Bellingcat: The Osint Gatekeepers Who Can't Secure Their Own Site

ringmast4r.substack.com
The OSINT Gatekeepers Who Can't Secure Their Own Site: A Bellingcat Investigation

173 Gravatar Hashes Extracted. 89 Emails Cracked. 32 Gravatar Profiles Harvested. All From bellingcat.com Using the Methodology They Claim to Teach.

Patrick Quirk, Feb 18, 2026

Introduction

Bellingcat has built a reputation as the gold standard of open-source intelligence. They’ve investigated Russian military operations, tracked chemical weapons, and positioned themselves as the authority on OSINT methodology. They run a Discord community, offer paid workshops, and cultivate an image of openness and collaboration.

I was kicked from their Discord for posting a gif in an inactive channel. Not malware. Not doxxing. Not harassment. A gif. The self-appointed hall monitors — none of whom held moderator roles — lectured me about rules I hadn’t broken, and within minutes I was banned. The reason logged by their system? “Discord ToS/Threats.”

It didn’t stop there. Bellingcat operates a crossban system that propagates bans across affiliated OSINT communities. I was automatically banned from Project Owl: The OSINT Community — a server I had never opened, never posted in, and never interacted with. The Dyno bot message read: BC Crossban: Discord ToS/Threats.

Posting a gif became a “threat.” A single server ban became an ecosystem-wide exile.

So I did what any OSINT practitioner would do: I investigated the investigators.

What I found: 173 Gravatar email hashes sitting in Bellingcat’s public WordPress sitemap, completely unprotected. The organization that teaches OSINT workshops and gatekeeps community access couldn’t be bothered to disable basic author enumeration on their own website.

I didn’t stop at extraction. I cracked 89 of those hashes back into the original email addresses. I pulled 32 full Gravatar profiles containing real names, locations, social media accounts, and bios. I scraped all 1,318 published articles for author intelligence and cross-referenced everything against Gravatar’s public API.

Over half of Bellingcat’s staff and contributors were de-anonymized from a single sitemap.

The Discord Incident

What Happened

I joined the Bellingcat Discord and posted a gif in a channel that was largely inactive. Within minutes:

- Mlep (no moderator role): “You are not going to want to be posting memes here, new friend”
- th0ma5 suggested I contact @ModMail — a bot that requires permissions to view all your other Discord servers
- I replied: “This whole thread looks dead & You dont have a role in here. Don’t worry about it”
- ant_on_hunt (no moderator role): “It might be beneficial for you to read the rules before posting.”
- I replied: “Same to you ~ it’s all good”

None of these users held moderator positions. The actual moderators never intervened, never issued a warning, never engaged.

The Ban

Kicked from Bellingcat Discord. Reason: Discord ToS/Threats.

A gif and two mild responses became a Terms of Service violation and a “threat.” No warning. No appeal process. No moderator contact.

The Crossban

The next day, a Dyno bot message:

You were banned in Project Owl: The OSINT Community. | BC Crossban: Discord ToS/Threats

“BC Crossban” — Bellingcat Crossban. Their ban system automatically propagated to Project Owl, a server I had never joined, never posted in, and never interacted with in any capacity.

Bellingcat doesn’t just moderate their own community — they control access to the broader OSINT ecosystem through shared ban lists. Get flagged in one server, lose access to all affiliated communities.

The ModMail OPSEC Problem

Before the ban, I was directed to verify through ModMail — a Discord bot that requires the guilds OAuth2 scope. This permission grants the bot visibility into every Discord server the user has joined.

For a regular gaming Discord, this is a minor privacy tradeoff. For an OSINT community — a community whose members may include journalists, researchers, activists, and people investigating hostile governments — exposing your full server membership list is a significant operational security risk.

Your server list is metadata. It reveals:

- What topics you research
- What communities you belong to
- What governments or organizations you may be investigating
- What political or activist groups you associate with

An OSINT organization asking members to hand over this metadata as a condition of entry is either ignorant of the risk or indifferent to it. Neither is acceptable from people who position themselves as security experts.

The Investigation: bellingcat.com

After being banned for a gif and crossbanned from communities I’d never touched, I turned Bellingcat’s own methodology back on them.

Methodology

- Target: bellingcat.com
- Method: WordPress sitemap enumeration, Gravatar API profiling, article scraping (all passive, no authentication)
- Tools: Custom Gravatar hash extraction, automated email pattern cracker (~160M candidates tested), Gravatar profile scraper
- Source: Public WordPress author sitemap, author-sitemap.xml, 1,318 published articles
- Date: February 9-18, 2026

What WordPress Sitemaps Expose

WordPress generates XML sitemaps that list all published authors. Each author entry includes a Gravatar URL containing an MD5 hash of their email address. This is a well-known enumeration vector that any security-conscious WordPress administrator should mitigate.

Gravatar hashes can be:

- Cracked back into email addresses using name-based pattern generation
- Queried against Gravatar’s public profile API to recover real names, locations, bios, and linked social accounts
- Cross-referenced with breach databases
- Used to build profiles of contributors and staff

Phase 1: Hash Extraction

173 unique Gravatar MD5 hashes extracted from bellingcat.com’s public WordPress sitemap and author pages. These hashes belong to every author who has ever published content on the site — investigators, analysts, contributors, editors, and staff. The WordPress REST API and sitemap were left in their default configuration with no hardening applied.

Phase 2: Hash Cracking

Using name-based email pattern generation against ~160 million candidate emails at ~1 million hashes/second: 89 of 173 hashes (51.4%) cracked back into the original email addresses.

Recovered emails include @bellingcat.com corporate addresses, personal Gmail/Protonmail/Hotmail accounts, university emails (.edu, .ac.uk), and international providers. Several investigators were found using personal email addresses that link directly to their real identities across multiple platforms.

Phase 3: Gravatar Profile Harvesting

Each hash was queried against Gravatar’s public API. 32 profiles returned data including:

- Real names and display names
- Geographic locations (Groningen NL, London UK, Alexandria VA, Istanbul)
- Linked social accounts (Twitter/X handles, Facebook profiles, Flickr, YouTube)
- Bios and professional descriptions
- Alternative usernames that were then used to crack additional hashes

Phase 4: Article Intelligence

All 1,318 published Bellingcat articles were scraped, extracting 232 unique author bylines. These names were fed back into the cracker, yielding additional matches including university email addresses at King’s College London, Stanford, and UC Berkeley.

Sample Findings

[REDACTED] (89 cracked emails + 32 Gravatar profiles — see paid section)

The Irony

Let’s summarize what Bellingcat — the self-proclaimed authority on open-source intelligence — has demonstrated:

1. They Can’t Secure Their Own WordPress Site

173 contributor email hashes exposed through default WordPress configuration. 89 cracked into email addresses. 32 Gravatar profiles harvested with real names, locations, and social accounts.

This is not an advanced attack. This is not a zero-day. This is basic WordPress hardening that any junior sysadmin knows to do. Disable author enumeration. Strip Gravatar hashes from sitemaps. It takes minutes.

Bellingcat runs paid OSINT workshops teaching people how to investigate targets. They didn’t apply the most basic defensive measures to protect their own people. Over half their staff were de-anonymized in a single afternoon.

2. They Demand Your Metadata to Enter

The ModMail verification bot requires visibility into every Discord server you’ve joined. An OSINT community — where members may be investigating hostile state actors — asking for a complete map of your online affiliations as a condition of entry.

3. They Gatekeep a Ghost Town

The channel I posted in was inactive. The users who lectured me held no moderator roles. The actual moderators were absent. But the ban was swift, the escalation was immediate, and the crossban was automatic.

4. They Weaponize Bans Across the Ecosystem

A gif in a dead channel became “Discord ToS/Threats” — and that label was propagated to every affiliated OSINT community through their crossban system. You don’t just lose access to Bellingcat — you lose access to the OSINT community at large.

5. They Got Investigated by Someone They Banned

I used publicly available, passive OSINT techniques — the exact kind of work Bellingcat claims to champion — to enumerate their own contributors. The tools they teach about in workshops are the same tools that exposed their failures.
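The WordPress hardening the post keeps returning to (no author list in the sitemap, no Gravatar hash in any avatar URL, a 403 from the REST users endpoint) as a single must-use plugin. This is an added example written for this article, not code from the post or from Bellingcat; the local avatar file path is assumed, and everything else is stock WordPress core hooks.

```php
<?php
/**
 * Plugin Name: Contributor Enumeration Hardening (added example)
 * Drop into wp-content/mu-plugins/ so it loads on every request.
 * Hypothetical code written for this article; not a Bellingcat or WordPress.org plugin.
 */

// 1. Author enumeration: remove the "users" provider from the core XML sitemap
//    (wp-sitemap-users-1.xml) and send author archives and ?author=N probes home.
//    Plugin-generated sitemaps such as the author-sitemap.xml named in the post
//    come from the SEO plugin, not core, and must be switched off in its own settings.
add_filter( 'wp_sitemaps_add_provider', function ( $provider, $name ) {
    return ( 'users' === $name ) ? false : $provider;
}, 10, 2 );

add_action( 'template_redirect', function () {
    // Priority 1 so this runs before core's canonical redirect resolves ?author=N.
    if ( is_author() || ( isset( $_GET['author'] ) && ! is_admin() ) ) {
        wp_safe_redirect( home_url( '/' ), 301 );
        exit;
    }
}, 1 );

// 2. Gravatar hashes: short-circuit avatar lookups with a local image so that
//    md5(email) is never computed and never appears in markup, feeds or API output.
add_filter( 'pre_get_avatar_data', function ( $args, $id_or_email ) {
    $args['url']          = content_url( '/uploads/local-avatar.png' ); // assumed local file
    $args['found_avatar'] = false;
    return $args;
}, 10, 2 );

// 3. REST API: /wp-json/wp/v2/users answers 403 unless the caller may list users,
//    and responses that are allowed through carry no avatar_urls either.
add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    if ( 0 === strpos( $request->get_route(), '/wp/v2/users' ) && ! current_user_can( 'list_users' ) ) {
        return new WP_Error( 'rest_forbidden', 'User listing is disabled.', array( 'status' => 403 ) );
    }
    return $result;
}, 10, 3 );

add_filter( 'rest_prepare_user', function ( $response ) {
    $data = $response->get_data();
    unset( $data['avatar_urls'] );
    $response->set_data( $data );
    return $response;
} );
```

After deploying, confirm the change from an unauthenticated browser: wp-sitemap.xml should list no users sitemap, author archive URLs should redirect, and /wp-json/wp/v2/users should return HTTP 403.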
What Should Have Been Done

For an organization of Bellingcat’s profile, the following are minimum-standard security measures:

- Disable WordPress author enumeration — Remove author archives from sitemaps
- Strip Gravatar hashes — Use local avatars or disable Gravatar integration entirely
- Disable the WordPress REST API user endpoint — /wp-json/wp/v2/users should return 403
- Implement proper moderation — Warnings before bans, moderator involvement, appeal processes
- Audit the ModMail bot permissions — Do not require server list visibility from an OSINT community
- Review crossban policies — Automatic ecosystem-wide bans for minor infractions are disproportionate

None of this is advanced. None of this requires specialized knowledge. These are the basics.

Collection Statistics

- Domain: bellingcat.com
- Hashes Extracted: 173 unique MD5 Gravatar hashes
- Hashes Cracked: 89 (51.4% success rate)
- Gravatar Profiles Harvested: 32
- Articles Scraped: 1,318
- Unique Authors Identified: 232
- Email Candidates Tested: ~160,000,000
- Source: WordPress sitemap + author pages (publicly accessible)
- Hash Type: MD5 (Gravatar standard)
- Scan Date: February 9-18, 2026

Conclusion

Bellingcat positions itself as the gatekeeper of the OSINT community. They run workshops. They lecture at conferences. They moderate who gets to participate in open-source intelligence.

But they can’t secure their own WordPress site. 173 email hashes — belonging to their investigators, analysts, and contributors — sat exposed in their public sitemap. 89 of those were cracked back into email addresses. 32 Gravatar profiles were harvested with real names, locations, and linked social accounts.

The same organization that kicked me for a gif, labeled me a “threat,” and crossbanned me from communities I’d never visited left their own people’s data wide open to the exact techniques they claim to teach.

This isn’t about a Discord ban. This is about an organization that has confused authority with competence. They gatekeep access to the OSINT community while failing to apply the most basic OPSEC to their own infrastructure.

I bend the knee to no one. Especially not to people who can’t practice what they preach.

Tools Used:

- WordPress sitemap enumeration
- Gravatar hash extraction and cracking (~160M email candidates)
- Gravatar profile API harvesting
- Full article scraping (1,318 articles)
- Discord screenshot documentation

No exploitation. No hacking. No authentication bypass. Just publicly accessible information and the OSINT methodology Bellingcat claims to own.

Bellingcat OSINT Investigation — February 2026

All data collected from publicly accessible sources without authentication bypass or system compromise.

© 2026 Ringmast4r