Cracking the Shells: A Guide to OSINT and Shell Companies

When it comes to corporate structures, shell companies are perhaps the most deceptive. 

Whilst seeming clean on paper, these entities are often used to hide ownership, obscure illicit flows of money, or distance specific identities from controversy. But under the sharp gaze of an intrepid OSINT investigator, even the best-built corporate cover can start to crack.

In this guide, we’ll walk you through the techniques used by OSINT professionals when investigating shell corporations: where to look, and what to avoid. We’ll reveal how to follow the hidden money (without tipping off your targets), and break through even the toughest shell corporations to find the truth within. So no matter how perfect a Fibonacci spiral of fraud your target has built, you’ll understand how to get to the data you need. Let’s get cracking.

What are Shell Companies, and Why Use OSINT?

A shell company is a business entity that exists on paper, but lacks active business operations. Like a shell around the ‘meat’ of an individual’s real activity, a shell corporation can misdirect attention for whatever reason the owner requires. Most shell corporations are designed to be opaque; often involving nominee directors or offshore jurisdictions, and labyrinthine ownership structures. 

Whilst shell companies can be used for legitimate reasons (like corporate restructuring), they’re also commonly used to mask illicit activities: money laundering, tax evasion, bribery, sanctions evasion… the usual suspects. They can even be used for identity protection - severing connections between an individual and their publicly recorded activity, which is attributed to the company instead. This has a number of legitimate applications, like hiding politically exposed persons (PEPs), for example. But it’s easy to imagine nefarious ones, too. 

You can probably already see how OSINT and shell companies might work together. Although difficult for multiple reasons, OSINT investigations are the best, most effective way to burrow under the surface and discover what’s really going on beneath the shell. By leveraging open data sources - from corporate registries to leaks, social media, vessel tracking, and more - you can reveal the people, payments, and patterns that shell structures are built to protect.

(Want to brush up on the basics? For a 101 guide, check out ‘OSINT Basics: What is OSINT?’)

Diving for Treasure: OSINT Techniques for Discovering Shell Corporations

To break through a shell company’s façade, you need structured, repeatable techniques. This section introduces the core OSINT methods used by investigators working with OSINT and shell companies; exposing ownership trails, asset links, and jurisdictional loopholes that are being exploited by the shell-owners. Here’s our step-by-step strategy for OSINT and shell corporations.

1. Map the Company Structure

The first step to breaking into a shell corporation is understanding its structure. How has the owner organised their shell company, and how is it working to obscure their activities? Start with what little you know: like a name, or a rough location. Maybe you know the jurisdiction where the company is administrated, or even its registration number. Take this information and plug it into public corporate registries, like:

• OpenCorporates (for legal-entity data from US and global companies
• ICIJ Offshore Leaks Database (for featured in the Paradise Papers, Panama Papers, Pandora Papers, Bahama Leaks and more)
• Companies House (for UK companies)

While you’re trawling the corporate seabed, always keep your goal in mind: to map out the complex ecosystem of shareholders, directors, parent companies, and registration addresses connected to your target shell corporation. Keep an eye out for red flags that might signify murky waters; like repeated use of different mailboxes or corporate service providers. 

If the company has nominees with dozens of separate directorships, you may have discovered the nexus of a shell corporation network. You can then take this fishy-looking data and combine it with other types of OSINT analysis. The overlap of corporate data with personal details (LinkedIn bios, reused email addresses) could identify the hermit crab hidden within the corporate shell.

2. Hunt for Leaks and Litigation

When investigating OSINT around shell corporations, leaks and legal documents can give you priceless information about who owns what, and what they’re using it for - especially if they’re doing something nefarious. Use tools like the ICIJ Offshore Leaks Database - alongside similar tools for different jurisdictions and purposes - to check if the organisation you’re investigating has been featured in any recent high-profile leaks. Look for data from leaks like: 

• Panama Papers / Paradise Papers - One of the most historic high-profile leaks of offshore entity data, with over 11.5million files exposed. These documents, taken from the archives of an offshore tax law firm, have provided OSINT data to expose countless shell corporations connected to the world’s most powerful figures.
• FinCEN Files - A leak of more than 2500 documents, covering over 2trillion dollars of transactions between international banks and high-net-worth individuals. These leaks exposed OSINT data around shell companies used for sanction workarounds, money laundering, and other suspicious activity. 

