25 Feb 2026

Continuing Online Trade of Monitor Lizard Body Parts

Maltego Team

An OSINT and Maltego Case Study from India

This blog was written by the Wildlife Crime Control Division of Wildlife Trust of India (WTI), a valued partner in the Maltego Grants Program, working at the intersection of conservation and digital investigation to combat wildlife crime.

The investigation did not begin with a raid, a whistleblower, or a tip-off. It began with something subtler: a design pattern. While monitoring online spaces for illegal wildlife trade (IWT), our team at WTI noticed that three separate websites selling so-called “spiritual” products looked almost identical. Two of them even used the exact same product photograph. All three claimed to offer “Hatha Jodi,” a rare plant root believed to bring prosperity. But what was being sold was not botanical at all.

The items matched the appearance of dried hemipenes of the Bengal monitor lizard — a protected species under Indian law (Schedule I of the Indian Wildlife Act, 1972). The trade in these body parts has long been documented in India, often masked as spiritual or ritual artefacts to obscure their true origin. Over a 12-month monitoring period, we tracked 1,245 social media and e-commerce posts linked to illegal wildlife trade. Approximately 9% were associated with Bengal monitor lizard body parts.


From Open Advertising to Concealed Networks

In the early phase of monitoring, sellers operated with surprising openness. Phone numbers were publicly displayed. Some even included postal addresses in website contact sections. Transactions were initiated through visible WhatsApp numbers.

As enforcement efforts by Indian authorities intensified, behaviour shifted. Phone numbers and addresses disappeared from public listings. Sellers increasingly moved conversations to private direct messages. On websites, visible contact information was reduced to generic email addresses.

This evolution created a significant challenge: surface-level monitoring was no longer sufficient. We needed to move from observation to structured open-source intelligence (OSINT) collection and analysis.


The Digital Thread: Pivoting Through Infrastructure

The three visually similar websites became our entry point. Closer inspection revealed that all three were powered by the same e-commerce platform provider. Two reused the same product image. This strongly suggested operational overlap rather than coincidence.

From earlier monitoring, we had collected three phone numbers linked to these sites. These became our initial pivot points. Through the Maltego Grants Program, we used Maltego to query those phone numbers and surface additional identifiers. From just three initial numbers:

  • Two returned rich results
  • Three additional phone numbers were uncovered
  • Four previously unseen email addresses were identified
  • Five total phone numbers were linked to one specific website

One email address, used repeatedly as a “support” contact, became a critical anchor. It was connected to multiple domains, phone numbers, and communication channels. What began as three suspicious websites evolved into a growing digital infrastructure map.
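The pivoting described above can be reduced to linking sites through shared selectors. The following is an added example, not WTI's or Maltego's own code: all sites, numbers, addresses and hashes are constructed placeholders, and treating the shared platform provider as a weak signal that never links sites by itself is an assumption of the example.

```python
from collections import defaultdict

# Constructed sample data: (site, selector type, value). None of it is from the case.
OBSERVATIONS = [
    ("site-a.example", "image_hash", "img-001"),
    ("site-a.example", "email", "support@placeholder.example"),
    ("site-a.example", "phone", "+91-00000-00001"),
    ("site-a.example", "platform", "platform-x"),
    ("site-b.example", "image_hash", "img-001"),
    ("site-b.example", "phone", "+91-00000-00002"),
    ("site-b.example", "platform", "platform-x"),
    ("site-c.example", "email", "support@placeholder.example"),
    ("site-c.example", "phone", "+91-00000-00003"),
    ("site-c.example", "platform", "platform-x"),
    ("site-d.example", "phone", "+91-00000-00009"),
    ("site-d.example", "platform", "platform-x"),
]
# Assumption: a shared platform provider corroborates a link but never creates one.
WEAK_TYPES = frozenset({"platform"})

def index_selectors(observations, weak_types=WEAK_TYPES):
    """Map each strong (type, value) selector to the set of sites showing it."""
    index = defaultdict(set)
    for site, kind, value in observations:
        if kind not in weak_types:
            index[(kind, value)].add(site)
    return index

def cluster_sites(observations, weak_types=WEAK_TYPES):
    """Union-find over sites: two sites merge when they share a strong selector."""
    parent = {site: site for site, _, _ in observations}
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x
    for sites in index_selectors(observations, weak_types).values():
        first, *rest = sorted(sites)
        for other in rest:
            parent[find(other)] = find(first)
    clusters = defaultdict(list)
    for site in sorted(parent):
        clusters[find(site)].append(site)
    return sorted(clusters.values(), key=lambda c: (-len(c), c))

def anchor_selectors(observations, weak_types=WEAK_TYPES):
    """Selectors seen on more than one site, most widely shared first."""
    index = index_selectors(observations, weak_types)
    shared = [(sel, sorted(s)) for sel, s in index.items() if len(s) > 1]
    return sorted(shared, key=lambda item: (-len(item[1]), item[0]))
```

With the platform excluded, the unrelated `site-d.example` stays in its own cluster; passing `weak_types=frozenset()` merges all four sites, which is the over-linking a shared provider would cause.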


Geographic Spread: Not a Local Operation

Prior contextual clues suggested that the traders were operating from a specific Indian city. However, by correlating:

  • Telecom provider data
  • Location fields from mapping services
  • Profile metadata
  • Platform-linked identifiers

we identified connections extending into two additional Indian cities in entirely different regions. This was not an isolated local seller. It was a distributed operation. The geographic spread pointed to organized networks operating across urban centres, increasing both scale and complexity.


The Human Layer Behind the Network

Digital infrastructure tells only half the story. By combining caller ID labels, communication platform profiles, and professional networking traces, we identified three likely individuals behind the activity — two women and one man. In one case, a professional networking profile linked to a key email address revealed employment details that helped us understand how legitimate and illicit digital footprints intersected.

Multiple phone numbers, multiple emails, overlapping social accounts — these patterns pointed toward an organised and adaptive structure rather than opportunistic selling. The actors were not merely listing products. They were managing infrastructure.

With these findings, WTI works closely with law enforcement agencies to disrupt illegal activity and protect vulnerable wildlife. In our investigations, Maltego significantly reduced investigative time, playing an essential role in identifying networks and supporting enforcement action.
