Right now a rusty bulker flying a Panamanian flag is offloading crude into a lightering fleet outside Kalamata. The bill of lading says “Malaysia,” the insurer is a one-man shop in St. Kitts, and the buyer’s domain was registered in Moscow—48 hours after the EU embargo hit. If you’re still grepping for “sanctions” in CSV dumps, that cargo is already sold and the money’s hopping through four crypto exchanges. OSINT is the only thing that moves faster than they do.
What’s Breaking Right Now
May 2024: OFAC dropped another 300+ entries on the SDN list and the ink isn’t dry before the evasion playbook spins up. Same week, a red-teamer in Kyiv pings me—he’s watching a TikTok of a Russian kid bragging about his dad’s new “Turkey office.” OSINT geolocation puts the office inside a freight forwarder that shares an address with three shell companies already flagged in Tracking Crypto Laundering via Open Source Intelligence. That’s the speed you need to operate at.
How Attackers Actually Run the Shell Game
Forget the Hollywood “one offshore account” trope. Real sanctions evasion, the thing you are actually tracking, looks like this:
- Vessel dark-flipping: AIS spoofing, MID flag swaps, and re-registry to Comoros or Gabon inside 24 h.
- Trade-finance loop: over-invoice the goods, under-ship the volume, pocket the difference as a clean loan.
- Crypto wash stack: deposit → privacy coin → cross-chain DEX → casino site → stablecoin → fiat off-ramp at a CIS neobank.
- Director recycling: same three people listed on 200+ companies, each dissolved before the compliance refresh cycle.
They win because banks still screen against yesterday’s list. OSINT wins because we chase tomorrow’s metadata.
OSINT That Punches Through the Fog
Start with the vessel IMO you found in a Telegram channel. Pivot:
- Scrape MarineTraffic historical AIS for 300 nm radius gaps—those lanes hide ship-to-ship transfers.
- Pull the Equasis PDF—look for last surveyor; if it’s “International Naval Surveys LLC” with a Gmail, you found the flag-of-convenience laundromat.
- Hash the bill-of-lading number, drop it into Panjiva or ImportGenius; mismatching weights = price padding.
- Grab the corporate officer name and run it through Uncover Hidden Assets with OSINT Techniques for yachts, condos, and kids in Swiss boarding schools.
Need it faster? Feed the entire data stack into Kindi, click “Link Analysis,” and watch it draw the same spider-web you just spent two nights building by hand—minus the Red Bull and eye strain.
Practical Workflow: From Zero to Seizure Warrant
Last month a Europol intel guy followed this exact script:
Step 1: Monitor #graindeals on VK, scrape new photos. YOLO-v8 detects a logo on a truck—matches a Syrian entity on the OFAC list.
Step 2: Google Lens the logo → Kazakhstani logistics firm created 30 days after the invasion.
Step 3: Pull WHOIS for the firm’s domain—email is “admin@yandex.ru,” same on 14 other flagged sites.
Step 4: Dump corporate registry PDFs, convert with pdftotext, grep for “authorised capital.” A sudden 2000% bump the week sanctions hit? That’s your classic share-inflation trick to look legit.
Step 5: Slap everything into a timeline, hand it to the financial crime unit; they freeze $37 M before the next charter payment clears. Total elapsed time: 6 days.
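Step 4 is the one piece of this workflow that is pure text processing, so here it is as code. This is an added example, not the post’s or Europol’s tooling: it assumes pdftotext output where each filing line carries an ISO date and an “authorised capital” figure, and the registry text it parses is constructed.

```python
"""Flag share-capital jumps in corporate-registry text (Step 4 of the workflow).

Added example, not from the post. Assumes pdftotext output where each filing
line carries an ISO date and an 'authorised capital' figure; the sample text
below is constructed.
"""
import re
from datetime import date, timedelta

# Matches lines like "2022-03-03  Authorised capital: 210,000 KZT"
# (British spelling, as in the registry dumps the post greps).
LINE_RE = re.compile(
    r"(?P<d>\d{4}-\d{2}-\d{2}).*?authori[sz]ed capital:\s*(?P<amt>[\d,]+)",
    re.IGNORECASE,
)

def parse_capital_history(text):
    """Return [(date, amount)] sorted by filing date from raw pdftotext output."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            rows.append((date.fromisoformat(m["d"]), int(m["amt"].replace(",", ""))))
    return sorted(rows)

def flag_capital_spikes(history, sanctions_date, min_pct=2000.0, window_days=7):
    """[(filing_date, pct_change)] for jumps >= min_pct filed within +/- window_days of sanctions_date."""
    lo = sanctions_date - timedelta(days=window_days)
    hi = sanctions_date + timedelta(days=window_days)
    hits = []
    for (_, before), (filed, after) in zip(history, history[1:]):
        if before == 0:  # freshly registered shell with zero capital: no ratio to compute
            continue
        pct = (after - before) / before * 100.0
        if pct >= min_pct and lo <= filed <= hi:
            hits.append((filed, round(pct, 1)))
    return hits

# Constructed sample: a 2,000% bump filed three days after the sanctions date.
SAMPLE_REGISTRY_TEXT = """\
Company: Example Logistics LLP (constructed)
2021-11-15  Authorised capital: 10,000 KZT
2022-02-28  Authorised capital: 10,000 KZT
2022-03-03  Authorised capital: 210,000 KZT
2022-09-01  Authorised capital: 210,000 KZT
"""

if __name__ == "__main__":
    history = parse_capital_history(SAMPLE_REGISTRY_TEXT)
    print(flag_capital_spikes(history, sanctions_date=date(2022, 2, 28)))
```

The same jump filed months away from the sanctions date is deliberately ignored; a capital increase on its own is routine, the timing is the tell.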
Rookie Mistakes That Kill Cases
- Trusting AIS data without checking for GPS spoofing—always correlate with satellite imagery (Sentinel-1).
- Forgetting to snapshot social media—posts vanish, and screenshots without SHA hashes don’t impress judges.
- Ignoring language variants: searching “Oleg” but not “Олег” misses half the Russian corporate registry hits.
- Using commercial VPN exit nodes for scraping—some trade sites geo-block known ranges, killing your source.
| What You Do | What They Do | OSINT Counter |
|---|---|---|
| Flag new domain reg | Use .tk or .cf for free, private | Monitor DNS .tk zone file via CIRCL passive DNS |
| Track crypto TX | Hop through Monero | Cluster by timing + scrape Reddit for “xmr.to” mentions |
| Check vessel flag | Re-register in Gabon | Query Gabon’s ANRP site daily with a headless scraper |
Sanctions Evasion Tracking: Tools Worth Paying For
Free tier is great until you hit a 302 redirect captcha loop. For heavy lifting, Kindi ingests ADS-B, AIS, crypto mempool, and corporate registry dumps into one graph. Tag an entity once, get alerts when a new domain, wallet, or vessel pops up—no manual pivot hell. Teams can share live boards so the analyst in the SCIF and the field officer outside Odessa see the same picture without e-mailing Excel.
External Reference
For the legal side, bookmark the FinCEN March 2023 advisory on virtual currency and sanctions evasion—it’s the only U.S. doc that explicitly lists red flags like “mixing services advertising no-KYC.”
To build stronger OSINT skills, begin with our free hands-on OSINT courses. For teams that need faster investigations and better collaboration, Kindi delivers AI-powered OSINT automation and link analysis.
FAQ
Q1: What’s the fastest indicator of a ghost vessel?
A: AIS “zombie” gap >12 h followed by a 5+ knot speed spike—means they flipped the transponder off for an STS (ship-to-ship) transfer.
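The Q1 heuristic as a detector you can run over a vessel’s position history. This is an added example, not code from the post or from any AIS provider; it assumes reports as (ISO-8601 timestamp, speed over ground in knots) pairs, and the track it ships with is constructed.

```python
"""Spot AIS 'zombie' gaps followed by a speed spike (the FAQ Q1 heuristic).

Added example, not from the post. Input is a list of AIS position reports as
(ISO-8601 timestamp, speed over ground in knots); the track below is
constructed, not real AIS data.
"""
from datetime import datetime

def find_zombie_gaps(reports, min_gap_hours=12.0, min_sog_spike=5.0):
    """Return [(dark_from, dark_until, gap_hours, sog_jump)] for every silence of
    at least min_gap_hours whose first report afterwards shows SOG at least
    min_sog_spike knots above the last SOG before the silence."""
    track = sorted((datetime.fromisoformat(ts), float(sog)) for ts, sog in reports)
    hits = []
    for (t0, sog0), (t1, sog1) in zip(track, track[1:]):
        gap_h = (t1 - t0).total_seconds() / 3600.0
        sog_jump = sog1 - sog0
        if gap_h >= min_gap_hours and sog_jump >= min_sog_spike:
            hits.append((t0.isoformat(), t1.isoformat(), round(gap_h, 1), round(sog_jump, 1)))
    return hits

# Constructed track: slows to a crawl, goes dark for 14.5 h, reappears at speed.
SAMPLE_TRACK = [
    ("2024-05-01T00:00:00", 9.8),
    ("2024-05-01T01:00:00", 9.6),
    ("2024-05-01T02:00:00", 1.2),   # last report before the transponder goes quiet
    ("2024-05-01T16:30:00", 11.4),  # back on AIS, already at cruising speed
    ("2024-05-01T17:30:00", 11.0),
    ("2024-05-02T08:00:00", 11.2),  # a second 14.5 h gap but no spike: not a hit
]

if __name__ == "__main__":
    for hit in find_zombie_gaps(SAMPLE_TRACK):
        print("dark %s -> %s (%.1f h), SOG jumped %.1f kn" % hit)
```

A hit is a lead, not a finding: receiver coverage holes produce the same silence, which is why the rookie-mistakes list above says to correlate with Sentinel-1 imagery before writing it up.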
Q2: How do I prove two shell companies are linked?
A: Match IPv6 /64 subnets in mail-server headers, overlap in director passport numbers, and sequential domain registration IDs at the same registrar.
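The first of those three checks, the shared IPv6 /64 in mail-server headers, as working code. Added example, not the post’s tooling; both header blocks are constructed and use the 2001:db8::/32 documentation range, so they point at nothing real.

```python
"""Link two mails by the IPv6 /64 their 'Received:' headers share (FAQ Q2).

Added example, not from the post. Both header blocks are constructed and use
the documentation range 2001:db8::/32, so they match no real infrastructure.
"""
import ipaddress
import re

# Pulls the bracketed relay address out of a one-line Received: header,
# with or without the 'IPv6:' prefix some MTAs emit.
RECEIVED_RE = re.compile(r"^Received:.*?\[(?:IPv6:)?([0-9a-fA-F:]+)\]",
                         re.IGNORECASE | re.MULTILINE)

def received_ipv6_64s(raw_headers):
    """Set of /64 networks seen in the Received: chain (IPv4 hops are skipped)."""
    nets = set()
    for addr in RECEIVED_RE.findall(raw_headers):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:  # garbage inside the brackets, not an address
            continue
        if ip.version == 6:
            nets.add(ipaddress.ip_network(f"{ip}/64", strict=False))
    return nets

def shared_subnets(headers_a, headers_b):
    """Sorted /64s present in both chains: a link signal to corroborate, not proof."""
    return sorted(str(n) for n in received_ipv6_64s(headers_a) & received_ipv6_64s(headers_b))

# Constructed headers from two 'unrelated' shells relayed through the same /64.
MAIL_A = """\
Received: from mx.shell-one.invalid (mx.shell-one.invalid [IPv6:2001:db8:4d2:7a::15]) by inbox.invalid; Tue, 5 Mar 2024 10:00:00 +0000
Received: from relay.invalid (relay.invalid [203.0.113.7]) by mx.shell-one.invalid; Tue, 5 Mar 2024 09:59:58 +0000
From: Director <director@shell-one.invalid>
"""
MAIL_B = """\
Received: from mail.shell-two.invalid (mail.shell-two.invalid [IPv6:2001:db8:4d2:7a::c8]) by inbox.invalid; Wed, 6 Mar 2024 14:20:00 +0000
Received: from smtp.shell-two.invalid (smtp.shell-two.invalid [2001:db8:ffff:1::9]) by mail.shell-two.invalid; Wed, 6 Mar 2024 14:19:57 +0000
From: Accounts <accounts@shell-two.invalid>
"""

if __name__ == "__main__":
    print(shared_subnets(MAIL_A, MAIL_B))  # ['2001:db8:4d2:7a::/64']
```

A shared /64 at a big hosting provider means little on its own; it carries weight when the director and registrar checks from the same answer line up with it.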
Q3: Which crypto assets still leave breadcrumbs?
A: ERC-20 tokens on Ethereum; even via Tornado Cash, gas payments deanonymize wallets 60% of the time.
Q4: Is a screenshot enough for court?
A: No. Always pair with a SHA-256 hash, source code, and Wayback Machine archive.
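One way to do the hash-and-manifest part of that answer, serving both the “screenshots without SHA hashes” rookie mistake and Q4. Added example, not the post’s tooling: the screenshot and page-source bytes are constructed stand-ins, and the archive URL is a placeholder in the Wayback Machine URL shape rather than a real snapshot.

```python
"""Preserve a capture with SHA-256 hashes and a manifest (Rookie Mistakes item 2, FAQ Q4).

Added example, not from the post. The artifacts are constructed bytes standing in
for a saved screenshot and page source; the archive URL is a placeholder only.
"""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def preserve_capture(out_dir, source_url, artifacts, archive_url=None):
    """Write each artifact plus manifest.json (source URL, UTC capture time,
    archive URL, per-file SHA-256 and size); return the manifest dict."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    manifest = {"source_url": source_url,
                "captured_utc": datetime.now(timezone.utc).isoformat(),
                "archive_url": archive_url, "files": {}}
    for name, data in artifacts.items():
        (out / name).write_bytes(data)
        manifest["files"][name] = {"sha256": sha256_hex(data), "bytes": len(data)}
    (out / "manifest.json").write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest

def verify_capture(out_dir):
    """Re-hash every file named in manifest.json; return the names that no longer match."""
    out = Path(out_dir)
    manifest = json.loads((out / "manifest.json").read_text())
    return [name for name, meta in manifest["files"].items()
            if sha256_hex((out / name).read_bytes()) != meta["sha256"]]

SAMPLE_ARTIFACTS = {  # constructed stand-ins for a real screenshot and page source
    "post.png": b"\x89PNG\r\n\x1a\n constructed screenshot bytes",
    "post.html": b"<html><body>constructed page source</body></html>",
}

def demo():
    """Round trip in a temp dir: preserve, verify, then edit one file and verify again."""
    with tempfile.TemporaryDirectory() as d:
        manifest = preserve_capture(d, "https://vk.invalid/wall-123_456", SAMPLE_ARTIFACTS,
                                    archive_url="https://web.archive.org/web/20240305100000/https://vk.invalid/wall-123_456")
        clean = verify_capture(d)
        (Path(d) / "post.html").write_bytes(b"<html>edited after capture</html>")
        tampered = verify_capture(d)
    return manifest, clean, tampered
```

Hash the manifest itself and record that value somewhere outside the evidence folder (case notes, a signed e-mail to yourself) so an edit to manifest.json is as detectable as an edit to the files it lists.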
Q5: One tool to start tomorrow?
A: Use the HARPA AI plugin in your Chromium browser—it combines page-change monitoring, OCR, and JSON export for quick sanctions evasion tracking.