Clubhouse for OSINT Investigations
Clubhouse is a new type of social network based entirely on voice rather than text, images, or videos. Clubhouse allows people to join clubs and have conversations with each other in real-time. It’s mobile-based, iOS only, and is gaining in popularity very quickly. With any new social networking platform, it’s important to understand how the platform works, how users behave when on it, and what type of content is available passively. In this guide, we’ll take a look at Clubhouse through the lens of Open Source Intelligence (OSINT) investigations including desktop and mobile tools, tactics, and techniques. Let’s get started…
Don’t have time to read this blog now? Download our Definitive Guide: Clubhouse for OSINT Investigations and drive into the content later.
Clubhouse is still technically in beta and requires you to be invited by an existing user to join. Early on, these invites were difficult to come by; however, with its gaining popularity, the number of available invites has gone up significantly, and receiving an invite code is usually as easy as asking for one from anyone in your social network. That said, it’s an iOS-only platform, so if you don’t have an iPhone, iPad, or an M-chip Macbook, you’ll have difficulty getting online.
Once you find someone who has an available invite code, they’ll have to text it to your phone number in order for you to register. This means that your account is tied to your mobile number and there’s no other way around this. You can’t register with an email as we see with other platforms, and you can’t remove your phone number after registering either. This distinction will become very important later on.
Operational Security (OPSEC) Consideration
Registering with your mobile number has a variety of OPSEC considerations. Not only will users be able to see who referred you to Clubhouse on your profile, but Clubhouse maintains a record of all users on its platform, including their name and number. Even if you don’t ultimately register or log into Clubhouse, they’ll have your mobile number and name through the contact lists of other users in your network. Using an alias or sock puppet might not reduce your risk entirely. Clubhouse still collects your real name and phone number from other users who have your information in their contact list.
Once you’ve received an invite code and have weighed the OPSEC risks, it’s time to register an account and set things up. It’s very important to understand the full scope of what type of content is available on Clubhouse if you intend to perform investigations on the platform efficiently and holistically. Here’s the type of information that can be found on Clubhouse across all user types:
Clubhouse allows you to upload a single profile picture. Because Clubhouse isn’t a traditional social network that allows you to post content, one photo is all you get. It can be changed very easily and there’s no archive of previous photos. If you see something important during an investigation, make sure to capture it before it’s gone.
Although Clubhouse explicitly encourages real names, it allows users to change their name one time. This includes an option for a “creator alias” which must be a name you are widely known by and is intended only for public futures. Because an account is tied to a phone number and the name can only be changed once, names on Clubhouse can be considered a reliable data point.
Unlike the name field, usernames can be changed as many times as you want. Clubhouse, by default, will try to set your username to <firstlast> if available, which is something to consider if you’re looking for profiles with unique names. You can change this as many times as you want after the fact so usernames may be less reliable than real names as a data point, even though usernames, in general, are more unique.
Followers (people only)
Followers are straightforward and operate much like followers you see on other platforms. Later in this guide, we’ll cover how many followers you can view and more nuanced ways of analyzing follower lists. From an initial analysis, we’ve observed that followers do not appear in chronological order. Your follower list will appear in chronological order through your account; however, it will appear differently to an external user.
Following (including people and clubs)
Following Lists on Clubhouse are a bit different. The following count displayed on a user’s profile is only a count of the users that the account follows and doesn’t reflect the number of clubs they follow; however, you can view both types when you open the following list. Keep in mind: someone who has a low following count might follow hundreds of clubs.
This section of Clubhouse can either be extremely valuable or very unremarkable. At the lower end, we’ve seen one or two sentences describing who the person is and why they’re on Clubhouse. On the higher end, we’ve seen phone numbers, email addresses, personal websites, and a variety of other information. Make sure to not overlook this section when reviewing a profile.
Social Media Handles
Clubhouse allows you to link two social media platforms to your profile: Twitter and Instagram. From an OSINT perspective, this is incredibly valuable and gives you an instant pivot point from a Clubhouse profile. It allows you to establish a timeline of user activity on Twitter or Instagram as it relates to their activity on Clubhouse. It also allows you to see if user’s Clubhouse username matches their other social media handles.
Clubhouse takes note of the person that nominated you (sent you the invite link) on Clubhouse. It lists the date they joined and a link to the nominator’s Clubhouse profile. This reveals a few things: who is close enough in someone’s network to have their personal phone number and who they might interact with most on Clubhouse. It is the first link to a verifiable social network of your subject.
