Case 2025-001: Example Investigation

⚠️ IMPORTANT: This is a DUMMY CASE for demonstration purposes only. All data is fictional.

Difficulty: 📕 Advanced (comprehensive reference case) Best For: Understanding complete investigation structure Time to Review: 2-3 hours

Quick Links

📋 Case Overview & Summary
👤 Subject Profiles & Dossiers
📊 Evidence Collection Log
📁 Evidence Files: 03-Evidence/
📄 Reports: 04-Reports/
🗂️ Admin: 05-Admin/

Case Summary

Case Number: 2025-001 Status: 🟢 Active (Example) Type: Social Media Fraud / Cryptocurrency Scam Priority: Medium Estimated Loss: $75, 000 -$ 150,000 USD

Threat Actor: “Alex Morgan” (pseudonym)

Twitter: @crypto_scammer_example
Telegram: @crypto_alex_official
Instagram: @crypto.alex.trades (suspended)

Key Findings:

Impersonation of verified crypto influencer
Phishing website (crypto-presale-exclusive[.]com) - now taken down
50+ victims identified
Funds laundered through Tornado Cash mixer

Directory Structure

2025-001-Example-Investigation/
│
├── 00-Case-Overview.md           ← Start here
├── 01-Subject-Profiles.md         ← Threat actor details
├── 02-Collection-Log.md           ← Evidence tracking
├── README.md                      ← This file
│
├── 03-Evidence/                   ← All collected evidence
│   ├── screenshots/
│   │   ├── twitter/
│   │   ├── instagram/
│   │   └── telegram/
│   ├── domains/
│   │   ├── whois-crypto-presale.txt
│   │   └── dns-history.json
│   ├── social-media/
│   │   └── instagram-archive.html
│   ├── blockchain/
│   │   ├── wallet-txlist.json
│   │   └── tx-graph.png
│   ├── victim-reports/
│   │   ├── victim-001-dm.png
│   │   └── interviews/
│   └── network/
│       └── passive-dns.json
│
├── 04-Reports/                    ← Investigation reports
│   ├── final-report.md (pending)
│   ├── executive-summary.pdf (pending)
│   └── evidence-package.zip (pending)
│
└── 05-Admin/                      ← Case administration
    ├── engagement-letter.pdf
    ├── evidence-hashes.txt
    ├── chain-of-custody.pdf
    └── case-notes.md

How to Use This Case

For Training/Learning

This dummy case demonstrates:

Proper case file structure for OSINT investigations
Evidence collection and documentation best practices
Subject profiling techniques for social media threat actors
Timeline reconstruction from digital evidence
Legal and ethical considerations throughout investigation

As a Template

You can use this case as a template for real investigations:

Copy the directory structure
Replace dummy data with real evidence
Follow the same documentation format
Maintain chain of custody and hashing procedures
Reference appropriate SOPs from the vault

SOPs Referenced in This Case

This example case demonstrates the application of these SOPs:

Legal & Ethics:

Legal & Ethics SOP - Authorization, data protection
Sensitive Crime Escalation - Law enforcement referral

Operational Security:

OPSEC Planning - Investigator protection

Platform-Specific:

X OSINT - Social media analysis
Telegram OSINT - Messaging platform investigation

Technical Analysis:

Web, DNS & WHOIS - Domain/infrastructure analysis
Financial & AML - Cryptocurrency tracking
Image & Video OSINT - Profile picture analysis

Documentation:

Collection Logging - Evidence tracking
Entity Dossier Building - Subject profiling
Reporting & Disclosure - Final report preparation

Investigation Timeline

Date	Milestone
2024-11-28	Fake Twitter account created
2024-12-15	Phishing domain registered
2024-12-20	First victim deposits funds
2025-01-10	Investigation initiated
2025-01-12	Instagram account suspended
2025-01-13	Phishing domain taken down
2025-01-15	Case file created

Key Evidence Highlights

Digital Footprint

3 social media accounts across Twitter, Instagram, Telegram
1 phishing domain (now suspended)
52 blockchain transactions totaling 87.3 ETH
15 victim statements with supporting evidence

Attribution Indicators

Timezone: UTC+3 (Eastern Europe suspected)
Language: Non-native English speaker
Infrastructure: Tor, ProtonMail, Cloudflare (anonymity-focused)
Technical skill: Medium (can clone websites, use privacy tools)

Financial Impact

Victim count: 50+ identified
Total stolen: ~$150,000 USD equivalent
Recovery potential: Low (funds laundered through mixer)

Next Steps (If This Were Real)

Complete victim interviews (5 pending)
Prepare evidence package for law enforcement
File IC3 report (FBI Internet Crime Complaint Center)
Coordinate with platforms for additional account takedowns
Monitor for rebranding (suspect likely to create new personas)

Learning Objectives

After reviewing this case, you should understand:

✅ How to structure and organize an OSINT investigation ✅ Proper evidence collection and documentation procedures ✅ Building comprehensive subject profiles from public data ✅ Blockchain analysis for cryptocurrency fraud investigations ✅ Legal and ethical boundaries in OSINT work ✅ Timeline reconstruction from multiple data sources ✅ Preparing evidence for law enforcement handoff

Disclaimer

This is a fictional case created for training purposes.

All names, handles, addresses, and transaction hashes are invented
The threat actor “Alex Morgan” does not exist
No real individuals were harmed or defrauded
Domain names and IP addresses are examples only
Any resemblance to real persons or cases is coincidental

Do not attempt to contact or investigate any entities mentioned in this case.

Questions or Feedback?

This example case is part of the OSINT & Security Reference Library.

For more information:

Return to Main Index

Case Created: 2025-01-15 Last Updated: 2025-01-15 Status: 📚 Training Material Classification: UNCLASSIFIED / EXAMPLE

Le Codex

Explorer

README