top of page
Search
Jemma Ward

Pulling Threads: An OSINT Guide

Meta’s new text-based application Threads has been proclaimed as a rival and even an existential threat to Twitter, especially in the wake of controversial anti-scraping measures introduced to Twitter. We’ve seen been plenty of reporting on the launch and uptake of the platform, but this blog will explore the implications of Threads for OSINT practitioners.


What is Threads?

Threads is a standalone app that uses Instagram credentials – so any user on Threads must also have an Instagram account. While Threads users can still post pictures and short videos, the focus is connecting users through text-based conversations. Threads allows 500 characters per ‘thread’, while Twitter limits Tweets to 280 characters. Like Twitter, Threads encourages users to like, repost (retweet), and quote content.


Threads and OSINT

Threads adds yet another app to the already vast array of social networks, and while it might have experienced record growth since its inception, it probably doesn’t change the OSINT landscape drastically when it comes to person-of-interest (POI) investigations.


Basic user profile information mirrors Instagram accounts – username, vanity name, bio, and profile picture can be used to confirm or refute a potential match in a POI investigation. Content and user engagement analysis helps to profile networks, hobbies, pattern-of-life, and locations.


Unauthenticated Viewing

While engaging with Threads content is limited to registered users, public profiles and content are still viewable in desktop browsers. Search engines are already indexing content, and Google, unsurprisingly, returns more results than Yandex or Bing at this stage.

To target Threads posts, use:

site:threads.net/t/ “keyword”

To target Threads profiles/bios, use:

site:threads.net/@ “keyword”

Keep in mind that Threads content indexed by search engines (so far) barely scratches the surface. A recent Google search for Threads users returned approximately 80 000 results, but there are now more than 100 million users on Threads. As with Instagram and Facebook, OSINT practitioners who seek to identify specific users or groups on Threads will likely need accounts to search profiles and content.


While Threads is read-only via desktop, it currently allows unauthenticated viewing of recent user threads and replies (usually the last 20-30). At this stage, there is no login prompt or pop-up to prevent viewing all the loaded threads or replies – this might suggest a more open platform than Meta’s other apps, but it is still early days.


Threads User Information

We can use browser developer tools to access larger versions of user profile pictures and images in much the same way as we can with Instagram accounts:

  1. Open your browser developer tools and select the ‘Network’ tab. This tab shows the requests made by the page you’re visiting, including image files.

  2. To refine the network activity requests that we can see, filter on ‘Img’ and refresh the page in your browser.


3. The account profile picture (along with the other images on the page) will appear in the request list. Identify the image you’re after and save or copy the image URL.


Threads user IDs are the same as the user’s Instagram account ID. Recording unique user identifiers is a useful way of correlating user accounts in the event of a name change (particularly when monitoring an account over a longer period). The account ID is also useful in seeking records from Meta Platforms (law enforcement officials only).


On a Threads profile of interest, right-click and view Page Source. Use Ctrl+F to search for “user_id” – there may be a couple of results here, but the actual user ID will appear twice, following the lower-case version of the search string.

Like Instagram, Threads uses the GraphQL API – generating HTTP POST requests using GraphQL can retrieve Threads user data including threads, likes, replies, and profile data. This is likely to be of more interest to developers looking to fetch specific data from Threads, rather than individual OSINT practitioners. For more information about querying Threads’ using GraphQL, check out m1guelpf’s work on reverse engineering Threads here: https://github.com/m1guelpf/threads-re


If you’re interested in scoping out the structure of underlying Threads user and media data, you can see this using the ‘Network’ tab of your browser developer tools as well:

  1. Open your browser developer tools and select the ‘Network’ tab. This tab shows the requests made by the page you’re visiting, including API calls.

  2. To refine the network activity requests that we can see, filter on ‘Fetch/XHR’ or ‘XHR’ and refresh the page in your browser.

3. Two POST requests labelled ‘graphql’ will appear in your request list – one of these

contains ‘user data’ (user profile information) and the other contains ‘media data’

(information about the threads that the user has posted). In Chrome, select the ‘Preview’

tab to expand and view this data. In Firefox, this data is found in the ‘Response’ tab.

Authenticated Viewing

At this stage, users with Threads accounts won’t find in-app searching particularly effective for content discovery and trends analysis. Username searching is supported, but keyword and hashtag searching aren’t (yet). Threads will likely add a host of new features soon, including hashtags and in-app keyword searching. The main advantage of authenticated Threads usage for OSINT practitioners is unlimited scrolling and viewing of profiles, follower/following lists, and user engagements.

Follower and following lists are visible to authenticated users.

The Threadiverse?

In our earlier blog, Let’s Get On With Mastodon, we discussed the concept of the ‘Fediverse’ – a decentralised federation of servers or ‘instances’ that can interact with each other for web publishing, social networking and content sharing. Mastodon – often described as a Twitter alternative – is one of the best-known micro-blogging platforms in the Fediverse. Meta plans to integrate Threads with the Fediverse in the future, which would mean that Threads users could follow and interact with users on other servers, and vice versa.


Attribution Considerations

Following the arguable demolition job carried out on Twitter by Elon Musk, will Threads be the platform of choice for disgruntled Twitter users? Perhaps – but the jury’s still out for some.

In terms of privacy, Threads – like Meta’s other applications – presents concerns for users. Meta hasn’t yet rolled out the app in Europe due to concerns about compliance with EU legislation and regulation of tech companies. While Twitter isn’t exactly perfect when it comes to digital hygiene, Threads (like Instagram) collects a lot of personal data, including user contact information, browsing history, purchases, location data, and more. This might have an impact on the number of Twitter users who are prepared to move to Threads.


For OSINT practitioners, it’s crucial to consider whether the subjects and topics that you investigate are likely to migrate to Threads – at this stage, we’re all waiting to see what kind of subcultures and content might emerge there. If it seems likely that Threads will be a useful information-gathering tool for your investigations, consider your attribution and operational security requirements.


If you already have an Instagram account as part of your online persona, there’s no real harm in adding Threads (although it’s worth noting that to delete a Threads account, you will need to delete the associated Instagram account as well). As always, never directly link a personal social media account to an online persona you use for OSINT.


If you want to minimise your digital footprint when searching for content on Threads, we suggest unauthenticated searching and profile viewing via the desktop version of Threads in a privacy-focused browser like Brave. For those practitioners who require an account, installing Threads on an Android device provides more control over the data that is shared with the app. For Apple iPhone users, employ the App Tracking feature to stop data access to other apps on the device.


Key Takeaways

  • Threads has been touted as a threat to Twitter – it offers similar (and potentially even better) functionality as a micro-blogging social platform, but (like Meta’s other applications) there are privacy trade-offs.

  • The arrival of Meta’s Threads app is unlikely to be a barrier to POI investigations for OSINT practitioners. Instead, it offers an opportunity to correlate user data and profile markers across yet another platform.

  • A limited amount of Threads profile and activity information can be retrieved without authentication, but a Threads account will help OSINT practitioners view even more.

  • Content discovery on Threads is currently difficult. We expect that this will change with the addition of keyword searching and hashtag support.

  • As always, keep your attribution in mind, particularly when creating or linking social media accounts to an online persona.


To support your OSINT collection and analytical capability uplift, please don’t hesitate to contact us at training@osintcombine.com to learn about our off-the-shelf and bespoke training offerings.

Comments


bottom of page