paint-brush
How to Make Sock Puppet Accounts for OSINT in 2021by@MattyBv3
20,392 reads
20,392 reads

How to Make Sock Puppet Accounts for OSINT in 2021

by Matty Bv3March 20th, 2021
Read on Terminal Reader
Read this story w/o Javascript

Too Long; Didn't Read

Follow this guide step-by-step, in chronological order, and learn the process for the future. As of March, 2021, these are the exact steps I’ve found to be most successful when trying to create a new sock puppet account from scratch. As long as they want to stay in business and grow, the services have to let new users sign up. As you create new accounts you’ll have to enter a lot of details about ‘you’ Your name, passwords, phone numbers, date of birth, security questions, etc.

Companies Mentioned

Mention Thumbnail
Mention Thumbnail
featured image - How to Make Sock Puppet Accounts for OSINT in 2021
Matty Bv3 HackerNoon profile picture


Everyday it seems to get harder and harder to make sock puppet (i.e. ‘fake’) accounts for OSINT research. Services want more information. They require real (non-VOIP) phone numbers. They assume using a VPN = sketchy.

Personally, I blame Russian troll farms.

Regardless of the reasons and restraints, there’s good news for us OSINT investigators. As long as they want to stay in business and grow, the services have to let new users sign up. So all we have to do is convince them that that’s what we are — legit, new users.

As of March, 2021, these are the exact steps I’ve found to be most successful when trying to create a new sock puppet account from scratch. Keep in mind, things change quickly. Websites go down. Apps change. Services adapt. Just like during an investigation, we have to be able to pivot as well.

Follow this sock puppet creation guide step-by-step, in chronological order, and you’ll not only build your accounts today, but learn the process for the future. I’ll try to keep this updated but if you come across any errors, or outdated instructions, feel free to email me at [email protected].

Plan the Persona

Don’t be tempted to come up with stuff on the fly. At least have these basics figured out beforehand:

  • Name/Age/Gender
    - FakeNameGenerator can help with this
  • Photo
    - This Person Does Not Exist can help with this 
    - Zoom closely into the photo to look for flaws
    - If you need to edit, but don’t have Photoshop, use Photopea directly in the browser
  • Banner
    - Image search for a generic banner your persona would likely use
    - e.g. If ‘you’ are a 25-year old recruiter in the U.S., image search ‘motivational quote banner’ and download one



Use a Password Manager

As you create new accounts you’ll have to enter a lot of details about ‘you’. Your name, passwords, phone numbers, date of birth, security questions, etc. Free and open-source password managers like Bitwarden (cloud-hosted) or KeePassXC (locally hosted) can be a great way to keep track of it all.


Get a ‘Burner’ Phone

Yes, you actually need a physical phone.
No, ‘burner’ phones are not illegal.
In fact, anyone without a landline should have an extra phone available at all times anyway. What if there was an emergency and your primary phone gets dropped in water, freezes for no reason, or you just can’t find it?

I digress.

Nowadays, it’s nearly impossible to setup accounts (and keep them alive) without having a non-VOIP phone number. Buy a cheap, used Android as anonymously as possible. I know that’s vague, but a detailed explanation is beyond the scope of this article. Do some research, get creative, and figure out how to buy one with cash. Then wipe it clean a few times.


Get a SIM card

A new SIM card gives you a new phone number. It does not make you anonymous. The physical device has a hardware ID that cannot be changed, so tracking different SIMs back to a single device isn’t hard. Hence, the reason you paid cash for a new device in the last step.

Currently, if you live in the U.S., the best deal on SIM cards is Mint Mobile’s 7-day trial for $0.99 on Amazon. You can buy that anonymously, too, if you create a new account, pay with a privacy.com masked credit card, and have it shipped to an Amazon locker. But again, beyond the scope here.

Shut down your device, change to the new SIM card, then boot it back up again. Just for the fun of it, go ahead and wipe that used device one more time. Can’t be too over-cautious.


Go to Public Wi-Fi

You don’t want to do any of this at home or work where you’re sharing your real IP address. You also can’t use a VPN as that will almost always prevent you from creating accounts. Use a local library, mall, or coffee shop. Try to choose a location that’s not right next to your house, but is close enough to travel to. You’ll be coming back here in the future.


