Learn best practices to protect your identity and stay secure during high-risk financial fraud investigations.

The vast amount of digital data accessible for public use presents numerous opportunities for financial fraud investigators to uncover evidence and track illicit money flows. However, the fact that data is publicly available does not mean collecting it is risk-free. Many financial fraud investigations involve inspecting sophisticated criminal networks, money laundering operations, and state-backed financial schemes from countries like North Korea, Iran, and Russia. These entities possess vast resources to track online investigators and uncover their plans. When investigating high-value targets like international money laundering networks or large-scale financial fraud operations, investigators face direct threats if their identity is exposed. Criminal organizations often employ skilled hackers and advanced tracking technology to identify and counter those investigating their financial activities. Modern protection techniques have therefore become essential for preventing external observation during financial fraud investigations, especially when dealing with well-funded and organized criminal entities that can retaliate against investigators.

Methods to anonymize online activities

The cornerstone of protecting digital identity during online operations lies in anonymizing activities and personas. Two primary technologies serve this purpose:

Virtual Private Networks (VPNs)

A VPN is a technology that creates a secure connection between two points online, for example between a user's computing device and the web server hosting the website they are visiting. A VPN uses encryption protocols such as IKEv2/IPsec, OpenVPN and WireGuard to scramble the connection data so that external observers cannot read the connection contents. When a user connects through a VPN service, the VPN provider's IP address appears to the destination instead of the user's own IP address.

In the OSINT context, a VPN is used to hide an investigator's geographical location by masking their IP address. VPNs are also used worldwide to support remote work, such as providing secure access to corporate resources for home workers. The same arrangement can apply to OSINT investigators, since some investigations involve team members working from different locations who need to exchange collected information securely.

Despite the widespread adoption of VPN technology and the ease of obtaining a service (many VPN providers even offer free access), a VPN is not considered a reliable technology for OSINT gatherers for the following reasons:

  • VPN is considered an outdated technology that struggles to keep up with modern work environments, which include a large number of applications and storage spread across cloud and on-premise data centers
  • VPN providers tend to log their users' activities, or at least record their entry point (the original IP address) into the VPN network. This is very dangerous for OSINT gatherers: if hackers breach the VPN provider's data, the logs could reveal the investigators' true identities. Besides, many VPN providers have servers in countries controlled by non-democratic states, such as China and Russia, and such countries can easily access VPN logs, which jeopardizes the entire OSINT investigation
  • Online trackers employ advanced tracking techniques such as browser fingerprinting and super cookies, which can detect and track online users using their computing device's technical specifications, such as screen resolution, installed fonts, browser add-ons and many more. This allows trackers to distinguish your device from millions of connected devices without relying on the IP address at all
  • VPN providers are subject to the data protection laws of the country in which they operate. For instance, some countries have strict data retention laws that require keeping logs of VPN users for a long time, which could result in VPN users losing their anonymity
  • Many VPN providers use open-source software, such as OpenVPN Connect, as the core of their VPN client. Such software is subject to security vulnerabilities that could reveal users' true IP addresses
  • Finally, VPNs have a bad reputation for being used by cybercriminals to execute various attacks, such as ransomware campaigns

The Onion Router (TOR)

The TOR network provides stronger anonymity than a VPN. While a VPN is controlled by a central authority or operator, TOR has no such central hub, as it is operated by volunteers spread all over the world. TOR works by routing traffic through a chain of these volunteer-run relays (at least three), with each hop using a different IP address, before the traffic reaches its final destination.

Using TOR is easy: all you need to do is download the TOR Browser, a hardened version of Mozilla Firefox that comes bundled with the TOR software. While TOR is used mainly to access the TOR darknet, the TOR Browser can also be used to anonymize internet traffic when browsing the surface web.

