1. Intro
This is the second part of the write-up detailing the OSINT tactics, techniques and procedures (TTPs) used to unveil the people involved in a Google My Maps map entitled “Viagem para Praia” (“Beach Trip”).
The Google My Maps map “Viagem para Praia” was brought to public attention by journalists Amanda Rossi and Lúcia Valentim Rodrigues.
They published an article showing how demonstrators came to Brazil’s capital for the January 8 riots. In the article, Rossi and Rodrigues stated that “preparation for the coup act had an online map”.
Google My Maps “Viagem para Praia” (now removed by its creator) had four layers representing four out of the five Brazilian regions: “Região Sudeste”, “Região Sul”, “Região Centro-oeste” and “Região Nordeste”.
Each layer had several pins inserted in Brazilian cities.
Clicking on a specific pin (or city, for that matter) led users to either Whatsapp accounts or a specific Telegram group associated with the people responsible for transporting demonstrators from several cities to Brazil’s capital (Brasília – DF).
Detailed below are the OSINT TTPs that apply to this case and that were used by Black Owl Intelligence to identify the people allegedly responsible for transporting demonstrators to Brazil’s capital (Brasília – DF) for the January 8 riots.
If you haven't read the first part, it is recommended that you do so before continuing.
2. Scraping Source Code
Aside from clicking on each city individually in My Maps “Viagem para praia”, all the Whatsapp accounts and the Telegram group associated with the cities could be found in the source code of the web page, from where they were scraped and then parsed.
A total of 20 Whatsapp accounts were identified, and OSINT TTPs were used to identify the people behind each account.
3. Target #1: (83) 98206-****
3.1 Google Search
A Google search (with quotes) for the string “(83) 98206-****” (most common format for Brazilian phone numbers) leads to two URLs.
Figure 1 - Google search
The second one brings a full name (EDI*** CHR*** MED*** FRE***) and a Brazilian “social security number” ("CPF") associated with the phone number (83) 98206-****.
The full name is consistent with the Whatsapp account display name.
Figure 2 - Display name for +55838206**** Whatsapp account
Pivoting to the full name and googling it brings several results indicating that EDI*** CHR*** MED*** FRE*** was arrested as a consequence of her participation in the January 8 riots.
Figure 3 - Google search results
4. Target #2: (48) 98436-****
4.1 Google Search
Whatsapp account (48) 9843-**** has a profile picture that shows the name of a tourism company in Florianópolis – SC.
Googling the company name allows finding company data, including one of its owners: RODRIGO JOR*** ANA***.
Figure 4 - Google search result for the company associated with Whatsapp account (48) 98436 - ****
4.2 Instagram (IG) search box
Searching his name in Instagram’s search box yields his IG profile which indicates that he is really into the bus transport business.
Figure 5 - Target #2 Instagram post
5. Target #3: (51) 99969-****
A thorough (including phoneinfoga) open source search for the phone number (51) 99969-**** yielded no results.
An attribution for this phone number was possible, though, using a method that will not be disclosed here for two reasons: (a) it’s tradecraft, and revealing it here could enrich the arsenal used by scammers in Brazil; (b) there has been some discussion about whether this specific method is really an OSINT technique.
Anyway, the use of this method showed that the phone number is associated with the following full name: MAR*** DE FAT*** REN***.
5.1 Google Search
Googling the full name leads to several news articles indicating that she was arrested on January 8.
Figure 6 - https://oglobo.globo.com/politica/noticia/2023/01/ex-candidato-doadores-de-bolsonaro-e-cabos-eleitorais-a-lista-dos-presos-apos-os-atos-terroristas.ghtml
Google results indicate that there's even a crowdsourcing website that intends to pay for her legal defense.
Figure 7 - https://www.vakinha.com.br/vaquinha/despesas-judiciais-kit-cadeia-recomeco
6. Target #4: (51) 999258-****
6.1 Google Search
Googling the phone number associated with Target #4 leads to a fitness company.
A second Google search, this time with the company name and the string (without quotes) “CNPJ” (the acronym for the Brazilian company registration number), yields results that include the owner of the company: JUL*** OLI*** DA SIL***.
Figure 8 - Google search result for the phone number (51) 99258-****
Googling the name of the company along with the word “ciborg” (part of 51 99258-**** Whatsapp account display name) leads the investigation to a Facebook page that has several selectors (email address, website, cell phone, etc) including the username “ciborg46”.
Google Search
Facebook Page
6.2 Whatsapp profile picture
It must be highlighted that the first picture Google associates with this company depicts fitness equipment very similar to that seen in the (48) 9843-**** Whatsapp account profile picture.
Figure 9 – Similar fitness equipment
6.3 Instagram (IG) search box
Searching the hashtag #ciborg46 (Facebook’s username) in Instagram’s search box leads to two posts.
Figure 10 - Posts with the hashtag #ciborg46
The post on the right comes from Instagram profile @col***. This profile published a post with pro-Jair Bolsonaro content on 12/31/2023 (Brazil’s election day).
Figure 11 - Post from Instagram profile @col***
7. Target #5: (51) 99959-****
7.1 Google Search
Googling the phone number (51) 99959-**** leads to a company name.
A second Google search (with the company name and the string “CNPJ” without quotes) yields results that include the full name of the company owner: MAT*** FRA*** ALV***.
Figure 12 - Google search result for the company associated with Whatsapp account (51) 99959-****
8. Target #6: (47) 9186-****
8.1 Who posted what
Target #6 brings in one more OSINT TTP: the website Who posted what?
Who posted what “is a non public Facebook keyword search”.
It’s an interesting tool because experience shows that it brings more results than Facebook’s search box.
For example, searching Target #6 phone number (47 99186-****) on Facebook’s search box yields no results; searching it on whopostedwhat.com brings 4 results that contain the phone number searched for.
Figure 13 - Who posted what versus Facebook embedded search box
It should be noted that all 4 results show the phone number in a screenshot of a Telegram group post that announces “seven free buses leaving from Blumenau – SC”.
This indicates that Optical Character Recognition (OCR) is applied to pictures on Facebook.
8.2 Skypehunt
Skypehunt is a deprecated script that pulls data from Skype accounts and accepts the following inputs: phone numbers, usernames and email addresses.
Skypehunt used to be found at this GitHub page but it was removed by its creator (“8C”).
That was a serious loss for the OSINT community and a particular tragedy for Black Owl Intelligence, since our experience shows that Skypehunt brings quality data points and was directly responsible for some serious attributions in law enforcement cases.
Hey “8C” hear our prayers and bring Skypehunt back to life! LoL
Fortunately, we saved a copy of the script and it's still working… (although we don't know for how long).
We ran Target #6's phone number in Skypehunt and it brought a username, a display name, a profile picture, gender and location.
Figure 14 - Skypehunt results
But nothing more substantial came from that, so (same as Target #3) an attribution was achieved by means of a method that won’t be exposed here.
This method showed that the phone number is associated with the following full name: MAR*** LUC*** FER*** DOS SAN***.
9. Target #7: (62) 99617-****
9.1 Google search
A Google search with the phone number associated with Target #7 (62 9617-****) leads to a website (highlighted in the picture below) that associates the phone number to a full name: HELENO INA*** DA SIL***.
Figure 15 - Google search results for (62) 9617-****
Pivoting to the full name and googling it, it's possible to find several articles pointing out that HELENO INA*** DA SIL*** “organized a caravan” that went from Goiânia – GO to Brasília - DF.
Figure 16 - Google search result for “HELENO INA*** DA SIL***”
His Facebook page even announced the caravan to Brasília – DF.
Figure 17 - https://www.facebook.com/helenoin***
10. Target #8: (66) 99979-****
10.1 Who posted what
A traditional open source search for the phone number (66) 99979-**** yielded no results.
Who posted what, though, brings something: a Facebook post announcing a caravan to “take Brazil back”.
Figure 18 - Who posted what result
However, nothing beyond that was found.
Same as Targets #3 and #6, an attribution was made possible by means of a method that won’t be exposed here.
This method showed that the number is associated with the following full name: VAN*** CON*** DA SIL*** DON***.
10.2 Google search
Pivoting to the full name and searching it on Google leads to several data points associated with a company owned by VAN*** CON*** DA SIL*** DON***, including a Gmail address.
Figure 19 - Company owned by Target #8
Pivoting to the Gmail username and searching the words that are used in it leads to a Facebook page.
Figure 20 - Facebook profile wan***.con***.7
This Facebook page shows that VAN*** CON*** DA SIL*** DON*** is married to RIC*** DON***, a pro-Bolsonaro local politician in Sinop – MT.
His Facebook account has several pro-Bolsonaro posts.
Figure 21 - RIC*** DON*** Facebook post
11. Target #9: (66) 99911-****
11.1 Google search
A Google search with the phone number associated with Target #9 (66 99911-*****) leads to two Facebook pages and a page that associates the phone number to a partial name: ESTER VAR***.
Figure 22 - Google search
The first Google result is related to a professional photography business and has a link to a Facebook account that allows us to conclude that ESTER is a photographer.
The Facebook page presents an old business website.
Figure 23 - Facebook page associated with Target #9
11.2 Historical whois
The website is now down and whois is a no go, but historical whois confirms the name ESTER VAR*** and allows pivoting to a Gmail account: estervar***@gmail.com
Figure 24 - Historical whois from osint.sh/whoihistory
11.3 Epieos
Again, Ghunt would be a life saver and would provide a face picture. But let's add a tool to the toolbox.
Epieos is a search engine that can pull data from Gmail accounts.
Running estervar***@gmail.com in Epieos yields estervar***@gmail.com profile picture along with other associated details.
Figure 25 - estervar***@gmail.com account data pulled by Epieos
11.4 Twitter search box
Using Twitter search box with the input EST*** VAR*** and looking for a similar profile picture leads to Twitter account @EsterVar*** which has several pro-Bolsonaro posts.
Figure 26 - Post from twitter.com/EsterVar***
12. Target #10: (62) 99909-****
12.1 Who posted what
A traditional open source search for the phone number (62) 99909-**** yielded no results but Who posted what brings several Facebook posts announcing a caravan to Brasília - DF.
Figure 27 - One of Facebook posts associated with Target #10 phone number
A username can be seen below the phone number: danraf***7.
Pivoting to the username and running Maigret leads to an Instagram profile of a self-described right-winger.
Figure 28 - Instagram profile @danraf***7
But this time we have a problem. The method used with Targets #3, #6 and #8 leads to a different attribution: QUE*** NAY*** DE SOU***.
Extra digging is necessary.
12.2 Data breaches
A Google search with the full name QUE*** NAY*** DE SOU** yields 0 results.
Figure 29 - Google search
Pivoting to data breaches…
The full name can be found in a specific data breach that also has a CPF number (it's accurate to say that the CPF is the Brazilian equivalent of a social security number), gender and a date of birth (dob) associated with the full name in question: 28/08/19**.
The dob was a key data point because using Instagram's search box with the string “QUE*** NAY***” (without quotes) led to the following Instagram account.
Figure 30 - @****nay*** Instagram account
@****nay*** Instagram account conveys several pro-Bolsonaro posts.
Figure 31 - @****nay*** Instagram post
13. Target #11
Target #11 is a Telegram Group and won't be detailed here.
14. Target #12: (17) 99138-****
14.1 Caller ID apps
An open source search for the phone number (17) 99138-**** yielded no results.
Another OSINT TTP related to phone numbers is taking advantage of caller ID apps.
Going down this road shows that the phone number (17) 99138-**** is associated with the full name MAR*** BOR*** FIO***.
Figure 32 - Caller ID app
14.2 Google Search
The 12th Google search result obtained with the input “MAR*** BOR*** FIO***” shows her name alongside the name SELMA BOR*** PER*** FIO***.
Figure 33 - https://www.escavador.com/processos/131935/processo-0010175-132013***-do-trt-da-3-regiao?
Searching Google for "SEL*** BOR*** FIO***" leads to the information that she ran in the local elections in Monte Azul Paulista – SP in 2016.
Figure 34 - https://www.diariocidade.com/sp/monte-azul-paulista/eleicoes/2016/candidatos/vereador/sel***-bor***-fio***x-313***/
At this point it must be recalled that Google My Maps “Viagem para praia” (“Beach Trip”) had the codename “Festa da Selma” (“Selma's Party”).
14.3 Who posted what
The same attribution can be reached through Who posted what.
Who posted what brings two Facebook posts announcing buses to Brasília – DF. In these two posts, the phone number (17) 99138 – **** is associated with the name SELMA.
Figure 35 - Facebook post associated with phone number (17) 99138 - ****
The Facebook profile that made the post above has SELMA BOR*** among its friends.
Figure 36 - Facebook profile mar***mar***.sim***
Pivoting to SEL*** BOR***'s Facebook profile allows us to find her Instagram account.
Figure 37 - Facebook profile selma***
15. Target #13: (12) 98111-****
15.1 Google search
A Google search for "(12) 98111-****" (with quotes) leads to the full name DAN*** ELA*** DA CUN*** TEI***.
Figure 38 - Google Search
The technique used with Targets #3, #6, #8 and #10 points to a slightly different full name: DAN*** ELA*** CUN*** CAR***.
A Google search with this full name (without quotes) leads to a third slightly different full name: DAN*** ELA*** CUN*** DA CAR***.
Finally, another Google search with the latter full name lands on a webpage that indicates she's married to a LOU*** PAR***.
Figure 39 - https://www.universal.org/noticias/post/***
Pivoting to him… Googling his name leads to a page maintained by Etersec (an Anonymous cell) that was used to doxx people who allegedly financed the January 8 riots.
Figure 40 - https://etersec.com/pt-br/financiadores-do-caos/
In Google My Maps “Viagem para praia”, DAN*** is associated with the bank account of VALETUR TRANSPORTES LOCACAO E TURISMO LTDA.
It's a bus rental company that made an Instagram post stating that they rented “a vehicle to Brasilia” but they “are not responsible for the attitudes of passengers”.
Figure 41 - Valetur's Instagram post
However, a news article states that Valetur charged below market value to transport demonstrators to Brasília – DF for the riots.
Figure 42 - https://g1.globo.com/sp/sao-paulo/noticia/2023/01/11/relatorio-da-prf-aponta-que-empresas-de-onibus-de-sp-suspeitas-de-apoiar-atos-golpistas-cobraram-valor-abaixo-do-mercado.ghtml
16. Target #14: (16) 99464-****
16.1 Google search
Searching (16) 99464-**** on Google leads to a company website.
Figure 43 - Google search
16.2 Whois
The website's whois yields a full name (ANA MAR*** ANJ*** CAR***), a CPF number (“social security number” in Brazil) and a Gmail account.
Figure 44 - Website's whois
A Google search with the full name yields an Instagram account with pro-Bolsonaro content.
Figure 45 - Instagram account @anamar***anj***car***
17. Target #15: (16) 98235-****
17.1 Google search
Googling Target #15's phone number (without quotes) brings us to only one result and several Bolsonaro-related images. Pretty much a dead end.
However, the technique used with Targets #3, #6, #8 and #10 brings us a full name: CAS*** REG*** MAR***.
Pivoting to the full name and googling it leads to two Twitter accounts with pro-Bolsonaro content.
Figure 46 - Twitter accounts associated with the full name CAS*** REG*** MAR***
Another Twitter profile (consistent with the previous ones) has a profile picture.
Figure 47 - Twitter profile @cas***reg***M10
18. Target #16: (31) 99366-****
18.1 Caller ID apps
Caller ID apps were particularly handy with this target since one of them brought a Gmail account and a profile picture.
Figure 48 - Caller ID app
The technique used with Targets #3, #6, #8, #10 and #15 brings a full name for target #16: BRU*** MAR*** DE SOU*** CAM***.
18.2 Google search
A Google search with the full name (with quotes) leads to a news article stating that he had his assets frozen because he was funding the riots.
Figure 49 - https://www.metropoles.com/colunas/grande-angular/invasao-saiba-quem-sao-alvos-do-pedido-de-bloqueio-de-r-65-milhoes
19. Target #17: (27) 98166-****
19.1 Google search
The phone number associated with Target #17 is linked to a Facebook page, according to a Google search.
Figure 50 - Google search
The most recent post on this Facebook page brings a name to Target #17's phone number.
Figure 51 - Facebook page
A Google search with the words “jho*** san*** direita sensata” (without quotes) leads to a news article indicating that Target #17 chartered two buses for the January 8 attacks.
Figure 52 - https://eshoje.com.br/2023/01/exclusivo-lider-de-onibus-fretado-para-brasilia-e-ligado-ao-pastor-fabiano/
20. Target #18: (11) 97871-****
20.1 Google search
A Google search with Target #18's phone number (11 97871-****) shows lots of social media posts announcing caravans to transport right-wing demonstrators to Brasília-DF.
In these posts, the phone number (11) 97871-**** is associated with the name LEA*** LOU***.
A slightly different Google search with another phone number format (1197871****) leads to a Facebook post where a full name can be found.
Figure 53 - Google search
This is an interesting case because it shows how phone number formats impact Google search results.
A way to get around this would be Phoneinfoga, a script that takes Google Dorks to their full extent when it comes to phone number lookups.
Although it doesn't cover all Brazilian phone number formats, Phoneinfoga leads to the same Facebook post that has Target #18's full name in it.
Figure 54 - Phoneinfoga
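The format problem described above can be turned around to check where a number you own is published, whatever notation the page uses. This is an added example, not code from this write-up or from Phoneinfoga; the function names, the sample text and the number (11) 99999-0000 are constructed, and the numbering rules are stated as assumptions in the comments.

```python
import re

# Assumption: Brazilian mobile numbers are DDD (2 digits) + 9 digits starting
# with 9; older listings may still show the 8-digit form (first digit 6-9).
def normalize_br_mobile(raw):
    """Return (ddd, nine_digit_subscriber), or None if not a mobile number."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) in (12, 13) and digits.startswith("55"):
        digits = digits[2:]                      # drop country code
    if len(digits) in (11, 12) and digits.startswith("0"):
        digits = digits[1:]                      # drop trunk prefix
    if len(digits) == 10 and digits[2] in "6789":
        digits = digits[:2] + "9" + digits[2:]   # restore the ninth digit
    if len(digits) != 11 or digits[2] != "9":
        return None
    return digits[:2], digits[2:]

def format_variants(raw):
    """Notations under which the same number is commonly written."""
    parsed = normalize_br_mobile(raw)
    if parsed is None:
        return []
    ddd, sub = parsed
    head, tail = sub[:5], sub[5:]
    variants = [
        f"({ddd}) {head}-{tail}",
        f"{ddd} {head} {tail}",
        f"{ddd}{head}{tail}",
        f"0{ddd}{head}{tail}",
        f"+55 {ddd} {head}-{tail}",
        f"+55{ddd}{head}{tail}",
        f"55{ddd}{head}{tail}",
        f"({ddd}) {sub[1:5]}-{tail}",   # legacy form without the ninth digit
        f"{ddd}{sub[1:]}",
    ]
    return list(dict.fromkeys(variants))

# Phone-like token: optional "+", optional "(", digits mixed with separators.
CANDIDATE = re.compile(r"\+?\(?\d[\d\s().-]{8,18}\d")

def find_number(text, raw):
    """Return every spelling of `raw` found in `text`, regardless of format."""
    target = normalize_br_mobile(raw)
    if target is None:
        return []
    return [m.group(0) for m in CANDIDATE.finditer(text)
            if normalize_br_mobile(m.group(0)) == target]

# Constructed sample text, not taken from any real post.
SAMPLE = ("Caravana: ligue (11)99999-0000 ou +55 11 99999 0000. "
          "Antigo: 11 9999-0000. Fixo: (11) 3000-0000.")

if __name__ == "__main__":
    print(format_variants("(11) 99999-0000"))
    print(find_number(SAMPLE, "11 99999-0000"))
```

Normalizing every candidate before comparing avoids the miss described above, where a search for one notation does not return pages that use another.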
21. Target #19: (22) 98842-****
21.1 Google search
This is a curious one.
Googling Target #19's phone number returns one and only one result: a restaurant in Araruama – RJ.
Figure 55 - Google Search result
A Google search with the restaurant's name leads to a Google review made by a “SIMONE OLI***”.
Figure 56 - Google Review
This is important because Target #19's phone number was accompanied by the name “SIMONE” in Google My Maps “Viagem para praia”.
But is “SIMONE OLI***” Target #19?
21.2 Phone number to GAIA ID
Thanks to Aware Online, it's possible to check if a particular phone number is associated with a GAIA ID.
Well... we did that. And guess what?
It happens that the GAIA ID associated with phone number (22) 98842-*** is the same GAIA ID that appears in the aforementioned Google Review.
Figure 57 - GAIA ID correlation
21.3 Facebook search
Searching Facebook with the string SIMONE OLI*** and looking for a similar profile picture leads to a Facebook profile with several right-wing posts.
Figure 58 -
22. Target #20: (19) 98108-****
22.1 Google search
This one was pretty straightforward because Target #20's phone number was associated with a full name that is not a common name in Brazil: RIE*** MUN*** MAR***.
A Google search with the full name (without quotes) leads to several news articles stating that she had her assets frozen because she was funding the riots.
Figure 59 - https://www.acidadeon.com/campinas/cotidiano/Empresarias-da-regiao-de-Campinas-sao-processadas-por-financiar-atentado-em-Brasilia-***.html
23. Target #21: (31) 99520-****
23.1 Google search
This one was also pretty straightforward because Target #21's phone number was associated with a partial name that is not a common name in Brazil: DAN*** BUS***.
A Google search with this partial name (without quotes) leads to several news articles stating that she had her assets frozen because she was funding the riots.
Figure 60 - https://g1.globo.com/mg/minas-gerais/noticia/2023/01/12/agu-identifica-5-moradores-de-bh-suspeitos-de-financiar-transporte-para-atos-terroristas-em-brasilia-***.ghtml
24. Conclusion
Part 2 is basically a phone number lookup write-up.
Considering that, it is amazing to observe how good old Google search still plays an important role these days.
In a world of Artificial Intelligence chat bots, OSINT customized Virtual Machines and other fancy solutions, keeping it simple is still the path of least resistance.