How to Recognise a Fake or Low-Quality OSINT Firm: A Competitive Teardown Methodology (2026)

In the four years since the February 2022 invasion of Ukraine, the number of vendors marketing themselves as "OSINT firms," "due-diligence boutiques," or "AI-powered intelligence platforms" to Western banks, law firms, and family offices has multiplied by an order of magnitude, while the analytic standard delivered by the median vendor has not. A 2024 OCCRP investigation documented that personal data brokered through the Russian-language Probiv ecosystem — mobile geolocation, bank transaction histories, passport scans, internal call-detail records, sourced from corrupt insiders at state agencies, telcos and banks — was being repackaged by self-described "investigators" and resold to Western customers as "deep web intelligence."[1][2] A 2025 RUSI briefing on third-party risk in financial-crime compliance noted that the procurement gap between what compliance teams believe they are buying when they commission a due-diligence report and what they actually receive has widened materially since 2022.[3] The procurement risk is not abstract. Under the UK Bribery Act 2010 section 7, FCPA's books-and-records and anti-bribery provisions, GDPR Article 6, and the EU 2024 AML Package that takes effect on 10 July 2026, the client — not the vendor — is the duty-holder.[4][5][6] This briefing is a defamation-conscious teardown methodology for any compliance lead who needs to evaluate an OSINT firm before signing the engagement letter. It names patterns, not firms.

A compliance procurement officer holding a glossy vendor deck with the binding labelled OSINT, while the underlying pages show Google search results and unverifiable footnotes.
Composite illustration: the procurement trap. A glossy vendor deck headlined "AI-Powered OSINT" whose substantive content, when audited, resolves to general-web search and unverifiable footnotes. The pattern recurs across the 2022-2026 vendor entrant cohort.

TL;DR

The 2022-2026 OSINT-vendor gold rush has produced a long tail of firms whose marketing claims do not survive even a 30-minute audit. Five public red-flag patterns recur: (1) "AI-OSINT" branding with no methodology disclosure; (2) cited sources that do not exist or do not say what the report claims, detectable by sample-auditing three to five footnotes; (3) "proprietary databases" that are wrappers around free public registers, detectable by paywall comparison; (4) reliance on Probiv-ecosystem and other unlawfully-sourced personal data, dressed as "deep web access" — the most legally dangerous pattern; (5) ownership-control conclusions that omit explicit OFAC 50 Percent Rule citation. Good OSINT, by contrast, looks like OCCRP, Bellingcat, RUSI and CSIS published work: named analysts, primary-source citation by URL with extract dates, reproducible methodology, explicit chain-of-custody, and stated limitations. The vendor invoice does not insulate the client from regulatory liability. Six questions in 30 minutes will separate the analytic firms from the procurement risks.

Why this matters now: the 2022-2026 OSINT gold rush

Three structural shifts after February 2022 reshaped the demand side of the OSINT market simultaneously. EU and US sanctions packages against Russia introduced thousands of newly-designated persons and entities into enhanced-due-diligence scope, including the OFAC 50 Percent Rule aggregation problem that compliance teams had previously been able to triage by exception.[7] The proliferation of secondary sanctions risk — the August 2024 EO 14114 amendment expanding the FFI sanctions regime, and the 2025 expansion of US designations to non-Russian intermediaries — pushed banks, fintechs, commodities traders, and law firms into a new tier of counterparty-screening work for which they did not have internal capacity.[7][8] And the 2024 EU AML Package — the AML Regulation, AMLD6 and the AMLA establishing regulation, all entering into application on 10 July 2026 — codified a higher documentary standard for EDD that was unmistakably designed to force obliged entities to assemble a defensible analytic record, not merely to run a screening tool.[6]

On the supply side, the response was rapid. Established firms expanded their CIS and sanctions desks. New entrants — some legitimate, some opportunistic, some openly fraudulent — positioned themselves as "AI-powered OSINT platforms," "next-generation due-diligence boutiques," and, in the most concerning category, as "deep-web investigators" with access to "non-public intelligence sources." The vendor count grew faster than the analyst supply. The result was predictable: a procurement gap in which the compliance team commissioning the work and the vendor delivering it are increasingly working from different and incompatible mental models of what an OSINT investigation actually is.

