OSINT Lab Leaders: Bellingcat, CIT Russia, Citizen Lab and Ukraine War

Open Source Intelligence — the systematic collection and analysis of information from publicly available sources including social media, satellite imagery, flight tracking, ship tracking, corporate databases, and leaked documents — transformed from a niche investigative journalism technique into a mainstream intelligence discipline through the Ukraine war. The investigation of MH17 (by Bellingcat and others), Russia's 2014 Donbas intervention, and the Salisbury poisoning operations established OSINT as a credible investigative method before 2022; the full-scale invasion created demand for OSINT analysis at unprecedented scale, providing public audiences, policymakers, and legal investigators with documented evidence of Russian military operations, war crimes, and systemic deception that Russian information operations attempted to deny. Organizations including Bellingcat, Conflict Intelligence Team (CIT Russia), and the University of Toronto's Citizen Lab contributed distinct methodological approaches to this documentation effort.

Bellingcat: Eliot Higgins and Christo Grozev

Bellingcat — founded by British journalist Eliot Higgins in 2014, initially as a blog documenting Syrian war weapons use — evolved into a sophisticated investigative newsroom specializing in OSINT investigation of state actors. Eliot Higgins's foundational methodological insight was that social media posts from conflict zones could be geolocated using satellite imagery comparison, allowing verification of where and when specific events occurred — a technique applied to document Russian Buk missile system movement to the MH17 shoot-down site in 2014. Christo Grozev — Bellingcat's lead Russia investigator — applied this methodology combined with Russian open source databases (phone records, vehicle registration, passport databases accessible through Russian commercial data brokers) to identify and document individual Russian military and intelligence personnel responsible for specific operations. Grozev's identification of the Salisbury poison team and FSB surveillance and assassination operations (including against Alexei Navalny) established his reputation as the preeminent open-source Russia investigator. During the Ukraine war, both Higgins and Grozev operated under credible death threats from Russian intelligence services.

Key OSINT Organizations

CIT Russia: Casualty Tracking and Equipment

The Conflict Intelligence Team (CIT Russia), founded by Ruslan Leviev, established itself as the most systematic tracker of Russian military casualties and equipment losses through detailed analysis of Russian social media — primarily VKontakte (VK), Russia's domestic social network, and later Telegram. CIT monitored death announcements posted by families and units, tracked funerals in Russian regional cities, analyzed equipment losses photographed by combat participants, and maintained public casualty databases that provided alternative estimates to official Russian data (which consistently undercounted losses). CIT's methodology was painstaking: individual case research tracking each named soldier from unit to death to grave, cross-referenced with official and unofficial sources. The organization maintained operational security — publishing under pseudonyms and limiting identifying information — given the hostile legal environment in Russia (where casualty documentation was designated a criminal act) and the specific personal risks Leviev and his team faced.

Citizen Lab: Internet Freedom and Spyware

The Citizen Lab — a research center at the University of Toronto's Munk School of Global Affairs, directed by Ron Deibert — focuses on the intersection of information technology, global security, and human rights, with particular expertise in tracking government-sponsored spyware (including NSO Group's Pegasus) and information operation infrastructure. During the Ukraine war, Citizen Lab documented Russia's digital repression in occupied territories — network blocking, forced SIM registration, surveillance of Ukrainian-language internet use — and tracked information operation infrastructure used in Russian disinformation campaigns targeting both Ukrainian populations and Western public opinion. Citizen Lab's technical methodology (network scanning, SSL certificate analysis, DNS investigation, forensic analysis of compromised devices) provides evidence that complements the social media and imagery analysis that other OSINT organizations emphasize.

Legal and Accountability Application of OSINT

The Ukraine war has been the most extensively OSINT-documented conflict in history, and this documentation has direct legal consequence. ICC prosecutors, Ukrainian domestic prosecutors, and international law teams at the European Court of Human Rights and ICJ have incorporated OSINT evidence — geolocated photographs, verified video, satellite imagery analysis — into their case files. Bellingcat has been specifically acknowledged by international legal institutions as a credible source of verified visual evidence. The evidentiary standards applicable to OSINT in international criminal proceedings are an evolving area of law: questions of authenticity, chain of custody, and expert witness requirements for OSINT evidence are being resolved (partly through Ukraine cases) in ways that will shape international criminal law for decades. The intersection of investigative journalism methodology and legal evidentiary standards is a domain in which Bellingcat and similar organizations have invested significant effort to ensure their methods meet legal admissibility requirements.

Frequently Asked Questions

What personal risks do OSINT investigators face?

