Somewhere in the supply chain behind a glossy "deep-web intelligence" report on a Russian counterparty, there is often a bribed clerk. The Russian-language market that trades in that clerk's access has a name — probiv (пробив) — and for the better part of a decade it has functioned as an industrial-scale bazaar for data that no public register lawfully holds: passport files, live mobile geolocation, bank statements, call-detail records, border crossings. Investigative outlets from OCCRP to Bellingcat to Meduza have documented it since roughly 2018.[1][2][3] What has changed since 2022 is the demand side: a wave of new "OSINT" and "due-diligence" vendors selling to Western banks, law firms and family offices, some of whom quietly resell probiv output as their own analysis. This briefing explains what probiv is, how it is sourced and delivered, how it reaches a Western desk disguised as intelligence — and why the legal exposure lands on the firm that buys the report, not the broker who sold the data.
TL;DR
Probiv is Russia's market for brokered access to non-public personal data, sourced from corrupt insiders at telcos, banks and state agencies and delivered largely through Telegram bots, channels and intermediaries. It is not OSINT — OSINT is lawful open-source collection; probiv is bought insider theft. Reporting has documented a full price list, from a few dollars for a phone-to-name lookup to hundreds or thousands for bank statements and live geolocation (reported ranges; verify against primary sources). The danger to a Western buyer is not reputational alone: ingesting probiv-sourced personal data into a KYC, EDD or litigation file engages GDPR Article 6, UK Bribery Act section 7, the FCPA, and — from 10 July 2026 — the EU AML Package, all of which put the duty on the client, not the vendor. The defensive test is simple: if a report hands you a subject's current location, live bank balance, or internal passport scan, it was not built by OSINT, and it is a liability you now own. Legitimate Russia/CIS intelligence reconstructs ownership and risk from primary public records — EGRUL, SPARK, courts, sanctions lists — and states its sources.
What "probiv" actually means
The word пробив comes from the verb пробить — to punch or break through. In criminal slang it means to "look someone up" by breaking through the barrier that is supposed to keep their data private. A probivshchik (пробивщик) is the intermediary who takes a request — a phone number, a name, a car plate, a passport number — and returns whatever the buyer paid for. The market is not a single site or forum; it is a distributed ecosystem of Telegram bots and channels, closed forums, and word-of-mouth brokers, layered on top of a supply chain of corrupt insiders.[1][3]
The crucial distinction, and the one that vendors deliberately blur, is lawfulness of source. Open-source intelligence draws on information that is lawfully accessible: a company's entry in the Unified State Register of Legal Entities (EGRUL), a court judgment, an OFAC or EU sanctions designation, a vessel's AIS track, a published news report. Probiv draws on information that is unlawful to disclose: the contents of a passport file, the position of a mobile handset, the transactions on a bank account. The first is the raw material of a defensible investigation. The second is stolen goods with a receipt.
The taxonomy: what is actually for sale
Reporting over several years has documented a consistent menu of probiv "products," each priced by how hard the underlying access is to obtain and how sensitive the data is. The categories below are drawn from published investigations; treat the specifics as reported rather than independently verified.
| Category | What it exposes | Typical source |
|---|---|---|
| Phone ↔ identity | Name, DOB, and linked accounts behind a mobile number, or the number behind a name | Telco insiders; aggregated breach dumps |
| Passport / identity file | Passport series and number, registration address, issued documents | MVD / migration-service insiders |
| Vehicle & traffic | Car ownership, registration history, fines, traffic-camera hits | Traffic-police (GIBDD) database access |
| Mobile geolocation | Current or historical handset position, sometimes near real-time | Corrupt telco engineers |
| Call-detail records (CDR) | Who a subject called, when, and from where | Telco billing-system insiders |
| Banking | Account existence, balances, statements, card data | Bank employees; call-centre staff |
| Border crossings / travel | Entry-exit records, flight manifests | Border-service and airline insiders |
Two features of this menu matter for anyone assessing a work product. First, none of these categories is reconstructable from open sources — you cannot derive a live handset position from EGRUL. So if a report contains them, it did not obtain them lawfully. Second, the reliability of the data is not guaranteed by its illicit price: probiv records can be stale, partial, mixed up between namesakes, or — because the market rewards a "hit" — quietly fabricated to satisfy a paying request. A file built on this material carries a forensic-reliability problem on top of its legal one.
The supply side: it runs on bribery
The engine of probiv is the corrupt insider. A telecom engineer with billing-system access, a bank call-centre operator, a clerk in a migration office, a traffic-police officer with a database terminal — each can be paid, per lookup or on retainer, to extract records. Investigations have documented the recruitment of such insiders and the internal-security arms races at Russian telcos and banks trying to detect them.[3][4] Where a live insider is not available, the market falls back on breached and leaked databases, which are themselves frequently the product of earlier insider theft or intrusion.
