People rotate phones. They scrub their Facebook. They burn email addresses every six months. The one thing they almost never change is the handle they picked at 14. That handle is still on their Steam profile, their abandoned LiveJournal, the GitHub repo they started in college, and the forum where they argued about Warhammer in 2011. PERSINT.USERNAME is the discipline of finding all of it — and tying it back to one human.
What PERSINT.USERNAME actually is
PERSINT — People / Persona OSINT — is the branch of open-source intelligence focused on profiling a specific person. The USERNAME sub-direction is the entry point most investigators reach for first, because a single handle is a portable identifier that survives between platforms in a way that a face, an email, or a phone number rarely does.
The discipline has two halves. Enumeration: which sites does this username exist on? Mutation: what variants of this username belong to the same person? Both halves are needed. Enumeration alone gives you a list of profiles. Mutation is what gets you the LiveJournal account from 2009 that the target forgot existed.
Pattern recognition does the connective work. As Social Links puts it, "since usernames tend to represent the user, it is very uncommon for each one to be completely unrelated to the others." A unique handle like xxx_d3m0n_777 is statistically more valuable than a clean j.smith, no matter how unprofessional it looks. Uniqueness is the signal.
How the brute-search actually works
Strip away the marketing on the GitHub READMEs and the workflow is mechanical. Take the candidate username. Plug it into the canonical user-page URL pattern of every site in a list — github.com/{user}, twitter.com/{user}, steamcommunity.com/id/{user}. Fire HTTP requests in parallel. Parse the response: 200 with profile content vs 404 vs custom error string vs login-redirect. Hits go in the dossier. Misses get logged.
The trick — and the reason every tool in this category needs a maintained config — is that "user not found" can mean a hundred different things. Soft-404s where the site returns 200 with "user not found" buried in the body. Captchas. Geoblocks. Cloudflare 403s on datacenter IPs. The WhatsMyName project exists precisely because the JSON file describing what success looks like on each platform is the actual hard problem. Everything else is a thin async wrapper around it.
The toolbox
Sherlock. The starting point. Sherlock checks a handle against 400+ sites and ships as a pipx-installable Python package. No API keys, no logins — it constructs the expected profile URL and reads the response. Limited site list compared to its descendants, but the cleanest output and the easiest to script around.
Maigret. A Sherlock fork by soxoj that grew into something larger. Maigret covers 3000+ sites and runs against the top 500 by popularity by default. It also parses profile pages to extract IDs and usernames, then kicks off recursive searches with the new identifiers it pulled. Tor and I2P routing are first-class, which matters when half your targets are on .onion forums anyway.
WhatsMyName. Less a tool than the canonical data file. Micah "WebBreacher" Hoffman has been maintaining wmn-data.json since 2015, and most modern username checkers — Blackbird, Spiderfoot, recon-ng — pull from it. The hosted browser version lives at the WhatsMyName web app, which is what most analysts actually use when they don't want to drop into a terminal.
Blackbird. A modern username + email checker written in Python. Blackbird integrates the WhatsMyName dataset for low false-positive rates, exports clean PDF/CSV reports, and ships an AI module that builds a behavioral profile from the sites where the handle is found. Useful when you need a deliverable, not just terminal output.
Browser-based namecheckers. When you don't want to install anything, three osintbay-listed tools cover most of what Sherlock does without the setup tax: Namechk, Namecheckr, and Username Online. The last one — also reachable directly at https://usernameonline.com/ — checks up to ten usernames at once against the WhatsMyName dataset and runs as a mobile app on iOS and Android. Browser-only is also a feature: leaves no install footprint on the analyst's machine.
The supporting cast. NExfil, Profil3r, Userrecon, Social-analyzer, Snoop Project — they all do the same core thing. Different default site lists, different dependencies, different output formats. Run two or three in parallel; their hits rarely overlap completely, and the union catches things a single tool misses. Other osintbay-listed alternatives worth keeping in the rotation: Instant Username, CheckUsernames, and usersearch.org.