OSINT investigators working on Russia and the Ukraine war face significant personal risks calibrated by their prominence and the sensitivity of their work. Christo Grozev publicly disclosed FSB surveillance of his location and movement, required personal security measures, and relocated from his home country to reduce exposure. Ruslan Leviev and CIT team members have operated under pseudonyms with limited public profile to reduce targeting. Russian law criminalizes the documentation and dissemination of Russian military losses as "discrediting the armed forces," making team members who could be identified subject to Russian criminal prosecution if they travel to jurisdictions with extradition considerations. The broader pattern of Russian intelligence services targeting journalists (Politkovskaya, Golunov, others) and OSINT investigators (multiple near-miss incidents) establishes the context in which these risks are calibrated rather than hypothetical.

How does Bellingcat verify sources?

Bellingcat's verification methodology uses the "layered verification" approach combining multiple independent data sources. For a video or image purportedly showing a Russian military vehicle in Ukraine: the geolocation team uses satellite imagery (Google Earth, Maxar, Sentinel) to identify visual landmarks in the background that match a specific location; the timestamp is verified through shadow angles (which indicate sun position specific to time and location) or correlating with known weather or vegetation conditions; the equipment is identified through markings, chassis features, and unit insignia cross-referenced against known Russian order of battle; and the posting account is assessed for credibility indicators. Each element is independently verified and the combination provides high-confidence attribution. This systematic methodology distinguishes Bellingcat from social media rumor propagation, even when both examine the same raw source material.

What is Citizen Lab's role in occupied territory internet freedom?

In Russian-occupied Ukrainian territories, Russian forces systematically dismantled Ukrainian mobile and internet infrastructure and replaced it with Russian telecommunications systems — requiring residents to obtain Russian SIM cards and submit to Russian data collection requirements as a condition of communication access. Citizen Lab documented this infrastructure replacement process through network scanning and analysis of internet routing data (BGP announcements showing which telecommunications providers' networks served specific territories). The shift to Russian telecommunications controls meant that communications from occupied territories became subject to Russian SORM (surveillance) requirements, losing the privacy protections that had applied under Ukrainian law. Citizen Lab's documentation of digital occupation — the replacement of one jurisdiction's internet with another's — contributed to the broader documentation of Russia's forced integration of occupied territories.

How does OSINT intersect with official military intelligence?

The relationship between public OSINT and official military intelligence is complex. Western intelligence agencies — whose satellite capabilities and signals intelligence access vastly exceed what public OSINT organizations can access — don't publish most of what they know about Russian military operations. OSINT fills the public knowledge gap: providing verified, publishable evidence for journalists, courts, and public audiences that official intelligence cannot provide due to classification requirements. In some cases, OSINT organizations have published findings that official intelligence agencies knew but did not release; in others, OSINT has identified things that official intelligence missed or de-prioritized. Ukraine's military intelligence (HUR) has its own analytical relationship with OSINT organizations — some Ukrainian official intelligence findings are shared with OSINT communities informally, while OSINT findings inform Ukrainian intelligence assessments. The boundary between journalism, intelligence, and legal investigation has become blurred in the Ukraine OSINT ecosystem.

What happens to OSINT archives after the war ends?

The archival preservation of the enormous volume of OSINT evidence documented during Ukraine's war is a significant challenge and opportunity. Individual social media posts are ephemeral — platforms delete accounts, users take down posts, and information that is publicly available today may be unavailable in five years. Organizations including the Internet Archive (archive.org), Ukrainian academic institutions, and specialized war documentation projects are systematically archiving social media, websites, and other open source materials for long-term preservation. The evidence value persists for decades: ICJ, ICC, and domestic court proceedings stemming from the war will continue for many years after the fighting ends, and evidence that has been archived and authenticated now will be necessary for prosecutions occurring years in the future. Archival methodology that preserves not just content but verification metadata (hash values, timestamps, capture provenance) is essential for evidentiary use.

Sources

1. Bellingcat. Ukraine Investigation Portfolio and Methodology Documentation. bellingcat.com, 2022–2024.
2. Conflict Intelligence Team (CIT Russia). Russian Military Casualty Database. citeam.org, 2022–2024.
3. Citizen Lab. Ukraine and Russia Digital Rights Reports. citizenlab.ca, 2022–2024.
4. InformNapalm. Russian Military Equipment Identification Database. informnapalm.org, 2022–2024.
5. ICC Office of the Prosecutor. OSINT Evidence Standards in Ukraine Proceedings. icc-cpi.int, 2022–2024.