IDENTITY · SYNTHETIC CASE
Linking a sock puppet to a real operator via recovery metadata
Fresh Discord account, burner email, VPN IP. The break wasn't a breach dump — it was a partial recovery hint and a reused username from a 2019 forum scrape.
2026-02-04 · 6 min read · Username pivot · Partial recovery · Timeline correlation · OPSEC slip
Outcome: Two accounts tied to same operator with high confidence; no doxxing published.
Investigation log
Step 01 — Surface
Target presented clean identifiers — no breaches on primary email.
Step 02 — Alias reuse
Same handle on archived gaming forum (2019) with different email domain.
Step 03 — Recovery
Microsoft partial hint on alias email matched pattern from forum registration era.
Step 04 — Validate
Cross-referenced snowflake ID creation window with forum last-seen — consistent.
This case is synthetic and declassified for training purposes. Methodology reflects how WolfEye analysts work; identifiers and locations are fictional.
← All case files