Clubhouse allows you to follow different types of clubs, but that doesn’t mean you are a member. To see the list of clubs that a user follows, check their following list (detailed above); however, if you want to see what groups they’re actually a part of and have been invited to by the admin, you’ll find it in the “Member of” section. This also includes clubs that a user has created.
At the time of this writing, Clubhouse doesn’t just let anyone create a club. Clubhouse restricts club creation to only the most active community members with a limit of 2 per month. If a user has created several clubs that are visible on their profile, that is a good indication that they are very active on the app.
Despite Clubhouse being a mobile-first, and in many ways a mobile-only, platform there is information that can be gathered from a desktop view. While you can’t see specific profiles on Clubhouse, you are able to search for and view group invitations. This will give you a slight glimpse into Clubhouse data. Here’s how you do it.
Using the site: operator, you can filter your Google search results to only show Clubhouse links using the joinclubhouse.com domain. This will show you mostly historical content from previous conversations and meetings; although, it does give you a few data points to work from including a few users, date/time, and context. Using advanced techniques, which we will discuss later, you’ll be able to begin your investigation before registering for Clubhouse or opening the app.
site:joinclubhouse.com intitle:<keyword> OR intext:<keyword>
Adding the intitle: or intext: commands to the end of your site: query will allow you to be more specific in your search. If you’re looking for a specific topic, person, or company, etc. you can add keywords for those concepts within the title of Clubhouse events or within the text of them. It’s important to use the OR operator in between to maintain a broad enough search to find different types of content.
Reverse Image Search
Once you find an event page of interest, one way to pivot is to conduct a reverse image search on any user profiles you find. This may generate a lead on other social media platforms for a person who uses the same image across multiple social networks. There’s only one problem. If you try to right-click the image and reverse search it, you won’t see that option. You’ll have to isolate the image in the source code first. Here’s how.
Right-click the image of interest, and find the URL of the image within the HTML element:
Copy and paste the URL into a new tab.
Right-click and reverse search the image.
Make sure to use all reverse image search tools available, including Google, Bing, Yandex, etc. to make the most of the image. Advanced Reverse Image Search
Reverse image searches are often a shot in the dark. Because most search indexes use an image match method rather than facial recognition, there has to be another image almost identical to the one you're looking for in order to get a positive result. Because of this, we have to point the search engine in the right direction.
In addition to the profile image of the user in the Clubhouse event, it also gives you their name. In this case, we see “Tianwei Yue” listed. By adding that name to the reverse image search, you’ll give the search engine more instruction, leading to a positive match.
Here’s a look at the results before (default):
And here’s a look at them after:
Finally, a regular Google search without the image. As you can see, it’s broader.
After a quick review, we can confirm that the Instagram found matches the same person in the Clubhouse event.
Because there are limitations to investigating Clubhouse on desktop, we have to rely on mobile investigations to get the full value of the platform. However, unlike desktop, extracting valuable information from mobile is very difficult and requires significant manual work without custom tools. With Clubhouse, those constraints are even more problematic due to the age of the platform and the operating system requirements. Let’s unpack this a bit more...
Clubhouse is iOS only. This means you need an iPhone, iPad, or an M1 chip MacBook that runs iOS apps natively. Alternatively, there are iOS emulators out there but they are facing a variety of legal challenges and, as a result, are difficult to acquire. Many emulators require you to be a developer or pay a subscription to access.
Once you’ve secured a Clubhouse-friendly device or emulator to begin your investigation, it’s time to start searching...
Planning your Investigation
The key to any OSINT investigation is good planning. As the first phase of the intelligence cycle, planning helps set the scope of your investigation, allowing you to avoid rabbit holes or an unexpected expansion of your intelligence requirements. Knowing what types of information is available on Clubhouse can help set those boundaries. Earlier in this guide, we discussed what types of information you can find on Clubhouse, now it’s time to put that knowledge into practice…
Clubhouse has two different search options: people search and club search. People search is very basic, allowing you to only search for a single data point. There is no advanced search option. It seems that Clubhouse only indexes display name, Clubhouse username, and biography. This means you won’t be able to search by Twitter username or Instagram username. However, since Clubhouse doesn’t allow users to change their display name more than once, insisting users show their real name, this is still a reliable data point. Additionally, many Clubhouse users will have the same username as they do on Twitter and Instagram, allowing for a partial search capability.
Club search also allows you to search by keyword; club description looks like it is indexed by Clubhouse. This allows you to search by club name OR club description. If you search by person within club search, you’ll likely get no results unless the club has the same name as the person you’re searching for. If the ultimate goal is to find individuals who are interested in or discussing a specific topic but don’t mention that topic in their profile, it’s easier to find clubs that match the requirements of your investigation and pivot to members within that club for a more refined result.
