How AI and OSINT Tools Can Uncover Fraud Risk in UK Companies - Why Verification Matters
The Coalition of Cyber Investigators examine the use of AI and OSINT in investigating UK companies and emphasise the importance of verification.
Paul Wright, Neal Ysart & Lajos Antal
6/12/2025, 7 min read


In today’s digital economy, anyone can register a UK company online within minutes. However, determining whether that company is legitimate, dormant, fraudulent, or linked to more nefarious activity can require hours of research and adept investigative work. Increasingly, cybersecurity professionals, journalists, due diligence teams, and financial analysts are utilising open-source intelligence (OSINT) powered by Artificial Intelligence (AI) to make connections that would otherwise remain buried in paperwork or obscured by layers of corporate opacity.
This article examines the application of AI and OSINT in detecting risks within UK-registered companies, the tools and methods investigators utilise, the role of overseas cybercrime data, and the importance of verifying every insight before drawing any conclusions.
A Quiet Address and a Questionable Company
Consider, for example, a now-dissolved company suspected of involvement in investment fraud, anonymised here as HHL Ltd, which was registered to a quiet residential property in Kent. It existed for less than three years and failed to file meaningful financial accounts, both of which are early signs that raise suspicions. On the surface, the company had a single listed director at incorporation, was not linked to any other entities, and left a minimal visible footprint in the UK business ecosystem.
That said, the company’s simplicity itself became a cause for deeper inspection. Using a combination of tools and intelligence sources, researchers initiated an investigation into the company's background, its digital connections, and the identity of the individuals behind it.
Tools That Turn Data into Intelligence
To gain an understanding of the company's nature, investigators accessed Companies House, the UK government's official business register. This resource offers public access to incorporation details, director appointments, filing histories, and even downloadable PDFs of submitted documents. However, when targeting sole traders, investigators must cast a wider net since these individuals typically don't appear in traditional corporate registries.
For sole trader identification, researchers employ multiple complementary approaches. LinkedIn serves as a primary intelligence source, allowing investigators to search for individuals who list themselves as "self-employed," "freelancer," or "consultant" within specific industries. These profiles frequently reveal business activities, client relationships, and operational scope. Professional licensing databases prove invaluable for regulated sectors, as medical, legal, and financial practitioners must maintain public registrations regardless of their business structure.
Local business registers and VAT databases often capture sole traders who have registered for tax purposes, while industry-specific directories maintained by trade associations provide sector-focused intelligence. Digital footprint analysis, conducted through WHOIS domain searches, social media business profiles, and online marketplace presence, helps investigators map the full scope of a sole trader's operations.
From there, researchers turned to Cavalier, a cybercrime intelligence platform by Hudson Rock, which specialises in data harvested from infostealers—malware that exfiltrates browser-saved credentials and other sensitive information from compromised machines.
Further context was added using OpenCorporates, the world’s largest open database of companies and their officers, which helps identify whether a person of interest is a serial director, nominee, or operator of a shell company. Additional traces were gathered from search engines using advanced queries and from public-facing scam complaint boards.
Infostealer logs of the kind Cavalier indexes often provide insight into which identities, devices, and accounts have been compromised, as well as when they were compromised. For sole traders, this intelligence is particularly valuable, as their personal and business digital identities often overlap significantly, making the compromise of credentials especially damaging to their operations.
When AI Is Wrong — A Lesson in Verification
During this investigation, an initial AI-generated lead identified the director of HHL Ltd as someone we'll refer to as “M.G.” (MG). However, upon reviewing the official Companies House documents, including the original incorporation filing, it became evident that this was incorrect. The director was a completely different individual, with no publicly recorded connection to the name previously assumed.
This is a critical lesson: OSINT tools, especially those that utilise historical snapshots or scraped metadata, can be prone to error. In this case, the name MG likely originated from a cached third-party listing or auto-filled data that was not backed by original filings.
When investigators rely on secondary sources or summaries instead of primary documents, such as official PDFs, these misattributions can and do occur. Experienced investigators will be aware of this and take additional verification steps to mitigate the risk; however, not everyone treats verification as a golden rule.
Signals from the Underground: Breach Data as a Hidden Map
While the company in question showed minimal corporate activity on paper, the investigation became more illuminating once cybercriminal intelligence was consulted. Using Hudson Rock’s Cavalier OSINT platform, analysts searched for usernames linked to the director of HHL Ltd. One anonymised identity, let’s call it Kit Jackson (KJ), returned four distinct breach records over five years.
Each breach originated from a different stealer malware strain, including Azorult, Raccoon, and several generic stealers. The infected devices ranged in configuration, location, and date. Yet, the credentials exposed in each case were often linked to email addresses, cloud storage, and even what appeared to be corporate portals.
Notably, one machine identified itself with the hostname “HOMEBASE-1 (Kit Jackson),” strongly suggesting the real name of the user. This was more than a technical leak; it was a trail of identity. That same name corresponded with login credentials used across multiple domains, some free (like Gmail), others potentially tied to organisations.
In total, these infections exposed various user services and at least three corporate accounts. This pattern, repeated across numerous machines over several years, illustrated either a persistent digital compromise or the intentional reuse of compromised credentials, a common tactic in online fraud ecosystems.
How Attribution Mistakes are Made in OSINT
Despite the clarity of the cyber trail, caution remains paramount. Attribution, the process of linking a digital footprint to a real-world identity, is one of the most error-prone elements in OSINT. Early in this investigation, a misattributed individual was mistakenly believed to be the company's director. This occurred because an automated tool surfaced a name associated with a similarly titled company. That name, which was not listed in any official filing, was incorrectly linked to the dissolved company.
This type of error highlights a systemic flaw in the way AI-enhanced OSINT tools are sometimes used. Tools that rely on scraped or cached data, or that aggregate results from outdated sources, can often surface false positives. Without cross-checking the original records, such as the incorporation PDFs from Companies House, it’s dangerously easy to misidentify individuals.
False attribution doesn’t just derail investigations; it can lead to reputational damage, flawed legal action, or breaches of institutional trust. This is why verification must be central to every OSINT workflow, not a final checkbox.
Verifying the Truth: Building Confidence in OSINT Leads
Verification in OSINT isn’t a single action; it’s a layered process that validates an identity, behaviour, or association. In this case, verifying the true director required retrieving and reading the original incorporation document, which definitively named the person responsible for HHL Ltd. Only through primary-source review was it possible to rule out the wrongly attributed name and confirm the legitimate one.
In addition to official filings, other verification techniques were employed. The usernames and email addresses identified in breach records were compared over time, as well as across IP ranges and device metadata. Device names like “DESKTOP-HJ0T7TA” or “SECRE01”, which appeared consistently with similar credentials, added a layer of credibility to the threat profile. The recurrence of login patterns over the years made it statistically unlikely that the data belonged to an unrelated individual with a coincidental naming pattern.
Even so, no investigative lead should be regarded as conclusive until at least two independent sources have verified it. Generally, triangulation, which involves multiple angles of verification, is more important than speed when accuracy is paramount.
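The two rules above (primary filings outrank scraped or AI-generated summaries, and nothing is conclusive without two independent sources) can be written down as a small check. This is an added example, not the authors' tooling; all names, source labels and the single-director assumption are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass

PRIMARY, SECONDARY = "primary", "secondary"

@dataclass(frozen=True)
class Evidence:
    name: str    # person this source names as director
    source: str  # where the analyst read it
    origin: str  # upstream record the source derives from
    kind: str    # PRIMARY (original filing) or SECONDARY (scrape, cache, AI summary)

def normalise(name: str) -> str:
    """Fold register-style 'SURNAME, Forename' and 'Forename Surname' together."""
    if "," in name:
        surname, forenames = (part.strip() for part in name.split(",", 1))
        name = f"{forenames} {surname}"
    return " ".join(name.lower().split())

def assess(claimed: str, evidence: list[Evidence]) -> str:
    """Classify a claimed director name (assumes a single-director company)."""
    target = normalise(claimed)
    supporting = [e for e in evidence if normalise(e.name) == target]
    # Independence is counted per origin: two copies of one listing are one source.
    origins = {e.origin for e in supporting}
    primary_support = any(e.kind == PRIMARY for e in supporting)
    primary_conflict = any(
        e.kind == PRIMARY and normalise(e.name) != target for e in evidence
    )
    if primary_conflict and not primary_support:
        return "contradicted by primary source"
    if primary_support and len(origins) >= 2:
        return "confirmed"
    return "unverified lead"

# Constructed sample evidence; the names are placeholders, not real people.
EVIDENCE = [
    Evidence("Jordan Sample", "AI-generated summary", "cached third-party listing", SECONDARY),
    Evidence("Jordan Sample", "company aggregator page", "cached third-party listing", SECONDARY),
    Evidence("EXAMPLE, Casey", "incorporation filing PDF", "Companies House filing", PRIMARY),
    Evidence("Casey Example", "professional licensing register", "licensing body record", SECONDARY),
]

if __name__ == "__main__":
    for lead in ("Jordan Sample", "Casey Example"):
        print(f"{lead}: {assess(lead, EVIDENCE)}")
```

The AI summary and the aggregator page share one origin, so they count as a single source, which is how a cached listing repeated by several tools can look better corroborated than it is.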
Why International Breach Data Changes the Game
One of the most significant evolutions in OSINT over the past decade has been the increasing accessibility of breach data originating from devices worldwide. In the case of HHL Ltd, some devices linked to compromised credentials were operated from IP addresses based in France, Nigeria, and Latin America. This is important because these infections may never be identified in traditional UK-centric searches.
Many UK companies are now created by individuals operating abroad, whether for legitimate remote business or, more often, to exploit the UK's relatively permissive incorporation system. Intelligence platforms like Cavalier collect infostealer data that is frequently traded in underground marketplaces or leaked on dark web forums. Analysts with ethical access to this data can uncover associations that would otherwise remain invisible to national regulators.
This kind of intelligence isn’t speculative; it reveals actual devices infected by malware, exposing real usernames, passwords, session cookies, and software logs. It's one of the few windows into what’s happening behind the scenes, especially when a company appears dormant on the surface.
AI is a Force Multiplier, not a Truth Machine
AI and OSINT tools are transforming the landscape of business intelligence, compliance, and cybercrime investigation. But they are not foolproof. Mistakes are easy when the goal becomes chasing connections rather than confirming identities.
The case of HHL Ltd illustrates the strengths and limitations of modern investigative tools. While AI assisted in identifying potential risks, it was human verification and careful analysis of original records that rectified early misconceptions. Meanwhile, overseas breach data provided vital signals indicating that the director's credentials may have been compromised over an extended period, suggesting potential misuse.
Whether you're an investigator, journalist, analyst, or compliance professional, remember: every red flag is just a lead until it's verified, cross-checked, and placed in the proper context.
📌 All personal information in this article has been anonymised. This report is written for educational and journalistic purposes and does not make accusations against any real individuals or entities. Always consult a legal or compliance expert when using OSINT for actionable decisions.
Authored by: The Coalition of Cyber Investigators
Paul Wright (United Kingdom) & Neal Ysart (Philippines)
With contributions from guest author Lajos Antal, Managing Director and co-owner at RavenForTech, and former Deloitte Partner.
©2025 The Coalition of Cyber Investigators. All rights reserved.
The Coalition of Cyber Investigators is a collaboration between
Paul Wright (United Kingdom) - Experienced Cybercrime, Intelligence (OSINT & HUMINT) and Digital Forensics Investigator; and
Neal Ysart (Philippines) - Elite Investigator & Strategic Risk Advisor, Ex-Big 4 Forensic Leader.
With over 80 years of combined hands-on experience, Paul and Neal remain actively engaged in their field.
They established the Coalition to provide a platform for collaboration and the sharing of expertise and analysis on topical issues in the converging domains of investigations, digital forensics, and OSINT. Recognising that this convergence has created grey areas around critical topics, including the admissibility of evidence, process integrity, ethics, contextual analysis, and validation, the coalition is Paul and Neal’s way of contributing to a discussion that is essential if the unresolved issues surrounding OSINT-derived evidence are to be addressed effectively. Please feel free to share this article and contribute your views.