My main job is helping people to build great companies. Often that involves figuring out what licenses apply, obtaining them, and helping to build out long-term compliance programs. Sometimes that involves international structures or working with lawyer colleagues in other jurisdictions. But every once in a while, someone hires me to investigate a large financial fraud. Typically these are investment frauds, and usually I'm acting for a victim but it can also be for a regulated platform that is involved in the issue (e.g. customer thefts carried out by an insider, or a partner company that fails suddenly). When it comes to investigating fraud and wrongdoing, it's very helpful to know what the right thing looks like, because then the wrong thing jumps out. This blog post explains some of the ways I do this.

What Do I Know?

I've worked on many large-scale frauds and wrote the expert report for Indexed Finance, the largest civil case in Canada involving crypto theft. I've also worked on a few large investment frauds that the victims would rather not publicize. And I've worked on some very small, often sad, cases. These experiences, and my knowledge of how to do things properly, have led to this guide that explains some of my tips and tricks for doing investigatory work that anyone with a laptop can do.

LinkedIn

The key people of businesses (even if they're scams) are often on LinkedIn. And if they're not, the junior people who work for them are. Someone's on LinkedIn. This is often a great first source of information because it helps to build their work history and the past is usually prologue. If someone was involved in a past fraud, they're way more likely to be involved in a current fraud. Bad luck doesn't strike that often.

Junior People On LinkedIn

Junior people can be great for filling in the pieces. A junior person will post that they worked in one place and then another and then another, and you can see that actually those three workplaces were connected. The work history of junior people sometimes allows the flow of crime to be observed because the people doing the work moved (whether knowing about the wrongdoing or not). This can sometimes expose details about the companies in their descriptions or it can discover new connections that the perpetrators have hidden. Never ignore the little guys, because they often tell you about the big fish.

Court Searches

Court databases are typically not accessible through Google. Canada, the UK, and Australia have free legal search services like CanLII that can be used to find court cases that Google won't. Once you know the names of the people and their companies, search them up and see what you can find. Often a bankruptcy will be tinged with crime even where there was no wrongdoing, or a civil case for one reason exposes something else about the business. Court cases often have very useful recitations of the facts, and it's possible someone else has already done some of the work with investigating the crooks years ago. People are rarely first offenders. Criminals start off small and work their way up, just like everyone else. A craft needs to be practised to be perfected, and it's generally only the more successful crooks that end up warranting serious legal and police attention.

Australia: https://austlii.edu.au/databases.html

UK: http://www.bailii.org/

Canada: https://www.canlii.org/

Corporate Registers

Corporate registers are a gold mine of information. They often go back several decades, and they usually show dissolved companies. Services like OpenCorporates are good, but registry searches should still be done. Delaware is a good place for the US, but also search the home states of the people. In Canada, there's a barely known service for searching all of the corporate registers, even the paid ones: https://www.ised-isde.canada.ca/cbr-rec/.

Always go to the beginning of the company's history. That's who started the business, and often founders will be taken off the paperwork later. In some countries, like the UK, these filings can reveal financial dealings too.

Even if the people are international, they often end up incorporating some part of the crime in the UK or America. They also tend to not be creative, and they name different companies according to a similar naming scheme. The company names can give an intuitive sense of who was behind it, or which groups did what parts.

EDGAR

The US has a very large securities filing database called EDGAR that's often a good source of information about American dealings. Sometimes this is useful even for foreign companies, if they raised money in America.

Trademark Searches

Trademarks often say a lot about a company. They can reveal who their legal counsel is, because if it's a big firm they just use the same firm for the trademark work. It can also reveal the structure of the companies, or sometimes show old information because the trademark (or patent) filings have the history from the beginning of the filing.

Wayback Machine

Google and Bing used to offer archival access for old pages but not anymore. Wayback Machine is one source for this, and it often has many versions of obscure websites. Smart criminals can request the archives be deleted (and do!) but most of the time they don't know that or don't care. Old versions of websites show press releases, blog posts, and "About Us" pages that show how it was before they got buttoned up. Almost every large fraud/scam started off more amateur than it finished. Along the way, the crooks get representation from large law firms that help them to do things well, and doing things well means deleting the old stuff.
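To find the oldest and the distinct versions of a page, the Wayback Machine's CDX API lists every capture with a content digest. The sketch below is an added example, not part of the original post: it builds the query URL and reduces a response to the first capture of each distinct page body. The sample response, its digests and the example.com page are constructed.

```python
import json
from urllib.parse import urlencode

CDX_ENDPOINT = "https://web.archive.org/cdx/search/cdx"

# Constructed sample in the CDX API's output=json shape (first row is the header).
SAMPLE_CDX = json.dumps([
    ["urlkey", "timestamp", "original", "mimetype", "statuscode", "digest", "length"],
    ["com,example)/about", "20190612081500", "http://example.com/about", "text/html", "200", "BBBB-CONSTRUCTED", "5120"],
    ["com,example)/about", "20170302101112", "http://example.com/about", "text/html", "200", "AAAA-CONSTRUCTED", "4096"],
    ["com,example)/about", "20170915000000", "http://example.com/about", "text/html", "200", "AAAA-CONSTRUCTED", "4096"],
    ["com,example)/about", "20180101120000", "http://example.com/about", "text/html", "301", "REDIR-CONSTRUCTED", "310"],
    ["com,example)/about", "20210420093000", "http://example.com/about", "text/html", "200", "CCCC-CONSTRUCTED", "2048"],
])

def cdx_query_url(page: str) -> str:
    """URL that asks the CDX API for every capture of one page, as JSON."""
    return CDX_ENDPOINT + "?" + urlencode({"url": page, "output": "json"})

def content_versions(cdx_json: str) -> list:
    """First capture of each distinct page body, oldest first."""
    rows = json.loads(cdx_json)
    if not rows:
        return []  # the API returns an empty list when nothing was archived
    header, captures = rows[0], rows[1:]
    ts = header.index("timestamp")
    seen, versions = set(), []
    # 14-digit timestamps sort chronologically as strings.
    for row in sorted(captures, key=lambda r: r[ts]):
        cap = dict(zip(header, row))
        if cap["statuscode"] != "200" or cap["digest"] in seen:
            continue  # skip redirects/errors and unchanged re-captures
        seen.add(cap["digest"])
        versions.append({
            "captured": cap["timestamp"],
            "replay": "https://web.archive.org/web/%s/%s" % (cap["timestamp"], cap["original"]),
        })
    return versions

if __name__ == "__main__":
    print(cdx_query_url("example.com/about"))
    for v in content_versions(SAMPLE_CDX):
        print(v["captured"], v["replay"])
```

Each replay URL opens one version of the page, so the "About Us" text can be read in the order it changed.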

Social Media Accounts

If you find a username, try it on Reddit and GitHub. People often reuse usernames. Check Telegram channels to see what the oldest posts look like - people forget to delete that because it's hard to find in Telegram. Crooks often delete tweets, but then leave Telegram posts in the history. Always scroll back to the oldest point in time, because that's often where the most interesting things are. Do this step after looking into all of the above things, because you have to know what's going on to understand what an otherwise-innocuous tweet means.

Google and Bing

Google and Bing have different archives because they each run their own crawlers. Basically every other search engine just uses their indices, so you just need to use these two. But use both, because sometimes they're different. One might show you an old forum post that another didn't.

Try to search for obscure phrases or specific company names that won't result in a lot of hits. Try a variety of searches. Comb through the results for the names of key people.

Regulator Databases

Regulators often require companies and individuals to file lots of information, and they make some of that available. These are especially good because they're usually accurate, or at least not obviously fake. Regulators like the FCA in the UK, FINRA in the US, or CIRO in Canada are quite useful. Individual registrants are usually the more useful thing to look at, because the people move around and their work history may be listed. This is a great supplement to LinkedIn and official biographies, because often crooks, like everyone, tell a truncated story. Regulatory filings can show the whole thing.

Interviews And YouTube

Old interviews are often great because the people aren't yet guarded. They're trying to get the word out, and they're saying things that they might not say later once they understand how to do their own scheme. At the start, most criminals are like anyone else, trying to find their legs. They're trying to figure out how to get more money, and what to say. They make mistakes, and they say too much. The older the interview, the better. These interviews sometimes reveal people who are deleted later from the official story.

Figure Out The Scheme

There's not many ways to get rich from other people without providing value. Criminals are largely restricted to two basic ideas: stealing money from customers and stealing money from investors.

Were they stealing from the customers? If so, how? Did a crooked insider help them by giving them access to systems or information so they could gain entry? Usually it's not sophisticated hacking, it's a man on the inside (and yes, it's usually a man). Did they have fictitious accounts that showed profits or showed sales that never happened? That's a very common type of fraud.

Were they stealing from investors? These investment frauds can get creative, but there's basically two ways to do it. Criminals can pretend to have entered into bad deals, where really they're on the other side of the deal. Or, criminals can simply pocket the investor's money and make up a story. The latter can be paying themselves high wages or bonuses, so that they're extracting cash the longer it goes on, while appearing to be trying to run a legitimate business. Bad deals can be either a pretend criminal who took the money (i.e. pretending that they're being victimized), or can be a deal with a third-party that's in on it and pays them a kickback somewhere else. The goal is to pretend that the loss was due to normal business activities, while really it's a nefarious operator.

Construct A Timeline

Once the basic scheme is understood, and the players in the drama are known, the next step is to assemble this in chronological order, because the order reveals more about the scheme. Crimes have a rhythm to them, like real businesses, and they have stages where it gets bigger. Did a key person join that made that happen? Did they figure out a way to divert money into their own hands?

Did they start stealing from customers to cover up for the losses from their poorly run business that originally targeted investors? Criminals often don't confine themselves to one way of doing bad things, and they'll mix and match as opportunities arise. And sometimes the criminals are stealing from each other - unsurprising considering who they went into "business" with!

Terms Of Use Agreements And Privacy Policies

All startups are careless with terms of use agreements and privacy policies. Criminal businesses are similarly lazy, and sometimes they put too much information in these agreements. Or, the agreements are copied between sites, so they reveal who is behind it by the structure of the text that they copied. Legal terms often reveal entities and they're usually accurate, even when the crooks are the authors! They take care to list the right company name, most of the time. Sometimes there's no company name identified and it just says you're making a contract with "the website", and that itself is a tell - this is not a legitimate enterprise.

Image Searches

Occasionally, image search engines like TinEye.com can be useful. Unique images can be found on other sites, connecting the dots. This doesn't usually help, but it can be a useful tool for the right lead.

Document Metadata

Most people are unaware that Word documents provide the author information and other details in the metadata. There are command line tools like ExifTool (https://exiftool.org) that can extract information that can't be seen in operating systems or even the programs that made the documents. Presentations and Word documents are the best for this, but PDFs can be good too. Sometimes they show the actual creation date of a file too, which can be useful as part of investigating some particular document or claim. Very few professionals scrub the metadata from files. Very few people know ExifTool exists.
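Where that author information lives in a Word or PowerPoint file, as an added example that is not part of the original post: a .docx/.pptx is a ZIP package whose docProps/core.xml and docProps/app.xml parts hold the properties. This sketch uses only Python's standard library rather than ExifTool, and the sample file, names and dates in it are constructed.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from datetime import date, datetime

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
# label -> (part inside the ZIP package, element to read from that part)
FIELDS = {
    "author": ("docProps/core.xml", "dc:creator"),
    "last_modified_by": ("docProps/core.xml", "cp:lastModifiedBy"),
    "created": ("docProps/core.xml", "dcterms:created"),
    "company": ("docProps/app.xml", "ep:Company"),
    "application": ("docProps/app.xml", "ep:Application"),
}

def office_metadata(data: bytes) -> dict:
    """Read embedded properties from the bytes of a .docx/.pptx/.xlsx file."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        present = set(pkg.namelist())
        for label, (part, tag) in FIELDS.items():
            if part not in present:
                continue  # scrubbed or minimal files may lack a part
            # Files from an adverse party are untrusted input; a hardened
            # XML parser is a sensible swap for ElementTree in production.
            node = ET.fromstring(pkg.read(part)).find(tag, NS)
            if node is not None and node.text:
                found[label] = node.text.strip()
    return found

def created_after(meta: dict, claimed: date) -> bool:
    """True if the embedded creation date is later than the date the document claims."""
    created = datetime.strptime(meta["created"], "%Y-%m-%dT%H:%M:%SZ")
    return created.date() > claimed

def build_sample() -> bytes:
    """Constructed sample: a package holding only the two property parts."""
    core = ('<cp:coreProperties xmlns:cp="%(cp)s" xmlns:dc="%(dc)s" xmlns:dcterms="%(dcterms)s">'
            "<dc:creator>J. Placeholder</dc:creator><cp:lastModifiedBy>Example Assistant</cp:lastModifiedBy>"
            "<dcterms:created>2021-03-04T10:15:00Z</dcterms:created></cp:coreProperties>") % NS
    app = ('<Properties xmlns="%(ep)s"><Application>Microsoft Office Word</Application>'
           "<Company>Example Holdings Ltd</Company></Properties>") % NS
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("docProps/core.xml", core)
        pkg.writestr("docProps/app.xml", app)
    return buf.getvalue()
```

A document dated 2020 on its face whose embedded creation date is in 2021 makes `created_after` return True, which is the kind of discrepancy worth raising with whoever produced it.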

Blockchain Data

Obviously only relevant in my area of the law, but blockchain data is very helpful for uncovering what happened. Crypto leaves records forever, to be investigated at someone's leisure. Bank records disappear and are private. If there's ever crypto addresses involved, the investigations are always easier. Usually a block explorer is enough to figure out what happened, especially using filters on Etherscan.io, such as amount and date filters, which can search every transaction ever for the particular telltale signs of your situation. Sometimes these searches can uncover other addresses and patterns that feed back into the steps above to build up the full picture.

Reverse DNS

It's sometimes possible to find out what websites are being served from an IP address by resolving the site's domain name to its IP address, and then taking the IP and reversing that back to the domains/subdomains being hosted. This doesn't work for cloud services usually, but it does work for the cheap shared hosting and bulletproof hosting used by criminals. I once saw an attack server with subdomains for rival companies, obviously also targets of the same criminal group that targeted my client (and the compliance department warned the other companies about this and shared what we'd gathered). DNS records can be hard to interpret, and they're only sometimes useful, but there's more out there than people think. There are also services with historical archives of this data, so even otherwise-deleted identifiers of an Internet-based crime can be restored, viewed, and connected back to the puzzle.
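The pivot described above, run over historical records, as an added example that is not part of the original post. It assumes passive-DNS rows exported from one of the archive services as (name, IP, first seen, last seen); the row layout, the crowded-IP threshold and every name and address below are constructed.

```python
from collections import defaultdict

# Constructed passive-DNS rows: (name, ip, first_seen, last_seen), ISO dates.
# Names use the reserved .example TLD and IPs come from documentation ranges.
RECORDS = [
    ("portal.suspect-fund.example", "203.0.113.10", "2023-01-05", "2023-03-01"),
    ("suspect-capital.example", "203.0.113.10", "2023-02-10", "2023-02-28"),
    ("suspect-fund-claims.example", "203.0.113.10", "2023-02-20", "2023-04-15"),
    ("old-tenant.example", "203.0.113.10", "2021-06-01", "2021-09-30"),
    ("portal.suspect-fund.example", "198.51.100.7", "2023-03-02", "2023-05-01"),
] + [("site%d.example" % i, "198.51.100.7", "2023-01-01", "2023-12-31") for i in range(40)]

def cohosted(records, target, max_names_per_ip=25):
    """Names that sat on the same IP as `target` during the same period.

    max_names_per_ip is an assumed cut-off: an IP carrying more names than
    that is treated as a cloud or CDN front end, where sharing proves nothing.
    """
    by_ip = defaultdict(list)
    for name, ip, first, last in records:
        by_ip[ip].append((name, first, last))
    hits = {}
    for ip, rows in by_ip.items():
        if len({name for name, _, _ in rows}) > max_names_per_ip:
            continue
        # Periods during which the target itself resolved to this IP.
        windows = [(first, last) for name, first, last in rows if name == target]
        # ISO dates compare correctly as strings; keep names whose period overlaps.
        neighbours = sorted({
            name for name, first, last in rows
            if name != target
            and any(first <= t_last and t_first <= last for t_first, t_last in windows)
        })
        if neighbours:
            hits[ip] = neighbours
    return hits

if __name__ == "__main__":
    for ip, names in cohosted(RECORDS, "portal.suspect-fund.example").items():
        print(ip, names)
```

The earlier tenant of the same address is dropped because its dates do not overlap, which avoids linking a suspect to whoever rented the IP years before.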

Does It Look Legitimate?

Optimistic businesspeople and scammers can look the same. Scammers pretend to be optimistic businesspeople. They impersonate the cluelessness, lack of paperwork, and odd direction changes. But there's a difference between the two: one steals your money and the other doesn't. By carefully looking at the people, history, documents, and structure, it's often possible to show enough clues that a proper litigation process or police process will be able to do the rest. The key to this is to compare what you're seeing to how legitimate businesses operate. There's usually smoke in a few places, especially when looking backwards, now that the fire has happened. The money's gone, that's clear. Who did it? How?

Concluding Remarks

I get calls weekly about investment frauds, often pig-butchering scams. Most of these are done by overseas criminals who are professionals, and the chance of recovery is very low or zero. But sometimes, the fraud was done by a known person or known group of people. These are the people who pretend for years or decades to merely be legitimate businesspeople, and they don't launch their scams from a remote city in Laos. They're not associated with the mafia. These are people or groups of people who live in our communities and don't have the appearance of criminals. People find it hard to believe that they exist because they seem normal and are so brutal in what they do. They steal from people who trust them, and then spin lies for months or years afterwards, and too often, they get away with it.

Crimes dressed up as businesses are a scourge in North America right now. The police say it's a civil matter. The courts aren't prepared to deal with the lies and difficulties of pursuing fundamentally dishonest people. Criminals know this, and they take advantage of the lax approach that exists right now where there's no physical violence involved. But most people would rather be punched and lose their wallet than be scammed out of a million dollars. I've had clients who have lost $10m to criminals.

The losses are devastating and the criminals are remorseless. Thanks to the Internet, they can network with one another, and learn from the many examples out there. Fortunately, criminals are not very creative. Accordingly, by looking for the recurring patterns, and carefully scrutinizing the people/companies involved, familiar patterns can often be seen. Once the scheme is fully understood, it can be handed off to a litigation team or perhaps the police (or both) and recovery might happen. But if the scheme is never understood, the scammers often get away with saying how sorry they are that things didn't work out, despite their best efforts.