You don't need a zero-day. You need a name and forty bucks. That's the unglamorous truth about PERSINT.PEOPLESEARCH — the layer of people OSINT that runs entirely on aggregators, data brokers, and the receipts of every "I agree" button a target has clicked since 2008.
This isn't hacking. It's reading the file the broker already built.
What PERSINT.PEOPLESEARCH actually is
PERSINT — Persona Intelligence — is the slice of OSINT that maps a real human: name, address, phone, email, relatives, employers, and the digital exhaust they trail behind them. The PEOPLESEARCH sub-direction is the aggregator layer. Not Twitter scraping. Not face search. The boring, deeply effective work of pulling pre-built dossiers from companies whose entire business is selling them.
Data brokers are private firms that collect personal data, mostly from public records and partner feeds, and sell or license it to anyone with a payment method. They bundle:
- Voter rolls (where legal — most US states, where it's gold)
- Court filings — civil, criminal, divorce, bankruptcy
- Property records — deeds, tax assessments, mortgage filings
- Breach and leak data — emails, passwords, phones from hundreds of public dumps
- Social profiles — scraped, enriched, deduped
- Marketing lists — loyalty programs, sweepstakes, mailers, "free" apps
One broker on its own is a sketchy guess. A dozen brokers stacked on top of each other is a dossier. That's the whole game.
The geography problem: US gold, EU desert
If your target is in the United States, the PEOPLESEARCH stack is a buffet. Voter rolls are public in most states. Property and court records are public by default. Brokers feast on that and sell it back. TruePeopleSearch alone indexes hundreds of millions of court entries and tens of millions of business records, all free.
If your target is in the EU, expect ash. GDPR forces brokers to have a lawful basis for every record they hold, and gives every EU resident the right to access, correct, and delete their data — backed by fines up to €20 million or 4% of global turnover. US brokers either geofence Europeans out, redact them, or quietly hold the data and pray. Coverage of European subjects on US-facing brokers ranges from thin to deceptive — old records, recycled marketing leads, and "matches" that aren't your subject at all.
The takeaway: never apply US instincts to a European target. Different stack, different sources, different legal exposure.
The toolset, sorted by what it's actually good for
Forget the "top 10 free OSINT tools" listicles. Here's how working operators bucket the PEOPLESEARCH stack.
Wide aggregators — start here, validate later
Spokeo, BeenVerified, and Intelius are the three big paid US aggregators. They overlap heavily but never identically. A working private investigator running them head-to-head found BeenVerified the most transparent and best-priced, with Intelius costing more than twice as much for comparable depth. Use them for the wide net — names, age range, prior addresses, relatives, possible emails and phones.
Free workhorses — fast pivots, no paywall
TruePeopleSearch and FastPeopleSearch are the free engines you actually keep open in a tab. Name → addresses → phones → relatives, no login. Their data isn't always current — old phone numbers, addresses from a decade ago — but that's a feature when you're building a timeline. ThatsThem earns its place because it accepts reverse inputs the others don't always allow gracefully: drop in an email or IP, get a name back. That single capability turns it into a pivot machine.
Reverse-direction tools
Whitepages remains the strongest US-only reverse phone lookup, despite the constant paywalls. Radaris pulls in employment history and public mentions. PeekYou indexes social media, blogs, and news mentions across dozens of platforms — useful when you have a real name and want to map online identities back to it. Nuwber is a thinner BeenVerified clone but occasionally surfaces records the others miss.
The premium tier
Pipl is paid-only now, enterprise-priced, and worth it for one specific reason: it does identity resolution rather than directory lookup. Hand it an email or phone, and it tries to bind the identifier to a real human across its entire collection. OSINT Industries plays in the same space — feed it an email or phone, get a one-shot map of associated accounts across hundreds of services. These are the tools that turn a single anonymous handle into a name.
