Over the past couple of months, Citizen Lab researcher John Scott-Railton and I have been navigating the hall of mirrors created by a mysterious group of undercover operatives, one of whom — a former Israeli intelligence officer named Aharon Almog-Assouline — we ambushed at a Manhattan restaurant in January while he was masquerading as a French consultant.
I have a new story out today about how another undercover operative — using a very similar modus operandi — has been discovered targeting opponents of Kaspersky Lab, the Russian anti-virus firm. I encourage you to read it, but I also wanted to explain how I’ve gone about dispelling the corporate ghosts created by Almog-Assouline and his colleagues.
The set up
Almog-Assouline’s employers — whoever they are — understood that the first thing a target does when they’re approached by someone they don’t know is turn to a search engine. So when Almog-Assouline assumed the identity of Michel Lambert, a French consultant specializing in agricultural technology, the spy’s team set about populating the Google’s first page of search results with material that supported the idea that Lambert — and his company — were the real deal. In his introductory emails and initial phone call with Scott-Railton, Lambert claimed to be a company director with CPW Consulting, which was about to embark on a major project in West Africa. A casual search would have found fast evidence for that story.
Here, for example, is a partial snapshot of Lambert’s LinkedIn page as it appeared at the time:
Looks convincing! More than 500 connections, a LinkedIn premium account, and a plausible resumé. EM Strasbourg is one of France’s top business schools. It isn’t visible in the partial snapshot above, but the LinkedIn profile claimed Lambert had spent years working for Bolloré and EIFFAGE, French logistics firms with extensive business in Africa — exactly the job history you’d expect from a senior French consultant working on a major African project. So let’s go to CPW’s website:
Nice! A pretty website with all the right corporate jargon & a cool corporate logo. On their contact page, you could find a telephone number and addresses for offices in Paris and Senegal — I’ll get to that — but no real red flags.
There was more. Take Crunchbase, for example, the online directory of startups. It listed CPW Consulting, along with a volley of convincing information about the firm’s “deep knowledge of agricultural ventures.”
A blog post helped round out the search. CPW was mentioned as part of a brief Medium article about the African agritech sector:
There was plenty more information on LinkedIn too, with a company page, other purported employees, and even a job opening for a digital mapping analyst. It got more than 200 applicants!
None of this was real. Not the job post — which Scott-Railton discovered had been lifted nearly word-for-word from a UK job ad — not the Crunchbase entry, which has since been altered to make it point to “CPP Consult,” not the website— which vanished when the AP published my story — and not the LinkedIn pages, which melted away soon after. Even the stray Medium post was deleted. As for Lambert, his real identity was exposed within days.
CPW’s phantom facade disappeared within hours of my story’s publication. But the challenge I had was proving the firm was ghost before my story went to print. Here’s how we did it — and how you can do it too.
Show up
Companies have — or should have — physical addresses, somewhere you can rap your fist against a door. A missing address is a big red flag, but even an address needs to be checked out. CPW Consulting, the firm where Lambert claimed to be a director, listed its address as 77 Avenue Parmentier, down the street from Paris’ Place de la Republique. Typically, a first visit to such an office will be virtual: services such as Google Maps, Yandex.Maps and OpenStreetCam all offer street-level photography. In this case, the virtual visit was inconclusive, offering no evidence the company existed but no guarantee it wasn’t just invisible from the road.
So a team of reporters in France physically visited — twice. As Google Street View suggested, there was no sign of CPW on the building’s stone facade. But there was no sign of it inside either; there was no CPW, for example, on the building’s interior intercom.
Interviews gave us the final piece of evidence we needed. Residents had never heard of CPW and neither had the building’s caretaker. My colleague Lori Hinnant took a photo of building a couple of hours before I confronted Almog-Assouline. In the video above, you can see me showing him my phone — here’s the picture that was on screen:
This kind of verification gets trickier when an address is located inside a secured office building or a closed business park. This was the case, for example, with another fake company, FlameTech, linked to another undercover operative, this one calling himself Gary Bowman. Like Lambert and CPW, Bowman and FlameTech had it all: a snazzy website, a Crunchbase entry and a fulsome presence on LinkedIn.
FlameTech, which listed its address as being inside Madrid’s Torre de Cristal at 259C Paseo de la Castellana. Some office buildings list their tenants publicly, but the Torre de Cristal does not. But while turnstiles may prevent you from snooping around, nothing stops you from asking questions of the receptionist, the building manager or other employees.
But let’s say that, unlike the AP, you don’t have a team of international journalists at your disposal. What then?
Call up
Phone calls can sometimes give you a bit of information. If the company doesn’t display a phone number, consider it a red flag. If the number does exist, but doesn’t pick up during business hours, doesn’t have answering service, or is invalid, consider it another.
