Checks multiple data sources
  • Provides a web interface for easy use
  • Offers a REST API for automation

:laptop: Installation

# Using Go
go install github.com/sundowndev/phoneinfoga/v2@latest

# Or grab the binary from releases
# Or use Docker
docker pull sundowndev/phoneinfoga

:play_button: Usage

# Basic scan
phoneinfoga scan -n +15551234567

# Start web interface
phoneinfoga serve

# Then open http://localhost:5000

:construction: The Google Ban Problem

PhoneInfoga hammers Google with searches. Google will eventually block you.

The fix: When you get blocked, complete a CAPTCHA manually in your browser. PhoneInfoga can capture the GOOGLE_ABUSE_EXEMPTION cookie and use it to bypass blocks temporarily.


:airplane: Phase 9: Telegram โ€” OSINT Paradise

Telegram is uniquely valuable for phone OSINT because:

  1. Accounts are tied to phone numbers
  2. Privacy settings are often left default
  3. A massive ecosystem of OSINT bots exists
  4. User activity and group memberships are often visible

:microscope: Bellingcatโ€™s Phone Number Checker

telegram-phone-number-checker is the professional standard.

It checks if phone numbers have Telegram accounts and returns:

  • Username (if set)
  • Profile photo
  • Last online status
  • Display name

This is the tool journalists and investigators actually use.

:russia: Russian OSINT Bots

The Russian-speaking OSINT community has built Telegram bots that query parsed breach databases. These return data you wonโ€™t find anywhere else.

Key bots:

  • @Smart_SearchBot โ€” full names, addresses, emails, social networks from phone numbers
  • @Quick_OSINT_bot โ€” similar comprehensive lookups
  • @HimeraSearch โ€” covers phones, emails, vehicle registration
  • @GetPhone_bot โ€” direct leaked database searches
  • @karma_cybersec_bot โ€” Ukrainian bot for Telegram ID and phone correlation

Warning: These bots query breach data. Using them may violate laws in your jurisdiction. The data they return was likely obtained illegally at some point. Understand the legal implications.

:magnifying_glass_tilted_left: Manual Telegram Reconnaissance

Even without bots:

  1. Add the number to your phone contacts
  2. Open Telegram and sync contacts
  3. Check if they appear in your contact list
  4. View their profile for photo, bio, username, last seen

If their privacy allows, you can see their profile photo history by clicking through different photos theyโ€™ve used.


:speech_balloon: Phase 10: WhatsApp โ€” 2.4 Billion Users Canโ€™t Hide

WhatsApp is the worldโ€™s largest messaging platform. Everyoneโ€™s on it. Everyoneโ€™s number is their account.

:mobile_phone: The Contact Save Method

  1. Save the target number to your phone contacts
  2. Open WhatsApp
  3. Go to Contacts, let it sync (or force refresh in settings)
  4. Find the contact

What you can see (depending on their privacy settings):

Setting Everyone My Contacts Nobody
Profile Photo :white_check_mark: :white_check_mark: (if they have you) :cross_mark:
Last Seen :white_check_mark: :white_check_mark: (if they have you) :cross_mark:
About/Status :white_check_mark: :white_check_mark: (if they have you) :cross_mark:

Most people leave defaults, which means โ€œEveryoneโ€ for most settings.

:framed_picture: Profile Photo Intelligence

That profile photo is gold. Save it and:

  • Reverse image search with Yandex Images (better for faces than Google)
  • Check backgrounds for location clues โ€” landmarks, workplaces, car models
  • Note metadata if lucky (rare on WhatsApp but worth checking with exiftool)

:door: The Group Addition Bypass

Hereโ€™s a trick that sometimes bypasses privacy settings:

  1. Create a new WhatsApp group
  2. Add yourself and the target number
  3. Before sending any messages, observe their profile info
  4. Exit the group immediately

During group creation, WhatsApp sometimes shows profile information that would normally be hidden from non-contacts.

This is inconsistent โ€” WhatsApp patches it periodically โ€” but worth trying.

