OSINT Checklist For Company Investigations

Modern open-source intelligence techniques can reveal who controls companies, who finances them, and those who don't want anyone to know. PDF LINK

7 min readSep 26


One example of a company mentioned in the Paradise Papers Leak

Who earns the money? Who owns a business? Who’s responsible for crimes or dodgy business operations? Who signs off sanction-breaching deals? Who avoids paying taxes with opaque company constructs, costing the finance authorities gazillions? Well, who…?

These are often the central questions for journalists and financial crime investigators of our times. Sometimes the answers are plain obvious. Often they aren't. And that’s often intentional. Money launderers, corrupt positions and their connection with businessmen, it helps to play in secret. What we can do as online forensic investigators, we use the open, the deep and dark web, unindexed online registries and data leaks. That isn't new, but a tools and methods change constantly. New holes open, other close. This guide will offer you a checklist to run through when working on company investigations.

What are we looking for?

Law enforcement investigations often hunt for the “beneficial owner” — the person who reaps the benefits if there is an outright illegal or ethically questionable business. Over the past two decades, open-source intelligence has become increasingly useful for company investigations. Whether it's for law enforcement, journalism, commercial due diligence, or short selling.

In the latter, the self-serving company evaluation, one could argue, by U.S.-based Hindenburg on the Indian conglomerate Adani, citing evidence on “improper use of offshore tax havens and stock manipulation by the group”, was nothing else than a well executed intelligence analysis.

There is much to consider when chasing the data trail of companies. Data scraped from the open, the deep and or dark web can often draw connections that reveal illegal or questionable business.

Sometimes we have to dig deeper. Where once company information lay in the open, there is now less transparency. Shell companies in tropical island spots and protective rules on the information of founders’ businesses in some jurisdictions made it harder to understand who pulled the strings in a business.

Is there a “method to the madness” of researching business operations?

I think there is. You are here because you want to learn about it. You read “checklist” in the title. Here, you will get your checklist. As an OSINT investigator, I am a big fan of checklists. They allow you to handle large data, and prevent forgetting important steps.

The benefit of a checklist is that you can always jump items. But eventually, you can be certain, when you checked off all the boxes, you have done the job investigating a company, its business operations and its key people. You asked most of the relevant questions a journalist would venture to ask.

The second is visualization. I believe that is key. Visualizing is an important step in the research. Hence, it is perhaps unsurprising that also my checklist is coming in the form of a visualization. There are 17 steps at this point. The PDF you can found here: companyinvestigationsv1.tiiny.site

A universal checklist approach on OSINT company investigations (©BH)

A short note on visualization: As investigative journalists, it is often our job to untangle and unmask these individuals. That often means mapping, while uncovering their entire company network, stakeholders and shareholders. It's most often a mammoth task. But it can be rewarding, as examples such as Wirecard AG and Mossack Fonseca show. In 2016, Valdis Krebs, an analyst interested in money laundering, drew in his blog post some valid connections between companies and individuals across countries, found in the massive leak of the Panama Papers. It's only one in a million of other examples.

The Checklist (version 1)

Item 1: Get a quick and general overview of the company

With GoogleDork Website, Wikipedia, with a number of Bellingcat company search tools; Company Research OSINT Tool, the Corporate Wiki, and databases such as Brownbook and others, get a quick overview with what sort of entity you are dealing with.

Item 2: Firm Name/official registration

It depends a little bit on the jurisdiction and on the type of entity, but a quick check in what business register your company might be listed under, will provide access to databases that allow searching for your company. A list is provided here. Once you know the jurisdiction, you can from here go a long way deep into the rabbit hole of corporate open-source data. An industrial property register will provide you with details about a firm's trademarks, service marks, layout-designs of integrated circuits, commercial names, and patents. This could answer questions whether the company has affiliations with other entities.

2. Check the official registration details. Access details via transparency registers. If you know the region/country, check Gazettes, or industry. Check @OCCRP catalog for research databases. If a private company @opencorporates or national databases (SEC, NorthData, Drimble….

3. Companies and business owners own land: often a good lead to find names (sometimes the beneficial owners). Check #cadastre. Check for entries in databases s.a landportal/landmatrix or national registries. If it’s a mine, check DB on mining concessions…

4. Check for leaked data on the company and owner/managers: If you are suspecting a shell company, check OCCRP and @ICIJ Offshore leaks. If personal company data, search for ransomware leaks or country specific DBs (e.g for Russia). A list of my favourites included.

5. Company website: There is much to hunt for. Probably most noteworthy, check for connections to other entities (unfurl, or redirects); Domain registration (WHOIS data), and content (track changes with Webarchive), & archive data (s.a. video, old PR releases)…

6. Legal history/Court cases/allegation — has the entity or its founders smelled fishy in the past, e.g human rights breach allegation…? Check country/region, and perform in platform searches or e.g. #bankruptcies with names (https://neu.insolvenzbekanntmachungen.de/ap/suche.jsf)

7. Sanctioned or on a black list? That can be on an official (trading) sanction list, a blacklist for an industry (e.g for shipping) or on the web (website scams or crypto scam abuse databases)…

8. check Intellectual property of company/owner. Country -> IP databases, in platform search or Google Dork for Patent/tech/trademark…

9. and 10. deals with import/export trading data — has the company done suspicious deals with abroad clients? Trace containers if needed. Or If traded publicly, try tradint (trading OSIINT)

11. Identify traces of toxic lobbying of a company and its partners. There are various #lobbying registries I check, such as @ProPublica‘s, the one by the EU, Germany (latest added database)

12. Check on corruption — there is a broader approach checking in various money laundering DBs, incl. the “Troika Laundromat”, in Bird ind Bulgaria, and others, depending on what sort of jurisdiction the company is in…. In any case, worth signing up to https://aleph.occrp.org

13. Data on Environmental and social issues: check ESG data, Corp Resp. reports of companies and TCFD reports, or if the company purchased voluntary carbon credits from a questionable source…

14. Investment analysis: Can be done by #socint (does a company owner have a boat in the Canary Islands or the company has other investments that dont appear on paper, but on social media), has the company questionable investors (start up funding pages?)…

15. Worth checking if there has been already a “Public data request” on a specific company, with information already shared online. There are a few databases I check regularly, such as Muckrock (US database), Fragdenstaat (German) or advanced search on http://asktheeu.org, EU

16. Employees, they can be sources if things go wrong, eyewitnesses for crimes/bad behavior (sometimes via anonymous feedbacks by employees, s.a. http://Kununu.com), drawing networks (https://littlesis.org) or on Linkedin via “interests” of a person. But especially via domain and emails addresses, we end up finding sources within the company (http://Hunter.io, http://experte.com/email-finder, or this.

Link https://twitter.com/OSINT_Tactical/status/1677405835041841152

17. Visualize connections! Company networks can span pages. In the end, connect the most important dots. Owners with business operations -> crimes/breaches. Neo4J, Gephi, Spiderfoot results, Maltego, Miro — all can be useful in bringing it all together:

A short note on visualization: As investigative journalists, it is often our job to untangle and unmask the complex network these individuals concocted. That often means mapping them out, uncovering their entire company network, stakeholders, shareholders.

It’s most often a mammoth task. But it can be rewarding, as examples such as Wirecard AG and Mossack Fonseca show. In 2016, Valdis Krebs, an analyst interested in money laundering, drew in his blog post some valid connections between companies and individuals across countries, found in the massive leak of the Panama Papers. It’s only one in a million of other examples.




Investigative journalist with a technical edge, interested in open source investigations, satellite imgs, R, python, AI, data journalism and injustice