Username OSINT
2026-6-28 21:50:33 Author: secjuice.com

A reused username is the cheapest identity leak a person owns. The scanners do not find people, they generate leads. Here is how to work them properly.

Somebody is about to paste a username into Sherlock, watch four hundred green ticks scroll past, and call that an investigation. It is not. It is the first ten percent of one, and the nine investigators out of ten who stop there are the reason innocent people get named for things they did not do. A namechecker does not find a person. It finds a pattern in an HTTP response, and the distance between those two things is somebody's reputation, sometimes somebody's liberty.

Here is the truth that makes this whole discipline worth learning. A reused handle is the cheapest, most durable identity leak a human being owns. People anchor on one name because they want to be recognised, they want the same word to mean them on every platform they touch, and that small act of vanity is an operational security failure you can pull a whole life out of. The catch is that the tools everyone reaches for are loud, blunt, and wrong often enough that the scan is the easy part. The real work, the part that separates an investigator from a person spraying a username at the internet, is what you do after the ticks stop scrolling. So this is not an article about which scanner to run. It is an article about the two halves of the job, and why almost everyone only does the first.

Scope Wide, Then Validate Narrow

There are two phases and they are not optional. Phase one is enumeration. You take the handle and you cast a wide automated net to find out where on the internet that string returns a profile. This is breadth work, and it should take you about ninety seconds. Phase two is validation. You take every single hit the net dragged up and you confirm, by hand, one profile at a time, that it actually belongs to your subject before you write it down. That is it. Scope wide, then validate narrow.

Almost nobody does phase two properly. They run the scanner, they get a list, they paste the list into a report and call it findings. That is malpractice. A found result is not a person, it is an HTTP response pattern that a tool decided looked like a profile, and Bellingcat's OSHIT framework, the seven deadly sins of bad open source research, names this exact sin: tool results should not be treated with complete certainty without corroboration. The scanner is a lead generator. You are the investigator. Do not confuse the two, and never skip phase two because the tool looked confident. Confidence is not a feature of the truth, it is a feature of the user interface.

TL;DR: The scan gives you leads. You give the answer.

The Attribution Checklist

So you have a hit. A profile on some platform with the right handle. Before that becomes a node in your report, it has to survive a checklist, and you are looking for at least two independent signals that say yes, this is the same human, before you let yourself believe it.

Start with the avatar, because cross platform photo reuse is the single strongest linker there is. Reverse image search the profile picture and see where else it lives, and remember that a great many platforms pull avatars from Gravatar, so the same face stamped across a dozen accounts is a loud signal that one person is behind them. Read the bio next, hunting for repeated phrasing, a reused personal URL, the same handful of links, a location, a signature line, the little verbal tics people copy and paste from profile to profile without thinking. Look at the account creation date and the activity timeline, because a handle that was registered in 2015 and went silent the precise week another account of the same name woke up is a continuity story, and a timeline that overlaps when it should not is an argument against the link, not for it. Follow the outbound links the subject placed themselves, a Linktree, a pinned my other socials post, a GitHub profile README, because a self declared link is worth ten name collisions. And read how they write, because consistent slang, the same obsessions, the same posting hours that betray a timezone, the same communities, all of it corroborates across platforms.

Two independent signals minimum before you call it confirmed. Corroboration is still not proof, but single signal attribution is exactly how an innocent person with a common handle ends up wearing somebody else's crimes.

False Positives Are The Design, Not The Bug

You need to stop thinking of false positives as a glitch to be patched and start understanding them as a structural property of how these tools work. Every namechecker on earth, Sherlock, Maigret, WhatsMyName, Blackbird, returns false positives by design, because they are matching the shape of a server's response, not the existence of a human. Three things generate the noise. Reserved and placeholder usernames that exist on a platform but belong to nobody. Name collisions, where a different human, or a bot, grabbed the same handle years before your subject was born. And lazy server engineering, where a not found page returns HTTP 200 instead of a clean 404, so a naive matcher reads success and plants a flag where there is nothing.

The federated platforms are the worst offenders by a mile, and there is a perfect teaching case for why. Every Mastodon instance is a separate server, and many of them serve a generic HTTP 200 error page for accounts that do not exist. Older tools read that 200 as a hit and cheerfully reported your username as present on dozens of instances where it had never existed. Maigret only fixed this in version 0.5.0 in August 2025, by adding per instance regex validation that actually reads the page instead of trusting the status code. Older versions and the swarm of abandoned forks still get it wrong this minute. So when two tools disagree on a platform, you do not pick a favourite, you open the URL yourself and read the page with your own eyes. Watch for homoglyphs while you are at it, the Cyrillic a standing in for a Latin a, a zero wearing the coat of an o, an underscore quietly added, because a username that looks identical can be a different account or a deliberate impersonator wanting to be mistaken for the target. And when a hit does not fit your subject, discard it. The urge to make it fit, what OSHIT calls cheerleading and the rest of us call confirmation bias, is the single biggest reason username work fingers the wrong person.
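The soft-404 problem and the homoglyph trap above, modelled offline as an added example (not code from the article or from any of the tools it names). The profile marker and the confusables table are assumed stand-ins; a real per-instance rule is written against that instance's actual HTML.

```python
import re
import unicodedata
from dataclasses import dataclass

@dataclass
class Response:
    """Minimal stand-in for an HTTP response; nothing here touches the network."""
    status: int
    body: str

# Constructed sample pages. The marker is an assumed stand-in for whatever a given
# instance really emits; per-instance rules exist precisely because that varies.
REAL_PROFILE = Response(200, '<meta property="profile:username" content="alice">')
SOFT_404 = Response(200, "<title>The page you are looking for isn't here.</title>")

def status_only(r: Response) -> bool:
    """The naive rule older tools used: HTTP 200 means the account exists."""
    return r.status == 200

def per_instance_rule(r: Response, handle: str) -> bool:
    """Read the body and require the marker for this exact handle, not just a 200."""
    marker = rf'property="profile:username" content="{re.escape(handle)}"'
    return r.status == 200 and re.search(marker, r.body) is not None

# Confusables fold (assumed subset): Cyrillic look-alikes (written as escapes so they
# cannot be mistaken for Latin), digit-for-letter swaps, and a quietly added underscore.
_FOLD = str.maketrans({"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
                       "\u0441": "c", "\u0443": "y", "\u0445": "x",
                       "0": "o", "1": "l", "_": ""})

def skeleton(handle: str) -> str:
    """Reduce a handle to what a reader sees, so look-alikes collapse to one string."""
    return unicodedata.normalize("NFKC", handle).translate(_FOLD).casefold()

def looks_alike(a: str, b: str) -> bool:
    """True when two different strings would be read as the same handle."""
    return a != b and skeleton(a) == skeleton(b)

def non_ascii_report(handle: str) -> list[str]:
    """Name every non-ASCII code point so a Cyrillic 'a' cannot hide in a report."""
    return [f"U+{ord(c):04X} {unicodedata.name(c, 'UNKNOWN')}" for c in handle if ord(c) > 127]

if __name__ == "__main__":
    print("status only, soft 404:", status_only(SOFT_404))                  # True: a false positive
    print("per-instance, soft 404:", per_instance_rule(SOFT_404, "alice"))  # False
    print("per-instance, real:", per_instance_rule(REAL_PROFILE, "alice"))  # True
    print("look-alike:", looks_alike("\u0430lice", "alice"), non_ascii_report("\u0430lice"))
```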

The Pivot Is The Point

Now the part that actually builds an identity, and the part the tutorials skip because it cannot be automated into a one liner. The scan is not where the intelligence is. The pivot is. A scanner hands you a scatter of accounts. An investigator turns one account into a thread and pulls until a name falls out.

Walk the chain. A username leads to an email, because old forum profiles, GitHub commit metadata and dusty about pages leak addresses constantly. Take that email and run it through a registration checker like Holehe, which quietly asks 120 plus sites whether the address is registered without ever alerting the owner, and through Gravatar, and watch it surface accounts the username search never touched. Then reverse the move, strip the local part off the email and run it as a brand new username, because people grab their favourite handle on platforms their email never saw, and your surface jumps from fifty sites to thousands. Do not search only the exact string either. Generate permutations, the bare handle, the handle with a trailing underscore, handle123, handle photography, firstname lastname, because the human you are chasing was not consistent and neither should your search be.

This is where Maigret stops being a Sherlock fork and becomes the strongest engine in the box. When it confirms a profile it parses the page for other usernames, IDs and links, then automatically goes and searches those too, building an identity graph by recursion. Sherlock and WhatsMyName have no equivalent, they check and stop, Maigret checks and then chases what it found. Document every node as you go, every handle and every URL, because a forgotten account three pivots deep is usually where the real name is sitting in plain sight. And archive as you pivot, screenshot and Wayback every profile the moment you see it, because accounts go private or vanish the second a subject senses attention, which OSHIT lists as its own deadly sin. This whole approach has a patron saint. The Silk Road did not fall to cracked cryptography. It fell to a reused handle. IRS investigator Gary Alford traced the name altoid, used in the earliest Silk Road promotion and again in a Bitcoin forum post begging for programming help, a post that carried an email address with Ross Ulbricht's full name inside it. One handle, reused, collapsed the pseudonymity of an entire darknet empire. The pivot is the point.
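The pivot chain as an added example (not Maigret's code or anything from the article): a breadth-first walk over a constructed, offline set of already-validated pages that parses each one for handles, emails and links, reverses the email into a username, and documents every node before searching the next. The site templates and page texts are assumed and fictional.

```python
import re
from collections import deque

# Constructed offline corpus standing in for profile pages that have already passed
# validation. Keys are profile URLs, values the visible text. No real accounts.
PAGES = {
    "https://forum.example/u/nightowl_77": "nightowl_77, member since 2014. Contact: j.doe.example@mail.example",
    "https://git.example/nightowl_77": "nightowl_77 / README: my blog is https://blog.example/about",
    "https://blog.example/about": "Hi, I am J. Doe. Find me on the fediverse as @jdoeexample",
    "https://social.example/@jdoeexample": "jdoeexample here. Code is still under @nightowl_77 on git.example",
}
# URL templates for the three sites the corpus covers (an assumed scanner site list)
SITES = ["https://forum.example/u/{}", "https://git.example/{}", "https://social.example/@{}"]

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+")
HANDLE_RE = re.compile(r"@([A-Za-z0-9_]{3,})")
URL_RE = re.compile(r"https?://[^\s,]+")

def extract_leads(text):
    """Pull emails, @handles, email local parts and URLs out of one page's text."""
    emails = set(EMAIL_RE.findall(text))
    # scrub emails first so the domain of j.doe@mail.example is not read as handle 'mail'
    handles = set(HANDLE_RE.findall(EMAIL_RE.sub(" ", text)))
    handles |= {e.split("@", 1)[0] for e in emails}  # reverse the move: local part as a handle
    return handles, emails, set(URL_RE.findall(text))

def pivot(seed_handle, max_depth=3):
    """Recursive pivot: each page is parsed for leads, and every lead is searched in turn.
    Returns the identity graph {page_url: sorted leads found there} and every email seen."""
    graph, emails_seen = {}, set()
    queue = deque((tpl.format(seed_handle), 0) for tpl in SITES)
    while queue:
        url, depth = queue.popleft()
        if url in graph or url not in PAGES or depth > max_depth:
            continue  # already documented, or not a validated hit: never guess
        handles, emails, urls = extract_leads(PAGES[url])
        graph[url] = sorted(handles | emails | urls)  # document every node as you go
        emails_seen |= emails
        for h in handles:
            queue.extend((tpl.format(h), depth + 1) for tpl in SITES)
        queue.extend((u, depth + 1) for u in urls)
    return graph, emails_seen

if __name__ == "__main__":
    for node, leads in pivot("nightowl_77")[0].items():
        print(node, "->", leads)
```

Three pivots deep the seed handle reaches a fediverse account under a different name, and the visited check stops the loop when that account points back at the seed.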

The namechecker landscape is a graveyard, and that is the most important sentence in this article. Most of the tools you will find recommended in a 2019 blog post are abandoned forks that no longer detect what they claim to, and running a dead scanner gives you false negatives you will never notice. So before you trust any tool's coverage, check it against soxoj's namecheckers list, the continuously updated catalogue that tracks site counts and, more usefully, which tools are maintained and which are corpses. It flags a long roll of once popular names as dead: nexfil, tookie-osint, sagemode, GhostTrack, Userrecon, sherlock-go and more. Consult it before you believe anybody, including me.

Here is the live portfolio in 2026.

Sherlock is the classic command line namechecker, building expected profile URLs across 400 plus sites and checking the response, no API keys, fast, scriptable, and it shipped v0.16.0 in September 2025 so it is genuinely maintained. Install it with pipx or Docker, and ignore the ParrotOS and Ubuntu 24.04 packages, which are flagged broken. It does URL existence only, no page parsing, with a moderate false positive rate, so it is your quick first net and nothing more.

WhatsMyName is the community maintained detection dataset, wmn-data.json, 700 plus hand curated sites, the quiet engine that powers half the ecosystem including Blackbird and Spiderfoot and a stack of Maltego transforms. Micah "WebBreacher" Hoffman has kept it alive since 2015, the hand curation keeps its false positive rate low, and the free in browser tool at whatsmyname.app runs stateless in about ninety seconds with nothing to install, which makes it the perfect phase one for someone who does not want a Python environment.

Maigret is the heavyweight, 3,000 plus sites with the top 500 checked by default, real profile parsing, recursive search, HTML and PDF and graph reports, permutations, an optional AI summary mode, the lowest false positive rate and the slowest run, and v0.5.0 is the one you want for the Mastodon fix.

Blackbird searches by username and email across 600 plus platforms on the WhatsMyName data and bolts a free AI profiling pass over the hits, just make sure you are running the p1ngul1n0 original and not one of the dead forks.

And Enola, Sherlock's sister, is a single Go binary across 407 sites with a slick interface when you want speed and no Python at all.

Every one of these is free and open source. Tool selection and ruthless validation matter more in 2026 than running yet another scanner.

The 2026 Gotchas Nobody Updated

The ground has shifted under the old guides and they have not noticed. Telegram removed People Nearby in 2024, which shoved everyone toward username centric methods, so validate a Telegram handle by requesting t.me/username directly: a redirect to telegram.org means the handle is unclaimed, a profile means it exists, and capture the permanent numeric Telegram ID while you are there because that never changes even when the public username does, which makes it your stable anchor. Instagram and Facebook now gate profile views behind login walls and rate limit anonymous enumeration hard, so an unauthenticated namechecker will miss them or report them wrong, and you verify those by hand from a logged in sock puppet account. The fediverse you only trust from a tool with per instance validation, Maigret 0.5.0 and up, never an older build or a random fork. And remember that detection rules rot, platforms change their HTML and their status codes constantly and quietly break a tool's site rule, so a not found today can be a stale rule lying to you, which is why Maigret auto pulls its site database from GitHub every 24 hours and why you cross check anything that matters against a second, freshly updated tool.

Mind Your Own Shadow

Two things the tool tutorials never mention, and both can hurt you. First, every namechecker fires its requests straight at the target platforms from your IP address. Run a sensitive investigation off your home or office connection and you have signed your name to it. Use a sock puppet, a clean browser profile carrying no cookies and no autofill and no identifying extensions, and a VPN, and know that Tor exit nodes are routinely rate limited or outright blocked by the very sites you are trying to check, so Tor is not the free pass people assume. Second, the act of looking can tip off the target. Aggressive scanning, a profile view from a logged in account, a careless follow request, any of it can wake the subject who then locks everything down or deletes it, which is precisely why you archive to Wayback or archive.today before you risk being seen, not after.

And the legal line, because an infosec audience of all people should not need reminding that ignorance is not a defence. Enumerating public profiles is generally lawful. Logging into platforms with sock puppets, scraping, pretexting, those can breach a platform's terms of service and, depending where you are and what you intend, brush up against computer misuse or harassment and stalking law. Operate under a documented authorisation, a defined purpose, and the law where you stand. This is investigation. It is not a licence to hunt a person, and the same handle that lets you find someone is the handle that lets a stalker find them too. Never lose track of which one you are.

The Last Word

Burn the idea that the scanner is the work, because it never was. Username OSINT is two jobs wearing one coat: the loud, fast, automated scope that any tool can do, and the quiet, patient, manual validation that only you can do and that almost nobody bothers with. The investigators who attribute correctly are not the ones with the longest site count. They are the ones who treat every green tick as a question, who pull the pivot thread until a real name falls out of a forgotten account, who archive before they look and disconfirm as hard as they confirm, and who know in their bones that a match is not a name until two independent signals say so. Ulbricht was undone by one reused handle. Your target probably has one too. Go and find it, then go and prove it, and never confuse the two.


Source: https://secjuice.com/username-osint/