by Mark Rasch
Unmasking the Online Persona: A Guide to Username Investigation
Introduction
Self-chosen usernames may often serve as an additional identity or point of attribution for someone’s online activity. A chosen username serves as an extension of the physical human beyond the keyboard, almost a second identity. While anonymity online is possible, many individuals, for various reasons, choose to associate themselves to a consistent alias. This secondary identity provides an extremely useful vector for attribution, as, in an effort to maintain their connections online, people are likely to reuse their username across their internet footprint. The need for recognition is an operational security failure, bad for the target, but good for the investigator.
This blogpost serves to show other professional investigators the parts of a username, some special username subtypes, how to investigate them, and ways to improve personal operational security.
Initial Actions
When creating an account on a website, the initial step involves selecting a username. This decision is often a reflection of one's self-expression. Do you opt for something entirely new and anonymous, or do you prefer a name that resonates with friends and followers? As van der Nagel suggests, the choice of a username sets the tone for communication and content flow on the platform. Each website offers a glimpse into the user's personality, with the username serving as the first impression of that persona.
A username serves as a digital representation of one's persona, embodying a unique set of characteristics chosen to be showcased in a specific online domain. Ranging from whimsical and anonymous to deeply personal and meaningful, it functions much like a fashion statement, akin to the graphic tees of the internet. Through usernames, individuals can express their preferences, allude to subcultures, or even commemorate significant dates or moments. Crafting this digital persona sets the tone for how a user engages with online communities and shapes how they are perceived by those within these virtual spaces.
Furthermore, a username acts as a distinct identifier that enables others to recognize and connect with the user across various platforms. This tendency for username reuse is prevalent, as highlighted in a 2011 study by Perito et al. titled "How Unique and Traceable are Usernames?" which revealed that individuals often utilize a limited set of related usernames across multiple online services. In a vast digital landscape where social connectivity is paramount, discovering a single username spanning a network of websites can provide invaluable insights into an individual's online activities, serving as a vital element in attribution-focused investigations.
Dwayne Johnson's Twitter Handle and Display Names
Discord, a popular chat app, implements a unique system of account handles and display names. Users are allowed to choose a distinct display name for each server they are active in, with the flexibility to change it at any time. However, the account handle remains fixed. Not all websites or apps follow this handle + username format; some platforms use the handle as the username, which is not easily changeable.
In investigative work, it is important for researchers to prioritize the account handle as a primary piece of Personally Identifying Information (PII) over the display name. While the display name can offer insights into a user's preferences and interests through its frequent changes, its mutable nature makes it less reliable as evidence for identifying an individual.
Usernames with Discriminators
With the expansion of online communities, companies have introduced numerical discriminators to allow users to share usernames. These discriminators, added at the end of the username following a # symbol, differentiate between accounts. For example, Monday#1234 and Monday#5678 would each represent a unique account. While Discord has moved away from this method of username allocation, opting instead for assigning a single handle per account, other platforms like Xbox, Battle.net, and Bungie continue to utilize this practice.
Typically, users do not have the freedom to choose their own discriminator; it serves as an extension of an internal UUID onto the public-facing username. In most cases, once an account is confirmed to belong to a target, the discriminator becomes less significant. However, on platforms where users can select their own numbers, the chosen discriminator may hold personal importance or significance. If you are unsure about a service's policy regarding chosen discriminators, the best way to clarify is by registering an account yourself.
Special Types of Usernames
Gamertags
A gamertag, originating from Xbox, serves as a unique username specifically tailored for gaming. While initially tied to Xbox, this term has expanded to encompass usernames across various games. Official Xbox gamertags can range from simple names to including an avatar or a brief bio, offering a personal touch to online gaming interactions. In the digital realm of gaming, where socialization predominantly occurs online, a gamertag often becomes a player's primary form of identification. It's common for gamers to be known by their gamertag not just within the game but also in messaging apps, social media, voice chats, and among their gaming circle. With a plethora of platforms and games available, most gamers opt to use the same gamertag across different games, making it easier for friends and teammates to reconnect.
Interestingly, gamers tend to prioritize uniqueness over trendiness when selecting a gamertag, often opting for a personalized, invented word. This individuality makes identifying a target through their gamertag a promising starting point, as the chances of another individual inadvertently duplicating the same spelling, capitalization, and structure are quite slim.
OG Usernames
Studies indicate that users tend to perceive short, simple usernames as more trustworthy compared to longer, number-heavy ones. This preference for concise usernames has turned them into sought-after commodities, often leading to monetary transactions. Given the internet's maturity, such usernames are increasingly rare, as most have already been claimed. This scarcity has given rise to a shadowy market where malicious actors conduct Account Takeover (ATO) schemes using stolen credentials. These compromised accounts fetch high prices on cybercrime forums and are known as "OG Usernames," a term derived from "original gangster" to denote early adopters who secured these coveted names. Particularly unique or "cool" usernames can command even higher sums, with some fetching tens of thousands of dollars in underground exchanges.
Where there is significant profit, there is also significant risk. In their pursuit of valuable usernames, cybercriminals have escalated beyond digital threats to real-life harm.
One of the most infamous incidents involved a 2020 SWAT attack targeting the owner of the "Tennessee" username on Twitter. Perpetrated by a group of cybercriminals, this heinous act resulted in the death of the victim during the assault, leading to a federal prison sentence for one of the attackers. These perpetrators gather personal information on their targets, resorting to threats, harassment, and even physical intimidation to coerce them into relinquishing control of their accounts.