This is the fact that makes probiv legally radioactive downstream: the data originates in a criminal act — bribery of an official or employee, unauthorised access to a computer system, and unlawful disclosure of personal data, each an offence under Russian law itself (among others, Articles 137, 183 and 272 of the Russian Criminal Code). When that data is later bought by a Western intermediary and passed to a Western client, the criminality does not evaporate at the border. It becomes a bribery-and-stolen-data problem inside the client's own compliance file.
The delivery layer: Telegram bots and channels
For roughly the last decade the dominant retail channel for probiv has been Telegram. The pattern, documented repeatedly in reporting, is a lookup bot: the user sends a query — a phone number, a name, a plate — and the bot returns aggregated results, charging per query or via subscription, often bundling genuinely public data with breach dumps and, at higher tiers, insider-sourced records.[1][5] Some of the best-known services were large enough to draw the attention of the Russian regulator Roskomnadzor and law enforcement, with several publicly reported to have been restricted, blocked, or their operators detained — after which functionally similar successors reappeared under new names. The churn is a feature: the ecosystem is resilient precisely because no single bot is load-bearing.
This is also why a cluster of search demand — queries like "osint telegram bot," "leak osint bot," and "osint password leak" — sits directly on top of the probiv market. Much of what is marketed to hobbyists as a free "OSINT bot" is a consumer-facing skin over the same breach-and-insider aggregation. The line between a legitimate breach-notification service (which tells you whether your credentials leaked) and a probiv bot (which tells anyone everything about a target) is exactly the line between a lawful tool and an unlawful one. We are deliberately not naming or linking active services here; the point is recognition, not access.
The reliability trap
Analysts sometimes assume that because probiv data is expensive and illicit, it must be accurate. The opposite incentive is at work. A probivshchik is paid for a result, not for the truth, and the buyer usually cannot verify the return against any authoritative source — that is the whole reason they went to the grey market. Stale positions, transposed namesakes, and outright invention all satisfy the transaction. Any investigative conclusion resting on a single probiv "hit," with no lawful corroboration, is unsafe on evidentiary grounds alone, before the legality question is even reached.
How it reaches a Western desk labelled "intelligence"
The laundering path is short. A grey-market aggregator or a probivshchik supplies raw records; an intermediary vendor — sometimes a one-person "boutique," sometimes a slicker "AI-powered platform" — repackages them into a formatted report, strips or obscures the provenance, and sells the result to a Western customer as "deep web intelligence," "closed-source access," or "proprietary database" findings. A 2024 OCCRP investigation documented exactly this: personal data brokered through the Russian-language probiv ecosystem being resold to Western customers by self-described investigators.[1]
The tells are consistent, and we have written the full procurement teardown separately in how to recognise a fake or low-quality OSINT firm. The short version: a report that contains a subject's current location, live financials, internal identity documents, or call records, with no citable public source and a suspiciously fast turnaround, is not the output of open-source analysis. It is repackaged probiv, and the vendor's invoice is the only thing standing between you and the underlying theft.
Why it is your problem: the buyer is the duty-holder
The instinct of a compliance team handed such a report is that the vendor bears the risk — the client merely commissioned "research." That instinct is wrong under every framework that matters, because each attaches its duty to the party that uses the analytic record.
- GDPR Article 6 (and Articles 5, 10). There is no lawful basis on which a controller can process personal data that was obtained unlawfully. Ingesting probiv-sourced records into a KYC or EDD file is a processing act by the client as controller; "our vendor sourced it" is not a lawful basis. Article 10 adds specific constraints around data relating to offences.
- UK Bribery Act 2010, section 7. A commercial organisation is liable for failing to prevent bribery by an "associated person." A vendor that obtained data by paying a Russian insider is arguably an associated person committing bribery to perform services for the client. The statutory defence is "adequate procedures" — which a firm that never asked how its due-diligence data was sourced will struggle to demonstrate.
- FCPA — anti-bribery and books-and-records. For issuers and US-nexus firms, the accounting-controls and anti-bribery provisions reach third-party intermediaries; a due-diligence supply chain running on bribed foreign officials is precisely the exposure the statute targets.
- EU AML Package (AMLR / AMLD6 / AMLA), applying from 10 July 2026. Obliged entities are assessed on the adequacy and lawfulness of the record they assemble for customer due diligence. A file whose evidentiary spine is unlawfully-obtained personal data is not a compliant record; it is a finding waiting for a supervisor.
The common thread: outsourcing the collection does not outsource the duty. The regulator, the court, and the DPA all look at the file you relied on and ask how it was built. "We didn't know" is not an answer a bank, a law firm, or an issuer gets to give twice.
