Investigator Use
Canarytokens is a free honeypot-as-a-service tool that generates unique, trackable URLs, documents, images, and other file types that silently notify the creator when they are opened or accessed. When a Canarytoken is triggered, the creator receives an alert including the accessing IP address, browser information, and timestamp.
For OSINT investigators and security researchers, Canarytokens provide active intelligence gathering capability — rather than passively discovering what a threat actor is doing, investigators can deploy tokens that generate alerts when the threat actor interacts with them.
Document tracking is a primary investigative application. When a Canarytoken-embedded Word document or PDF is sent to a suspect or delivered via a scenario that would cause them to open it, the token fires when the document is opened, revealing the subject's IP address, location, and approximate ISP. This is particularly useful in authorized sting operations or when trying to locate a subject who is otherwise hiding.
Email-based tokens alert when an email with the embedded token is opened — providing evidence that a specific email was received and read, along with the IP from which it was accessed.
Infrastructure monitoring: Canarytokens can be placed in sensitive locations (network shares, web directories, application source code) to alert when those locations are accessed — immediately detecting unauthorized access to protected resources.
DNS-based tokens generate alerts when a specific hostname is queried — useful for embedding in documents or configurations where the hostname would only be queried if someone was examining the content.
Canarytokens are deployed legitimately in security monitoring and authorized investigations. Their use in unauthorized entrapment or deceptive scenarios outside authorized investigative contexts raises legal and ethical concerns that investigators must carefully navigate.
Document any Canarytokens created for investigations with the token type, deployment context, intended subject, and all alerts received including IPs and timestamps.
Before You Pivot
Record Context
Capture the target, search terms, and why this source is relevant before you leave the page.
Preserve Evidence
Archive volatile pages, save screenshots, and keep timestamps for anything that may change.
Corroborate
Treat one tool as a lead source. Confirm important findings with independent sources.
Related Tools
Account Killer
Privacy & Security OSINT
AccountKiller provides direct deletion links and step-by-step instructions for removing accounts on hundreds of websites and social platforms.
AlgoVPN
Privacy & Security OSINT
Algo VPN automates deployment of a personal WireGuard or IKEv2 VPN server in the cloud for private, secure OPSEC browsing.
Blokada
Privacy & Security OSINT
Keep all your devices protected with Blokada content filtering and encryption.
Certificate Search
Privacy & Security OSINT
crt.sh searches certificate transparency logs to uncover domains, subdomains, and infrastructure from TLS certificate data.
Cover Your Tracks
Privacy & Security OSINT
EFF Cover Your Tracks reveals how ad trackers and fingerprinters see your browser to help investigators strengthen OPSEC and anonymity.
DNS Leak
Privacy & Security OSINT
DNS Leak Test checks whether your VPN or proxy is leaking DNS requests, exposing your real IP address during anonymous browsing.