DEFCON / ALPHA

Section III

Battlefield OSINT

OSINT (Open-Source Intelligence) on the Ukrainian front is a double-edged weapon. This chapter describes how the enemy uses it against you and which defensive principles to adopt. It does NOT contain offensive OSINT techniques against people or targeting procedures via open sources.

What OSINT is on the modern battlefield

OSINT is systematic collection of information from public sources (social media, commercial satellite imagery, daily-life recordings, forums, civilian sensor data). On the 2022-2026 front it plays both strategic and tactical roles, in compressed times.

  • Social media: Telegram, Twitter/X, Instagram, TikTok — primary public source
  • Commercial satellite: Maxar, Planet, ICEYE SAR — 30-50 cm resolution
  • Maps and crowd-sourcing: OpenStreetMap, OSINT-channel geo-confirmation (GeoConfirmed, OSINTtechnical)
  • OSINT communities: volunteer analysts aggregate evidence, some high quality
  • AI-assisted geo-localisation: tools identifying locations from photos in minutes
  • Civilian phones: anomalous cellular-traffic patterns identifiable from public sources

How the enemy uses OSINT against you

The enemy collects OSINT in a structured way. Publicly documented cases show targeting obtained directly from friendly publications.

  • Published photos / selfies: geo-confirmed to identify unit position
  • Training videos: reveal equipment, tactics, numbers
  • Unit stories on Telegram: pattern of life, commanders, strength
  • LinkedIn / Facebook profiles of volunteers: identification, background, network
  • Obituaries and decorations: identify losses, assess brigade
  • Foreign-volunteer tracking: entry routes, destination brigades
  • Civilian crowdsource: Russian/occupied citizens flag friendly positions on Telegram
Documented example

Command posts, logistic hubs, ammunition depots have been publicly compromised by social-network photos from personnel or residents. OSINT-driven losses documented on both sides of the conflict are significant.

OPSEC against OSINT — defensive principles

Defensive OPSEC against OSINT is not 'publish nothing' (impractical for many volunteers) but 'publish with discipline, outside operational context, with neutral metadata'.

  • No photos in operational zone, no photos during op, no photos identifiable as such
  • No EXIF metadata — always stripped before any sharing
  • No identifiable backgrounds (known buildings, unique landscapes, road signs)
  • No uniform with identifying patches on public account
  • No precise dates / times (minimum weeks of delay for any publication)
  • No teammate names, even nicknames indicating brigade link
  • No geographic mentions, even generic ("near Donbas")
The 30-day rule

A guideline adopted by experienced volunteers: publish nothing referring to less than 30 days of age. Pattern of life has aged, targeting is less useful. Works only if applied by the whole squad.

Publication discipline

  • Public personal profiles: pre-2022 content, nothing recently operational
  • Unit profiles: only brigade-authorised official material
  • Private photos to family: via encrypted apps (Signal), not social
  • Pattern: vary hours and contexts to avoid revealing theatre presence
  • Squad coordination: nobody publishes without tacit or explicit approval
  • Periodic review: remove historic content that retrospectively becomes compromising

Friendly OSINT — ethical and operational principles

Friendly OSINT exists — Ukrainian services, brigades, public OSINT communities work on open enemy material. For the volunteer, understanding principles is part of the culture, but active employment is specialist.

  • OSINT-based targeting: your own brigade may receive intel produced by OSINT — knowing means respecting the source
  • Source verification: OSINT is subject to deception, sources must be triangulated before action
  • Ethics: no civilian identification, no targeting of non-combatants, legal distinction
  • Discipline: friendly OSINT must operate within legal framework (LOAC, IHL)
  • Reporting: OSINT contributions from individual volunteers go via brigade channels, not published
  • Awareness: every piece of info on social may be part of enemy PsyOp / deception

Deception and counter-OSINT

OSINT is not only collection — it is also manipulation. Both sides conduct deception operations via OSINT channels.

  • Fake profiles: social accounts designed to attract friendly contacts and harvest data
  • Manipulated photos: deepfakes and out-of-context images to influence perception
  • False patterns: publish material suggesting inaccurate positions as active deception
  • Phishing: messages sent to OSINT-identified volunteers, seeking further access
  • Counter-narrative: fabricated testimonies to undermine morale or reputation
  • Healthy suspicion: any unsolicited contact asking operational details is potentially hostile

Common mistakes

  • Uniform selfie on Instagram "for friends" — private account is not private
  • Telegram story with location tag on
  • Group photo with identifiable backdrop (specific building, unique landscape)
  • Brigade public-video publication with identifying data visible
  • LinkedIn updated during deployment with "volunteer in Ukraine"
  • Teammate obituary with unit and location details
  • Trusting encrypted DM to discuss operational detail (app is encrypted, device is not)

Lessons learned Ukraine

Public experience of the 2022-2026 front has shown OSINT as an autonomous weapon — no longer only an intelligence tool but a primary targeting source. Ukrainian and Western OSINT communities have tracked Russian units from social media, produced public BDA, identified commanders. Mirroring, Russian OSINT has hit Ukrainian brigades through social analysis of volunteers. Brigades that introduced strict public OPSEC policy — no social in deployment, only old content, periodic profile review — significantly reduced losses documented as OSINT-driven targeting. Message is univocal: the first enemy of your unit is your phone. The second is your teammates' phones. Discipline is collective or doesn't exist.