The honest complication: journalism is not compliance
No serious treatment of probiv can skip the most famous cases in which grey-market Russian data was used for unambiguous public good. Investigative outlets have reported purchasing leaked telephone, travel and passport records to attribute the 2018 Skripal poisoning and the 2020 Navalny poisoning to named officers of the GRU and FSB.[2] That work exposed state assassination programmes. It is not the same activity as a bank screening a commercial counterparty, and it does not sit under the same duties: public-interest journalism operates with exemptions and a proportionality calculus that a regulated obliged entity does not have. The lesson for a compliance reader is not "probiv is fine because Bellingcat used it." It is that the identical data category which can be defensible for a journalist exposing a murder is a direct GDPR, anti-bribery and AML liability when it lands in your KYC file. Context and duty decide, and your context is regulated.
The defensive checklist: is this report probiv-tainted?
Run any Russia/CIS work product you receive through these questions before it enters a file. A "yes" to the first group is a stop-work signal.
Red flags of unlawful sourcing
- Does it contain the subject's current or recent geolocation? No open register holds this.
- Does it contain live bank balances, statements or card data? Not lawfully public anywhere.
- Does it contain internal passport-file scans, call-detail records, or traffic-police histories? These are insider-database products.
- Does it claim "deep web," "closed database," or "special access" for Russia without stating a lawful basis?
- Was the turnaround implausibly fast for data that lawfully requires registry requests?
- Are there no source URLs, no extract dates, no chain of custody — just assertions?
What a lawfully-sourced report shows instead
- Ownership reconstructed from EGRUL / EGRIP, SPARK-Interfax, Rosstat filings, each citable.
- Sanctions exposure mapped against OFAC SDN, the EU Official Journal, UK OFSI with the 50 Percent Rule applied explicitly.
- Litigation and enforcement history from court and bailiff records.
- Every load-bearing fact carries a source, an extract date, and a confidence tag, and unverifiable claims are labelled as such.
This is the standard we hold our own intelligence briefs to, and it is why every one of them ships with an auditable source register rather than a set of unsourced assertions. If you want to see the discipline applied end to end, our how to trace a Russian company's beneficial owner brief reconstructs a full ownership chain using only citable public records — the lawful alternative to buying a passport scan.
Contractual defence: the one clause to add
The single most effective procurement control is a written representation and warranty in the engagement letter that the vendor has not used, and will not use, any leaked, brokered, coerced, or insider-sourced personal data (probiv-ecosystem or otherwise), that all personal data was obtained from lawful sources, and that the vendor will disclose its primary sources on request. A vendor that resists this clause is telling you something. A vendor that signs it and breaches it has handed you a contractual and indemnity position you would not otherwise have. Either way, asking the question is itself part of the "adequate procedures" defence.
What this briefing cannot do
It cannot certify any specific vendor as clean or tainted — that requires a source-level review of the actual work product. It does not quantify the current size of the probiv market, which is unmeasured and shifting. The prices and service patterns described are drawn from published reporting across several years and should be verified against primary sources before being cited as current. And it is not legal advice: the regulatory analysis here is a compliance-risk map, not a substitute for counsel on a specific matter.
Methodology & sourcing discipline
This explainer synthesises public reporting on the Russian data-broker market from investigative organisations listed in Sources below. Consistent with our all-Reported policy, no figure or service detail here is asserted as independently confirmed; each is attributed to public reporting and flagged as reported. We name no active probiv service and provide no access pathway. The legal framework is stated as it applies to regulated obliged entities and should be confirmed with counsel for any specific engagement.
Companion reading
- How to Recognise a Fake or Low-Quality OSINT Firm — the full procurement teardown, including the footnote audit and database-claim tests.
- Telegram OSINT Investigation: The Analyst's Playbook — how lawful Telegram investigation actually works.
- Dark Web Threat Landscape 2026 — where breach and leak markets sit in the wider picture.
- How to Verify Russian Company Ownership — the lawful, citable alternative workflow.
Sources and further reading
- OCCRP — Organized Crime and Corruption Reporting Project: investigations into the Russian data-broker market and its resale into Western due-diligence products. Start at occrp.org.
- Bellingcat: reporting on the use of purchased Russian telephone, travel and passport data in the Skripal (2018) and Navalny (2020) attributions. Start at bellingcat.com.
- Meduza and The Insider: Russian-language reporting on probiv services, Telegram lookup bots, and insider recruitment at telcos and banks. meduza.io; theins.ru.
- IStories (Важные истории) and other independent Russian outlets: coverage of data leaks, insider markets, and law-enforcement action against probiv operators.
- UK Bribery Act 2010 (section 7); US FCPA; GDPR (Regulation (EU) 2016/679), Articles 5, 6 and 10; EU Anti-Money-Laundering Package (AMLR/AMLD6/AMLA), applying from 10 July 2026 — consult primary legislation and counsel.
Need a Russia/CIS investigation you can put in a regulated file?
We deliver lawfully-sourced, fully-cited intelligence on Russian and CIS counterparties — ownership, sanctions exposure, and risk reconstructed from primary public records, with an auditable source register and explicit confidence tagging. No probiv, ever. If you have received a report you are not sure you can rely on, we also review third-party work product for unlawful sourcing.
Commission a Sourced Investigation