:memo: Status Analysis

Profile name patterns tell stories:

Pattern Likely Meaning
โ€œJohn Smithโ€ Real name โ€” high value
โ€œJS Plumbingโ€ Business owner
โ€œ~J-S~โ€ Personal nickname
:nigeria: Lagos Location flex
โ€œAvailable 24/7โ€ Business or hustle

The โ€œAboutโ€ section often contains LinkedIn handles, Instagram usernames, business info, or philosophical quotes that help build a profile.

:alarm_clock: Last Seen Patterns

If visible, last seen reveals lifestyle patterns:

  • Consistently online at 2am? Night owl or different timezone
  • Active during business hours only? Probably a work phone
  • Last seen a week ago? Inactive account or dead phone
  • Never shows last seen? Privacy conscious (notable in itself)

:money_bag: Phase 11: African FinTech Apps โ€” The Identity Goldmine

OPay, PalmPay, and similar apps dominate African mobile finance. Theyโ€™re OSINT goldmines because financial regulations require real identity verification.

:money_with_wings: The โ€œSend Moneyโ€ Reconnaissance Method

These apps verify recipients before transfers complete. You can exploit this:

OPay Method:

  1. Install OPay (use a burner device if paranoid)
  2. Go to Transfer โ†’ To OPay User
  3. Enter the target phone number
  4. Before confirming payment, observe what appears

What you might see:

  • Full registered name (KYC verified)
  • Username if they set one
  • Verification badge
  • Sometimes profile photo
  • Sometimes location

Cancel before sending anything. You just wanted the lookup.

PalmPay Method:

Same flow. Send Money โ†’ Enter number โ†’ Note the recipient name that appears for confirmation.

:antenna_bars: Airtime Purchase Verification

Another technique using the same principle:

  1. Go to โ€œBuy Airtimeโ€ in any financial app
  2. Enter the target phone number
  3. The app shows โ€œConfirm: Send to [FULL NAME]?โ€
  4. Cancel the transaction

Youโ€™ve just confirmed their registered name with their carrier. MTN, Airtel, Glo โ€” they all do KYC. That name is government-ID verified.

:globe_showing_europe_africa: Regional App Coverage

This technique works across multiple apps:

Africa:

  • MTN Mobile Money (35+ countries, 95-100% accuracy)
  • Airtel Thanks/Money (Africa, Asia)
  • M-Pesa (Kenya, Tanzania, etc.)
  • OPay, PalmPay (Nigeria)

India:

  • Paytm, PhonePe, Google Pay โ€” UPI IDs often ARE the phone number (phonenumber@paytm)
  • Start a UPI transfer, see the registered name

Brazil:

  • PIX system โ€” keys can be phone numbers
  • Mercado Pago, PicPay show recipient names

Southeast Asia:

  • GrabPay, GCash (Philippines), Maya, Touch 'n Go (Malaysia)

:bullseye: Why This Works

Financial regulations (KYC/AML) require these apps to verify identity. When you โ€œsend moneyโ€ to a number, the app confirms youโ€™re sending to the right person by showing their verified name.

Youโ€™re not hacking anything. Youโ€™re using a consumer protection feature for reconnaissance.


:satellite_antenna: Phase 12: HLR Lookups โ€” Telecom Infrastructure Intelligence

HLR (Home Location Register) lookups query carrier infrastructure directly. This is how telecom companies validate numbers internally.

:gear: What HLR Actually Does

When you run an HLR lookup, the system sends an SRIforSM (Send Routing Info for Short Message) query through SS7 infrastructure to the carrierโ€™s database.

The response contains:

Data Point What It Means
Valid/Invalid Does this number actually exist?
Active/Inactive Is it currently in service?
Carrier Which network owns the number
Roaming Status Are they traveling internationally?
Connected Network If roaming, which foreign carrier?
Porting Status Has number been transferred to different carrier?
IMSI (sometimes) International Mobile Subscriber Identity

:bullseye: OSINT Value

The roaming detection is powerful. If someone claims theyโ€™re in New York but their HLR shows theyโ€™re roaming on a carrier in Dubai, thatโ€™s valuable intelligence.

:wrench: HLR Services

Deep-HLR combines HLR data with reputation scores, social media correlation, and portability status in one tool.


:identification_card: Phase 13: CNAM โ€” Caller ID Names

CNAM (Caller ID Name) is the system that makes your phone display โ€œJOHN SMITHโ€ when someone calls instead of just a number.

