Forensic Intelligence

We are a forensic intelligence service.

We map illicit financial networks, confirm beneficial ownership across eight detection layers, and deliver intelligence packages that hold at evidentiary standard — before the transaction clears.

The Argument

Every agency with capability lacks jurisdiction.
Every agency with jurisdiction lacks capability.

VELLARIXX was built to operate in the gap between them.

The financial networks that extracted $10 billion from the Ukrainian economy were engineered to be unreachable by the agencies most capable of acting on them. Jurisdictional boundaries are not an obstacle they encountered. They are an architecture they exploited — offshore ownership resets, nominee layering, captured regulatory channels, and guarantee instruments void at source — each component calibrated to terminate every detection query at the layer where it stops.

That operational knowledge cannot be assembled commercially. It was built over two decades of work conducted from within the financial networks and institutional architectures it now documents. Not from what those environments produced in public record.

What that presence produced follows.

The Structural Failure

The detection infrastructure was not the problem. The question of whether it would ever be pointed at the right place was.

The architecture was not designed to defeat detection. It was designed to ensure detection was never initiated. Five institutional domains. Each one a pathway through which scrutiny enters.

Legislative — the regulatory framework that defines what requires disclosure.
Regulatory — the supervisory function that monitors and refers.
Judicial — the channel through which evidence becomes action.
Enforcement — the apparatus that investigates and prosecutes.
Intelligence — the collection layer that surfaces what the others cannot see.

Every pathway was controlled. Parliamentary positions shaped what the regulatory environment required to be disclosed. Central bank appointments maintained the architecture that needed no scrutiny. The apex judicial channel absorbed referrals before they produced outcomes. The investigation bureau operated under influence that ensured cases did not open. The security apparatus provided the insulation that kept the collection layer blind.

10 Operations Documented
$10B+ Extracted · Ukrainian Economy
0 Other Detections Across All Operations

Every institution that would have initiated scrutiny was part of the architecture that made scrutiny unnecessary.

Institutions Operating in This Environment

The same architecture is already positioned inside the $800 billion reconstruction pipeline.

The exposure varies by institution. The failure mode does not.

The documented networks were not designed around a single institutional target. They were designed around the gap between what any single institution can see and what the full structure requires to be visible. That gap is architectural. It applies equally across development finance, supervisory authorities, global financial institutions, and sovereign defense partners — the surface exposure differs, the underlying failure mode does not.

Development Finance
EBRD · EIB · World Bank disbursement teams
The documented networks are already positioned inside the $800B reconstruction pipeline. The pre-disbursement window is the only window — after capital clears, recovery exceeds the dispersal window by design.

Supervisory Authorities
ECB · EBA · EPPO
The cross-operation facilitation architecture VELLARIXX has mapped is the precise cross-border structure the EPPO was created to address — and currently cannot see in full.

Global Financial Institutions
G-SIBs with Eastern European sovereign exposure
Compliance teams see Layer 3. Institutions are exposed at Layer 8. Institutions in the documented correspondent path face mandatory SAR obligations and OFAC IEEPA strict liability regardless of knowledge or intent.

Sovereign & Defense Partners
Allied government agencies · Defense contractors · EPC primes
Illicit-origin ownership confirmed across 14 power grids, 4 allied nations — 43 defence engineers under compromised ownership structures, before any allied government produced a signal.

EPC Contractors
Supply chain subcontractors
Network X entities represent exactly the established regional contractor presence that competes for EPC supply chain subcontracts. Documented exposure across six oblasts where major infrastructure reconstruction is already underway. UAH 10B+ extracted from Big Construction program.

Mission

Every financial intelligence platform was built to read what illicit financial networks produce.

VELLARIXX was built to produce what those platforms can only read about.
Undetected by every compliance system in the environment. · Ten operations.
Extracted in excess of $10 billion.

The Provenance

The ten documented operations were not detected by deploying a platform from the outside.

They were built from inside.

From two decades of direct access to the operational layer where these networks function. The platform is the codification of what that presence found.

In the environments where illicit capital extraction operates at institutional scale, the data required to detect the threat does not exist in any commercial database. It exists in the operational layer — in the financial architectures that exist only inside the networks, in the appointment histories that reveal which referrals will produce outcomes and which will be absorbed, in the institutional capture architecture that no external platform can reach from outside.

Ten illicit financial operations. Not ten independent schemes — one connected ecosystem, eleven documented fraud mechanisms, a shared architecture of extraction and protection. The ten documented here are the cases that can be proven in public — the verifiable fraction of a twenty-year operational record, not its ceiling.

The ten are the proof. The twenty years are the methodology.

The Operational Basis

The provenance claim is not asserted. It is documented against confirmed outcomes.

The twenty-year operational record produced four anchor cases before the outcomes that confirmed them. These are not projections or scenario assessments. They are documented detections — in every case, the intelligence preceded the outcome by months, not days.

Detection Record — Confirmed Against Outcomes

Operation | Detection Lead | Scale
Allied Power Grid | Pre-disbursement | 47 entities · 12 jurisdictions · 14 power grids
Nuclear Enterprise | Pre-enforcement | $4M cash seized · 3yr ledger · 8 indictments
Fictitious Guarantees | Pre-disbursement | ~$77M · 10 contracts · 100% void rate
Defense Procurement | Pre-enforcement | 40+ shell LLCs · 100+ nominees · ~$122M+

The detection methodology is not derived from what those operations produced in public record. It is derived from inside the operations — before they became a record.

