The Counterparty Who Wasn’t There
The board of a European fintech preparing an early growth round met on a Tuesday and considered, among other items, an unsolicited investor proposal that had landed on the CEO’s desk the week before. The proposed terms were better than the round’s current lead investor by a wide margin. The investor presented as a successful private individual based in the United Arab Emirates with two prior fintech exits in the previous decade. The pitch deck was professional. The introduction had come through a credible third party. The candidate’s personal website was tidy. His LinkedIn record was clean. The standard commercial-database screens against the major adverse-media providers returned nothing.
The fintech’s board, between them, had been around long enough to find this combination — unsolicited, generous, foreign, untraceable in negative-news indices — cause for additional verification rather than relief. The general counsel sent us a single line of instruction: “Tell us anything the standard screens won’t.” The scope was open. The clock was two weeks until the term sheet went to legal. The candidate, in the meantime, was patient and pleasant and made no demands.
“Unsolicited capital from a stranger at better-than-market terms is almost always either nothing or everything. We needed to know which before we put it in front of our existing investors.”
— General counsel, European fintech (Series B-stage)
What the Registries Said
The first pass was biographical. Every claim on the candidate’s CV was tested against contemporaneous public records in every jurisdiction he had lived in. The educational claim held up: the named institution confirmed, in plain reading of its public alumni records, that the candidate had indeed completed a degree in the stated discipline at the stated time. The claimed early-career employment did not. The two firms named on his CV for the first six years of his career had operating histories visible through corporate-registry archives and, in one case, through the cached archive of their own historical staff pages on the Wayback Machine; the candidate’s name appeared on neither. He had been at the educational institution. He had not been at the firms that were the bulk of his stated track record.
The exits, on inspection, were embellished. One had occurred but was substantially smaller than the CV implied; the other had occurred in the sense that the named entity had been wound up rather than acquired, and the cleanest public records of the winding-up did not list the candidate as a beneficial-receiving party. The CV was, in the technical sense, not fabricated; it was selectively edited in a way that would not survive any patient cross-reference. None of these findings was itself disqualifying. They were, however, the early indicators that the candidate’s biographical surface was a polished one and that the underlying record was different.
“A CV that doesn’t survive a Wayback check tells you what the candidate wants you to believe. It also tells you what the candidate is hiding.”
— Senior due-diligence analyst, [0x]INT
The persistent identifier across the candidate’s digital history was a personal phone number first attached to a Russian mobile prefix and ported to a UAE prefix two years before the term-sheet conversation. Phone-number lookups against public-domain breach-data corpora — the kinds of corpora documented at Have I Been Pwned and indexed by various public-domain searchable mirrors — surfaced the number in two breaches dated 2021 and 2023. The 2023 corpus also exposed an email handle the candidate had not disclosed in any of his current-day surface materials.
The Layer Underneath the Layer
The email handle was the pivot. Username re-use enumeration across darknet markets and stolen-data vending forums surfaced a vendor account with sustained activity over an eighteen-month period selling stolen credentials and personal-data dumps. The vendor profile photograph reverse-imaged, via TinEye and additional perceptual-hash searches, to a known-good likeness of the candidate that he had used himself on an earlier (pre-2020) professional website. The photograph had been lightly edited — a different shirt colour, a small adjustment to the background — in a way that defeated some commercial reverse-image tools but did not defeat perceptual-hash matching tuned to skin-region and facial-landmark invariants. The vendor account’s posting cadence, on independent analysis, matched a time-zone offset consistent with Moscow in 2020-2021 and a Dubai offset thereafter, which lined up against the candidate’s documented relocation.
The Russian Federal Bailiffs’ Service enforcement database at fssp.gov.ru returned five open enforcement actions against the candidate’s full name and date-of-birth, with cumulative principal materially in excess of the proposed term-sheet round size. Two of the actions were tax-related — arrears on personal income tax and on a defunct sole-proprietorship trading entity from his pre-relocation years. Three were private-judgement enforcements arising from a Moscow city court matter the candidate’s CV did not mention. The court matter’s case file, retrievable in summary form via the relevant kad.arbitr.ru and mos-gorsud.ru public docket indices, recorded the candidate as named defendant in a commercial-dispute action that had culminated in a judgement against him for breach of a private supply contract. The enforcements were live. The bailiff service had been unable to recover.
“Five live FSSP enforcements against a man who had relocated his domicile and reinvented his professional identity is not a man with a clean record. It’s a man who had reasons to leave.”
— Senior due-diligence analyst, [0x]INT
The fourth pivot was domain history. Passive-DNS records on the candidate’s polished current personal website — pullable through SecurityTrails and via the historical DNS-archive projects mirrored across various public-domain indices — revealed that the current site had been spun up four months before the unsolicited proposal landed. An earlier site on the same domain, fully archived on Wayback, had advertised a substantially different professional identity: a Moscow-based credentials brokerage with a contact form, a pricing page denominated in cryptocurrency, and customer-testimonial content that lined up, on cross-reference, against the darknet vendor account’s public-feedback record. The same apex domain had hosted, four months before the term sheet, a substantively criminal commercial offering, and the operator had simply re-purposed the apex into a clean private-investor page without recognising that the historical content was preserved.
Where the Money Touched Ground
We delivered a structured background-check report identifying every adverse finding with documented citation chain. Each finding was paired with the primary source establishing it, the capture date, the certified translation where required, and an explicit chain-of-inference paragraph for any conclusion that rested on more than direct registry evidence. The board’s decision did not require interpretation of the deliverable; the deliverable was self-evident.