:shushing_face: The Dirty Secret

Thereโ€™s no central CNAM database. About 12+ independent databases exist, and each carrier only updates one of them.

This means:

  • The same number returns different names depending on where you query
  • Updates are inconsistent (some carriers refresh monthly, others weekly)
  • About 50% of lookups return actual names, the rest show โ€œWireless Callerโ€

:white_check_mark: Why Itโ€™s Still Useful

When CNAM returns a real name, itโ€™s often the actual registered account holder name โ€” not a crowdsourced nickname like Truecaller.

Free CNAM tools:

  • Quality Voice Dataโ€™s Caller ID Testing Tool
  • Various VoIP providers offer CNAM dips in their APIs

:counterclockwise_arrows_button: Technical Flow

When a call comes in:

  1. Originating carrier sends only the phone number
  2. Terminating carrier queries their LIDB (Line Information Database)
  3. LIDB returns a 15-character max name string
  4. Your phone displays it

The 15-character limit is why names often appear truncated.


:skull: Phase 14: Data Breaches โ€” The Dark Goldmine

Every major breach contains phone numbers. Check if your targetโ€™s number appears in leaked datasets.

:magnifying_glass_tilted_left: Breach Search Tools

Have I Been Pwned โ€” haveibeenpwned.com

  • Primarily email-based but some breaches include phone data
  • Free, legitimate, widely trusted

Intelligence X โ€” intelx.io

  • Searches across pastes, breaches, darknet sources
  • Phone number search available
  • Freemium with limited free searches

DeHashed โ€” dehashed.com

  • Full breach database search by phone number
  • Paid service, but comprehensive

Snusbase โ€” snusbase.com

  • 16+ billion records
  • Direct phone number search
  • Paid subscription

LeakCheck โ€” leakcheck.io

  • 7+ billion records
  • Freemium model

:package: What Breaches Reveal

When a phone number appears in breaches, you often get:

  • Associated email addresses
  • Passwords (that people reuse everywhere)
  • Physical addresses
  • Full names
  • Account usernames
  • Whatever else that service collected

One phone number in one breach can give you the key to finding all their other accounts.

:clipboard: Pastebin and Paste Sites

Hackers dump data on paste sites. Search them:

  • Pastebin โ€” search directly
  • psbdmp.ws โ€” Pastebin dump search engine
  • grep.app โ€” searches GitHub and paste sites

Search formats:

"5551234567"
"+15551234567"

:recycling_symbol: Phase 15: Number Recycling โ€” The Haunted Numbers

Phone numbers get reassigned. When someone gives up a number, after 45 days (in the US) carriers can give it to someone new.

:warning: Why This Matters For OSINT

You might be investigating a number that now belongs to someone completely different.

A Princeton study found:

  • 66% of sampled available numbers were still linked to accounts on Amazon, Facebook, PayPal, etc.
  • 100 numbers had associated email addresses in breach databases
  • Within one week, 19 of 200 test numbers received sensitive communications meant for previous owners

:magnifying_glass_tilted_right: Detecting Recycled Numbers

Conflicting information is the red flag. If Truecaller says โ€œJohnโ€ but Facebook says โ€œMariaโ€ and breach data shows โ€œAlexโ€ โ€” that number has likely been recycled through multiple owners.

Check porting history through HLR services that show porting dates. A number thatโ€™s been ported multiple times has had multiple owners.

Services detecting recycling:

  • Telesign โ€” detects reassignment through carrier data
  • TMT ID โ€” number deactivation and recycling APIs
  • GSMA is developing a standardized Number Recycling API

:russia: Phase 16: VK and Russian Platforms

If your target has any connection to Russia or former Soviet states, VKontakte (VK) is essential.

