AI agents are more dangerous than you think: the OSINT reality and what to do about it
A recent Reddit post is doing the rounds because it strips away the hype and shows what autonomous AI agents can actually do today. The author describes a multi-agent system running on Kali Linux that performs aggressive OSINT (open-source intelligence) against a person using only a name and an old username – and builds a frighteningly complete dossier in minutes.
This isn’t a hand-wavy demo. It’s a sober look at the convergence of three trends: rich public data, easy-to-orchestrate agent frameworks, and cheap model inference. For UK readers, the specifics differ from the US data landscape, but the underlying risk absolutely lands here too.
“An autonomous AI system can build a more complete profile of you in 15 minutes than a professional investigator could in a week.”
What the Reddit author built: parallel, persistent, and relentless
The post outlines a system that:
- Spawns multiple autonomous agents, each with its own terminal and browser session, running in parallel.
- Uses shared persistent memory (vector databases and graphs) so every partial clue can be cross-referenced and revisited later.
- Continuously re-plans based on results, corroborates weak signals, and kills dead ends fast.
From a basic input (name + legacy username), the system mined public records and data broker sites, then moved to social media, breach databases, and metadata. Before opening a single profile page, it had already resolved addresses, relatives, phone numbers, property details, voter registration (US), and historical emails via breached datasets. Social streams added routines, social circles, and behavioural patterns. The result: a joined-up view that no single platform reveals, assembled by software that never forgets.
UK angle: different data sources, same exposure
Some US-specific examples (county assessor sites, voter history by election) do not map one-to-one in the UK. But we have our own highly revealing public records:
- Companies House – historical director roles, registered office addresses, filings.
- HM Land Registry – title information and ownership history (available for a small fee), plus Property Alert.
- Electoral register – the open register can be searched and sold; you can opt out of the open register.
- Planning applications, local authority committee papers, school catchment maps, FOI disclosures.
- Professional registers – medical, legal, financial, engineering and more.
| Data category | Typical US availability | Typical UK availability |
|---|---|---|
| Voter history | Often public (not the vote itself) | Not disclosed; open register exists but limited detail |
| Property records | County assessor/recorder portals | HM Land Registry titles for a fee; price paid data public |
| Business entities | State registries | Companies House is widely accessible and detailed |
| Breach exposure | Global | Global (e.g. check via Have I Been Pwned) |
Combine those with social footprints (LinkedIn endorsements, Instagram followers and tagged photos, event RSVPs, forum posts) and you have enough signals to triangulate home/work areas, social circles, interests, and routines – even when individual accounts are private. The UK is not immune; we just leak in slightly different places.
Beyond surveillance: synthetic identities and manipulation
The post goes further than data collection. With a well-formed dossier, an agent can:
- Clone a plausible voice using text-conditioned voice synthesis APIs that do not require a verification sample.
- Generate photorealistic stills and videos of a target using modern image and video models.
- Write messages in your style via stylometry, then automate personalised outreach at scale.
In the UK, sharing intimate or abusive deepfakes can attract criminal liability, and platforms have duties under the Online Safety Act. But the technical bar to generating convincing content has dropped. The gap between a “creepy spearphish” and a compelling, in-voice message referencing real friends and venues is now inches wide.
Why this matters for UK organisations
The post also highlights a different threat: people self-hosting agent frameworks with system-level permissions on everyday laptops or VPSs. If an agent has shell and browser access on your primary machine, it often inherits your most sensitive assets: cookies, SSO tokens, SSH keys, API secrets, cloud creds, and synced files. A misconfigured control plane or a compromised plugin becomes an everything-bagel breach.
Model guardrails are not a security boundary. Treat agents like any privileged automation:
- Isolate – run in a dedicated VM or separate host, not your daily driver. Use containers and non-root users by default.
- Constrain – bind control interfaces to localhost and require VPN or SSH tunnelling for remote access.
- Least privilege – use throwaway browser profiles and scoped credentials; deny access to personal email, banking, password managers, and SSH agents.
- Egress control – restrict outbound network destinations where possible; log and monitor agent actions.
- Supply chain hygiene – pin dependencies, review extensions, generate an SBOM, and scan for known vulns.
- Data minimisation – don’t feed proprietary corp data or PII unless you can lawfully, securely, and verifiably contain it.
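
A preflight check along these lines can run before an agent starts, flagging the inherited assets and exposed control interfaces described above. This is an added example, not code from the Reddit post or any agent framework; the function names, the path and variable lists, and the Linux home-directory layout are assumptions.

```python
import ipaddress
import os
from pathlib import Path

# Credential stores an agent running as your user would inherit (relative to $HOME).
# Assumed list for a Linux workstation; extend for your own tooling.
SENSITIVE_PATHS = [".ssh", ".aws/credentials", ".config/gcloud", ".kube/config",
                   ".mozilla/firefox", ".config/google-chrome"]
# Environment variables that hand over live credentials or agent sockets.
SENSITIVE_ENV = ["SSH_AUTH_SOCK", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN",
                 "GITHUB_TOKEN", "OPENAI_API_KEY"]

def is_loopback(bind):
    """True if a 'host:port' bind string listens on loopback only."""
    host = bind.rsplit(":", 1)[0].strip("[]")
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # empty host (":8080") or unknown name: treat as exposed

def preflight(home, env, uid, binds):
    """Return a list of findings; an empty list means the checks passed."""
    findings = []
    if uid == 0:
        findings.append("runs as root: use a dedicated non-root user")
    for rel in SENSITIVE_PATHS:
        if (Path(home) / rel).exists():
            findings.append(f"credential store reachable: ~/{rel}")
    for name in SENSITIVE_ENV:
        if env.get(name):
            findings.append(f"secret in environment: {name}")
    for bind in binds:
        if not is_loopback(bind):
            findings.append(f"control interface not on loopback: {bind}")
    return findings

if __name__ == "__main__":
    # Constructed input: a control port bound to all interfaces.
    for finding in preflight(Path.home(), os.environ, os.getuid(), ["0.0.0.0:8080"]):
        print("FAIL", finding)
```

Run it as the agent's own user inside the VM or container, and refuse to launch the agent if the list is non-empty.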
Useful guidance: NCSC Guidelines for secure AI system development and the ICO’s AI and data protection. If you process personal data, UK GDPR and the Data Protection Act 2018 apply – from lawful basis and fairness to DPIAs, rights of access/erasure, and security of processing.
What individuals in the UK can do today
- Reduce easy correlations – review your public profiles, tagged photos, and old groups/events. Ask close contacts to limit public tags.
- Electoral register – opt out of the open register to reduce resale of your details.
- Companies House – if you’re a director, use a service address and review ways to protect personal information.
- Property – sign up to HM Land Registry Property Alert to monitor changes against your address.
- Breach hygiene – check Have I Been Pwned, rotate reused passwords, enable MFA everywhere, and consider a password manager.
- Be sceptical of “you-sounding” messages – voice notes and in-style texts can be synthesised. Validate via a second channel for anything sensitive.
A balanced take: power, risk, and responsible use
OSINT is not inherently malicious. Investigative journalists, due diligence teams, threat intel analysts, and safeguarding professionals use similar techniques lawfully and ethically, often to protect people. The concern here is scale and autonomy: cheap agents coordinating dozens of tools at once, persisting every finding, and improving over time – all without human sense-checking.
If you’re exploring automations, start with low-risk workflows, keep them isolated, and think hard about permissions. For example, simple reporting or spreadsheet pipelines are far less risky than giving an agent unfettered access to your browser and filesystem. If you are new to safe automation, my guide on connecting ChatGPT to Google Sheets shows how to ship value without handing over the keys to your kingdom.
Should the author post a demo video?
Transparency helps the community learn, but it cuts both ways. If shared, it should be a red-teaming demo with strict guardrails, synthetic data, and clear ethical boundaries – not a recipe that lowers the bar for abuse. Coordinated disclosure to security teams and researchers is more valuable than viral shock.
Final thought
The uncomfortable truth is that nothing “magical” is happening here. It’s just software doing what software does best: correlating lots of small, public fragments into a coherent story. In the UK, our regulatory environment gives individuals and organisations rights and obligations, but technical reality moves fast. Treat agents like power tools: incredibly productive in the right hands, dangerous in the wrong context, and not something you run unguarded next to your most valuable assets.