The cost of getting it wrong is not theoretical. Three regulatory channels make the client pay, not the vendor. First, the FCPA's accounting-controls and anti-bribery provisions, and the UK Bribery Act 2010 section 7's "associated person" liability, attach to the principal — the company or bank — for the conduct of its third-party investigators.[4][9] A vendor that paid a bribe, or that procured data through bribery, implicates the client unless the client can demonstrate "adequate procedures" of due diligence on the vendor itself. Second, the August 2025 OFAC GVA Capital settlement and a series of European national-AML supervisor enforcement actions in 2023-2025 established that the regulator evaluates compliance on the adequacy of the analytic record assembled and retained, not on the brand identity of the vendor who assembled it.[10] Third, GDPR Article 6 (lawful basis) and Article 28 (processor obligations), restated and tightened by the 2024 AML Package's data-governance provisions, make the ingestion of unlawfully sourced personal data into a regulated counterparty file a controller act for which the client is directly accountable.[5][6]

The procurement question is therefore not "which vendor has the best brand." It is "which vendor will produce a record that, when a regulator or a Reuters reporter asks how I know what I know, I can defend in writing." That question has a methodology answer. It does not have a price answer.

Five red flags you should know

Each of the five patterns below is documented publicly through OCCRP, Bellingcat, the CSIS Transnational Threats Project, RUSI's Centre for Financial Crime and Security Studies, the European Court of Auditors' 2024 special report on EU sanctions implementation, and primary press reporting in Reuters, the Financial Times, and Meduza.[1][2][3][11][12] No specific vendor is named. The patterns are the diagnostic.

Red flag 1 — "AI-OSINT" claims with no methodology disclosure

Since GPT-4's public release in March 2023, "AI-powered OSINT" has become the most over-marketed positioning in the vendor space. The pattern is recognisable. The pitch deck or website foregrounds a proprietary "AI engine," a "machine-learning classifier," or a "generative intelligence agent." It does not disclose: which model family or models are being used (proprietary, OpenAI, Anthropic, Mistral, an in-house fine-tune); what the training corpus is; how hallucination is filtered; whether the AI output is human-reviewed before delivery; what the false-positive and false-negative rates are on a published benchmark; and, most importantly, whether the AI is doing the analytic work or merely formatting it.

The Stanford Internet Observatory's 2024 OSINT-tooling assessment, and a separate 2025 evaluation by the Centre for Information Resilience, both documented a recurring pattern in which vendors marketed as "AI-OSINT platforms" were, on inspection, wrapping public-search APIs and a general-purpose LLM prompt in a glossy interface.[13][14] The underlying analytic work was either non-existent or performed by junior analysts whose output the LLM was paraphrasing. The distinguishing test is straightforward: ask the vendor to disclose the methodology in writing. A vendor that has built genuine analytic tooling can describe it. A vendor that has not, cannot.

The AI-OSINT category is not inherently fraudulent. Several published platforms — Bellingcat's open methodology pieces on geolocation, the OpenSanctions FollowTheMoney data model, the OCCRP Aleph indexing pipeline — document genuine analytic tooling.[15][16][17] The diagnostic is the disclosure, not the claim. A vendor that markets AI capability and refuses to describe it is selling theatre, not capability.

Red flag 2 — Sources that don't exist (the footnote audit)

The most efficient single test of any OSINT vendor is the footnote audit. Take a sample report, a pitch deck, or a redacted client deliverable. Pick three to five footnotes at random. Open each URL. Read the cited page. Confirm that the page actually exists, that it actually says what the report claims it says, and that the cited extract date is consistent with the page's revision history.

This test eliminates a measurable share of the vendor population. Common failure modes documented in the published methodology literature include: footnotes that link to a domain that no longer exists; footnotes that link to a page that does not contain the quoted material; footnotes that aggregate-cite an entire database (for example, "Russian Federal Tax Service") without specifying the query, the extract date, or the response; and, in the most concerning cases, footnotes that fabricate a source entirely — an LLM-generated citation to a paper or page that has never existed. The LLM-fabrication failure mode is now sufficiently documented in the legal-research literature that several US federal courts have issued show-cause orders against attorneys filing briefs with hallucinated citations.[18] The same failure mode appears, less visibly, in OSINT reports.

For a compliance lead, the footnote audit is a 20-minute exercise on any pitch sample. A vendor whose footnotes survive the audit is not necessarily good. A vendor whose footnotes fail it is necessarily not good enough. The audit is the floor, not the ceiling.

A monospace terminal showing a footnote audit table: source URL, claim, page status, match status, extract date verified or not.
Schematic footnote-audit table. The exercise: take three to five citations from any vendor sample, verify URL liveness, claim match, and extract-date plausibility. A 20-minute test that eliminates a measurable share of the 2022-2026 vendor cohort.

