Whether you’re a journalist or private investigator, maintaining anonymity during online investigations is crucial not only for privacy reasons but also for the sake of protecting both yourself and the target of your investigation—especially in the scenario where collected evidence leads to a dead-end case. A common way to maintain anonymity during online investigations is by creating a fake online identity, aka an avatar or sock puppet.

What’s the secret to creating a successful sock puppet? We learned a lot from this post on the topic by Open Source Intelligence (OSINT) analyst and blogger Jake Creps. In fact, we liked it so much that we decided to boil down his advice to a few key steps.

Step 1: Have the right setup

When getting started conducting anonymous online investigations, Jake recommends having the following setup:

1. A dedicated computer only used for investigations
2. Encrypted Email
3. A burner phone or wifi phone number
4. A social media profile where your target is most active
5. A couple of different virtual machines
6. A blog or website (e.g., WordPress, Blogger, or Medium)
7. A VPN 

Step 2: Choose a sock puppet style

According to Jake, when getting started creating a sock puppet for anonymous online investigations there are two main options to choose from: A fake person, or an avatar that is clearly fake.

The first option entails creating a person with a name and an entire identity around them in order to make the account feel authentic. In the worst case, if your cover is blown, you will have to delete everything and start over. Jake advises that, while the first option is the most effective way to operate, the second option is probably the easiest approach for most:

“Option 2 is creating an avatar that’s focused around an idea rather than a unique identity,” Jake writes. “Examples of this include @ShakiraSecurity on Twitter or @DutchOSINTGuy.  Everyone knows Shakira isn’t involved in the infosec community. They also know that that account isn’t Shakira.  But that account is still a trusted source on Twitter when it comes to OSINT and infosec conversations. That account [has] over 500 followers. That account has a function and has built trust. That account was easier to create than a blank slate.”

Step 3: Check yourself

Before deploying your sock, Jake advises investigating yourself to ensure that your account is as unique as possible and that it cannot be easily traced back to you.

“Constantly collect OSINT on your sock puppet and reverse engineer your own creation,” Jake writes. “Have a friend or colleague take a look at it and see if they can find a way in.” 

And don’t forget to check the big giveaways like your image data and domain registration.  

Step 4: Stay active but grow authentically

Once your tools are in place and you’ve ensured your identity is untraceable, you can let your sock out in public. It’s time to create your social media profiles and start posting unique content and status updates, as well as interacting with people in your target group niche.

But in order to build trust and maintain credibility, it’s important to start slow, Jake warns.

“Since you’re starting from scratch, it’s important you start interacting in an organic way,” Jake writes.  “…This process will take a long time if you do it right. If you’re really skilled, your target will come to you. I recommend creating multiple avatars with multiple emails and phone numbers to decrease your risk and to deploy them in different ways.”