Even if the number rings through, or is answered by a machine, that may not be the end of a story. When I called Lyndon Partners, ostensibly a Swedish wealth management firm, I got a young man named Daniel who spoke with a noticeable Israeli accent. He kept his cool, saying my reporter colleague — who was downstairs at the time — was welcome to come up to the office if he desired. That never happened: the building manager confirmed that Lyndon Partners did not exist and calls to Lyndon’s number immediately began ringing through unanswered. My call to CPW Consulting was similarly inconclusive. When I called their office, the phone’s answering service had a man speaking in what sounded like an African accent.
So phone calls can be misleading, especially if they’re synthetic or disposable numbers routed through to an office somewhere else. Try asking to be put through to a named person, ask them about the weather where they are, or ask for details about the company that you’ve already verified.
Look up
If physical visits aren’t an option and phone calls don’t provide the certainty you need, you still have the internet at your disposal. One basic step is to see whether there’s any record of the company in the national register. In Britain, this is called Companies House. In Hong Kong it’s the Integrated Companies Registry Information System. Some countries, such as the United States and Canada, make corporate information available at the state level, for example through the Delaware’s Division of Corporations or Quebec’s Registraire des entreprises.
The quality of national and state-level databases varies widely and can change suddenly. In Britain, Companies House used to charge 1 pound per search and run visitors through a laborious interface. Now searching for companies — and even by director — is a breeze (and is free of charge.) Paying for records through Hong Kong’s Cyber Search Center, by contrast, involves squinting your way through a maze of shopping carts and hard-to-read download screens while juggling a variety of gratuitous reference numbers.
Some services, such as Orbis, Dun & Bradstreet,and Arachnys act as global corporate record search engines, allowing you to make fine-grained searches for companies across several countries. Others, such as Interfax-Spark or ClairifiedBy, are more regionally focused.
While Orbis and its ilk are geared toward corporate clients and typically charge hefty fees, their databases are sometimes available free of charge from major national libraries, such as the British Library in London, or from business school libraries in places such as New York, Los Angeles or Boston (you’ll likely need a reader card.) Other companies, like the anti-money laundering technology provider Arachnys, offer discounts for NGOs or media organizations.
If you don’t have access to a paid service or a library, you’ll have to settle for whatever various registries put directly online. The best source for what’s freely available remains OpenCorporates, which carries information about some 160 million companies worldwide.
Company registry data isn’t foolproof. Although the undercover operatives I’ve been hunting never seem to bother actually registering the fake companies they dream up, it wouldn’t necessarily take much effort to do so. Registering a company in Britain, for example, costs a measly 12 pounds and can be done literally overnight. Whoever is registering ostensibly has to provide accurate information, but oversight is weak and criminals, pranksters and campaigners alike have shown it is easy to fake director and shareholder names.
Don’t neglect other registries. Does an organization claim a trademark or copyright at the bottom of their site? Check the trademark registries to see if it actually has one. Does it claim to be a charity? Check the local charity regulator to see if they have it on file. Does the company claim business with the government? See if you can find government contracts on sites like the U.S. Federal Procurement Data System or Britain’s Contracts Finder.
Finally, don’t forget the phone book. FlameTech’s Gary Bowman, for example, claimed to be based in Madrid, but there was no record of a Madrid-based Gary Bowman in Spain’s Páginas Blancas. The man who claimed to work for Stockholm’s Lyndon Partners, Marwan Al Haj, couldn’t be located in Eniro, Sweden’s white pages. Ditto Cristian Ortega of the supposed APOL Consulting in Zurich; no sign of him in local.ch, Switzerland’s online phone directory.
Mix it up & ask around
If you’re investigating a suspect company, it’s unlikely that just one of these methods will yield the answer that you need. Konstantin Pishchik of Arachnys told me it was important to use overlapping techniques and work systematically. Here’s some of his advice, which he shared in an email (and which I’ve lightly edited for clarity):
Have a template to collect information on the fly — collect websites, phone numbers, addresses and names of related individuals into one document or platform that you will work on through the whole investigation)
Work from low-cost/low-risk methods towards high-cost/high-risk — even if you have the resources and the time to conduct site visits, this might alert the target of your investigation so first try to exhaust the non-invasive checks such as corporate registry checks
Understand your budget — know how much money you can spend and steer your investigation accordingly. If your budget is 0 probably you will have to put all of your effort into open source research and triangulation
After collecting the information conduct a basic analysis by cross-referencing and looking for discrepancies — you’re looking for discrepancies in information that you collected from different sources and flag them (e.g. the company claims on its website to exist for 10 years but was registered 3 weeks ago or its website exists only for a week; the company claims to be an agricultural consultancy but is registered as medical equipment distributor)
I’d add two more: Ask around and ask for help. If a company, like FlameTech, claims to be a Spanish fintech accelator, don’t be shy about calling other Spanish fintech companies to ask if they’ve ever heard of it. If a company, like CPW, claims to work in farm technology in Africa, ring an NGO to see if they’re active in the field. Finally, don’t hesitate to ask for help. Exposing phantom firms can be frustrating — it’s hard to prove a negative — but you’re not the only ghost buster out there.