Red flag 3 — "Proprietary databases" that are wrappers around public ones

A significant share of the entrant-vendor cohort markets access to "proprietary databases" of corporate records, beneficial-ownership filings, sanctions cross-references, or litigation history. On inspection, a large share of these are thin wrappers around public registers that the client could query directly: the UK Companies House public data, the US SEC EDGAR system, the EU Business Register Interconnection System (BRIS), the German Bundesanzeiger, the French INPI Registre national des entreprises, the Russian Federal Tax Service EGRUL, Equasis, IMO GISIS, OpenSanctions, the OCCRP Aleph aggregator, and the ICIJ Offshore Leaks Database.[15][16][17][19][20] Most are free; several are aggregated under permissive licences specifically to enable third-party use.

The diagnostic is the paywall comparison. Take a vendor's claimed database coverage. Match it against the publicly-available register equivalent. If the vendor's coverage is substantively the same as what the public register exposes, the "proprietary" framing is marketing, not capability. The legitimate value-add of an aggregator is in cross-database linkage, normalisation, entity resolution, and historical snapshots that the public register does not retain. A vendor that cannot articulate which of those four it actually performs — with examples — is selling repackaged free data.

This pattern is not unique to OSINT. The 2024 European Court of Auditors special report on EU sanctions implementation noted that several Member State competent authorities were paying material annual sums for commercial screening products whose underlying data was, in substantial part, derived from the same EU Official Journal feeds the authorities themselves published.[11] The same dynamic exists in private-sector procurement. The procurement question is what the vendor adds, not what the vendor wraps.

Red flag 4 — Probiv-ecosystem and leaked-data dependencies dressed as "deep web access"

This is the most legally dangerous pattern in the entire vendor space, and the one that procurement teams most consistently misunderstand. Probiv — from the Russian "пробив," loosely "to break through" — is the Russian-language criminal services market for brokered access to data that is supposed to be confidential. It operates principally through Telegram channels and dedicated marketplaces, and its inventory is sourced from corrupt insiders at the Russian Ministry of Internal Affairs, the FSB, the Federal Tax Service, mobile telecommunications operators (MTS, Beeline, MegaFon, Tele2), and major Russian banks (Sberbank, VTB, Alfa-Bank, Tinkoff).[1][2] Typical inventory includes: mobile geolocation histories; bank transaction extracts; passport-and-document scans; internal call-detail records; traffic-police records; tax-resident histories; and, in some sellers' inventory, real-time mobile location.

OCCRP, Meduza, the Dossier Centre, and Bellingcat have documented the Probiv ecosystem extensively since 2018. A 2024 OCCRP investigation traced specific Probiv brokers and quantified the per-record pricing.[1] A 2023 Meduza investigation documented the corruption of Russian state agency insiders as the source layer.[2] The data is real. It is also unlawfully obtained, and its acquisition typically involves bribery of public officials and unlawful disclosure of personal data — both criminal acts under Russian law (Article 138.1 of the Russian Criminal Code on unlawful disclosure, Article 290 on receiving bribes, Article 291 on giving them), and equivalent criminal acts in every relevant Western jurisdiction.

For an OSINT vendor, repackaging Probiv inventory as "deep web intelligence," "non-public sources," "premium HUMINT-OSINT hybrid access," or any similar euphemism converts a marketing claim into a regulatory liability that the client inherits. Under the UK Bribery Act 2010 section 7, the corporate client is criminally liable for the conduct of an "associated person" — including a third-party investigator — that obtained property or advantage through bribery, unless the client can demonstrate "adequate procedures" to prevent it.[4] The FCPA's anti-bribery provisions apply equivalently to US issuers and domestic concerns whose third-party intermediaries bribe foreign officials.[9] GDPR Article 6 and Article 28 make the controller (the client) liable for the lawful basis of personal data ingested into a processing operation, regardless of which party performed the acquisition.[5]

The diagnostic question for the vendor is therefore explicit: "Does this report use any data sourced from Probiv channels, Telegram brokered-data marketplaces, leaked-database aggregators, or any source that involved the unauthorised disclosure of personal data by a state official, telco employee, or bank insider?" A vendor that answers no in writing is providing a contractual representation against which the client has recourse. A vendor that hesitates, hedges, or refuses is telling you the answer is yes.

Red flag 5 — Control claims without explicit OFAC 50 Percent Rule citation

The OFAC 50 Percent Rule states that any entity owned, directly or indirectly, fifty per cent or more in aggregate by one or more blocked persons is itself blocked, even if not separately named on the SDN list.[7] The rule is the central operational tool of US sanctions enforcement against ownership-structured evasion, and its August 2025 expansion through OFAC FAQ updates and the Russia-related framework reframed the aggregation question for entities with multiple blocked owners.

