CHAPTER 17 Profile Tracking and Password Reset Clues

This is, by far, my favorite part of the OSINT process. The next two chapters will detail my process for building a threat actor profile matrix. What is a threat actor profile matrix, you ask? It is essentially a giant Excel sheet full of the many account names, usernames, fake profiles, URLs, and other personal information related to a target. It is a way to visually organize your account-related data in one place. Once you are able to do that, you will start to notice patterns in the data.

We will be using characters and personas from The Dark Overlord group for our examples.

Where to Start (with TDO)?

You have to start somewhere, right? So if the goal is to investigate TDO (or any threat actor), the first question is “What do we already know?”

One thing we can use to our advantage is all of the press and media attention that TDO received. Looking at early news articles, we know that the original stolen data was being sold on several different hacker forums by a user named Cr00k.

Figure 17.1 is a screenshot of Cr00k's TDO sales thread from the Russian hacking forum ...
