In this blog, we’ll be investigating the social media platform Bluesky and exploring some tradecraft and techniques for searching content and monitoring profiles. Chances are that if you conduct online investigations, you’ve heard of Bluesky. Although the platform has existed (first in invite-only beta form) since 2023, it has seen a massive uptake in users since in 2024. As of December 2024, it has nearly 25 million registered users.
The surge in Bluesky’s popularity means that it may become a new platform of focus for social media trends monitoring and investigations, although there are still plenty of unanswered questions about what kind of content will emerge on the platform.
Who Uses Bluesky?
The most recent surge in Bluesky’s popularity has been linked to the US election on 5 November 2024, with some new users citing concerns about X’s (previously known as Twitter) terms of service and lack of moderation of far-right content and hate speech. New Bluesky users include journalists, celebrities, and media entities who have highlighted their dissatisfaction with X.
Bluesky has developed a reputation as platform with a left-leaning userbase, and this continues to be supported by data following the November surge in registrations. Google Trends data shows a dramatic increase in searches for the keyword ‘bluesky’ around and following the US election, and the interest by subregion information reflects greater interest from ‘blue’ states.
However, like every social media platform, Bluesky’s userbase isn’t homogenous and with its growth in popularity, it is likely to attract a varied range of users and content. In November 2024, Bluesky reported that it was increasing its moderation resources, noting an increase in illegal content including child sexual abuse material (CSAM). There have also been indications of a surge of fake and scam accounts on the platform in the wake of its growth.
So, will Bluesky continue to grow?
It’s hard to say, at this point, but it is unlikely to overtake Threads or X in numbers of users anytime soon. Meta’s Threads platform, launched last year (read our blog on Threads here) was heralded by some as an existential threat to X – so far, X continues to have roughly twice as many active monthly users, although Threads reportedly achieved 275 million active monthly users by October this year.
Bluesky has far, far fewer users than both platforms, at around 25 million. Bluesky statistics suggest that there has been a decrease in user activity and engagement since the initial surge around the US election, and this may continue as a trend.
Understanding the usage and userbase of a social media platform is an important step in OSINT investigations – it helps us to gauge whether or not we should prioritise searching that platform for content of interest, particularly if we are researching topics and trends related to extremism and disinformation. For person-of-interest investigations, all social media accounts linked to a person should be investigated, as each of them might hold a missing piece of the puzzle.
The Platform
Bluesky is a microblogging platform like X. It functions, and looks, very similar to X. Posts have a limit of 300 characters, and users can choose to follow other Bluesky accounts to curate the content they see.
The interface of Bluesky is visually almost identical X, and users are presented with timelines of content that functions in much the same way as X timelines. Features like user mentions, hashtags, reposts and replies also mimic X’s functionality.
Unlike X, though, Bluesky offers a decentralized approach to user data. Users can set up their own custom domains (this is why some Bluesky handles have a different domain) and wield greater control over the content that they see. There is no verification tier (‘blue tick’ accounts) and, at least for the time being, Bluesky doesn’t support any kind of paid subscriptions or premium features.
Over the past two years, X has heavily restricted unauthenticated access to content—these days, it is quite difficult to search without an account unless using an alternative X frontend like Nitter. Bluesky, on the other hand, does not require authentication to view public content, and there are an emerging set of robust tools to collect and analyse content from the platform (we’ll talk more about these later, too).
Searching Bluesky
One of the first steps to exploring a new social media platform is understanding the search functions. For OSINT practitioners already familiar with X’s advanced search language, you will find, unsurprisingly, a number of similarities in Bluesky search. Notably, Bluesky does not support location-based searches (beyond searching keywords or hashtags for a location). So, while the ‘near:’ and ‘geocode:’ won’t work on Bluesky, there are a number of other useful operators to target specific content.
You can also search for content and profiles on Bluesky externally. The platform is far more heavily indexed by Google than Bing or Yandex.
For example, the search site:bsky.app “pizza” yielded around 40 000 results on Google, but fewer than one hundred on Bing and Yandex. Most of the indexed content was from user profiles, but it also included hashtag feeds as well.
Profile information and monitoring
Monitoring social media user profiles and extracting profile metadata is often a key tactic in OSINT or Person-of-Interest investigations. Some social media platforms are more difficult to retrieve data from, particularly if you are not an authenticated user, but for the time being, most of the information about an account is readily visible on a Bluesky user’s profile page.
Unlike X, unauthenticated users can generally view following and follower lists, as well as content posted by a Bluesky account. Just click on either ‘followers’ or ‘following’. And, of course, any posts made by a user will be visible under ‘posts’.
As with most social media platforms, users have both a display name and a handle. The display name is not necessarily unique, and can contain spaces and special characters. The profile handle – i.e. @username.bsky.app – is unique and forms the profile URL. Users can also use a custom domain for their Bluesky profile, which will change the handle and URL.
Some profile metadata isn’t visible on the user’s page, though – for example, the account creation date. We can use our browser’s developer tools to find this out, along with other metadata and user settings. Please note that the steps below use Google Chrome’s developer tools. Depending on your browser, information may display a little differently.
User profile and metadata
Right-click on a user’s profile and select ‘Inspect’ or use the keyboard shortcut Ctrl + Shift + I to open the developer tools pane. Select the ‘Network’ tab, which allows you to view the network requests for a webpage. You can add some filters here to cut down on your results – toggle on the ‘Fetch/XHR’ filter, and then add the word ‘getProfile’ in the filter field on the left. Refresh the page (Ctrl + R).
