Cyber-Hunter

“We’re an information economy. They teach you that in school. What they don’t tell you is that it’s impossible to move, to live, to operate at any level without leaving traces, bits, seemingly meaningless fragments of personal information. Fragments that can be retrieved, amplified…”
William Gibson, “Johnny Mnemonic.”

My work requires me to become someone new every day.

What do I do? I’m an online investigator and I hunt bad money. That is to say, I track businesses that are breaking the law or skirting the rules and regulations of their countries.

A quick search reports that there are nearly 24 million online stores. That’s a lot of electric acres to cover. I can’t audit them all, so I’m selective. Pharmacies selling drugs that should require prescriptions. Deepfake websites and bots that face-swap and nudify anyone’s picture into pornographic scenes. Individuals or entities inciting violence. Unlicensed financial trading platforms. Online casinos. It’s a rogues’ gallery of digital offenders.

How do I do this? I’m a very secret shopper, but I’m not interested in customer service. To do this well, I must blend in with the traffic, camouflage, obfuscate. Never the same IP. Never the same device. I use VMs, containers, and other digital tricks. Always changing my digital fingerprint.

New name, new address, new phone number for every target. The only trail I leave is the one I want you to see.

It’s a great job, but keeping up with the pace of technology, making sure I’m always able to hide in plain sight, and tracking sites that pop up like cyber-whack-a-moles requires constant study. Good tradecraft always evolves. Every day demands an upgrade, forcing me to switch tactics and strategies.

Like a tiger tracking its prey, I tend to catch the slower ones. The serious baddies get smarter after they get popped and evolve. It’s an arms race, and I have to follow the rules. The bad guys? They don’t.

That’s why I returned to Wild West Hacking Fest this year in Deadwood, South Dakota. I needed to up my game. To do that, I chose to study with Mishaal Khan and attend 16 hours of his Next Level OSINT class.

I wasn’t looking for a traditional certification or a shiny new badge. I wanted something else—something deeper. A new kind of black belt for information combat, and Mishaal Khan is, as they say, a man of certain skills. The Liam Neeson of OSINT. A privacy sifu, if you will. Well-practiced in the cyber martial art of—let’s call it “The Revealing Fist.” 

A master shadow dispeller, Mishaal knows where the internet hides all our secrets. He’s a finder of lost souls—the missing, the stolen, and he offers a much-needed shield from the prying eyes of stalkers and cyberbullies…because roaches scurry when the lights come on.

Quickly, some history and context. I’ve been an online investigator for four years and got my private investigator’s license ten months ago. OSINT—Open Source Intelligence—is what every online investigator needs to do their job; and I’ve been following Mr. Khan for a while now because he’s proven himself to be the savviest of search artists.

By following, I mean I’ve watched every video of his I could find: People Hunting: A Pentester Perspective; Security BSides 2020; The Power of Social Engineering; How to Erase Yourself from the Internet; OSINT Uncovered; When OSINT met Privacy; Go Stalk Yourself; GEOINT; Offensive OSINT. I even bought his book, Phantom CISO. Simply put, I’ve been impressed with all his offerings, and if anybody could help me build my research skills, it was him.

This was my second time at Wild West Hacking Fest. In 2021, I traveled to Reno and studied web-app pentesting with BB King. It was like jumping into the deep end of the pool. Mishaal offered a whole different kind of swimming lesson. We weren’t trying to abuse applications with Burp Suite this time.

This time, we were hunting humans.

In my day job, I track businesses, not people. Hunting people is a different game—a more intimate affair.

Approximately 24 students made the trek to the tiny casino town and filled up a small conference room, two to a table, laptops open and burning bright. I was highly caffeinated, wide-eyed, and once again in a room full of people who seemed way smarter than me.

Pentesters, Threat Intelligence Specialists, and Blue Teamers, oh my. Everybody seemed on the edge of their seats, anticipating the next info quest. 

Mishaal didn’t spend time bragging about his past or his accomplishments. He offered a couple of personal/professional experiences: he’d been a pentester way back when the moniker didn’t exist. For the past bit, he had been focused on consulting. For the most part, the class was all business. He shared his tactics, techniques, and tools. He was modest and considerate, answering every question like a straight shooter. No fluff, no ego.

In the first couple of hours, he laid out his utility belt of browser add-ons, search engines, websites, and databases. After introducing the tools of his trade, he broke out a most-wanted list and we began hunting bad guys.

Mishaal is professionally private to the extreme. Some might call him paranoid, but you’re only paranoid if no one’s after you. And let’s be honest: today–in the cyber age–we’re all being hunted.

In 2024 alone, over three billion records have been breached. I’d make a list for you but it would be too long and it would just make you numb. Here’s the easy math: there are approximately 5 billion people online. Chances are 50/50 your personal information is on the dark web where it can be used to profile you for social engineering.

The most common and efficient form of cyber attack is phishing, and the easiest way to make a phishing attack work is to tailor it to an individual or group. With all the data that’s been leaked, it isn’t hard to imagine how that information can be used in identity theft, spear phishing, and countless other scams. 

So much leverage and so much time to use it. And there are literal factories of people working on social platforms looking for victims. Have you heard of pig butchering?

Businesses should be more concerned because their employees are the targets. The digital terrain is wild and outlaws are everywhere and can be anyone.

This is where I offer you the good news, the cyber gospel if you will: Mishaal has built a service for anyone to help protect their online privacy. It’s called OperationPrivacy.com.

A small light in an ever darker world.

By the end of the second day, I realized the real deal of any cyber hunt. Sure, the tools Mishaal handed us were sharp, but it wasn’t about the gear—it was about will. There isn’t one key and there isn’t one lock. There is more than one way to skin a cybercat, but you have to make sure it’s the right cat as well. The trick is persistence and resilience through redundancy. It’s about the time you are willing to put in to find the answer and verify your discoveries.  Something has to motivate you. You have to want to keep digging through the data. There has to be a feeling in your gut that won’t let you give up. That’s where the mojo comes from.  Know your dopamine trigger, pick your target, and squeeze.

When class wrapped, I slipped my laptop into my backpack and slung it over my shoulder. My eyes burning and mind whirling, I headed into the streets of Deadwood. The town’s streets were lined with casinos. Their lights blinking and swirling. ’80s rock music spilled from speakers. AC/DC’s “Another One Bites the Dust.”

Deadwood is a town with a long memory, and the ghosts of outlaws lurk in the dark corners of my imagination, reminding me there’s always someone looking to game the system.

But the real outlaws? They aren’t in Deadwood—the real ones are out there hiding behind fake domains and stolen identities, thinking they are safe. Thinking they can hide in the neon shadows of the net.

But someone is hunting them. And the thing about hunting? It’s a game of patience. Eventually, everyone leaves a trail.