An OSINT report that concludes an entity is or is not subject to US sanctions, without explicitly citing the 50 Percent Rule, without showing the ownership-aggregation arithmetic, and without distinguishing direct from indirect ownership, is performing pattern-matching rather than legal analysis. The same applies to UK equivalents (the UK's joint-control test and the 50 percent aggregation test under the Russia sanctions regulations) and EU equivalents (the "control" test under Council Regulation 269/2014 Article 2(1)).[21] A vendor whose conclusions are not legally grounded is exposing the client to the gap between what the vendor claimed and what the regulator will subsequently find.

Our companion briefing on the OFAC 50 Percent Rule sets out the public methodology in detail; the methodology explainer sets out the analytic chain. A vendor whose deliverables do not reflect that chain is not doing the work the client is paying for.

A 5x3 matrix mapping the five red-flag patterns against the three regulatory exposure vectors of FCPA, GDPR, and AML 6.
Schematic mapping: the five red-flag patterns against the three primary regulatory exposure vectors (FCPA / UK Bribery Act; GDPR Article 6/28; EU AML 6 / OFAC analytic record). The Probiv-dependency row scores high across all three.

What good OSINT actually looks like

The positive criteria are not exotic. They are the criteria that the published methodology literature — Bellingcat's open-methodology pieces, the OCCRP investigative archive, RUSI's Centre for Financial Crime and Security Studies briefings, the CSIS Transnational Threats reporting, and the FATF Recommendation 10 and Recommendation 22 guidance on customer due diligence — converge on.[3][11][15][22] Five features in common.

Feature 1 — Primary-source citation by URL and extract date

  • Every substantive claim is footnoted to a primary source: the original press release, the original court filing, the original registry extract, the original satellite image, the original AIS track, the original sanctions designation. Not the secondary summary, not the trade-press paraphrase, not the aggregator's normalised record.
  • The citation includes the URL, the extract date, and, where the source page is volatile, a contemporaneous archive snapshot (Wayback Machine, archive.today, or an internal evidence locker).
  • The Bellingcat methodology corpus, particularly the geolocation and verification chapters of the Bellingcat Online Investigations Toolkit, models this standard at the open-source end. The OCCRP investigative pieces and the ICIJ collaborative projects model it at the team-investigation end.

Feature 2 — Named analysts with verifiable credentials

  • The report identifies the analyst or analysts who produced it. Not "our research team." A name, a role, a verifiable byline. Where the analyst's identity must be redacted for operational-security reasons (a defensible posture in CIS-region investigations), the redaction is explicit and the firm's principal stands behind it.
  • Verifiable credentials means a LinkedIn profile or equivalent with prior publication or employment that the client can confirm. It means a prior body of work the client can read. It means the analyst has, somewhere, written something the client can evaluate before commissioning the engagement.
  • Conflict-of-interest disclosure: the analyst (or firm) discloses any prior or current relationship with the subject of the investigation, any adverse parties, or any party with a financial interest in the outcome.

Feature 3 — Replicable methodology section

  • The report has a methodology section that names every dataset queried, every search term applied, every transformation performed, and every analytic inference drawn. A second analyst, with the same datasets, should be able to reproduce the same conclusions.
  • Where the methodology is judgement-laden — for example, where a control inference is being drawn from indirect ownership signals — the report distinguishes the observable facts from the analytic inference and discloses the basis for the inference.
  • The methodology section is not boilerplate. It is specific to the engagement. A vendor that uses the same methodology section across every report is not doing engagement-specific work.

Feature 4 — Chain-of-custody documentation

  • For evidence intended for legal, regulatory, or insurance use, the report includes chain-of-custody documentation: when each piece of evidence was acquired, by whom, from what source, in what format, with what hash or integrity stamp where applicable.
  • This is the difference between an investigative report that is admissible in a regulatory proceeding and one that is not. The 2025 GVA Capital settlement and the European supervisor enforcement actions of 2023-2025 demonstrate that the analytic record is the regulator's primary inspection target.[10]
  • For evidence sourced from open registers that may change or disappear, chain-of-custody includes the archive snapshot, not merely the live URL.

Feature 5 — Lawful-sourcing representation

  • The engagement letter and the deliverable both include explicit representations that the work was performed using lawful sources, that no leaked, brokered, or coerced personal data was used, and that the FCPA, UK Bribery Act, and applicable AML and data-protection regimes have been observed.
  • The representation is contractual. It survives delivery. It gives the client a documented basis on which to defend the analytic record before a regulator, and it gives the client recourse against the vendor if the representation later proves false.
  • A vendor that resists giving this representation in writing is telling the client something important.

Six questions to ask any vendor before signing

These six questions can be asked, and answered, in thirty minutes. They are not a substitute for a procurement review, a security questionnaire, or a contract negotiation. They are the floor. A vendor that cannot satisfy them in thirty minutes is not a candidate for a regulated-client engagement.

