Instagram OSINT Techniques
Published 2026-6-28 21:50:35 by secjuice.com

The golden age of one-click Instagram scrapers is over. The tools died, the API locked down, and the real signal moved to method. Here is what still works.


Somebody is about to tell you to install Osintgram. They read a tutorial from 2021, they bookmarked a YouTube video with forty thousand views, and they are going to send you a tool that has not worked in years. Osintgram is dead. The creator went quiet, Instagram quietly demolished the private API endpoint it leaned on, and the maintainers themselves now tell people it no longer works. It is not the only corpse. The whole golden age of paste-a-username-get-everything Instagram scraping is over, and the people still selling it have not opened a terminal lately.

Here is the part nobody wants to say out loud. Instagram spent 2024 to 2026 bolting the doors. The API lockdown, the anti-enumeration crackdown, the rate limits that now throttle you to a crawl, all of it gutted the famous command line toys at once. So if you came here for a magic binary, close the tab. The tools are not the discipline any more. The discipline is method, and the durable signal now lives in the human layer that no API change can patch out. The permanent numeric ID that outlives a username. The social graph. The location tags. The reused handle. The face. Get the method right and a half-broken tool will still hand you the answer. Get it wrong and the best scraper on earth gives you nothing.

This is not an article about tools. It is an article about how to think.

Kill The EXIF Fantasy First

Let me put a bullet in the oldest myth before we go a step further, because if I do not, an infosec audience will rip this apart and they will be right to.

You cannot pull GPS coordinates out of an Instagram photo. Instagram strips the EXIF metadata on upload. The latitude, the longitude, the camera make, the timestamp, all of it gets scrubbed before the image ever reaches another viewer. The original with its metadata intact sits on Meta's servers where you will never touch it, and the file you download is sanitised. Anyone who promises you EXIF geolocation on an Instagram post is selling you a technique that died with the platform's first privacy pass. It does not survive the pipeline. Full stop.

So we geolocate a different way, and we will get to it. But burn the EXIF dream now, because chasing coordinates that were deleted years ago is how you waste an afternoon.

TL;DR Instagram deletes the GPS. Stop looking for it.

Lock Onto The Number That Never Changes

Start every Instagram investigation by stealing the one identifier the target cannot edit.

Every account carries an immutable numeric ID, the PK, stamped on it at creation. The @username is paint. The display name is paint. Both can change tomorrow and frequently do. The number underneath never moves, and as a bonus a lower number means an older account, so the ID itself dates the target. This is the single Instagram identifier that survived the entire lockdown, and it is your anchor.

Pull it from the logged-in profile's page source. Open the profile, view source with Ctrl+U, search the HTML for profilePage_ or profile_id, and the digits that follow are your PK. As of 2026 this still works, but reliably only when you are logged in, because the logged-out HTML is increasingly gated. The Aware Online tutorial walks through the method and the web helpers if you want a hand. Once you have the number you can resolve it back the other way, ID to current username and full name, and that is the trick that lets you re-find a target who has rebranded their handle to dodge you, deduplicate three sock accounts that are secretly one person, and track an entity across years of cosmetic changes.

Get the PK first. Everything else can be renamed out from under you. The number cannot.
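As an added example, not code from the article: a small Python helper that applies the anchoring step above to page source you have already saved. It extracts the PK using the two markers the article names and keeps a ledger of every handle observed under each PK, so a rename or a cluster of sock accounts collapses onto one number. The HTML fragments are constructed, not real page source.

```python
import re
from collections import defaultdict

# The two markers the article names in a logged-in profile's page source.
PK_PATTERNS = (
    re.compile(r'profilePage_(\d+)'),
    re.compile(r'"profile_id"\s*:\s*"?(\d+)'),
)

def extract_pk(html):
    """Return the numeric account ID (PK) found in saved page source, else None."""
    for pattern in PK_PATTERNS:
        match = pattern.search(html)
        if match:
            return int(match.group(1))
    return None

class PkLedger:
    """Map each immutable PK to every @username it has been observed under."""
    def __init__(self):
        self.handles = defaultdict(list)

    def record(self, handle, html):
        """Anchor a handle on its PK; returns the PK, or None if the page was gated."""
        pk = extract_pk(html)
        if pk is not None and handle not in self.handles[pk]:
            self.handles[pk].append(handle)
        return pk

    def aliases(self, pk):
        return list(self.handles.get(pk, []))

    def oldest_first(self):
        """Lower PK means older account, so sorting the numbers dates them."""
        return sorted(self.handles)

# Constructed captures: one account seen before and after a rename, an older
# unrelated account, and a logged-out page that exposes no ID at all.
SAMPLES = {
    "urban_hiker": '<script>{"id":"profilePage_1234567890"}</script>',
    "hiker_urban": '<script>{"profile_id":"1234567890","v":1}</script>',
    "oldcafe": '<meta content="profilePage_98765">',
    "gated": '<html><body>Log in to continue</body></html>',
}

def build_ledger(samples=SAMPLES):
    ledger = PkLedger()
    for handle, html in samples.items():
        ledger.record(handle, html)
    return ledger
```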

Read The Profile Like A Pivot Board

The profile is not a page to glance at. It is a launch pad, and every field on it fires you somewhere else.

The bio carries hard identifiers if you actually read it, a full name, a city, a profession, sometimes a contact email or phone the target forgot they exposed. The external link is the prize. A Linktree or a Beacons page cascades straight into every other platform they run, and a business booking link very often leaks a real name or a company registration that the Instagram account alone would never give you. Pull every link. Follow each one.

Then take the @username itself and run it as a handle across every other network, because username reuse is the highest yield pivot in all of social media OSINT. People are creatures of habit. The clever pseudonym they picked at nineteen follows them onto Reddit, GitHub, a dating app and an old forum, and one of those will be tied to a real name. Holehe checks an email against 120-plus sites to confirm it maps to an account, though be warned its Instagram module is one of the things that broke when the platform tightened anti-enumeration, so date your expectations there too. And screenshot the profile picture at the highest resolution you can grab, because that avatar is your face search ammunition and it is astonishing how often the exact same shot is sitting on a LinkedIn or a dating profile.

Toutatis still squeezes account info, metrics and obfuscated email and phone hints out of a target, and it works often enough in 2026 to be worth a try, but it is fragile, it leans on the private API, and it breaks on Instagram's schedule, not yours. Treat it as a bonus, never the spine.

Walk The Graph, Not The Grid

Here is the shift that matters most. The relationship graph is now worth more than the post content, and it is the part of Instagram OSINT that no lockdown can take away, because connections are the product.

Who follows a target, who they follow back, and crucially who consistently likes and comments on their posts, that is the map of their real life. The serial likers are family, colleagues, the close friends. Export the followers and following with a purpose built tool like sterraxcyl, which dumps the lists to CSV with a function to infer the close circle and a diff mode to find what two accounts have in common. Run that diff against a known organisation or a known location and the co-workers, the unit, the friend group cluster out of the noise on their own.

This is not theory. This is exactly how Bellingcat cracked open the Trinidad and Tobago oil spill in 2024. They started from photographs tagged at a site of interest, identified the workers who had geotagged themselves there, and then, this is the masterstroke, they walked those users' followers and liked posts to surface additional employees who had photographed the same place but had not tagged a thing. The careful ones who left no location were caught by the social graph of the careless ones. That is the entire lesson of modern Instagram OSINT in a single move. The metadata was optional. The graph was not. The full investigation into the mystery vessel at the spill shows how those pivots slot into a real case alongside satellite imagery.

Expect friction. Follower lists on large accounts are paginated and rate limited, and scraping them at volume from a logged in account will earn you a challenge or a ban. Go slow. Reuse a saved session. Single thread it. The graph is the richest seam on the platform and it is guarded accordingly.

Since the EXIF is gone, you geolocate two ways, and neither involves a magic box.

First, Instagram's own location tags. Bellingcat's instagram-location-search resolves the location IDs near a given latitude and longitude and exports every post tagged at those places as an interactive HTML map plus CSV, JSON and GeoJSON. Reverse the workflow the way Bellingcat did, find everyone who tagged the site, identify them, then expand outward through their graph to catch the ones who did not. It needs your Instagram session ID to run, and you treat that session ID like the password it effectively is, because reusing it carelessly across machines can invalidate all your sessions at once.

Second, when there is no tag at all, geolocate the pixels. AI geo estimators like GeoSpy and Picarta read the signage, the skyline, the architecture, the road markings and guess a region from the image content alone. They are the practical replacement for the dead EXIF approach, and they are genuinely uncanny. They are also confidently, catastrophically wrong often enough that you never trust one on its own. Use the model as a hypothesis generator, let it point at a country, then do the real work with your eyes, matching the fixed landmarks frame by frame the way Bellingcat taught the whole field. The AI gives you a direction. Verification gives you the answer.
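An added example, not code from the article, from sterraxcyl or from Bellingcat's tool: Python that runs the graph pivots described in the two sections above on constructed data. It infers a close circle from mutual follows and serial likers, diffs a target's graph against a known organisation's follower set, and walks outward from the accounts that tagged a site to rank the connected accounts that did not. Every handle, post ID and relationship is invented.

```python
from collections import Counter

# Constructed data. FOLLOWS[a] is the set of accounts that a follows.
FOLLOWS = {
    "target": {"ana", "ben", "cara", "zed"},
    "ana": {"target", "ben", "fay"},
    "ben": {"target", "ana", "cara", "fay"},
    "cara": {"target", "ben", "fay"},
    "dan": {"target"},
    "eve": {"target"},
    "fay": {"ana"},
}
# Who liked which of the target's sampled posts (constructed).
LIKES = {"p1": {"ana", "ben", "dan"}, "p2": {"ana", "ben"}, "p3": {"ana", "eve"}}
ORG_ACCOUNT_FOLLOWERS = {"ben", "cara", "fay"}
# Accounts whose posts carried the site's location tag (constructed).
TAGGED_AT_SITE = {"ana", "ben", "cara"}

def followers_of(handle, follows=FOLLOWS):
    return {h for h, f in follows.items() if handle in f}

def mutuals(handle, follows=FOLLOWS):
    """Two-way follows: the first approximation of the close circle."""
    return followers_of(handle, follows) & follows.get(handle, set())

def serial_likers(likes, min_posts=2):
    """Accounts that liked at least min_posts of the sampled posts."""
    counts = Counter(h for likers in likes.values() for h in likers)
    return {h for h, n in counts.items() if n >= min_posts}

def close_circle(handle, likes, follows=FOLLOWS):
    """Score handles by independent signals: mutual follow plus serial liking."""
    signals = [mutuals(handle, follows), serial_likers(likes)]
    return dict(Counter(h for s in signals for h in s))

def shared_graph(handle, other_set, follows=FOLLOWS):
    """Diff mode: connections a target has in common with a known org's set."""
    return (followers_of(handle, follows) | follows.get(handle, set())) & other_set

def walk_from_taggers(taggers, follows=FOLLOWS):
    """Expand outward: how many taggers each untagged account is linked to."""
    linked = Counter()
    for t in taggers:
        for h in followers_of(t, follows) | follows.get(t, set()):
            if h not in taggers:
                linked[h] += 1
    return dict(linked)
```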

The Map Is New, And It Cuts Both Ways

There is exactly one genuinely new data surface on Instagram worth your attention, and you need to understand it precisely because it is so easy to misread.

In August 2025 Meta shipped Instagram Map, passive last-active location sharing built into DMs, rolling out across the US and Canada and then India. Where a connection has opted in, it is a live feed of roughly where they last were. On a connected research account that is a surface worth checking. But read this twice. It is opt-in and off by default. So the absence of someone on the map proves absolutely nothing, and an investigator who treats an empty map as evidence of anything is fooling themselves. It tells you where it tells you, and it stays silent everywhere else.

It is also, predictably, a stalking vector, and the people who design these features keep learning this the hard way. Child safety experts warned about Instagram Map within days of launch, and by October 2025 Meta had to ship an update just to make it clearer to users whether they were broadcasting their location at all. The tool we would use to locate someone is the same tool used to hunt them. Hold that thought, because it runs through everything that follows.

Search The Face, Not The File

Run the profile picture through a face engine, and understand why that is a completely different act from a Google image search.

A normal reverse image search finds copies of the same file. A face engine builds a facial embedding and matches the same person across different photographs, different lighting, different angles and years apart. That is the difference between finding where one JPEG was reposted and finding every place a human being's face appears online. FaceCheck.ID skews toward social profiles and is strong on ordinary Instagram users and catfish detection, even with a poor or angled face. PimEyes casts a wider net across the open web and surfaces press and public figure coverage. They run different indexes, so you use both. This is how you break a pseudonym, find the real name LinkedIn behind a faceless handle, confirm a catfish, or tie five scattered accounts to one person.

Now the caution, and it is the heaviest in this entire article. Both engines are paid for full results. Both produce false positives. And running them on a private individual carries the gravest ethical and legal weight of any technique here.

A Face Match Is A Question, Not An Answer

I will say this as plainly as I know how, because people get it dangerously wrong. A face recognition hit is a lead. It is not an identification.

The engine is telling you these faces look similar. It is not telling you they are the same person, and the distance between those two statements is somebody's life. People have been wrongly accused in public by amateurs who saw a similarity score, saw a green tick, and mistook a probability for a fact. Do not be that person. When a face engine hands you a candidate, you treat it as a hypothesis to disprove. You go and find corroboration somewhere that is not the face, a reused username, a detail in a bio, a mutual connection, a matching location tag, anything independent. If the only thread tying your target to a name is a similarity percentage, you do not have an identification. You have a guess wearing a lab coat. We have said it on Secjuice before and it will be true forever. OSINT is not evidence until you have corroborated it into evidence.

Collect Without Leaving Fingerprints

Two things about how you actually pull the data, because doing it wrong burns you, not them.

For footprint-free viewing, anonymous web viewers like Imginn and the Picuki clones let you browse public profiles, stories and hashtags without logging in, so no "seen" marker lands on a story and no follow appears. But treat them as disposable and untrusted, because the original Picuki degraded and the space is now a shifting field of clones and redirects of wildly varying safety. Some will happily serve you malware or harvest whatever you type. Verify the domain, expect nothing, and never paste anything sensitive into one.

For durable archiving, Instaloader is the most reliable open source downloader still standing, with releases and commits into 2026. It pulls posts, stories, highlights and profile pictures and writes the caption, timestamp and any surviving metadata to JSON sidecars. Run it with a saved login session, not anonymously, because anonymous access has been throttled to roughly one or two requests every thirty seconds, and a logged in session both unlocks more and lifts the ceiling. One instance at a time, delays between runs, and never point it at volume from an account you cannot afford to lose. Stories are deliberately transient, so saving them is sometimes the only way to keep evidence that was designed to evaporate.

Never Use Your Own Face

This is the rule that protects you, and it is not optional.

Never run Instagram OSINT from your personal account. Viewing a profile, following, liking by accident, scraping, any of it ties the target straight back to you and can deanonymise your real identity in a single careless tap. You work from a sock puppet, a dedicated research account, and you build it properly. SANS lays out the discipline: age the account gradually, give it realistic posting and following behaviour, and never use a stock photo as the avatar because the platforms flag reverse-searchable stock images on sight. Isolate it in a separate browser profile or container, a dedicated email, ideally a separate device or VM, and keep the session files so you are not constantly re-authing, because every re-auth risks a checkpoint.

Then assume you will lose it. Any account doing collection at volume eventually catches a challenge or a ban, so never store a single thing on it you cannot walk away from. Plan for the burn before it happens. Authentic8's guide is good on running the whole thing from a managed, attributable browser if you want the professional setup.

Know Where The Law Stands

Public does not mean free. This trips people who should know better, so let me be blunt about it.

A profile being visible does not put it outside the law. Platform terms of service carry contractual weight, and GDPR and CCPA can absolutely apply to publicly visible personal data. As Proelium Law spell out, an investigator needs a lawful basis, and the liability bites hardest not at collection but at dissemination, the moment you publish or share what you found. Document your proportionality and your purpose. And the face engines sit right in the centre of that hot zone, because running PimEyes or FaceCheck.ID on a private individual is the single most legally exposed thing in this whole playbook. The OSINT tool graveyard of 2026 is full of services that went paid, went dark, or got regulated out of reach, and the legal walls around biometric data are only getting taller. An infosec audience of all people does not need telling that ignorance is not a defence.

The Last Word

So bin the idea that Instagram OSINT is a tool you download, because the tools that promised that are mostly dead and the ones still breathing are on borrowed time. The lockdown did not end this work. It just stripped away the shortcuts and left the craft. You anchor on the permanent ID that cannot be renamed, you read the bio as a pivot board, you walk the social graph the way Bellingcat walked it until the careful target falls out of the careless one's followers, you geolocate by tags and pixels because the EXIF was never there, and when a face stares back at you wearing a confidence score, you remember it is asking a question, not giving an answer. The investigators who find people on Instagram are not the ones with the best scraper. They are the ones who pivot wider, corroborate harder, and refuse to call a maybe a name.

Now go and find something, and protect the people you find.


Source: https://secjuice.com/instagram-osint-techniques/