Because there are only 2 different types of searches you can do on Clubhouse, most of your investigation will rely on pivoting across data points you find during your investigation. The bulk of this guide will cover different ways you can pivot to build out a full investigation across Clubhouse and beyond.
We will refer to pivoting in this context. as moving from one data point to another to discover information that isn’t searchable. There are so many options for pivoting across and beyond Clubhouse, we’ll only cover a few.
For the sake of this guide, I’m going to be using a generic search for “john”. The profiles shown in this guide are for demonstration purposes only.
Person to Club
One way you can pivot across Clubhouse is by moving from a person of interest (POI) to a club of interest. As mentioned earlier, you can find what types of clubs a person is a member of or is following by checking the Member of list or by checking the following list.
Person to Username
If you know the first and last name of a person you are searching for, but you don’t have a username for any social media platform, Clubhouse can be a great place to start. By searching for a person’s name, you’ll find a Clubhouse username. If it’s unique, meaning it’s not just @john or @sam, you can easily reverse search this username to build out a basic digital record. If the person of interest on Clubhouse doesn’t have a connected Twitter or Instagram, reversing the Clubhouse username might be the only opportunity to find additional social media platforms.
Person to Twitter
If the Clubhouse profile of interest has linked a Twitter profile, you can easily navigate to it through the app. It’s important to note any differences between the Clubhouse username and the Twitter username. Because many users got onto Clubhouse early, many are able to secure more desirable usernames. In the example above, John Exley, who secured @johnexley on Twitter, was able to get @john on Clubhouse. Because @john is very generic, the Clubhouse username is likely not useful.
Make sure to check the linked Twitter account for any additional information you can use in your case.
Person to Instagram
Just like with Twitter, navigating to a connected Instagram profile is easy. Likewise, noting the differences between Twitter, Instagram, and Clubhouse usernames can help you build out a footprint of usernames you can reverse across all platforms online. The more unique a username, the more valuable it is. In the example above, @__sbb__ is much more unique than @john, so reverse searching on @__sbb__ should likely be your first consideration.
Person to Nomination
Clubhouse, in many cases, will show you the person who nominated your person of interest on Clubhouse. This means that person texted your POI the referral code that allowed them to register for Clubhouse. This nominator is likely in this person’s personal network, enough to have that person’s cell phone number. When building out a social network, this is the first link in your investigation.
Person to Nomination to Club
If your POI is new to Clubhouse, they might not have joined any clubs or created any of their own. If your investigation warrants monitoring activity over time, a good place to start is to pivot from the POI to the person that nominated them and check the clubs they follow or are a part of. There’s a good chance that the nominator will invite them to check out the same clubs if the POI has any real interest in using Clubhouse. Add those clubs to your list and take a look at what type of members they have.
Person to Nomination to Twitter or Instagram
If your POI doesn’t have a connected Twitter or Instagram profile, that’s not a dead end. Try pivoting from your POI to their nominator and see if they connected their Twitter or Instagram. If so, you can search within the follower and following list of the nominator’s Twitter or Instagram to find your POI’s profile. Just because someone hasn’t connected a profile doesn’t mean it doesn’t exist.
Person to Nomination to Username
If you run into a case where your POI and their nominator don’t have Twitter or Instagram linked and a reverse username search on your POI resulted in false positives, make sure to also do a reverse username search on the nominator. If that fails, go to the nominator’s nominator. Continue until you find a positive hit and work backward toward your POI.
Club to Person
If you’re in a situation where you’re monitoring a topic with the expectation of finding a POI through a community, pivoting from a club to a person is likely in your workflow. Not all clubs on Clubhouse show a list of members; however, the ones that do show up to 200 through the app. The member list can be easily sifted through. It shows the display name, username, and a preview of the biography. This means you don’t have to open each individual profile to do an initial analysis.
Clubhouse is a difficult platform to access and navigate but it can be an incredible resource for any OSINT investigation. There are many ways Clubhouse can be used in an investigative workflow. Investigators can find people, what clubs they are in, who nominated them to Clubhouse, and if they have connected Twitter or Instagram profiles. You can even join clubs yourself and sit in on active discussions about any topic. The mobile-first or mobile-only social media platform is a growing trend that requires attention. We hope this guide will help you bridge the gap between a desktop-first workflow and a mobile environment and give you the tools and mindset necessary to stay ahead of the curve.
Like this blog article? Download our Definitive Guide: Clubhouse for OSINT Investigations.
post content here…