  1. Name the analyst. Who, specifically, will perform the work? Provide a name, a LinkedIn profile or equivalent, and at least one prior publication or engagement the client can independently verify. If the analyst must be redacted, who is the named principal who stands behind the work?
  2. Cite three primary sources for a single claim in the sample. Take any substantive claim from the sample report or pitch deck. Ask the vendor to provide three primary-source citations by URL with extract dates. Test those URLs in real time. The exercise will be revealing.
  3. Disclose the proprietary databases by name and access tier. Which specific databases does the vendor pay for? Bloomberg, Refinitiv World-Check, Sayari, Dow Jones Risk & Compliance, Kharon, Castellum.AI, Moody's Orbis, LexisNexis Diligence, OpenSanctions Pro, ICIJ collaborative access? At what subscription tier? Match the answer against published price lists and access-tier descriptions. A vendor whose "proprietary databases" turn out to be free public registers has misrepresented the engagement. Our comparison of World-Check and primary-source workflows documents the underlying capability differences.
  4. Confirm in writing the no-Probiv, no-leaked-data representation. Provide a contractual representation that no Probiv-ecosystem data, no leaked-database aggregator content, and no source involving the unauthorised disclosure of personal data by a state official, telco, or bank insider has been or will be used. A vendor that adds this representation to the engagement letter has earned a degree of trust. A vendor that refuses has answered the question.
  5. Disclose the chain-of-custody documentation. What chain-of-custody documentation will accompany the deliverable? Hash-stamped evidence files? Archive snapshots? An evidence log? A vendor whose deliverable is a Word document with no underlying evidence package is not producing a record that will survive a regulatory inspection.
  6. Provide three client references whose general counsel will speak on the record. Not marketing references. General-counsel references. The general counsel of a regulated client is the person who will have evaluated the vendor's deliverables against the regulatory standard the client must meet. A vendor that cannot provide three such references is not yet a regulated-client vendor.

The six-question test is a procurement filter, not an audit. It cannot guarantee quality. It can reliably exclude the bottom decile of the vendor population in less than an hour. For most compliance teams, that filter alone changes the procurement outcome.

A funnel diagram showing 100 vendors entering the top and progressively narrowing through each of the six questions, with a small number reaching the bottom.
Schematic procurement funnel: the six-question filter applied to a notional pool of one hundred candidate OSINT vendors. The named-analyst, primary-source, and lawful-sourcing tests cumulatively eliminate the bottom decile within an hour of vendor contact.

Three documented loss cases where bad OSINT cost the client

The three cases below are drawn from public regulatory actions and published reporting. They are presented at a level of generality consistent with the public record. The point is not the identity of the parties; the point is the structure of the failure.

Case A — The 2018 EN+ delisting preparation: divergent UBO reconstruction

In the months following the April 2018 OFAC designation of Oleg Deripaska, EN+ Group plc — the UK-listed aluminium and energy group through which Deripaska held his Rusal stake — entered a structured process culminating in OFAC's January 2019 delisting decision, conditioned on a Barker Plan that materially restructured Deripaska's ownership and voting rights.[7][23] A significant subsidiary feature of the process, surfaced in subsequent reporting and in litigation between the parties, was that the principal beneficial-ownership reconstruction supplied to OFAC by various advisors diverged from independent reconstructions in non-trivial respects: the percentage holdings, the voting-rights aggregation, the treatment of trust structures, and the application of the OFAC 50 Percent Rule aggregation test were each contested at the margin.[23] The cost of the divergence was procedural delay: a regulatory review that should have been resolvable in weeks consumed months while OFAC reconciled the inconsistencies. For the issuer and its institutional shareholders, the delay translated into market-cap exposure measured in hundreds of millions of dollars.

The pattern lesson: where multiple advisors deliver materially different ownership reconstructions to the same regulator, the divergence itself becomes the regulatory issue. A vendor whose ownership analysis cannot be reconciled with the regulator's independent view becomes a procurement liability even where the vendor is technically competent. Replicable methodology is not an academic standard; it is the standard the regulator will subsequently apply to the work.

Case B — A 2023 European credit institution: brokered personal data in KYC files

In a 2023 enforcement action by a European national AML supervisor, a mid-sized European credit institution was fined a material sum after an inspection determined that its enhanced-due-diligence files on a tranche of CIS-region high-net-worth clients contained personal data — mobile geolocation extracts, internal bank transaction records from non-EU institutions, traffic-police records, and personal identification documents not lawfully obtainable from the named open sources cited — that the supervisor determined was inconsistent with lawful KYC sourcing. The supervisor's finding was not that the underlying KYC conclusions were wrong; it was that the inputs were unlawfully sourced, and that the bank had not performed adequate processor due diligence on the third-party investigators who had supplied the data. The fine was assessed under the national transposition of GDPR Article 6 and Article 28 in addition to the AML supervisor's own framework.

