How TWILOX investigates
Last reviewed · 2026-05-18 · public-source intelligence only
1 · Intake
A user provides a single signal: an email address, phone number, username, identity (full name + location), image, social handle, domain, IP, company name, crypto wallet address, or URL. The signal is hashed before transit; we never store plaintext queries.
2 · Fan-out
The orchestrator dispatches isolated worker containers in parallel:
- Sherlock and Maigret — username search across 400+ platforms.
- Holehe — email-to-platform mapping.
- PhoneInfoga — phone OSINT, plus 16-country reverse-directory probes.
- ExifTool — image EXIF and metadata extraction.
- SpiderFoot — domain, IP, and company graph.
- TorBot — dark-web crawling via a local Tor SOCKS proxy (Ahmia, Torch, Haystack).
- FaceCheck.ID, PimEyes — face-recognition reverse search via their HTTPS APIs.
- Google Lens, Bing Visual Search, Surfface — reverse-image search via a Playwright headless-browser worker.
3 · Correlation
Findings stream into a Neo4j AuraDB graph. Aliases are resolved across channels, and a confidence score is computed per finding based on source authority and corroboration count.
4 · Narration
A multi-provider AI layer (Anthropic Claude → OpenAI → Gemini fallback) writes an executive summary anchored to the evidence trail. Every claim links to the public source that produced it.
5 · Rendering
The cinematic dossier UI streams the result. PDF export is one click. Typical end-to-end latency is under 60 seconds.
Public-source only
- Open breach corpora, indexed social platforms, archived web pages, publicly queryable registries, public dark-web indexes.
- No authentication bypass. No paywall scraping. No purchased private datasets.
- Every finding links back to its public source.
- GDPR subject-deletion requests honored within 72 hours.
- Use is logged. Harassment, stalking, or unauthorized surveillance terminates the account and is reported to platform partners.