Applying Open Source Intelligence to Cyber Crime Investigations

By Stuart Clarke


    Cyber crime is now the fastest-growing type of crime globally. 

    According to a recent study, over 71 million people fall victim to cyber crime each year, and this figure is set to increase. To put its growth in context, cybercrime rates have already increased by 300% over the last few years.1 

    It’s not just a crime that affects individuals, either. Some 64% of companies worldwide have suffered at least one form of cyber attack, and in December 2023 alone companies reported up to 1351 incidents of data breaches and cyber attacks.2 

    To respond to this threat, law enforcement and businesses alike need to take advantage of all the tools and techniques available to battle cyber crime. One such strategy is open source intelligence (OSINT), which seeks to mobilise publicly available data in the fight against cyber criminals.

    In this article, we’ll discuss the role of OSINT within cyber crime investigations and the impact it can have when applied correctly.

    Suggested reading: To learn more about how Law Enforcement can get the most out of OSINT, read our free eBook, The OSINT Handbook for Law Enforcement.

    What is open source intelligence?

    Open source intelligence is the product of open source data (OSD) that has been collected, processed and analysed before being used to drive decision-making processes in open source investigations.

    OSD refers to publicly available information that can be extracted from a wide range of sources. These can include:

    • Government data sources
    • Crime statistics
    • Live internet data
    • Corporate data sources in countries where this data is publicly available 
    • Cyber threat intelligence

    Deployed across both the private and public sectors, OSINT is used in many types of investigations, from anti-money laundering, to fraud, to counter-terrorism.

    OSINT investigations are becoming more commonplace across all of these use cases. This is largely due to an increase in internet activity, which means there is more OSD available to investigators. 

    On top of this, the increase in internet activity also means it’s more crucial than ever that investigators use OSINT – criminals are moving their operations online, meaning that investigators need to use online data to trace their activity and stop them in their tracks. 

    As a consequence, the importance of OSINT is increasingly being recognised outside of the public sector, with compliance requirements beginning to encourage businesses to make the most of this technique.

    Suggested reading: Learn more about the different sources of OSD available in our guide on OSINT sources.

    The role of OSINT in cyber security investigations

    Cyber crime poses a real threat, costing organisations £3 billion from April 2021 to 2022 in the UK alone.3 It’s clear that this crime needs to be taken seriously: not only by ensuring robust measures are in place to hinder attempts at cyber crime, but also by implementing investigation best practices if an attempt should be successful.

    OSINT has significant benefits in a cyber crime investigation context, allowing investigators to unlock insights that aren’t present on official or curated databases. Some of the key benefits of OSINT are:

    • Unmasking criminals: The criminals behind cyber crime often act anonymously, taking significant steps to conceal their identities. With OSINT, investigators can begin to draw connections to a subject of interest’s real-world identity, for example by analysing where the same usernames are used across the web.
    • Tracking online activity: The fact that cyber criminals operate online makes the use of OSINT essential. Although sources like internet forums and publicly available social media accounts might seem less reliable, criminals may have left clues about their identities or operations there.
    • Leveraging dark web data: Criminals talk more openly about their activities on the dark web, which isn’t easily accessible through standard search engines like Google. Whether it’s sharing their techniques or selling the data obtained in cyber attacks, cyber criminals congregate on the dark web, making it a key OSINT data source for investigators.

    We’ll delve into the dark web as a source further later in the article, as well as exploring the other ways OSINT adds value to cyber crime investigations.

    Suggested reading: Sceptical of how reliable OSINT can truly be? Find out more in our article: How reliable is Open Source Intelligence?

    Identifying potential threats

    Cyber crime investigations can be reactive (conducted in response to an incident) or proactive (aiming to identify potential threats before they develop and facilitate evasive action). OSINT helps investigators in both instances. In this section, we’ll focus on its use within proactive investigations.

    Leveraging dark web data

    The dark web is a key data source for cyber crime investigators. Up to 87% of dark web listings are related to some form of criminal activity,4 and cyber criminals often use the dark web to list the personal information and credentials obtained in attacks. For example, one survey of dark web data identified the credentials of 25.9 million Fortune 1000 business accounts and 543 million sensitive employee credentials.5

    Data being listed on the dark web means a breach has already taken place, but it doesn’t necessarily mean this breach has been detected. Therefore, such intelligence gleaned from the dark web can form part of a proactive investigation to prevent further crimes, such as social engineering and fraud. 

    Once an investigator has identified that an organisation or individual’s sensitive information appears on the dark web, they can take proactive action. In a Law Enforcement context, this might mean alerting a company to its compromised information; within a business, this could mean taking the relevant steps to proactively counter further criminal action. Either way, the key steps for the compromised organisation to take are the same:

    • Firstly, organisations need to enforce and expand educational procedures and training programmes to do their best to ensure that company or employee information is not leaked onto the dark web.
    • However, when a breach does occur, organisations can start by using OSINT tools or techniques that make it possible to extend investigative work into the dark web in a secure manner. 
    • Researchers can then recover leaked or stolen information that may put an organisation at risk of a cyber attack in the future.
    • Alongside the recovery of data, organisations should work to plug security vulnerabilities or gaps in organisational protocol. Depending on the type of data leaked, a warning may be distributed to the affected individuals with details of the risk presented and steps towards mitigation. 
    • Messages and communications on dark web forums can expose both internal and external threats through correlations between message tone and language use, usernames, forum signatures, profile images and metadata. 

    Suggested reading: To learn more about how OSINT best practices are developing, read our blog – open source investigation best practices in 2024.

    Uncovering hidden cybercriminal networks

    Reacting appropriately to the discovery of leaked data is an important part of preventing further instances of crime. However, it’s not the only potential outcome of proactive cyber crime investigations.

    Increasingly, cyber criminals are banding together to execute more elaborate attacks. Although the stereotypical image of a cyber criminal might be a lone hacker, in reality cyber crime now looks more like traditional organised crime, with large groups of individuals working together.6

    Investigators can use OSINT to trace connections between the individuals in these groups before they make their next attack. Using leaked data or forums on the dark web as a starting point, investigators can map out criminal networks and even, in certain cases, begin to draw connections to real-world identities. This can theoretically be done manually, but technology such as visualisation tools will increase the effectiveness of investigations and allow investigators to get the most out of OSINT.
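
    As an added illustration of the network mapping described above (example code written for this page, not taken from Videris or any other tool), the sketch below groups forum accounts that share a username, signature or profile image into clusters and records which attribute produced each link. The records are constructed sample data, and the field names (`username`, `signature`, `avatar_hash`) are assumptions.

```python
from collections import defaultdict

# Constructed sample records (not real data): one row per forum account.
ACCOUNTS = [
    {"id": "forumA:dark_raven", "username": "Dark_Raven", "signature": "Escrow only", "avatar_hash": "a1f3"},
    {"id": "forumB:dark_raven", "username": "dark_raven", "signature": "", "avatar_hash": "9c2e"},
    {"id": "forumB:nightcourier", "username": "NightCourier", "signature": "escrow  only", "avatar_hash": "77b0"},
    {"id": "forumC:vendor42", "username": "vendor42", "signature": "fast shipping", "avatar_hash": "5d10"},
    {"id": "forumA:quietfox", "username": "quietfox", "signature": "", "avatar_hash": "5d10"},
    {"id": "forumC:solo", "username": "solo", "signature": "no pm", "avatar_hash": "e8aa"},
]

def normalise(value):
    """Lower-case and collapse whitespace so trivial variations still match."""
    return " ".join(value.lower().split())

def link_accounts(accounts, fields=("username", "signature", "avatar_hash")):
    """Cluster accounts sharing any attribute value; also return the evidence."""
    parent = {acc["id"]: acc["id"] for acc in accounts}

    def find(node):
        # Union-find lookup with path compression.
        while parent[node] != node:
            parent[node] = parent[parent[node]]
            node = parent[node]
        return node

    first_seen = {}  # (field, normalised value) -> first account carrying it
    evidence = []    # (account_a, account_b, field) for analyst review
    for acc in accounts:
        for field in fields:
            raw = acc.get(field)
            if not raw:
                continue  # an empty attribute must never create a link
            key = (field, normalise(raw))
            if key in first_seen:
                evidence.append((first_seen[key], acc["id"], field))
                parent[find(acc["id"])] = find(first_seen[key])
            else:
                first_seen[key] = acc["id"]

    clusters = defaultdict(set)
    for acc_id in parent:
        clusters[find(acc_id)].add(acc_id)
    linked = sorted(sorted(c) for c in clusters.values() if len(c) > 1)
    return linked, evidence

if __name__ == "__main__":
    groups, links = link_accounts(ACCOUNTS)
    for group in groups:
        print(group)
    for link in links:
        print(link)
```

    Each link is a lead for an analyst to review rather than proof of common identity: a widely copied signature or a default profile image will join unrelated accounts, which is why the evidence list is kept alongside the clusters.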

    The importance of information sharing

    It’s crucial to remember that cyber crime facilitates other forms of crime. This makes it even more important to ensure effective response systems and investigative processes are in place. Furthermore, this means that anti-cyber crime teams should work collaboratively with teams who are investigating other forms of crime, and are likely already using OSINT in their operations. Taking a holistic approach is essential – this requires:

    • Learning and developing intelligence to drive improvements.
    • Addressing problems by looking at various sources of data and not point solutions.
    • Leveraging education and sharing intel as it is found.

    Criminals do not make the same distinctions between different forms of crime – such as cyber crime and fraud – that Law Enforcement do. If the teams addressing these crimes do not work together and share intelligence, criminals can exploit the gaps to maximise the profits of their activities. By ensuring information sharing between teams, anti-cyber crime investigators can increase the effectiveness of their OSINT investigations. Combining OSINT with the relevant tooling and other important investigative techniques will help increase effectiveness further.

    Stay resilient in an ever-evolving threat landscape with Videris

    OSINT is a crucial asset for any modern anti-cyber crime investigator, offering them a means to investigate potential evidence left behind by criminals and their associates.

    Investigators can enhance their anti-cyber crime operations further by using OSINT tools, such as Videris, which solve many common investigative challenges. For example, accessing the dark web can be extremely risky, and applying the necessary security measures manually is time-consuming and convoluted. OSINT solutions allow investigators to use dark web resources from within a secure ecosystem, saving them time and ensuring safety of operations.

    By using Videris, investigators can benefit from: 

    • Enhanced search capabilities: Videris search extends into all three layers of the web — the surface, dark, and deep web. Investigators can access data from each layer, alongside other key sources, without having to switch platforms.
    • Network mapping: Videris’ cross-matching tools expose links between individuals and associated parties and networks. Researchers can quickly discover links between named entities, creating visualisations to help them understand criminal networks and identify threat actors.
    • Notes and reporting: Videris provides team working and reporting tools to communicate results between teams and other relevant stakeholders. 
    • Multiple integrations: Videris integrates data from premium third-party sources like Moody’s Orbis and LSEG World-Check. It’s also possible to access additional sources from the platform by connecting to a data repository with an API.

    Videris offers an end-to-end, cutting-edge OSINT platform for cyber security professionals and investigators. All of these features are accessible within the same seamless, secure ecosystem, with flexible deployment options to meet your specific needs. Book a demo today to find out more.