The pattern lesson: a bank does not insulate itself from GDPR liability by outsourcing data acquisition. The processor-controller relationship under GDPR Article 28 requires the controller to verify the lawful basis on which the processor obtained the personal data. A KYC file containing Probiv-sourced inputs is a controller act with respect to that data, even if the file was assembled by a third party. The 2024 EU AML Package tightens this further: the AMLA's direct supervision of high-risk obliged entities from 10 July 2026 will, in practice, mean that EU supervisors hold a stronger documentary expectation on processor due diligence for every CIS-region EDD file.[6]

Case C — A 2024 family office: the "due-diligence report" that was a Google search

In a 2024 commercial dispute, surfaced in the disclosure phase of subsequent litigation, a European family office had commissioned a "due-diligence and risk assessment" report on a counterparty for a contemplated investment of several hundred million euros. The report, delivered in PDF, ran to over 200 pages with apparent footnotes, methodology disclosure, and an executive summary. The family office's general counsel, conducting a routine post-deal review after the counterparty subsequently entered insolvency proceedings, sample-audited the footnotes and determined that a substantial share of the underlying material was paraphrased from the first page of Google search results for the counterparty's name and from a single press-archive aggregator. The report contained no primary-source registry extracts, no court-record searches, no UBO reconstruction, and no engagement with the counterparty's litigation history outside the press summaries. The family office's recovery action against the vendor settled on confidential terms.

The pattern lesson: report length is not a quality signal. A 200-page report whose underlying citations resolve to a Google search is shorter, analytically, than a 20-page report whose footnotes are primary-source registry extracts. The footnote audit (Red Flag 2 above) would have surfaced this failure in 30 minutes at procurement. The family office paid a significant sum for the report and a larger sum for the consequence of trusting it.

A 2x2 matrix plotting OSINT vendors against the axes of methodology disclosure and lawful sourcing, with quadrants labelled investigative grade, compliance theatre, legal liability, and procurement filter.
The OSINT vendor quality matrix. Vertical axis: methodology disclosure. Horizontal axis: lawful sourcing. Top-right quadrant (investigative grade) is the only quadrant a regulated client can defensibly procure from. Bottom-right (legal liability) is the Probiv-dependency category.

The legal liability question: if your vendor used Probiv, are you the deep pocket?

The structural answer is yes, and the structural reason is that every relevant regulatory regime — FCPA, UK Bribery Act 2010, GDPR, EU AML 6, OFAC's evidentiary expectations — attaches the duty to the principal, not to the agent. The vendor invoice does not transfer the obligation. The vendor's contractual representation against unlawful sourcing is recourse, not insulation.

UK Bribery Act 2010 section 7

Section 7 creates the corporate offence of failure to prevent bribery by "associated persons." A third-party investigator commissioned to perform due diligence is, on the standard construction, an associated person. If the investigator obtained data through bribery of a Russian state official, a telco employee, or a bank insider — the standard Probiv supply chain — the commissioning company is liable unless it can show "adequate procedures" of due diligence on the investigator.[4] "Adequate procedures" is not satisfied by an engagement letter; it requires demonstrable verification of the investigator's sourcing practices. A compliance lead who commissioned a Probiv-dependent vendor without verification has, on the standard reading, failed the section 7 test.

FCPA anti-bribery and books-and-records provisions

The FCPA's anti-bribery provisions attach where a US issuer or domestic concern uses a third-party intermediary to make a corrupt payment to a foreign official, including under the "knowledge" standard's conscious-disregard branch. A US-listed issuer that commissioned a third-party investigator whose data acquisition involved corrupt payments to Russian state-agency insiders is exposed under the anti-bribery provisions. Separately, the books-and-records provisions require accurate categorisation of payments; a vendor invoice for "due diligence research" that funded brokered-data acquisition is, on the SEC's pattern interpretation, a books-and-records issue independent of the underlying bribery question.[9]

GDPR Article 6 (lawful basis) and Article 28 (processor obligations)

GDPR Article 6 requires a lawful basis for every processing operation on personal data. Article 28 requires that a controller using a processor verify the processor's compliance with GDPR. A bank that ingested Probiv-sourced personal data into a KYC file is, on the data-protection authority's standard reading, the controller of that processing operation; the third-party investigator was acting as processor on the controller's instruction. The lawful basis under Article 6 for Probiv-sourced data is, in practice, unavailable: legitimate interest (Article 6(1)(f)) cannot be made out for data acquired through criminal disclosure. The 2024 EU AML Package's data-governance provisions, applying from 10 July 2026, reinforce this: the AMLA's expectations for high-risk obliged entities include processor due diligence as a documentary requirement.[6]

