Financial OSINT: Guide to tracing corporate assets & networks
Learn the step-by-step methodology for financial OSINT, including accessing global corporate registries and tracing assets to sanctioned individuals
1. Introduction and context
1.1. The investigative need (The “why”)
Amid rising geopolitical tensions and the increasing sophistication of financial crime, monitoring financial flows, assets, and company networks in the public domain is key to accountability.
Open-source documentation and infrastructure can provide journalists with a legal and ethical way to uncover sanction evasion, determine who really owns companies hidden behind shell structures, and report on global procurement fraud.
1.2. Learning outcomes
Identify and navigate the most valuable global open corporate and property registries.
Master the use of sanctions list screening and Politically Exposed Person (PEP) databases to generate investigative leads.
Apply network visualization to map complex ownership structures and cross-correlate addresses, directors, and financial filings.
Understand the process of data preservation and chain of custody for financial and corporate records.
Ethically leverage AI for summarizing large financial documents and log files.
1.3. Case study hook
You receive a tip that a company supplying sensitive technology to a sanctioned regime has quietly changed its corporate registration and ownership in three different countries. By analyzing the company’s public business records, shipping manifests, and sanctions databases, you aim to reconstruct the company’s real beneficial ownership and its supply chain route, exposing the network of people and entities that evade global restrictions.
💡 2. Foundational theory and ethical-legal framework
2.1. Key terminology
Beneficial ownership: The natural person(s) who ultimately own or control a legal entity, even if the entity is held in another name (e.g., a proxy or shell company).
PEP (Politically Exposed Person): An individual who is or has been entrusted with a prominent public function, as well as their family members and close associates. PEPs pose a higher risk for involvement in bribery or corruption.
Shell company: A company that exists only on paper and has no office or employees, often used to mask the true ownership of assets or transactions.
Corporate registry: A government database that stores official records of registered companies, including directors, registered addresses, and annual filings (e.g., the UK’s Companies House).
Active vs. Passive OSINT:
Passive OSINT involves collecting publicly available information without interacting with the target (e.g., searching a corporate registry).
Active OSINT involves direct interactions that can be logged by the target system (e.g., pinging a domain or sending a request to a server).
⚠️ 2.2. Ethical and legal boundaries
2.2.1. Consent & privacy
Financial OSINT must rely strictly on data collected from public, legally accessible sources (e.g., government filings, official databases, public court records).
⚠️ The “stop at the login” rule: Don’t attempt to guess or bypass credentials, or use leaked ones, to gain access to sensitive information such as password-protected financial databases, email accounts, or private sections of corporate portals. That is unauthorized access and illegal. Remember, even publicly exposed personal data (e.g., addresses, dates of birth) must be handled with extreme care and used only in the public interest, not for harassment or for exposure that serves no public-interest purpose.
2.2.2. Legal considerations
Consultation with your legal department is paramount when publishing findings related to sanctions evasion, fraud, or the financial activities of individuals or entities. Legal risks include defamation, libel, and unauthorized access. Some jurisdictions restrict the commercial use of public corporate data.
Disclaimer: This tutorial is for informational and educational purposes only. Always consult with your legal department in the relevant jurisdiction before conducting any investigation or publishing financial findings. We do not endorse or provide instructions for any illegal or unethical activity.
🛠️ 3. Applied methodology: step-by-step practical implementation
3.1. Required tools & setup
Dedicated Virtual Machine (VM)/OSINT Profile: Use a dedicated browser profile or VM (e.g., a Linux distribution like Kali or a customised browser environment) to separate investigative activity from personal or newsroom accounts. This protects your identity and maintains a clean audit trail.
VPN/Proxy Service: Use a reputable VPN/proxy to mask your geographic location and IP address when accessing foreign registries or high-risk sites.
Core OSINT Tools:
Browser Extensions: Wayback Machine or Archive.today (for preservation).
Network Visualizer: Maltego (commercial) or OCCRP Aleph (free/investigative focus – for mapping entities).
Open Databases: OpenSanctions (Sanctions, PEP, Adverse Media lists) and OpenCorporates (Global corporate entities).
👷♀️ 3.2. Practical execution (The “How”)
Scenario: Tracing a sanctioned entity’s phantom asset network
The investigative goal is to trace the public-facing and hidden corporate assets of a known sanctioned individual.
Step 1: Baseline search and entity identification
Search for the individual’s name across major sanctions databases (e.g., OpenSanctions) and global adverse media.
Collect all variations of their name, dates of birth, known addresses, and listed companies (both current and former).
Step 2: Global corporate registry pivot
Use identified company names, director names, or registered addresses to pivot into national and international corporate registries.
Step 3: Address and network correlation
Use unique identifiers (like an unusual address or a unique director name) as a “pivot point” across registries. If 10 companies have the same registration address, they probably have a common relationship and constitute a corporate cluster.
Step 4: Ship and aircraft tracing (Supply Chain OSINT)
If the entity is involved in logistics or trade, use their corporate name or known vessel/tail numbers on public tracking sites.
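The address and director correlation from Step 3, as an added example (not code from the original guide): it normalizes addresses so that formatting differences between registries do not hide a match, then groups companies that share an address or a director. The record fields, the abbreviation table and the sample companies are constructed assumptions, not the output format of any real registry.

```python
import re
from collections import defaultdict

# Constructed sample records (not real companies); field names are assumptions.
RECORDS = [
    {"name": "Alpha Trading Ltd", "address": "Suite 4, 12 Harbour Rd., Exampletown", "directors": ["J. Doe"]},
    {"name": "Beta Logistics LLC", "address": "suite 4 12 harbour road exampletown", "directors": ["R. Roe"]},
    {"name": "Gamma Holdings SA", "address": "99 Other St, Sampleville", "directors": ["R. Roe"]},
    {"name": "Delta Foods GmbH", "address": "1 Market Square, Sampleville", "directors": ["A. Nother"]},
]
ADDRESS_ABBREVIATIONS = {"rd": "road", "st": "street", "ste": "suite", "ave": "avenue"}

def normalize(value, abbreviations=None):
    """Lowercase, drop punctuation, collapse spaces, expand given abbreviations."""
    tokens = re.sub(r"[^\w\s]", " ", value.lower()).split()
    return " ".join((abbreviations or {}).get(t, t) for t in tokens)

def find_clusters(records):
    """Group records linked, directly or transitively, by a shared address or director."""
    parent = list(range(len(records)))

    def find(i):  # union-find root lookup with path compression
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    pivots = defaultdict(list)  # (kind, normalized value) -> record indexes
    for idx, rec in enumerate(records):
        pivots[("address", normalize(rec["address"], ADDRESS_ABBREVIATIONS))].append(idx)
        for director in rec["directors"]:
            pivots[("director", normalize(director))].append(idx)

    shared = {key: members for key, members in pivots.items() if len(members) > 1}
    for members in shared.values():
        for other in members[1:]:
            parent[find(other)] = find(members[0])

    groups = defaultdict(lambda: {"companies": set(), "pivots": set()})
    for key, members in shared.items():
        group = groups[find(members[0])]
        group["companies"].update(records[i]["name"] for i in members)
        group["pivots"].add(key)  # keep the linking evidence for manual review
    return sorted(groups.values(), key=lambda g: -len(g["companies"]))

if __name__ == "__main__":
    for cluster in find_clusters(RECORDS):
        print(sorted(cluster["companies"]), sorted(cluster["pivots"]))
```

Each cluster keeps the pivot values that produced it, so a link through a common name or a mass-registration agent address can be reviewed and discarded before it reaches a network chart.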
💾 3.3. Data preservation and chain of custody
Mandatory step for all financial OSINT: Every key piece of evidence must be captured and logged to maintain a legally defensible Chain of Custody.
Archiving: Use a browser extension (like Wayback Machine or Archive.today) or a dedicated tool (Hunchly) to create a full-page, archived copy of the source URL (e.g., the corporate filing). Include a screenshot with a timestamp overlay.
Logging: Record every search query, the date/time (in UTC), the URL, and a brief description of the finding in a secure, encrypted log file (e.g., an encrypted spreadsheet).
Hash Generation: For any downloaded document (e.g., a PDF of an annual report), immediately generate a cryptographic hash (SHA-256) of the file and record it in your log. Recomputing the hash later and matching it against the recorded value demonstrates that the file has not been altered since the moment of download.
Command Line Example (Linux/macOS): sha256sum my_evidence.pdf
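The logging and hashing steps above combined into one routine, as an added example (not part of the original guide): it records a UTC-timestamped entry with the file's SHA-256 for each captured document and can later re-hash every logged file to detect changes. The JSON-lines log format, the field names and the function names are assumptions; the log is written in plain text here, so keep it on encrypted storage as the guide requires.

```python
import hashlib
import json
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so large filings do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def log_evidence(log_path, file_path, source_url, query, description):
    """Append one JSON line per captured document and return the entry."""
    entry = {
        "captured_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "file": Path(file_path).name,
        "sha256": sha256_file(file_path),
        "source_url": source_url,
        "query": query,
        "description": description,
    }
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(entry, ensure_ascii=False) + "\n")
    return entry

def verify_evidence(log_path, evidence_dir):
    """Re-hash every logged file; return (file, problem) pairs for any that fail."""
    problems = []
    with open(log_path, encoding="utf-8") as log:
        for line in log:
            entry = json.loads(line)
            target = Path(evidence_dir) / entry["file"]
            if not target.is_file():
                problems.append((entry["file"], "missing"))
            elif sha256_file(target) != entry["sha256"]:
                problems.append((entry["file"], "hash mismatch"))
    return problems
```

A matching hash only shows the file is unchanged relative to the log entry, so the log itself needs the same protection as the evidence.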
🧠 4. Verification and analysis for reporting
4.1. Corroboration strategy
Financial OSINT is high-risk and requires rigorous verification. Corroborate technical data with at least two independent sources or methods.
Method 1 (Internal Consistency): Cross-reference the same name/address in the corporate registry with the information on the sanctions list and an associated WHOIS record.
Method 2 (Physical Corroboration): Use a public satellite or map service (like Google Maps or Yandex Maps) to verify the physical existence and nature of a registered address (e.g., is the multi-billion dollar holding company registered to a residential home or a mailbox?).
4.2. Linking data to narrative
Translate complex financial findings into clear, verifiable journalistic facts.
🤖 4.3. AI assistance in analysis
AI/LLMs can be a powerful, ethical tool for processing high-volume, public OSINT data.
Summarizing large documents or log files: Upload non-sensitive, public documents (e.g., a large, published annual report or a log of vessel movements) to an LLM to quickly extract the core business purpose, key dates, or main financial figures.
Identifying key entities, dates, and relationships (clustering data): Use an LLM or dedicated AI entity recognition tool to process unstructured data (e.g., a batch of public news articles) to identify and cluster recurring names, dates, or financial amounts.
Translation of foreign language material: Use AI to translate corporate filings or news articles from foreign registries to quickly assess their relevance before investing in professional human translation.
⚠️ AI warning: Do not submit source-provided data, confidential documents, or sensitive data on private individuals to public LLMs (like ChatGPT or Google Gemini) due to privacy and data leakage concerns. All information found by an AI needs to be checked by a person against the original document, as there is a high chance the AI could make mistakes or create false information.
🚀 5. Practice and resources
5.1. Practice exercise
Challenge: A news report mentions that “Alpha Shipping LLC” owns a vessel named M.V. Freedom. Use open sources to find:
The vessel’s IMO number.
The full name and jurisdiction of the company that currently owns the vessel.
The vessel’s last reported port call (before the current date).
5.2. Advanced resources
OCCRP Aleph: Search a massive repository of leaks, court records, and public documents curated by investigative journalists.
OpenSanctions: Consolidated database of sanctions lists, PEPs, and high-interest individuals/entities.
OpenCorporates: The largest open database of companies and corporate entities worldwide.
MarineTraffic / VesselFinder: Global real-time and historical tracking of ships using AIS data.
GHDB (Google Hacking Database): A community-maintained list of advanced search queries for finding publicly exposed documents on the web.
✅ 6. Key takeaways and investigative principles
Pivoting is key: Successful financial OSINT means constantly pivoting from one data point (e.g., an address) to locate a new entity (e.g., a new company) and repeating the search.
Correlate the identifiers: Focus on the cross-referencing of unique identifiers—names, addresses, vessel/tail numbers, and shareholder names—to build an undeniable network.
Prioritize preservation: Adopt a “log everything, hash every document” policy to ensure a defensible Chain of Custody for your evidence.
Respect the boundary: Adhere strictly to the “Stop at the Login” rule and ensure all data is from public, legally accessible sources.
AI is an assistant, not a fact-checker: Use LLMs for summarization and translation of public data, but rely on human verification for all final facts and figures.