Disinformation Detection Methodology
BLUF
The Disinformation Detection Methodology is a structured OSINT process for determining whether a specific claim, content item, or information campaign is fabricated, manipulated, or deliberately deceptive — and, where possible, tracing the origin and attribution chain. This methodology distinguishes three related but operationally distinct outputs: detection (determining that content is false or manipulated), debunking (public-facing correction), and attribution (identifying the actor or network responsible). AI-generated synthetic content has collapsed the production timeline for disinformation from days or weeks to hours, making detection velocity as important as detection accuracy. The methodology applies a three-layer framework: Layer 1 (content verification of individual claims), Layer 2 (network pattern analysis for campaign-level detection), and Layer 3 (attribution methodology). Each layer requires distinct tools, skill sets, and epistemological standards. Attribution is the hardest output and is rarely achievable to High confidence via OSINT alone — it requires corroboration from TECHINT, SIGINT, or HUMINT channels to cross the High confidence threshold.
Conceptual Foundations
Disinformation operates across a seven-type taxonomy developed by Claire Wardle and Hossein Derakhshan (Council of Europe, 2017). Each type requires a distinct detection approach:
| Type | Definition | Detection technique |
|---|---|---|
| Fabricated content | Entirely false material, no factual basis | Cross-reference with primary sources; geographic/temporal verification |
| Manipulated content | Authentic material altered to change meaning | Image forensics (ELA); video frame analysis; audio-visual sync check |
| False context | Authentic content presented with false framing | Source chain tracing; reverse image search; chronolocation |
| Impostor content | Genuine sources impersonated | Domain analysis; WHOIS; visual comparison with authentic outlet |
| Misleading content | Accurate facts used misleadingly | Claim decomposition; context verification; expert source triangulation |
| False connection | Headlines/visuals disconnected from content | Direct text-headline comparison; cross-reference with full article |
| Satire/parody misuse | Satirical content mistaken for genuine news | Publisher origin check; satire disclosure verification |
Operational importance: misidentifying the disinformation type drives the wrong detection technique. Applying image forensics to a false-context operation produces a false negative (the image is genuine); applying source-chain tracing to fabricated content produces a false positive (there is no authentic original to find).
Taxonomy note: distinguish disinformation (intentional, actor-driven) from misinformation (unintentional error) and malinformation (true information weaponized — leaking genuine private data to harm a target). Each requires a different analytical and response framework.
Detection vs. Debunking vs. Attribution
| Dimension | Detection | Debunking | Attribution |
|---|---|---|---|
| Goal | Determine if content is false/manipulated | Correct the record publicly | Identify who produced/distributed the operation |
| Primary audience | Intelligence and analytical teams | Public, media, policymakers | Intelligence, law enforcement, diplomatic channels |
| Primary methodology | Content verification + network analysis | Detection product + accessible narrative | Technical forensics + behavioral analysis + doctrine alignment |
| Timeline | Hours to days | Hours (post-detection) | Days to months |
| Confidence achievable via OSINT | High (for individual claims) | N/A (depends on detection) | Low to Medium (strategic attribution); High rare |
| Output format | Structured assessment with verdict + evidence | Public explainer or fact-check article | Attribution report with confidence rating and caveats |
Assessment (High): Attribution is the rarest and most resource-intensive output. Tactical attribution (who performed the specific operation) requires technical forensics; strategic attribution (who directed it) additionally requires doctrine alignment and independent corroboration. Attributions by Stanford Internet Observatory, DFRLab, and EU DisinfoLab set the institutional benchmark.
Layer 1 — Content Verification
The foundational layer applied to every claim before any campaign-level analysis.
Claim Decomposition
Break the target narrative into discrete falsifiable sub-claims. A single disinformation item may contain 3–7 distinct claims; each must be assessed independently. Record as: Claim → Verification status → Evidence → Source → Confidence.
Reverse Image and Video Search
- Google Images (drag-and-drop or right-click): broad coverage; weak for non-English content
- TinEye: specialized for exact-match reverse image; best for tracking image reuse timelines
- Yandex Images: strongest coverage for Russian-language and Eastern European contexts; frequently identifies original sources that Google misses
- InVID/WeVerify plugin (Firefox/Chrome): keyframe extraction from video; metadata reading; reverse search of individual frames — the primary tool for video content verification
Geolocation and Chronolocation
Match geographic markers (architecture style, signage, vegetation, terrain) and temporal markers (shadow angle/length → sun position → approximate time and date; seasonal indicators; event-specific markers) to verify claimed location and time.
Tools: Google Earth Pro (3D and historical imagery), Sentinel-2 (free multispectral baseline imagery via EO Browser), Wikimapia, Bellingcat Geolocation Guide (standard reference).
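The shadow-angle step above can be screened numerically before an analyst commits to full geolocation. The following is an added example, not part of the original page and not a tool from the guides it cites: it derives the sun elevation implied by a measured shadow and compares it with the elevation the sun would have at the claimed latitude, day of year and local solar time. The solar formulas (Cooper declination, hour-angle elevation) are standard approximations accurate to roughly a degree; the function names, the 5-degree tolerance and the scenario values are this example's own assumptions.

```python
import math

# Added example (not from the original page): a first-pass consistency check
# between the sun elevation implied by a shadow and the elevation predicted for
# the claimed place and time. Standard approximations; not a replacement for a
# full solar-position calculation or for terrain/lens corrections.

def sun_elevation_from_shadow(object_height_m, shadow_length_m):
    """Sun elevation (degrees above horizon) implied by a vertical object of
    known height casting a shadow of measured length on flat ground."""
    if shadow_length_m <= 0:
        return 90.0  # no visible shadow: sun at or near zenith
    return math.degrees(math.atan2(object_height_m, shadow_length_m))

def solar_declination_deg(day_of_year):
    """Cooper's approximation of solar declination for a given day of year."""
    return 23.44 * math.sin(math.radians(360.0 / 365.0 * (day_of_year - 81)))

def predicted_sun_elevation(latitude_deg, day_of_year, solar_hour):
    """Sun elevation at a latitude for a day of year and local *solar* time
    (12.0 = solar noon). Longitude, time-zone and equation-of-time corrections
    are left to the analyst; this is a screening formula only."""
    lat = math.radians(latitude_deg)
    decl = math.radians(solar_declination_deg(day_of_year))
    hour_angle = math.radians(15.0 * (solar_hour - 12.0))
    sin_elev = (math.sin(lat) * math.sin(decl)
                + math.cos(lat) * math.cos(decl) * math.cos(hour_angle))
    return math.degrees(math.asin(max(-1.0, min(1.0, sin_elev))))

def chronolocation_check(object_height_m, shadow_length_m,
                         latitude_deg, day_of_year, solar_hour, tolerance_deg=5.0):
    """Compare observed vs predicted sun elevation for a claimed place and time.
    A large delta means the claimed time (or place) does not fit the image."""
    observed = sun_elevation_from_shadow(object_height_m, shadow_length_m)
    predicted = predicted_sun_elevation(latitude_deg, day_of_year, solar_hour)
    delta = observed - predicted
    return {
        "observed_elevation": round(observed, 1),
        "predicted_elevation": round(predicted, 1),
        "delta_deg": round(delta, 1),
        "consistent": abs(delta) <= tolerance_deg,
    }

if __name__ == "__main__":
    # Constructed scenario: a 2 m post casting a 1.07 m shadow, claimed to be
    # photographed at 51.5 N on day 172 (late June). Solar noon fits; 08:00 does not.
    print(chronolocation_check(2.0, 1.07, 51.5, 172, 12.0))
    print(chronolocation_check(2.0, 1.07, 51.5, 172, 8.0))
```

The check only falsifies: a consistent result means the claimed time is not excluded, not that it is confirmed, and the tolerance should be widened when the shadow-casting object's height or the ground slope is uncertain.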
Source Chain Tracing
Identify the earliest traceable publication of the claim and map the subsequent amplification cascade. The first publication is the primary attribution evidence. Tools: Google search with before: and after: date operators; Wayback Machine; CrowdTangle (archived; methodologically reproducible via platform APIs); social media advanced search.
Cross-Reference
Consult established fact-checking databases before investing in original verification: Snopes, PolitiFact, Bellingcat, AFP Fact Check, Reuters Fact Check, First Draft, IFCN-affiliated fact-checkers. If the claim is already verified, cite the existing fact-check and document it; do not duplicate work.
Layer 2 — Network Pattern Analysis
Moving from single-claim verification to campaign-level detection — determining whether an information operation is coordinated rather than organic.
Coordinated Inauthentic Behavior (CIB) Indicators
- Posting time clusters: organic viral spread follows human activity patterns; coordinated amplification shows posting bursts at statistically anomalous hours (infrastructure-scheduled posting)
- Lexical fingerprinting: near-identical phrasing across multiple accounts suggests copy-paste coordination; identify using cosine similarity or manual comparison
- Avatar similarity: GAN-generated profile images show characteristic artifacts (background blending, asymmetric earrings, glasses lens irregularities at borders); reverse image search + ThisPersonDoesNotExist comparison
- Account creation date clusters: coordinated networks often show registration dates in tight clusters; check with Botometer historical data or platform transparency reports
- Engagement ratio anomalies: follower-to-engagement mismatches; follower:following ratio extremes
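Three of the indicators above (lexical fingerprinting, account creation date clusters, posting time clusters) can be computed directly from exported account data. The block below is an added example, not code from the original page or from any of the tools it names: it runs bag-of-words cosine similarity across posts, groups registration dates that fall within a sliding window, and flags hours of the day that carry a disproportionate share of posting. The account records, post texts, field names and thresholds are constructed for the example.

```python
import math
import re
from collections import Counter
from datetime import date, datetime

# Constructed sample data (not real accounts or posts): three accounts created
# within days of each other posting near-identical text at 03:xx, plus two
# organic-looking accounts. Field names are this example's own assumptions.
ACCOUNTS = [
    {"handle": "acct_a", "created": "2023-03-02", "posts": [
        ("2023-06-01T03:14:00", "Breaking: the dam failure was caused by sabotage, share before it is deleted!"),
        ("2023-06-01T03:41:00", "Authorities are hiding the truth about the dam")]},
    {"handle": "acct_b", "created": "2023-03-03", "posts": [
        ("2023-06-01T03:15:00", "BREAKING the dam failure was caused by sabotage share before it is deleted"),
        ("2023-06-01T03:42:00", "authorities are hiding the truth about the dam!!")]},
    {"handle": "acct_c", "created": "2023-03-04", "posts": [
        ("2023-06-01T03:15:00", "the dam failure was caused by sabotage share before they delete it")]},
    {"handle": "organic_1", "created": "2019-08-15", "posts": [
        ("2023-06-01T12:40:00", "Just got back from the lake, water levels look normal to me")]},
    {"handle": "organic_2", "created": "2021-01-10", "posts": [
        ("2023-06-01T18:05:00", "Anyone know if the road past the dam is open this weekend?")]},
]

def tokenize(text):
    return re.findall(r"[a-z']+", text.lower())

def cosine_similarity(text_a, text_b):
    """Cosine similarity of bag-of-words count vectors (1.0 = same word counts)."""
    a, b = Counter(tokenize(text_a)), Counter(tokenize(text_b))
    dot = sum(a[t] * b[t] for t in a if t in b)
    norm = (math.sqrt(sum(v * v for v in a.values()))
            * math.sqrt(sum(v * v for v in b.values())))
    return dot / norm if norm else 0.0

def lexical_duplicate_pairs(accounts, threshold=0.75):
    """Account pairs with at least one near-identical post across the pair."""
    pairs = set()
    for i, x in enumerate(accounts):
        for y in accounts[i + 1:]:
            for _, tx in x["posts"]:
                for _, ty in y["posts"]:
                    if cosine_similarity(tx, ty) >= threshold:
                        pairs.add(frozenset((x["handle"], y["handle"])))
    return pairs

def creation_date_clusters(accounts, window_days=7, min_size=2):
    """Groups of accounts whose registration dates fall within window_days of
    the first account in the group (sorted sweep)."""
    ordered = sorted(accounts, key=lambda a: a["created"])
    clusters, current = [], []
    for acct in ordered:
        created = date.fromisoformat(acct["created"])
        if current and (created - date.fromisoformat(current[0]["created"])).days > window_days:
            clusters.append(current)
            current = []
        current.append(acct)
    clusters.append(current)
    return [[a["handle"] for a in c] for c in clusters if len(c) >= min_size]

def posting_hour_bursts(accounts, burst_fraction=0.4):
    """Hours of day carrying at least burst_fraction of all posts. Organic
    activity spreads across waking hours; scheduled amplification piles up."""
    hours = Counter(datetime.fromisoformat(ts).hour
                    for a in accounts for ts, _ in a["posts"])
    total = sum(hours.values())
    return sorted((h, n) for h, n in hours.items() if n >= burst_fraction * total)

if __name__ == "__main__":
    print("lexical duplicates:", [sorted(p) for p in lexical_duplicate_pairs(ACCOUNTS)])
    print("creation clusters:", creation_date_clusters(ACCOUNTS))
    print("posting bursts:", posting_hour_bursts(ACCOUNTS))
```

On a real export the burst test should be run against a baseline (the hourly distribution of a known-organic sample or a statistical model) rather than a fixed fraction, and near-duplicate text should be weighed against how generic the shared phrasing is; a hashtag campaign that thousands of genuine users copy will also score high on cosine similarity.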
Bot Detection
- Botometer (Indiana University, Observatory on Social Media): scores Twitter/X accounts 0–5 on bot probability; requires Twitter API
- SparkToro Fake Follower Audit: follower quality analysis
- Behavioral signatures: posting velocity >100 posts/day; no sleep period; retweet-heavy with minimal original content; account age vs. activity level
Infrastructure Analysis
When accounts are linked to external websites or coordinated domains:
- WHOIS / passive DNS: identify registrant email, nameserver, registration dates; pivot on shared infrastructure across multiple domains
- Shodan/Censys: identify server infrastructure shared across multiple domains; SSL certificate pivot (same certificate → same operator)
- Maltego: graph visualization of domain relationships, registrant connections, IP hosting clusters
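The WHOIS and certificate pivots above amount to joining domains on shared attributes. The block below is an added example and not output from WHOIS, Shodan, Censys or Maltego: it takes constructed per-domain records (placeholder domains, fake certificate fingerprints, documentation-range IPs) and clusters them with a union-find over strong pivots (registrant email, TLS certificate fingerprint, hosting IP), reporting which pivots linked each cluster. Privacy-proxy registrant strings are excluded as a pivot, and shared nameservers are deliberately not a join key, because both are common across unrelated sites.

```python
from collections import defaultdict

# Added example (not from the original page): clustering domains on shared
# infrastructure pivots. All records below are constructed placeholders; the
# field names, marker list and cluster output format are this example's own.
PRIVACY_PROXY_MARKERS = ("privacy", "redacted", "whoisguard", "proxy")

RECORDS = [
    {"domain": "regional-truth-news.example", "registrant_email": "ops-contact@mail.example",
     "nameservers": ["ns1.host-a.example"], "ip": "203.0.113.10", "tls_sha256": "PLACEHOLDER-CERT-1"},
    {"domain": "daily-patriot-wire.example", "registrant_email": "ops-contact@mail.example",
     "nameservers": ["ns1.host-b.example"], "ip": "203.0.113.11", "tls_sha256": "PLACEHOLDER-CERT-2"},
    {"domain": "border-watch-report.example", "registrant_email": "REDACTED FOR PRIVACY",
     "nameservers": ["ns1.host-c.example"], "ip": "203.0.113.12", "tls_sha256": "PLACEHOLDER-CERT-2"},
    {"domain": "local-garden-club.example", "registrant_email": "REDACTED FOR PRIVACY",
     "nameservers": ["ns1.bigshared.example"], "ip": "198.51.100.5", "tls_sha256": "PLACEHOLDER-CERT-3"},
    {"domain": "city-bakery.example", "registrant_email": "REDACTED FOR PRIVACY",
     "nameservers": ["ns1.bigshared.example"], "ip": "198.51.100.6", "tls_sha256": "PLACEHOLDER-CERT-4"},
]

def is_pivotable_email(email):
    """A registrant email is usable as a pivot only if it is a real address and
    not a registrar privacy-proxy placeholder."""
    e = email.lower()
    return "@" in e and not any(m in e for m in PRIVACY_PROXY_MARKERS)

def pivot_keys(rec):
    """Strong pivots for one record. Nameservers are intentionally omitted:
    thousands of unrelated domains share a large provider's nameservers."""
    keys = [("tls", rec["tls_sha256"]), ("ip", rec["ip"])]
    if is_pivotable_email(rec["registrant_email"]):
        keys.append(("email", rec["registrant_email"].lower()))
    return keys

def cluster_by_shared_pivots(records):
    """Union-find over domains; any shared strong pivot joins two domains.
    Returns clusters (largest first) with the pivots that linked them."""
    parent = {r["domain"]: r["domain"] for r in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    owners, joins = {}, []  # pivot -> first domain seen; (a, b, pivot) links
    for r in records:
        for key in pivot_keys(r):
            if key in owners:
                joins.append((owners[key], r["domain"], key))
                a, b = find(owners[key]), find(r["domain"])
                if a != b:
                    parent[b] = a
            else:
                owners[key] = r["domain"]

    clusters = defaultdict(lambda: {"domains": set(), "pivots": set()})
    for d in parent:
        clusters[find(d)]["domains"].add(d)
    for a, _, key in joins:
        clusters[find(a)]["pivots"].add(key)
    return sorted(
        ({"domains": sorted(c["domains"]), "pivots": sorted(c["pivots"])} for c in clusters.values()),
        key=lambda c: (-len(c["domains"]), c["domains"][0]),
    )

if __name__ == "__main__":
    for c in cluster_by_shared_pivots(RECORDS):
        print(c["domains"], "linked by", c["pivots"] or "nothing")
```

A shared IP at a large CDN or shared-hosting provider is a weaker pivot than a shared certificate or registrant; in practice each pivot type should carry a weight and the analyst should record why a given link is treated as operator-level rather than provider-level evidence.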
Network Visualization
- Gephi: open-source network analysis; import edge lists from platform data; identify clusters, bridge nodes, and amplification hubs
- Graphistry: GPU-accelerated for large networks
- NodeXL: Excel-based; lower barrier for analysts without Gephi experience
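All three tools consume an edge list, and the cluster and hub questions can be answered on the raw interaction data before anything is visualized. The following is an added example, not part of the original page and not Gephi, Graphistry or NodeXL code: it turns constructed interaction records into a Source,Target,Weight CSV of the kind Gephi's spreadsheet importer reads, ranks accounts by weighted in-degree to find amplification hubs, and measures how much of a candidate cluster's engagement comes from inside the cluster, the intra-network pattern noted in Case Study 2. The account names, the interaction list and the candidate cluster are constructed.

```python
import csv
import io
from collections import Counter

# Added example (not from the original page): edge-list export and two
# network metrics over constructed interaction records. No real accounts.
INTERACTIONS = [  # (source account, target account, interaction type)
    ("c1", "amp_hub", "retweet"), ("c2", "amp_hub", "retweet"),
    ("c3", "amp_hub", "retweet"), ("c4", "amp_hub", "retweet"),
    ("c1", "c2", "like"), ("c2", "c1", "like"),
    ("c3", "c4", "like"), ("c4", "c3", "like"),
    ("user_x", "amp_hub", "retweet"),
    ("user_y", "org_news", "retweet"), ("user_z", "org_news", "retweet"),
    ("user_x", "org_news", "like"),
]

def weighted_edges(interactions):
    """Collapse repeated interactions into (source, target) -> weight."""
    return Counter((s, t) for s, t, _ in interactions)

def gephi_edge_list(interactions):
    """CSV text in the Source,Target,Weight layout Gephi's importer accepts."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["Source", "Target", "Weight"])
    for (s, t), n in sorted(weighted_edges(interactions).items()):
        writer.writerow([s, t, n])
    return buf.getvalue()

def amplification_hubs(interactions, top_n=3):
    """Accounts ranked by weighted in-degree (engagement received)."""
    indeg = Counter()
    for (_, t), n in weighted_edges(interactions).items():
        indeg[t] += n
    return indeg.most_common(top_n)

def intra_network_engagement_share(interactions, cluster):
    """Fraction of engagement received by cluster members that comes from other
    cluster members. Near 1.0 means the cluster mostly engages with itself,
    the signature of coordinated accounts liking each other's content."""
    received = inside = 0
    for s, t, _ in interactions:
        if t in cluster:
            received += 1
            inside += s in cluster
    return inside / received if received else 0.0

CANDIDATE_CLUSTER = {"c1", "c2", "c3", "c4", "amp_hub"}

if __name__ == "__main__":
    print(gephi_edge_list(INTERACTIONS))
    print("hubs:", amplification_hubs(INTERACTIONS))
    print("intra-network share:",
          round(intra_network_engagement_share(INTERACTIONS, CANDIDATE_CLUSTER), 3))
```

The candidate cluster here is given by hand; on real data it would come from a community-detection pass (Gephi's modularity routine, for example) and the intra-network share then tells the analyst whether that community's reach is genuine or self-generated.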
Layer 3 — Attribution Methodology
The hardest layer. Rarely achievable to High confidence via OSINT alone.
Tactical Attribution (Who Performed the Operation)
- Persona network analysis: account creation patterns, linguistic analysis of written content (idiolect — distinctive grammatical patterns consistent with L1 speaker of a specific language)
- Infrastructure forensics: shared hosting, SSL certificate reuse, registrant email pivots
- Linguistic fingerprinting: syntactic patterns, false-cognate errors, transliteration artifacts that reveal the author’s native language
Strategic Attribution (Who Directed the Operation)
Requires alignment with three additional evidence streams:
- Doctrine alignment: does the operation’s characteristics match documented adversary doctrine? Russian Firehose = high volume without consistency; PRC Spamouflage = coordinated low-quality amplification; Iranian = hub-and-spoke proxy with FA/EN framing delta
- Event timing correlation: does operation timing align with specific diplomatic, military, or political events that an adversary had incentive to exploit?
- TTP overlap: does the operation overlap with previously attributed operations by the same actor (documented in DFRLab, SIO, EU DisinfoLab reports)?
Four-Source Attribution Rule
Assessment (High confidence): technical artifact + behavioral pattern + doctrine alignment + independent institutional corroboration from a recognized attribution body
Fewer than four: downgrade to Medium or Low. Single-source attribution to a state actor is never High confidence in OSINT products.
AI-Generated Disinformation — Detection Addendum
See AI-Content Detection Methodology for the full synthetic media detection framework. Disinformation-specific addendum:
LLM-generated text: high fluency, low idiosyncrasy, generic vocabulary, absence of authentic personal voice. Detection tools: GPTZero, Originality.ai, Copyleaks, Binoculars (academic). Limitation: state-of-the-art LLM text detection approaches 50% accuracy against SOTA models — text detection must be supplemented by network-level analysis, not relied on independently.
Synthetic persona factories: GAN/diffusion-generated profile images (check: background blending artifacts, earring symmetry, glasses lens edges, hair-background boundary); PimEyes facial search; Google Image search with exact crop.
Hybrid operations (most common pattern 2023–present): LLM-drafted narrative copy + authentic imagery misattributed to a false event. The image passes Layer 1 image forensics (it is authentic); detection requires chronolocation/geolocation mismatch analysis and source chain tracing to the true original context.
Lateral Reading — The Primary Verification Heuristic
Lateral reading (Mike Caulfield, Web Literacy for Student Fact-Checkers, 2017; operationalized in SIFT framework) is the primary heuristic for rapid source assessment.
The core insight: expert fact-checkers do not read deeply into an unfamiliar source first. They immediately open additional tabs to read what others say about the source before engaging with the source’s content. This is the structural opposite of the “close reading” taught in academic contexts.
SIFT Framework operationalized for OSINT analysts:
- Stop — pause before sharing or acting on the claim
- Investigate the source — open lateral tabs: “[outlet name] reliability”, “[outlet name] funding”, Media Bias/Fact Check, NewsGuard, IFCN signatory list
- Find better coverage — search for the same claim in established outlets; if only fringe sources carry it, flag accordingly
- Trace claims, quotes, and media — find the original, earliest source; assess what was added or removed in amplification
Application to state media: RT, Xinhua, Press TV, TASS, Sputnik, and Granma require explicit [state-aligned] label. Lateral reading confirms this classification in under 90 seconds for any outlet. Never label state-aligned sources as [authoritative primary source].
Prebunking vs. Debunking
Debunking after a narrative has reached mass amplification is assessed to be 40–90% less effective than prebunking before it spreads (inoculation theory — Lewandowsky, Ecker, Seifert, et al., Psychological Science in the Public Interest, 2012; Cook et al., 2017).
For intelligence products feeding public-facing outputs:
- Flag narratives pre-virality as warning intelligence — the detection product should include a recommended prebunking message
- Prebunking should explain the manipulation technique without repeating the false claim (repeating the claim increases its familiarity and thus perceived truth — “continued influence effect”)
- The backfire effect (debunking strengthening false beliefs) is real but context-dependent and less universal than originally reported (Wood & Porter, 2019); it is more pronounced in highly polarized audiences with strong partisan identity
Operational Protocol — 6-Step Disinformation Assessment
| Step | Action | Output |
|---|---|---|
| 1. Claim decomposition | List all discrete falsifiable sub-claims in the target item | Numbered claim list |
| 2. Layer 1 verification | Apply content verification techniques to each sub-claim | Per-claim verdict (True / False / Misleading / Unverifiable) + evidence |
| 3. Source chain map | Trace from current exposure back to earliest traceable publication | Source chain diagram or table; first publication identified |
| 4. Layer 2 pattern check | Apply CIB indicators, bot detection, infrastructure analysis | Campaign assessment: organic vs. coordinated; coordination confidence level |
| 5. Attribution assessment | Apply Layer 3; explicitly state if attribution is beyond OSINT scope | Attribution verdict with confidence rating and method justification |
| 6. Structured output | Complete assessment template (below) | Final product |
Assessment Template:
| Field | Content |
|---|---|
| Claim | [Exact text of the claim being assessed] |
| Claim type | [Wardle-Derakhshan type] |
| Verdict | False / Misleading / Unverifiable / Partially true |
| Key evidence | [2–4 bullet evidence points with source citations] |
| Source chain | [First publication → key amplification nodes] |
| Campaign indicators | [Organic / Coordinated / Inconclusive + basis] |
| Attribution | [Actor if attributable / “Attribution beyond current OSINT scope”] |
| Confidence | High / Medium / Low / Unverified |
| Recommended action | [Prebunk / Monitor / No action / Escalate] |
Case Studies
Case Study 1: Russia’s Firehose of Falsehood — MH17 (2014)
Following the downing of Malaysia Airlines MH17 over eastern Ukraine on 17 July 2014, Russian state media and affiliated social media networks deployed four competing narratives within 72 hours: Ukrainian military aircraft shot it down; Ukrainian forces mistook MH17 for Putin’s presidential plane; a Ukrainian Su-25 shot it from below; a rogue Ukrainian unit acted independently. The simultaneous deployment of mutually contradictory narratives is the operational signature of the Firehose doctrine (RAND, Paul and Matthews, 2016) — saturation of the information environment defeats fact-checking capacity by creating a “fog of war” that prevents consensus attribution.
Detection methodology applied: The Joint Investigation Team (JIT), using OSINT-derived evidence (social media video of the BUK TELAR moving through Donetsk, metadata-verified photographs placing the launcher at Pukhiv-based 53rd Anti-Aircraft Missile Brigade, Bellingcat geolocation of images), achieved strategic attribution to Russia over 2016–2019 via the four-source rule (technical artifact + behavioral pattern + doctrine alignment + corroboration from independent investigations). Detection lesson: map narrative volume against evidence quality — disinformation operations produce an inverse correlation. High-volume competing narratives with low individual evidence quality are the Firehose signature.
Case Study 2: PRC Spamouflage Network (2019–present)
Meta’s Threat Intelligence Bulletin (August 2019, updated 2022) and Stanford Internet Observatory co-documented the Spamouflage network: a coordinated inauthentic behavior operation on Facebook, Twitter/X, and YouTube amplifying PRC government positions. Detection methodology:
- Account creation date clustering: large proportions of accounts created within days of each other
- Avatar analysis: mix of GAN-generated faces and stock photography
- Lexical fingerprinting: near-identical post text across hundreds of accounts
- Low organic engagement: accounts with thousands of followers receiving near-zero organic likes/shares — engagement was intra-network (coordinated accounts liking each other’s content)
Key lesson: low-quality coordinated amplification at scale is detectable even when individual accounts appear superficially authentic. The campaign’s weakness was its reliance on quantity over authenticity quality — enabling network-level detection despite individual account sophistication.
Key Connections
Conceptual parents:
- Disinformation — conceptual framework and theory
- Active Measures — Soviet/Russian doctrine lineage
- Cognitive Warfare — strategic context
Complementary methodologies:
- Non-Western OSINT Traditions — adversary doctrinal fingerprints for attribution
- AI-Content Detection Methodology — synthetic media detection layer
- Source Verification Framework — lateral reading and source chain SOP
- Social Media Intelligence — SOCMINT as primary collection environment
- Network Analysis Methodology — Layer 2 technical complement
- Attribution — attribution methodology framework
Legal and ethical constraints:
- OSINT Legal Framework — jurisdictional constraints on collection