Back
Anti-Trafficking · OSINT Tooling
Active Development
Linux · Python · OSINT
2025–Present

Operation
US-One

Type
Analyst Tooling · Capstone Research
Environment
Linux
Domain
Anti-Trafficking OSINT
Scope
Collection · Analysis · Reporting
Environment
Linux (CLI)
Approach
Public-Source Collection
Domain
Anti-Trafficking OSINT
Status
Active Development
Program Overview

An operational framework for
open-source trafficking analysis.

Operation US-One is an OSINT collection and analysis program developed to support anti-human trafficking intelligence work. The program ingests publicly accessible data from the open and deep web — forums, classified advertising platforms, public indexing services, and sanctioned data redistributions — and produces structured output formatted for analytical review and, where appropriate, referral to law enforcement partners.

The program is operated by a single OSINT analyst and serves a dual role: as tooling that reduces the time cost of routine collection tasks, and as the research foundation for graduate work examining the application of open-source methods to community-level anti-trafficking analysis.

"The analytical problem is not a shortage of public information; it is the absence of systems to collect, normalize, and surface it at operational tempo."
Automated collection — replaces manual review of known platforms with repeatable, schedulable collection runs across defined target sets
Structured output — raw content is parsed, normalized, and organized for analyst review rather than returned as unstructured text
Operator-defined targets — collection targets, keyword lists, and filter logic are maintained in plain-text configuration, supporting rapid adjustment as the landscape shifts
Linux-native implementation — developed for command-line execution with minimal dependencies, suitable for scheduled automation or analyst-initiated runs
Operational Context

Manual collection does not
meet operational tempo.

Anti-trafficking analysts face a signal-to-noise problem that manual collection cannot resolve at any useful scale. The volume of content produced daily across relevant platforms exceeds what any individual can review by hand, and those platforms shift in structure, location, and access controls on an ongoing basis. Traditional review workflows do not keep pace with the operational environment.

Commercial and institutional intelligence tooling exists, but access is substantially constrained by licensing costs and by procurement pathways that are unavailable to independent analysts and community-level organizations. Operation US-One occupies that gap: purpose-built, operator-maintained, and directly informed by the analytical requirements of the work it supports.

"The limiting factor in community-level intelligence is analyst time, not available source material."
Collection volume — relevant platforms produce thousands of new records daily; manual review at operational scale is not achievable
Platform drift — target platforms shift structure, migrate, or lose accessibility without notice; automated tooling is updated more rapidly than manual workflows can adjust
Access disparity — institutional OSINT platforms require licensing or agency affiliation; independent analysts and NGOs operate without comparable capability
Collection Methodology

From target configuration
to structured output.

The program executes as a set of modular Python scripts invoked from the Linux command line. Each stage of the collection and processing pipeline is independently inspectable, adjustable, and re-runnable, supporting both scheduled execution and ad-hoc analyst tasking.

01
Target Identification
Collection targets are defined in plain-text configuration files and include forums, classified advertising sites, and other open- and deep-web platforms of analytical interest. Target definitions are version-controlled and revised as the operating landscape evolves.
02
Collection
Scripts issue structured requests against defined targets, observe rate-limiting and robots directives where applicable, and write raw response content to staged collection files. Each collection session is logged with timestamp and target identifiers for traceability.
03
Parsing and Filtering
Raw content is processed through parsing logic that extracts analytically relevant fields — contact identifiers, keyword hits, geographic references, and language patterns associated with exploitation advertising. Non-relevant content is discarded; analytically useful material is retained and normalized.
04
Structuring and Output
Processed results are written to structured output formats — CSV and JSON — with consistent field definitions and timestamping. Output is designed to support downstream review by analysts without specialized tooling and to be portable into reporting workflows.
05
Iteration and Refinement
Collection results inform subsequent runs. Keyword lists, target configurations, and parsing logic are revised based on observed output, producing incremental improvements in precision and coverage across successive collection cycles.
Technical Stack

A minimal stack,
optimized for iteration.

The technical stack is intentionally minimal. Dependencies are limited to well-supported, auditable libraries; GUI and framework overhead is excluded where not operationally necessary.

Language
Python 3
Primary implementation language for collection, parsing, and output modules. Selected for ecosystem maturity in web tooling and for operator-accessible readability.
HTTP & Parsing
BeautifulSoup & Requests
BeautifulSoup for structured HTML and DOM navigation; Requests for controllable HTTP sessions with explicit handling of headers, timeouts, and error conditions.
Browser Automation
Selenium / Playwright
Headless browser automation for targets requiring JavaScript rendering. Operates without a display server, enabling execution in CLI and containerized environments.
Operating Environment
Linux (CLI)
Development and execution environment. Command-line implementation supports scheduling via cron and systemd timers, and is portable across bare-metal, virtualized, and containerized hosts.
Output Formats
CSV / JSON
Structured output in standard analyst-accessible formats. Compatible with spreadsheet tools for direct review and with downstream data-processing pipelines without conversion.
Version Control
Git / GitHub
Full development history with discrete commits per capability. Remote hosting provides backup, version traceability, and controlled release of program extensions such as corridor-canary.
Scope & Ownership

Single-analyst design
and development.