After leaks, look into litigation. Search for lawsuits around suspicious transfers, or any mentions of your target shell corporation in publicly-recorded legal disputes. These databases can contain depositions, emails, and affidavits - alongside other documents that could help substantiate your suspicions.

3. Follow the Money (and Assets)

Shell companies are often used to hold or move funds or assets: from cash, to yachts and planes, to real estate. On the less flashy end, they could be moving chemicals, or even counterfeit goods. You can use OSINT to find what a shell company owns, and what they’re doing with it:

• MarineTraffic and VesselFinder show shipping assets tied to a given corporation
• ADS-B Exchange and FlightRadar24 can track corporate jets
• Property databases - from Zillow to land registry portals - are often searchable by company

Also, look for assets, products or funds that could be related to the kind of activities you have suspicions the shell corp may be involved in. For example, OSINT Industries’ platform has been used to uncover shell corporations that were obscuring the Chinese fentanyl trade. OSINT investigator Julian connected chemical asset transports with fentanyl dealing, using OSINT data gathered on Chinese shell corporations. 

Don’t forget to look for incongruities between company and assets, too. A “dormant” company that owns a $25M Gulfstream jet? A “consultancy” that bought four penthouses? Smells like a shell.

4. Correlate Their Digital Footprints

This should be pretty basic if you’re a seasoned OSINT investigator, but it still bears repeating; always correlate your data with other sources. This is how you turn OSINT data into actionable insights; turning your mapped-out ecosystem, public legal-entity documents, and asset info into a provable record of your shell corporation, its activities -  and its owners. It’s the perfect way to link a shell corporation with a specific person. 

• Use LinkedIn, Facebook, and Twitter to look for employees, directors, or relatives.
• Cross-check email addresses for repeats or links to online accounts
• Review company websites and domain registrations for connections with any of the data you’ve gathered so far. 

Some of the best discoveries in OSINT shell corporation investigations happen by mistake: maybe a director forgot to switch LinkedIn profiles before updating a fake consultancy, or a shell firm reused an IP address from another shady entity. Even metadata or a reused phone number can connect multiple entities.

In Deep Water: Legal Risks With OSINT and Shell Companies

Shell companies often overlap with sensitive issues; like financial crime investigations, state secrets, and even disgruntled individuals who might want to put a stop to your digging around in their business. To keep yourself safe while working with OSINT on shell corps. 

• Know your jurisdiction’s privacy and data handling laws: GDPR, CCPA, UK DPA, etc.
• Be wary of “accidental” scraping of protected financial data or login-only environments. 
• Use caution when profiling politically exposed persons (PEPs) or publishing names, especially when linking them to shell structures.

Both OSINT and shell companies are a legal grey zone in some countries; you can land yourself in some serious trouble if you get too involved. To be on the safe side, work with legal counsel or compliance experts if needed, especially before publication. 

As for keeping yourself hidden, the best defense against being discovered by your targets is good OpSec, and clean digital hygiene. Check out our guide to covering your tracks while investigating, and learn how to preserve your OSINT cyber hygiene. It’s especially vital for sensitive missions like OSINT on shell corporations. 

Read more here: Scrubbing Up on OSINT Cyber Hygiene (Best Practices)

Swimming with the Current: OSINT on Shell Corporations is Easier with OSINT Industries

Cracking a shell corporation with OSINT doesn’t have to be difficult - if you have the tools to do it. OSINT Industries can automate queries and do all the heavy lifting for you, in just a fraction of the time a human would take. Plus, by focusing only on public data with clear source attribution, OSINT tools like ours ensure effortless compliance with data protection laws like GDPR, CCPA, and CAN-SPAM. That’s why cutting-edge tools like OSINT Industries are essential for shell corp investigations; they do all the deep-diving and shell-cracking for you, so you can get to work on analysing the pearls.

‍