Platform: TryHackMe
Room: Sakura
Category: OSINT
Difficulty: Medium
Tool developed by author: PRISM — Open Source Intelligence Platform (coming soon)
The OSINT Dojo recently suffered a cyber attack. During forensic analysis, administrators recovered an image left behind by the attacker. The investigation requires applying a range of open-source intelligence techniques — including source code inspection, username enumeration, cryptocurrency tracing, social media profiling, and geolocation — across five tasks to fully identify the threat actor and determine their physical location.
The investigation begins with a single SVG image file hosted on the OSINT Dojo website. At first glance, the image simply reads "You've Been Pwned!" and offers no obvious clues.
Since the file is an SVG — an XML-based vector format — it can be read as plain text. Right-clicking the image in the browser and selecting "View Page Source" opens the raw markup.
The SVG image displayed in the browser — no visible clues on the surface
Right-clicking the page and selecting "View Page Source" (shown in the screenshot as the Russian menu item "Просмотр кода страницы") to inspect the SVG markup
Inside the source code, the inkscape:export-filename attribute contains the attacker's Linux home directory path, directly exposing their username.
The SVG source reveals the export path: /home/SakuraSnowAngelAiko/Desktop/pwnedletter.png — the username is highlighted in red
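The leak above comes from an editor attribute, not from the drawing itself, so it can be found and removed automatically before an image is published. The following Python is an added example, not part of the original writeup or of PRISM; it parses a constructed SVG that mimics what Inkscape writes (the export path mirrors the one found in the room, everything else is made up), lists every attribute in the Inkscape and sodipodi namespaces, derives the account name from any home-directory path it finds, and returns a scrubbed copy with those attributes stripped.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: a minimal SVG of the kind Inkscape writes, carrying the
# export-filename attribute that leaked the home directory path. The path
# value mirrors the writeup's finding; the rest of the file is made up.
SAMPLE_SVG = """<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
     xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
     width="400" height="100"
     inkscape:version="1.1"
     inkscape:export-filename="/home/SakuraSnowAngelAiko/Desktop/pwnedletter.png"
     sodipodi:docname="pwnedletter.svg">
  <text x="10" y="50">You've Been Pwned!</text>
</svg>
"""

SVG_NS = "http://www.w3.org/2000/svg"
INKSCAPE_NS = "http://www.inkscape.org/namespaces/inkscape"
SODIPODI_NS = "http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
# Editor namespaces whose attributes commonly carry local paths and file names.
EDITOR_NAMESPACES = (INKSCAPE_NS, SODIPODI_NS)

# A Unix home directory, a macOS home directory, or a Windows user profile
# at the start of a path; group 1 is the account name.
HOME_PATTERNS = [
    re.compile(r"^/home/([^/]+)/"),
    re.compile(r"^/Users/([^/]+)/"),
    re.compile(r"^[A-Za-z]:[\\/]Users[\\/]([^\\/]+)[\\/]"),
]


def _split_ns(attr):
    """ElementTree spells namespaced attributes as '{uri}local'."""
    if attr.startswith("{"):
        uri, local = attr[1:].split("}", 1)
        return uri, local
    return None, attr


def find_editor_metadata(svg_text):
    """Return (element tag, attribute name, value) for every attribute in an
    editor namespace, on any element of the document."""
    root = ET.fromstring(svg_text)
    hits = []
    for elem in root.iter():
        for attr, value in elem.attrib.items():
            uri, local = _split_ns(attr)
            if uri in EDITOR_NAMESPACES:
                hits.append((elem.tag, local, value))
    return hits


def username_from_path(path):
    """Account name from a path rooted in a home directory, else None."""
    for pattern in HOME_PATTERNS:
        m = pattern.match(path)
        if m:
            return m.group(1)
    return None


def find_leaked_usernames(svg_text):
    """Map each leaking attribute name to the username its path exposes."""
    leaks = {}
    for _tag, attr, value in find_editor_metadata(svg_text):
        user = username_from_path(value)
        if user:
            leaks[attr] = user
    return leaks


def scrub_editor_metadata(svg_text):
    """Return the SVG with every editor-namespace attribute removed; this is
    the step a publishing pipeline should run before an image goes public."""
    root = ET.fromstring(svg_text)
    for elem in root.iter():
        for attr in list(elem.attrib):
            if _split_ns(attr)[0] in EDITOR_NAMESPACES:
                del elem.attrib[attr]
    ET.register_namespace("", SVG_NS)  # keep SVG as the default namespace
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for _tag, attr, value in find_editor_metadata(SAMPLE_SVG):
        print(f"{attr} = {value}")
    print("leaked usernames:", find_leaked_usernames(SAMPLE_SVG))
    print(scrub_editor_metadata(SAMPLE_SVG))
```

The scrubber drops the whole editor namespace rather than only `export-filename`, because `sodipodi:docname` and similar fields also carry file names; run it over a directory of SVGs as a pre-publish check and alert on any non-empty result from `find_leaked_usernames`.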
Finding — Username: SakuraSnowAngelAiko
The attacker reused their username across multiple platforms, making cross-referencing straightforward. The username SakuraSnowAngelAiko was submitted to the Username Search module in PRISM — an OSINT platform developed by the author.
PRISM dashboard — 12 modules, 8 sources, 4 scan types. The Username scan type is selected for this task
PRISM's automated scan returned active accounts on GitHub, Instagram, Twitch, Pinterest, Spotify, 500px, Imgur, HackerRank, Kaggle, Trello, and Duolingo — all tied to the same handle.
PRISM Username Search results — the green arrow highlights the GitHub profile as the most relevant lead
The GitHub account contained a repository with a PGP public key. Decoding the key revealed the attacker's email address.
Decoded PGP public key output: the email SakuraSnowAngel83@protonmail.com is read from the key's user ID
A Google search for the username also surfaced a contact aggregator listing the attacker's real name.
LeadContact search result confirming the identity: Aiko Abe — Self-employed
Finding — Email: SakuraSnowAngel83@protonmail.com
Finding — Full Name: Aiko Abe
The task requires tracing the attacker's cryptocurrency activity. The instructions hint that the information lies in the attacker's GitHub account — specifically in content that may have been altered or removed.
Inspecting the GitHub profile reveals a repository named "ETH" with a file called miningscript and two commits. Viewing the commit diff exposes a stratum mining URL that the attacker accidentally pushed before updating it.
The attacker's GitHub repository sakurasnowangelaiko/ETH — 2 commits on the miningscript file
The first commit diff reveals the full mining configuration: stratum://0xa102397dbeeBeFD8cD2F73A89122fCdB53abB6ef.Aiko:pswd@us1.ethermine.org:4444 — circled in red
The stratum URL contains three critical pieces of intelligence: the Ethereum wallet address, the mining pool (Ethermine), and the username. Submitting the wallet address to Etherscan confirms the blockchain and reveals transaction history.
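Because git keeps the first commit's line in history, the credential is recoverable with `git log -p` long after the file was "fixed". The Python below is an added example, not part of the writeup or of PRISM, showing the parse the text describes and the check a repository owner would run before pushing: it scans a constructed diff (the removed line mirrors the URL found in the room; the added line is made up) for stratum URLs, splits each into pool host, port, wallet, worker and password, and flags whether the hit sits in a removed line, meaning it already lives in history. The address check is a format test only, not an EIP-55 checksum validation.

```python
import re
from urllib.parse import urlsplit

# Constructed sample in the style of `git log -p` output for a mining script.
# The removed line mirrors the URL the writeup found in the first commit;
# the replacement line uses placeholder values.
SAMPLE_DIFF = """\
diff --git a/miningscript b/miningscript
--- a/miningscript
+++ b/miningscript
@@ -1,3 +1,3 @@
 #!/bin/sh
-./ethminer -P stratum://0xa102397dbeeBeFD8cD2F73A89122fCdB53abB6ef.Aiko:pswd@us1.ethermine.org:4444
+./ethminer -P stratum://WALLET.WORKER:pswd@POOL:4444
 echo done
"""

# stratum://, stratum+tcp://, stratum+ssl://, stratum+tls://
STRATUM_URL = re.compile(r"stratum(?:\+(?:tcp|ssl|tls))?://\S+")
# 0x followed by 40 hex digits; a shape check, not a checksum check.
ETH_ADDRESS = re.compile(r"^0x[0-9a-fA-F]{40}$")


def parse_stratum_url(url):
    """Split a stratum URL into its intelligence-bearing parts. Pools
    conventionally take '<wallet>.<worker>' as the user part of the URL."""
    parts = urlsplit(url)
    user = parts.username or ""
    wallet, _, worker = user.partition(".")
    return {
        "scheme": parts.scheme,
        "host": parts.hostname,      # lowercased by urlsplit
        "port": parts.port,
        "wallet": wallet,
        "worker": worker or None,
        "password": parts.password,
        "wallet_is_eth": bool(ETH_ADDRESS.match(wallet)),
    }


def find_mining_credentials(diff_text):
    """Scan every added ('+') and removed ('-') line of a unified diff for
    stratum URLs. Removed lines matter because `git log -p` still shows them
    after the value has been overwritten in a later commit."""
    findings = []
    for line in diff_text.splitlines():
        if not line or line[0] not in "+-":
            continue
        if line.startswith(("---", "+++")):   # file headers, not content
            continue
        for m in STRATUM_URL.finditer(line[1:]):
            info = parse_stratum_url(m.group(0))
            info["in_history"] = line[0] == "-"
            findings.append(info)
    return findings


if __name__ == "__main__":
    for hit in find_mining_credentials(SAMPLE_DIFF):
        where = "already in history" if hit["in_history"] else "current"
        print(f"[{where}] pool={hit['host']}:{hit['port']} "
              f"wallet={hit['wallet']} worker={hit['worker']} "
              f"eth_format={hit['wallet_is_eth']}")
```

Feed it the output of `git log -p` rather than a single `git diff`: a hit with `in_history` set means rewriting the file is not enough, and the wallet and worker name should be treated as public from that commit onward.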
Etherscan block details — "Mined by: Ethermine" confirms the mining pool. The Extra Data field shows ethermine-eu-west1-1-geth (circled)
Scrolling through the wallet's transaction history on Etherscan reveals an outbound transfer involving the Tether stablecoin.
Etherscan transaction log — an outbound transfer tagged "Tether: USDT Stablecoin" from the attacker's wallet
The wallet address was also verified using PRISM's Crypto Address Lookup module.
PRISM Crypto Address Lookup — confirms Ethereum (ETH) type, balance of 0.000232 ETH ($0.48)
Finding — Cryptocurrency: Ethereum
Finding — Wallet Address: 0xa102397dbeeBeFD8cD2F73A89122fCdB53abB6ef
Finding — Mining Pool: Ethermine
Finding — Stablecoin: Tether
The attacker taunted the OSINT Dojo via Twitter using a different handle than previously tracked. A Google search with the allintext: operator for known aliases surfaces the new account.
The attacker's Twitter/X profile: Aiko @SakuraLoverAiko — joined January 2021, 1 Following, 191 Followers
The attacker's tweets reference saved WiFi credentials including an SSID for their home network: DK1F-G. Submitting this SSID to WiGLE.net returns a single matching record with the full BSSID.
WiGLE Network Search — SSID "DK1F-G" resolves to Net ID 84:AF:EC:34:FC:F8, first seen 2019-04-24
Finding — Twitter Handle: SakuraLoverAiko
Finding — Home WiFi BSSID: 84:af:ec:34:fc:f8
The final task requires synthesizing all collected intelligence to trace the attacker's travel route home. The attacker's Twitter timeline contains several posts with geographic clues.
The first post shows cherry blossom trees with the caption "Checking out some last minute cherry blossoms before heading home!"
Tweet from @SakuraLoverAiko dated Jan 25, 2021 — cherry blossom photo taken before boarding a flight
A Google Lens reverse image search identifies the location as Long Bridge Park in Arlington, Virginia.
Google AI Overview: "The place in the image is likely Long Bridge Park in Arlington, Virginia"
Long Bridge Park sits directly adjacent to Ronald Reagan Washington National Airport (DCA). Google Maps confirms the proximity.
Google Maps annotation — the park is marked at the top, DCA airport is immediately to the south
Ronald Reagan Washington National Airport — IATA code: DCA
A second tweet shows a photo of the "JAL First Class Lounge — Sakura Lounge" with the caption "My final layover, time to relax!"
Tweet from @SakuraLoverAiko — photo of the JAL First Class Lounge / Sakura Lounge entrance with 5-Star Airline SKYTRAX plaque
A reverse image search confirms this lounge is located at Haneda Airport in Tokyo.
Google AI Overview: "The image shows the entrance to the JAL First Class Sakura Lounge located at Haneda Airport (HND)"
A third tweet shows a satellite map image with the caption "Sooo close to home! Can't wait to finally be back! :)"
Tweet from @SakuraLoverAiko — satellite imagery showing a coastline, an island (Sado Island), and an inland lake
Cross-referencing the satellite image against Google Maps — using the island and lake shapes as geographic anchors — identifies the lake as Lake Inawashiro in Fukushima Prefecture.
Google Maps — Lake Inawashiro confirmed by matching the lake shape and surrounding geography
Finally, the home WiFi SSID (DK1F-G) identified earlier via WiGLE pinpoints the attacker's home city. Clicking "Map" on the WiGLE result shows the network location in Hirosaki, Aomori Prefecture.
WiGLE Network Location — the red pin marks Hirosaki, Aomori Prefecture, Japan
Finding — Nearest Airport: DCA (Ronald Reagan Washington National Airport)
Finding — Final Layover: HND (Haneda Airport, Tokyo)
Finding — Lake: Lake Inawashiro
Finding — Home City: Hirosaki
| # | Question | Answer |
|---|---|---|
| 1 | What username does the attacker go by? | SakuraSnowAngelAiko |
| 2 | What is the full email address used by the attacker? | SakuraSnowAngel83@protonmail.com |
| 3 | What is the attacker's full real name? | Aiko Abe |
| 4 | What cryptocurrency does the attacker own a wallet for? | Ethereum |
| 5 | What is the attacker's cryptocurrency wallet address? | 0xa102397dbeeBeFD8cD2F73A89122fCdB53abB6ef |
| 6 | What mining pool did the attacker receive payments from? | Ethermine |
| 7 | What other cryptocurrency did the attacker exchange with? | Tether |
| 8 | What is the attacker's current Twitter handle? | SakuraLoverAiko |
| 9 | What is the BSSID for the attacker's Home WiFi? | 84:af:ec:34:fc:f8 |
| 10 | What airport is closest to the attacker's pre-flight photo? | DCA |
| 11 | What airport did the attacker have their last layover in? | HND |
| 12 | What lake can be seen in the map shared by the attacker? | Lake Inawashiro |
| 13 | What city does the attacker likely consider "home"? | Hirosaki |
- SVG files are XML-based and can be opened as plain text — embedded metadata fields such as inkscape:export-filename may leak local filesystem paths and usernames.
- A single username pivot across platforms (GitHub, Twitter, LinkedIn, contact aggregators) is sufficient to build a comprehensive identity profile including real name and email.
- Cryptocurrency wallet addresses accidentally committed to public GitHub repositories remain visible in the commit history even after being overwritten.
- All blockchain transactions are public by nature — a single wallet address enables full transaction history analysis, mining pool identification, and token exchange tracking.
- WiFi SSIDs submitted to wardriving databases like WiGLE can expose a subject's precise physical home location and MAC address.
- Reverse image search combined with satellite imagery cross-referencing enables geolocation of travel routes from social media posts.
PRISM is an open-source intelligence platform developed by the author of this writeup. It consolidates multiple reconnaissance modules — including WHOIS, DNS enumeration, Shodan, VirusTotal, social account lookups, Google Dorks, cryptocurrency address analysis, and file metadata extraction — into a single unified interface. In this exercise, PRISM's Username Search and Crypto Address Lookup modules were used for identity resolution and wallet verification.
PRISM v2.0 — 15+ modules · 10+ sources · 5 scan types · Coming soon
Completed The Case: Sakura room on TryHackMe — a comprehensive OSINT investigation involving SVG metadata extraction, cross-platform identity resolution, cryptocurrency wallet tracing, blockchain forensics, social media profiling, WiFi network geolocation, and multi-source travel route reconstruction.
Investigation conducted on March 31, 2026 in 3.5 hours.