:mobile_phone: VK Phone Lookup

The password recovery page reveals partial information:

  1. Go to connect.vk.com/restore/
  2. Enter the phone number
  3. See partial email/phone associated with account

Additional VK tools:

:robot: Russian Data Bots Revisited

The Telegram bots mentioned earlier are particularly effective for Russian/CIS numbers because:

  1. Russian data protection enforcement isโ€ฆ different
  2. Massive historical breach data exists
  3. The OSINT community there has been building these tools for years

:antenna_bars: Phase 17: SS7 โ€” The Protocol That Exposes Everyone

SS7 (Signaling System 7) is the protocol that makes phone networks work globally. It was designed in the 1970s-80s when โ€œany network participant was implicitly trusted.โ€

:unlocked: The Problem

Thereโ€™s no authentication. If you can send SS7 messages, carriers trust them. This allows:

  • Location tracking with just a phone number
  • SMS interception
  • Call interception
  • Voicemail access

:globe_with_meridians: Whatโ€™s Actually Accessible

You personally canโ€™t send SS7 messages (probably). But:

  • Some countries sell SS7 access via โ€œGlobal Title leasingโ€
  • Government agencies use it routinely
  • Commercial surveillance vendors offer it as a service
  • Criminal organizations have access

SRLabs research found location tracking succeeds approximately 70% globally with just a phone number.

:shield: 2024-2025 Bypass Attacks

Carriers deployed SS7 firewalls after earlier disclosures. Researchers then found that manipulating the TCAP layer with โ€œextended tag encodingโ€ bypasses these firewalls.

Itโ€™s an arms race.

:light_bulb: OSINT Implications

You wonโ€™t be doing SS7 attacks unless youโ€™re a nation-state or working for one. But knowing this exists helps you understand:

  • Why phone-based 2FA is considered weak
  • Why high-value targets use Signal/secure messengers
  • What capabilities exist for well-resourced adversaries

:bell: Phase 18: Ring Patterns and Voicemail Reconnaissance

Low-tech but revealing.

:telephone_receiver: Call Analysis

Pattern What It Means
1 ring โ†’ busy Likely blocked or manually rejected
Multiple rings โ†’ voicemail Normal behavior
Multiple rings โ†’ busy Conference call or forwarded to busy line
Fast busy (reorder tone) Network issues or terminated service
Endless ringing Voicemail disabled, phone off, or abandoned number

T-Mobile lets users set call rejection to return busy signals instead of voicemail โ€” intentional obfuscation.

:studio_microphone: Voicemail Intelligence

SpyDialer retrieves voicemail greetings. The greeting often reveals:

  • The personโ€™s voice (confirms identity)
  • Their name (if they recorded a personal greeting)
  • Their workplace (professional greetings)
  • Their personality and communication style

Warning: SpyDialer causes a brief ring on the targetโ€™s phone. Not invisible.

:satellite_antenna: Carrier Fingerprinting

Default voicemail prompts vary by carrier:

โ€œThe person you are calling is not available. Please leave a message after the tone.โ€

vs.

โ€œHi, youโ€™ve reached the Verizon voicemail ofโ€ฆโ€

The specific wording can confirm carrier even when other methods fail.


:framed_picture: Phase 19: Reverse Image Search From Profile Photos

Found a photo through any of these methods? Now trace it further.

:wrench: Best Tools

Yandex Images โ€” yandex.com/images/

  • Far superior to Google for faces
  • Russian platform = less privacy filtering
  • Upload the image or paste URL

Google Images โ€” images.google.com

  • Good for finding the same image on different sites
  • Weaker for face matching

TinEye โ€” tineye.com

  • Finds exact and modified matches
  • Shows oldest instance (helps find original source)

PimEyes โ€” pimeyes.com

  • Facial recognition search engine
  • Controversial but effective
  • Paid service

:bullseye: What Youโ€™re Looking For

  • Same photo on other platforms โ€” Instagram pic also on LinkedIn means same person
  • Photo background clues โ€” office logos, street signs, landmarks
  • EXIF data โ€” GPS coordinates, camera info, timestamps (usually stripped but worth checking)
  • Oldest instance โ€” where did this photo originate?

:bust_in_silhouette: Phase 20: Username Correlation

Found a username through any method? Trace it everywhere.

:brain: The Logic

People reuse usernames. john_smith_87 on Instagram is probably john_smith_87 on Twitter, GitHub, and that sketchy forum they forgot about.

:wrench: Tools

Sherlock โ€” github.com/sherlock-project/sherlock

sherlock john_smith_87

Checks 400+ sites for that username.

