Introduction
In the wake of a recent compromise at a major Managed Service Provider (MSP), my task as part of a law enforcement intelligence unit was to track a high-priority person of interest (POI). The subject, known online as @sp1ritfyre, was suspected of attempting to sell stolen credentials on the clear and dark web.
This investigation relied entirely on Open Source Intelligence (OSINT) to pivot from a single Twitter handle to a complete real-world identity.
Step 1: The Initial Pivot (Twitter/X)
The investigation began with the handle @sp1ritfyre. While the account had minimal activity, the bio contained a cryptic link: cmVkaHVudC5uZXQK.xyz
Recognizing this as Base64 encoding, I used CyberChef to decode it, which revealed the domain redhunt.net.
Step 2: Broadening the Scope (Google Dorking)
A search for the unique alias "Sp1ritFyre" across Google surfaced two major leads:
The Blogger profile provided the first major break: A location field containing a long string of hexadecimal code.
https://www.blogger.com/profile/08313689826885886832
Location: 68747470733a2f2f73616d6d6965776f6f647365632e626c6f6773706f742e636f6d
https://sammiewoodsec.blogspot.com
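As an added illustration (not part of the original write-up), a small Python scanner that flags and decodes the two encodings met in Steps 1 and 2: Base64 in the Twitter bio (with a fake ".xyz" TLD appended) and hex in the Blogger location field. The sample profile text is constructed from the values above, and the function names are my own.

```python
import base64
import binascii
import re
import string
from typing import List, Optional, Tuple

# Constructed sample: the two encoded profile fields from the write-up,
# embedded in surrounding profile text so the scanner has to find them.
SAMPLE_PROFILE_TEXT = (
    "bio: red team | cmVkaHVudC5uZXQK.xyz\n"
    "location: 68747470733a2f2f73616d6d6965776f6f647365632e626c6f6773706f742e636f6d\n"
)

HEX_RE = re.compile(r"^(?:[0-9a-fA-F]{2}){4,}$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")
HOST_RE = re.compile(r"^(?:https?://)?[a-z0-9-]+(?:\.[a-z0-9-]+)+/?$", re.I)

def _looks_like_link(text: str) -> bool:
    # Accept only printable decodings that resemble a host or URL; this drops
    # the many ordinary words (e.g. "location") that are also valid Base64.
    return all(c in string.printable for c in text) and bool(HOST_RE.match(text))

def decode_token(token: str) -> Optional[Tuple[str, str]]:
    """Return (encoding, decoded) if the token hides a host/URL, else None."""
    candidates = [token]
    # The bio appended a fake TLD (".xyz") to the Base64 blob, so also try
    # the token with a trailing ".<tld>" removed.
    stripped = re.sub(r"\.[a-z]{2,}$", "", token)
    if stripped != token:
        candidates.append(stripped)
    for cand in candidates:
        if HEX_RE.match(cand):
            try:
                text = bytes.fromhex(cand).decode("utf-8").strip()
            except (ValueError, UnicodeDecodeError):
                continue
            if _looks_like_link(text):
                return ("hex", text)
        if B64_RE.match(cand):
            try:
                text = base64.b64decode(cand, validate=True).decode("utf-8").strip()
            except (binascii.Error, UnicodeDecodeError):
                continue
            if _looks_like_link(text):
                return ("base64", text)
    return None

def scan_profile(text: str) -> List[Tuple[str, str, str]]:
    """Scan free-form profile text; return (token, encoding, decoded) hits."""
    hits = []
    for token in re.findall(r"[A-Za-z0-9+/=.]+", text):
        result = decode_token(token)
        if result:
            hits.append((token, result[0], result[1]))
    return hits
```

Running `scan_profile(SAMPLE_PROFILE_TEXT)` yields the decoded redhunt.net domain and the https://sammiewoodsec.blogspot.com URL, with the plain words in the text ignored.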
Step 4: Connecting the Dots (The Blogs)
Further investigation into two blogs, sammiewoodsec.blogspot.com and sp1ritfyrehackerstories.blogspot.com, confirmed the identity. By reviewing the "About Me" sections and technical posts, I was able to verify her employment, age, and residence.
Intelligence Profile: Sammie Woods
Based on the evidence gathered, the answers are:
[1] What is the hacker’s first name?
Sammie
[2] What is the hacker’s last name?
Woods
[3] What is the hacker’s age?
23
[4] What country does the hacker live in?
United Kingdom
[5] What are some of the hacker’s interests? (choose 5)
Security, Photography, Gaming, Camping
[6] What company does the hacker work for?
PhilmanSecurityInc
[7] What is the hacker’s position within the company?
Junior Penetration Tester
[8] What is the full url of the website owned by the hacker?
[9] List any full URLs of websites not owned, but used by the hacker (Blogs only)
https://sammiewoodsec.blogspot.com and https://sp1ritfyrehackerstories.blogspot.com/
[10] What email address has been used by the hacker?
Conclusion & Evidence
The subject’s own “Hacker Stories” blog served as a primary link to the investigation, containing narratives that mirrored the timeline and nature of the MSP data breach. By failing to properly anonymize her online footprint — reusing avatars and handles across professional and personal accounts — the subject allowed a single social media handle to compromise her entire real-world identity.
Lessons Learned: Reusing handles (even “hacker” aliases) and leaving encoded links in public bios are critical OpSec failures that OSINT analysts can exploit to de-anonymize targets.