Quirky legacy and analyst-grade
FamilyTreeNow is the cheat code nobody talks about. It's a genealogy site, but its public records search returns relatives, prior addresses, and associates with no login and no paywall. For tracing family graphs, it's frequently better than the paid aggregators. Nextdoor is a hyper-local social network — useful when you've geolocated a target and want to see neighborhood activity. Lampyre and the IntelTechniques tool suite sit at the analyst tier — orchestrators that fan a single identifier across dozens of services in one shot.
The methodology: cross-validate, or you're just guessing
One broker hit means nothing. The number to internalize is three: any claim worth putting in a report should be confirmed by at least three independent sources. Verification through independent sources is a core OSINT principle, not an optional polish step. Brokers buy each other's feeds, so two "independent" hits often share a source. Triangulate properly: an aggregator, a free engine, and a primary record (court filing, property deed) is a real three.
The pivot ladder that works in practice:
- Name + city → wide aggregator → list of addresses, age, relatives
- Address → property record → owner of record, purchase date, value (independent confirmation that it's your subject, not a namesake)
- Voter record (where public) → DOB, party affiliation, exact registered address
- Relatives list → repeat the loop on each relative — relatives often have weaker OPSEC than the target and confirm the family graph
- Phone/email → reverse lookup on ThatsThem, Pipl, OSINT Industries → bound social accounts
- Email → breach data (HIBP and adjacent) → linked usernames, leaked passwords that often reuse across accounts
Quirky pivot worth memorizing: when an aggregator has nothing on your subject, run the search on a known relative. Family graphs lock in identity faster than identifiers do. Adversaries routinely exploit weak-OPSEC relatives to anchor a target's identity — it's a documented OSINT principle, not a parlor trick.
The opt-out trick: adversarial OPSEC, weaponized
This is the part the broker industry doesn't advertise. Every aggregator has a public opt-out page where, in theory, you can request your record removed. Privacy guides treat this as defensive hygiene. Operators read it differently: the opt-out page is a diagnostic checklist for which brokers carry data on a target.
Run a target's name through a removal service's public scanner, or just walk the major opt-out forms manually. Where does the data appear? What categories show up — address, phone, employer, relatives? A 2024 Consumer Reports study found that even the best-performing removal services only cleared 68% of exposed profiles within four months, and most cleared closer to 35%. That gap is your map. The data the target couldn't get rid of is the data you can still pull.
Reverse the same logic for self-defense: if you're hardening someone's footprint, treat the broker list as an attack surface. Opt out, then re-check quarterly, because brokers re-ingest from public feeds and your record will reappear.
What kills investigations
Three failure modes show up in 90% of weak PEOPLESEARCH reports:
- Namesake collapse. Two people with the same name, similar age, same metro. The broker merges them. You don't notice. Half your dossier is about the wrong human.
- Stale data treated as current. A 2014 phone number on FastPeopleSearch is a clue, not a contact. Broker freshness varies wildly — assume nothing without independent confirmation.
- Single-source confidence. "Spokeo says so" is not a finding. It's a lead.
Build the verification habit early, or your reports will not survive contact with anyone competent.
Who to follow if you want to stay current
The PEOPLESEARCH ecosystem rotates constantly — sites change owners, get bought up, get sued, change scraping practices, get sanctioned. Michael Bazzell at IntelTechniques remains the reference point: ex-FBI Cyber Crimes Task Force, author of OSINT Techniques (now in its eleventh edition) and Extreme Privacy. His weekly newsletter and podcast log changes to the broker landscape in something close to real time. Round it out with @osintcurious, @osinttactical, and @hatless1der on social — the operator-grade signal, not the marketing fluff.
The unglamorous bottom line
PEOPLESEARCH is not glamorous. There's no flag in a CTF, no Maltego graph that wins a conference talk. It's the layer that quietly settles half of every PERSINT engagement — who the person is, where they live, who they're connected to, which digital identifiers belong to them. Master it before you reach for anything fancier. The "advanced" OSINT you see online is mostly people who skipped this layer compensating for the gap.
And if you're on the other side of this — protecting yourself or a client — start with the assumption that everything in this post has already been run on you. The work isn't whether the data exists. It's how much of it you can claw back, and how often.