Cross-platform identity correlation: how it actually works
Resolving the @handle on Telegram to the LinkedIn profile to the GitHub repo isn't magic — it's a layered confidence model. Here's the version that survives in court.
Cross-platform identity correlation — confirming that the username on Telegram is the same person as the LinkedIn profile and the GitHub repo — is the workhorse operation of modern OSINT. Done well, it's the difference between a useful report and an unfalsifiable one. Done badly, it puts you on the wrong side of a defamation suit.
The four signal classes
**Direct linkage.** The platform itself shows the connection. LinkedIn lists the personal website. GitHub commits use the work email. Twitter bio mentions the Telegram handle. These are 99% reliable when present, and they're rare.
**Cryptographic identity.** Same SSH public key on different GitHub accounts. Same PGP fingerprint signing emails from two addresses. Reuse of the same gravatar hash. Strong signal — the underlying identity primitive is hard to forge.
**Behavioral coupling.** Posting cadence on two platforms matches at the second. Geo-tagged posts at the same coordinates within minutes. Same writing tics + vocabulary across long posts. Statistical signal — needs enough sample size to be meaningful.
**Identifier reuse.** Same email across services (often surfaced via breach corpora). Same phone. Same alias on a username probe. Common but circumstantial — username collisions are real, especially for short common handles.
How to combine them
The version of cross-platform correlation that survives cross-examination uses all four classes and weights by reliability: direct linkage = high confidence single-source confirmation; cryptographic + identifier-reuse + behavioral together = high confidence; identifier-reuse alone = low confidence (it's a lead, not a conclusion); behavioral alone = informational, not actionable.
The fatal mistake is treating identifier reuse as a conclusion. "Both accounts use the email j.smith@gmail.com" is consistent with same-person, but also consistent with name collision, with shared family email, with a hijacked account. Treating it as proof of same-person identity is what gets investigators sued.
Where the source list helps
The breadth of the username probe matters more than the depth of any single platform. A subject who's careful about LinkedIn might be sloppy on Reddit; another careful on social platforms might leave a fingerprint on GitHub. Querying 30 platforms in parallel surfaces the signal that one of them got wrong.
What Tracelight does
Tracelight runs the username probe + email-to-account discovery + breach-corpus identifier-reuse check + GitHub key fingerprint check + behavioral activity heatmap as part of every subject enrichment. The cross-platform identity findings end up in evidence rows with confidence scores reflecting their signal class. The "verified by N sources" badge surfaces when the same identity claim was confirmed by 2+ independent workers.
The output is structured: here are the candidate cross-platform identities, here's the confidence model behind each, here's the evidence chain you'd present in a deposition. Not "trust us, it's the same person."
The reality check
Even with all four signal classes lined up, cross-platform identity correlation produces probabilistic conclusions, not deterministic ones. The professional move is to write the report with confidence intervals, not assertions. Anyone who tells you they have a 100% deterministic cross-platform identity tool is either selling you something or about to lose a libel case.