A sock puppet is a fake account which can be used to hide the true identity of the owner for operational security reasons (used by both attackers and security researchers).
Developing a convincing persona is key to the success of your sock puppet. Your goal is to create a very unremarkable person (since your persona probably won't stand up to intense scrutiny without resorting to buying illegal fake ID documents on the dark web).
Develop a Set of Baseline Information:
Ideally you'll create all of the following information to make sure it's comprehensive, rather than struggling to think of the answers later when prompted for security questions. A good place to start is Fake Name Generator. If you're looking to build an avatar around an idea (like 'ChristmasFan') rather than an entire fake persona, you probably won't need all of the information detailed below and can create as much or as little as you need:
- Name (first, last, any nicknames, usernames, etc.)
- Gender, weight, height
- Birthdate and place of birth
- Address (ideally a rental property in a large city, which is difficult to verify). You may also want a VPN which you can set to the location of your persona (ideally one which you can purchase with a gift card, bought in cash of course). I've previously used NordVPN, ProtonVPN, and Private Internet Access. Any you choose should be easy to use and value your privacy.
- School (at least a high school/college and university, if applicable)
- Work/work history
- Relationship status
- Children (if applicable)
- Other relations (parents (particularly mother's maiden name), siblings, neighbors, friends, etc.)
- Vehicle (if applicable, ideally including make/model + license plate number)
- Favorites (color, food, etc.) and hobbies (running, knitting, etc.)
- Contact information (phone number, email address, social media usernames). You should already have a phone number and social media usernames. It's time to set up an email account. You can set up a (relatively) secure email via a site like Proton Mail, or blend in and use Gmail (though Google does A LOT of tracking and it will be much harder to hide your identity from them). While you can use PGP or other encryption, that acts as a red flag to a number of intelligence services. Even if they can't break the encryption, they will often save it for the day that they can crack it. Because of that, I don't recommend it for sock puppets (plus it's a giant pain).
Figure out photos:
Most social media sites will require at least one photo, and if you don't have several, it may be difficult for your sock puppet to make friends.
- Extremely Secure: Shoot your own stock photos and remove any metadata from the photos. Then use Photoshop or other photo manipulation software to alter the photos so they're not immediately recognizable as being associated with any place or people you know.
- Cutting Corners: Use stock photos, a photo of a fake, AI-generated person, or morph a few photos together in Photoshop or on a site like https://www.morphthing.com/. All of these options have fairly significant downsides. Very few photos on free stock photo sites haven't been widely used, and the first thing any competent investigator (or millennial on Tinder) will do is reverse image search the photo, quickly discovering that it's clearly a stock photo. Some higher-end stock photo sites will have less widely used photos, but the problem won't be eliminated. For the fake person or a morphed photo, it will be difficult to add other photos later, since the person doesn't actually exist, and it might read as a bit unrealistic for all of your social media accounts to share a single photo.
Start Setting up Accounts:
Building out a network is one of the most time consuming and difficult parts of building out a sock puppet.
- Facebook: Most people are wary of friending people with no friends, so getting the first few connections can be difficult. Start with playing some of the Facebook browser games, then trying to get others playing the games to follow you by posting on the game's Facebook page. Other tactics include spreading out to friends of friends, or pretending to be extremely into a specific hobby (like knitting), joining a Facebook page or group for it and becoming friends with the folks in the community after posting or interacting with others' posts. Sports teams are also good for this, but I know next to nothing about sports (and honestly I'm not willing to learn) so I usually avoid it.
- Once you've established a foothold, you can further spread by looking for friends of the people you've friended, or even looking for events held at the school/workplace/city you're supposedly affiliated with. Once you see who has 'checked in' to those events, you can friend them and spread throughout their friend circle next.
- Instagram: This one is particularly hard given its reliance on unique photos, but it also isn't often needed. If you absolutely need an Instagram account, take lots of photos which are hard to identify and strip out any identifying metadata before posting. Building followers requires heavily using hashtags, and following back any accounts which follow you.
- Twitter: One of the easiest accounts to build out. Add a photo, brief bio, and a couple tweets, and it's relatively easy to get folks to follow back. Look for any accounts which automatically follow back and allow your audience to develop naturally (if you find yourself being followed by a lot of knitting enthusiasts, lean into it!).
- LinkedIn: It's quick and easy to build a network if you start requesting folks who share the same alumni network or work for the same organization. Another easy way to build connections is to request recruiters who automatically accept new connections.
- Pinterest, YouTube, Meetup, Reddit: These should be fairly easy to set up as there's little verification of users. However, they are a good (easy) way to build out your personality and indicate interests and hobbies.
- Dating Apps: Tinder, Grindr, Bumble, Hinge, The League, etc. Whether or not these are useful depends on what type of information you're searching for, but they typically require mid-level user authentication, a few photos, and a couple hobbies.
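Both the photo step and the Instagram step above say to strip metadata before posting. The following is an added example (not part of the original post) that walks a JPEG's header segments, reports the ones that carry metadata (Exif, XMP, IPTC, comments), and rewrites the file without them; the function names and the sample bytes are constructed for illustration.

```python
import struct

SOS, COM, APP0, APP2, APP14, APP15 = 0xDA, 0xFE, 0xE0, 0xE2, 0xEE, 0xEF

def segments(jpeg: bytes):
    """Yield (marker, payload, raw) for each header segment, then the scan data."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError(f"corrupt segment header at offset {pos}")
        marker = jpeg[pos + 1]
        if marker == SOS:                      # compressed image data follows
            yield marker, b"", jpeg[pos:]
            return
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        end = pos + 2 + length
        if length < 2 or end > len(jpeg):
            raise ValueError(f"bad segment length at offset {pos}")
        yield marker, jpeg[pos + 4:end], jpeg[pos:end]
        pos = end
    raise ValueError("truncated JPEG: no SOS marker found")

def label(marker: int, payload: bytes):
    """Return a name for metadata-bearing segments, None for ones the decoder needs."""
    if marker == COM:
        return "COM"
    if not APP0 <= marker <= APP15:
        return None
    if marker in (APP0, APP14) or (marker == APP2 and payload.startswith(b"ICC_PROFILE\0")):
        return None                            # JFIF header, Adobe colour info, ICC profile
    ident = payload.split(b"\0", 1)[0][:32].decode("latin-1")
    return f"APP{marker - APP0}:{ident}"

def find_metadata(jpeg: bytes) -> list:
    return [n for m, p, _ in segments(jpeg) if (n := label(m, p))]

def strip_metadata(jpeg: bytes) -> bytes:
    return b"\xff\xd8" + b"".join(raw for m, p, raw in segments(jpeg) if not label(m, p))

def _seg(marker: int, payload: bytes) -> bytes:
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed sample: a JPEG-shaped byte string (not a decodable image).
SAMPLE = (b"\xff\xd8" + _seg(APP0, b"JFIF\0\x01\x01\0\0\x01\0\x01\0\0")
          + _seg(0xE1, b"Exif\0\0" + b"constructed GPS/camera tags")
          + _seg(COM, b"constructed comment") + b"\xff\xda\0\x02scan\xff\xd9")

if __name__ == "__main__":
    print(find_metadata(SAMPLE), "->", find_metadata(strip_metadata(SAMPLE)))
```

Running `find_metadata` on the output file is the check that matters: an empty list means no Exif, XMP, IPTC or comment segment survived. It says nothing about what is visible in the pixels themselves.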
**A note for the extra cautious:** Even if you've managed to set up a clean device, with a VPN, ad-blocking browser extensions, a clean phone number, and virgin stock photos, you still run the risk of being identified by the way you communicate (and most technologically advanced countries' intelligence agencies have the ability to do so). It's quite difficult to hide the way you write, though the Privacy, Security, and Automation Lab at Drexel University has created a tool called Anonymouth which specifically aims to anonymize documents.
- Ensure that you've built up your sock puppets appropriately before using them - if you use them too early, it will be clear that they are sock puppets, burning the identity, and forcing you to start over (just like Jacob Wohl).
- Ideally you should let your sock puppets age naturally, as there's no real substitute for age (on most social media sites you can't hide or change your account creation date).
- You'll need to regularly log in to your various social media accounts to keep them up - playing games, posting content, messaging other users, etc. In order to make this easier, it's probably a good idea to store all the password/login info in a centralized Excel sheet or password manager.
- You can use third party sites to auto-post on your behalf as well. Ensure when you do that you continue to keep up the personality (and timezone!) you've adopted for each puppet. This can be quite a time-consuming task, depending on how old and involved you need your socks to be.
Test your puppets:
A final step you can take to test your puppets is to have a friend who's a fan of OSINT do some research on your socks to see if they can link them to each other or back to you. If they are able to link them back, figure out how.