WhatsMyName โ€” whatsmyname.app

  • Web-based username search
  • Good for quick checks

Namechk โ€” namechk.com

  • Username availability checker
  • Shows which platforms have that username taken

Social Searcher โ€” social-searcher.com

  • Searches social media content by keyword
  • Can find posts mentioning specific usernames

:classical_building: Phase 21: Government and Regulatory Databases

Public records often include phone numbers.

:united_kingdom: UK

Ofcom Numbering Data โ€” ofcom.org.uk/numbering-data

  • Weekly updated, 54MB download
  • Complete telephone number allocations
  • Shows carrier assignments for every UK number range

:canada: Canada

Canadian Numbering Administrator โ€” cnac.ca

  • CO code status lookups
  • Area code complex maps
  • Shows carrier assignments for Canadian numbers

:united_states: US

NANPA (North American Numbering Plan) โ€” nationalnanpa.com

  • Number allocation data
  • Area code assignments
  • Porting administration records

:balance_scale: Court Records

CourtListener RECAP Archive โ€” courtlistener.com/recap/

  • Millions of federal court documents
  • Searchable by text content
  • Phone numbers appear in filings, exhibits, contracts

This is huge. PACER only searches by party name. RECAP lets you search actual document text โ€” including phone numbers mentioned in evidence.


:high_voltage: Phase 22: Automation and Pipelines

For serious OSINT work, automate everything.

:crystal_ball: Maltego Transforms

Maltego is the professional OSINT visualization platform. Phone number transforms:

  • PhoneSearch Transforms โ€” returns names, social profiles, related persons (law enforcement grade)
  • LoginsoftOSINT Transforms โ€” detects disposable numbers, finds registered apps
  • IPQualityScore Transforms โ€” fraud scoring and phone validation

:counterclockwise_arrows_button: n8n Workflows

n8n-nodes-osint-industries integrates phone enrichment into workflow automation.

Build pipelines that:

  1. Take a phone number input
  2. Query multiple sources automatically
  3. Aggregate results
  4. Generate reports

:desktop_computer: PhoneInfoga REST API

phoneinfoga serve
# API available at http://localhost:5000
# POST to /api/v2/numbers

Script it into your existing tools.

:snake: Python Libraries

  • phonenumbers โ€” Googleโ€™s library for parsing, formatting, validating
  • truecallerpy/truecallerjs โ€” Truecaller API access
  • ignorant โ€” silent account checking

:puzzle_piece: Phase 23: Building The Complete Profile

Youโ€™ve gathered fragments from a dozen sources. Now synthesize them.

:bar_chart: The Confidence Framework

Rate each piece of information:

Confidence Criteria Example
High Multiple independent sources agree Name from Truecaller matches Facebook partial matches LinkedIn
Medium Single reliable source or partial corroboration Name from Epieos alone, or Truecaller + breach data match
Low Single unreliable source, no corroboration Name from one people-search site only

:file_folder: The Final Dossier

For each investigation, document:

Confirmed:

  • Full name (confidence level)
  • Location (city/state)
  • Verified accounts (with profile URLs)

Likely:

  • Workplace
  • Associated emails
  • Social connections

Possible:

  • Additional names (aliases, maiden names)
  • Previous addresses
  • Family members

Contradictory Data:

  • Conflicting names from different sources
  • Evidence of number recycling
  • Possible confusion with similar numbers

:memo: Source Documentation

Always note:

  • What tool/method found each piece
  • When you found it
  • The exact data returned

This matters for verifying your work and understanding reliability later.


:toolbox: Complete Tool Reference

:laptop: GitHub Tools

Tool URL Purpose
PhoneInfoga github.com/sundowndev/phoneinfoga All-in-one phone OSINT
Ignorant github.com/megadose/ignorant Silent account checking
Phunter github.com/N0rz3/Phunter Multi-source + European directories
email2phonenumber github.com/martinvigo/email2phonenumber Reverse phone from email
Deep-HLR github.com/e-m3din4/deep-hlr HLR + social correlation
telegram-phone-number-checker github.com/bellingcat/telegram-phone-number-checker Telegram account lookup
TruecallerJS github.com/sumithemmadi/truecallerjs Truecaller API
PhoneIntel github.com/phoneintel/phoneintel Batch processing
NumSpy github.com/spyboy-productions/numspy Indian number OSINT
Sherlock github.com/sherlock-project/sherlock Username search
HLR-Lookups github.com/SigPloiter/HLR-Lookups DIY HLR queries

