
Financial Crime & AML OSINT

Objectives

  • Identify beneficial owners and entity relationships
  • Screen for sanctions, PEP (Politically Exposed Persons), and adverse media
  • Trace financial flows through corporate structures and payment systems
  • Map cryptocurrency transactions (where applicable)

1. Key Questions

  • Who benefits? Ultimate Beneficial Owners (UBOs), directors, shareholders
  • What entities/wallets/accounts touch the flow? Payment processors, intermediaries, shell companies
  • Are there sanctions/PEP/compliance flags? OFAC, EU, UN sanctions lists
  • What are the red flags? Unusual structures, high-risk jurisdictions, rapid changes
  • What is the money flow? Source → intermediaries → destination

2. Corporate Entity Research

Company Registries (Public)

United Kingdom:

  • Companies House - Free UK company search
  • Lookup: company name, number, directors, filing history, PSC (Persons with Significant Control)

United States:

  • EDGAR (SEC) - Public companies
  • State-level registries (e.g., Delaware Division of Corporations, California SOS)
  • OpenCorporates - Global company search aggregator

European Union:

  • European Business Register - Cross-border company information
  • Country-specific registries (e.g., Netherlands KVK, Germany Handelsregister)

Offshore/High-Risk:

  • Limited public access (BVI, Cayman, Panama, etc.)
  • Use: ICIJ leaks databases (Panama Papers, Paradise Papers, Pandora Papers)

UBO (Ultimate Beneficial Owner) Identification

Steps:

  1. Identify registered directors and shareholders
  2. Trace ownership chains upward (holding companies, trusts)
  3. Look for PSC/UBO disclosures (required in UK, EU)
  4. Cross-reference names with PEP/sanctions databases
  5. Map corporate structure visually

Tools:


3. Sanctions & PEP Screening

Sanctions Lists (Public)

OFAC (US Treasury):

  • OFAC SDN List - Specially Designated Nationals; web search interface
  • Download consolidated list (XML/CSV, updated daily): OFAC File Finder (or the newer bulk endpoint at sanctionslist.ofac.treas.gov)
  • Crypto coverage: SDN list includes Digital Currency Address (DCA) entries tagged by currency code (XBT, ETH, USDT, XMR, etc.). Treat each DCA hit as a high-priority pivot.

European Union:

United Nations:

United Kingdom:

Other:

PEP (Politically Exposed Persons)

Free/Open Resources:

Commercial (subscription):

  • LSEG World-Check (formerly Refinitiv World-Check; LSEG retired the Refinitiv brand starting Aug 2023)
  • Dow Jones Risk & Compliance, LexisNexis Risk Solutions, Moody's Orbis (Bureau van Dijk), Sayari Graph — enterprise screening / corporate-network analytics

Manual checks:

  • Government websites (parliament, cabinet lists)
  • News archives for political appointments
  • LinkedIn for government/state-owned enterprise roles

Adverse Media Screening

Search engines with temporal filtering:

"John Doe" AND ("fraud" OR "corruption" OR "money laundering" OR "embezzlement" OR "bribery")
site:news.com "Company Name" AND ("investigation" OR "charged" OR "lawsuit")

News databases:

  • Google News Archive
  • Bing News (with date filters)

Legal case databases:


4. Payment Systems & Financial Infrastructure

Payment Processors & Merchant IDs

Identifiers to collect:

  • Merchant Category Code (MCC)
  • Payment processor names (Stripe, PayPal, Square, etc.)
  • Bank merchant descriptors (what appears on statements)
  • IBAN/SWIFT/BIC codes (if disclosed)

Pivot opportunities:

  • Search merchant descriptors in scam databases
  • Cross-reference payment processors with known fraud patterns
  • Check processor websites for merchant status/verification

High-Risk Payment Service Providers (PSPs)

Red flags:

  • Offshore registration (BVI, Cyprus, Seychelles)
  • No regulatory oversight or license
  • Known association with fraud/scams (check forums, complaints)
  • Multiple domain names for same processor

Resources:


5. Cryptocurrency Tracing — AML Analyst Quick Reference

Deep on-chain methodology — multi-chain tracing, address clustering, mixer / CoinJoin defeat, cross-chain bridge tracing, and court-admissibility tradecraft — lives in Blockchain Investigation and Mixer & Privacy-Pool Tracing. This section is the AML-analyst entry-point only: surface-level wallet check, sanctions screening, and Travel-Rule context. Hand off any deep tracing work to those SOPs.

Surface-level wallet check

  1. Look up the address in a public explorer: Blockchain.com or Mempool.space (BTC), Etherscan (ETH / EVM), Blockchair (multi-chain).
  2. Note inflows / outflows, exchange-deposit patterns, and any vendor-tagged labels (Arkham Intelligence for entity labels, Chainabuse for known-bad reports).
  3. Flag any of: privacy-coin hops (Monero, Zcash shielded), CoinJoin / mixer activity, cross-chain bridge use, peel chains, round-number layering, no-KYC swap services (FixedFloat, ChangeNOW, SimpleSwap), OFAC SDN Digital Currency Address (DCA) hits.
  4. Stop here. Do not transact with the address. Do not pivot deeper without engaging blockchain-investigation methodology — vendor labels are heuristics, not court evidence, and pasting addresses into free analytics surfaces can leak the investigation.

Sanctions screening (crypto-side)

The OFAC SDN list includes Digital Currency Address (DCA) entries tagged by currency code (XBT, ETH, USDT, XMR, etc.). Each DCA hit is a high-priority sanctions exposure. Sanctions designations are time-stamped facts — record both the activity timestamp and the list state at that time (Tornado Cash addresses were SDN-listed 2022-08-08, vacated 2024-11-26, delisted 2025-03-21). EU, UK OFSI, and UN consolidated lists may not mirror US DCA entries; screen all four at minimum.
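An added example (not from this vault or from OFAC) of the screening step above: it indexes Digital Currency Address entries from a constructed SDN-style XML snippet, normalizes EVM addresses before matching, and answers whether a hit was actually listed on the activity date. The XML layout is modelled on the SDN file's "Digital Currency Address - <code>" idType convention, but the uid, the addresses and the listing window attached to them are assumptions.

```python
import xml.etree.ElementTree as ET
from datetime import date

# Constructed sample, not a real OFAC file. It mimics the SDN XML convention of an
# <id> whose idType reads "Digital Currency Address - <currency code>"; the address
# values are placeholders, not real designated addresses.
SAMPLE_SDN_XML = """<sdnList>
  <sdnEntry><uid>1001</uid><lastName>EXAMPLE MIXER</lastName><idList>
    <id><idType>Digital Currency Address - ETH</idType>
        <idNumber>0xAbCdEf0123456789AbCdEf0123456789AbCdEf01</idNumber></id>
    <id><idType>Digital Currency Address - XBT</idType>
        <idNumber>bc1qplaceholderexampleaddress000000000000</idNumber></id>
  </idList></sdnEntry>
</sdnList>"""

# Listing windows are NOT in the SDN XML; record them from OFAC notices / court orders.
# The SOP's Tornado Cash dates (listed 2022-08-08, delisted 2025-03-21) are attached to the
# placeholder uid purely for illustration; log the 2024-11-26 vacatur as a separate event.
LISTING_WINDOWS = {"1001": [(date(2022, 8, 8), date(2025, 3, 21))]}  # end None = still listed

def normalize(address):
    # EVM addresses are hex and case-insensitive (EIP-55 only varies case); Bitcoin
    # base58 addresses are case-sensitive, so non-0x addresses are left untouched.
    a = address.strip()
    return a.lower() if a.startswith("0x") else a

def load_dca_index(xml_text):
    """Map (currency_code, normalized_address) -> SDN uid for every DCA entry."""
    index = {}
    for entry in ET.fromstring(xml_text).iter("sdnEntry"):
        uid = entry.findtext("uid")
        for id_el in entry.iter("id"):
            id_type = (id_el.findtext("idType") or "").strip()
            if id_type.startswith("Digital Currency Address - "):
                currency = id_type.split(" - ", 1)[1]
                index[(currency, normalize(id_el.findtext("idNumber") or ""))] = uid
    return index

def screen(index, currency, address, activity_date):
    """Hit details plus whether the address was listed on the (ISO-8601) activity date."""
    uid = index.get((currency, normalize(address)))
    if uid is None:
        return {"hit": False}
    when = date.fromisoformat(activity_date)
    listed = any(s <= when and (e is None or when <= e)
                 for s, e in LISTING_WINDOWS.get(uid, [(date.min, None)]))
    return {"hit": True, "uid": uid, "activity_date": activity_date,
            "listed_at_activity": listed}
```

Run the same address against each of the OFAC, EU, UK OFSI and UN feeds separately; the index here models one list only.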

Travel Rule (FATF Recommendation 16)

VASPs (exchanges, custodial wallets, OTC desks) must transmit originator / beneficiary information for crypto transfers above a jurisdictional threshold. Implementations differ:

  • US (FinCEN): USD 3,000 threshold [verify 2026-04-27]
  • EU (Transfer of Funds Regulation / MiCA): No de minimis for VASP-to-VASP transfers from 2024-12-30
  • UK (FCA): GBP 1,000 originator-side trigger
  • Singapore / Switzerland / Japan: thresholds vary; check the local FIU

Non-compliant VASPs and self-hosted-wallet routes are common AML red flags. Open-source Travel Rule protocols include TRP, IVMS101, and Sygna Bridge / Notabene / Veriscope deployments [inferred — vendor list shifts annually].

Hand-off

  • Multi-chain tracing, address clustering, bridge-event indexing, court-admissibility tradecraft → Blockchain Investigation
  • Mixer / CoinJoin / Tornado Cash / Wasabi / Whirlpool / cross-chain-bridge obfuscation defeat, regulatory-event timeline → Mixer & Privacy-Pool Tracing

6. Financial Red Flags

Corporate Structure Red Flags

  • Rapid director/shareholder changes
  • Mailbox/virtual office addresses
  • Nominee directors/shareholders (names appearing across many companies)
  • Circular ownership (Company A owns B, B owns A)
  • Offshore entities with no clear business purpose
  • Multiple dissolved companies with same directors

Transaction Red Flags

  • Transactions inconsistent with business type
  • Round-number transactions (structuring to avoid reporting thresholds)
  • High-risk jurisdictions in payment flow
  • Funnel accounts (many in, one out or vice versa)
  • Shell companies as intermediaries
  • Invoices with no supporting documentation
  • Goods/services mismatch (declared vs actual)

Payment Processor Red Flags

  • Unregistered or unlicensed PSPs
  • Offshore payment processors for domestic business
  • Frequent PSP changes
  • Merchant accounts in high-risk categories (gambling, pharma, crypto)

7. Investigation Workflow

Example: Suspicious Company Investigation

Target: SuspiciousCorp Ltd (UK)

Step 1: Company Registry

1. Search Companies House for "SuspiciousCorp Ltd"
2. Extract:
- Company number
- Registration date
- Directors (current & resigned)
- PSC (UBO) disclosures
- Filing history
- Registered address
3. Screenshot and save PDF of company profile

Step 2: Director Background

1. Extract director names
2. Search for other directorships (Companies House "Search for a director")
3. LinkedIn search for professional background
4. Google News search: "Director Name" + fraud/investigation
5. Cross-reference with sanctions lists

Step 3: UBO Identification

1. Check PSC register (Companies House)
2. If holding company listed, trace upward
3. Use OpenCorporates for international entities
4. Map ownership structure diagram

Step 4: Sanctions & PEP Check

1. Search OFAC SDN: https://sanctionssearch.ofac.treas.gov/
2. Search EU Sanctions: https://www.sanctionsmap.eu/
3. Search OpenSanctions: https://www.opensanctions.org/
4. Check UN Consolidated List
5. Document results with timestamps

Step 5: Financial Infrastructure

1. Identify payment processors (from website, customer complaints)
2. Check FCA register for PSP authorization
3. Search merchant descriptor in scam databases
4. Document payment flow

Step 6: Adverse Media

1. Google News: "SuspiciousCorp" + (fraud OR scam OR investigation)
2. Search Action Fraud / FBI IC3 / FTC complaints
3. Check Trustpilot, BBB, Reddit for complaints
4. Document findings with URLs and timestamps

Step 7: Cryptocurrency (if applicable)

1. Identify wallet addresses (from website, social media, customer reports)
2. Input into Etherscan/Blockchain.com
3. Export transaction history CSV
4. Flag exchanges, mixers, high-value transactions
5. Create timeline and flow diagram

Step 8: Document & Report

1. Create entity relationship diagram
2. Build timeline of key events
3. Compile evidence bundle (screenshots, CSVs, PDFs)
4. Hash all files (SHA-256)
5. Write summary with confidence levels for findings

8. Collection & Evidence Handling

For each source, log:

  • URL/database queried
  • Exact search terms used
  • Timestamp (UTC)
  • Results (screenshot + text export)
  • SHA-256 hash of saved files

File structure:

/Evidence/{case_id}/Financial/
├── corporate/
│   ├── 20251005_CompaniesHouse_SuspiciousCorp.pdf
│   └── 20251005_directors_list.csv
├── sanctions/
│   ├── 20251005_OFAC_search_JohnDoe.png
│   └── 20251005_EU_sanctions_results.txt
├── adverse_media/
│   └── 20251005_news_search_fraud.pdf
├── crypto/
│   ├── 20251005_wallet_0x123_transactions.csv
│   └── 20251005_etherscan_screenshot.png
└── diagrams/
    ├── entity_map.png
    └── payment_flow.png

Canonical legal framework: see Legal & Ethics. Do not re-derive jurisdiction, statute, or authorization rules here — read them from the canonical SOP and apply.

OPSEC for the investigator (separation of attribution, network egress, wallet/account hygiene): see OPSEC Plan. Crypto investigations leak more than IP — viewing a wallet on a logged-in exchange, transacting from an attribution-tied address, or pasting an address into an analytics service that resells data can each compromise the investigation.

Financial-intelligence-specific guardrails:

  • Never transact with crypto wallets or bank accounts under investigation. Even a 1-satoshi "test" can taint the cluster, alert the subject, and create legal exposure.
  • Do not access darknet markets or illicit platforms to "verify" a finding — open-source pivot only.
  • Bank account / IBAN lookups: retrieving account holder data without lawful authority is a criminal offence in most jurisdictions (e.g. UK Computer Misuse Act, US 18 U.S.C. §1030, EU GDPR Art. 6/9). Use only published / leaked / sanctions-listed identifiers; pivot to a regulated channel (MLRO, FIU SAR, mutual legal assistance) for non-public account intel.
  • Sanctions hits are time-stamped facts. Record both the activity timestamp and the sanctions-list state at that time (e.g. Tornado Cash addresses were SDN-listed 2022-08-08 → vacated 2024-11-26 → delisted 2025-03-21). Liability assessments hinge on the temporal alignment.
  • PII minimization (GDPR / UK DPA / CCPA): collect only what is necessary for the analytical purpose; document lawful basis (legitimate interest / legal claim / public-task) per query.
  • Mandatory reporting / Suspicious Activity Reports: if you are operating inside a regulated entity, route findings through the MLRO. Outside a regulated entity, route serious findings (sanctions evasion, terrorist financing, child exploitation funding) via the appropriate FIU (FinCEN, NCA, FIU-NL, etc.) — see Sensitive Crime Intake & Escalation.
  • Log every query (URL, search terms, UTC timestamp, hash of saved output) — see Collection Log for the canonical format.

10. Resources Quick Reference

Resource | Type | URL
OpenCorporates | Global company search | opencorporates.com
Companies House (UK) | UK registry | find-and-update.company-information.service.gov.uk
OpenOwnership | Beneficial ownership register | register.openownership.org
OCCRP Aleph | Investigative document graph | aleph.occrp.org
OFAC SDN Search | US sanctions | sanctionssearch.ofac.treas.gov
OFAC Sanctions List Service | US sanctions data feeds | sanctionslistservice.ofac.treas.gov [verify 2026-04-25]
EU Sanctions Map | EU sanctions | sanctionsmap.eu
EU Financial Sanctions DB | EU consolidated list | webgate.ec.europa.eu/fsd/fsf
UK Sanctions List | UK OFSI consolidated list | gov.uk/government/publications/financial-sanctions-consolidated-list-of-targets
UN Security Council Sanctions | UN consolidated list | un.org/securitycouncil/sanctions/information
OpenSanctions | Aggregated sanctions/PEP/crime data | opensanctions.org
ICIJ Offshore Leaks | Leaked offshore data | offshoreleaks.icij.org
Etherscan | Ethereum explorer | etherscan.io
Blockchair | Multi-chain explorer | blockchair.com
Mempool.space | Bitcoin mempool & explorer | mempool.space
Blockchain.com | Bitcoin explorer | blockchain.com/explorer
Chainabuse | Crypto scam database | chainabuse.com
Arkham Intelligence | On-chain entity labels | arkhamintelligence.com
Breadcrumbs | Free blockchain visualization | breadcrumbs.app
FATF | Standards & VASP guidance | fatf-gafi.org

11. Output Deliverables

1. Entity Relationship Diagram

  • Visual map showing UBOs → Companies → Subsidiaries → Assets
  • Use tools: draw.io, Maltego, or simple diagrams

2. Financial Flow Diagram

  • Source → Intermediaries → Destination
  • Label with amounts, dates, entities, confidence levels

3. Counterparty Table

  • Entity name | Role | Jurisdiction | Sanctions/PEP Status | Confidence | Source

4. Timeline

  • Chronological events: registrations, transactions, director changes, adverse events

5. Evidence Bundle

  • All screenshots, exports, search results
  • Hash manifest (SHA-256 for each file)
  • Chain of custody log

12. Common Pitfalls

  • ❌ Relying on single-source data (cross-verify across registries)
  • ❌ Missing historical changes (directors, addresses, ownership) — corporate registries surface "current state" by default
  • ❌ Not checking sanctions lists thoroughly (OFAC + EU + UK OFSI + UN at minimum; many SDN crypto entries are not present in non-US lists)
  • ❌ Stating sanctions status without a timestamp — Tornado Cash designation status changed three times between 2022 and 2025; report what was true at the time of activity
  • ❌ Assuming privacy = guilt (legitimate reasons for offshore structures exist)
  • ❌ Transacting or interacting with suspect wallets/accounts (taints clusters and may be a criminal offence)
  • ❌ Not documenting sources and timestamps (breaks chain of custody)
  • ❌ Overlooking adverse media in non-English sources
  • ❌ Treating commercial blockchain-analytics labels as ground truth — they are heuristic clusters, not court evidence; corroborate before publishing
  • ❌ Stopping at the first mixer / bridge hop instead of continuing on the receiving side
  • ❌ Pasting target addresses into free analytics services without checking whether they resell or log queries (operational leak)


Last Updated: 2026-04-27