Corvus
Investigation Colophon · Methodology · Provenance

About this investigation

Full audit trail of how this report was produced — target identification, analytical techniques applied, tools that ran, gaps recorded, and the schema and skill versions used. Reproducibility is a forensic posture.

Confirmed Target · Type: Topic

Global Corruption and Organized Crime Network

Mass-identification OSINT sweep targeting the global ecosystem of corrupt politicians, sanctioned oligarchs, transnational criminal organizations, financial fraudsters, kleptocrats, state-sponsored hackers, and shadow network operators. Seeded from BBEG DORKSCOUT report (87 entities). Two collection runs (Run 1: 139 entities; Run 2: +27 = 166 total). CALZ-analyzed May 27 2026.

  • Combined dataset: 166 entities across two collection runs
  • Bybit hack ($1.5B, Feb 21 2025) — largest crypto theft in history — FBI confirmed Lazarus Group
  • DPRK total 2025-2026 crypto haul: ~$2.6B (Bybit $1.5B + Drift $285M + KelpDAO $290M)
  • Three kinetic enforcement events: Maduro capture (Jan 3 2026), TdA speedboat strike (Sep 2025), VLCC SKYWAVE seizure (May 2026)
  • US enforcement geopolitical selectivity: Adani SDNY charges moving to dismissal, Kostin trial on hold, Rodriguez sanctions lifted
  • Non-US accountability acceleration: Hasina death sentence, Meta arrested, Roussev spy ring convicted
  • Arkady Rotenberg capturing Rosimushchestvo + Tatspirtprom (Jan 2026) — wartime domestic asset expansion
  • Jan Marsalek confirmed Moscow GRU handler (PBS Frontline Oct 2025)
  • Natalia Rotenberg UK footprint: 4 dissolved companies, Upper Ribsden Surrey GU20 6HX
  • GENIUS Act AML/CFT stablecoin framework proposed FinCEN/OFAC May 2026 — targets Tether
§ 01

Investigation Metadata

Provenance
Investigation ID: bbeg-gcoc-20260527-001
Created: 2026-05-27 00:00:00 UT
Recon Started:
Recon Completed: 2026-05-27 02:00:00 UT · 120m 0s
Analysis Completed: 2026-05-27 08:00:00 UT · 360m 0s
Total Duration: 480m 0s · within 60-minute walltime budget
Wave Budget: 35 enabled tools × multiplier 3 = 35 tool calls per wave
Stopping Rule M: 20 consecutive empty calls · fired in Wave
Artifact Location: /mnt/user-data/outputs/bbeg_gcoc_20260526
§ 02

Analytical Methodology

Structured analytic techniques · ICD 203
KAC Applied

KAC surfaced five material assumptions. Two HIGH-sensitivity / LOW-confidence dangerous combinations identified: enforcement durability (US case dispositions mutating faster than OSINT tracks — limits KJ_001 confidence to moderate) and completeness (OpenSanctions down, GDELT rate-limited, Brave News exhausted across both runs — limits network coverage claims). Three assumptions confirmed HIGH-sensitivity + HIGH-confidence: Maduro capture (DOD + Brookings + Atlantic Council B1 confluence), Bybit attribution (FBI + Reuters + AP B1), Roussev conviction (UK court records + Balkan Insight + Reuters + BBC B1).

ACH Applied

Three hypotheses tested: H1 (US enforcement geopolitical selectivity), H2 (non-US accountability acceleration), H3 (null/coincidental). H3 eliminated — breadth and simultaneity across 10+ jurisdictions is inconsistent with coincidence. H1 and H2 both retained with comparable evidence support. Leading hypothesis is bifurcated H1+H2: global accountability acceleration in non-US jurisdictions concurrent with US enforcement geopolitical selectivity. These are not mutually exclusive — H1 describes the US dimension, H2 describes the rest of the world.

Premortem Applied

Three material failure modes identified. FM1 (enforcement normalization): career DOJ staff resistance reverts Adani/Kostin patterns; watch for Kostin trial date — generated KJ_007. FM2 (Venezuela reversal): Chavista hardliners remove Rodriguez and reconstitute anti-US posture; watch for hardliner consolidation signals — generated KJ_006. FM3 (DPRK crypto haul inflation): Bybit funds partially frozen, actual DPRK conversion lower than reported; watch for on-chain analysis showing large frozen balances. FM1 and FM2 are the most plausible and materially threaten the leading hypothesis.

Red Hat Applied

Red Hat was applied because a target of type=topic covering adversarial actors makes the adversary perspective central: the entities themselves constitute the threat surface. Four red vectors were generated, in order of severity: DPRK DeFi infrastructure targeting (critical), TCO USDT OTC desk exploitation (high), GRU proxy reconstitution post-Roussev (high/moderate confidence), Rotenberg domestic asset expansion (moderate). Seven paired blue controls were generated, covering technical, regulatory, intelligence, and policy dimensions.

§ 03

Coverage

Schema v1.0
Entities: 166
Relationships: 21
Evidence: 20
Judgments: 8
Timeline: 22
Geo: 10
Confidence Distribution · Key Judgments
4 · High
3 · Moderate
1 · Low
High · multi-source, no surviving alternatives
Moderate · KAC stress or ACH margin
Low · sparse base or explicit caveat
§ 04

Tools Engaged

35 enabled · 9 fired · 3 gap
dork-mcp:serper_news 12
dork-mcp:serper_search 4
dork-mcp:wikidata_sparql 2
dork-mcp:cl_search 3
dork-mcp:icij_offshore_reconcile 2
dork-mcp:coho_company_officers 1
dork-mcp:coho_officer_appointments 1
dork-mcp:gleif_fuzzy 4
dork-mcp:federalregister_search 2
opensanctions_search gap
gdelt_doc_search gap
brave_news_search gap
§ 05

Tool Gaps

3 methodology steps could not run
opensanctions_search
Methodology step · collection · API down — both runs
gdelt_doc_search
Methodology step · collection · rate limited
brave_news_search
Methodology step · collection · monthly limit exhausted
Integrity Hash
sha256:0000000000000000000000000000000000000000000000000000000000000000