OSINT Tradecraft
Investigation skills · Vol. VIII · 2026 edition

An LLM can't
investigate.
A trained one can.

You're right not to trust ChatGPT with casework. The difference isn't the model — it's the training. 659 skill files train Claude, GPT, Llama, or DeepSeek the way a licensed professional learned the job: chain of custody, jurisdiction, source vetting, citation discipline.

Prompt
> Investigate this person: jane.doe@example.com — give me everything you can find.
Vanilla LLM

Vague summary + invented sources

Searches Google. Lists a couple of profiles that may or may not be hers. Cites a 'PeopleFinder report' that was never pulled and doesn't exist. No methodology, no provenance.

× Hallucinated court records
× No source-of-record audit trail
× No alias / handle pivoting
× Skips DPPA/FCRA compliance
With OSINT Tradecraft

Methodical, cited, defensible

Runs seed-discovery-from-email → email-permutation-and-verification → alias-and-handle-pivoting → username-enumeration-across-platforms. Every finding gets a source URL, a timestamp, and a confidence grade. Stops at jurisdictional limits.

Each finding cited to a primary source
Confidence language (ICD-203)
Chain-of-custody preserved
Compliant by default
§ 01 The gap

One hallucinated citation can cost you
the case, the client, or the license.

A licensed PI, journalist, fraud examiner, or attorney can't ship work that includes invented citations, missed jurisdictional rules, or no chain of custody. An LLM you merely ask to investigate ships that work routinely. An LLM trained on these skills works the methodology instead — that's the entire difference, and it's the product.

It hallucinates citations

Invents case law, statute numbers, and document IDs that sound right and aren't real.

It has no tradecraft

Skips OPSEC, chain of custody, source vetting and deconfliction: the discipline that makes findings hold up.

It doesn't know the platforms

A generic answer for LinkedIn, and the same generic answer for Telegram. Misses the platform-specific techniques that actually work.

It treats jurisdictions the same

DMV records in California aren't released under the same rules as in Texas. Wiretap law in New York isn't the same as in Florida: New York is a one-party-consent state for recording a call, Florida requires all-party consent. It pretends they are the same.

§ 02 The proof

Don't take our word.
Read a real skill.

This is the actual SKILL.md your agent loads — not marketing copy. Every skill ships as a folder: the methodology, plus runnable scripts, legal references, and field checklists.

Methodology with stop-points and confidence grading
scripts/ — runnable helpers (Python, shell, search queries)
references/ — legal standards + technical reference
assets/ — attribution matrices, field checklists
content/skills/alias-and-handle-pivoting/SKILL.md (shipping file · verbatim)
---
name: alias-and-handle-pivoting
description: Use when an authorized investigation needs to move between known and unknown handles owned by the same person, using shared bios, avatars, social graph, writing style, and posting patterns. For licensed PI, journalist source mapping, fraud, brand-abuse, attorney discovery, or authorized OSINT.
---

# Alias and Handle Pivoting

## Overview
People bleed identity across accounts even when they think they are compartmentalized. The discipline is to collect weak signals across many surfaces and let convergence — not any single signal — confirm attribution.

## When to Use
- You have one confirmed account and suspect the subject runs others under different names.
- A throwaway account is suspected to belong to a known user.
- Mapping a coordinated-inauthentic-behavior cluster.
- Linking a public persona to an anonymous one for journalistic accountability of a public figure.

## Core Workflow
1. Catalog every artifact attached to the known handle: bio text (verbatim), avatar (file hash + perceptual hash), banner, linked URLs, pronouns, location field, join date, follower/following lists, pinned post, language, timezone of activity, devices/clients used.
2. Avatar pivot. Compute perceptual hash (`imagehash` aHash/pHash/dHash) and exact MD5. Search reverse-image across Google Lens, Yandex, Bing, TinEye. Search the exact hash on platforms that expose CDN URLs. Many people reuse the same avatar across LinkedIn, Twitter, Reddit, Discord.
3. Bio-text pivot. Lift a 5-10 word distinctive phrase and quote-search Google, DuckDuckGo, Bing. Lift email or website fragments. Lift uncommon emoji combinations.
4. Social-graph pivot. Mutuals overlap is the strongest single signal — sort the known account's interactions by recency and look for the same set of accounts around a suspect handle. On X use advanced search `from:A @B`. On Reddit use the user-comparison heuristic: do two accounts post in the same niche subs within minutes of each other?
5. Writing-style (stylometry). Compare function-word frequency, punctuation idiosyncrasies (Oxford comma, em-dash, double space after period), typo signatures, slang, ALL-CAPS habits, sentence-length distribution. Tools: JStylo, Stylo R package; for casual use, JGAAP. Treat results as suggestive, never dispositive — adversarial obfuscation is easy.
6. Temporal-cadence pivot. Plot posting timestamps in UTC; the diurnal gap reveals timezone. Two accounts with identical sleep windows on the same days of week are correlated. Burst patterns around specific events (sports, market opens, news) further narrow.
7. Cross-platform username variants. Apply leetspeak, casing, and suffix variants from `seed-discovery-from-username` and run through Sherlock, Maigret, WhatsMyName.
8. Metadata leaks. Image EXIF (rarely intact on social), unique image dimensions or compression signatures, URL shortener accounts (bit.ly public stats), Google Doc share IDs, Calendly handle, Cash App/Venmo cashtag, Strava activities.
9. Linked-service pivots. The same email shows up on Gravatar, GitHub, Keybase; pivot via `seed-discovery-from-email`. The same Steam, Spotify, Last.fm profile if linked.
10. Build a weighted attribution matrix: rows are candidate alt accounts, columns are signal types (avatar match, bio overlap, mutuals overlap, stylometry, cadence, metadata). Require multiple independent signals before asserting same-person; record confidence as low/medium/high with evidence.
11. Preserve snapshots (archive.today, screenshots with URL and timestamp) before accounts are deleted. Route admissible attributions through `chain-of-custody-documentation`.

## Quick Reference
| Signal | Tool / Method |
|---|---|
| Avatar | imagehash, Yandex, TinEye |
| Bio phrase | Google verbatim, DuckDuckGo |
| Mutuals | X advanced search, Reddit user pages |
| Stylometry | JStylo, Stylo (R), JGAAP |
| Cadence | timestamp plotting, sleep-window analysis |
| Handle variants | Sherlock, Maigret, WhatsMyName |
| Linked accounts | Gravatar, Keybase, GitHub, Steam |
| Archive | archive.today, Wayback, screenshots |

## Common Mistakes
- Single-signal attribution. Same avatar alone is not proof — image theft and copies are common.
- Confirmation bias. Once you suspect an alt, every coincidence looks confirming. Pre-register what would falsify the hypothesis.
- Ignoring base rates. In a niche subreddit, posting in the same threads is not informative; in a generic sub, it is.
- Failing to preserve. Subjects often delete within hours of noticing scraping.
- Mis-attributing shared-team accounts (PR firms, assistants, partners) to a single person.

## Ethical / Legal Limits
Doxxing or unmasking a private individual for harassment is prohibited and may be criminal under cyberstalking statutes. Unmasking is defensible for public figures acting in public capacity, accountability journalism, fraud investigation under retained counsel, or court-ordered discovery. Platform ToS may forbid creating sockpuppet research accounts; some jurisdictions treat sockpuppet creation against ToS as a CFAA gray area (Van Buren narrowed but did not eliminate this). Document the engagement basis and route findings through `chain-of-custody-documentation`.
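Added here as an illustration and not part of the shipping SKILL.md or anything in its scripts/ folder: steps 2, 6 and 10 of the workflow above (avatar pivot, temporal-cadence pivot, weighted attribution matrix) in standard-library Python. The avatar grids, timestamps and candidate handles are constructed for the example; the 10-bit near-duplicate threshold, the 7-hour quiet window, the 23:00 local bedtime and the signal weights are assumptions, not values taken from the skill.

```python
"""Added example, not part of the OSINT Tradecraft skill files or their scripts/:
steps 2, 6 and 10 of the alias-and-handle-pivoting workflow in standard-library
Python over constructed data. Thresholds and weights are assumptions."""
from datetime import datetime, timezone

# ---- step 2: avatar pivot with a difference hash (dHash) ----------------------
def dhash(gray_9x8):
    """64-bit dHash of an image already reduced to 9 columns x 8 rows of gray levels.
    Each bit records whether a pixel is brighter than its right-hand neighbour, so
    re-encoding, mild noise and resizing leave most bits unchanged."""
    bits = 0
    for row in gray_9x8:
        for x in range(8):
            bits = (bits << 1) | int(row[x] > row[x + 1])
    return bits

def hamming(a, b):
    """Number of differing bits between two hashes."""
    return bin(a ^ b).count("1")

NEAR_DUPLICATE_BITS = 10  # assumed threshold: <= 10 of 64 bits differ => same picture

# Constructed 9x8 gray grids standing in for resized avatars (no real images involved).
AVATAR_KNOWN = [[28 * x + 3 * y for x in range(9)] for y in range(8)]  # smooth gradient
AVATAR_RECOMPRESSED = [row[:] for row in AVATAR_KNOWN]                 # same picture, re-encoded:
AVATAR_RECOMPRESSED[0][3] += 40                                        # two pixels brightened
AVATAR_RECOMPRESSED[1][3] += 40                                        # by compression artefacts
AVATAR_UNRELATED = [[200 if (x + y) % 2 == 0 else 40 for x in range(9)]
                    for y in range(8)]                                 # checkerboard

# ---- step 6: temporal-cadence pivot ------------------------------------------
def hourly_profile(iso_timestamps):
    """24-bin histogram of posting activity by UTC hour."""
    counts = [0] * 24
    for ts in iso_timestamps:
        counts[datetime.fromisoformat(ts).astimezone(timezone.utc).hour] += 1
    return counts

def sleep_window_start(profile, hours=7):
    """UTC hour at which the quietest `hours`-long circular window begins."""
    return min(range(24), key=lambda s: sum(profile[(s + i) % 24] for i in range(hours)))

def utc_offset_guess(profile, local_bedtime=23):
    """Assume the quiet window opens at about 23:00 local and solve local = UTC + offset."""
    return (local_bedtime - sleep_window_start(profile) + 12) % 24 - 12

def synth_posts(utc_offset, days=3, awake=range(8, 23)):
    """Constructed activity: one post per awake local hour, timestamped in UTC."""
    return [f"2025-03-{10 + d:02d}T{(h - utc_offset) % 24:02d}:15:00+00:00"
            for d in range(days) for h in awake]

# ---- step 10: weighted attribution matrix ------------------------------------
WEIGHTS = {"avatar": 2, "bio": 2, "mutuals": 3, "stylometry": 1, "cadence": 1, "metadata": 2}

def grade(signals):
    """Confidence from independent positive signals. A single signal never exceeds
    'low': the same avatar alone is not proof, because image theft is common."""
    hits = [name for name, positive in signals.items() if positive]
    if len(hits) < 2:
        return "low"
    return "high" if sum(WEIGHTS[name] for name in hits) >= 6 else "medium"

def attribution_matrix(known, candidates):
    """Rows are candidate handles, columns are signal types. Avatar and cadence are
    computed here; bio, mutuals, stylometry and metadata are recorded as the analyst found them."""
    known_hash = dhash(known["avatar"])
    known_offset = utc_offset_guess(hourly_profile(known["posts"]))
    matrix = {}
    for handle, c in candidates.items():
        signals = {
            "avatar": hamming(known_hash, dhash(c["avatar"])) <= NEAR_DUPLICATE_BITS,
            "bio": c.get("bio", False),
            "mutuals": c.get("mutuals", False),
            "stylometry": c.get("stylometry", False),
            "cadence": utc_offset_guess(hourly_profile(c["posts"])) == known_offset,
            "metadata": c.get("metadata", False),
        }
        matrix[handle] = (signals, grade(signals))
    return matrix

# Constructed case: the known handle sits at UTC-5; three suspected alts.
KNOWN = {"avatar": AVATAR_KNOWN, "posts": synth_posts(-5)}
CANDIDATES = {
    "alt_1": {"avatar": AVATAR_RECOMPRESSED, "posts": synth_posts(-5), "bio": True, "mutuals": True},
    "alt_2": {"avatar": AVATAR_RECOMPRESSED, "posts": synth_posts(+2)},  # copied avatar, UTC+2 sleeper
    "alt_3": {"avatar": AVATAR_UNRELATED, "posts": synth_posts(-5), "stylometry": True},
}

if __name__ == "__main__":
    for handle, (signals, confidence) in attribution_matrix(KNOWN, CANDIDATES).items():
        print(f"{handle}: {confidence:<6} {[s for s, ok in signals.items() if ok]}")
```

Run it as a script and alt_1 grades high (avatar, bio, mutuals and cadence all agree), alt_3 grades medium on two weak signals, and alt_2 stays low even though its avatar is a near-duplicate, because nothing independent corroborates it. In real use the grids come from Pillow (`Image.open(path).convert("L").resize((9, 8))`) or from the `imagehash` library the skill names, the timestamps from the platform export, and the matrix rows should carry the source URL and capture time of every artefact that set a cell to True.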
§ 04 The audience

Built for people whose work has to hold up.

If a fabricated source could lose your case, your client, your beat, or your license — these skills exist for you.

§ 05 The mechanics

Three steps. Then your agent acts like a pro.

Skills are plain Markdown — readable by you, loadable by Claude Code, OpenAI Custom GPTs, Llama, DeepSeek, and any agent that supports system prompts or skill files.

STEP 01

Buy your stack

Stripe checkout — volumes, add-ons, and updates in one payment. You get a license key, ZIP downloads, and local Claude Code plugins.

STEP 02

Install into your agent

One command for Claude Code. Drag-and-drop for Custom GPTs. Drop into ~/.skills/ for Llama / DeepSeek. Docs cover all four.

STEP 03

Ask. Watch the method appear.

Your agent now invokes the right skill at the right moment. Cited findings, jurisdictional caveats, confidence language, the whole craft.

§ 06 Also available

Two upgrades when you're ready to go further.

The skills stand alone. These two add-ons multiply them — both one-time purchases.

Multi-agent · $100 one-time

Orchestrator.md — run a whole team of agents at once.

One file that spins up parallel specialists — people, businesses, case facts, report — and merges them into one defensible case file. 4 hours of prompting becomes 30 minutes. Free with the Complete Library.

Tool access · $149 one-time

Investigator's MCP Toolkit — the agent runs the tools itself.

36 pre-vetted MCP servers wired to the skill library: live WHOIS, username sweeps across 2,500+ sites, Wayback diffs, on-chain tracing, memory forensics. The agent stops suggesting and starts doing.

Don't ship work an LLM guessed at.

Start with 4 skills free. Build your stack when your agent earns it.

OSINT Tradecraft — Investigation Skills For Your LLM