The modern battlefield is not just physical; it is fought in the open-source domain. This is the OSINT (Open Source Intelligence) Playbook designed to hack the intelligence of a complex target like Hamas in Gaza.Our mission is to map the enemy’s architecture, track their cash flow, and anticipate their actions with an average lead time of 72 hours. <\/p>\n\n\n\n
Prepare your environment. <\/p>\n\n\n\n
The deployment starts now.<\/p>\n\n\n\n
Mental Grid: Deconstructing the Target<\/p>\n\n\n\n
To dismantle the target, we first define its network structure. Hamas is not a single entity; it is a cluster of three vectors: <\/p>\n\n\n\n
Vector 1: Family-Clan Structure (The support base).<\/p>\n\n\n\n
Vector 2: Military Wing (Al-Qassam Brigades) (The attack payload).<\/p>\n\n\n\n
Vector 3: Political Bureau (The external interface, split between Ismail Haniyeh’s diaspora and Yahya Sinwar’s internal cell).<\/p>\n\n\n\n
Every operation leaves a digital trace. The enemy operates across two primary channels: <\/p>\n\n\n\n
Money (Qatar suitcases, crypto, hawala) and Media (Telegram, Rocket.Chat, Gaza Now, Al-Aqsa TV). Our Task: Turn those two traces into predictive time-lines (7-day, 30-day, 90-day).<\/p>\n\n\n\n
Tool-chain: Disposable Gmail, Proton VPN, Firefox Multi-Account Containers, 4G SIM rotation, KeePass, Maltego CE, Hunchly, Telegram-scraper, Python + pandas, free OCR (tesseract), Google Earth Engine.<\/p>\n\n\n\n
Legal Cover: Everything is open-source; no intrusion, no malware, no account takeover.—<\/p>\n\n\n\n
The Operational Plan: Step-by-Step OSINT<\/p>\n\n\n\n
Step 1 \u2013 Build the \u201cGaza Phone Book\u201d (48 h)<\/p>\n\n\n\n
1. Data Dump: Dump every public Hamas Telegram channel since 2020.<\/p>\n\n\n\n
python3 telethon_snippets\/bulk_scraper.py -c list_of_300_channels.txt -o hamas_msg.ndjson<\/p>\n\n\n\n
2. Regex Extraction: Use regex to extract unique identifiers: phone numbers (`+972 59`), `@usernames`, crypto addresses (`bc1`, `0x`, `TX`), and lat\/long inside photo EXIF (using `exiftool`).<\/p>\n\n\n\n
3. Enrichment: Cross-reference data via HaveIBeenPwned & Coincidence.info API to get real e-mails, breach passwords, and cluster wallets.<\/p>\n\n\n\n
4. Neo4j Storage: Store data in a graph database: node = phone, edge = \u201cappears_in_same_post\u201d. <\/p>\n\n\n\n
Expected Output: 12 k unique phones, 1.8 k wallets, 600 geo-tags.<\/p>\n\n\n\n
Step 2 \u2013 Map the Clan Money (24 h)<\/p>\n\n\n\n
1. Qatar Grant Tracker: Scrape `@GazaNow` & `@QatarCommittee` tweets using regex for \u201c$\u201d + \u201cmillion\u201d date.<\/p>\n\n\n\n
2. Hawala Ledger: Use OCR on photos of money-exchange shops (Al-Baraka, Al-Huda) posted on Facebook to extract dollar amounts and serial numbers.<\/p>\n\n\n\n
3. Crypto Cluster: Feed the 1.8 k addresses into the Blockchair API. Filter for incoming > 10 k USDT after 1 Oct 2023 to identify 120 \u201chot\u201d wallets.<\/p>\n\n\n\n
4. Time-Series Analysis: Pandas time-series show spikes 3 weeks pre-rocket barrage (correlation 0.78).<\/p>\n\n\n\n
Predictive Rule: > 2 M USDT inflow in 72 h \u2192 high probability of major attack within 10 days.<\/p>\n\n\n\n
<\/p>\n\n\n\n
Step 3 \u2013 Weapon Supply SIGINT (36 h)<\/p>\n\n\n\n
1. Import Tracking: Monitor cement & dual-use imports via UNOPS open data. A sudden 4x spike in \u201chollow aluminum pipes\u201d is a signature for Grad body material.<\/p>\n\n\n\n
2. Satellite Surveillance (NDVI): Use Sentinel-2 L2A (10 m) every 5 days. <\/p>\n\n\n\n
An NDVI anomaly (drop in vegetation) in orchards near Beit Lahia indicates trenching (tunnel vent hidden under trees).<\/p>\n\n\n\n
3. Satellite Surveillance (Soil): Use PlanetScope to compare 2023 vs 2024 soil piles near Rafah. A new 30 m-long mound is a launch site berm.<\/p>\n\n\n\n
4. Cross-Validation: Cross-reference the orchard coordinates with Telegram \u201c#AlQassam\u201d videos for visual confirmation. <\/p>\n\n\n\n
Predictive Rule: New berm + pipe import spike = expect salvo direction southwest toward Ashkelon.<\/p>\n\n\n\n
Step 4 \u2013 Intent Classifier (12 h)<\/p>\n\n\n\n
1. Pre-processing: Translate the last 1 k comms (Google-Trans-no-key).<\/p>\n\n\n\n
2. Model: Use a fastText model trained on prior ops (2014, 2021) with the labels: 0 = political, 1 = military-training, 2 = imminent-attack.<\/p>\n\n\n\n
3. Features: The model is fed features like emoji density (\ud83d\udca5\u2694\ufe0f), Qur’an sura refs (Al-Anfal = war chapter), and future-tense verbs ratio.<\/p>\n\n\n\n
4. Yellow Alert: Probability > 0.65 for class 2 triggers the alert.<\/p>\n\n\n\n
5. Human Check: Hebrew-speaking analyst reviews the top 20 posts for downgrade or escalation.<\/p>\n\n\n\n
<\/p>\n\n\n\n
Step 5 \u2013 Human Terrain & Morale (16 h)<\/p>\n\n\n\n
1. Internal Pressure: Scrape Gaza Facebook marketplace. A Spike > 30 % in flour price in 7 days signals internal pressure. Hamas will need a \u201cvictory photo.\u201d<\/p>\n\n\n\n
2. Social License: Monitor Telegram polls in public \u201cGaza Youth\u201d groups. > 80 % “yes” to armed struggle is a social license to escalate.<\/p>\n\n\n\n
3. Cadre Preservation: Daily count of funeral hashtags (`#\u0634\u0647\u062f\u0627\u0621`). A sudden drop means they are preserving cadres. This suggests a high-cost op ahead (hostage raid, tunnel breach).<\/p>\n\n\n\n
<\/p>\n\n\n\n
Step 6 \u2013 Timeline Synthesis (4 h) Build a Living Intelligence Board (Miro template) with the following indicators:<\/p>\n\n\n\n
<\/p>\n\n\n