OSINT Blog / Post

June 19, 2024

Hunting for Open Secrets: How OSINT Can Help You Intercept a Scandal

For centuries, access to information was limited by human, geographic, and technological limitations. Corruption was typically a conversation behind closed doors. Fast forward to the year 2021, and information is everywhere. That means the conversation is often closer - and more accessible - than you might think. Sometimes it’s held right in the middle of a crowded public domain. The key is knowing what to look and listen for: whether that’s a footnote in a company’s accounts, a closed WhatsApp group, or an open hashtag on Twitter.

As high-profile scandals of the last few years have shown, the data is often out there for the taking. It’s less a question of whether it will be found, and more a question of when. Whether you’re a journalist or analyst looking to get the scoop - or an organization looking to catch and address internal problems before they escalate - the winner will be the person best equipped to locate, retrieve, and interpret it. 

Smoke, Fire, Scandal: How Information Sparks Action

What is a scandal? And how is a scandal exposed? At its most basic, scandal begins life as a concealed activity that transgresses social, cultural, legal, or regulatory rules and norms. It achieves “scandal” status when it is made public, damaging reputations, and exposing those involved to the social and legal consequences of their actions. 

Exposure is a question of information: who knows what, where information lies, how it can be accessed, and - perhaps most importantly - when it is identified, processed, and publicized. Once information is made public, it is no longer under the control of a small group of people. It effectively becomes public property, subject not only to broader legal and regulatory investigations, but to trial by media, and the court of public opinion. The timing, presentation, and agency of information exposure decide its consequences. 

2018’s #AidToo: A Disaster Years in the Making

In February 2018, The Times newspaper published a front-page investigation into sexual exploitation and abuse by Oxfam workers in Haiti. It was the start of a tidal wave of scandal that shook the foundations of major organizations across the humanitarian sector, from Save the Children through to Médecins Sans Frontières, World Vision, and even the United Nations. Within months, Oxfam’s standing and reputation were in tatters: donors and partners were cutting ties, public support had all but flatlined, senior staff was resigning under pressure, and official investigations had been launched by the Charity Commission and the UK parliament’s international development committee.

But this eruption didn’t manifest from thin air. Indications of a brewing storm could be found much earlier: not buried in secret documents or anonymous leaks, but sprinkled across the open source environment. For the last five years, Oxfam’s annual accounts - publicly accessible on UK Companies House - had been reporting rising allegations of sexual exploitation and abuse perpetrated by its staff and partners. Anyone diligent (or nosy) enough to read through 34 pages of small print to reach the section entitled “Safeguarding” would have found that recorded allegations for the year 2016/17 had risen to 87 - compared to just 19 in the year 2012/13.

This fourfold increase in the space of five years should, in itself, present a red flag. But contextualized with wider data, the picture becomes still more interesting. The allegations that broke against Oxfam related to events that had taken place in Haiti in 2011. At the time, figures for sexual abuse allegations were detailed not in the company's annual accounts, but in “Accountability Reports” published annually on their website. 

These figures more than doubled the year of the events in question, from 5 in the year 2010/11, to 12 in the year 2011/12. The same year, the media and the organization's own accounts reported that Oxfam had appointed a “Global Safeguarding Coordinator.” And in 2013/14 Oxfam began including abuse figures in their annual accounts for the first time, starting with those for the year after the scandal (2012/13). Incidentally, 2012 was also the year of their last published Accountability Report. An analyst putting these movements together might question what was driving this sudden flurry of activity around the subject of abuse and accountability. In particular, they might ask why it happened so soon after an internal investigation into vaguely referenced “staff misconduct in Haiti,” which had resulted in the dismissal or resignation of no less than six Oxfam employees - including country director Roland van Hauwermeiren.

2019’s Muddy Waters: Behind the Veil of Corporate Deceit

In 2019, short-seller Muddy Waters issued a report assessing that FTSE 100 company NMC Health had overpaid for assets, inflated cash balances, and understated debt. The resulting scandal knocked NMC off the FTSE 100 index, saw off the large majority of its senior management, threw the company into administration, and triggered official (ongoing) investigations in both the United Kingdom and the United Arab Emirates. 

