Metaverse OSINT Part 3: Tracing an Avatar or Asset Back to a Person
Metaverse to Real-World: Tracing an Avatar or Asset Back to a Person
Now let’s consider the reverse scenario. Suppose you encounter a metaverse identity – maybe you saw an avatar named “CoolCatNFT” hosting a big event in Decentraland, or you found a wallet that owns several pricey virtual lands – and you want to find out who is behind it in real life. The approach uses many of the same tools, just in reverse order:
Profile Clues and Self-Disclosure: Check if that virtual identity has any public profile info. Many platforms let users write a bio. For example, a Decentraland user can set up a profile on the Decentraland site (especially if they link via wallet, they might have a profile page showing their avatar and name). In Roblox, the profile might have a custom “About” blurb written by the user. Look there for clues like “Follow me on Twitter: @somehandle” or “Managed by [StudioName]”. Roblox even allows linking social networks on profiles (users can link their Twitter or YouTube – icons will appear on their profile linking to those sites). If you see those, that directly bridges to a real-world social account. Similarly in VRChat, while profiles are mostly just status, some users mention their Twitch stream or other contact info in their VRChat bio. Always inspect the profile page carefully for any external links or identifying info.
Username Cross-Search: Take that metaverse username and search it on the wider web (the opposite of what we did in person-to-metaverse). People often reuse usernames. Perhaps the host “CoolCatNFT” also uses that handle on Twitter or has an account on NFT forums. A Google search might lead to a GitHub by that name or a LinkedIn username mention. If the username is an email ID (not uncommon in older games), you might search that in breach data search engines (though that goes beyond “free public tools” into gray areas, so stick to open web results). The key is to find any instance where the pseudonym intersects with a real name or an account that has personal info.
Reverse WHOIS on ENS or Domains: If the metaverse identity is tied to an ENS name (say the avatar was literally named CoolCatNFT.eth in-world), then check the ENS records. ENS domains can have text records set by the owner – sometimes including an email, URL, or Twitter handle. You can use the ENS lookup tool (app.ens.domains or Etherscan’s “Lookup ENS” function) to see if that domain has public records. Even if not, having the ENS is a clue – maybe they use that as their brand. Searching that ENS name might show that they’ve used it as a username elsewhere (e.g., maybe they commented on a blog and left that as their website, or they have a personal website at coolcatnft.eth.link).
Investigate Their NFTs and Wallet Behavior: On the blockchain side, analyze that wallet deeply. Look at the transaction history for any identifiable patterns:
Did they interact with a known exchange (sending funds to Coinbase or Binance, which are labeled wallets)? If so, they might have off-ramped money there, but you typically can’t get their identity from that alone (that information is private to the exchange). However, if an address is known (say Etherscan labels an address as “OpenSea: User 12345” or “ENS: coolcatnft.eth”), that’s at least a nickname.
Look at other NFTs they own beyond the metaverse. People often collect NFTs across various projects. Perhaps they own an NFT from a collection that is linked to a Discord community, and in that Discord the person might have claimed ownership publicly. For example, if they own a Bored Ape Yacht Club NFT, they might be in BAYC communities where they revealed which ape they own. Cross-reference such info if available.
See if the wallet has sent NFTs to any known names. Sometimes people send an NFT to their own other address or to a friend. If one of those addresses has an ENS like “AliceWonderland.eth”, you suddenly have a name to chase. Or they might have donated Ethereum to a public fundraiser (some fundraisers post a list of contributors’ addresses or ENS names).
Metaverse Activity Context: Consider what the person did in-world that made you notice them. Were they hosting an event? If yes, event pages might list organizers. Decentraland’s event listings often show the host’s name (which could be a wallet or an avatar name). That host name might correspond to a known community member – perhaps the event announcement on Twitter or Discord mentions “Hosted by [real name or organization]”. Similarly, if you find a user’s virtual property (like a famous art gallery in Somnium Space or a popular game in Roblox created by a certain user), research that property. Many creators promote their work on external channels. A Roblox game developer might have a DevForum post or Gamasutra article about their game, where they use their real name. A Decentraland builder of a museum might have a website for it, crediting themselves. Follow the content.
OSINT on Connected Accounts: If you do find a clue linking the metaverse identity to a likely real-world account (say you suspect a Twitter account belongs to them), apply standard OSINT to that account. For example, if you find a Twitter handle, see what email or website is listed on it, check if that Twitter handle has used the same avatar picture as seen in the metaverse, etc. Oftentimes, people use the same avatar image on Twitter as their in-game avatar – a dead giveaway! They might also talk about their virtual activities in first person, confirming the link.
Through these methods, you aim to connect the dots from an in-game persona to a real person or at least a social media profile. Always ensure you’re using ethically-gathered, public information. If a person has taken steps to remain pseudonymous, it might be difficult or impossible to be 100% sure about their real identity without private data. But you can often narrow down possibilities or find their other pseudonyms.
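The profile-clue, username-reuse and ENS text-record checks above can be turned around as a self-audit of what your own profiles give away. The following is an added example, not code from the original post: the sample profiles are constructed, the function names are hypothetical, and the ENS keys are the standard ENSIP-5 text-record keys.

```python
import re

# ENSIP-5 text-record keys that point at an identity outside the blockchain.
BRIDGING_ENS_KEYS = {"email", "url", "com.twitter", "com.github",
                     "com.linkedin", "org.telegram", "io.keybase"}

# Checked in this order; each match is blanked out so that, for example,
# the ENS name inside https://coolcatnft.eth.link is not counted twice.
PATTERNS = {
    "url": re.compile(r"https?://[^\s)>\]]+", re.I),
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "ens_name": re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.eth\b", re.I),
    "wallet": re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
    "handle": re.compile(r"(?<![\w.@/])@([A-Za-z0-9_]{2,30})\b"),
}


def extract_identifiers(text):
    """Return (kind, value) pairs for every external identifier in free text."""
    found, remaining = [], text
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(remaining):
            value = m.group(1) if pattern.groups else m.group(0)
            found.append((kind, value.rstrip(".,;:!")))
        remaining = pattern.sub(lambda m: " " * len(m.group(0)), remaining)
    return found


def audit_profiles(profiles):
    """Flatten every username, bio clue and bridging ENS record into findings."""
    findings = []
    for p in profiles:
        def add(where, kind, value):
            findings.append({"platform": p["platform"], "where": where,
                             "kind": kind, "value": value})
        add("username", "username", p["username"])
        for field, text in p.get("fields", {}).items():
            for kind, value in extract_identifiers(text):
                add(field, kind, value)
        for key, value in p.get("ens_records", {}).items():
            if key in BRIDGING_ENS_KEYS and value:
                add("ens:" + key, "ens_text_record", value)
    return findings


def normalise(value):
    """Fold case, a trailing .eth and punctuation: Alice_Wonder -> alicewonder."""
    return re.sub(r"[^a-z0-9]", "", re.sub(r"\.eth$", "", value.lower()))


def reused_identifiers(findings):
    """Names that a username cross-search would tie together across platforms."""
    seen = {}
    for f in findings:
        if f["kind"] in ("username", "handle", "ens_name"):
            seen.setdefault(normalise(f["value"]), set()).add(f["platform"])
    return {name: sorted(p) for name, p in seen.items() if len(p) > 1}


# Constructed sample data: three profiles belonging to the same person.
SAMPLE_PROFILES = [
    {"platform": "roblox", "username": "Alice_Wonder",
     "fields": {"about": "Dev of Wonder Obby. Follow me on Twitter: @AliceArt"}},
    {"platform": "vrchat", "username": "AliceWonder",
     "fields": {"status": "live at https://twitch.example/alicewonder"}},
    {"platform": "decentraland", "username": "alicewonder.eth",
     "fields": {"bio": "Gallery owner"},
     "ens_records": {"com.twitter": "AliceArt", "description": "art",
                     "url": "https://alicewonder.example"}},
]

if __name__ == "__main__":
    results = audit_profiles(SAMPLE_PROFILES)
    for f in results:
        print(f["platform"], f["where"], f["kind"], f["value"])
    print("reused across platforms:", reused_identifiers(results))
```

Every finding is a field to remove or separate if the persona is meant to stay pseudonymous; names reported as reused are the ones to change first.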
What Metaverse Data is Public?
It’s important to understand which data in metaverse platforms is publicly accessible by design. Here’s a rundown of common data types and their availability:
Blockchain Assets (Public by design): In Web3 metaverses like Decentraland and The Sandbox, key assets (land, avatar names, wearables, currency) are blockchain tokens. By design, ownership is recorded on the blockchain for anyone to see. This means what someone owns is public (including when they acquired or transferred it). Land ownership is basically a matter of public record (anyone can check the Ethereum ledger and see which address owns which land token). Avatar names (Decentraland NAMEs) are NFTs, so those too are public. Transaction history (buying/selling/gifting an item) is public on-chain. This is a stark difference from traditional games: if you buy a sword in a typical game, only the game company’s database knows; but if you buy a sword NFT for a blockchain game, everyone can see that transaction. So, blockchain metaverses provide a wealth of OSINT-friendly data – you just need the wallet address or NFT ID.
Profile Information (Platform-specific): Most platforms have user profiles that show some info to others:
Roblox: Very public. Username, avatar image, friends (unless hidden), groups, the date joined, last online (this was visible in the past; currently Roblox hides last online to non-friends, as a privacy measure), the “about” bio, and a list of the user’s creations and inventory items (if not set to private). The fact that anyone with an account can view another user’s friends list and groups by default means a lot of social data is exposed. (Roblox has been discussing adding privacy options for these).
Decentraland: If you have the wallet or name, you can see their avatar’s appearance (by observing in-world or using the profile preview on the website). Decentraland’s web profile (if the user has logged in on the website) might show their collectibles or linked wallet. However, Decentraland doesn’t automatically show “friends” publicly. It does show if an avatar is currently online and which instance (realm) they’re in, but only to friends in-world. There is no global directory of who is online. So profile info is minimal: essentially their name, maybe a bio if they added one on a linked dcl profile, and their wardrobe (only observable if you see them in-world).
The Sandbox: Users mostly interact via their wallet accounts. The Sandbox website could display a profile (for example, if they created assets or Game Maker experiences, those might be tied to a username). But a lot of info is still the NFTs they hold. The Sandbox does have leaderboards for certain events, which might list top players by username.
Spatial: Spatial’s user profiles can show galleries they created and possibly an avatar image. Spatial often involves showing artwork or NFT galleries, and users might link their profiles to their crypto wallet or email. If a Spatial gallery is public, the owner’s username is shown and you might find links they share.
VRChat: Profiles are semi-private. By default, you can search for a user by exact name if you’re logged in, and you’ll see their profile which may include status, avatar thumbnail, and maybe tags (like “Trusted User” level etc.), but not much else. Friends are private, and there’s no built-in bio field to list external info (some put info in their status or avatar description though). VRChat does not expose user activity publicly (you can’t see what worlds someone has visited historically, for example). However, VRChat users who create worlds or avatars leave traces: each world has an author (username) visible to anyone visiting that world’s info page. So if the person made a world, their username is on it, and sometimes they include a link to their Twitter or Discord on the world’s description.
Public Communications: Chat logs in these platforms are generally not public. If someone had a conversation in-game, that stays in-game (unless someone screenshots it). Forums and Discords, however, are public realms where metaverse users discuss things. For example, Decentraland has a public forum (governance forum) where proposals and grants are discussed – users post with their wallet accounts (which might display as their ENS or name). That means if the person participated in governance, you could find posts by their address or name on the forum, revealing opinions or initiatives they have. Similarly, many platform communities have Reddit subforums (e.g., r/VRChat, r/Roblox) where users ask questions or share content – you might stumble on the person asking a question like “How do I sell my land?” which links their Reddit account to that interest.
Metaverse Commerce Data: Beyond assets, consider that some metaverses have their own transaction ledgers. For instance, Second Life (an older virtual world) had an internal currency and you could look at someone’s store or their seller rating, etc., via the marketplace site. In newer metaverses, most commerce is tied to NFTs or in-app purchases. If a platform isn’t blockchain-based, any purchase they make (like buying Robux or in-app currency) is not public. But any item they own as a result may be visible on their profile (like a game pass or badge).
Linking Identities: A lot of users voluntarily link their metaverse identity to other identities. For example, Decentraland NAMEs are part of ENS. If someone named their avatar “Alice”, they effectively might own alice.dcl.eth (the underlying ENS for Decentraland names). ENS is often linked to Twitter via services like verified ENS Twitter names (some people verify their ENS on their Twitter profile using third-party services so that sites like Etherscan can show a Twitter handle for an address). Also, Roblox’s profile social links feature explicitly connects to Twitter/YouTube as verified links (icon-based), which is an intentional identity bridge. Always check if the platform profile has fields for Facebook, Twitter, Twitch, YouTube etc. Many gaming platforms do (Roblox, Fortnite’s Epic Games account, etc.). If those are filled out, they are goldmines for connecting to a real person or at least a broader online presence.
Platform Comparisons: Blockchain vs. Non-Blockchain Worlds
Different metaverse platforms require different investigative techniques. The major dividing line is whether the platform is blockchain-based (decentralized) or centralized. Let’s compare how some popular platforms differ:
Blockchain-Based Metaverses (Decentraland, The Sandbox, Cryptovoxels/Voxels, Somnium Space, Others): These worlds use cryptocurrency wallets for user login and asset ownership. As a result, the user is essentially an address on the blockchain, and all their in-world possessions (land, items, name) are on-chain assets. For investigation, this means you rely heavily on blockchain explorers and NFT marketplaces to trace activity. Once you have their wallet, you can see everything they own or have owned on that platform. For example, in Decentraland, if you know Alice’s wallet, you can instantly pull up all the LAND tokens and wearable NFTs that wallet holds, because “users truly own their digital assets… with ownership registered on the blockchain”. You can also see every transaction (like transfers of MANA, purchases of items) – nothing is hidden behind the company’s database. The challenge here is connecting the wallet to the human: wallets are pseudonymous by default. But if the person ever linked it to an ENS name or used it on a social platform, you can make that connection. Investigative tools for blockchain worlds often include Etherscan (for Ethereum-based assets), Polygon’s explorer (Decentraland uses Polygon for some assets), Dune Analytics (which has community-made dashboards, e.g., a Dune dashboard might show “Top Land Owners in Sandbox” or “Activity of Decentraland Names”), and NFT aggregators. You typically do not have a built-in notion of “friends list” or chat history to examine, because those social features happen off-chain (e.g., Decentraland chat goes through their servers and is not logged publicly). So you lean on asset and transaction data and whatever the user voluntarily shares externally.
Centralized Metaverses (Roblox, VRChat, Fortnite Creative, Rec Room, etc.): These platforms have traditional account systems (email/username login) and store data internally. Public data is what the platform chooses to expose in profiles or via APIs. Roblox is notably open in some respects: user profiles list creations and collectibles, and Roblox has APIs that return data like a user’s friends, the games they’ve visited recently (if you have an API key or use certain endpoints), etc. There are also fan-made databases of Roblox user stats. VRChat is more closed – no public friend lists or play history. However, VRChat’s API (if one reverse-engineers it) can tell if a user is online and in which world, if you have their API key and account auth (this is more advanced and not in the realm of “public” since it requires login). But VRChat does have public content listings (worlds and avatars that creators choose to share in public portals). Investigating a VRChat user often means looking at where they hang out (maybe they always join a certain DJ night – you find their name on an event flyer) or if they create content. Spatial and similar newer platforms often blend aspects: you can log in with an email or with a crypto wallet depending on user choice. If they logged in with a wallet, you can then do blockchain OSINT; if with email, you rely on what they showcase on their profile.
One important note: centralized platforms sometimes have developer forums or user communities where people use the same username. For instance, Roblox has the DevForum, where a developer’s username is often the same as their Roblox username (and sometimes they sign posts with their real name or link their portfolio). VRChat has a community forum and many users there might reveal more about themselves. Including these in your search can help bridge identities (e.g., a Roblox user might have a DevForum thread where they announce a game and provide a Discord link or personal website).
Privacy Differences: Generally, blockchain metaverses are more transparent about assets, while traditional platforms are more transparent about social connections. In a blockchain world, I can easily see what you own but not who you talk to. In Roblox/VRChat, I can often see who your friends are or what group you’re in, but not the details of your inventory unless it’s made public. Each platform also has its terms of service and privacy rules, so keep in mind that just because you can see something publicly doesn’t mean the user realizes it’s public. Always use information responsibly.
To illustrate, consider an example comparison: If Alice has a foot in both Decentraland and Roblox, an investigator can see her Decentraland wallet bought two land parcels and a rare hat (since those are on Ethereum), and also see that her Roblox account (say, “Alice_Wonder”) is in the “VR Enthusiasts” group and has 50 friends visible, one of whom is likely her alternate account (maybe named AliceDev). The investigator would use blockchain tools for the former and the Roblox website or API for the latter. Both streams of information together provide a fuller profile of Alice’s virtual life.
Tips, Tools, and Resources (Free) for Metaverse Investigations
Finally, let’s compile a list of free tools and resources that can aid your metaverse sleuthing. These tools require no paid subscriptions:
Search Engines & Operators: Google, Bing, DuckDuckGo – use keywords, quotes for exact username searches, and platform-specific operators (site:roblox.com, site:decentraland.org, etc. to narrow results). Don’t underestimate simple searches.
Blockchain Explorers:
Etherscan (for Ethereum) and Polygonscan (for Polygon) – indispensable for looking up wallet addresses, token holdings, ENS names, and transaction history. You can input an address and see all ERC-20 tokens (like MANA, SAND) and ERC-721/1155 NFTs it holds, along with past transactions. Look at the “Analytics” tab on Etherscan for any unusual spikes in activity.
Blockchair or Solscan – if you need to search other chains (Blockchair can search across multiple blockchains for an address or transaction).
ENS Lookup: Use Etherscan or the official ENS App to find info about an ENS domain (owner address, and any text records it might have).
NFT Marketplaces and Aggregators:
OpenSea – search by wallet address or username. Many users have OpenSea accounts that show their collections. You can also search collections like “Decentraland LAND” or “Decentraland Names” or “Sandbox’s LAND” and then filter for the owner’s address to see which ones they own.
LooksRare, X2Y2 – other NFT marketplaces if OpenSea doesn’t show something (but OpenSea is the broadest).
RARIBLE – sometimes people list items on Rarible or have a profile there.
Nonfungible.com – a site that tracks NFT markets and can sometimes let you look up an address to see what NFTs it has across several collections.
Dune Analytics – community-made dashboards (free to use). Search the Dune site for dashboards related to Decentraland or Sandbox; for example, there might be a dashboard listing top landowners or recent sales, which can save you time.
Metaverse Platform Tools:
Decentraland Atlas / Marketplace – the official Decentraland marketplace (market.decentraland.org) lets you search for names, view accounts (addresses) and their assets (under the “Account” section if you plug in an address or name). The Atlas view shows land parcels and their owners.
The Sandbox Map – on sandbox.game, the interactive map lets you click owned lands to see owner addresses or names (some lands are owned by known partners and show a name). The Sandbox also has a section for user profiles if you know the nickname (some creators have public profiles).
Roblox Website & APIs: The Roblox profile page itself is a primary tool (just go to roblox.com and search the username). For deeper info, Roblox has APIs (for example, you can fetch a JSON of a user’s friends by a call to friends.roblox.com/v1/users/[userid]/friends). There are third-party wrappers and tools like RoSearcher (a browser extension to find which game server a user is in) that can be used to see if they are currently playing something. Rolimon’s (rolimons.com) is a fan site listing Roblox inventories (especially limited items) and user value rankings. It’s free to use and great for seeing if someone has rare items.
Namechk / Sherlock – as mentioned, for scanning username availability across platforms (this can hint if the person likely reserved their name on multiple sites).
Social Media Search: Use Twitter’s search and even advanced search. Many metaverse projects have official hashtags (e.g., #Decentraland, #RobloxDev). If you search the username or wallet address on Twitter, you might find posts like “my wallet 0xABC… got a new NFT” or someone asking for help with something.
Discord Communities: Many metaverse communities live on Discord (Decentraland, Sandbox, etc. have official servers). While Discord messages aren’t indexed on search engines, some servers have public channels that are visible or are logged by bot websites. You can also join these servers (free) and use the Discord search within them. Searching for the username or ENS there could show if they said anything or if others mentioned them (like @username).
Forums and Q&A: Reddit, StackExchange (there is a StackExchange for Ethereum where sometimes people discuss ENS and such, possibly revealing their addresses), and platform-specific forums (Decentraland Forum, Roblox DevForum, etc.). Use their internal search or Google’s site search to find the alias.
POAP Tools:
POAP Scan (poap.scan or the POAP app) – enter an Ethereum address or ENS and see the list of POAPs (event badges) it holds.
POAP Gallery – a visual way to see collections of POAPs by address.
These help confirm event attendance and sometimes the POAP itself has clues (the artwork or title might reveal what kind of event or which community hosted it).
OSINT People Search Tools: If you’ve moved from the virtual identity to a real name, tools like BeenVerified, Spokeo, etc., are beyond our scope (and often paid). But you can use free resources like simply Googling the real name with “gamertag” or using LinkedIn to see if they mention metaverse skills. This is more if you already suspect a real person behind the avatar and want to verify. For example, if the username is unique, search it on LinkedIn – some developers put their gamer tag in their profile.
Wayback Machine (Internet Archive): If you suspect a user profile or marketplace listing was changed or removed, the Internet Archive might have snapshots. For instance, if a Decentraland land was listed for sale and then delisted, a cached page might still show the price or owner at that time.
On-chain Analysis Tools: If you want to go deeper and the free resources above are not enough, there are advanced (sometimes freemium) tools like Breadcrumbs.app (for visualizing connections between crypto addresses) or OnChain analytics platforms. However, these might be overkill for simple investigations and can have costs. Wherever possible, rely on the free basics first (the blockchain is free to query!).
Example Use of Tools: Let’s say you have a crypto wallet address from a tip that “Alice is into metaverse stuff.” You plug it into Etherscan – you find the address has an ENS name alicewonder.eth and holds 2 Decentraland LAND tokens, 5 wearable NFTs, and some MANA. You use OpenSea to see those LAND tokens – they correspond to parcels (10,10) and (10,11) in Decentraland. You visit the Decentraland Atlas, find those parcels are adjacent and form an estate named “Wonderland Gallery.” You go to Decentraland (even without logging in, you can use a guest login) and visit that location – you see a gallery build with a sign “Wonderland Gallery by Alice (Twitter: @AliceArt)”. Now you have her Twitter handle. You check her Twitter, and indeed she often posts about her Decentraland gallery and also mentions her Roblox game development. You search her Roblox username (which you guess might be “AliceWonder” from her Twitter bio) on Roblox.com and find a matching account with several games published. This cascade of discoveries was done with simple tools: Etherscan, OpenSea, the Decentraland client, and web searches – all free and open.
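The cascade above can be modelled as a graph of public disclosures, which shows which single disclosure actually ties the wallet to the person. This is an added example, not code from the original post: the edges are constructed from the walk-through, the wallet label is a placeholder, and the function names are hypothetical.

```python
from collections import deque

WALLET = "wallet:<address from the tip>"  # placeholder; the post gives no address

# Constructed from the walk-through: (identifier, identifier, where it is public).
LINKS = [
    (WALLET, "ens:alicewonder.eth", "explorer ENS lookup"),
    (WALLET, "land:(10,10)", "on-chain ownership"),
    (WALLET, "land:(10,11)", "on-chain ownership"),
    ("land:(10,10)", "estate:Wonderland Gallery", "Decentraland Atlas"),
    ("land:(10,11)", "estate:Wonderland Gallery", "Decentraland Atlas"),
    ("estate:Wonderland Gallery", "twitter:@AliceArt", "in-world sign"),
    ("twitter:@AliceArt", "roblox:AliceWonder", "Twitter bio"),
]


def build_graph(links, skip=None):
    """Undirected adjacency list; `skip` drops one link by index."""
    graph = {}
    for i, (a, b, _where) in enumerate(links):
        if i == skip:
            continue
        graph.setdefault(a, []).append(b)
        graph.setdefault(b, []).append(a)
    return graph


def shortest_chain(links, start, goal, skip=None):
    """Breadth-first search: the fewest pivots from start to goal, or None."""
    graph = build_graph(links, skip)
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            chain = []
            while node is not None:
                chain.append(node)
                node = parent[node]
            return chain[::-1]
        for nxt in graph.get(node, []):
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    return None


def critical_links(links, start, goal):
    """Disclosures whose removal alone leaves no chain from start to goal."""
    return [link for i, link in enumerate(links)
            if shortest_chain(links, start, goal, skip=i) is None]


if __name__ == "__main__":
    print(" -> ".join(shortest_chain(LINKS, WALLET, "roblox:AliceWonder")))
    for a, b, where in critical_links(LINKS, WALLET, "roblox:AliceWonder"):
        print("single point of linkage:", a, "<->", b, "via", where)
```

Because both parcels lead to the same estate, neither ownership record is critical on its own; the in-world sign and the Twitter bio are the two disclosures that each carry the whole chain.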
In summary, investigating a person’s metaverse activity involves a mix of blockchain sleuthing and traditional OSINT techniques. By following asset trails on public ledgers, scouring user profiles on gaming platforms, and connecting the dots through social media, you can often build a comprehensive picture of someone’s virtual world footprint. Always remember to respect privacy and use this knowledge responsibly – everything we’ve discussed is about using publicly available information, which the person themselves has either deliberately shared or is inherent to how these platforms operate. Happy exploring, and may your searches unveil the virtual footprints you’re looking for in the ever-expanding metaverse!