As the world digitalizes, individuals and entities are inevitably leaving a larger digital trace. Using open source intelligence (OSINT), investigators can leverage these traces and transform them into substantial intelligence used to solve crimes committed in the digital sphere.

Rise in Cybercrime

Cybercrime profits account for approximately 1% of the world’s Gross Domestic Product (GDP). Cybercriminals are quickly adapting to exploit individuals’ fear of exposure and potential shame, to coerce countless victims to comply with their demands. Blackmail, ransom, and other forms of extortion are by no means a new phenomenon, however, data from recent years has shown a massive spike in online blackmail activities. The internet, online dating, social media, and cryptocurrency have propagated cyber blackmail, making more users around the world susceptible to this type of crime known as ransomware.

Ransomware Email Attack in February 2020

In February 2020, a ransomware attack occurred when several individuals received a threatening email message demanding a payment sum of USD 300. Victims were instructed to carry out the payment to an Ethereum cryptocurrency address within 48 hours or compromising information and images would be leaked to the internet. Due to the nature of the crime, some individuals complied while others reported it to authorities. The only information investigators had was the ransom message. Their investigation starting point was the Ethereum cryptocurrency address (wallet).

Solving a Cybercrime Investigation with OSINT

Employing proprietary technology, investigators began examining the origin of the Ethereum cryptocurrency address and the email related to the ransom message, through the ProFoundTM platform. Blockchain analysis, meaning an automated collection of open source cryptocurrency transactional data, allowed the investigators to analyze the entire transactional history of the electronic wallet referred to in the email. It was clear from the data that the sole purpose of the Ethereum cryptocurrency address was delinquent as spikes in its activity correlate with reported ransomware attack dates. Investigators then uncovered an additional Ethereum address connected to the account, who cashed out the exact amount of the bribery scheme payment through a cryptocurrency exchange. As the next step, investigators used the platform’s mass collection capabilities and automatic entity extraction to gather information concerning the Ethereum addresses from the surface, deep and dark web as well as social networks and other unstructured data sources. The analysis of the results provided insight into the origin of the attack, Egypt, and steered the investigation towards a related deep web forum offering money-laundering services. A dedicated crawler specific to the forum was created using the platform’s Robot StudioTM. Information collected tied the money laundering activities to an Egyptian company, thus collaborating information that the attack had originated from Egypt.

Through the information provided on the company’s website, investigators were able to determine that it is a family business run by three brothers. Analysis of the contact phone number provided on the site revealed the identity of a fourth brother, not previously mentioned, connected to the business. Digital Clues’ ProFilerTM reports that included names, phone numbers, emails, locations, social media connections, and more, were generated within minutes. The information was then mapped out and visualized using the ProFoundTM platform to be presented to relevant stakeholders. In conclusion, within just a few hours, Digital Clues’ full suite of products enabled investigators to successfully collect and analyze large amounts of unstructured and structured data and trace back a ransomware crime to its perpetrators.

Leveraging OSINT

OSINT tools provide investigators access to vast amounts of structured and unstructured data that can be analyzed and leveraged to combat crime as a standalone capability or combined with other intelligence collection methods. Regarding the case outline above, the OSINT collected could be leveraged to obtain tangible evidence for the apprehension of the members of the network. The intelligence can also serve as evidence for a subpoena to freeze the suspects’ accounts.