Mutation tradecraft — the part the tools won't do for you
Sherlock will check jdoe1985. It will not check j_doe1985, jd0e1985, jdoe85, doe.j, or dzhon_dou. That's the analyst's job, and it's where amateurs lose targets and pros find the buried account.
Transliteration. Soxoj's username generation guide hits this hard: a person named Aleksandr might have a passport spelled Alexandr and a working login that starts with alexsandr — three different handles for one human, all driven by inconsistent transliteration rules between Cyrillic and Latin. Same problem with Arabic, Mandarin pinyin, Korean romanization. If the target's name doesn't natively use Latin script, generate every plausible spelling before running the tools.
Leet substitution. 3 for E, 4 for A, 7 for T, 0 for O, 1 for I, $ for S. CatLover becomes C@7L0vr. Looks like a joke; it's how a non-trivial percentage of older accounts were registered when the clean form was already taken.
Common prefixes and suffixes. real_, the_, im_, _official, _irl, _yt. Birth years (_92, _1987). Random digit padding (_777, _42). Country codes for users registering on platforms after their preferred name was taken in their region.
Hash-style suffixes. Discord-era handles often carry four-digit discriminators or random alphanumeric suffixes. Worth permuting separately because most checkers strip them.
Profile-derived inputs. Once you've found two accounts that you're confident belong to the same person, generate handles from the union of identifiers exposed on those profiles — display names, real names, email prefixes from password-reset flows. This is where Maigret's recursive mode pays for itself.
From username to email — and back
Username searches alone leave money on the table. The pivot worth running every time: extract probable email addresses from the profiles you've already found (bios, contact pages, Gravatar lookups), then run those emails through registration-checkers. Holehe abuses password-reset flows on 120+ services to confirm whether an email is registered, without sending a notification to the target. Epieos does the reverse-lookup version commercially, hitting 140+ services and integrating with Maltego for graph visualization. Mosint and Toutatis cover the gaps for email and Instagram metadata respectively.
The loop closes back on itself. New email finds a new platform. New platform leaks a new username. New username feeds back into Sherlock and Maigret. A real persona dossier is three or four iterations deep — not one tool run.
Most exotic platform first
The rule sounds wrong until you've used it. When verifying that two accounts belong to the same person, the strongest evidence is not a hit on Twitter, Instagram, or LinkedIn — those handles are taken by thousands of people. The strongest evidence is a hit on a niche forum, an obscure gaming platform, a dead-but-archived community. The base rate of collisions on some_dead_swedish_metal_forum.net is essentially zero.
This is also why deleted accounts matter as much as live ones. Old captures via the Wayback Machine often preserve profile pages that the target deleted years ago. Hash leaks from breached services — searched against the username, not the password — frequently surface old handles that no current namechecker will find because the platform itself is gone.
The community worth following
This field moves fast and almost all of it lives on Twitter and GitHub. The handles below are not a popularity contest — they're the people whose tools and writeups actually update: @webbreacher (WhatsMyName maintainer), @soxoj (Maigret, the username generation guide), @hatless1der, @sector035 (Week in OSINT), @cyb_detective, and @i_am_osint. Follow them, read what their tools break on, and you'll know about a new mutation technique two weeks before the next blog post about it.
What separates a working analyst from a tool-runner
Anyone can install Sherlock. The output of Sherlock is not a finding — it's raw input. The work is in the parts the tools refuse to do: generating the right mutations, recognizing which exotic-platform hit is the load-bearing one, pivoting cleanly between username and email, and checking the archive when the live site comes up empty. A good username investigation is iterative, multi-tool, and ends with an attribution that survives review. A bad one is a 200-line text file of green checkmarks that proves nothing.
The handle is the cheapest piece of evidence you'll ever collect. Treat it that way — as a starting point, not the answer.