Welcome to 3rd issue of OSINT Pros. This post is technical and it’s about the risks of using these so-called OSINT Platforms.

Did you read the last post, Exercise: Testing your fundamentals? where link of a LinkedIn post was given and i asked you to check if it’s OSINT or not. Let’s talk about the solution of that exercise.

LinkedIn Post link

To be honest, no one can clearly tell you what exactly Aadhar card is and why it exists. Every Authority in India interprets it in a different way, some consider it a proof of identity while don’t, some consider it a proof of citizenship while others don’t, some consider it a proof of DOB while others don’t. It’s a very messed up situation from legal perspective, so let’s go from the technical perspective.

Aadhar is a unique 12-digit identity number allocated to each Indian citizen or NRIs. Consider it to be similar to Social Security Number in USA. It is usually accepted as proof of identity in most KYC. Technically, each person should have only have one Aadhar, but when the Aadhar was launched, the system was too flawed that a person can have multiple Aadhar. Additionally, it’s data can’t be trusted as truth. For example, one of close relative has a D.O.B of 01/01/1985 in their Aadhar, they have a different DOB in other documents. It’s not their fault, the authority who created that Aadhar card just filled the D.O.B themselves. So, if it’s a case with one person, there would be many more cases like that. It’s very common.

Pro Tip - If you have money and you know the right person, you can legally steal someone’s identity very easily. You can get your name, picture, fingerprint, DOB, address, anything can get changed till a few years back. I don’t know about the current situation but back then, it was just a matter of money. Most of the cybercrimes that happen in India uses forged identity of someone else.

I believe that much context is enough to get you a rough idea about Aadhar. Aadhar card is just a printed card with Aadhar data.

Use of Leaked Data is not allowed in India legally.

In 2023, Indian government introduced a new act, DPDP act (Digital Personal Data Protection Act). It mandates lawful, transparent data handling, grants individuals’ rights over their data, and establishes the Data Protection Board of India.

If you get Aadhar data of someone from anyone without their permission, you are committing a crime, you are doing a violation of DPDP act. so, a legal action can be taken against you for this. So, you can’t use anyone’s Aadhar data until obtained from a legit source with permission. If you use any platform like as mentioned in that post, i don’t know about what will happen to that individual but you can surely be sued in a legal case for violating their individual rights and DPDP act.

Aadhar data has been leaked multiple times. In 2025, someone found a vulnerable API from which Aadhar data of any user can be fetched. They scrapped the entire dataset and started selling it. A lot of telegram bots uses this dataset to find details of Aadhar just by knowing the individual number. Apart from that, there was one more data leak, Hi-Tek Group. All these telegram bots, websites, platform etc are just using querying these two datasets.

One step ahead, some endpoints in Aadhar system are still vulnerable, so some people are just fetching the data in real time which is a kind of system breach. It’s a criminal activity.

Apart from that, the data obtained from these can’t be trusted. Based on my own research, they can’t a lot of false positives. I have tested this multiple times and can say with confidence, some of the data is outdated. A few of them is false or wrongly matched.

Before using any platform. Always check who’s the developer, from what’s the source of the data, is that applicable legally, can that data be trusted?

Don’t trust any platform blindly, most of them are just evil. Built to monetize rather than doing something good.

While LinkedIn post mentions that this platform is only available for LEA, it changes nothing. Everything i mentioned above is still valid. LEAs are also not allowed to use any such platform. In fact, there are the ones who are responsible to stop these kinds of things, it’s irony in itself that they are selling leaked data to law enforcement whose responsibility is to prevent selling of leaked data. Good joke, I think you should laugh.

We now have 18subs in this newsletter.

Feel free to drop a comment or reply to share your opinion.

Enjoy your day.