Tracking the Unseen: The Role of Alternative Social Media in Cyber Intelligence

The rise of alternative social media

Social media platforms can influence public discourse and the formation of individual opinions. The algorithms and social dynamics that build communities create insulated echo chambers, filtering out dissenting views. This environment becomes extremely dangerous when it cultivates and amplifies extremist ideologies. Cybersecurity professionals must understand how the echo chambers of alternative social media can serve as vectors for disinformation campaigns, radicalization, and the coordination of activities that threaten both digital and physical security.

 

Screenshot from Lunar showing the increasing number of posts from main alt. social media sites between July 2021 and July 2022.

 

Unlike traditional platforms (Facebook, Twitter, and YouTube), the alternatives (Gab, Truth Social, and Odysee) position themselves as challengers to Big Tech’s control. Some prioritize privacy and decentralization, while others attract users seeking fewer restrictions or a community that shares their ideological beliefs, even if they are extreme. Their emergence reflects broader debates over online speech, corporate influence, and digital governance.

The growing need for alternative social media monitoring

The lack of strict moderation makes these platforms a valuable source of intelligence for use cases like VIP protection and brand monitoring. With fewer restrictions, users feel more comfortable expressing extreme views, issuing threats, or organizing activities that would likely be censored on mainstream platforms.

When it comes to VIP protection, monitoring these platforms helps identify direct threats against public figures, politicians, or executives, allowing security teams to assess risks and take preventive measures.

The next screenshot, taken from Lunar, Webz.io’s dark web monitoring platform, displays a recent post from Rumble. Rumble is an extremist alternative social media platform. This post features a violent threat directed at BlackRock CEO Larry Fink, calling for his execution and labeling him a “deep state traitor.”

 

Post threatening Larry Fink.

 

The following screenshot from Lunar displays a post from Gab, an extremist alternative social media platform, where a user promotes a conspiracy theory about Apple’s AI investments and calls for a boycott of the company. The poster frames his claim as a fight against oppression.

A post from Gab showing extremist and dangerous content.

 

 Find these threats before they escalate from words into action.

The challenges related to monitoring alternative social media

Despite the valuable insights these platforms offer, monitoring them presents significant challenges. The overwhelming volume and unstructured nature of the data, which often result in a high noise-to-signal ratio, make it difficult to extract the most relevant information.

Identifying key threat actors isn’t straightforward, as conversations occur on sites whose domains change, in closed communities, and between users who frequently change usernames. Tracking individuals and conversations becomes a complex puzzle on platforms designed to maintain users’ anonymity, where users operate under layers of anonymity, employ throwaway pseudonyms, communicate in coded jargon, and retreat into private or encrypted enclaves. Some platforms even impose access restrictions, requiring users to create accounts, while others demand identity verification or a SIM card from a specific country.

These barriers make consistent monitoring more complex. Limited oversight, obfuscated user identities, and other platform features like ephemeral content create an environment where illicit content can thrive, allowing bad actors to operate with reduced scrutiny.

Best practices for monitoring alternative social media

You can deal with the challenges listed above by being proactive and using a tool like Lunar to monitor alternative social media.

1. Define your use case

Clearly specify threat vectors and data requirements for focused monitoring.

2. Identify relevant platforms 

Conduct in-depth research and consult experts to identify pertinent alternative social media sites.

3. Establish and maintain access 

Implement secure account management and utilize API integration for automated data retrieval.

4. Map key threat actors and communities

Employ network analysis tools to identify patterns and connections.

5. Correlate data across platforms

Integrate data across multiple platforms using data fusion techniques for a comprehensive view.

6. Implement continuous monitoring

Automate data collection and analysis for real-time threat detection.

7. Track dynamic conversations

Develop adaptive strategies using machine learning to monitor evolving discussions.

8. Optimize keyword filtering

Refine queries with advanced logic and sentiment analysis to minimize noise.

9. Adapt to platform changes

Maintain ongoing intelligence gathering to stay abreast of platform evolution.

10. Integrate threat intelligence

Enhance monitoring by correlating data with existing threat intelligence platforms.

11. Follow data privacy laws

Adhere to data privacy regulations and document all data handling procedures.

 

Due to the dynamic and complex nature of these platforms, expert insights and automated analysis are essential for effective monitoring.
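The following is an added example, not code from the article or from Lunar, showing the boolean-logic part of step 8 and a simple form of the cross-platform correlation in step 5. The brand name ExampleCorp, the rule terms, and the sample posts are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical rule: (any entity term) AND (any intent term) AND NOT (any exclusion term).
RULE = {
    "entity": ["examplecorp", "example corp"],
    "intent": ["boycott", "breach", "leak", "ddos", "dox"],
    "exclude": ["hiring", "job opening", "stock price"],
}

# Constructed sample posts: (platform, ISO timestamp, text). Not real data.
POSTS = [
    ("Gab", "2025-03-01T09:00", "Time to boycott ExampleCorp over their AI deal"),
    ("Odysee", "2025-03-01T15:30", "Video: why everyone should boycott Example Corp"),
    ("Truth Social", "2025-03-01T10:00", "ExampleCorp is hiring, no data breach of morale here lol"),
    ("Gab", "2025-03-02T08:00", "My roof has a leak again"),
    ("Mastodon", "2025-03-09T12:00", "Someone claims an ExampleCorp leak, unverified"),
]

def _hits(terms, text):
    """Return the terms that occur in text as whole words (case-insensitive)."""
    return [t for t in terms if re.search(rf"\b{re.escape(t)}\b", text, re.IGNORECASE)]

def match(text, rule=RULE):
    """Apply the boolean rule; return matched intent terms, or [] if the post is noise."""
    if not _hits(rule["entity"], text) or _hits(rule["exclude"], text):
        return []
    return _hits(rule["intent"], text)

def correlate(posts, window=timedelta(hours=24), min_platforms=2):
    """Escalate intent terms seen on >= min_platforms distinct platforms within the window."""
    seen = defaultdict(list)  # intent term -> [(time, platform)]
    for platform, ts, text in posts:
        for term in match(text):
            seen[term].append((datetime.fromisoformat(ts), platform))
    escalated = {}
    for term, events in seen.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            platforms = {p for t, p in events[i:] if t - start <= window}
            if len(platforms) >= min_platforms:
                escalated[term] = sorted(platforms)
                break
    return escalated

if __name__ == "__main__":
    print(correlate(POSTS))
```

Whole-word matching and the exclusion list drop the unrelated and off-topic posts, and a single-platform mention stays below the escalation threshold until a second platform picks it up within the window.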

 

Alternative social media as a cybercrime intelligence source

The presence of illicit content on alternative social media platforms has drawn the attention of extremist groups, hackers, and cybercriminals.


Alternative social media has emerged as a significant space for monitoring cybercriminal activity, supplementing traditional underground forums and darknet marketplaces. On these platforms, you can now find open discussions involving tactics, techniques, and procedures (TTPs), vulnerability exploitation, recruitment, target reconnaissance, and ads for services like malware-as-a-service (MaaS) or DDoS. These platforms often face less scrutiny than dedicated hacking forums, allowing conversations about cybercrime trends and potential targets to take place more openly.

By tracking these discussions, organizations can gain critical insights into emerging threats and identify sectors that may be at increased risk.

 

Tracking Cybercriminal Activity and Identifying Threat Actors

Alternative social media platforms provide an opportunity to monitor cybercriminals who openly offer their services, including hacking, data breaches, and exploit sales.

Monitoring these interactions can provide valuable intelligence on potential clients and collaborators. Additionally, cross-referencing usernames across multiple platforms helps identify individuals involved in illicit activities, and offers opportunities for proactive defense tuning based on actor capabilities, predictive threat modeling, targeted counter-intelligence efforts, reporting to law enforcement, or identifying potential insider threats.

This screenshot from Pitch, a dark web social media platform, shows a recruitment post for a hacking group seeking individuals with expertise in social engineering, reconnaissance, malware development, and web/server exploitation.

The post details plans to sell stolen database information on underground forums, emphasizing equal profit-sharing among contributors.

 

Leveraging ransomware-tracking groups for early threat detection


Another effective approach to tracking cyber threats is monitoring profiles of groups that actively follow ransomware operations. Some of these tracking groups maintain a presence on alternative social media platforms, where they share up-to-date information about ransomware activity and newly identified victims.

The speed and accessibility of social media enable these updates to surface quickly, often fostering real-time discussions reinforced by notification systems that keep users engaged. By monitoring these profiles, organizations can identify sectors under attack, anticipate emerging threats, and implement proactive security measures.

Screenshots from Mastodon.social and Bsky display posts from the profiles of RansomLook, a group dedicated to tracking ransomware groups’ activities. The posts provide updates on the Nightspire ransomware group, mentioning a new victim, Far East Consortium (Hong Kong), and engagement metrics. These updates highlight how ransomware tracking groups use alternative social media to share real-time insights on cyber threats.

Screenshot from Bsky displaying a post from the profile of RansomLook, a group dedicated to tracking ransomware groups’ activities.

 

RansomLook has social media profiles on Bsky and Mastodon.social.
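One way to turn tracker posts like these into alerts about your own suppliers, as an added example that is not from the article or from RansomLook. The post layout, the ExampleLocker group, and the watchlist entries are constructed assumptions; only the Nightspire and Far East Consortium names come from the article.

```python
import re

# Constructed posts; the "New victim posted by <group>: <victim> (<country>)" layout is assumed.
POSTS = [
    "New victim posted by Nightspire: Far East Consortium (Hong Kong)",
    "New victim posted by ExampleLocker: Acme Logistics GmbH (Germany)",
    "New victim posted by ExampleLocker: Northwind Traders, Inc. (USA)",
    "Weekly stats: 42 new posts tracked",
]

# Hypothetical third-party watchlist: supplier name -> why the organization depends on it.
WATCHLIST = {"ACME Logistics": "freight supplier", "Northwind Traders": "payroll vendor"}

POST_RE = re.compile(
    r"New victim posted by (?P<group>[^:]+):\s*(?P<victim>.+?)(?:\s*\((?P<country>[^)]+)\))?\s*$"
)
LEGAL_SUFFIXES = {"inc", "ltd", "llc", "gmbh", "corp", "co", "limited", "plc", "sa", "ag"}

def normalise(name):
    """Lowercase, strip punctuation and trailing legal suffixes so name variants compare equal."""
    tokens = re.sub(r"[^\w\s]", " ", name.lower()).split()
    while tokens and tokens[-1] in LEGAL_SUFFIXES:
        tokens.pop()
    return " ".join(tokens)

def parse(post):
    """Return {'group', 'victim', 'country'} for a victim post, or None for anything else."""
    m = POST_RE.match(post)
    return m.groupdict() if m else None

def alerts(posts, watchlist):
    """Return (group, watchlist name, role) for every post naming a watched supplier."""
    index = {normalise(name): (name, role) for name, role in watchlist.items()}
    out = []
    for post in posts:
        rec = parse(post)
        if rec and normalise(rec["victim"]) in index:
            name, role = index[normalise(rec["victim"])]
            out.append((rec["group"], name, role))
    return out

if __name__ == "__main__":
    for alert in alerts(POSTS, WATCHLIST):
        print(alert)
```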

The ripple effect of cyberattacks on public perception

Beyond direct cyber threats, ransomware incidents can escalate if widely discussed on social media. Public exposure can pressure companies into paying ransoms or taking drastic actions. Likewise, if discussions suggest a specific sector is under attack, panic may spread, leading customers to delete accounts, cancel subscriptions, or distance themselves from affected businesses.

This fear-driven reaction isn’t limited to ransomware; discussions about other cyberattacks can also spark widespread concern, amplifying the crisis and increasing pressure on targeted organizations.

The example below shows recent discussions about alleged cyber threats to water utilities. These threats quickly gained traction across multiple alternative social media platforms, raising alarms about critical infrastructure security and potentially fueling public anxiety.

 

Cyber threats to water utilities on the dark web and alternative social media.

 

At the same time, users may also use these platforms to share information about ongoing attacks, warn others, and provide advice on how to mitigate risks. 

This screenshot shows a Mastodon post, reporting on a potential ransomware campaign disguised as fake Outlook troubleshooting calls.

 

The need for expertise in monitoring cyber threats

This growing cybercriminal presence adds another layer of risk to these platforms, making them not only a space for ideological discussions but also a marketplace for illegal activities.

Alternative social media platforms offer valuable context that complements insights from forums, helping to track emerging threats and shifting cybercrime trends. Their rapid updates can serve as an early warning system—if a company or sector gains attention, it may become a target. However, effective monitoring requires expertise due to the sheer volume of data and the challenge of identifying relevant threats. Organizations looking to stay ahead must leverage the right tools and intelligence.

 Learn how to use Lunar to find these threats before they escalate from words into action.

 

 

Lior Noy

Cyber Analyst
