ShareTrace

Finding Patient 0. A forwarded link still carries the fingerprint of whoever first pressed Share. Paste it here to reveal them.

Original tool by @soxoj · Source: github.com/soxoj/sharetrace · This page is only a web wrapper — all OSINT logic, platform support and maintenance by soxoj.

How it works

Every time someone taps Share → Copy link inside an app — TikTok, Instagram, Telegram, SharePoint, Pinterest, Substack and others — the platform quietly stitches a tracking token into the URL. The token is there so the platform can count shares, but it's also a fingerprint of the sharer.

When the link gets forwarded — in WhatsApp groups, in tweets, in screenshots, in anonymous emails — the token comes along for the ride. The person in front of you may be hop #7, but the link still knows hop #1.

ShareTrace decodes those tokens, either by inspecting URL structure (SharePoint, Telegram, Microsoft) or by making a lightweight request to the platform (TikTok, Instagram, Pinterest) to fetch the sharer's profile data. It returns user_id · username · display name · avatar — whatever the platform leaks. That's Patient 0.

When Patient 0 matters

Forwarded leaks. A SharePoint doc lands in your inbox from an anonymous address — the URL path contains the uploader's Microsoft username.
Viral reposts without credit. A reel spreads on X/Twitter as a screenshot + share URL — ShareTrace names the original Instagram account.
Anonymous admins. A Telegram join-link is dropped into a public channel by a pseudonym — decoded, it exposes the inviter's numeric user_id.
Chain-of-custody. An image arrives via a forwarded TikTok share — you learn whose app first generated that link.
Source vetting. A tipster sends you a Pinterest or Substack referral link — the referral code identifies them even without a signature.