Given the underground market for OG Usernames and the dangers faced by owners of high-value accounts, any profile with such a username warrants thorough investigation to verify ownership and potential involvement in illicit activities. Typically, individuals with OG Usernames are closely associated with the community involved in account theft and resale, making them prime targets for scrutiny in attribution-focused investigations.
Practical Application: Username OSINT & Attribution
Since usernames are the “fashion” of the internet and show what the person wants to present, they can divulge a lot of information just from a first look. For example:
- The user’s self-perception
- Just as a person who dresses in high fashion would likely not walk out of the house in an outdated outfit, a person’s username can show how the person views themselves. Some people will have cute names, some will have intimidating names, some will have clever names. These can show what aspects of themself the person wants to be perceived as.
- “King” could be a masculine, dominant individual. “SweetPrincessPea” could be a gentle, feminine individual.
- Language
- What language is the username in? If it does not look familiar, it is worth inputting into Google Translate to see what language the person is using. This can give an idea of a target’s potential point of origin or current location.
- “RayonDeSoleil” could indicate the individual is located in a French speaking country, or comes from a French speaking family.
- Cultural References
- What is the username referencing? Is it a football team? A game character? These hints can point a researcher in the right direction for the next steps of attribution.
- “RavensFan500” could indicate that the individual is a fan of the Baltimore Ravens, which could provide potential further insight into the person’s location.
- Significant Numerals
- Many people use years in their username, often their birth year, especially if they are not particularly internet savvy with an appreciation for operational security. Whether or not the number is their birth year, however, it is still important enough for them to include, so it is imperative to look for references to that number elsewhere. Note, however, that significant numerals are distinct from discriminators if they are in use. The user Monday92#5419 for instance may place significance on “92,” while the “5419” following the hash character would likely be a randomly assigned number.
- “JackMiser1990” could be referencing the year 1990, which could be a birthday year or an anniversary date.
- Some numerals are significant in other ways - for example, “88” or “1488” are Nazi hate symbols, with the 14 referring to a Nazi ideology slogan containing 14 words, and 88 referring to “Heil Hitler”, as H is the 8th letter of the alphabet.
Sometimes people do change their usernames, for a variety of reasons. The key to attributing multiple usernames to one person with OSINT is pattern recognition. Since usernames tend to represent the user, it is very uncommon for each one to be completely unrelated to the others. A few main things to look out for are:
- Character Substitution
- Sometimes, people will make a username that has a letter changed, or substitutes a number for a letter, especially if their preferred username has already been taken. They still want to have the same word, and will do anything to keep it.
- “Monday” vs “M0nday” or “Мonday” (the M is the Cyrillic Em).
- Numerical Patterns
- If someone uses the same unique number across usernames, it is likely they will continue to use that number. For example, if a target’s username is john423, and you locate other possible usernames of theirs that are jwick423, j423, and sharpshooter423, you can take an educated guess that pewpew423 could also be them, if that username is engaged in similar activities.
Some tricks for username enumeration include:
- Simple Google searches, especially if the username is particularly unique. If the username is a more common word, more advanced searches can yield better results, for example, including relevant keywords or websites in the search.
- Even if the email is unknown, searching for a known username as an email address can be fruitful. This works best for unique usernames, and should be corroborated - a simple username with a common word is much more likely to be a false positive. Many email addresses can be tied to real world names, so basic email enumeration tools are extremely useful.
- There are several websites that check if a username is in use over an array of websites - inputting a target username into one of these tools can show a footprint of online activity.
- Skype remains a powerful OSINT tool. Many people still have Skype accounts, despite not using it for years, and many of those accounts were created in a time when cybersecurity and operational security were not a public priority. Real names are often tied to usernames on Skype even if they have been properly scrubbed elsewhere.
- Review online gaming profiles associated with the usernames you do know. Frequently, multiple accounts, such as Twitch.tv, Discord, or Spotify, are connected to game accounts and may provide useful pivots to real world attribution. Note that for many of these game services, a username search is an internal action on their website or community hub, and searching through Google will not yield results.
It is important to note, however, that just because someone uses one username does not mean that it is the same person across all platforms. The username may be shared, especially if it is a common word or phrase. If a target is famous, or infamous, they may have others impersonating them. Corroboration is key, and it is important to couch assertions in words of estimative probability—reporting the wrong person just because they happen to share a username with a bad actor can lead to severe consequences.
OpSec Practices
To safeguard oneself from potential risks associated with revealing personal activities through usernames, a delicate balance must be struck between online recognition and personal safety. Various strategies can aid in this endeavor.
A straightforward approach to prevent easy tracing is to assign a distinct username to each account. While this method may limit visibility, especially if recognition is desired, individuals can discreetly share their new account names with trusted contacts for identification purposes.
Opting for randomly generated usernames or creating entirely unique ones can further enhance anonymity. Steer clear of using identifiable numbers or details that could be linked back to you.
For individuals seeking recognition, particularly for branding purposes, it is advisable to establish a separate account and username dedicated solely to the brand. Avoid intertwining personal accounts with branding initiatives.
Lastly, to minimize exposure, consider deleting obsolete accounts. The fewer instances of a particular username in circulation, the lower the risk of unwanted associations or implications.
Conclusion
As usernames hold a deeply personal significance, they serve as a key tool for attribution, offering valuable insights into their creators. With the increasing shift towards an online society, the relevance of usernames only continues to grow. Notably, research indicates that Gen Z prioritizes crafting intricate identities and embracing authenticity. Given that Gen Z constitutes the largest demographic of internet users, comprising 75% of the global online population, usernames will remain critical data points well into the foreseeable future.
In your research endeavors, pay close attention to the messages conveyed by usernames and their usage history. This awareness can significantly facilitate the progression of your investigations.