Shortened URLs in OSINT: How to Investigate Them

Quick lesson on shortened URLs!

What Are Shortened URLs?

Shortened URLs are compact versions of normal long web addresses. They're often used to make links more readable or shareable, especially on platforms with character limits such as X (Twitter) or messaging apps. You'll often see the same popular URL shorteners, which are Bitly, TinyURL, t.co (used by X/Twitter), and goo.gl (that is now discontinued).

Why They Matter in OSINT

Shortened URLs hide the true destination of a link, which makes them interesting—and potentially dangerous. In open-source investigations, they can appear in leaked documents, social media posts, emails, etc. We want to know what's behind them, without clicking and risking redirection to a malicious page.

How to Expand Shortened URLs Safely

• Bitly trick: Add + at the end of a Bitly URL to preview its destination (e.g., https://bit.ly/example+).
• Online tools: Use unshorten.me or checkshorturl.com to expand links without clicking them.
• Command line: Use curl -I <url> to view HTTP redirects.

Example with the following link: https://bit.ly/3Bg19uM+ (notice the '+' at the end of the ID):

We retrieve the date, the title and the destination link of the URL, simply by adding a '+' at the end of the URL.

You can find a list of URL shorteners on this Github repo

Interpreting the Results

Most expanders will show you the final destination URL and sometimes metadata such as the domain title, description, or preview image. This can reveal clues about the sender, the campaign, or the intent behind the link.

Best Practices

• Never click shortened links directly.
• Use a safe environment (sandbox/VM) when investigating unknown URLs.
• Archive interesting results with archive.ph or other archive websites.

Shortened links are everywhere, and handling them safely might not seem like a big deal but it's actually an OSINT skill.