Despite the advanced anonymization that the TOR Browser offers for surface web traffic, it is not considered an optimal choice for OSINT gatherers for the following reasons:

  • TOR is relatively slow because it directs traffic through several different computers (TOR nodes), each of which could be located in a different country. This makes browsing slow regardless of how fast your own internet connection is. For OSINT gatherers, this can be a major drawback when gathering large amounts of data or conducting time-sensitive investigations
  • Many websites block TOR traffic, which prevents OSINT gatherers from reaching all available information and hence creates obstacles to comprehensive data gathering
  • The TOR exit node is the last computer TOR uses before traffic leaves the TOR network. Nation-state actors and other threat groups commonly monitor exit nodes, which lets them inspect your traffic as it leaves the network
  • For junior OSINT gatherers, the TOR Browser can give a false sense of security: they may assume it completely hides their digital traces and forget about other vulnerabilities that could reveal their true identity. It is important to remember that TOR is one tool in the OSINT gatherer's arsenal, not the only tool, so its limitations should be understood before using it

Web browser isolation

Investigation isolation provides critical protection for financial fraud investigators by creating secure boundaries between their actual computing work environment and potential threats found online. This isolation approach operates on two essential layers:

  • Physical isolation: A secure virtual environment completely separates investigation activities from the investigator's local computing device and corporate network. This means that when investigators access suspicious websites (e.g., phishing or compromised websites) or download malicious files from the internet during their research, any threats remain contained within the isolated environment and cannot compromise the investigator's local computing infrastructure or spread to corporate resources.
  • Identity isolation: Investigation isolation platforms provide network management capabilities beyond simple IP address hiding. These platforms connect isolated workspaces to a global network of egress points, allowing investigators to control their digital identity precisely, including specific geographic locations, regional characteristics, and network connection types. This level of control helps investigators overcome geographic restrictions imposed by some countries and avoid the detection mechanisms that criminal groups employ to identify investigation activities. Unlike basic browser isolation or traditional tools like VPN and TOR, which only provide basic IP address masking, advanced isolation platforms allow investigators to appear as genuine users from specific countries with legitimate network profiles matching their investigation requirements.

Modern investigation isolation solutions provide several critical capabilities that enhance investigation security:

  • Disposable investigation environments that are completely destroyed after each browsing session. This eliminates any possibility of correlating different investigation activities to the same investigator or organization
  • The ability to create multiple isolated environments with different digital identities, which makes it impossible for targets to connect separate investigations to the same source. For instance, one investigation could appear to come from a personal user in Asia using Windows, while another appears as a business user from Europe using macOS
  • Seamless access to various online platforms, including social media websites and dark web networks such as TOR and I2P, without revealing the investigative nature of the activity. This allows investigators to gather critical evidence about financial fraud schemes while maintaining complete anonymity

The advantages of the Silo platform offered by Authentic8

Silo by Authentic8 is a cloud-based platform that provides enhanced security and anonymity capabilities for OSINT gatherers. The platform allows OSINT investigators to conduct their research using isolated browser sessions that are entirely separated from their local device, and these sessions are automatically destroyed after use, ensuring complete removal of the investigation's digital traces.

Despite being an advanced security solution, Silo is very easy to use as OSINT gatherers can access it from any device without installing complex software or requiring any configuration. This is particularly useful for OSINT teams working from different locations, as they can easily access their research environment regardless of location.

Silo offers several important features that make it a reliable solution for OSINT investigations:

  • The platform completely masks the OSINT gatherer's identity by isolating all browsing activities in a cloud environment. This means that websites cannot detect the investigator's true location or identity, which provides enhanced protection against advanced tracking techniques such as digital fingerprinting and super cookies
  • All browsing sessions are conducted in an isolated cloud environment, which means that even if the OSINT gatherer accesses a malicious website during an investigation, any potential malware is contained in the cloud environment and cannot reach the investigator's computer
  • The platform does not store any data on the investigator's local device: all investigation activities, including browser cache and cookies, are kept in the cloud environment and wholly removed after the investigation session ends
  • Silo maintains detailed logs of investigation activities, which helps OSINT teams demonstrate compliance with data protection regulations and also allows team leaders to monitor investigation progress