Cryptography & OSINT - Can you read Emoji? 🕵️♂️📖❓
Updated: Feb 28
Very often I get the question of how cryptography is part of Open-Source Intelligence (OSINT). My answer to that is: it depends on what you are investigating and whether you are able to detect a form of encryption. In this second blog in the Cryptography & OSINT series we are going to take a closer look at the world of emojis.
For this blog post series I have asked for help from my friend Sadie, a former NSA cryptanalyst. She has far more knowledge than I have about this subject matter. This is why we have co-written this blog series, of which this is the second blog. The first, introductory blog on the fundamentals can be found here: Cryptography & OSINT - The fundamentals
Why Emojis matter to OSINT
Emojis are now an essential part of how we communicate online. Emojis have developed into a complex system of symbols that can convey emotions, objects, and even entire phrases. At first, they were created to give our text-based conversations a little personality. However, their adaptability has made them a great tool for criminals, who use them to sell narcotics or communicate through ciphers. In this blog, we will explore how OSINT investigators can find and dissect emoticons on the web, and how they can utilise this information to battle criminal activities.
Criminal use of emojis to sell illegal goods
Let's begin by looking at how criminals use emojis to sell illegal goods. The use of the snowflake ❄️ emoji to represent cocaine is one illustration of this. This seemingly harmless symbol is used to advertise drugs for sale in posts on social media platforms like Instagram, Telegram and Twitter. The use of the pill 💊 emoji to represent prescription drugs like Xanax, Adderall or XTC is another example. Criminals are able to use emojis to sell their goods in a subtle way that authorities can easily miss. These are just two very basic examples of how people online can sell and offer their illicit goods.
Example Advertisement offering drugs from a Telegram channel:
Example Advertisement offering cloned credit cards and more from a Telegram channel:
Example Twitter search for user accounts using two carrots that represent "Two Jabs" also known as got two (or more) COVID-19 vaccinations:
Emojis used as ciphered communications
Emojis aren't just used by criminals to sell illegal goods; they also serve as ciphers for communication. Criminals can communicate in code by assigning specific meanings to various emojis, making it difficult for authorities to decipher their messages. The crown 👑, diamond 💎, and dollar sign 💲 emojis, for instance, could signify a scheme to rob a wealthy individual.
Due to the prevalence of this kind of cipher communication in online forums and chat rooms, it is challenging for OSINT investigators to keep an eye on criminal activity. Criminals involved in human trafficking may use emojis to communicate about their illegal activities. For example, a woman 👩 emoji with a shopping bag 🛍 may represent a victim who is being sold for sexual purposes. Keep in mind to include the various skin-tone and hair-colour variants in your searches, as these might help to physically identify a person. A suitcase 🧳️ emoji may indicate that a victim is being transported, while a key 🔑 or 📍 emoji may indicate the location of a victim.
Cyber criminals may use emojis to communicate about their illegal activities. For example, a computer 💻 emoji may represent a device that has been hacked or compromised. Similarly, a key 🔑 emoji may indicate a password or encryption key, while an open lock 🔓 emoji may represent a secure system that has been breached.
Criminals involved in smuggling may use emojis to communicate about their illegal activities. For example, a boat 🚤 emoji may represent a vessel used for smuggling contraband goods or people, while a suitcase 🧳️ emoji may indicate that items are being smuggled across borders. Similarly, a truck 🚚 emoji may indicate that smuggled goods are being transported by road. These are some examples investigators can think of during their investigations.
Mindset and critical thinking are key when it comes to trying to "guess" which emojis certain groups are using for their activities. Other examples might be a 🔗 to indicate a URL link or point of contact. Contact phone numbers might also be written as emojis (0️⃣ 1️⃣ 2️⃣ 3️⃣), which makes them more challenging for investigators to search for and find.
Understanding emojis and their meanings
Understanding emojis their meanings
So, how are these emoji ciphers solved by investigators? Using Emojipedia, a database with thousands of emojis and their meanings, is one option. Investigators can use Emojipedia to identify and decode potential ciphers by analysing the emoji patterns used in a specific post or message. For instance, if a message contains a series of emojis that appear to be random, investigators can use EmojiNet to look for common meanings for those emojis and then use this information to decipher the message.
Additionally, Emojipedia contains information about the various contexts in which various emojis are utilised, which can assist investigators in comprehending the hidden meanings of particular emojis. Online investigators are able to effectively decipher emoji ciphers and uncover criminal activity by combining this information with their investigative abilities.
A good alternative to Emojipedia is FastEmoji, because it shows not only the emojis that are standard on most mobile devices but also self-made emojis that are built out of keyboard characters.
For example this means:
( •́⌣ •̀)⌐╦╦═─ "I'll use my rifle".
Another example could be that people show their support for Nazi-oriented thoughts:
ಠ▄ಠ = Hitler
(∩ ͡° ͜ʖ ͡°)⊃卐 = Nazi boy
People can also use it to express their current mood or state:
(๑′◉﹏◉๑) = Popped A Molly, I'm Sweating, Woo!
ʕOᴥOʔ (づ￣ ³￣)づ[̲̅$̲̅(̲̅ ͡° ͜ʖ ͡°̲̅)̲̅$̲̅] = When you hit that blunt
┣▇▇▇═──(╯︿╰)つ = Anti Vaccination OR No needles please
Searching for emojis in search bars
To effectively search for ciphered emojis investigators will have to input one or more emojis in the search bars of social media platforms. On a mobile device it is easier to pull up emoji keyboards. On a Desktop or Laptop it may be a bit more challenging.
To pull up a standard emoji keyboard on a Windows operating system the key command is:
During text entry, press Windows logo key + . (period)
To pull up a standard emoji keyboard on Apple OSX operating system the key command is:
Click in the text field for that app and press Command + Control + Space
To pull up a standard emoji keyboard on a Linux operating system the key command is:
Press Control + Shift + E, then press Space.
Alternatively, you could install a browser extension that lets you search for specific emojis by keyword and then paste them into a search bar.
For Chrome or Chromium browsers you can use: Emoji Keyboard - Emojis For Chrome
For Firefox browsers you can use: Emoji Keyboard - Emojis For Firefox
In some search engines you can search for the Unicode representation of an emoji. This can be useful because emojis look different on different operating systems, while the Unicode is mostly uniform across them. A good resource to learn more about emoji Unicode is the Emoji chart on Unicode.org.
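An added example (not from the original post) of turning keycap-emoji digits back into plain digits before searching, and of listing an emoji's Unicode code points for search engines that accept them. The function names and the sample post are assumptions made for illustration.

```python
import re
import unicodedata

# A keycap emoji is a base character, an optional U+FE0F, then U+20E3.
KEYCAP = re.compile("([0-9#*])\uFE0F?\u20E3")

def keycaps_to_ascii(text):
    """Replace keycap emoji (and the single-character keycap ten) with plain text."""
    return KEYCAP.sub(r"\1", text).replace("\U0001F51F", "10")

def phone_candidates(text, min_digits=8):
    """Digit runs (spaces, dots, dashes allowed) that remain after normalisation."""
    flat = keycaps_to_ascii(text)
    runs = re.findall(r"\+?\d(?:[ .-]?\d)+", flat)
    digits = [re.sub(r"\D", "", run) for run in runs]
    return [d for d in digits if len(d) >= min_digits]

def codepoints(emoji):
    """Return (U+XXXX, Unicode name) pairs that can be used as search terms."""
    return [("U+%04X" % ord(ch), unicodedata.name(ch, "<unnamed>")) for ch in emoji]

def keycap(char, with_selector=True):
    """Hypothetical helper: build a keycap emoji, with or without U+FE0F."""
    return char + ("\uFE0F" if with_selector else "") + "\u20E3"

# Constructed sample post; the number is made up. Half of the digits carry
# the variation selector and half do not, as happens across platforms.
SAMPLE = ("\u2744\uFE0F menu " + "".join(keycap(d) for d in "0612") + " "
          + "".join(keycap(d, False) for d in "345678"))

if __name__ == "__main__":
    print(phone_candidates(SAMPLE))
    for cp, name in codepoints("\U0001F600" + keycap("1")):
        print(cp, name)
```

The same keycap can arrive with or without the invisible U+FE0F selector, so a literal copy-paste search can miss posts that the normalised digits will match.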
Find contact details with Emojis
How could someone share his or her phone and email contact details without exactly spelling out the words: contact details, email, e-mail, phone or phone number?
They can use emojis!
From an OSINT perspective this is also a good way to find details that are often used to trace people's online presence. For example, if we find someone's email address or phone number, we can use mail or phone search tools to find their addresses or social media accounts.
Here are some steps you can take to find someone's contact details using their name or username and emojis:
Start with a Google search: Use the person's name or username along with relevant emojis in a Google search. For example, if you're looking for John Smith, you could try searching for "John Doe 📧📱" or "Jane Doe contact information 📞📧". Make sure to try different variations and combinations of emojis to see if it yields better results.
Use social media: Search for the person on social media platforms like LinkedIn, Twitter, or Facebook. Use the emojis to narrow down your search. For example, if you're looking for John Smith's email, you could search for "John Doe 📧" on LinkedIn or Twitter. If you're looking for his phone number, you could try "John Doe 📱" on Facebook.
Use advanced search operators: Most search engines offer advanced search operators that can help you refine your search results. For example, you can use the "site:" operator to search for a specific website, such as "site:linkedin.com Jane Doe 📧". You can also use the "intitle:" operator to search for a specific word or phrase in the title of a webpage.
Different cultures and world regions, different emoji interpretations
Emojis are a form of communication that can be interpreted differently across different regions of the world and cultures. It is important to be aware of these differences when using emojis to communicate with people from different cultural backgrounds, as misunderstandings can occur if the intended meaning of an emoji is different from its perceived meaning.
Here are some examples of how emojis can be differently interpreted in different regions of the world and cultures:
Hand gestures: Hand gestures are a common form of communication, but the interpretation of certain hand gesture emojis can vary widely across different regions of the world and cultures. For example, the "OK" 👌 hand gesture is commonly used in Western cultures to indicate that everything is good or satisfactory, but in some countries, such as Brazil and Turkey, it is considered an offensive gesture. Similarly, the "thumbs up" 👍 gesture is commonly used in Western cultures to indicate approval or agreement, but in some countries, such as Greece and the Middle East, it is considered an insulting gesture.
Food and drink emojis: Food and drink emojis can also be interpreted differently across different regions of the world and cultures. For example, the "eggplant" 🍆 emoji is commonly used in Western cultures to represent the vegetable, but in some Asian cultures, it is considered a symbol of male genitalia. Similarly, the "beer" 🍺 emoji is commonly used in Western cultures to represent an alcoholic beverage, but in some Muslim countries, it is considered taboo and offensive.
Facial expressions: Facial expression emojis can also be interpreted differently across different regions of the world and cultures. For example, the "smiling face with smiling eyes" 😊 emoji is commonly used in Western cultures to represent happiness or contentment, but in some Asian cultures, it is interpreted as a sign of embarrassment or shyness. Similarly, the "face with tears of joy" 😂 emoji, which is commonly used to represent laughter and humor in Western cultures, is often used in Japan to indicate sadness or disappointment.
Animal emojis: Animal emojis can also be interpreted differently across different regions of the world and cultures. For example, the "monkey" 🐒 emoji is commonly used in Western cultures to represent playfulness or mischief, but in some Asian cultures, it is associated with the Chinese zodiac and is considered to have different meanings depending on the year in which a person was born. Similarly, the "cat" 🐈 emoji, which is commonly used in Western cultures to represent cuteness or playfulness, is often associated with bad luck in some Asian cultures.
Since emojis are visual, humans may make mistakes (not maliciously). OSINT researchers should try to verify this information if possible.
For example, the USA 🇺🇸 and Puerto Rico 🇵🇷 country flags might look similar, especially on small smartphones.
Can You Use Emojis in Encryption?
Thus far, we’ve shown that emojis are used to encode messages - but can we take this one step further? Many applications that use encryption require the user to enter a password (or key) in order to authenticate the message, decrypt, or both. Since a password is generated and entered by an end-user, could we slip an emoji into our cryptosystem?
Let’s walk through a possible scenario using Python programming. While we recognize 😀, the computer only sees bits and bytes. Emojis can be represented using the Unicode Standard, which aims to list every character used in human language, giving each a unique code. Luckily, Python 3.0 recognizes Unicode characters within Python strings. The code snippet below shows an emoji defined as a string with one single Unicode character. While defined as a string, Python’s print function recognizes Unicode and prints the visual emoji to the screen.
We’re going to use this emoji as part of our user-entered key (password). For this example, we’ll be using the Salsa20 stream cipher system via the Python package PyCryptodome. We’ll forgo the details of exactly how this encryption system works and stick to the following scenario and facts.
Scenario: Sadie wants to send an encrypted message to Nico using the Salsa20 stream cipher. They must both decide on a key (for this crypt algorithm a minimum length of 16 bytes is required). They decide to use 😀😀😀😀 as the key.
While Python recognizes the Unicode characters in a string, the Salsa20 algorithm only accepts keys that are Python bytes objects. To convert our string to a bytes object, we’ll have to encode our string to UTF-8 using Python’s encode() function.
Notice we can use the Python function decode() to get back to our original emojis. Now that we have our key in the correct format, Sadie creates a message (called original_msg) for Nico (which also happens to have emojis in it)*, initializes the crypt system with their agreed upon key, and encrypts the message. She then sends Nico the encrypted message (called message)**.
* The message will also have to be encoded to UTF-8 due to the emojis.
** Salsa20 requires a nonce value, but for this example we’re glossing over what that is and how it’s used. For more information on Salsa20 as implemented by this Python package, see the PyCryptodome documentation.
Now, it’s Nico’s turn. He receives a message (message) from Sadie and tries to print it to the screen. The message makes no sense, so he decides to try to decrypt the message using their agreed upon key.
Nico prints the decrypted (plaintext) message to the screen, but it still doesn’t look human-readable. He notices the format of the byte string and remembers that Sadie LOVES using emojis. He suspects UTF-8 so he uses the Python decode() function and reveals the original, emoji-filled message.
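The exchange between Sadie and Nico described above, as an added example that is not the authors' original snippets. It uses a compact pure-Python Salsa20 written for this illustration instead of PyCryptodome, so that it runs without third-party packages; the function names and the sample message are assumptions.

```python
import os
import struct

def _rotl(v, n):
    return ((v << n) | (v >> (32 - n))) & 0xFFFFFFFF

def _quarter(x, a, b, c, d):
    x[b] ^= _rotl((x[a] + x[d]) & 0xFFFFFFFF, 7)
    x[c] ^= _rotl((x[b] + x[a]) & 0xFFFFFFFF, 9)
    x[d] ^= _rotl((x[c] + x[b]) & 0xFFFFFFFF, 13)
    x[a] ^= _rotl((x[d] + x[c]) & 0xFFFFFFFF, 18)

_ROUNDS = ((0, 4, 8, 12), (5, 9, 13, 1), (10, 14, 2, 6), (15, 3, 7, 11),  # columns
           (0, 1, 2, 3), (5, 6, 7, 4), (10, 11, 8, 9), (15, 12, 13, 14))  # rows

def salsa20_block(key, nonce, counter):
    """Return one 64-byte keystream block (key: 16 or 32 bytes, nonce: 8)."""
    if len(key) not in (16, 32) or len(nonce) != 8:
        raise ValueError("key must be 16 or 32 bytes and nonce 8 bytes")
    c = struct.unpack("<4I", b"expand %d-byte k" % len(key))
    k = struct.unpack("<8I", key * (32 // len(key)))
    n = struct.unpack("<2I", nonce)
    init = [c[0], *k[:4], c[1], *n, counter & 0xFFFFFFFF, counter >> 32,
            c[2], *k[4:], c[3]]
    x = list(init)
    for _ in range(10):  # 10 double rounds = Salsa20/20
        for idx in _ROUNDS:
            _quarter(x, *idx)
    return struct.pack("<16I", *((a + b) & 0xFFFFFFFF for a, b in zip(x, init)))

def salsa20_xor(key, nonce, data):
    """XOR data with the keystream; the same call encrypts and decrypts."""
    stream = b"".join(salsa20_block(key, nonce, i) for i in range(len(data) // 64 + 1))
    return bytes(d ^ s for d, s in zip(data, stream))

def encrypt(passphrase, text):
    nonce = os.urandom(8)  # fresh per message, sent in the clear with it
    key = passphrase.encode("utf-8")  # Salsa20 takes bytes, not str
    return nonce + salsa20_xor(key, nonce, text.encode("utf-8"))

def decrypt(passphrase, message):
    key = passphrase.encode("utf-8")
    return salsa20_xor(key, message[:8], message[8:]).decode("utf-8")

KEY = "\U0001F600" * 4  # the four grinning faces: 4 characters, 16 bytes

if __name__ == "__main__":
    message = encrypt(KEY, "See you at 5 \U0001F44D")  # constructed message
    print(len(KEY), len(KEY.encode("utf-8")), decrypt(KEY, message))
```

The key length that matters is the UTF-8 byte count, not the number of visible characters: four 😀 give exactly 16 bytes, while three give 12 and are rejected.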
While we’ve shown that emojis can in theory be incorporated into encryption, it is not common in practice. The characters allowed in a password/cryptographic key are often restricted by the application itself (think of those extensive password creation requirements). However, from an attacker or pentesting standpoint, entering emojis to see whether the application accepts them and whether it handles the encoding of Unicode characters correctly may provide some valuable insight.
Emojis are used for lawful and illegal (encrypted/cipher) communication. Online investigators can utilise sources such as Emojipedia, FastEmoji and PyCryptodome (Python) to decipher these messages and uncover criminal activities. Investigators must keep up with the most recent tools and methods for analysing emojis and other digital communications due to the ever-changing nature of technology and online communication.
Extra Emoji Sources:
https://emojis.wiki/ = Emoji meaning lookup database
https://getemoji.com/ = Emoji lookup tool
https://emojiguide.com/ = Emoji meaning lookup database
https://emojitracker.com/ = Realtime Twitter emoji usage tracker