The company’s auditors, Ernst & Young LLP (EY), had never publicly raised concerns over NMC’s statements and became the focus of a separate probe by the UK accounting regulator. Just how did Muddy Waters pick up on the glaring problem that EY, with their extensive resources and privileged access to NMC’s data, appeared to have missed?

Unlike the auditors, Muddy Waters’ research was based entirely on “publicly available information, field research, inferences, and deductions.” Their comparison of NMC’s own reported figures with wider data, to reveal glaring overpayments in the case of two major investments, is a slick example of how open source intelligence (OSINT) can show up the fabrications of corporate deception against a clearly drawn factual landscape.

Scrutinizing NMC’s much-trumpeted opening of Brightpoint Hospital (later renamed NMC Royal Women’s Hospital) in 2014, and the acquisition of Premier Care Home Medical and Health Care LLC in 2018, Muddy Waters’ analysts declared themselves “incredulous” at the extent to which NMC appeared to have inflated payments. 

Setting NMC’s reported build costs for Brightpoint (an estimated $7,686 per square meter) against those of existing hospitals in the UAE, they assessed them to be 106% above the standard average (between $3,000 and $4,000 per square meter). Digging further into the background of Modular Concepts LLC - the primary contractor for the redevelopment, and therefore the primary beneficiary of these exaggerated building costs - they found that it was, in fact, controlled by NMC’s own shareholder, Bavaguthu Raghuram Shetty. They further deduced that NMC was the company’s top customer, comprising 80% of its revenues. Modular Concept’s minority shareholder, one Kukinadi Pradeep Kumar Rai, was found to be NMC’s Head of Procurement, Pradeep Rai, whilst its main Dubai office was registered to the UAE Exchange Building, which is named after a key subsidiary of NMC’s sister company, Finablr. 

These “substantial entanglements” enabled Muddy Waters to identify Modular Concepts as a de facto related party of NMC. They also identified the involvement of the KBBO Group in the development: another entity that turned out to be controlled by an NMC representative, in this case, vice-chairman Khalifa Bin Butti. Muddy Water’s sources, thoroughly footnoted in their final report, ranged from publicly available company documents, through to credit reports, open source satellite imagery, and employee profiles on LinkedIn. 

A significant part of Muddy Waters’ report was given over to a damning assessment of NMC’s financial statements. They were able to cast significant doubt on the integrity of these statements, not by relying on the financial figures alone, but by setting them against critical context drawn from a broad range of accessible sources. This included corporate registries, media reporting, industry data, Security & Exchange Commission (SEC) filings, source interviews, and even archived web pages that appeared to have been deleted in a potential cover-up attempt. It’s worth noting that human source interviews are often fundamentally OSINT-dependent: without the ability to research, identify, and profile well-placed and reliable sources, there can be no source interview. 

Going further still, Muddy Waters were able to shed some light on possible explanations for EY’s striking oversights in their role as auditor. They scoured media reporting and LinkedIn to flesh out the background of some of NMC and Finablr’s supposedly “independent” directors, two of whom were found to be former EY partners. What’s more, EY had given NMC three different Senior Statutory Auditors (or "engagement partners”) in the space of four years, in stark contrast to the standard five-to-seven year term served by a single audit partner. Such high turnover might suggest a desire to prevent the development of an overly rigorous approach to the figures.

From the vantage point of a substantial, well-documented burden of proof, the report was able to conclude on a confident note: “We are unsure how deep the rot at NMC goes, but we do not believe that its insiders or financials can be trusted.”

Into 2020: Social Media Shows its Hand

In a sense the “Wild West” of the information world, social media is a terrain well worth understanding, and mastering, for anyone caught up in the twenty-first century information gold rush. Although rife with inaccurate, misleading, or indeed useless information, it also contains seams of gold for those with the know-how, tools, and mindset to sift through the noise and locate them. 

