WHOMST - A Sometimes useful Twitter Investigation Tool

CLASSIFICATION: UNCLASSIFIED // FOR NICE GUY USE ONLY

A proof-of-concept anti-fraud investigation tool that uses the DeHashed API to map relationships between Twitter aliases, email addresses, and IP addresses found in data breaches available via Dehashed API (you'll need a Key).

Legal Notice

This tool is for defensive security and anti-fraud purposes only. Users must:

• Only investigate accounts with proper authorization
• Comply with all applicable laws and regulations
• Respect privacy and data protection laws
• Use responsibly and ethically

Features

• 2022 Twitter Breach Entry Point: Only investigates targets found in the 2022 Twitter breach database (BBC report)
• Recursive Mapping: Maps Twitter alias → email → IP → other emails through breach data
• Relationship Mapping: Builds graph of connections between identities discovered through recursion
• Intelligence Briefing: Generates professional intelligence reports on discovered relationships
• Password Analysis: Extracts passwords and hashes, organizes by hash type
• Hashcat Integration: Generates ready-to-use hashcat commands and wordlists
• Interactive Visualization: Web-based graph explorer with filtering
• Logic Logging: Tracks investigation flow and decisions through recursion depth

Quick Start

1. Download Pre-compiled Binary

Download the appropriate binary for your platform from the releases/ directory:

• Windows: whomst-windows-x64.exe
• macOS Intel: whomst-macos-intel
• macOS Apple Silicon: whomst-macos-arm64
• Linux: whomst-linux-x64

2. Configure

cd src
cp config.yaml.example config.yaml
# Edit config.yaml with your DeHashed credentials

3. Run Investigation

# Using pre-compiled binary
./whomst-<platform> -target <twitter_username>

# Or build from source
cd src
go build -o whomst
./whomst -target <twitter_username>

Repository Structure

whomst/
├── README.md              # This file - main project overview
├── docs/                  # Complete documentation
│   ├── SETUP.md          # Detailed setup guide
│   ├── SECURITY.md       # Security policy and best practices
│   ├── RELEASES.md       # Platform guide for binaries
│   └── ...               # Additional documentation
├── src/                  # Source code
│   ├── main.go           # CLI entry point
│   ├── config.yaml.example # Configuration template
│   ├── go.mod            # Go module definition
│   └── ...               # Core implementation files
└── releases/             # Pre-compiled binaries
    ├── whomst-windows-x64.exe
    ├── whomst-macos-arm64
    ├── whomst-linux-x64
    └── ...               # All platform binaries

Documentation

• SETUP.md - Complete installation and configuration guide
• SECURITY.md - Security policy and legal considerations
• RELEASES.md - Platform-specific binary usage guide

How It Works

flowchart TD
    A[Twitter Username Input] --> B{Search DeHashed for Username}
    B --> C{Found in 2022 Twitter Breach?}
    C -->|No| D[Investigation Terminated]
    C -->|Yes| E[Extract Initial Data]
    E --> F[Emails, IPs, Names, Phones]
    
    F --> G{Recursion Depth < Max?}
    G -->|No| M[Generate Outputs]
    G -->|Yes| H[Search Each Email in DeHashed]
    
    H --> I[Extract Connected Data]
    I --> J{IP Recursion Enabled?}
    J -->|Yes| K[Search Each IP in DeHashed]
    J -->|No| L[Skip IP Search]
    K --> I
    L --> I
    
    I --> N{More Entities to Process?}
    N -->|Yes| G
    N -->|No| M
    
    M --> O[Intelligence Report]
    M --> P[Relationship Graph]
    M --> Q[Interactive Visualization]
    M --> R[Hashcat Files]
    
    O --> S[Complete Investigation]
    P --> S
    Q --> S
    R --> S
    
    style C fill:#ff6b6b
    style G fill:#4ecdc4
    style J fill:#45b7d1
    style M fill:#96ceb4

Investigation Flow

1. Twitter Breach Entry: Searches DeHashed for username in 2022 Twitter breach
2. Initial Validation: Only proceeds if target exists in 2022 Twitter breach database, takes the email, searches the whole dataset on that email
3. Data Extraction: Extracts emails, IPs, usernames, names, phones, addresses from Twitter breach entry
4. Recursive Mapping:
   • Searches each discovered email address for other breaches
   • Searches each discovered IP address for other accounts
   • Maps IP addresses to additional email addresses
   • Continues recursion to configurable depth
5. Intelligence Analysis: Builds comprehensive graph of all discovered relationships
6. Report Generation: Creates intelligence briefing documenting the complete investigation thread

Building from Source

Prerequisites

• Go 1.21 or later
• DeHashed API account with credits

Build Instructions

cd src
go mod download
go build -o whomst

API Usage & Costs

• Each search consumes DeHashed credits based on results returned
• Monitor usage at https://www.dehashed.com/
• Default rate limit: 1 second between requests
• Deeper recursion = more API calls = higher costs

Contributing

1. Fork the repository
2. Create a feature branch
3. Make your changes in the src/ directory
4. Test thoroughly
5. Submit a pull request

License

This tool is provided under the MIT License with additional terms for security tools. See LICENSE for details.

Disclaimer

This tool is a proof of concept for nice guy investigation. Users are responsible for ensuring compliance with all applicable laws and regulations. The authors assume no liability for misuse.

---

CLASSIFICATION: UNCLASSIFIED // FOR OFFICIAL USE ONLY