ProtOSINT - Python script that helps you investigate Protonmail accounts and ProtonVPN IP addresses


ProtOSINT is a Python script that helps you investigate ProtonMail accounts and ProtonVPN IP addresses.

Questions? Problems? Visit main page:


This tool can help you in your OSINT investigation on Proton service (for educational purposes only).
ProtOSINT is separated into 3 sub-modules:

  • [1] Test the validity of one protonmail account
  • [2] Try to find if your target has a protonmail account by generating multiple addresses by combining information fields inputted
  • [3] Find if your IP is currently affiliate with ProtonVPN

⚠️ Important update of the ProtonMail API [2021-11-07] ⚠️

For several days, we observe an update in ProtonMail's API:

  • The API now seems to be limited to a few queries (ten/fifteen requests).
  • The blocking time is one hour (the limitation seems to be by IP address).
  • Even if an email is not valid, the API will return a result that seems valid with a random timestamp.
  • However, if the email is really valid, the timestamp returned is still good.

Advice for using ProtOSINT nowadays

  • Use only modules 1 and 3.
  • Before using module 1, first, test the validity of your email with a third party tool or with the recipient field directly in the ProtonMail web interface:

Then, using ProtOSINT, get additional information (the public key attached to the email, the date the PGP key was created and the encryption used).


Python 3




The account name in the protonmail is case-insensitive and ProtonMail considers the "." "_" "-" symbols as transparent. Additionally, any words put after a "+" sign are not taken into account. It means that all of these email addresses below are the same as [email protected]:

All of these emails have the save timestamp and refers to the account [email protected].

This technique does not always give you the creation time and date of the ProtonMail account itself, but the time and date when the email address itself was created (thanks to @sector035 for the tip:

Email encryption keys

ProtOSINT allows you to know which encryption key is used for a protonmail account:

  • RSA 2048-bit (Older but faster) - high security
  • RSA 4096-bit (Secure but slow) - highest security
  • X25519 (Modern, fastest, secure) - State-of-the-art


Feel free to clone this project. For major changes, please open an issue first to discuss what you would like to change.

January 13, 2022


Hakin9 TEAM
Hakin9 is a monthly magazine dedicated to hacking and cybersecurity. In every edition, we try to focus on different approaches to show various techniques - defensive and offensive. This knowledge will help you understand how most popular attacks are performed and how to protect your data from them. Our tutorials, case studies and online courses will prepare you for the upcoming, potential threats in the cyber security world. We collaborate with many individuals and universities and public institutions, but also with companies such as Xento Systems, CATO Networks, EY, CIPHER Intelligence LAB, redBorder, TSG, and others.
Notify of

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Inline Feedbacks
View all comments
© HAKIN9 MEDIA SP. Z O.O. SP. K. 2023