The Dark Side of OSINT: How Extremists Exploit Open-Source Intelligence
By Elena Martynova, EU GLOCTER PhD Candidate, Seconded to CEP
The previous blog post examined how open-source intelligence (OSINT) has transformed modern counter-terrorism. By analyzing data from public sources such as satellite imagery, social media, and government records, researchers, journalists, and security professionals can monitor propaganda and attack indicators, trace financing and supply chains, and map terrorist networks. Yet the very openness that makes OSINT valuable also makes it vulnerable to misuse. Extremist groups and malicious actors have learned to use OSINT for their own purposes. Techniques originally meant to expose violence or disinformation are now being repurposed to enable them. From identifying targets through open data to coordinating harassment campaigns and shaping public narratives, extremist and terrorist actors are turning transparency into a tool of exploitation. This blog entry examines how OSINT is misused by extremist and terrorist actors, focusing on three major patterns: its role in targeting and surveillance, its use in doxxing and online intimidation, and its manipulation in disinformation campaigns.
Targeting and Surveillance
OSINT is described as a “multiplier” for extremist capability, especially for targeting and surveillance. For example, British prosecutors revealed that arsonists who set fire to a warehouse in East London in 2024 (where equipment for Ukraine was stored) had been guided by operatives linked to the Russian Wagner Group via Telegram. The operatives shared satellite imagery, online maps, and open-source data points to help locate the site. In another case, Hamas operatives assembled detailed “kill lists” of Israeli security personnel by scraping information from LinkedIn, Facebook, Google Earth, and leaked databases, creating profiles that combined personal data with geospatial analysis. In the Red Sea, the Houthis have incorporated publicly available maritime data into their targeting processes. While they receive intelligence support from Iran, they also exploit open Automatic Identification System tracking software to monitor shipping lanes and identify potential vessels for attack. For groups that lack formal intelligence structures, freely accessible resources serve as an effective substitute for traditional reconnaissance. In the United States, the Department of Homeland Security has warned that violent extremists are exchanging methods for attacking electric power stations and other forms of critical infrastructure. In 2021, four men were charged with conspiring to damage energy facilities after studying past grid attacks and researching transformer vulnerabilities online. Extremist and terrorist movements across ideologies thus use publicly available information, such as satellite imagery, social media posts, and online databases, to collect intelligence on adversaries and identify potential targets.
Doxxing and E-Stalking
A second, more personal, form of OSINT misuse involves doxxing and e-stalking. These practices entail collecting and publishing personal information about individuals without consent, often as a form of intimidation. Distinguishing between lawful exposure and criminal doxxing depends largely on intent and consequence. Public-interest reporting that identifies perpetrators of hate crimes or extremist violence aims to reduce harm and increase accountability. By contrast, criminal doxxing is the deliberate release of information in a way that could reasonably be expected to cause harm, whether through harassment, stalking, or violence.
In recent years, far-right extremists have repeatedly turned to doxxing as a means of harassing target groups or silencing opposition. One of the most widely reported incidents involved Andrew Anglin, the publisher of the neo-Nazi website The Daily Stormer. Anglin posted the contact details and photographs of a Jewish real estate agent and her family, resulting in antisemitic threats directed at them. Russian-linked operatives have also reportedly systematically doxxed both foreign volunteers in Ukraine and their families abroad. Overall, while OSINT methods can legitimately be used to identify members of extremist organizations or expose human rights abuses, they can also be weaponized to harass journalists, researchers, and ordinary citizens.
Mis/Disinformation
The third major way OSINT is misused involves disinformation. As the term “OSINT” has gained authority, it has increasingly been co-opted by state and non-state actors to lend credibility to misleading or false narratives. The language of “verification” and “analysis” can give the appearance of neutrality, obscuring propagandistic intent.
OSINT-based disinformation can take several forms, including malign actors posing as extremist or terrorist groups to reduce traceability. One case occurred in 2015, when Russian hackers impersonating members of the Islamic State unit threatened the families of U.S. military personnel.
The rise of social media accounts that self-identify as OSINT analysts has further complicated the information environment. Some high-profile accounts, such as OSINT Defender and Open Source Intel, have amassed large followings while frequently posting unverified or speculative claims about conflicts in Gaza and Ukraine. Their posts frequently feature maps, timestamps, and technical language, giving an impression of professionalism even when the information is false or biased. This trend is not limited to conflict zones. In India, politically aligned accounts such as @TheHawkEyeX and @OsintUpdates use the OSINT label to investigate and accuse journalists and civil society groups of being “anti-India.” The term “OSINT” has thus become a rhetorical tool that can be used to validate both accurate and false information.
Although OSINT is often described as democratizing, its effective use requires growing technical expertise. Geolocation, metadata analysis, and satellite image verification are increasingly complex. The majority of social media users lack the training and technical understanding to critically assess whether a piece of “OSINT” content is authentic. This asymmetry creates space for disinformation to thrive under the pretence of transparency.
Policy Recommendations
Awareness of how OSINT is framed, interpreted, and deployed is imperative. Improving OSINT literacy should focus on developing critical awareness. It’s not just about teaching technical skills but about understanding how easily “OSINT” itself can be used as a buzzword to fake authority. Extremist and terrorist actors, as well as propagandists, exploit this by presenting selective or fabricated content as “open-source analysis” to avoid scrutiny. Researchers, journalists, and policymakers should prioritize methodology over branding, viewing the term “OSINT” as a claim that requires evaluation like any other.
At the same time, legislation around doxxing and e-stalking must evolve to reflect how online exposure operates in practice. Several European countries, including the Netherlands, have introduced specific laws, but many jurisdictions still lack clear thresholds for when sharing public data becomes criminal. Clarifying intent-based standards, focused on foreseeable harm rather than data type, would protect individuals from targeted exposure while preserving space for legitimate investigation and accountability.
Finally, legal frameworks such as the EU’s General Data Protection Regulation (GDPR) are designed to balance the right to privacy with the responsible use of public information, yet their application to OSINT remains inconsistent. In practice, enforcement has largely concentrated on the platforms that host content, particularly social media companies, rather than on the tools and intermediaries that extract, aggregate, and analyze it. A growing number of OSINT-branded companies now function as data brokers, selling aggregated open-source information to private sector clients and government entities alike. However, there is limited transparency regarding the due diligence these firms conduct on their customers or the safeguards in place to prevent misuse. Establishing clearer legal and technical boundaries for the use of open-source data would help close these regulatory gaps. Policymakers could require disclosure of aggregation practices, mandate impact assessments for tools capable of large-scale scraping or geospatial mapping, and extend liability to entities that enable data misuse. The problem is not the absence of legal frameworks but their lack of precision and enforceability within the OSINT environment, which leaves accountability gaps that both extremist and state actors can exploit.
Looking ahead, the significance of OSINT will depend less on the amount of information collected and more on the trustworthiness of that information. As open data continues to grow, so do the risks of misuse and distortion. Efforts should focus on enhancing OSINT's resilience through better verification methods, understanding legal boundaries, and adhering to ethical standards in data collection and sharing. Collaboration among governments, researchers, and tech platforms on these principles can make OSINT, as an intelligence collection discipline, more mature while mitigating the main risks posed by its