Select one of the requests that load, and expand the user metadata fields in the ‘Preview’ tab.
Along with exact follower/following counts, links to profile images, and other user metadata, the account creation data is visible in the ‘createdAt’ field. You can also expand the ‘associated’ field to find out a user’s chat settings to see whether they accept direct messages or not.
As with X, Bluesky users can change their handle—which has implications for monitoring accounts over time, because when the handle changes, so does the profile’s URL. However, the unique account identifier – in Bluesky’s case, this is called an account DID – doesn’t change. Recording the account DID will allow you to locate Bluesky profiles even when the user changes their name or adds a custom domain. There are a couple of ways to find the Account DID for a user.
Method One
Use the Bluesky handle resolver to retrieve the DID by adding a user’s handle to this URL: https://bsky.social/xrpc/com.atproto.identity.resolveHandle?handle=username.bsky.app
It will return the DID, which should look something like this:
Method Two
Using the same technique as we discussed for finding the account creation time, we can extract the DID by loading in the network requests (and filtering on the word ‘actor’ to narrow down our results).
You will find the DID just below the account description and creation date fields.
Method Three
You can also extract the account DID from the page source of a Bluesky user’s profile. Right-click and select ‘View Page Source’, or use the shortcut Ctrl+U, and then use Ctrl+F to search for ‘account DID’.
Once you have recorded a user’s account DID, you can locate the profile by pasting it into the Bluesky URL instead of the handle: https://bsky.app/profile/did:plc:z72i7hdynmk6r22z27h6tvur
This will allow you to retrieve user profiles even if the owner changes their handle or adds a custom domain.
RSS Monitoring
Although RSS (Really Simple Syndication) has largely been replaced by individual applications for news monitoring, it still functions as a way to stay updated on new content from websites of interest without visiting them individually.
RSS feeds are small files on websites that list the latest updates to the content. To subscribe to and read RSS feeds, you need an RSS reader. There are lots of options for RSS feed readers available, although most will require some kind of registration. A simple option that doesn’t require an account is the Chrome extension Feedbro.
Once you’ve set up Feedbro or another RSS reader of your choice, you can import RSS feeds of interest using a special URL. The RSS reader then checks these feeds regularly and shows you all the new content in one place.
So, how does this relate to Bluesky?
Some readers might remember that, once upon a time, X allowed RSS feeds of user profiles. This allowed for convenient monitoring of content without creating an X account. As of June 2024, though, unauthenticated X RSS monitoring no longer worked due to platform changes. Bluesky, however, supports RSS.
Finding an RSS feed for a Bluesky account is easy – simply add ‘/rss’ to the end of a user’s profile, and then load the URL into your feedreader of choice.
Notice how the RSS URL resolves to the account DID rather than the user’s handle? This means that even if the handle changes, you will still see updates from the user’s feed in your RSS reader.
Subscribing to RSS feeds does, of course, take a little longer than simply following accounts of interest, but it has a couple of benefits. Firstly, you do not need to register for your own Bluesky account. Secondly, and more importantly for OSINT practitioners, you may want to monitor accounts without alerting them to your interest. Using RSS feeds means that any accounts of interest won’t ‘see’ you following them. OPSEC and attribution should always be key considerations in OSINT.
Tools for Bluesky
Currently, Bluesky as a platform is quite open (especially compared to similar platforms like X and Threads), and other websites and tools can use its API to collect and aggregate data. As a result, there is good availability of free, effective tools for Bluesky monitoring and analysis. The list below isn’t exhaustive, but here are some of the ones we found useful:
Hoaxy - https://hoaxy.osome.iu.edu/
Hoaxy is a tool designed to look at the spread of information. OSINT practitioners might remember the days when Hoaxy was primarily a tool for collecting and analysing X content. These days, it can still retrieve X posts, but it does require an API key. The good news is that it can now be used to query live Bluesky content. Enter keywords of interest and then explore the network of profiles and posts to better understand conversations on the platform.
Bluesky Meter - https://blueskymeter.com/
Bluesky Meter is a profile analytics tool that retrieves statistics including activity and engagement over time for Bluesky accounts. It is useful for generating a quick overview of a user’s profile to gauge how they use the platform. It may also assist with understanding patterns of behaviour and timelines for user activity.
Open Measures - https://public.openmeasures.io/
While the publicly available version of Open Measures’ analysis toolkit has some limitations and restrictions (for example, the date range of queried data), it features a useful suite of tools for understanding trends and conversations on social media platforms including Bluesky. Query on keywords of interest to understand the timeline of conversations and topics and understand how particular hashtags or keywords have been used on the platform.
If you are keen to explore the full range of tools and plugins available, the Bluesky directory contains a list of varied tools and applications for collecting and curating content from Bluesky.
Summary
The microblogging platform Bluesky has seen a recent surge in users, and its popularity means that it is likely to be of greater interest to OSINT practitioners and researchers.
Bluesky is (at the time of writing this blog) a particularly open platform. Viewing and collecting content and user information does not require authentication, and Bluesky’s inbuilt advanced search language makes it straightforward to identify posts of interest.
We can also investigate and monitor specific Bluesky user profiles using a range of tools and OSINT techniques, while also managing our attribution considerations and online signature.
To support your OSINT collection and analytical capabilities, contact us at info@osintcombine.com to learn more about NexusXplore, our all-in-one, investigation-agnostic software platform, or our training courses.
And, yes, you can find us on Bluesky too - follow us at @osintcombine.bsky.social.