// Adverse-finding summary
- Biographical embellishment. Two of the three named pre-2020 employers had no record of the candidate; one of two stated exits was overstated, the other was a wind-up not an acquisition.
- Persistent personal phone. Russian mobile prefix ported to UAE prefix two years before the proposal; surfaced in two breach corpora.
- Undisclosed email handle. Surfaced in 2023 breach corpus; tied via username re-use to a darknet-market vendor account.
- Darknet vendor account. Eighteen months of sustained activity selling stolen credentials and personal-data dumps; reverse-image match to lightly-edited likeness of the candidate.
- Five FSSP enforcements. Two tax-related, three from a Moscow city court breach-of-contract judgement; cumulative principal materially above the round size.
- Pre-existing apex domain. Same domain had hosted a Moscow-based credentials brokerage with cryptocurrency-denominated pricing four months before the term sheet; current polished site spun up immediately after that brokerage went dark.
The fintech’s board declined the proposed investment at the next session. The legal team escalated nothing because nothing needed escalation: the candidate withdrew the term sheet within two business days of receiving the board’s polite decline. The candidate did not ask why. The fintech’s standard pre-investment due-diligence checklist now incorporates the breach-corpus, darknet-vendor-cross-reference, FSSP-enforcement and apex-domain-history steps documented in this matter. No subsequent investor in any of the fintech’s rounds has surfaced any related adverse indicator on screening.
“He withdrew the term sheet within forty-eight hours of our decline. That, by itself, told us everything we needed about whether the decline was the right call.”
— General counsel, European fintech (Series B-stage)
What We Took Away
Three patterns from this Dark Leaks engagement that have generalised across our subsequent pre-investment due-diligence work, particularly against candidates with a Russia-nexus and a recent UAE relocation. In each, the decisive adverse findings came from breach corpora and dark-web leaks the standard commercial screens never index.
The standard commercial adverse-media tools are not enough on their own. The major commercial PEP and adverse-media databases are excellent at surfacing what has been formally reported in indexed media. They are weak at surfacing darknet-vendor pseudonyms, FSSP enforcements (which are public but unstructured for non-Russian-language ingestion), and historical apex-domain re-purposing. A candidate who has been deliberately polished for an unsolicited approach will have been polished against precisely the inputs the commercial tools rely on. The check has to extend to the unindexed corners of the internet: breach corpora, darknet markets, FSSP, archived apex domains. Our enhanced due-diligence brief at /services/due-diligence/ walks through the integrated workflow.
Reverse-image matching has to be perceptual-hash-aware. A candidate who has uploaded a lightly-edited variant of his own likeness to a darknet vendor account, four years before reinventing himself for a private-investor approach, will defeat most commercial reverse-image tools that depend on exact-pixel match or on shallow feature extraction. Perceptual-hash matching tuned to facial landmarks survives crops, shirt-colour edits, background substitutions, and modest filter alterations. Free tools (TinEye, Google Images) provide the first pass; perceptual-hash libraries from the open-source forensic community handle the cases the consumer tools miss.
The apex domain is a witness against its owner. The internet is unforgiving about archived content. The candidate had assumed that overwriting the contents of a domain would erase the prior contents. The contents were preserved on Wayback. The passive-DNS history was preserved across multiple commercial and public providers. The Certificate Transparency log indices, including crt.sh, recorded every TLS certificate the apex had ever issued. Any candidate whose current personal website is less than twelve months old, in our experience, warrants an aggressive historical pull on the same apex. The cost of the pull is twenty minutes. The cost of missing the pull, as this engagement demonstrated, is substantially larger.
// Result
Hidden darknet-vending account, five open FSSP enforcements, biographical embellishments and a re-purposed apex domain surfaced before close; investment declined, no capital deployed, term sheet withdrawn by the candidate within forty-eight hours, due-diligence checklist updated.
External public-record sources referenced in this methodology
- Federal Bailiffs’ Service of Russia (FSSP) — enforcement-action database.
- kad.arbitr.ru — Russian commercial-court (arbitrazh) case-file index.
- Internet Archive Wayback Machine — archived web content.
- SecurityTrails — passive-DNS and domain-history archive.
- crt.sh — Certificate Transparency search interface.
- Have I Been Pwned — aggregated breach-corpus index.
- TinEye — reverse-image search service.
- OpenSanctions — consolidated sanctions and PEP dataset (used as a complementary cross-check).
About this engagement
Case identifiers, the fintech’s sector and jurisdiction, the candidate’s nationality and named relocation history, and all individually identifying details of the candidate’s named former employers, the specific Moscow city court matter, and the apex-domain history have been adjusted to protect client confidentiality. The methodology, the role of passive-DNS history and Wayback in surfacing apex-domain re-purposing, the use of perceptual-hash reverse-image matching against lightly-edited likenesses, the FSSP enforcement-database pivot, and the substantive shape of the adverse-finding profile are accurate to the engagement.
Need a similar investigation?
Pre-investment background checks against candidates whose surface profile is too clean for the stated history are one of our most-requested engagements. We run the full integrated workflow — biographical, breach-corpus, darknet, FSSP, apex-domain-history — inside a single deliverable suitable to support a board decline note. Typical turnaround for an enhanced pre-investment due-diligence report is seven to fourteen working days.
Request a Case Brief