
OSINT in Gray Zone Warfare

Date Posted: March 25th, 2025

By Kellen Schollaert, Director of Strategy and Enablement at Penlink

Introduction

Conflict isn’t all about tanks rolling across borders. It’s also about coercion without combat, influence without attribution, and operations that stay just below the threshold of actual war. In this type of “gray zone” warfare, the intelligence community is in a constant battle to stay ahead.

In the gray zone, tactics such as disinformation campaigns, cyber operations, and proxy warfare are often conducted in the open. Adversaries weaponize public information, exploit digital platforms, and blend deception with real-world events. OSINT has rapidly become the front line in detecting, attributing, and countering these operations—and the question for intelligence operatives is no longer whether OSINT is valuable, but whether we’re using it quickly and effectively enough.

The Gray Zone Playbook: How Adversaries Exploit Open Sources

Gray zone warfare thrives in ambiguity. A well-executed campaign allows an adversary to weaken a target politically, economically, or socially while maintaining anonymity and/or plausible deniability.

Take Russia’s use of “little green men” in Crimea, or China’s maritime militia in the South China Sea. These aren’t uniformed soldiers; they’re unofficial actors operating in a legal and strategic gray area. By the time traditional intelligence catches up, the damage is often done, and it’s incredibly hard to repair.

Here are some ways OSINT changes the game:

  • Disinformation detection—Monitoring social media, news cycles, and forums to identify coordinated influence operations.
  • Geolocation and imagery analysis—Using commercial satellite and location signals data, as well as user-generated and -posted content, to track real-time movements.
  • Cyber threat attribution—Analyzing IP traffic, domain registrations, web sessions, and leaked databases to expose digital threat actors.
  • Financial tracking—Following illicit networks using blockchain analysis and corporate records research.

Real-World Applications of OSINT

1. Disinformation Warfare in the Digital Battlefield

State actors are no longer just using tanks and missiles—they’re using memes, fake news, and deepfake videos to shape public perceptions. The 2023 Doppelgänger Operation, attributed to Russia, used cloned Western news websites to push disinformation about NATO and Ukraine.

Here are a few ways OSINT can help:

  • AI-driven sentiment analysis detects coordinated narratives spreading across platforms.
  • Network-mapping tools identify bot-driven amplification and cross-platform influence.
  • Fact-checking AI cross-references claims against verified data sources to debunk false narratives in real time.

The challenge is speed. By the time governments identify, plan, and refute disinformation, it’s often too late. This is why it’s so important for governments to put emphasis on information operations, communications, and global engagement. We are seeing this development firsthand in efforts by the DoD, the DIA, the State Department, and others to counter adversarial influence operations.

2. Tracking Covert Military Movements

During Russia’s invasion of Ukraine, OSINT analysts weren’t just reacting to official briefings or waiting for news—they were predicting troop movements before traditional sources made public statements.

Examples include:

  • TikTok videos of military convoys were geolocated by analysts in minutes.
  • Satellite imagery from technology companies tracked equipment buildups at border crossings.
  • Rail-traffic data indicated logistical preparations days in advance.
  • Location signals data showed troop movements and exposed staging areas.

Rather than intelligence analysts leveraging exquisite, state-level capabilities, this involved the use of publicly available information to create intelligence that anyone could verify. From the onset, OSINT played a pivotal role in the Ukraine conflict, demonstrating its exceptional value as an intelligence discipline.

3. Cyber Threat Attribution: Uncovering Digital Breadcrumbs

Cyber warfare is an integral part of the gray zone, and sophisticated adversaries know how to cover their tracks. OSINT continues to provide new ways to attribute attacks without tapping into classified sources or methods.

Attributing cyber-attacks is a complex but essential task in countering gray zone operations. The U.S. government categorizes cyber threats into those by nation-state actors (such as China, Russia, North Korea, and Iran) and those by criminal groups seeking financial gain. Drawing on information highlighted in a Congressional Research Service report on cyber-attacks, the following outlines OSINT’s role in this space.

OSINT’s unmasking of adversaries can be accomplished by:

  • Tracking attack infrastructure (e.g., domains, IPs, and malware signatures).
  • Analyzing dark web activity to monitor cybercriminal chatter, which can include information slippage and self-identification.
  • Correlating cyber incidents with geopolitical developments or open-web discussions.

While adversaries use proxy networks, false-flag operations, and an evolving attack infrastructure to evade detection, OSINT-driven cyber analysis enhances attribution confidence and speeds up response efforts.

4. Exposing Sanctions Evasion

“Follow the money” is a common technique and often leads to finding the networks behind gray zone operations. OSINT is now critical in tracking illicit financing, cryptocurrency laundering, and sanctioned asset movements.

As an example, Iran has used maritime deception tactics to bypass international sanctions. They turn off transponders, forge paperwork, and engage in ship-to-ship transfers in neutral waters. OSINT analysts expose these operations using:

  • AIS maritime tracking software to identify suspicious tanker movements.
  • Location signals data to illuminate “ghost vessels” that illegally turn off AIS.
  • Satellite imagery to verify unauthorized dockings.
  • Corporate registry searches to connect front companies to Iranian interests.

Using these methods, analysts uncover sanctions evasions and illegal ship-to-ship oil transfers and provide this intelligence to the government in support of tightening enforcement and disrupting illicit networks.

The Future of OSINT in National Security

OSINT must evolve with gray zone tactics. This demands:

  • AI-driven OSINT automation—Reducing analysis time from hours to minutes.
  • Public-private collaboration—Leveraging commercial tech firms for real-time access and improved speed-to-intelligence.
  • OSINT training for warfighters—Embedding OSINT capabilities at the tactical level.
  • Ethical and legal considerations—Defining the limits of surveillance in open-source environments to avoid unnecessary roadblocks.

The U.S. government is already moving in this direction. Recent national intelligence strategies and guidance identify OSINT as a core discipline, mandate its adoption, and provide insight into its implementation:

OSINT Is No Longer Optional

Gray zone warfare has been here for a while. But now the battleground is digital, decentralized, and designed to exploit gaps in intelligence collection.

“All warfare is based on deception.” —Sun Tzu

The nations, agencies, and warfighters that effectively integrate OSINT into their operations will outmaneuver adversaries and expose deception before it translates into strategic advantage. That advantage will belong to those who can see, interpret, and act on information more quickly than their adversaries in the digital space.