As the fallout from #AidToo continues to make waves, for example, campaigners are becoming increasingly aware of the power of social media to create spaces in which internally suppressed information can escape the organizational veil: to be voiced, shared, and amplified. Those with an ear to the ground will be able to spot and verify valuable information contained in these conversations, help it break out of the social media pen, and into mainstream awareness.

In March this year, the UK’s Charity Commission published a damning report into 2018’s allegations of sexual harassment by senior executives at Save the Children. Those named in the report included former CEO Justin Forsyth and former director of policy Brendan Cox. The complaints against Forsyth dated back to 2012, and those against Cox to 2015. According to an analysis by journalist and academic Glenda Cooper, the conversation was fierce on social media long before it broke into the mainstream media. For years, women working in the humanitarian sector had been using WhatsApp and Facebook groups to share information. These include the “Fifty Shades of Aid” Facebook group, launched in 2015. Initially a forum for tales of “lighthearted stories” of dating in the field, its nature changed drastically when one poster shared a serious account of harassment and abuse - triggering an outpouring of similar tales.

To an investigator, such conversations would be a critical source of information, source or witness identification and development. And they are not limited to closed groups. Off the back of the #MeToo campaign in 2017, an #AidToo hashtag emerged, specifically focused on tales of harassment, exploitation, and abuse in the humanitarian sector. Humanitarian website Devex even hosted a public tweetchat around the hashtag, as did UK national newspaper The Guardian

2021 and Beyond: A World of Open Secrets

Perhaps more shocking than scandal itself, in today’s world, is the availability of the information that can break one. Gone are the days when an intricate surveillance operation, a man on the inside, or indeed a botched robbery was needed to flag up clandestine activity. In 2021, information has become a fundamental part of our everyday environment. In that environment, perpetrators leave tracks, and victims plant red flags.

All information, of course - particularly as misinformation and disinformation become ever more prolific - needs to be rigorously interrogated, analyzed, verified, and substantiated before it can be considered to be reliable. Fortunately, OSINT technology is keeping pace with the rapid evolution of the information environment to provide advanced methods not just for locating information, but for interpreting, validating, and synthesizing it into actionable intelligence. 

In the cases explored above, researchers would have benefited from the ability to search not just the surface web, but the deep web where company documents are often held - including internal documents that an organization may not realize it’s put online, or documents that have been taken off the front-facing website for one reason or another. Social media coverage, in complement to this, would provide important means for comparing official data with ground truth, and for the identification and profiling of sources. The ability to rapidly perform large numbers of targeted string searches - that’s to say, indicative phrases, words, combinations, and variations of these, that can be used in search engines to help pin down specific reporting or documents - and to create real-time alerts based on these searches, would flag up noteworthy events and activities as they happen. Nuanced geographic and linguistic search capabilities would enable investigators to cover widespread jurisdictions in their research, and allow for informational variations or errors: for example, the misspelling of a subject’s name in a document, or press coverage in a foreign language, which would not otherwise be flagged. Locating archived evidence - deleted documents or images, edited web pages, etc - can be critical, as well as the ability to document the development and timeline of any changes or attempted removals. 

As with all intelligence, more important than anything else is the ability to connect the dots: to identify obscure or non-apparent connections between data, events, entities, and individuals. Identifying and collecting the puzzle pieces is one thing: putting them together correctly is another thing entirely. Whilst it’s hard to replace human intuition in this final mile of the intelligence process, the most advanced contemporary technologies make use of artificial intelligence to help analysts and investigators draw connections they would not otherwise have seen. 

In a world full of open secrets, comprehensive but well-targeted OSINT is a vital capability for anyone looking to identify valuable information before the rest of the crowd. Those who are best equipped will be the first to spot important information when they see it, to gather it at the necessary scale and pace, with rigor and discernment, and to analyze it in such a way as to see the bigger picture. Whether or not you believe the old saying that “where there's smoke there’s fire,” information is the real dynamite. The difference between a fizzle and a bang is in the quality and quantity of the information behind it. And of course, as ever, timing.