Open-source sleuths are already unmasking the Capitol Hill mob

Lev Radin / Pacific Press / LightRocket via Getty Images

In early November, Derrick Evans was elected as a Republican state delegate in West Virginia. Two months later he was part of the mob that stormed the US Capitol. As he walked through the corridors, Evans streamed live on Facebook. “Derrick Evans is in the Capitol!” he shouted. “Oh my gosh, I can’t believe we’re in here right now!”
Then the video was deleted. Evans, who later posted a Facebook statement saying he didn’t have any “negative interactions” with police or damage any property, was far from the only person streaming from inside the building. White nationalist Tim Gionet, who is also known as Baked Alaska, streamed himself inside the office of House speaker Nancy Pelosi. As the protests turned into a violent siege of the Capitol which killed five people, almost every minute from almost every angle was captured and broadcast on social media. And not just by journalists. This was a social media mob hell-bent on insurrection and incriminating selfies.


“The striking thing about so many of these images of rioters in the Capitol is that what they’re doing – all of them – is creating content for social media,” Elise Thomas, an open-source intelligence (OSINT) researcher, tweeted. “This event was organised largely online, by online communities, and exists as part of a broader fabric of Trump supporters who connect primarily over social media,” Thomas tells me. “It’s not surprising that the people participating in the rally wanted to weave the online and offline strands of the protest together.”
As well as Facebook, livestreams from around the Capitol appeared on YouTube and Twitch – with the companies working to proactively remove some of them in real-time. Some streams were monetised and allowed viewers to send in donations while other streamers asked for payments to be made on other platforms such as PayPal.
The video purge started not long after people left the building, with content removed either by the social media platforms detecting breaches of their policies or by the streamers themselves. “There’s definitely already content that’s disappearing,” says Eliot Higgins, the founder of investigative journalism website Bellingcat. “Quite a few of the live streamers have already removed their streams.” As part of its response to the violence, Facebook has said it will delete photos and videos from the Capitol that encourage violent behaviour.
History hasn’t been lost though. While the mob was still in the Capitol building, multiple groups, including Bellingcat, started to scrape everything being posted – a vast digital archive of the riots. Reddit users created a 12GB tranche of videos, Bellingcat’s spreadsheet has more than 100 examples of streams or videos, and a database by search engine and data archive Intelligence X has more than 1,300 files totalling 83GB.


“It is hugely important that independent organisations back up this data,” says Peter Kleissner, the founder and CEO of Intelligence X. “If you look at the history and incidents like the 1812 breach of the Capitol as well as the 1933 German Reichstag fire it highlights the need for accurate and original data in historical context.”
Previously, third-party groups archiving and cataloging video and photo evidence has been crucial in the process of identifying war crimes happening in Syria. The algorithms of YouTube and other social media platforms have removed violent content and forced researchers to try and save it before it’s taken down. In the case of the Capitol, some Republican politicians and right wing media have already tried to change the facts of what happened and who was there.
As well as creating a record of unfolding events, the captured live streams and video footage are likely to be crucial for law enforcement officials investigating the attack. Police have already released images of people wanted for criminal behaviour, including unlawful entry and handling stolen goods, and asked for help identifying them. In one instance police also offered a reward for the identification of Jake Angeli, a QAnon believer who has been widely profiled in the media. The FBI has also asked people to send it their pictures and videos to help with the identification of protesters.
The forensic work has already started. The process of pinning down what happened and who was at the Capitol is complex. But, like the riots themselves, it is also playing out online in real-time. OSINT investigations using publicly available photos, videos, social media accounts and the data associated with them have boomed in recent years and helped people to understand news events from plane crashes to unmasking Russian intelligence operatives. It’s a powerful tool for identifying people and places.


Bellingcat’s Higgins says its journalists and investigators will build up a timeline of what happened around the Capitol using the footage and that it may show new evidence from the riots. It has already pulled together four synchronised graphic videos that show the shooting of Ashli Babbitt, who later died from her injuries.
John Scott-Railton, a researcher at the Canadian Citizen Lab, has trawled through footage of those dressed in military-style clothing and protective gear. This includes breaking down the types of clothing worn, items held, and the process of identifying logos and fabric patches. Scott-Railton says he has provided details of potential suspects to the FBI and no names have been posted publicly. In one case a company has fired one of its employees seen wearing a work ID badge while entering the Capitol.
“I am anticipating a slew of arrests will be based on the photo and video evidence and those that aren’t arrested may face being ousted by the internet,” says OSINT analyst Rae Baker. Where arrests take place, trained law enforcement officials are likely to have assessed multiple pieces of evidence and corroborated different sources. The FBI used one person’s Etsy profile, LinkedIn and internet history to identify them in protests following the death of George Floyd last year. Another person taking part in a Black Lives Matter protest was partly identified by law enforcement because of what they were wearing.
But online investigations can sometimes go wrong when they’re conducted by groups looking for justice. “Oftentimes in high stress situations the want for internet justice takes precedence over verification,” Baker adds. In April 2013, Reddit was forced to apologise as people on the platform wrongly named several individuals as suspects following the Boston Marathon bombing.
“When verifying a person based on a photo or video, I look for identifying marks such as tattoos and birthmarks,” Baker says. “Additionally, I look for things they may be wearing such as a work ID or clothing with specific logos that might also be identifiable in photos from their social media. The key is to verify via several different sources before identifying someone in a situation that might endanger them.”
Getting the process right is important. “I think the number one point to keep in mind is to not carelessly post whatever identification you might make onto social media,” says Thomas. “If you think you have a solid lead on who someone is, give that tip to law enforcement and let them look into it.”
Matt Burgess is WIRED’s deputy digital editor. He tweets from @mattburgess1