:globe_with_meridians: Web Services

Service URL What It Does
Epieos epieos.com Account linking via APIs
Truecaller truecaller.com/search Crowdsourced caller ID
Intelligence X intelx.io Breach/paste/darknet search
HLR Lookup hlrlookup.com Carrier infrastructure queries
FreeCarrierLookup freecarrierlookup.com Basic carrier ID
Yandex Images yandex.com/images/ Reverse image search
WhatsMyName whatsmyname.app Username search

:robot: Telegram Bots

Bot Purpose
@Smart_SearchBot Full profile from phone
@Quick_OSINT_bot Comprehensive lookups
@HimeraSearch Phones, emails, vehicles
@GetPhone_bot Breach database search

:world_map: The Methodology Flowchart

๐Ÿ“ฑ Phone Number Input
       โ†“
๐ŸŒ Format to International (+1...)
       โ†“
โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”
โ”‚  ๐Ÿ” Basic   โ”‚
โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”˜
       โ†“
๐Ÿ“ก Carrier ID (FreeCarrierLookup)
       โ†“
๐ŸŽฏ Google Dorks (all format variations)
       โ†“
โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”
โ”‚ โšก Quick    โ”‚
โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”˜
       โ†“
๐Ÿ“ž Truecaller โ†’ Name lead
๐Ÿ”— Epieos โ†’ Linked accounts
๐Ÿ› ๏ธ PhoneInfoga โ†’ Comprehensive scan
       โ†“
โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”
โ”‚ ๐Ÿ“ฒ Social   โ”‚
โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”˜
       โ†“
๐Ÿ”ต Facebook password reset โ†’ Partial profile
๐Ÿ’ฌ WhatsApp contact add โ†’ Photo, status, last seen
โœˆ๏ธ Telegram checker โ†’ Username, profile
๐Ÿ‘ป Instagram/Snapchat (Ignorant) โ†’ Account exists?
       โ†“
โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”
โ”‚ ๐Ÿ”ฌ Deep     โ”‚
โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”˜
       โ†“
๐Ÿ’€ Breach databases โ†’ Emails, passwords, addresses
๐Ÿ“ก HLR lookup โ†’ Carrier, roaming, porting
๐Ÿ’ฐ Financial apps โ†’ KYC-verified names
       โ†“
โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”
โ”‚ ๐Ÿ”„ Correlateโ”‚
โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”˜
       โ†“
๐Ÿ–ผ๏ธ Reverse image search on found photos
๐Ÿ‘ค Username search (Sherlock)
๐Ÿงฉ Cross-reference all data points
       โ†“
โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”
โ”‚ ๐Ÿ“ Report   โ”‚
โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”˜
       โ†“
โœ… Confidence-rated profile with source documentation

:shield: Protecting Yourself

Run every technique in this guide against your own phone number. Seriously.

:magnifying_glass_tilted_left: Audit Yourself

  1. Search your number on every tool mentioned
  2. Check breach databases for your number
  3. See what Truecaller shows
  4. Try the Facebook password reset on yourself
  5. Check WhatsApp privacy settings

:locked: Reduce Your Exposure

Use separate numbers:

  • Primary number for trusted contacts only
  • Secondary number for signups and services
  • Burner numbers for anything sketchy

Privacy settings:

  • WhatsApp: Set photo, last seen, about to โ€œMy Contactsโ€
  • Telegram: Same approach
  • Facebook: Remove phone from searchable info

Financial apps:

  • Use different numbers if possible
  • Disable social features
  • Review what info appears when others send you money

Consider:

  • Google Voice for a free secondary US number
  • Prepaid SIMs for compartmentalization
  • MySudo or similar for multiple identities

:bullseye: Final Thoughts

A phone number is an identity anchor. Every service connects to it. Every login texts it. Every contact list uploads it.

The tools and techniques here arenโ€™t secret โ€” theyโ€™re just not obvious. Anyone willing to spend an hour can find more than most people realize is public.

Use this knowledge to protect yourself. Use it for legitimate investigations. Donโ€™t be the reason someone needs protection from people like you.

Now go audit your own digital footprint before someone else does.

6 Likes