GI Consulting

Digital Intelligence & OSINT

Case Study: Business Email Compromise Investigation

Tracking International Fraud Ring Through Digital Breadcrumbs


Executive Summary

Challenge: A regional healthcare company lost $430K to a business email compromise (BEC) scam. The CFO received a spoofed email from the "CEO" requesting an urgent wire transfer. The company's attorney needed to identify the perpetrators for a criminal referral and civil recovery action.

Solution: An OSINT investigation combining email forensics, cryptocurrency tracing, social media profiling, and international network analysis to identify the fraud ring members and asset recovery opportunities.

Results: Identified 3 perpetrators across 2 countries, traced $180K in recoverable funds, and provided an evidence package that led to an FBI investigation and an Interpol notice. The client recovered $165K through frozen accounts.

Timeline: 10 days from engagement to criminal referral package


Background

Client Situation

  • Client: Regional healthcare provider (4 locations, 300 employees)
  • Loss Amount: $430,000 USD
  • Method: Business email compromise (spoofed CEO email)
  • Transaction: Wire transfer to "vendor" account (actually fraud ring)
  • Discovery: 5 days after transfer (vendor called asking about real invoice)

Fraud Mechanics

  1. Reconnaissance: Attackers researched company via LinkedIn, website, public filings
  2. Email Spoof: Created ceo@healthcarec0mpany.com (zero instead of O)
  3. Urgency: "Confidential acquisition - wire funds immediately to escrow"
  4. Social Engineering: Timing during CEO's known travel (found via LinkedIn posts)
  5. Verification Bypass: CFO emailed "CEO" for confirmation (went to spoofed address)

Attorney Engagement

  • Criminal Referral: Need evidence package for FBI/Secret Service
  • Civil Action: Identify perpetrators and recoverable assets
  • Bank Fraud Claims: Documentation for wire recall and insurance claim
  • Timeline: Funds moving fast - need to identify destination accounts within 7-10 days

Investigation Approach

Phase 1: Email Forensics & Infrastructure Analysis (Days 1-2)

Objective: Analyze fraud email headers, domain registration, and email infrastructure

Methods:

  • Email header extraction and IP analysis
  • Domain WHOIS lookup and registration history
  • Mail server identification and SPF/DKIM analysis
  • Typosquatting domain enumeration

Findings:

Fraudulent Domain Analysis:

  • Domain: healthcarec0mpany.com (zero instead of O - classic typosquat)
  • Registration Date: 18 days before fraud attempt
  • Registrar: Namecheap (privacy protection enabled)
  • DNS History: Created MX records 2 days after registration
  • Hosting: Shared hosting (HostGator, US-based server)

Email Header Analysis:

  • Originating IP: 197.156.240.12 (Lagos, Nigeria)
  • Mail Server: Roundcube webmail (HostGator shared hosting)
  • Timestamp: Sent at 2:47 AM local time (11:47 PM Nigerian time)
  • User-Agent: Mozilla/5.0... (Android mobile device)

Related Infrastructure:

  • 6 similar domains registered same day: healthcarec0mpany, healthcarecompanyy, heaIthcarecompany (capital I instead of lowercase L)
  • Same IP accessed all 6 domains within 24 hours of registration
  • Pattern: Professional fraud operation targeting multiple companies

Evidence Strength: STRONG - Clear fraud infrastructure with attribution to Nigerian IP range
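The header and domain checks in Phase 1 can be scripted. The following is an added illustration for this case study, not GI Consulting's tooling: it parses a raw message, pulls the originating IP from the earliest Received hop, and tests the From domain against the organisation's real domain for typosquat and homoglyph look-alikes (zero for O, capital I for lowercase L). RAW_MESSAGE is a constructed sample that mirrors the case: the sender domain and originating IP are the ones cited above, while the relay host uses reserved documentation names and addresses. The homoglyph table and distance threshold are assumptions chosen for the example.

```python
"""Triage of a suspected BEC message: originating IP from the Received
chain, sender domain, and a look-alike test against the real domain.

Added illustration for this case study, not GI Consulting's tooling.
RAW_MESSAGE is constructed; the relay host uses reserved .invalid /
203.0.113.0/24 documentation values."""
import re
from email import message_from_string
from email.utils import parseaddr

# Characters commonly substituted for visually similar letters, mapped back to
# the canonical letter so "c0mpany" and "heaIth" normalise to the real spelling.
# (Assumed table; extend it for the scripts your organisation's domains use.)
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "I": "l", "|": "l",
                            "3": "e", "5": "s", "8": "b"})
IP_RE = re.compile(r"\[?(\d{1,3}(?:\.\d{1,3}){3})\]?")

RAW_MESSAGE = """\
Received: from mail.example-hosting.invalid (mail.example-hosting.invalid [203.0.113.7])
    by mx.healthcarecompany.com with ESMTPS; Tue, 11 Mar 2025 02:47:12 -0500
Received: from [197.156.240.12] (unknown [197.156.240.12])
    by mail.example-hosting.invalid with ESMTPA; Tue, 11 Mar 2025 02:47:05 -0500
Authentication-Results: mx.healthcarecompany.com; spf=pass smtp.mailfrom=healthcarec0mpany.com; dmarc=none
From: "Company CEO" <ceo@healthcarec0mpany.com>
To: cfo@healthcarecompany.com
Subject: Confidential acquisition - wire funds immediately to escrow
User-Agent: Mozilla/5.0 (Linux; Android 13) Gecko/20100101 Firefox/124.0

Please process the wire today. I am travelling and unreachable by phone.
"""


def normalise_domain(domain):
    """Fold homoglyphs and digraphs so look-alikes compare equal to the real name."""
    folded = domain.strip().translate(HOMOGLYPHS).lower()
    return folded.replace("rn", "m").replace("vv", "w")


def edit_distance(a, b):
    """Levenshtein distance; catches added, dropped or swapped characters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_verdict(sender_domain, legit_domains, max_distance=2):
    """Classify a sender domain as legitimate, lookalike or unrelated."""
    sender_norm = normalise_domain(sender_domain)
    best = None
    for legit in legit_domains:
        if sender_domain.lower() == legit.lower():
            return {"verdict": "legitimate", "closest": legit, "distance": 0, "homoglyph": False}
        d = edit_distance(sender_norm, normalise_domain(legit))
        if best is None or d < best[1]:
            best = (legit, d)
    legit, d = best
    homoglyph = d == 0  # identical once substituted characters are folded back
    verdict = "lookalike" if d <= max_distance else "unrelated"
    return {"verdict": verdict, "closest": legit, "distance": d, "homoglyph": homoglyph}


def originating_ip(msg):
    """The earliest Received header (last in the list) names the submitting host."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    match = IP_RE.search(received[-1])
    return match.group(1) if match else None


def triage(raw_message, legit_domains):
    """Collect the header facts an analyst records first, plus the domain verdict."""
    msg = message_from_string(raw_message)
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    return {
        "originating_ip": originating_ip(msg),
        "sender_domain": sender_domain,
        "auth_results": msg.get("Authentication-Results"),
        "user_agent": msg.get("User-Agent"),
        "domain": lookalike_verdict(sender_domain, legit_domains),
    }


if __name__ == "__main__":
    for key, value in triage(RAW_MESSAGE, ["healthcarecompany.com"]).items():
        print(f"{key}: {value}")
```

Note the constructed Authentication-Results line: SPF passes, because the attacker controls healthcarec0mpany.com and published its own SPF record. A passing authentication result therefore says nothing about whether the domain is the real one; the look-alike comparison is the check that catches this message.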


Phase 2: Wire Transfer & Banking Intelligence (Days 2-3)

Objective: Trace wire transfer destination and identify intermediary accounts

Methods:

  • Wire transfer documentation analysis
  • Receiving bank identification and fraud reporting
  • Beneficiary account holder research
  • Secondary transfer tracking (if available from bank cooperation)

Findings:

Initial Wire Transfer:

  • Receiving Bank: Wells Fargo (US account)
  • Account Name: "Pacific Trade Solutions LLC"
  • Account Opened: 12 days before fraud (new account)
  • Address on File: Commercial mail forwarding service (Mailbox Etc., Los Angeles)

Company Research (Pacific Trade Solutions LLC):

  • Formation: Delaware LLC, registered 15 days before fraud
  • Registered Agent: Commercial service (Wyoming Agents, Inc.)
  • Business Purpose: "Import/Export" (generic)
  • Operating Agreement: Not filed (minimal documentation)
  • EIN: Obtained but no tax filings yet
  • Website: None
  • Social Media: None
  • Reviews: None
  • Verdict: Shell company (classic money mule operation)

Secondary Transfers (via bank cooperation):

  • $180,000 transferred to Coinbase account (same day as receipt)
  • $150,000 transferred to Zelle account (next day)
  • $100,000 withdrawn via ATM (Los Angeles area, 15 transactions over 3 days)
  • Remaining balance: $0 (account cleaned out within 72 hours)

Evidence Strength: CRITICAL - Shell company with rapid fund dissipation pattern


Phase 3: Cryptocurrency Tracing (Days 3-5)

Objective: Follow Bitcoin transfers from Coinbase to identify cash-out points

Methods:

  • Blockchain analysis (Bitcoin public ledger)
  • Exchange identification (where BTC moved)
  • Wallet clustering and attribution
  • Cash-out venue identification (ATMs, P2P exchanges)

Findings:

Coinbase Transfer:

  • Amount: $180,000 worth of Bitcoin (BTC)
  • Destination Wallet: bc1q7x3... (Bitcoin address identified)
  • Transfer Pattern: Immediate split into 12 smaller amounts (structuring to avoid detection)

Blockchain Analysis:

  • Wallet Cluster: 47 associated addresses (professional operation)
  • Historical Activity: $2.3M in total inflows over 6 months (multiple victims)
  • Cash-Out Venues:
    • Binance (international exchange): $110,000 worth
    • LocalBitcoins (P2P exchange): $45,000 worth
    • Bitcoin ATMs (Los Angeles area): $25,000 worth

Binance Intelligence:

  • Withdrawal Method: Wire transfer to account in United Kingdom
  • Beneficiary Bank: Barclays Bank (London)
  • Account Holder: "Digital Marketing Solutions Ltd" (UK company)
  • Pattern: Another shell company in money laundering chain

LocalBitcoins P2P Trades:

  • Seller Profile: "CryptoKing213" (Los Angeles area)
  • Trade History: 450+ trades, $1.2M volume (professional cash-out service)
  • Phone Number: +1-213-xxx-xxxx (LA area code, VOIP number)
  • Meeting Locations: 3 coffee shops in Downtown LA (consistent pattern)

Evidence Strength: STRONG - Blockchain trail provides irrefutable transaction history
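The wallet clustering and "immediate split into 12 smaller amounts" findings above rest on two simple analyses that can be reproduced over the public ledger. The block below is an added illustration for this write-up, not the firm's tooling and not a commercial analytics product: it applies the common-input-ownership heuristic (addresses spent together in one transaction are assumed to share an owner) with a union-find structure, sums external inflow to a cluster, and flags single-input transactions that fan out into many roughly equal outputs. TXS is a constructed, simplified transaction set; addresses and amounts are made up and fees are ignored.

```python
"""Common-input-ownership clustering and fan-out detection over a
constructed transaction set. Added illustration; not the firm's tooling."""
from collections import defaultdict

# Constructed sample (made-up addresses, fees ignored):
# t1: exchange withdrawal lands in the suspect wallet
# t2: immediate fan-out into 12 equal pieces
# t3..t5: later spends; addresses spent together are assumed to share an owner
TXS = [
    {"txid": "t1", "inputs": ["exchangeHot1"], "outputs": [("suspectA", 3.0)]},
    {"txid": "t2", "inputs": ["suspectA"],
     "outputs": [(f"s{i}", 0.25) for i in range(1, 13)]},
    {"txid": "t3", "inputs": ["s1", "s2", "s3"], "outputs": [("unknownX", 0.74)]},
    {"txid": "t4", "inputs": ["s3", "suspectB"], "outputs": [("p2pSeller", 1.1)]},
    {"txid": "t5", "inputs": ["s4", "s5"], "outputs": [("atmOperator", 0.49)]},
]


class UnionFind:
    """Disjoint sets over addresses; union() records 'spent in the same tx'."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)


def cluster_by_common_input(txs):
    """All input addresses of one transaction are assumed controlled by one entity."""
    uf = UnionFind()
    for tx in txs:
        first, *rest = tx["inputs"]
        for addr in rest:
            uf.union(first, addr)
    groups = defaultdict(set)
    for tx in txs:
        for addr in tx["inputs"]:
            groups[uf.find(addr)].add(addr)
    return [frozenset(g) for g in groups.values()]


def cluster_of(txs, address):
    """The cluster containing `address` (a singleton if it never co-spent)."""
    for group in cluster_by_common_input(txs):
        if address in group:
            return group
    return frozenset({address})


def external_inflow(txs, cluster):
    """Value paid into the cluster by transactions the cluster did not sign."""
    total = 0.0
    for tx in txs:
        if any(addr in cluster for addr in tx["inputs"]):
            continue  # internal shuffle, not new money
        total += sum(v for addr, v in tx["outputs"] if addr in cluster)
    return total


def fanout_transactions(txs, min_outputs=8, max_share=0.2):
    """Single-input transactions split into many roughly equal outputs."""
    flagged = []
    for tx in txs:
        values = [v for _, v in tx["outputs"]]
        if (len(tx["inputs"]) == 1 and len(values) >= min_outputs
                and max(values) <= max_share * sum(values)):
            flagged.append(tx["txid"])
    return flagged


if __name__ == "__main__":
    for group in cluster_by_common_input(TXS):
        print(sorted(group), "inflow:", external_inflow(TXS, group))
    print("fan-out transactions:", fanout_transactions(TXS))
```

Two limits worth keeping in mind when reading the output: the heuristic only links addresses that are spent together, so suspectA (which only ever appears as a single input) stays in its own cluster even though it funded the fan-out; and an exchange's hot wallet co-spends customer deposits, so exchange-owned addresses must be excluded before clustering or unrelated users collapse into one entity. Commercial tools layer further heuristics (change-address detection, known-service tagging) on top of this one.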


Phase 4: Social Media & OSINT Profiling (Days 5-7)

Objective: Identify individuals behind shell companies and crypto accounts

Methods:

  • LinkedIn company page analysis
  • Facebook/Instagram location correlation
  • Phone number reverse lookup (VOIP traces)
  • Email address correlation across data breaches
  • Naming pattern analysis (typosquat domains)

Findings:

Pacific Trade Solutions LLC:

  • LinkedIn Profile: Company page created 10 days before fraud
  • Employee: Single profile - "Marcus Johnson" (fake LinkedIn)
    • Photo: Reverse image search = stock photo (Shutterstock)
    • Experience: Generic claims, no verifiable companies
    • Connections: 12 connections (all appear fake/inactive)

Digital Marketing Solutions Ltd (UK Company):

Breakthrough - Nigerian Connection:

  • Email pattern analysis: Typosquat domain registrations used same email pattern
  • Leaked credentials: Email address found in data breach (LinkedIn 2021)
  • Real name extracted: Breach data revealed password hint: "initials_DOB"
  • Cross-reference: Searched Nigerian LinkedIn profiles with matching initials
  • Match found: Chukwuemeka O. (Lagos-based, digital marketing background)
  • Social media: Facebook profile with photos at known fraud hotspot (Computer Village, Lagos)

LocalBitcoins "CryptoKing213":

  • Phone number: VOIP trace to email: cryptoking213@gmail.com
  • Email search: Gmail found in Reddit posts (cryptocurrency subreddit)
  • Reddit history: Discussed "cash out services" and LA meetup locations
  • Instagram: Account with same username, photos at LA coffee shops (matches trade locations)
  • Real name: Instagram tagged by friend → David R. (LA resident)

Evidence Strength: MEDIUM-STRONG - Circumstantial but multiple corroborating data points


Phase 5: International Network Mapping (Days 7-10)

Objective: Map fraud network connections across jurisdictions

Methods:

  • Cross-platform account correlation
  • WhatsApp/Telegram group identification
  • Professional network analysis (LinkedIn connections)
  • Geographic pattern analysis (IP logs, social media check-ins)

Findings:

Network Map:

[Nigeria - Chukwuemeka O.] 
    ↓ (Initiates fraud, registers domains)
[US - Money Mule - "Pacific Trade Solutions"]
    ↓ (Receives wire, converts to crypto)
[US - Cash-Out Service - David R. "CryptoKing213"]
    ↓ (Converts crypto to cash via P2P)
[UK - Shell Company - "Digital Marketing Solutions"]
    ↓ (Final destination for Binance cash-out)

Communication Channels:

  • Telegram Group: "BEC Hustle" (discovered via leaked chat export on cybercrime forum)
  • Group Members: 23 participants (Nigerian, US, UK, Canada)
  • Discussion Topics: Target selection, email templates, money mule recruitment
  • Chukwuemeka's Role: "Team lead" (coordinates operations)

Additional Victims Identified:

  • Blockchain analysis: Same wallet cluster received funds from 8 other BEC scams
  • Total Losses: $2.3M across 9 victims (6 months)
  • Geographic Pattern: All US victims, all healthcare or professional services
  • Method Pattern: Identical typosquat technique, CEO impersonation

Evidence Strength: STRONG - Establishes organized criminal enterprise


Deliverables

Executive Summary for Attorney (8 pages)

  • Fraud timeline and mechanics
  • Identified perpetrators (3 individuals across 2 countries)
  • Fund tracing results ($180K recoverable via Binance/UK account)
  • Criminal referral recommendations (FBI, Secret Service, Interpol)
  • Civil recovery options (frozen accounts, asset seizure)

Technical Reports

1. Email Forensics Report (12 pages)

  • Email header analysis with IP attribution
  • Domain registration history and infrastructure
  • Related typosquat domains (6 total)
  • Mail server analysis and authentication failures

2. Wire Transfer Intelligence (15 pages)

  • Initial wire transfer documentation
  • Shell company research (Pacific Trade Solutions)
  • Bank account activity timeline
  • Secondary transfer tracking

3. Cryptocurrency Tracing Report (20 pages)

  • Blockchain transaction analysis
  • Wallet clustering and attribution
  • Exchange identification and cash-out analysis
  • Bitcoin ATM locations and surveillance opportunities

4. OSINT Profiling Report (18 pages)

  • Social media intelligence (LinkedIn, Facebook, Instagram, Reddit)
  • Phone number and email correlation
  • Real name identification (Chukwuemeka O., David R.)
  • UK shell company analysis

5. Network Mapping and Criminal Enterprise (25 pages)

  • International fraud network visualization
  • Communication channel analysis (Telegram group)
  • Additional victim identification (8 other BEC scams)
  • Geographic and operational patterns

Law Enforcement Package

  • Criminal Referral Memo (10 pages) - Summary for FBI/Secret Service
  • Interpol Notice Recommendations - Red notice for Chukwuemeka O.
  • Evidence Index - Organized by jurisdiction and evidence type
  • Asset Recovery Opportunities - $180K in Binance/Barclays account

Results & Legal Outcome

Criminal Referral

  • FBI Acceptance: Cybercrime division opened investigation within 3 weeks
  • Secret Service: Coordinated on financial fraud aspects
  • Interpol: Red notice issued for Chukwuemeka O. (Nigeria)
  • DOJ Cooperation: Worked with UK authorities on shell company

Asset Recovery

  • Binance Account: Frozen by exchange (cooperated with law enforcement)
  • Barclays Account: UK court order froze $180K
  • Client Recovery: $165K returned after legal fees and currency conversion
  • Recovery Rate: 38% of original loss (above average for BEC cases)

Additional Outcomes

  • David R. Arrested: LA-based cash-out service operator (federal charges)
  • LocalBitcoins Cooperation: Platform banned "CryptoKing213" and related accounts
  • Additional Victims Notified: FBI contacted 8 other victims using our intelligence
  • Total Recovery (All Victims): $620K across 9 cases

Evidence Impact

  • Blockchain Analysis: Provided irrefutable fund trail for prosecution
  • Email Forensics: Established Nigerian attribution and fraud infrastructure
  • Network Mapping: Showed organized criminal enterprise (enhanced charges)
  • OSINT Profiling: Identified real names for previously anonymous actors

Key Takeaways

For Attorneys

1. Speed is Critical for Asset Recovery

  • Funds move within 72 hours (wire → crypto → cash)
  • OSINT investigation in 10 days allowed for Binance account freeze
  • Delay = permanent loss (cash-out services are fast)

2. Multi-Jurisdictional Approach

  • BEC fraud always involves international actors
  • Coordinate FBI (US), Interpol (international), local police (cash-out)
  • UK cooperation critical for final asset seizure

3. Cryptocurrency Tracing

  • Bitcoin is NOT anonymous (public ledger = audit trail)
  • Professional blockchain analysis identifies cash-out points
  • Exchange cooperation is key to asset freezing

Cost-Benefit:

  • OSINT Investigation: $12,500
  • Asset Recovery: $165,000
  • ROI: 13x return on investigation investment

For Investigators

1. Email Forensics First

  • Headers reveal originating IPs and infrastructure
  • Domain registration patterns identify fraud networks
  • Related domains show scale of operation

2. Shell Company Research

  • Delaware/Wyoming LLCs are red flags (privacy states)
  • Mailbox forwarding services = money mule indicator
  • New companies with immediate large transactions = fraud

3. Blockchain Analysis

  • Track Bitcoin through exchanges to cash-out points
  • Wallet clustering reveals criminal network scale
  • P2P exchanges (LocalBitcoins) often involve local cash-out operators

4. Social Media Attribution

  • Data breaches + LinkedIn + Facebook = real name identification
  • Instagram geotags confirm physical locations
  • Reddit history reveals criminal techniques and intentions

For Corporate Clients

1. BEC Prevention

  • Email authentication (SPF, DKIM, DMARC) prevents spoofing
  • Dual authorization for wires >$10K (phone + email)
  • CEO travel schedules should not be public (LinkedIn posts = reconnaissance)
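The first prevention item can be checked mechanically. The block below is an added example for this case study, not the firm's tooling: it grades a domain's SPF and DMARC records for exposure to exact-domain spoofing, flagging the common weak settings (softfail, p=none, partial pct, too many DNS lookups). The record strings are constructed for the client's domain; in production they would be read from the domain's DNS TXT records (for instance with dnspython's resolver.resolve(name, "TXT")). The scoring thresholds are assumptions chosen for the example.

```python
"""Grade SPF and DMARC records for exact-domain spoofing exposure.
Added example for this case study, not the firm's tooling; the records
below are constructed strings rather than live DNS answers."""

# Constructed records: a typical monitoring-only posture beside a hardened one.
WEAK_SPF = "v=spf1 include:_spf.example-mail.invalid ~all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@healthcarecompany.com"
STRONG_SPF = "v=spf1 include:_spf.example-mail.invalid ip4:198.51.100.0/24 -all"
STRONG_DMARC = ("v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
                "rua=mailto:dmarc@healthcarecompany.com")

# SPF terms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def parse_spf(record):
    """Return the qualifier on 'all' and the number of lookup-costing terms."""
    if not record or not record.lower().startswith("v=spf1"):
        return None
    result = {"all": None, "lookups": 0}
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        body = term.lstrip("+-~?")
        name = body.split(":", 1)[0].split("=", 1)[0].split("/", 1)[0].lower()
        if name == "all":
            result["all"] = qualifier
        elif name in LOOKUP_TERMS:
            result["lookups"] += 1
    return result


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict; None if not a DMARC record."""
    if not record or not record.lower().startswith("v=dmarc1"):
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess(spf_record, dmarc_record):
    """Score 0-3 (assumed scale): -all earns 1, p=quarantine 1, p=reject 2."""
    findings = []
    spf = parse_spf(spf_record)
    dmarc = parse_dmarc(dmarc_record)
    score = 0
    if spf is None:
        findings.append("no SPF record: any host may send as this domain")
    else:
        if spf["lookups"] > 10:
            findings.append("SPF exceeds the 10-lookup limit and will permerror")
        if spf["all"] == "-":
            score += 1
        elif spf["all"] == "~":
            findings.append("SPF ends in ~all (softfail); receivers rarely block on it")
        else:
            findings.append("SPF ends in +all/?all or has no 'all': forgeries pass")
    if dmarc is None:
        findings.append("no DMARC record: SPF/DKIM results are not enforced")
    else:
        policy = dmarc.get("p", "none").lower()
        if policy == "reject":
            score += 2
        elif policy == "quarantine":
            score += 1
            findings.append("DMARC p=quarantine: spoofed mail lands in spam, not rejected")
        else:
            findings.append("DMARC p=none: monitoring only, spoofed mail is delivered")
        if int(dmarc.get("pct", "100")) < 100:
            findings.append(f"DMARC pct={dmarc['pct']}: policy applied to only part of traffic")
        if "rua" not in dmarc:
            findings.append("no rua tag: nobody receives aggregate abuse reports")
    grade = {3: "strong", 2: "moderate"}.get(score, "weak" if (spf or dmarc) else "none")
    return {"grade": grade, "score": score, "findings": findings}


if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC),
                              ("strong", STRONG_SPF, STRONG_DMARC)):
        print(label, assess(spf, dmarc))
```

These records protect healthcarecompany.com itself; they do nothing against the look-alike domain used in this case, which the attackers registered and could publish a passing SPF record for. Authentication therefore has to be paired with look-alike domain monitoring and the out-of-band wire verification listed above.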

2. Response Protocol

  • Contact bank immediately (wire recall within 24 hours possible)
  • Engage OSINT investigator within 48 hours (while funds still traceable)
  • File FBI IC3 complaint (creates case number for investigation)

3. Insurance Claims

  • Cyber insurance often covers BEC losses
  • OSINT investigation report strengthens insurance claim
  • Document all prevention measures taken (shows due diligence)

Technical Methodology

Tools & Techniques

Email Forensics:

  • Email header analyzer (MX Toolbox, Google Admin Toolbox)
  • WHOIS lookups (ICANN, DomainTools)
  • DNS history (SecurityTrails, DNSDumpster)
  • Typosquat domain generators

Financial Intelligence:

  • Wire transfer documentation analysis
  • Company formation research (OpenCorporates, State databases)
  • EIN verification (IRS database)
  • Commercial address verification (Google Street View, Mailbox Etc. databases)

Cryptocurrency Tracing:

  • Blockchain explorers (Blockchain.com, Blockchair.com)
  • Wallet clustering tools (CipherTrace, Chainalysis concepts)
  • Exchange identification (Binance, Coinbase, Kraken)
  • Bitcoin ATM locators (CoinATMRadar)

OSINT Profiling:

  • Reverse image search (Google, TinEye)
  • Data breach databases (HIBP, Dehashed)
  • Social media correlation (LinkedIn, Facebook, Instagram, Reddit)
  • VOIP number reverse lookup (Twilio, Google Voice)

Network Mapping:

  • Cross-platform username search (WhatsMyName, Maigret)
  • Communication channel monitoring (Telegram, Discord, cybercrime forums)
  • Geographic correlation (IP logs, social media check-ins)
  • Professional network analysis (LinkedIn connections, industry forums)

Legal & Ethical Standards

  • Public sources only: No illegal access to private accounts or databases
  • Law enforcement coordination: FBI/Secret Service approval for sensitive techniques
  • Chain of custody: Timestamped evidence with URLs and screenshots
  • Admissibility: All evidence presented to FBI without challenges

Conclusion

The OSINT investigation successfully identified an international fraud ring, traced funds through cryptocurrency, and enabled a $165K asset recovery (38% of the loss). The combination of email forensics, blockchain analysis, and social media profiling provided law enforcement with actionable intelligence that led to arrests and Interpol notices.

Key Success Factors:

  • Speed: 10 days to comprehensive criminal referral package (before funds fully dissipated)
  • Blockchain Expertise: Traced $180K through Bitcoin to Binance account (frozen)
  • Multi-Jurisdictional: Coordinated US, UK, and Nigerian authorities
  • Asset Recovery: $165K returned to client (13x ROI on investigation cost)
  • Criminal Justice: 1 arrest (US), 1 Interpol notice (Nigeria), 8 additional victims identified


This case study is a composite of common BEC fraud scenarios. Technical methods and blockchain tracing techniques are representative of actual investigations.

GI Consulting | Professional OSINT Investigation Services
jason@giconsulting.com

Need Similar Investigation Services?

Contact us to discuss your OSINT investigation needs. We deliver court-admissible evidence with proven methodologies and exceptional ROI.
