By Elena Martynova, EU GLOCTER PhD Candidate, Seconded to CEP

Open-source intelligence (OSINT) has become a key component of modern strategic and operational intelligence work. It is defined as the practice of collecting and analyzing information gathered from publicly available sources, such as newspapers, social media, and published government data, in order to produce actionable intelligence. The impact of OSINT has become clear in recent conflict zones such as Ukraine and Gaza, where digital evidence collected by both professionals and volunteers is being used to document war crimes, verify claims, and create transparency in highly politicized and contested spaces. Its power, however, is equally present in countering extremism. Whether for tracking militant propaganda or tracing financial transactions through blockchain analysis, OSINT has become crucial for understanding and countering extremist networks. This is the first of two blog posts on the use of OSINT in counter terrorism, providing an overview on how it can be constructively used and what the current challenges are. 

Stopping Terrorist Propaganda Dissemination and Providing Insights into Terrorist Communications

One of OSINT’s key contributions is facilitating a better understanding and mapping of how terrorists communicate. Extremists post across a range of platforms, from mainstream social media to lesser-moderated forums and encrypted messaging apps. Analysts can examine group descriptions and recruitment messages, capturing videos, manifestos, instructional guides, and calls for attacks. Metadata from images, timestamps, geotags, and message histories allows for the reconstruction of timelines, identification of locations, and understanding of network structures. This intelligence enables content removal and slows extremist narrative dissemination by identifying and potentially punishing perpetrators. As one example of many, a British man posting pro-Hamas and Hizballah content and antisemitic messages on social media was jailed after authorities were alerted to his activity by an anonymous tip.

In response, terrorist organizations adapt rapidly, by either shifting content and recruitment efforts from high-profile platforms to smaller, lightly moderated apps or adjusting their language to avert content moderation and detection systems. Between November 2020 and January 2023, terrorist material was found on 187 distinct online platforms, many outside mainstream oversight. Tech Against Terrorism and similar organizations routinely use OSINT to detect these emerging networks, giving platforms and investigators early notice to remove harmful content or monitor activity for signs of attack planning. By tracking which tools are being used for recruitment and coordination, OSINT informs preventive strategies and takedown efforts, highlighting coordinated action between regulators, platforms, and civil society.

Following the Money

While cash and hawala systems historically complicated financial tracking, public registries, crowdfunding campaigns, and publication of corporate filings now allow analysts to use OSINT techniques to link businesses, shell companies, and donors to terrorist networks. Cryptocurrencies, increasingly used by groups like ISIS-K, can similarly be tracked. In Tajikistan, TRM Labs identified pro-ISIS fundraising campaigns using Tron USDT to collect approximately $2 million in 2022. By tracing the blockchain transactions, analysts notified the exchange, which helped authorities identify and arrest Shamil Hukumatov, a senior ISIS fundraiser in Turkey in 2023. OSINT, combined with pattern recognition and blockchain transparency, enables investigators to detect intermediaries, cross-border facilitation, and transaction flows sometimes before traditional banking reports would.

Mapping Supply Chains and Network Relationships

Another significant contribution of OSINT is mapping supply chains and logistical networks. Analysts frequently extract serial numbers, lot codes, QR codes, and geotags from publicly posted images and videos to trace weapons, vehicles, and dual-use materials. Conflict Armament Research (CAR), for instance, tracked ISIS’s use of modified rockets, connecting components in propaganda videos to warheads captured from Syrian militias supplied by Western actors. Similarly, OSINT analysis of fertilizers, oxidiser and other explosive material caches demonstrate connections to commercial supply chains, which can prompt policy changes in export controls and interdiction practices. 

OSINT also provides a lens into extremist networks, mapping relationships between individuals, cells, and organizations. Analysts can reconstruct organizational hierarchies and coordination between groups or legitimate institutions. In the US, OSINT practices uncovered a neo-Nazi Active Club secretly training at a youth martial arts school. Telegram videos connected the local activity to a broader decentralized network of Active Clubs across the country.

Tracking Indicators of Attack Planning

Perhaps OSINT’s most powerful function is early-warning detection. Extremist actors have left digital traces such as social media posts, questions on forums to aid with operations, or even ideological manifestos, which can all signal mobilization toward violence. Analysts also use metadata verification and geolocation to confirm the authenticity of images and videos. The digital monitoring group GhostSec identified pro-ISIS accounts planning an attack on tourists in Djerba, Tunisia, harvesting IP addresses and private messages to provide geographic leads that enabled local authorities to arrest the plotters. Similarly, a foiled attacker in London inadvertently solicited input for a potential target on Twitter, and authorities were able to intervene before the plot occurred. 

Democratizing Counter-Terrorism Intelligence

Beyond tangible operational benefits, the widespread adoption and emphasis on the value of OSINT fosters civic participation. OSINT practices are widespread across newsrooms, non-government organizations (NGOs), and volunteer investigators who archive and verify digital evidence, support legal inquiries, and prevent data manipulation. Use of OSINT tools and techniques can also allow public discussion of otherwise classified operational insights. For example, CAR reports enable officials to reference documents that highlight ISIS capabilities without revealing sensitive sources and methods. 

Conclusion

Taken together, these cases demonstrate OSINT’s unique capacity to provide actionable insights across the spectrum of terrorist and extremist activity. From monitoring propaganda and early-warning indicators, to tracing financing and supply chains, to mapping networks and supporting accountability, OSINT equips researchers, policymakers, and law enforcement with a robust, adaptable, and increasingly essential toolkit for understanding and countering both domestic and international terrorism. Its effectiveness, however, depends on strong tradecraft, an emphasis on establishing data reliability and validity, and consideration of ethical implications associated with determining what is considered ‘publicly available’. 

Furthermore, recent changes in regulatory interpretation and enforcement regarding online terrorist content have begun to limit some of the impacts of OSINT work. Technology platforms are reducing both content moderation capacity and fact-checking efforts. At the same time, the U.S. Federal Trade Commission has raised “censorship” concerns to companies such as Google and Meta about implementing aspects of the EU Digital Services Act. This negatively impacts cooperation with law enforcement, leads to slower responses, and generally undermines some of the progress made in detection, takedown, and prevention of terrorism-related content. A renewed commitment to OSINT capacity-building and cross-sectoral collaboration is necessary.

The next article in this series will go deeper into the dark side, the risks, manipulations, and abuses that challenge the legitimacy and safety of open-source intelligence in practice. Understanding both sides is essential as OSINT continues to be a critical tool driving counter terrorism. You can access CEP’s regular reporting of extremist and terrorist content online to platforms and government authorities here.