Let's Get On With Mastodon
Updated: May 2
We have seen an explosion in growth and increasing interest in Mastodon – so, what is it and how do we investigate the platform? In this blog, we’ll focus on tools and techniques to investigate both the users, and those who host Mastodon servers (also known as ‘Instances’).
What is Mastodon?
Mastodon is a social network, but there are some key points that make it different. For starters, it’s an open-source platform – unlike Twitter or Facebook. Mastodon is decentralized, meaning that there is no one server, company or person running it. Posts are limited to 500 characters and are displayed in chronological order (not based on an algorithm).
How does decentralisation work?
Anyone can create their own version of Mastodon (called an Instance) and set their own rules. Those who join that particular instance will be required to comply to the moderation and rules applied by the owner and community that creates them.
How do these Instances communicate with one another?
Users can also follow users within other instances – this is referred to as ‘Federation’. While each instance of Mastodon is privately operated, their users can still communicate with members of other servers, kind of like email (you can communicate with other people using different email providers). Some instances are invitation-only and communities who want to remain private don’t have to communicate with other Instances.
As an example, go to https://fediverse.party/en/portal/servers/ to see the different types of themes applied to servers – each of these servers is geared towards something specific, but can still see posts from other servers.
What about attribution?
Operational security (OPSEC) encompasses the infrastructure, tools, and techniques you use to manage your online footprint or your "attribution". In an online context, this is largely referring to the ability of a third party to identify who you are, who you work for, and your intent and capability, among other things.
For Mastodon, there are a few things to keep in mind:
Data is not end-to-encrypted, and administrators of servers can potentially see that content/information. This could include subscriber information for your account – the email address you signed up with, your name and phone number, IP address, and details about your browser and device.
Mastodon does not collect and conduct monetization of user data, like mainstream social media platforms, but this does not stop a server administrator collecting user data to sell or use for nefarious purposes.
Physical and cyber security of servers is likely lower than commercial platforms.
As with any public-facing social platform, users who expose details of their lives online open themselves up to various risks.
Remember, anyone can set up a Mastodon instance. This means that it’s hard to know if a server owner is truly who they say they are.
What are the implications of using of this platform?
Mastodon is different, and these differences have implications:
Anti-abuse tools exist, but don’t operate from a central authority and therefore, there is not an established set of rules across the entire Mastodon community. This is different to platforms such as Facebook.
The server administrator is responsible for setting and enforcing rules on his/her instance, and those rules can vary. For example, a Mastodon community that promotes violent extremism, or a group of users associated with human exploitation, can establish their own rules and server standards, and this creates another online setting that can facilitate illegal activity.
Most mainstream social media platforms usually have established processes for responding to subpoenas and requests from law enforcement agencies. Whilst some more popular Mastodon instances will support law enforcement data requests, others will not.
Instances and users can obfuscate information about who they are, making investigations difficult.
To sign up, a user only needs to have an email address, and the ability to verify that email.
The sites https://joinmastodon.org/servers or https://instances.social provide various servers that you can join (you need to make an account with at least one server) – you can choose to join a generic or topic-specific server depending on your operational requirements and accessibility.
In most cases, you can follow any other person on the Mastodon network, regardless of which server their account is hosted (unless that server has been made private). Within Mastodon, you can easily move your profile to a different server at any time without losing any followers e.g., you receive an invite to join another server of higher interest.
Searching for a User
Searching for a particular user generally requires a combination of third-party tools, and native searching with an account, like most social media. To search natively within the platform, you may require the username and the server to find a person of interest. Even if you don’t know the server, however, it is still worth attempting to locate the profile with just the username. Keep in mind that Mastodon servers are designed to bring back limited results, and only allow limited filtered searching.
Two third-party tools to conduct key word searches across different Mastodon instances are https://search.noc.social/ and https://fediverse.info/explore/people. It is important to note that these are not strictly username searches, but keywords that may appear on a person’s profile. These tools have significant limitations, one being the inability to search within posts (called Toots on Mastodon)
As reported by many sources any people have moved to Mastodon from Twitter. Fortunately for the purpose of OSINT, many people have kept the same username. In order to maintain persistent monitoring of persons or groups of interest the following tools can be used to identify the Mastodon server a Twitter user has migrated to, and therefore locate them on the new platform. They both require you to have a Twitter account, but are easy to use and can be found at