Corporate OSINT and Due Diligence

1. BLUF

Fact. Corporate OSINT is the application of open-source intelligence methodology to entities — companies, beneficial owners, counterparties, and supply chains — for the purpose of risk assessment, regulatory compliance, investment due diligence, or investigative journalism. The field sits at the intersection of financial intelligence (Financial Intelligence), KYC/AML regulatory frameworks, and traditional OSINT tradecraft.

Assessment. The core challenge is that sophisticated actors — kleptocrats, sanctioned entities, organized crime, and tax-evading high-net-worth individuals — deliberately obscure beneficial ownership through layered corporate structures spanning multiple jurisdictions. Open-source investigation is the primary tool available to non-state investigators (journalists, compliance officers, civil society) for cutting through that opacity. The Panama Papers (2016), Paradise Papers (2017), Pandora Papers (2021), and FinCEN Files (2020) collectively demonstrated that OSINT-driven investigation, when combined with leaked primary documents, can reconstruct ownership structures that formal regulatory channels failed to penetrate for decades.

Gap. Corporate registries remain heterogeneous globally. Approximately 40% of jurisdictions still lack a public beneficial ownership register as of 2026; FATF compliance is incomplete in roughly half of evaluated jurisdictions; offshore secrecy jurisdictions continue to operate viable opacity products despite international pressure.


2. The Due Diligence Spectrum

Due diligence operates on a tiered escalation model driven by Financial Action Task Force (FATF) standards and national AML/CFT regulations.

2.1 Standard Due Diligence (SDD)

Fact. Routine KYC — identity verification, sanctions screening against major lists, basic corporate registration check. Required for all customers under FATF Recommendation 10. Typically automated via vendor tools (LexisNexis Bridger, Refinitiv World-Check, ComplyAdvantage).

2.2 Enhanced Due Diligence (EDD)

Fact. Triggered by high-risk indicators — PEP status, high-risk jurisdiction, complex ownership, prior regulatory action. Requires deeper source investigation, including documented source of wealth and source of funds verification.

2.3 OSINT-Intensive EDD

Assessment. Investigative-grade research — beneficial ownership reconstruction, adverse media deep dive, litigation history mapping, political exposure analysis, network mapping. Applies to significant transactions, M&A targets, major counterparty relationships, sovereign wealth deals, and politically sensitive jurisdictions. Typically requires a dedicated analyst, 20–80 hours per subject, and use of both open and commercial data sources.

2.4 Trigger Points for Escalation

  • Politically Exposed Person (PEP) designation — domestic or foreign
  • Incorporation in FATF gray/blacklist jurisdiction
  • Beneficial owner in sanctioned jurisdiction (Russia, Iran, DPRK, Syria, Cuba, Venezuela sectoral)
  • Adverse media flags from credible sources
  • Unusual transaction structure (round-tripping, layering indicators)
  • Requests for non-standard payment arrangements (crypto, cash equivalents, third-party payers)
  • Rapid corporate restructuring preceding the transaction
  • Beneficial owners related to or co-located with known sanctioned individuals

3. Corporate Registry Research

The first step in any corporate OSINT investigation is the formal registry. Fact. Every jurisdiction maintains its own register; coverage, public access, and data quality vary enormously.

3.1 Primary Sources by Jurisdiction

Jurisdiction | Registry                      | URL                  | Notes
UK           | Companies House               | companies.gov.uk     | Free; includes PSC register (beneficial owners)
US (federal) | SEC EDGAR                     | sec.gov/edgar        | Public companies; 10-K, 10-Q, 8-K filings
US (state)   | State SOS portals             | varies               | LLC/Corp registrations; Delaware especially significant
EU           | e-Justice Portal              | e-justice.europa.eu  | Links to member-state registries
Panama       | Registro Público              | panamaregistry.com   | Used in Pandora Papers investigations
Cayman       | CIMA                          | cima.ky              | Investment funds, SPVs
BVI          | Financial Services Commission | bvifsc.vg            | Offshore holding structures
Singapore    | ACRA BizFile                  | bizfile.gov.sg       | Paid access; comprehensive
Hong Kong    | Companies Registry            | cr.gov.hk            | Paid per document
UAE          | DIFC / ADGM                   | difc.ae / adgm.com   | Free-zone registries; opaque outside zones

3.2 What to Look For

  • Registered address: is it a “brass plate” registered agent address (common in Delaware, BVI, Cayman)? An address shared by thousands of shell companies is itself a red flag.
  • Directors and shareholders: who appears, when were they added/removed? Cross-reference directors across multiple companies to detect nominee patterns.
  • Filing history: annual return gaps, dormancy periods, sudden activity preceding the transaction under review.
  • Person with Significant Control (UK PSC): the UK’s beneficial ownership disclosure requirement — the UK was the first major jurisdiction to mandate a public registry (2016). Assessment. Despite documented data-quality issues (Global Witness identified thousands of obviously false PSC entries), the PSC register remains the single most useful public BO source.

3.3 Key Aggregator: OpenCorporates

Fact. OpenCorporates aggregates 200+ corporate registries globally; free search, API for bulk research, Reconcile API for OpenRefine integration. The primary global aggregator for corporate registry data outside commercial vendors.


4. Beneficial Ownership Tracing

Fact. The core challenge: sophisticated actors use layers of corporate structures across multiple jurisdictions to obscure the natural person who ultimately owns or controls an entity. FATF defines an Ultimate Beneficial Owner (UBO) as a natural person who ultimately owns or controls (directly or indirectly) >25% of an entity, or who otherwise exercises effective control. For the general cross-source identity disambiguation methodology applicable across person and entity types, see Entity Resolution Methodology.

4.1 Common Opacity Structures

  • Nominee directors: directors who act on instructions but are not the real controller; common in BVI, Seychelles, Belize
  • Bearer shares: physical share certificates; now banned or immobilized in most FATF jurisdictions but legacy structures persist
  • Offshore holding chains: BVI → Panama → Delaware → operating entity; each layer obscures the upstream owner
  • Trust structures: settlor, trustee, beneficiary; beneficiary may not appear in any corporate registry; common-law trust opacity remains a major UBO gap
  • Charitable or foundation structures: Liechtenstein Anstalt, Panamanian Fundación de Interés Privado used as wealth-holding vehicles
  • Civil-law fiducia equivalents: legal arrangements outside common-law trust frameworks that produce similar opacity (Liechtenstein, Curaçao, Andorra)

4.2 OSINT Technique — Structure Reconstruction

  1. Start at the operating entity (the counterparty)
  2. Trace upward through ownership layers using corporate registries
  3. Identify UBOs per FATF definition (>25% ownership or effective control)
  4. Corroborate with sanctions databases, adverse media, PEP databases
  5. Map the complete structure as a network graph (see Network Analysis Methodology and Link Analysis; tools include Maltego and NetworkX)
  6. Re-run the trace after a 90-day interval — structures change, and a refresh often reveals churn that itself signals risk
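Steps 2–3 above as an added worked example (not code from the original page): look-through ownership is multiplied down each holding chain and summed across chains, then tested against the FATF >25% threshold. The entity names, percentages and the NATURAL_PERSONS set are constructed sample data; unresolved holders and circular holdings are reported rather than silently dropped.

```python
from collections import defaultdict

# Constructed sample chain (not a real structure): the operating entity in
# Delaware is held through a Panamanian foundation and a BVI company.
HOLDERS = {  # entity: {holder: fraction of the entity held}
    "OpCo Delaware": {"DelHold LLC": 0.70, "Minority Fund": 0.30},
    "DelHold LLC":   {"Panama Found": 1.00},
    "Panama Found":  {"BVI Ltd": 0.60, "Person C": 0.40},
    "BVI Ltd":       {"Person A": 0.50, "Person B": 0.50},
}
NATURAL_PERSONS = {"Person A", "Person B", "Person C"}

def effective_ownership(entity, holders, persons=NATURAL_PERSONS, path=()):
    """Map each natural person to their look-through share of `entity`.

    Shares multiply down each chain and add up across chains. Holders that
    are neither natural persons nor resolvable entities are reported as
    '<unresolved: ...>' so the gap stays visible (Section 9.1); an entity
    that already appears on the current path is reported as circular.
    """
    result = defaultdict(float)
    if entity in path:
        result["<circular: %s>" % entity] += 1.0
        return dict(result)
    for owner, frac in holders.get(entity, {}).items():
        if owner in persons:
            result[owner] += frac
        elif owner in holders:
            sub = effective_ownership(owner, holders, persons, path + (entity,))
            for who, share in sub.items():
                result[who] += frac * share
        else:
            result["<unresolved: %s>" % owner] += frac
    return dict(result)

def identify_ubos(entity, holders, persons=NATURAL_PERSONS, threshold=0.25):
    """Natural persons above the FATF >25% look-through ownership threshold."""
    eff = effective_ownership(entity, holders, persons)
    return sorted(p for p, f in eff.items() if p in persons and f > threshold)

if __name__ == "__main__":
    for who, share in sorted(effective_ownership("OpCo Delaware", HOLDERS).items()):
        print(f"{who:28s}{share:7.1%}")
    # Person C is the only UBO by ownership; A and B sit at 21% each but
    # jointly control BVI Ltd, which the effective-control limb must catch.
    print("UBOs:", identify_ubos("OpCo Delaware", HOLDERS))
```

Ownership percentages alone miss joint control and nominee arrangements, so the effective-control limb of the FATF definition still needs analyst judgement on top of this arithmetic.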

4.3 Leaked Database Resources

  • ICIJ Offshore Leaks Database (Pandora Papers, Panama Papers, Bahamas Leaks, Offshore Leaks combined) — 2.9M entities; free search at offshoreleaks.icij.org
  • FinCEN Files (ICIJ, 2020) — suspicious activity reports from US banks; coverage of laundering patterns
  • Luanda Leaks (ICIJ, 2020) — Isabel dos Santos / Angolan elite wealth; demonstrated state-capture mechanics
  • Suisse Secrets (OCCRP, 2022) — Credit Suisse client data
  • OpenLux (Le Monde / OCCRP, 2021) — Luxembourg corporate registry mass-scrape

Assessment. Leaked databases are powerful but carry verification requirements — data may be outdated (most leaks are point-in-time snapshots), contain errors, or represent incomplete pictures (e.g., one law firm’s client base does not equal the offshore world). Corroborate leaked data with primary registry sources and current open data before publication or report inclusion.


5. Sanctions and PEP Screening

5.1 Primary Sanctions Databases

  • OFAC SDN List (US): ofac.treas.gov — most impactful; US dollar clearing means global exposure for any USD-denominated transaction
  • EU Consolidated Financial Sanctions List: data.europa.eu
  • UN Security Council Consolidated List: scsanctions.un.org
  • UK OFSI List: gov.uk/government/publications/financial-sanctions-consolidated-list-of-targets
  • HM Treasury Sanctions List
  • OFAC 50% Rule: entities owned 50%+ by SDN-listed persons are automatically sanctioned even if not separately listed — major OSINT investigation trigger. For the strategic architecture of financial statecraft underlying these lists, see Financial Warfare and Sanctions Architecture.
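The 50% Rule as an added worked example (not code from the page or from OFAC): blocked ownership is aggregated across all blocked persons, and an entity that crosses the threshold is itself blocked, so its downstream holdings count in full on the next pass. The holdings table and the "SDN-1"/"SDN-2" labels are constructed sample data, not real designations.

```python
# Constructed sample holdings (not real entities): entity -> {holder: fraction}.
HOLDINGS = {
    "Alpha Trading":  {"SDN-1": 0.50, "Unlisted P": 0.50},
    "Beta Shipping":  {"SDN-1": 0.25, "SDN-2": 0.25, "Unlisted Q": 0.50},
    "Gamma Holdings": {"Alpha Trading": 0.25, "Beta Shipping": 0.25, "Unlisted R": 0.50},
    "Delta Mining":   {"SDN-2": 0.25, "Unlisted S": 0.75},
    "Epsilon Ltd":    {"Delta Mining": 0.50, "Unlisted T": 0.50},
}
LISTED = {"SDN-1", "SDN-2"}  # placeholders for persons on the SDN List

def fifty_percent_rule(holdings, listed, threshold=0.50):
    """Return {entity: aggregate blocked ownership} for entities deemed blocked.

    Runs to a fixed point: Gamma can only be decided once Alpha and Beta
    have themselves been evaluated, because a blocked entity's holdings
    count in full regardless of how much of it the listed person owns.
    """
    blocked = set(listed)
    reasons = {}
    changed = True
    while changed:
        changed = False
        for entity, holders in holdings.items():
            if entity in blocked:
                continue
            share = sum(f for h, f in holders.items() if h in blocked)
            if share >= threshold:
                blocked.add(entity)
                reasons[entity] = round(share, 4)
                changed = True
    return reasons

def near_miss(holdings, listed, low=0.25, high=0.50):
    """Entities below the threshold but with material blocked ownership; a
    later designation or share transfer could tip them over, so re-screen."""
    blocked = set(listed) | set(fifty_percent_rule(holdings, listed))
    out = {}
    for entity, holders in holdings.items():
        if entity in blocked:
            continue
        share = sum(f for h, f in holders.items() if h in blocked)
        if low <= share < high:
            out[entity] = round(share, 4)
    return out

if __name__ == "__main__":
    print("blocked:", fifty_percent_rule(HOLDINGS, LISTED))
    print("watch:  ", near_miss(HOLDINGS, LISTED))
```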

5.2 PEP Databases

  • OpenSanctions (open-source): opensanctions.org — aggregates 30+ sanctions and PEP lists; free API; full data dumps available; primary tool for non-budget compliance teams
  • World-Check (Refinitiv / LSEG): commercial; broadest commercial PEP coverage
  • Dow Jones Risk & Compliance: commercial; strong adverse media integration
  • LexisNexis WorldCompliance: commercial; deep historical archive

Assessment. Commercial PEP databases remain more comprehensive than open alternatives but cost $20K–$100K+ annually. OpenSanctions provides a viable open-source alternative for most use cases and has rapidly closed the coverage gap since 2022.

5.3 Fuzzy Matching Challenge

Fact. Names in non-Latin scripts transliterate differently (Cyrillic/Arabic/Chinese names have multiple valid romanizations: Mohammed/Muhammad/Mohamed; Kadyrov/Qadyrov; Xi/Hsi). Use multiple name variants and phonetic matching. Tools: Levenshtein distance matching in Python (fuzzywuzzy, rapidfuzz); Soundex; Double Metaphone; Jaro-Winkler.
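Transliteration-tolerant screening as an added example (not code from the page): names are normalised (casefold, diacritics stripped, punctuation removed) and compared with a pure-Python Jaro-Winkler, which rewards shared prefixes and so handles spelling variants like Mohammed/Muhammad better than exact or Levenshtein matching. The WATCHLIST entries and the 0.85 threshold are constructed assumptions for illustration.

```python
import unicodedata

# Constructed sample watchlist; these are not real list entries.
WATCHLIST = ["Muhammad al Rashid", "Ramzan Qadyrov", "Jane Smith"]

def normalize(name):
    """Casefold, strip diacritics, and replace punctuation with spaces."""
    nfkd = unicodedata.normalize("NFKD", name)
    plain = "".join(c for c in nfkd if not unicodedata.combining(c)).casefold()
    return " ".join("".join(c if c.isalnum() else " " for c in plain).split())

def jaro(s, t):
    """Jaro similarity: matches within a window, half the transpositions."""
    if s == t:
        return 1.0
    if not s or not t:
        return 0.0
    window = max(0, max(len(s), len(t)) // 2 - 1)
    s_hit, t_hit, matches = [False] * len(s), [False] * len(t), 0
    for i, c in enumerate(s):
        for j in range(max(0, i - window), min(len(t), i + window + 1)):
            if not t_hit[j] and t[j] == c:
                s_hit[i] = t_hit[j] = True
                matches += 1
                break
    if not matches:
        return 0.0
    s_seq = [c for c, h in zip(s, s_hit) if h]
    t_seq = [c for c, h in zip(t, t_hit) if h]
    transp = sum(a != b for a, b in zip(s_seq, t_seq)) // 2
    m = matches
    return (m / len(s) + m / len(t) + (m - transp) / m) / 3

def jaro_winkler(s, t, scale=0.1, max_prefix=4):
    """Jaro plus a bonus for a shared prefix (romanisations usually agree there)."""
    j = jaro(s, t)
    prefix = 0
    for a, b in zip(s[:max_prefix], t[:max_prefix]):
        if a != b:
            break
        prefix += 1
    return j + prefix * scale * (1 - j)

def screen(name, watchlist=WATCHLIST, threshold=0.85):
    """Return (entry, score) for watchlist entries scoring >= threshold, best first."""
    q = normalize(name)
    hits = [(e, round(jaro_winkler(q, normalize(e)), 3)) for e in watchlist]
    return sorted((h for h in hits if h[1] >= threshold), key=lambda h: -h[1])
```

Tune the threshold against known true and false pairs from your own list; a single cutoff trades missed PEPs against review workload, and every hit still needs date-of-birth or nationality corroboration before escalation.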

5.4 Family and Associate Screening

Fact. FATF Recommendation 12 requires screening “family members and close associates” of PEPs. This requires OSINT investigation beyond name-list matching — social network analysis of the PEP’s documented relationships (spouses, children, business partners, advisors, named proxies in leaked documents). Commercial databases capture only a fraction of this; investigative OSINT fills the gap.


6. Adverse Media and Reputational Research

6.1 Source Categories

  • Litigation history: court records (PACER US, CourtListener, BAILII UK, jurisdiction-specific portals), judgment databases, insolvency proceedings
  • Regulatory actions: SEC enforcement, FCA enforcement, banking regulators (Federal Reserve, OCC, BaFin, FINMA, MAS, HKMA)
  • Investigative journalism: OCCRP, ICIJ, ProPublica, Bloomberg Businessweek, Financial Times, Reuters Investigates, Der Spiegel, Le Monde
  • Social media: executive conduct, labor disputes, public statements, geolocation evidence
  • Industry blacklists: World Bank Listing of Ineligible Firms, ADB, EBRD, AfDB cross-debarment lists

6.2 Search Methodology

  1. Full name + “fraud” OR “corruption” OR “sanction” OR “money laundering” OR “indictment”
  2. Company name + “regulatory” OR “enforcement” OR “fine” OR “penalty” OR “consent decree”
  3. Run in multiple languages (target’s home language + English; for non-English principals always include native-language press)
  4. Search in Factiva, LexisNexis, ProQuest for premium media archives
  5. Time-bound searches: recent (12 months) + historical (5 years) + lifetime for major adverse findings
  6. Reverse-image search executive photos to detect identity fraud or sock-puppet personas

6.3 Red Flags

  • Unexplained wealth relative to known income (private aircraft, real estate disproportionate to declared assets)
  • Regulatory action in one jurisdiction with subsequent business migration (“jurisdictional arbitrage” of regulatory history)
  • Corporate structure changed rapidly following regulatory inquiry
  • Directors appearing in multiple failed or liquidated companies (serial nominee or phoenix patterns)
  • Associations with known sanctioned individuals — even tangentially via social media
  • Auditor turnover or downgrade to a less reputable firm
  • Bank relationship changes from tier-1 to high-risk correspondent banking jurisdictions

7. Supply Chain Intelligence

Fact. Supply chain OSINT is increasingly required for:

  • ESG compliance — forced labor, human rights in supply chain — German Supply Chain Act (LkSG, 2023), EU CSDDD (2024), US UFLPA (2022)
  • Dual-use export control — technology diversion to sanctioned/embargoed destinations
  • Anti-corruption compliance — high-risk jurisdiction sourcing under FCPA, UK Bribery Act

7.1 Methods

  • Import/export databases: ImportYeti (free), Panjiva (acquired by S&P Global), Import Genius — US Customs manifest data; provides shipper/consignee/HS code/port pairs
  • Bill of lading analysis: identify shipping routes, consignees, shipper relationships; detect transshipment through sanction-evasion hubs
  • Port state control inspection records: Paris MoU, Tokyo MoU — vessel detentions for flag state violations; predictive of shadow fleet activity
  • Corporate registry tracing for suppliers in high-risk jurisdictions (see Section 3)
  • Satellite imagery of production facilities (labor camp structures, forced labor indicators); see OSINT for Human Rights and OSINT for Legal Proceedings

7.2 Case: Uyghur Forced Labor Prevention Act (UFLPA, US 2022)

  • Fact. Rebuttable presumption that goods from Xinjiang involve forced labor
  • Importers must trace supply chains to exclude Xinjiang-origin materials at all tiers
  • Satellite imagery (ASPI’s Xinjiang Data Project) and shipping manifest data (BuzzFeed/NYT Xinjiang investigations 2020–2022) provide the OSINT backbone for compliance evidence
  • Assessment. UFLPA shifted the burden of proof onto importers — corporate OSINT became a compliance necessity, not a discretionary investigation

7.3 Case: Russia Sanctions and Component Diversion

Assessment. Post-February 2022, OSINT investigators (RUSI, KSE Institute, ICIJ partners) used customs manifest data to trace Western semiconductors arriving in Russian military equipment via Turkey, UAE, Kazakhstan, and Armenia. ImportYeti-class data combined with battlefield component teardowns (Conflict Armament Research) provides actionable supply-chain leakage evidence.


8. Digital Footprint and Cyber OSINT

8.1 Domain and Infrastructure

  • WHOIS registration history: DomainTools, SecurityTrails — reveals registrant changes, redaction patterns, and registrant emails reused across malicious infrastructure
  • SSL certificate transparency logs: crt.sh — reveals all subdomains ever registered, including those not publicly linked
  • Shodan/Censys: exposed services, infrastructure fingerprinting; see Shodan-Censys Guide
  • BuiltWith, Wappalyzer: technology stack of company websites; track infrastructure migrations
  • Passive DNS: PassiveTotal, DNSDB — historical resolution data for infrastructure attribution

8.2 Email and Identity

  • Hunter.io, Voila Norbert: corporate email pattern discovery
  • HaveIBeenPwned, DeHashed, IntelligenceX: check corporate domains for data breach exposure
  • LinkedIn: corporate structure, employee network, organizational changes; LinkedIn departures often precede public regulatory announcements

8.3 Social Media and Executive Behavior

  • Executive LinkedIn/Twitter/Facebook: personal associations, political affiliations, geographic presence; cross-reference declared travel against sanctioned jurisdictions
  • Glassdoor, Blind, Indeed reviews: internal culture, management concerns; sometimes whistleblower-adjacent information surfaces in employee reviews
  • Instagram, TikTok: geolocation evidence — luxury assets, undeclared travel — useful for unexplained wealth investigations

9. Output and Reporting Standards

Fact. Corporate due diligence reports must meet evidentiary standards that may later be tested by regulators, courts, or transactional counterparties.

9.1 Required Report Components

  • Source log: every source used, with URL, access date, archive snapshot (Wayback / Archive.today), and confidence rating (apply Source Verification Framework evaluation standards for source-quality assessment)
  • Uncertainty flags: explicit identification of where corporate structure remains opaque after investigation — never paper over gaps with assumption
  • Recommendation tier: Low / Medium / High / Unacceptable risk with specific finding basis tied to numbered sources
  • Legal caveats: clear separation of investigative findings (“our research identified X”) vs. legal conclusions (“this constitutes a violation of Y”) — investigation informs; legal counsel concludes
  • Retention policy: GDPR-compliant data retention periods for personal data collected; see OSINT Ethics and OSINT Legal Framework
  • Methodology section: describe what was searched, what was not, and why — defensible reproducibility

9.2 Confidence Rating Convention

Adopt a three-tier confidence framework consistent with intelligence community standards (see Attribution and Intelligence Confidence Levels):

  • High confidence: multiple independent primary sources corroborate
  • Moderate confidence: single primary source or multiple correlating secondary sources
  • Low confidence: single secondary source, leaked data unverified, or significant analytical inference

10. Sources

  • Financial Action Task Force (FATF) — International Standards on Combating Money Laundering (Recommendations) — High
  • FATF — Guidance on Beneficial Ownership for Legal Persons (2023) — High
  • FATF — Who Cares Who Owns It? Transparency of Beneficial Ownership — High
  • ICIJ Offshore Leaks Database documentation (offshoreleaks.icij.org) — High
  • OpenSanctions documentation (opensanctions.org) — High
  • OpenCorporates documentation (opencorporates.com) — High
  • US Department of Treasury, OFAC FAQs and 50% Rule guidance — High
  • Global Witness — Companies We Keep and PSC register analysis — High
  • Ryle, Gerard et al. — Panama Papers / Pandora Papers investigative archive (ICIJ) — High
  • Burgis, Tom — Kleptopia: How Dirty Money is Conquering the World (2020) — High
  • McCrum, Dan — Money Men: A Hot Startup, a Billion Dollar Fraud, a Fight for the Truth (Wirecard) — Medium
  • Bullough, Oliver — Butler to the World (2022) — Medium
  • RUSI / KSE Institute — Russia sanctions evasion supply chain studies (2022–2025) — High
  • ASPI Xinjiang Data Project — High

Cross-References