Financial Intelligence (FININT)
BLUF. Financial Intelligence (FININT) is the discipline that draws intelligence from financial flows — corporate registries, banking records, sanctions designations, beneficial-ownership disclosures, on-chain cryptocurrency transactions, leak corpora, and trade-data anomalies. Its distinctive strength is publicly mandated disclosure: regulatory regimes across most jurisdictions require entities to file ownership, transactional, or beneficial-interest data, and significant fractions of that data are accessible to open-source analysts. FININT’s analytic value is realised when financial artefacts are linked to specific operational questions — who funded this attack, who owns this oligarch’s asset, which proxy network channels Iranian money to Hamas — that other disciplines can only answer indirectly. Open-source FININT, anchored on the post-Panama-Papers ecosystem of investigative platforms and the radical transparency of public blockchains, has materially shifted the asymmetry between adversary financial opacity and analyst capability over the 2016–2026 decade.
Scope and Adjacent Disciplines
FININT in the intelligence sense is distinct from two adjacent functions with which it is often conflated:
- Law-enforcement financial investigation. LE work targets prosecutable financial crime (money laundering, fraud, tax evasion) and rests on subpoena and warrant access to bank records. FININT may consume LE outputs (indictments, asset seizures) but operates from disclosure-based and open-source data.
- Commercial AML / KYC compliance. Bank-internal compliance work that filters transactions against sanctions lists and SARs (Suspicious Activity Reports). FININT consumes the outputs of this ecosystem (notably FinCEN SAR disclosures via leak) but is analytically distinct.
FININT-as-intelligence asks operational and strategic questions: who controls this entity, where is the money flowing, what does the financial pattern reveal about intent, capability, and sponsorship.
Open-Source FININT — The Disclosure Ecosystem
| Source | Content | Coverage | Access |
|---|---|---|---|
| ICIJ Offshore Leaks Database | Panama Papers (2016), Paradise Papers (2017), Pandora Papers (2021), Cyprus Confidential (2023) | 800k+ offshore entities; beneficial owners; intermediaries | Free at offshoreleaks.icij.org |
| ICIJ FinCEN Files | 2,100 leaked SARs from FinCEN (2020) | $2T+ in flagged transactions, 1999–2017 | Free at icij.org/investigations |
| OFAC SDN List | US Treasury Specially Designated Nationals | Sanctioned individuals, entities, vessels, aircraft | Free at treasury.gov |
| UK OFSI Consolidated List | UK financial sanctions designations | UK-listed sanctioned persons and entities | Free at gov.uk |
| EU Sanctions Map | EU CFSP financial restrictive measures | EU-listed sanctioned persons and entities | Free at sanctionsmap.eu |
| Companies House (UK) | UK corporate registry with beneficial-ownership (“PSC”) data | All UK-incorporated companies; mandatory filings | Free at companieshouse.gov.uk |
| OpenCorporates | Aggregated corporate registry data | 200M+ companies across 140+ jurisdictions | Freemium |
| SEC EDGAR | US public-company filings | All SEC registrants; 10-K, 10-Q, 8-K, proxy, beneficial-ownership filings | Free at sec.gov |
| GLEIF LEI | Legal Entity Identifiers | 2M+ entities globally with standardised legal identifiers | Free at gleif.org |
| Orbis (Bureau van Dijk) | Commercial corporate data | 400M+ companies; deep beneficial-ownership chains | Paid (enterprise) |
Corporate Intelligence Methodology — Beneficial Ownership Tracing
The canonical FININT analytical procedure is the beneficial-ownership trace: starting from a named entity, resolving the chain of corporate ownership upward to the ultimate beneficial owner (UBO).
Seven-step procedure:
- Anchor entity identification. Confirm the target entity’s legal name, jurisdiction of incorporation, and registry number. Variant spellings and transliteration (Cyrillic, Arabic, Chinese) are frequent failure points.
- Direct shareholder enumeration. Pull current and historical shareholder filings from the registry of incorporation. Note share-class differences (voting vs. economic).
- Nominee identification. Flag corporate-services-firm nominees (TrustNet, Mossack Fonseca successor firms, Trident Trust, etc.), which conceal rather than identify UBOs.
- Jurisdiction pivot. For each corporate shareholder, repeat the procedure in that entity’s jurisdiction. Offshore jurisdictions (BVI, Cayman, Cyprus, Marshall Islands, Seychelles) routinely terminate the trace without UBO disclosure.
- Leak corpus cross-reference. Query ICIJ Offshore Leaks across every name in the chain — including nominees and intermediaries — for prior leaked beneficial-ownership data.
- Adjacent-evidence triangulation. Property records, vessel/aircraft registrations, court filings, media reporting, and sanctions designations frequently disclose UBOs that registry data conceals.
- Confidence-graded report. Produce a beneficial-ownership graph with per-edge confidence grading (high / medium / low / unknown) and explicit gap statements where the trace terminates without UBO resolution.
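Added example (not part of the original page): a minimal sketch of the final step, resolving a chain of shareholder filings into a confidence-graded result with explicit gap statements. The entity names, shares and grades are constructed sample data; multiplying shares along the chain and grading each path by its weakest edge are simplifying assumptions that ignore voting vs. economic share classes.

```python
from collections import defaultdict

RANK = {"unknown": 0, "low": 1, "medium": 2, "high": 3}

# Constructed sample filings: (owner, owned entity, share held, edge confidence).
EDGES = [
    ("HoldCo Ltd (CY)", "Target Ltd (UK)", 0.60, "high"),
    ("Nominee Services (BVI)", "Target Ltd (UK)", 0.40, "high"),
    ("Person A", "HoldCo Ltd (CY)", 0.75, "medium"),
    ("Loop Co (SC)", "HoldCo Ltd (CY)", 0.25, "low"),
    ("HoldCo Ltd (CY)", "Loop Co (SC)", 1.00, "low"),  # circular holding
]
PERSONS = {"Person A"}                 # natural persons, i.e. candidate UBOs
NOMINEES = {"Nominee Services (BVI)"}  # flagged in the nominee-identification step


def trace_ubo(target, edges, persons, nominees):
    """Return (ubos, gaps): resolved owners and explicit gap statements."""
    owners_of = defaultdict(list)
    for owner, owned, share, conf in edges:
        owners_of[owned].append((owner, share, conf))
    ubos, gaps = [], []

    def gap(entity, share, reason):
        gaps.append({"at": entity, "share": round(share, 4), "reason": reason})

    def walk(entity, share, conf, path):
        if entity in persons:
            ubos.append({"owner": entity, "share": round(share, 4),
                         "confidence": conf, "path": path})
        elif entity in nominees:
            gap(entity, share, "nominee shareholder")
        elif not owners_of[entity]:
            gap(entity, share, "no shareholder data")
        else:
            for owner, held, edge_conf in owners_of[entity]:
                if owner in path:  # do not loop forever on circular holdings
                    gap(owner, share * held, "circular ownership")
                    continue
                weakest = min(conf, edge_conf, key=RANK.get)
                walk(owner, share * held, weakest, path + [owner])

    walk(target, 1.0, "high", [target])
    return ubos, gaps
```

Resolved shares plus gap shares sum to 100% of the target, so the report states how much of the ownership remains unexplained.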
Case — Russian oligarch asset tracing post-2022. Following the Russian invasion of Ukraine and the resulting US/UK/EU sanctions cascade, investigative networks (OCCRP, Bellingcat, The Insider, ICIJ partners) produced beneficial-ownership traces on sanctioned oligarchs that tracked yachts, properties, and shell-company portfolios. The work demonstrated both the reach of the disclosure ecosystem and its limits: physical assets (yachts, properties, art) were traceable; financial assets routed through unsanctioned jurisdictions remained largely opaque. OCCRP’s Russian Asset Tracker, launched March 2022, aggregates this open-source attribution work. See Ukraine War.
Cryptocurrency FININT
Public blockchains invert the conventional financial-secrecy assumption: every transaction is permanently recorded, pseudonymous rather than anonymous, and globally readable without authorisation. This produces a FININT environment unprecedented in the discipline’s history.
Five-step on-chain analysis methodology:
- Address anchoring. Identify a wallet address tied to the target via leak, court filing, exchange KYC disclosure, public donation appeal, or pattern attribution.
- Transaction history extraction. Pull complete on-chain history for the address from a blockchain explorer (Etherscan, Blockchain.com, Mempool.space).
- Cluster expansion. Apply heuristics (common-input ownership, change-address detection, peeling chains) to expand from one address to the wallet cluster.
- Counterparty enrichment. Identify counterparties via known-address databases — exchange deposit/withdrawal clusters, sanctioned addresses (OFAC publishes blockchain addresses on SDN), known illicit-services addresses (mixers, darknet markets).
- Off-ramp identification. Trace funds to exchange deposits where KYC enables real-world identification, or to mixer/cross-chain bridge use, which signals laundering intent and triggers targeted sub-investigations.
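Added example (not part of the original page): cluster expansion by the common-input ownership heuristic, followed by counterparty enrichment and off-ramp identification. The transactions, addresses and labels are constructed sample data in a simplified UTXO (Bitcoin-style) model; the heuristic does not apply to account-based chains and gives false merges on collaborative transactions such as CoinJoin.

```python
# Constructed sample data: simplified UTXO-style transactions (not real addresses).
TXS = [
    {"txid": "tx1", "inputs": ["addrA", "addrB"], "outputs": ["addrX", "addrC"]},
    {"txid": "tx2", "inputs": ["addrB", "addrD"], "outputs": ["exch1"]},
    {"txid": "tx3", "inputs": ["addrE"], "outputs": ["addrA"]},
    {"txid": "tx4", "inputs": ["addrC"], "outputs": ["mixer1"]},
]
KNOWN = {"exch1": "exchange deposit", "mixer1": "mixer"}  # constructed labels


def build_clusters(txs):
    """Union-find over addresses; inputs of one transaction share an owner."""
    parent = {}

    def find(addr):
        parent.setdefault(addr, addr)
        while parent[addr] != addr:
            parent[addr] = parent[parent[addr]]  # path halving
            addr = parent[addr]
        return addr

    for tx in txs:
        ins = tx["inputs"]
        for addr in ins + tx["outputs"]:
            find(addr)                 # register every address seen
        for other in ins[1:]:          # empty for coinbase / single-input txs
            parent[find(other)] = find(ins[0])
    return find, parent


def cluster_of(anchor, txs):
    """All addresses linked to the anchor by common-input ownership."""
    find, parent = build_clusters(txs)
    root = find(anchor)
    return sorted(a for a in parent if find(a) == root)


def off_ramps(anchor, txs, known):
    """Labelled counterparties paid by any transaction the cluster funded."""
    find, _ = build_clusters(txs)
    root = find(anchor)
    hits = []
    for tx in txs:
        if any(find(a) == root for a in tx["inputs"]):
            hits += [(tx["txid"], out, known[out])
                     for out in tx["outputs"] if out in known]
    return hits
```

In the sample, `addrC` is an output of `tx1` that later pays a mixer, but common-input ownership alone does not link it to the anchor's cluster; that link needs the change-address detection named in the cluster-expansion step.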
Blockchain analytics platforms:
- Chainalysis — dominant commercial platform; primary supplier to US Treasury and Five Eyes governments
- TRM Labs — second-tier commercial; growing market share in private sector
- Elliptic — UK-headquartered commercial; strong on cross-chain analytics
- Breadcrumbs — independent platform; lower-cost tier
Case — Hamas cryptocurrency fundraising (2019–2023). The Izz al-Din al-Qassam Brigades operated a public donation appeal on Telegram and a campaign website, advertising Bitcoin (later expanded to Tether/USDT on Tron) addresses for direct donations. Open-source on-chain tracing — corroborated by US DOJ seizure actions — mapped donor flows, exchange off-ramps, and consolidator-address patterns. US DOJ seizures against Hamas crypto addresses in August 2020, August 2021, and following the October 2023 attacks demonstrated the reach of FININT-driven sanctions enforcement against non-state armed groups.
Case — DPRK Lazarus Group (2022–2026). The Lazarus Group (DPRK Reconnaissance General Bureau cyber elements) has executed multi-hundred-million-dollar cryptocurrency thefts — Ronin Bridge ($625M, March 2022), Harmony Horizon ($100M, June 2022), Atomic Wallet ($100M, June 2023), and Stake.com ($41M, September 2023). Chainalysis attribution traced the proceeds through Tornado Cash (subsequently OFAC-sanctioned August 2022), Sinbad mixer (sanctioned November 2023), and a rotating set of cross-chain bridges. DPRK crypto theft has become a primary regime hard-currency source under sanctions pressure.
Gap — privacy coins. Monero (XMR) is cryptographically opaque to on-chain analysis; ring signatures, stealth addresses, and confidential transactions defeat the heuristics that work on Bitcoin and Ethereum. Zcash shielded transactions present similar properties when used. Adversary migration to privacy coins is the principal degradation pathway for crypto FININT capability.
Sanctions Intelligence
OFAC SDN designations function as declassified intelligence endpoints: a name appearing on the SDN list is the result of an internal Treasury Office of Intelligence and Analysis (OIA) finding, supported by classified collection. FININT analysts use SDN designations both as direct inputs (sanctioned entities flagged in transactional data) and as inference inputs (the act of designation implies underlying intelligence).
Secondary sanctions analysis. Secondary sanctions (Iran, North Korea, Russia) penalise third-country entities for dealing with primary-sanctioned persons. Tracing which third-country entities risk secondary exposure reveals the proxy-network architecture sanctioning authorities seek to disrupt.
SWIFT exclusion tracking. Following the Russian sanctions cascade of 2022, SWIFT messaging-network exclusions and the corresponding migration to alternative settlement (SPFS, CIPS, bilateral correspondent banking) became a tracked indicator of regime adaptation. Bank-by-bank exclusion lists are public; substitution patterns must be inferred from trade-data anomalies and correspondent-banking disclosures.
Asset-freeze evasion patterns. Common evasion pathways include nominee restructuring (transfer to non-sanctioned family members), shell-company replacement on a faster cadence than sanctioning authorities can list, jurisdiction migration to non-cooperating states, physical-asset relocation (yacht repositioning to non-cooperating ports), and barter/non-currency settlement.
FININT and Proxy Warfare
State proxy networks rely on financial architectures that are simultaneously their operational backbone and their FININT vulnerability.
Iranian proxy financial architecture. IRGC Quds Force funding to Hezbollah, Hamas, Iraqi Shi’a militias, and the Houthis routes through a combination of:
- Direct cash transfers via couriers (low FININT visibility)
- Hawala networks across the Gulf and Levant (medium FININT visibility)
- Cryptocurrency (rising; subject to on-chain attribution where exchanges are involved)
- Trade-based money laundering, particularly through Iranian oil sales to Syria and Lebanon (high FININT visibility via tanker AIS data)
- Front-company networks across the UAE, Turkey, and Lebanon (medium-high FININT visibility via corporate-registry analysis)
US Treasury OFAC designations against named Iranian and proxy financial facilitators provide the principal public corpus of attribution work; the underlying intelligence is classified, but the designations themselves are open-source FININT inputs.
OCCRP Russian Asset Tracker. The Organized Crime and Corruption Reporting Project (OCCRP) tracker, launched March 2022, aggregates open-source beneficial-ownership work on sanctioned Russian persons and is the canonical example of crowdsourced, investigative-journalism-led FININT operating in near real time.
Key Connections
- OSINT — parent discipline
- Open-Source Intelligence Manual — operational doctrine
- OSINT Toolkit Essentials — tooling
- Source Verification Framework — evidence-quality discipline
- Social Media Intelligence — sibling discipline
- Cyber Threat Intelligence — sibling discipline (DPRK crypto theft, ransomware payments)
- Covert Action — financial-channel context for state covert support
- Hybrid Warfare — strategic frame for proxy financial architectures
- Attribution — beneficial-ownership tracing as attribution
- Intelligence Cycle — workflow context
- Ukraine War — sanctions and asset-tracing theatre
- USAID — related tracking of public-finance flows
Sources
- US Treasury OFAC SDN List, treasury.gov — High confidence
- ICIJ, Offshore Leaks Database (Panama, Paradise, Pandora, Cyprus Confidential), icij.org — High confidence
- Chainalysis, 2023 Crypto Crime Report — Medium confidence (vendor-aligned but methodologically transparent)
- ICIJ / BuzzFeed News, FinCEN Files (September 2020) — High confidence
- European Union, Anti-Money Laundering Directives (AMLD4 2015, AMLD5 2018, AMLD6 2018) — High confidence (primary source)
- US Department of Justice, Hamas cryptocurrency seizure actions (August 2020, August 2021, post-October 2023) — High confidence
- CISA / FinCEN Joint Advisory on DPRK Cryptocurrency Theft (2023) — High confidence
- OCCRP, Russian Asset Tracker, occrp.org/russian-asset-tracker — High confidence
- Bellingcat, The Insider, and partner investigations on Russian oligarch asset tracing (2022–2026) — High confidence