Download Apps

Download and install the following apps in this order:

  • F-Droid: Think of this like the Apple App Store or Google Play, but for free and open-source apps.
  • Aurora Store: Download this from inside F-Droid. This is your replacement for Google Play. From inside Aurora Store, you can download all of the apps below (and any other you’d normally find on Google Play) without Google tracking it.
  • Mint Mobile: Use this to activate your new, real phone number.
  • Authy (by Twilio): You will use this to setup two-factor authentication (2FA) for all of your upcoming accounts. That way, you won’t need the Mint Mobile phone number after the trial expires. Feel free to substitute Authy for the software-token generating 2FA app of your choice.


Set Up 2FA

Ideally, you’ll use a hardware token like YubiKey when possible. It’s not only the most secure method of using 2FA, it’s the most convenient in my opinion. Unfortunately, not every service uses it, so setup Authy (or your chosen alternative) as well.


Make Your Pillar Email Account

This is your central email account. You may setup forwarding services or other email accounts later, but you’ll want to have one primary, centralized email account everything else forwards to.

What email service should you use? Well, that’s debatable. You want an account that looks normal (making account creation easier). Privacy-centric email providers like ProtonMail or Tutanota often get flagged. Temporary email services are out of the question, too, as you’ll likely need it in the future. I hate to say it, but my recommendation is:

Gmail

Yes, I know, it’s Google. Yes, it’s spying on you. Yes, ProtonMail and Tutanota are better. Yes, it hurts me personally to recommend it, hence the lack of bold text.

But if you followed the steps above, it’s not connected to you anyway. And since you’re only using it for sock puppet accounts, you shouldn’t really care what information it has about ‘you’. Plus, you’ll probably ending up using a Google Voice number here soon, so bite the bullet and set up a Gmail account.


Create a VOIP Number

See, I told you you’d be setting up Google Voice. Yes, there are better options like MySudo. You could even go through the hassle of manually purchasing numbers direct from Twilio. If you have the time and patience to, feel free. But Google Voice is quick, easy, free, and you don’t care if your personas info is tracked anyway. Just pick your poison and create a VOIP number you so you’re not reliant on Mint Mobile.


Set Up Your Sock Puppet Accounts

You should have everything you need to build your accounts, be it on Facebook, Twitter, LinkedIn, Instagram, etc. Take your time, create each account from start to finish, and store all the information in your password manager during creation, in this order:

  • Create the account
    - Your want to look as ‘normal’ as possible to the service
    - use public Wi-Fi
    - do not use a VPN
    - use your true (Mint Mobile) number for verification
  • Once the account is created, immediately navigate to the privacy and security settings
  • Change the phone number from your Mint to your VOIP number
  • Setup 2FA using Authy
  • Completely log out of the account
  • Log back in with your username/password from your password manager and Authy 2FA code

Only once you’ve created your account, and have confirmed you can log in using Authy for 2FA, should you move on to building the profile.


Build Your Account Profile

Spend some time building up your profile. Imagine you were actually that person you’re pretending to be… what would they do? Do those things. At the very least, be sure to:

  • Add applicable personal information
    - e.g. name, job, interests, etc.
  • Add the profile picture created earlier
  • Add the generic banner you downloaded earlier
  • Like or Follow a few topics relevant to your persona
  • Find a few other users interested in similar topics, like a few of their posts, and follow them (5–10 people is suffice)

Now stop. Don’t overdo it.

Log out of this account and move on to the next account you want to create. Wash, rinse, repeat.


Age Your Accounts

Congrats, you did it! You have working sock puppet accounts! Now, do you want to have to go through all that again in a day or two?

Didn’t think so.

Nothing will completely prevent your accounts from getting shut down, but you can make it less likely by aging them. Try not to use them for a few days, ideally a week. Let them simmer.

Then, go back to the same place you created them. Connect to that same public Wi-Fi. One by one, log in to each account and engage other users like your persona would.
Follow more topics. 
Like and share posts. 
Make some comments. 
Follow people and request connections. 
Teach the service provider that ‘you’ are a normal person, doing normal things, and it will be less likely to lock you out in the future. Once you’ve done all that, log out of everything and let it age for another week.

You should now be good to go. Your accounts are created and reliant only on your VOIP number and software-token 2FA. Your profiles look real to humans and pretty legit to algorithms as well. Feel free to go forth and OSINT.