Operation US-One is developed and operated by a single OSINT analyst. Architecture, collection rules, and parsing routines are owned by the operator, which concentrates accountability for output quality, ethical posture, and operational risk in a single point of decision-making.

System Architecture
Design of the end-to-end collection and processing pipeline, including module boundaries, data flow, configuration schema, and execution patterns supporting both scheduled and ad-hoc runs.
Collection Module Development
Per-target collection modules addressing structural, rendering, and rate-limiting differences across platforms. Modules are self-contained and independently testable, enabling updates without pipeline-wide changes.
Parsing & Filter Logic
Keyword, pattern, and structural filters informed by open research on exploitation-advertising language patterns. Filter outputs are designed to be analyst-interpretable without requiring subject-matter expertise of the reviewer.
Systems & Deployment
Full-stack Linux systems work including environment provisioning, dependency management, scheduled execution, log review, and operational troubleshooting, all conducted without a GUI layer.
The Extension

Extending the program into
sanctioned public-source collection.

corridor-canary is an operational extension of Operation US-One that broadens the program's collection posture to include sanctioned, publicly redistributed data streams. The utility monitors the National Center for Missing & Exploited Children (NCMEC) public RSS feed and filters incoming missing-child alerts against a configurable watchlist of municipalities along the U.S. Route 1 corridor, from the Maryland/Pennsylvania border south to Key West, Florida. Matching alerts are delivered to the analyst as a single deduplicated notification via a private ntfy endpoint.

The operational value of corridor-canary is not the individual alert. It is the structured, timestamped, geolocated dataset that accumulates across the corridor over time. That dataset supports clustering analysis around specific municipalities and transit nodes, correlation against known indicators of trafficking activity — truck stops, interstate exits, transient lodging, bus terminals, and event venues — and the development of temporal baselines against which anomalous activity becomes identifiable.

When cross-referenced with additional open-source holdings, including court records, licensing databases, zoning data, and prior NGO reporting, the accumulated corridor dataset supports pattern-of-life analysis, the development of actionable tips for referral to law enforcement partners, briefings for community and agency stakeholders, and longitudinal reporting products that case-by-case awareness cannot produce. corridor-canary functions as the ingestion layer for a regional intelligence picture; analysis and dissemination remain the responsibility of the analyst.

View repository on GitHub

"Situational awareness is built on accumulated signal, not individual alerts."
Sanctioned collection — ingests only publicly redistributed data from NCMEC's RSS feed, consistent with the organization's terms of use
Geographic scoping — configurable municipality watchlist with strict City/State validation to prevent cross-jurisdictional false positives
Operational discretion — deduplicated, non-audible notification delivery to a private endpoint, appropriate for analyst workflow
Longitudinal dataset — structured output supports trend analysis, corridor-wide clustering, and referral-ready intelligence products
Program Direction

A methodological shift toward
correlation and analysis.

The initial iteration of Operation US-One relied on adversarial collection against non-sanctioned targets. That approach produced useful output, but proved operationally unsustainable; access to the primary collection target was revoked within weeks of deployment, and sustained scraping of hostile platforms was assessed as a long-term architectural liability rather than a capability.

The current program direction reorients around sanctioned, publicly redistributed data streams and toward analytical methods — correlation, pattern-of-life development, and longitudinal baselining — that extract operational value from legitimate source material rather than from volume of unauthorized collection. corridor-canary is the first operational expression of this reorientation; additional extensions targeting adjacent sanctioned streams are in development.

The program also serves as the foundation for the operator's Master's capstone research in Criminal Justice and Counter-Terrorism, which examines the role of open-source methods in community-level anti-trafficking analysis.

Legal & Ethical Posture

Public sources,
defined purpose.

All data processed by Operation US-One is drawn from publicly accessible sources. The program is operated exclusively in support of anti-human trafficking research and for the development of analytical products suitable for referral to law enforcement partners. Output is not distributed outside of this defined purpose.

Collection activities observe platform terms of service and applicable legal constraints; where a target's access posture changes, collection against that target ceases. The program does not store personally identifying information beyond what is required for analytical correlation, and does not retain raw collection output beyond working-analysis windows.

All Projects Get in touch