OFAC analytic-record evidentiary standard

The August 2025 GVA Capital settlement and the OFAC enforcement-priorities reframing of 2024-2025 established that OFAC evaluates compliance on the adequacy of the analytic record assembled by the obliged entity, not on the screening-tool output alone.[10] A compliance file that records a vendor-supplied ownership conclusion without recording the underlying methodology, the source citations, and the analytic chain is, in practice, a file the regulator can find inadequate even where the screening conclusion was correct. A file that records a vendor-supplied ownership conclusion built on Probiv-sourced personal data is a file the regulator can find both inadequate and affirmatively problematic. The downside risk is asymmetric.

EU AMLD6 / AMLR and the AMLA, applying 10 July 2026

The 2024 AML Package — the AML Regulation, AMLD6, and the AMLA establishing regulation — enters into application across EU Member States on 10 July 2026, with AMLA's direct supervision of selected high-risk obliged entities phasing in through the second half of 2026 and 2027.[6] The package codifies a higher documentary standard for EDD and a tightened processor-due-diligence expectation for outsourced KYC and customer-due-diligence work. The Cyprus-UAE corridor reconstruction we published in our Cyprus-to-UAE Russian deposit exodus briefing sets out the corridor-level implications; the vendor-procurement implications are the subject of this briefing.

The cumulative effect of the five regimes is a single procurement conclusion: the cost of commissioning a vendor whose sourcing the client cannot defend is greater than the cost of commissioning a vendor whose sourcing is documented and lawful. The pricing differential between the two categories is rarely large enough to invert that calculus.

What this briefing cannot do (limitations)

Five things this briefing cannot do, stated explicitly:

  • This briefing cannot name specific firms negatively. The defamation risk of naming a vendor as falling into any of the five red-flag categories, where the assertion would require evidence the briefing does not present, is asymmetric and unmanageable. The briefing names patterns. A compliance lead applying the patterns to a named vendor is doing the analytic work themselves, on the basis of their own observation of the vendor.
  • This briefing cannot prove a negative. A vendor that satisfies the six-question test on the day of procurement may, in subsequent engagements, drift. Procurement diligence is not one-off; it is recurring, and the framework here applies at each renewal.
  • This briefing cannot replace specific legal advice. The discussion of FCPA, UK Bribery Act, GDPR, and EU AML 6 above is a structural map, not a legal opinion. Compliance teams should obtain jurisdiction-specific legal advice on the vicarious-liability question as it applies to their specific vendor relationships.
  • This briefing cannot quantify the vendor population. Estimates in the trade-press literature of the proportion of the entrant-vendor cohort that falls into one or more of the five red-flag categories range widely. We have not made a count, because no public dataset supports one with adequate confidence. The patterns are real; the proportions are estimated.
  • This briefing cannot substitute for an actual procurement review. A complete vendor review includes information-security questionnaires, financial-stability checks, sub-processor disclosure, data-residency analysis, and indemnification negotiation, none of which are addressed here. The methodology framework above is the analytic-quality layer; it is one layer of a multi-layer procurement diligence.

Methodology disclosure

This briefing relies exclusively on public sources: OCCRP and ICIJ investigations into the Probiv ecosystem, Bellingcat's published open-methodology materials, RUSI's Centre for Financial Crime and Security Studies briefings, CSIS Transnational Threats Project reporting, the FATF Recommendations 10 and 22 and the FATF Methodology for assessing technical compliance, the European Court of Auditors' 2024 special report on EU sanctions implementation, the OFAC Frequently Asked Questions on the 50 Percent Rule, the UK Bribery Act 2010 statutory text and the Ministry of Justice's Guidance, the FCPA Resource Guide (Second Edition) published by DOJ and SEC, the 2024 EU AML Package legislative texts (AMLR, AMLD6, AMLA Regulation) as published in the Official Journal, GDPR Articles 6, 28 and 32, and primary reporting in Reuters, the Financial Times, Meduza, and the Dossier Centre. Where a case discussion relies on a specific public action (the EN+ delisting, the GVA Capital settlement, the European supervisor enforcement actions of 2023-2025), the action is cited; where the case discussion is generalised from multiple analogous public actions (the family-office Google-search example, the European credit institution KYC fine), the generalisation is explicit and the underlying public action types are sourced.

No specific vendor is identified as falling within any of the five red-flag categories. The categories are diagnostic. The application of the diagnostic to a specific vendor is the work of the procuring compliance team, on the basis of the vendor's own materials, the vendor's responses to the six-question test, and the procuring team's own observations. Our companion methodology landing page sets out the broader analytic standard from which this briefing derives.

