IDENTITY · SYNTHETIC CASE

Linking a sock puppet to a real operator via recovery metadata

Fresh Discord account, burner email, VPN IP. The break wasn't a breach dump — it was a partial recovery hint and a reused username from a 2019 forum scrape.

2026-02-04 · 6 min read · Username pivot · Partial recovery · Timeline correlation · OPSEC slip

Outcome: Two accounts tied to same operator with high confidence; no doxxing published.

Investigation log

  1. Step 01Surface

    Target presented clean identifiers — no breaches on primary email.

  2. Step 02Alias reuse

    Same handle on archived gaming forum (2019) with different email domain.

  3. Step 03Recovery

    Microsoft partial hint on alias email matched pattern from forum registration era.

  4. Step 04Validate

    Cross-referenced snowflake ID creation window with forum last-seen — consistent.

This case is synthetic and declassified for training purposes. Methodology reflects how WolfEye analysts work; identifiers and locations are fictional.

← All case files