
PHONE NUMBER OSINT: WHAT INTELLIGENCE CAN BE GATHERED FROM A NUMBER

Published: 2026-05-24

PHONE NUMBERS AS PERSISTENT IDENTIFIERS

Email addresses get burned and replaced — investigators regularly encounter subjects cycling through throwaway Gmail accounts. Usernames get abandoned when platforms ban accounts or personas shift. Phone numbers behave differently. Number portability means that changing carriers does not change the number. People keep the same mobile number for years, sometimes for the duration of an entire adult life. This persistence makes phone numbers high-value identity anchors in OSINT investigations.

A phone number, properly investigated, can be linked to: the issuing country and original geographic region, the carrier (current and historical, before and after porting), the line type distinguishing mobile, landline, VoIP, and toll-free numbers, and increasingly, a verified real identity through social platform reverse lookup. Platforms that use phone numbers for 2FA essentially create a permanent binding between a number and an account — and by extension, an identity.

This persistence also makes phone OSINT sensitive. Unlike searching a username on a public platform, phone number lookups often query carrier infrastructure or crowdsourced databases built on contact sync. Understand the legal landscape in your jurisdiction before beginning any phone number investigation. Authorized investigation is the prerequisite, not an afterthought.

WHAT E.164 FORMAT REVEALS STRUCTURALLY

E.164 is the ITU-T standard for international phone number formatting: a plus sign, country code, and subscriber number with no spaces or dashes. Before making a single API call, the E.164 number itself encodes meaningful intelligence.

+14155552671: Country code +1 indicates North America (NANP). Area code 415 is the San Francisco Bay Area — assigned by NANPA (North American Numbering Plan Administration). The NPA-NXX (415-555) could be further cross-referenced against the NANPA database to identify the original carrier assignment for that block, though this reflects the original assignment, not the current carrier after porting.

+447911123456: Country code +44 is the United Kingdom. The leading 7 after the country code means mobile (UK mobile numbers begin with 07 in domestic format, which becomes +447 in E.164). UK carriers are identifiable to some degree from number ranges: 07700-07799 was historically Vodafone, 07800-07899 was O2, though number portability has eroded this mapping considerably.

+819012345678: Country code +81 is Japan. The 090/080/070 domestic prefix (90/80/70 after +81 in E.164, where the leading 0 is dropped) identifies mobile numbers from the major carriers (NTT Docomo, SoftBank, au). The 050 prefix indicates IP phone (VoIP) services in Japan.

This structural analysis is entirely passive — no network request required. Google's libphonenumber library performs this parsing and is available as a Python package:

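import phonenumbers
# carrier and geocoder are submodules that "import phonenumbers" alone does not load
from phonenumbers import carrier, geocoder

# The leading "+" makes the number unambiguous, so no default region is needed
n = phonenumbers.parse("+14155552671")
print(carrier.name_for_number(n, "en"))          # carrier from number-range data, if any
print(geocoder.description_for_number(n, "en"))  # geographic description of the number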

OpenOSINT's search_phone tool runs this local analysis as the first pass before any network queries.
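The structural reading of the three sample numbers above can be reproduced with the standard library alone. The following is an added example, not code from OpenOSINT or libphonenumber; the function names and the small lookup tables are hypothetical and cover only the three country codes this article discusses, with the prefix rules taken from the text above.

```python
import re

# Constructed tables: only the three country codes used in this article.
COUNTRY_CODES = {"1": "NANP (North America)", "44": "United Kingdom", "81": "Japan"}
JP_PREFIXES = {"90": "mobile", "80": "mobile", "70": "mobile", "50": "IP phone (VoIP)"}


def normalize_e164(raw):
    """Strip spaces, dashes, dots and parentheses, then enforce E.164 shape."""
    cleaned = re.sub(r"[\s\-().]", "", raw)
    # '+' followed by at most 15 digits, the first of which is non-zero
    if not re.fullmatch(r"\+[1-9]\d{1,14}", cleaned):
        raise ValueError(f"not an E.164 number: {raw!r}")
    return cleaned


def split_country_code(e164):
    """Country codes are prefix-free, so try 1-, 2- and 3-digit prefixes in turn."""
    digits = e164[1:]
    for width in (1, 2, 3):
        if digits[:width] in COUNTRY_CODES:
            return digits[:width], digits[width:]
    raise ValueError(f"country code not in the sample table: {e164}")


def describe(raw):
    """Passive structural reading of a number; no network request is made."""
    e164 = normalize_e164(raw)
    cc, national = split_country_code(e164)
    info = {"e164": e164, "country": COUNTRY_CODES[cc], "line_hint": "unknown"}
    if cc == "1":
        if len(national) != 10:
            raise ValueError("NANP numbers have 10 national digits")
        # NPA = area code, NXX = exchange. The NPA-NXX block identifies the
        # original assignment only and says nothing about later porting.
        info["npa"], info["nxx"] = national[:3], national[3:6]
    elif cc == "44" and national.startswith("7"):
        # Domestic 07... becomes +447... in E.164 (rule as stated in the article)
        info["line_hint"] = "mobile"
    elif cc == "81":
        info["line_hint"] = JP_PREFIXES.get(national[:2], "unknown")
    return info


if __name__ == "__main__":
    # Constructed sample inputs, including a dashed form that gets normalized
    for sample in ("+14155552671", "+447911123456", "+81-90-1234-5678"):
        print(describe(sample))
```

The line_hint value is only a hint derived from the numbering plan; porting and reassignment mean it has to be confirmed by a carrier lookup.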

CARRIER AND LINE TYPE LOOKUP

HLR (Home Location Register) lookups query carrier infrastructure databases. An HLR is the database within a GSM network that stores subscriber information. HLR queries were traditionally used by carriers to route calls and SMS — commercial HLR lookup services exposed this capability to external clients, making it useful for OSINT.

What an HLR lookup can return: the currently serving carrier, the original carrier (before any number porting), line type classification (mobile, landline, VoIP, toll-free, premium rate), and in some cases roaming status indicating the subscriber is currently using a foreign network. The distinction between original and current carrier is specifically relevant for OSINT: a number that was originally issued by AT&T but ported to a VoIP provider later suggests deliberate anonymization steps.

Line type carries particular intelligence value. VoIP numbers indicate a specific class of service:

Commercial HLR APIs include Numverify, Twilio Lookup, and Telesign. These require API keys and incur per-lookup costs. phoneinfoga can use Numverify when the NUMVERIFY_API_KEY environment variable is configured.

PHONEINFOGA IN DETAIL

phoneinfoga is the primary open-source tool for phone number OSINT. It operates in two modes: local scan and remote scan.

The local scan runs purely from the number structure using libphonenumber: format validation, country extraction, geocoding, and carrier assignment from number range databases. This never touches the network and produces results instantly. The remote scan queries multiple external sources: Google dork URLs generated for the number, Numverify (if a key is configured), and the phoneinfoga REST API server (which can optionally be self-hosted).

OpenOSINT's search_phone wraps phoneinfoga's output and structures it for the AI agent:

$ openosint phone +14155552671

Phone intelligence for '+14155552671':
[+] Country: United States
[+] Region: California
[+] Carrier: AT&T
[+] Line type: Mobile
[+] Valid: Yes
[+] International format: +1 415-555-2671
[+] Local format: (415) 555-2671

The full phoneinfoga CLI also generates Google dork URLs for the number in various formats (with and without country code, with dashes, with spaces) that you can run manually to surface forum posts, profiles, or documents mentioning the number. This dork generation is the same pattern used by OpenOSINT's generate_dorks tool for other identifiers.

phoneinfoga's remote scan requires caution: the full remote mode in phoneinfoga v2 uses a headless browser to scrape carrier lookup sites. Some of these lookups generate reverse query logs on the carrier side. For sensitive investigations, the local scan plus a manually run HLR API call is preferable to the automated remote scan.

SOCIAL MEDIA REVERSE LOOKUP AND LEGAL CONSTRAINTS

Several major platforms historically allowed or still allow reverse lookup of accounts by phone number. The mechanism varies: some platforms expose an API endpoint that accepts a phone number and returns whether an account exists; others allow account lookup when adding to contacts (exploited via contact sync enumeration); others return profile data directly in search results when queried with a phone number.

Platform-specific notes as of 2025:

Legal constraints are non-negotiable. GDPR (EU) prohibits processing personal data of EU residents without a lawful basis — legitimate interest may apply in authorized security investigations but requires documentation. The TCPA (US) governs commercial contact via phone but does not directly restrict lookup. Australia's Privacy Act, Canada's PIPEDA, and equivalent frameworks in other jurisdictions all impose constraints on collecting personal data tied to phone numbers. The rule: document your authorization before you begin, keep records of what queries were run and why, and restrict use of findings to the stated investigation purpose. OpenOSINT's tools are built for authorized research only — the same applies to every technique described here.