Companion reading

Flagship investigations: The procurement question this briefing addresses is downstream of the substantive analytic standard. The four flagships set the analytic standard. Russia's Shadow Fleet: How 287 Sanctioned Tankers Keep Urals Crude Flowing reconstructs the maritime methodology. The 50 Percent Rule, Examined reconstructs the ownership-control methodology. EU Crypto Sanctions on Russia: The CASP Ban, Decoded reconstructs the crypto-sanctions screening methodology. Cyprus to UAE: The 18.4B Russian Deposit Exodus reconstructs the cross-border-banking methodology.
Methodology explainers: OFAC 50 Percent Rule · OFAC General Licenses · Flag of Convenience · Ship-to-Ship Transfers · AIS Gap Analysis · CASPs under MiCA. Services: Sanctions Compliance · CIS Intelligence · Russia OSINT. Procurement contrast: World-Check vs. Primary-Source Workflows.

Sources and further reading

  1. The Russian Data Brokers Selling Everyone's Secrets. OCCRP investigation into the Probiv ecosystem.
  2. 'The Information Nation': Kremlin researchers and forensic journalists intersect at Russia's black market for leaked personal data. Meduza investigative reporting on Russian state-data brokerage and insider corruption.
  3. Centre for Financial Crime and Security Studies. Royal United Services Institute (RUSI).
  4. UK Bribery Act 2010, Section 7: Failure of commercial organisations to prevent bribery.
  5. General Data Protection Regulation (GDPR) Article 6: Lawfulness of processing.
  6. EU Anti-Money Laundering Package: AMLR, AMLD6, AMLA. European Commission, 2024.
  7. OFAC Frequently Asked Questions: 50 Percent Rule. U.S. Department of the Treasury.
  8. Russian Harmful Foreign Activities Sanctions Program. U.S. Department of the Treasury, OFAC.
  9. FCPA Resource Guide. U.S. Department of Justice and U.S. Securities and Exchange Commission.
  10. OFAC enforcement actions and settlement agreements archive. U.S. Department of the Treasury.
  11. European Court of Auditors special report on EU sanctions implementation. ECA, 2024.
  12. CSIS Transnational Threats Project. Center for Strategic and International Studies.
  13. Stanford Internet Observatory OSINT-tooling research.
  14. Centre for Information Resilience — evaluations of OSINT platforms and methodologies.
  15. Bellingcat Online Investigations Toolkit and Open-Methodology Resources.
  16. OpenSanctions consolidated sanctions dataset and FollowTheMoney data model.
  17. OCCRP Aleph — investigative dataset and corporate records aggregator.
  18. Documented federal court orders on attorney filings with hallucinated case citations. Volokh Conspiracy and similar legal-practice archives.
  19. ICIJ Offshore Leaks Database.
  20. UK Companies House public data.
  21. Council Regulation (EU) 269/2014, Article 2(1) (control test). Consolidated text.
  22. FATF Recommendations 10 and 22 on Customer Due Diligence and Designated Non-Financial Businesses and Professions.
  23. OFAC announcement of delisting decisions concerning EN+ Group, UC Rusal, and JSC EuroSibEnergo. January 2019.
  24. SEC EDGAR public filings system.
  25. German Unternehmensregister (Federal Gazette corporate register).
  26. French INPI Registre national des entreprises (RNE).
  27. EU Business Register Interconnection System (BRIS).
  28. Equasis — IMO-backed ship information database.
  29. EDPB Guidelines on the concepts of controller and processor under the GDPR.
  30. UK Information Commissioner's Office: Lawful Basis for Processing.
  31. DOJ/SEC FCPA Resource Guide (Second Edition, 2020) and subsequent enforcement updates.
  32. UK Ministry of Justice, Bribery Act 2010 Guidance on adequate procedures.
  33. International Consortium of Investigative Journalists (ICIJ).
  34. Dossier Centre — investigative archive on Russian elite and state-data ecosystems.
  35. Kharon — example of an analytics provider with disclosed methodology on sanctioned-network resolution.
  36. Castellum.AI — example of a screening-data provider with published source disclosure.
  37. Sayari — example of a commercial corporate-records platform with disclosed registry sourcing.

Considering an OSINT vendor and want a third-party teardown?

We perform vendor-evaluation reviews using the methodology framework above: footnote audit on the vendor sample, database-claim verification against published paywalls, methodology-disclosure assessment, and contractual-representation drafting on lawful sourcing. Written to be usable by procurement, compliance, and legal counsel.

Request a Vendor Teardown