M3E1: OSINT Before AI: Bellingcat, Digital Forensics, and the New Tradecraft

The Day the Methodology Changed

On July 17, 2014, Malaysia Airlines Flight 17 (MH17) was shot down over eastern Ukraine, killing all 298 people aboard. Within hours, photographs and videos began appearing on Russian social media — ordinary civilians recording what they saw from the roadside as a military convoy moved through separatist-held territory: a Buk TELAR (transporter erector launcher and radar, the mobile surface-to-air missile system later linked to the shoot-down) on a flatbed truck. The images were grainy, fragmented, posted without coordination by people who had no idea what they were documenting. Standard intelligence protocol would have been to treat this as noise: unverified, unattributed, chain of custody nonexistent.

Eliot Higgins and the investigative collective he had assembled did something different. They followed a trail of digital breadcrumbs — spotting and identifying the Russian Buk missile system from those early photographs and videos posted online. Over the next several months, what unfolded was not journalism in any conventional sense, and not intelligence work as institutions had defined it. It was something new: a demonstration that tools freely available to anyone with a laptop and an internet connection could, if applied with sufficient rigor and methodological discipline, produce findings of a quality that classified agencies had assumed was their exclusive domain.

The core argument of this episode is structural. Bellingcat's pathbreaking work on MH17 and on chemical weapons use in Syria led to open-source investigation being recognized as a vital investigative technique precisely because the methodology was rigorous, transparent, and reproducible. Intelligence credibility has never derived from secrecy. It derives from the quality of the chain between raw evidence and analytical conclusion. Bellingcat made that chain visible, which is exactly why it was persuasive — and why the institutions that had monopolized intelligence production for seventy years were forced to take notice.


What Geolocation Is

Start with the Paris Match photograph. On July 25, 2014, the French magazine published an image of a Buk missile launcher being transported on a low-loader truck through the separatist-controlled city of Donetsk. The location was precisely established and showed an eastward direction of travel along the H21 motorway. Using the information published with the video, investigators found the exact spot where the footage was filmed and showed that the Buk launcher continued to travel east.

How do you precisely locate a photograph taken in a war zone with no GPS metadata? You look at everything in the frame that can be cross-referenced: building facades, road markings, utility pole configurations, tree lines, signage visible even at partial resolution. You pull up Google Earth and Google Street View — when Street View imagery exists — and you match. You look for landmarks with unique combinations: a curved road intersecting with a specific building shape, a bridge abutment, a distinctive bend in a tree line. You narrow from country to region to city to street to block. The process is fundamentally about constrained matching: eliminating every possible alternative location until only one remains, then verifying that single candidate against multiple independent visual features.

The Bellingcat MH17 investigation team established the exact location at which images were recorded and the approximate time many of them were captured. From that foundation, investigators mapped the route of the Buk launcher through separatist-controlled territory in eastern Ukraine on July 17. This was not a single match on a single image. It was a sequential chain — each confirmed location feeding the next, building a route with enough redundancy that no single geolocation failure could collapse the broader picture.

The shadow analysis layer adds temporal precision. Shadows are geometric: their length and direction are a function of latitude, longitude, date, and time of day. A shadow falling at a specific angle relative to a known structure, at a confirmed location, constrains the time of observation to a window calculable with precision using tools like SunCalc (a web-based solar position calculator). Bellingcat has since developed a Shadow Finder Tool, built with their Discord community, that helps researchers quickly narrow down where an image was taken by searching the earth's surface for locations matching a specific shadow length at a particular time — removing the manual computational burden that made shadow analysis laboriously slow in the MH17 era. In 2014, analysts were doing this by hand. The principle was the same; the tooling has since been codified and accelerated.

Then comes vegetation and seasonal chronolocation — a technique that sounds almost quaint until you understand its evidentiary power. Deciduous trees in eastern Ukraine behave predictably: leaf-out in spring, full canopy in summer, senescence through autumn, bare in winter. A photograph showing a vehicle in front of a poplar at full leaf, combined with shadow analysis suggesting an afternoon sun angle consistent with early July at that latitude, eliminates April and eliminates November. Tire tracks in snow are similarly constraining: the image was taken after snowfall and before significant additional precipitation. Combine these constraints with a confirmed location and the timestamp window narrows from weeks to hours. One image was shared widely during the evening of July 17 — the earliest documented instance was a post made by a user of the Russian social media site VKontakte at 8:09pm Kyiv time. First-share timestamp combined with geolocation combined with shadow analysis: three independent lines of constraint converging on the same answer.
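As an added illustration of the shadow-analysis step described above (this is not code from Bellingcat, SunCalc or the Shadow Finder tool): the Python below implements the NOAA approximate solar-position formulas and scans one day for the local times at which a shadow-length-to-object-height ratio measured in an image is possible at a confirmed location. The Donetsk coordinates, the 1.2 shadow ratio and the UTC+3 offset are assumed sample inputs, not values from the investigation.

```python
import math
from datetime import date, datetime, timedelta


def solar_position(lat_deg, lon_deg, local_dt, utc_offset_hours):
    """Sun elevation and azimuth (degrees, azimuth clockwise from north) for a
    local wall-clock time, using the NOAA approximate solar-position formulas
    (accurate to a fraction of a degree, which is enough for shadow work)."""
    day_of_year = local_dt.timetuple().tm_yday
    hour = local_dt.hour + local_dt.minute / 60 + local_dt.second / 3600
    gamma = 2 * math.pi / 365 * (day_of_year - 1 + (hour - 12) / 24)  # fractional year
    eqtime = 229.18 * (0.000075 + 0.001868 * math.cos(gamma) - 0.032077 * math.sin(gamma)
                       - 0.014615 * math.cos(2 * gamma) - 0.040849 * math.sin(2 * gamma))
    decl = (0.006918 - 0.399912 * math.cos(gamma) + 0.070257 * math.sin(gamma)
            - 0.006758 * math.cos(2 * gamma) + 0.000907 * math.sin(2 * gamma)
            - 0.002697 * math.cos(3 * gamma) + 0.00148 * math.sin(3 * gamma))
    # Convert wall-clock time to true solar time (minutes), then to the hour angle.
    time_offset_min = eqtime + 4 * lon_deg - 60 * utc_offset_hours
    true_solar_min = hour * 60 + time_offset_min
    hour_angle = math.radians(true_solar_min / 4 - 180)
    lat = math.radians(lat_deg)
    cos_zenith = (math.sin(lat) * math.sin(decl)
                  + math.cos(lat) * math.cos(decl) * math.cos(hour_angle))
    cos_zenith = max(-1.0, min(1.0, cos_zenith))
    elevation = 90 - math.degrees(math.acos(cos_zenith))
    # Azimuth measured from south (west positive), shifted to the compass convention.
    azimuth = math.degrees(math.atan2(
        math.sin(hour_angle),
        math.cos(hour_angle) * math.sin(lat) - math.tan(decl) * math.cos(lat))) + 180
    return elevation, azimuth % 360


def shadow_ratio(elevation_deg):
    """Shadow length divided by object height for a vertical object."""
    if elevation_deg <= 0:
        return math.inf  # sun below the horizon: no shadow to measure
    return 1 / math.tan(math.radians(elevation_deg))


def shadow_time_windows(lat_deg, lon_deg, day, utc_offset_hours,
                        measured_ratio, tolerance=0.05, step_min=1):
    """Scan one day in step_min increments and return the contiguous local-time
    windows (start, end, shadow_azimuth_deg) in which the predicted shadow ratio
    is within tolerance of the ratio measured in the image. A ratio alone gives
    two windows (morning and afternoon); the direction the shadow falls, read
    off a known structure in the frame, picks one of them."""
    t = datetime(day.year, day.month, day.day)
    end_of_day = t + timedelta(days=1)
    windows = []
    while t < end_of_day:
        elevation, sun_az = solar_position(lat_deg, lon_deg, t, utc_offset_hours)
        if abs(shadow_ratio(elevation) - measured_ratio) <= tolerance:
            shadow_az = (sun_az + 180) % 360  # the shadow falls away from the sun
            if windows and t - windows[-1][1] <= timedelta(minutes=step_min):
                windows[-1][1] = t  # extend the current window
            else:
                windows.append([t, t, shadow_az])
        t += timedelta(minutes=step_min)
    return [(start, end, round(az)) for start, end, az in windows]


# Assumed sample inputs (constructed for this illustration): approximate
# coordinates for Donetsk, the date of the shoot-down, Kyiv summer time (UTC+3),
# and a shadow measured at 1.2 times the height of the object casting it.
DONETSK_LAT, DONETSK_LON, KYIV_SUMMER_UTC_OFFSET = 48.0, 37.8, 3
MH17_DATE = date(2014, 7, 17)


def donetsk_windows(measured_ratio=1.2):
    return shadow_time_windows(DONETSK_LAT, DONETSK_LON, MH17_DATE,
                               KYIV_SUMMER_UTC_OFFSET, measured_ratio)


def donetsk_noon_ratio():
    """Shortest shadow of the day, near local solar noon (about 12:35 Kyiv time)."""
    elevation, _ = solar_position(DONETSK_LAT, DONETSK_LON,
                                  datetime(2014, 7, 17, 12, 35), KYIV_SUMMER_UTC_OFFSET)
    return shadow_ratio(elevation)


if __name__ == "__main__":
    for start, end, shadow_az in donetsk_windows():
        print(f"{start:%H:%M}-{end:%H:%M} local, shadow pointing toward {shadow_az} deg")
```

With these inputs the scan yields one window around 09:00 with the shadow pointing roughly west-northwest and one around 16:10 with it pointing roughly east-northeast, so a shadow falling east of the object places the image in the afternoon window.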

None of these techniques requires access to classified systems. They require patience, geographic knowledge, and systematic elimination of alternatives. The tradecraft is a form of constrained inference — Sherlock Holmes logic applied to pixels.


The Syrian Chemical Weapons Cases: Munition Identification as OSINT

Syria demonstrated a different dimension of what open-source rigor could achieve. Where MH17 was primarily a geolocation and chain-of-custody problem — where was the weapon system, whose markings did it carry, what route did it travel — the Syrian chemical weapons investigations required something closer to forensic engineering: identifying munitions from their physical characteristics in images and videos taken after attacks, then tracing those munitions through the Syrian military's documented inventory.

Throughout Syria's lengthy conflict, Bellingcat investigated a large number of chemical attacks, including the nature of the weapons deployed, using open-source evidence. From modified chlorine cylinders to locally made surface-to-surface rockets filled with Sarin, the investigations revealed the nature and origin of those weapons. That second category — locally made rockets — is where the methodology became most instructive. The Syrian military had developed what became known as the Volcano rocket: a munition of unusual design, produced in limited quantities, and documented across a range of pre-conflict and conflict-era imagery. The question of whether chemical weapons had been used was not the hard one; victims, medical personnel, and eyewitness accounts established that. The hard question was attribution: who had the capability to build and deploy those specific weapons?

The most notorious chemical attack of the Syrian conflict was the August 21, 2013 Sarin attack in Damascus. Two types of rockets delivered the agent: M14 artillery rockets and Volcano rockets, a design unique to Syrian government forces. "Unique to Syrian government forces" is a conclusion reached only after exhaustive elimination — cataloguing every documented use of a specific munition type, cross-referencing with all known inventories of armed groups in the conflict, and establishing that no non-state actor possessed or had deployed a device of that design. There is also no evidence that either type of munition was captured by Syrian opposition forces, and the Syrian government told the Organisation for the Prohibition of Chemical Weapons (OPCW) and the United Nations that they had not lost control of any of their chemical weapons.

The geolocation component in the Syrian cases worked the same way as MH17 but in denser urban terrain. Investigators compared reference points — buildings, mountain ranges, trees, minarets — with Google Earth satellite imagery, OpenStreetMap data, and geolocated photographs. A minaret visible at a specific angle relative to a crater in a post-attack video constrains location. The same minaret appearing in a second video, at a slightly different angle, allows triangulation. Building heights, rooftop water tanks, satellite dish orientation, and distant terrain features create a fingerprint that survives even severely degraded video resolution.

In the Douma investigation, the cameraman swung around during filming, allowing precise geolocation: the position was identified as the roof of a building at specific GPS coordinates. A still from that video, compared to satellite imagery of the location, confirmed the viewpoint. A distinctive building visible in multiple clips allowed investigators to conclude all six videos were filmed in the same area. That kind of chain — cross-referencing six separate video clips against each other and against satellite imagery to establish both location and physical continuity — is the multi-source verification architecture that makes Bellingcat's conclusions durable. Any single clip could be challenged. Six clips, cross-verified, pointing to the same building on the same roof, collapse the space for alternative explanation.

Bellingcat confirmed the Syrian government's involvement in a range of chemical attacks — and those conclusions were not merely editorial judgments. They were subsequently validated by the OPCW's own investigation teams, which had access to classified sources and in-person forensic collection. The open-source conclusions preceded the official findings, in some cases by years.


The GRU Files: When the Tradecraft Turned to People

The Skripal investigation represents a third mode of OSINT that the MH17 and Syria work had not fully demonstrated: using open-source data to unmask covert intelligence operatives and reconstruct clandestine operational networks. This required not geolocation of physical objects but identity correlation across leaked data, administrative databases, travel records, and behavioral patterns.

When British authorities published photographs of two suspects in the March 2018 Salisbury poisoning — two men who appeared on Russian state television as "Alexander Petrov" and "Ruslan Boshirov," claiming to be sports nutrition tourists visiting Salisbury Cathedral — the cover held for exactly as long as it took Bellingcat to apply database-driven investigation to publicly accessible and commercially available Russian administrative records.

The investigation exposed a glaring hole in the tradecraft of the GRU (Russia's military intelligence agency): for nearly a decade, the GRU had furnished its officers with consecutively numbered passports, allowing investigators who had acquired data commonly leaked onto Russia's black market to uncover other officers by tracing batches of sequential numbers. The method was elegant in its simplicity. Russian passport databases, portions of which circulate on data markets in Eastern Europe, record the issuing authority for every document. Cover passports issued to intelligence officers showed issuing authority 770001 — a unit that exists nowhere in the civilian registry. "Boshirov" had all three markings that helped identify "Petrov" as a security-service asset — "Top Secret" annotations, a blank biographical page referring to a secret attached letter, and a "do not provide information" stamp — along with issuing authority unit 770001, exclusively used for state VIPs and intelligence officers.

From passport anomalies, the investigation pivoted to biography. Working deductively — on the assumption that the two suspects were GRU officers focused on West European covert operations, knowing their approximate age — Bellingcat and The Insider (a Russian investigative outlet) contacted former Russian military officers to ask what specialized schools would have provided appropriate training. One source identified the Far Eastern Military Command Academy as the institution with the best reputation for foreign-language training and overseas clandestine operations at the turn of the century. The graduation years for both suspects were estimated between 2001 and 2003. Investigators browsed multiple yearbook photos and reunion galleries from those classes. What they found was not a match but an absence: a decorated officer who should have appeared in graduation photographs was systematically missing from every image. That systematic omission — which Bellingcat had previously observed in the case of GRU General Oleg Ivannikov — pointed to Colonel Chepiga as a covert officer whose visual record had been scrubbed.

The third suspect — the operational commander who traveled to London ahead of the poisoning team — was identified through telephone metadata. Bellingcat obtained telephone metadata logs confirming that the poisoning was supervised and coordinated by Denis Sergeev, an active GRU officer. Sergeev operated out of a hotel near Paddington station in London, communicating eleven times by telephone during the weekend of the attack with a contact in Moscow who used an "unregistered" prepaid SIM card without a documented owner — a number from a special series used by Russia's security services.

Using four different airline booking, passenger name record (PNR), and border-crossing databases, Bellingcat collated and analyzed travel records for the cover persona "Sergey Fedotov" for the period 2012 to 2018. He used two different consecutive passports during this period — both issued by the same 770001 passport desk and with numbers from batches identified as containing other GRU undercover officers. Consecutively numbered cover documents. Consistent behavioral signatures in hotel and travel records. Telephone metadata placing the same person in proximity to multiple poisoning operations across different European countries. Each data point was independently public or commercially obtainable. Their combined pattern was devastating.

Based on the array of information sources consulted — all independent from each other, drawn from different time periods — Bellingcat concluded with certainty that the person identified by UK authorities as "Ruslan Boshirov" was Colonel Anatoliy Vladimirovich Chepiga, a highly decorated senior GRU officer awarded the highest state honor in late 2014.

The intelligence community (IC) took note. Not because Bellingcat beat them to the answer — classified agencies almost certainly knew the identities of these men — but because an open-source team working with no cleared access reached the same conclusion, documented every step publicly, and made it legally actionable in a way that classified intelligence cannot be. The Dutch prosecution of MH17 suspects, which resulted in convictions in November 2022, relied heavily on open-source evidence precisely because it could be introduced in court without compromising classified sources and methods.


Credibility Without Secrecy: Why the Method Is the Product

The establishment intelligence view, for most of the postwar period, treated classification as a proxy for credibility. A finding was trusted because it derived from sources that adversaries couldn't access and methods that adversaries couldn't replicate. This was a reasonable assumption in an era when the primary intelligence collection advantages were technical: satellite imagery, signals interception, access to denied areas. Those advantages still matter. But the epistemological underpinning — that access equals credibility — was never correct, and the proliferation of open-source data has made that misunderstanding expensive.

Bellingcat's credibility derives from methodological transparency. Every major Bellingcat investigation publishes not just conclusions but the chain of inference — which images were geolocated, what landmarks were used, how shadow angles were calculated, which databases were consulted, what the alternative hypotheses were and why they were rejected. Prosecutors in the MH17 trial stated that experts from the Netherlands Forensic Institute conducted an extensive forensic examination of photographs and videos and concluded these were genuine recordings that had not been tampered with. Investigators from the Joint Investigation Team (JIT, the multinational criminal investigation team formed to prosecute MH17 suspects) validated small details from intercepted conversations by comparing them with other sources. No evidence emerged that the intercepted recordings had been compromised.

That is the structure of legitimate intelligence production: independent corroboration from sources that cannot have been coordinated. When shadow analysis, satellite imagery, eyewitness accounts, and intercepted communications all point to the same location, the probability that they are all simultaneously wrong is not additive — it is multiplicative, approaching negligibility. Transparency of methodology is what allows external parties to perform that multiplication and reach their own confidence assessments.

This is where Bellingcat's model departs most radically from traditional intelligence practice. Classified intelligence products say: trust us, we have evidence we cannot share. Bellingcat investigations say: here is the evidence, here is the reasoning, here is how you would falsify the conclusion if it were wrong. The second model is more epistemically honest, and in contexts where findings need to survive public scrutiny, legal challenge, or adversarial counter-narrative, it is also more durable.

MH17 and Syria forced a reckoning with how open-source evidence functions in courts — a domain where no one had previously tested it at scale. Geolocation findings became a pathway to witnesses, original source documents, and corroborating details. A focus on building justice and accountability capability emerged, with Bellingcat sharing methodology with other organizations pursuing open-source investigations.

The adversarial response is instructive. When Russia's Ministry of Defense held its July 21, 2014 press conference presenting satellite imagery purportedly showing Ukrainian military activities around MH17, the James Martin Center for Non-Proliferation Studies at the Middlebury Institute of International Studies used forensic image analysis software to examine the materials. The civilian images showing the Buk missile launcher and smoke from the launch showed no signs of digital alteration, whereas the satellite imagery presented by the Russian Defence Ministry was "so heavily manipulated that it lacks any credibility as evidence." An open-source team with publicly available forensic tools demonstrated that a nation-state's official intelligence product was fabricated. In a world where methodology equals credibility, the fabrication was exposed by the same logic that exposes any fabrication: the evidence doesn't match the claim.


The Institutional Reckoning: How the IC Absorbed the Lesson

The classified world resisted this lesson for longer than it should have. Over twenty years ago, two commissions investigated the surprise 9/11 terror attacks and the IC's erroneous assessments of Iraqi weapons of mass destruction. Both found shortcomings in the IC's exploitation of publicly available information. The 9/11 Commission recommended the creation of an OSINT (open-source intelligence) agency, while the WMD Commission faulted the absence of "any broader program to gather and organize the wealth of global information generated each day and increasingly available over the Internet." The recommendations were acknowledged, partially implemented, and then largely set aside as the IC returned to the collection disciplines it was institutionally configured to prioritize.

The Ukraine invasion made avoidance impossible. IC officials had been considering the place of OSINT for several years, especially after Russia's 2022 invasion. Officials acknowledged OSINT's value while struggling to standardize open-source tradecraft across agencies. The struggle wasn't technical; it was cultural. Agencies built around the management of secrets have structural difficulty institutionalizing a discipline whose value depends on transparency. Classification creates barriers to sharing, barriers to external validation, and barriers to the kind of competitive peer review that makes methodology strong over time.

The comparative success of nongovernment OSINT organizations — particularly Bellingcat — added weight to the critique. A 2022 RAND study concluded that "open-source is not working, it is not getting better, and the Open-Source Enterprise had ample opportunity to change." The study drew on interviews with, among others, the recently departed principal deputy Director of National Intelligence (DNI), the deputy DNI, the chair of the National Intelligence Council, and the Defense Intelligence Agency's director of analysis.

The formal response came in March 2024. The Office of the Director of National Intelligence (ODNI) and the Central Intelligence Agency (CIA) released the Intelligence Community OSINT Strategy for 2024-2026. OSINT — defined as intelligence derived exclusively from publicly or commercially available information that addresses specific intelligence priorities, requirements, or gaps — is described as vital to the IC's mission, providing unique intelligence value and enabling all other collection disciplines. The strategy outlines a process to "professionalize the OSINT discipline, transform intelligence analysis and production, and create new avenues for partnering with brilliant American innovators and like-minded foreign partners."

The titling is telling. The new OSINT strategy, signed by DNI Avril Haines and CIA Director William Burns, aims to make open-source "the INT of first resort" — a tacit recognition that spy agencies have traditionally favored highly secretive sources such as human intelligence, spy satellites, and electronic signals rather than open-source data. "INT of first resort" is a deliberate phrase. It reorders the epistemological hierarchy. Open sources are the starting point from which classified collection supplements and extends — not the fallback when secrets fail.

Prominent voices including former Principal Deputy Director of National Intelligence Sue Gordon and former National Geospatial-Intelligence Agency (NGA) Director Robert Cardillo have publicly advocated for more investment in technologies that enable OSINT. That advocacy from former principals represents an acknowledgment that the cost structure of classified collection is increasingly difficult to justify when the same analytical conclusions can often be reached from public sources, and when findings from public sources can be shared with partners, presented in court, and disseminated to policymakers without clearance requirements.

The most common argument for establishing a dedicated OSINT agency is that this is the only way to ensure the discipline obtains sufficient resources and weight within a hypercompetitive IC. Scholar Amy Zegart argues that "as long as open-source intelligence remains embedded in secret agencies that value clandestine information above all, it will languish" because those agencies won't prioritize or champion OSINT. The counterargument — that the IC should simply rely on the private sector — understates the extent to which intelligence requires directed collection against specific requirements. Bellingcat operates opportunistically, investigating what is investigable and what is newsworthy. The IC needs OSINT that answers specific collection requirements on timelines driven by operational need, not publication schedules.

The IC's own OSINT Strategy acknowledges that the OSINT community is already pioneering new uses of artificial intelligence, machine learning, and human language technologies for the OSINT mission. The IC must expand and accelerate these efforts to sustain a competitive edge. Speed of innovation will be a critical measure of success, and the IC must embrace the ability to test new capabilities on unclassified systems that present fewer risks and barriers.

Sit with that last phrase: unclassified systems as the testbed for the next generation of intelligence capabilities. The logic of secrecy as a proxy for capability has inverted. The most advanced tools are being developed in the open, by commercial companies, using open-source data, in ways that classified networks are too constrained to adopt quickly.

Bellingcat's investigations can save resources otherwise spent on classified collection, since agencies need not expend them on conclusions already verified through OSINT. Open-source work exposes vulnerabilities and affects the credibility of rival countries internationally. Reaching conclusions solely through OSINT can also expose gaps in the work of IC agencies — cases where they reached the same conclusions more slowly, more expensively, or not at all.


The Inheritance: What the New Tradecraft Demands

The Bellingcat model did not emerge from a research program or a doctrine review. It emerged from a single blogger — Eliot Higgins, working from his home in Leicester while unemployed, tracking weapons in the Syrian conflict before anyone called it OSINT — developing habits of verification that happened to scale. Bellingcat was set up in 2014 as a citizen journalism platform; the techniques for which it became known, particularly geolocation, have since become a staple of journalistic practice. The institutionalization followed the practice by a decade, which is roughly how long it takes large organizations to recognize that an external actor has developed a capability they need.

What the new tradecraft demands from practitioners is not exotic technology access. It demands discipline about verification chains — the willingness to treat every evidentiary claim as provisional until independently corroborated by a source that could not have been contaminated by the first. It demands geographic literacy deep enough to recognize landmarks that non-specialists would ignore. It demands comfort with tools that range from the mundane (Google Earth, SunCalc, reverse image search) to the specialized (commercial synthetic aperture radar (SAR) imagery, database cross-referencing, forensic metadata analysis). And it demands what intelligence tradecraft has always demanded but rarely made explicit: the intellectual honesty to document alternative hypotheses, to show your reasoning, and to acknowledge the boundaries of what the evidence supports.

The most important lesson Bellingcat taught is not about technology. The JIT independently verified Bellingcat's MH17 findings as part of an investigation that included intercepted phone calls, eyewitnesses, and forensics. Dutch investigators were also given access to top-secret U.S. spy satellite material — but only to verify other accounts. Because of its classified nature, that material would not be presented as evidence in court.

That condition is the essential point. The classified material was real, presumably accurate, and ultimately unusable in the most consequential venue — a criminal prosecution that resulted in convictions more than eight years after the shoot-down. The open-source material built the case that put men on trial. The lesson for intelligence professionals is not that classified collection is obsolete; it is that intelligence without a methodology that can survive public scrutiny is intelligence that cannot be used when accountability matters.

The Ukrainian analyst watching Russian satellites photograph military bases three times in four days before an attack is doing Bellingcat-style pattern recognition from commercial and open sources, not waiting for a classified product. The Dutch journalist who spent five euros on a Bluetooth tracker to follow a NATO frigate for twenty-four hours — as Just Vervaart of Omroep Gelderland (a Dutch regional broadcaster) did in April 2026 — demonstrated that passive technical collection from open sources can produce geospatial intelligence that defeats hundreds of millions of euros in operational security investment. The tradecraft Bellingcat codified didn't stay in civil society. It migrated into every domain where rigorous method applied to public information produces actionable intelligence.

The question for the intelligence professional engaging with this material is not whether to incorporate OSINT methodology into their practice. That question was settled in a field in eastern Ukraine in the summer of 2014. The question is whether to do it with the methodological rigor that makes conclusions durable — or to treat open sources as background material, confirmatory of preexisting assessments, handled with the comfortable informality that marks exactly the kind of analytical failure the OSINT revolution was supposed to correct.

That choice has consequences. And they compound.