Eliot Higgins

BLUF

Eliot Higgins (b. 1979) is the founder of Bellingcat, the open-source investigative organization that has produced the most consequential public OSINT investigations of the past decade, including the attribution of the MH17 shootdown to the Russian military's 53rd Anti-Aircraft Missile Brigade (Kursk), the identification of the Skripal poisoning team as GRU officers of Unit 161 (FSB cover), the analysis of chemical weapons use in Ghouta (2013), and the reconstruction of the operation in which FSB officers from the Criminalistics Institute poisoned Alexei Navalny.

Higgins matters for this vault on two levels: (1) his investigations are primary-source material for multiple active cases involving Russian military and intelligence operations; and (2) the Bellingcat methodology — systematic cross-referencing of open sources: satellite imagery, geolocation, social media video verification, official document analysis — is the most developed public OSINT methodology currently available and the operational model against which 08 Guides & Manuals/OSINT Methodologies should be benchmarked.

Higgins began his career as an unemployed citizen analyst posting on forums under the pseudonym “Brown Moses,” tracking Syrian weapons flows from YouTube videos and leaked documents before the concept of “OSINT” had mainstream currency. He represents the institutionalization of citizen OSINT into a professional, legally rigorous investigative practice.


Methodology: The Bellingcat Approach

Bellingcat’s operational methodology is not primarily distinguished by access to specialized tools (though it uses them) but by the systematic combination of publicly available information types that institutions with classified access often underutilize. The core method:

Geolocation and Chronolocation

Ground-level photographs and videos can be precisely located by matching visible features — buildings, shadows, vegetation, terrain — to satellite imagery and mapping data. Once located, chronolocation establishes when an image was taken by analyzing shadow angles, seasonal foliage, and verifiable event markers.
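Added example (not Bellingcat's own code): a shadow-based chronolocation check that turns a measured shadow into candidate capture times for an already geolocated image. The solar position uses a standard low-precision series; the coordinates, date and measurement are constructed, and the function names are hypothetical.

```python
import math
from datetime import date

def sun_position(lat, lon, day, utc_min):
    """Approximate solar (elevation, azimuth) in degrees. lon is east-positive,
    azimuth is clockwise from north. Low-precision series, roughly degree-level."""
    g = 2 * math.pi / 365 * (day.timetuple().tm_yday - 1 + (utc_min / 60 - 12) / 24)
    eqtime = 229.18 * (0.000075 + 0.001868 * math.cos(g) - 0.032077 * math.sin(g)
                       - 0.014615 * math.cos(2 * g) - 0.040849 * math.sin(2 * g))
    decl = (0.006918 - 0.399912 * math.cos(g) + 0.070257 * math.sin(g)
            - 0.006758 * math.cos(2 * g) + 0.000907 * math.sin(2 * g)
            - 0.002697 * math.cos(3 * g) + 0.00148 * math.sin(3 * g))
    ha = math.radians((utc_min + eqtime + 4 * lon) / 4 - 180)  # hour angle
    phi = math.radians(lat)
    sin_el = (math.sin(phi) * math.sin(decl)
              + math.cos(phi) * math.cos(decl) * math.cos(ha))
    az = math.atan2(math.sin(ha),
                    math.cos(ha) * math.sin(phi) - math.tan(decl) * math.cos(phi))
    return math.degrees(math.asin(sin_el)), (math.degrees(az) + 180) % 360

def candidate_minutes(lat, lon, day, shadow_ratio, shadow_bearing=None, tol=0.5):
    """UTC minutes of `day` at which the sun fits the measured shadow.
    shadow_ratio = shadow length / object height; shadow_bearing = compass
    direction the shadow points (the sun is opposite), or None if unknown."""
    want_el = math.degrees(math.atan2(1.0, shadow_ratio))
    hits = []
    for m in range(24 * 60):
        el, az = sun_position(lat, lon, day, m)
        if el <= 0 or abs(el - want_el) > tol:
            continue
        if shadow_bearing is not None:
            sun_az = (shadow_bearing + 180) % 360
            if abs((az - sun_az + 180) % 360 - 180) > tol:  # wrap-safe difference
                continue
        hits.append(m)
    return hits

# Constructed measurement: coordinates, date and capture time are made up.
LAT, LON, DAY = 48.0, 37.8, date(2023, 6, 21)
_el, _az = sun_position(LAT, LON, DAY, 6 * 60)  # "true" capture time 06:00 UTC
RATIO, BEARING = 1 / math.tan(math.radians(_el)), (_az + 180) % 360

if __name__ == "__main__":
    print("length only:", candidate_minutes(LAT, LON, DAY, RATIO))
    print("length + bearing:", candidate_minutes(LAT, LON, DAY, RATIO, BEARING))
```

Shadow length alone matches both a morning and an afternoon window; the shadow's bearing is what narrows it to one.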

Bellingcat routinely geolocates videos from conflict zones — establishing that a claimed event occurred at a stated location, or refuting a false location claim. This methodology was developed primarily against Syrian conflict footage (2012–2015) and has been applied across Ukraine, Gaza, and Yemen.

OSINT Chain Analysis (MH17 Paradigm)

The MH17 investigation is the methodological landmark. Bellingcat established the travel route of the 9M38 Buk missile launcher from Kursk (Russia) to the separatist-controlled Donbas and back — using social media photographs and videos posted by ordinary witnesses along the route, cross-referenced with satellite imagery, commercial vehicle tracking, and official military documentation — months before any government had publicly made this attribution.

The methodology: collect every public artifact (photograph, video, social media post) related to a target; geolocate each; establish a chronological chain; cross-reference against satellite imagery and independent data sources; calculate confidence on each link in the chain.
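Added example (not from any Bellingcat report): the chain step above as a consistency check over geolocated, chronolocated sightings. It orders them in time, tests whether each link is physically possible, and carries a per-link confidence. The sightings, the 60 km/h convoy speed cap and the weakest-link scoring rule are all assumptions made for illustration.

```python
import math
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class Sighting:
    source: str        # label of the public artifact
    lat: float
    lon: float
    taken: datetime    # chronolocated capture time (UTC)
    confidence: float  # analyst's 0..1 confidence in this placement (assumed scale)

def haversine_km(a, b):
    """Great-circle distance: a lower bound on any road distance."""
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    dlat, dlon = p2 - p1, math.radians(b.lon - a.lon)
    h = math.sin(dlat / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def build_chain(sightings, max_kmh=60.0):
    """Order sightings by time and evaluate each consecutive link."""
    ordered = sorted(sightings, key=lambda s: s.taken)
    links = []
    for prev, cur in zip(ordered, ordered[1:]):
        hours = (cur.taken - prev.taken).total_seconds() / 3600
        km = haversine_km(prev, cur)
        # Straight-line speed; if even this exceeds the cap the link cannot hold.
        kmh = km / hours if hours > 0 else (0.0 if km == 0 else math.inf)
        links.append({"from": prev.source, "to": cur.source, "km": km, "kmh": kmh,
                      "plausible": kmh <= max_kmh,
                      "confidence": min(prev.confidence, cur.confidence)})
    return links

def chain_confidence(links):
    """Weakest-link rule (assumption): one impossible link breaks the chain."""
    if any(not link["plausible"] for link in links):
        return 0.0
    return min((link["confidence"] for link in links), default=0.0)

# Constructed sightings; coordinates and times are not from a real case.
SIGHTINGS = [
    Sighting("video-A", 50.0, 38.0, datetime(2023, 6, 21, 8, 0), 0.9),
    Sighting("photo-B", 50.0, 38.5, datetime(2023, 6, 21, 9, 0), 0.7),
    Sighting("post-C", 50.0, 41.0, datetime(2023, 6, 21, 9, 30), 0.8),
]

if __name__ == "__main__":
    for link in build_chain(SIGHTINGS):
        print(link)
```

A link flagged as implausible means at least one of the two artifacts is misplaced, mistimed or unrelated, and should go back for re-verification before the chain is used.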

Evidentiary standard: Bellingcat’s MH17 report was subsequently confirmed by the Joint Investigation Team (Netherlands, Australia, Belgium, Malaysia, Ukraine) using classified intelligence. The open-source conclusion preceded and was validated by the classified one. This outcome established that systematic OSINT methodology can reach intelligence-grade conclusions about covert military operations.

Entity Identification (Skripal / Navalny Paradigm)

Using Russian passport databases, commercial flight records, hotel registrations, and official military records obtained through data leaks and public access, Bellingcat identified the Skripal poisoning team as Colonel Anatoliy Chepiga and Dr. Alexander Mishkin — GRU Unit 161 officers — within months of the 2018 attack.

The Navalny poisoning investigation (2020) went further: Bellingcat identified eight FSB officers who had surveilled Navalny for three years. One of them, Alexei Alexandrov, was then called by Navalny himself — with Bellingcat and CNN present — and recorded confessing the operational details of the poisoning under the mistaken assumption he was reporting to a superior.

Significance for vault methodology: The entity identification methodology — constructing an identity from data fragments scattered across different official and unofficial databases — is replicable with open-source Russian and Chinese military datasets. The technique requires patience, cross-referencing discipline, and Russian-language access, not specialized intelligence tools.

Chemical Weapons Verification (Ghouta 2013)

Bellingcat was one of the first analytical actors to establish the geographic impossibility of Syrian government claims about the Ghouta attack — demonstrating through trajectory analysis that the rockets could only have been fired from a Syrian army-controlled area, not from opposition positions as the government claimed.

The analysis contributed to the UN investigation and preceded by months the conclusions of classified assessments.


Institutional Contribution: Bellingcat

Bellingcat (founded 2014) has institutionalized OSINT investigation in three ways:

  1. Published methodology guides — Bellingcat’s methodology blog documents specific techniques (geolocation workflows, reverse image search, OSINT for beginners) that have become standard reference material for OSINT practitioners globally

  2. Training programs — systematic training of journalists, NGOs, human rights organizations, and government analysts in Bellingcat methodology; this has multiplied the community of practice far beyond Bellingcat itself

  3. Publication standard — Bellingcat’s reports establish an evidentiary standard (show your sources, show your methodology, calibrate confidence explicitly) that pressures other investigative journalism to match


Analytical Positioning Against Institutional Intelligence

The Bellingcat model’s most significant institutional implication is the demonstration that classified intelligence access is not required for high-confidence attribution of covert state operations. This has three consequences:

  1. Accountability function: State actors can no longer assume that covert operations in the social media age will remain unattributed. The marginal cost of operational signature — photographs, videos, social media posts, passport records — has dropped to near zero, and the marginal cost of OSINT analysis has dropped with it.

  2. Speed advantage: Bellingcat’s MH17 and Skripal analyses preceded government attribution. OSINT can move faster than intelligence institutions that must protect sources and methods.

  3. Verification problem: Bellingcat’s methodology is replicable, including by adversaries and state information operations. The same techniques can be used to generate false attribution as readily as genuine attribution. The methodology validates; it does not automatically authenticate the validator.


Key Works

  • Higgins, Eliot. We Are Bellingcat: An Intelligence Agency for the People. Bloomsbury, 2021. [Primary — methodological narrative]
  • Bellingcat Investigation Team. “MH17 — The Open Source Investigation Three Years Later” (2017). [Primary report, High]
  • Bellingcat Investigation Team. “Identity of Third Salisbury Suspect Revealed” (2019) — GRU Colonel Anatoliy Chepiga. [Primary report, High]
  • Bellingcat Investigation Team. “The Navalny Poisoning” (2020). [Primary report, High]

Sources

  • Higgins, Eliot. We Are Bellingcat. Bloomsbury, 2021. [Primary, High]
  • Bellingcat.com — published investigation reports (2014–present). [Primary, varies by investigation]
  • Pomerantsev, Peter. “The Open-Source Revolution.” The New Statesman, 2021. [Secondary, Medium]