The detection record exists because the operational presence preceded it. Why the architecture cannot be replicated — the ground truth provenance, the sovereign access, the convergence analysis — is examined in full on the Methodology page.

The Detection Record

The architecture is how the detection framework is built. What follows is what it found.

Fourteen networks in the documented registry. The cases that can be proven in public — the verifiable fraction of a twenty-year operational record, not its ceiling.

0 Detections from any other source across all ten documented operations

▸ VELLARIXX · DETECTION RECORD · CONSOLIDATED METRICS · MAY 2026
Data horizon: May 2026 · Prosecution-confirmed · NDA-tier detail available

$10B+ Extraction Mapped at Evidentiary Standard
100% Prosecution Confirmation Rate
96% UBO Attribution Confidence (Natural Person)

Capability A · Post-Extraction
Networks I–XI · 10 fully-documented + meta-protection apex
Fully Operational
Reference case: Network VIII · USD 100M+ · November 2025 enforcement
HIGH

Capability B · Pre-Extraction
Network XII · USD 230–280M deployed · no enforcement action
Candidate — Active
3 SDN-patron adjacencies · 30+ nominees · USD 250M reconstruction project April 2026
MEDIUM-HIGH

Capability C · Cross-Sectoral
Networks XIII–XIV · May 2026 integration
v1.7 Integration
Archetype ⑭ · gambling-sector cross-sectoral · Network X re-characterised as multi-sector operating system
MEDIUM

Network Registry
14 total · 21 bridge nodes · 3 super-clusters
I–XI documented · Network X meta-protection apex · XII–XIV candidate designation. Bridge nodes: Institutional Verticals (9) · Oligarchic Convergence (5) · CI/Operational (6).
CONFIRMED

Pattern Library
445+ signatures · 14 archetype classes
All signatures prosecution-derived. Confidence bands: CRITICAL · HIGH · MEDIUM. Case-provenance attributed.
HIGH

Anchor Cases
ONTOLOGY Layer 8 UBO · LEAD 11mo

Network VII · Stolen-Capital Re-Entry

$2.4B+ Active · 14 Power Grids · 4 Allied Nations · 96% UBO Confidence

Every institution in the environment stopped at Layer 3 — the Cyprus reset. VELLARIXX mapped to Layer 8. Natural person confirmed at 96% confidence across 12 jurisdictions, before any allied government produced a signal.

8-layer beneficial ownership traversal · 6th-degree depth · 47 jurisdictions · 96% UBO confidence · round-trip pattern matching · multi-chain de-mixing

ONTOLOGY Personnel Pathway · PROTECTION MAPPING · LEAD 13mo

Network VIII · SOE Barrier Extraction

$100M+ USD · $4M Cash Seized · 8 Indictments

VELLARIXX mapped the extraction mechanism and the protection architecture that sustained it before either was confirmed in public enforcement. The five-domain assessment identified which channels were clean before the referral was made. The referral produced eight indictments.

SOE barrier extraction mapping · personnel pathway temporal graph · appointment-cycle monitoring · five-domain protection mapping · facilitator density scoring

ONTOLOGY Sovereign Registry · PROTECTION MAPPING · GATE OUTPUT Pre-Disbursement

Network VI · Fictitious Guarantees

~$77M Void · 10 Contracts · 100% Void Rate

VELLARIXX identified every instrument as void before disbursement cleared. Approximately $77M across ten contracts. Every instrument legally formatted. Every one void from inception — Class 13 authority required, Class 16 held.

Sovereign registry direct query · Class 13/16 licence verification · guarantee-to-capital ratio analysis · appointment-cycle monitoring · five-domain protection mapping
UAH 3.18B Void · 10 Contracts · 100% Void Rate · Active Proceedings

The Convergence Finding

The three anchor cases are not three separate detections.
They are three facets of one connected ecosystem — and one actor connects all ten.

A single cross-operation facilitation node has been confirmed across all ten documented operations simultaneously. No single authority has assembled this map. The connecting architecture exists only in the layer where the full ecosystem can be seen simultaneously.

That finding does not exist in any commercial output. It requires presence inside the full ecosystem to produce.

Supporting Cases

LEAD 14mo

Network I · Catalog Distortion

409-item catalog with systematic price distortion at volume-critical line items. 31% extraction rate.

UAH 1.52B+ · ~31% Extraction Rate

LEAD 14mo

Network II · Substitution Arbitrage

Substandard materials at specification-grade price. 40+ shell entities. 100+ nominee directors.

UAH 1.167B State Damage · Detained

LEAD 14mo

Network III · SOE Commodity Diversion

State property apparatus weaponised as extraction platform. Convergence node confirmed shared across three operations simultaneously.

UAH 10B+ Assessed

LEAD 13mo

Network IV · Offshore Extraction

Six-jurisdiction network. Cyprus/BVI endpoint. FSB exposure confirmed.

$2.1B+ Extracted · FSB Exposure Confirmed

LEAD 14mo

Network V · Advance Diversion

97% of advance payment captured within 72 hours across six jurisdictions before non-delivery registered.

UAH 1.5B+ Assessed · Detained

LEAD 12mo

Network IX · Reconstruction Advance Loop

Scheme accelerated, not contracted, under scrutiny. The live template for reconstruction fund diversion at scale.

UAH 1.9–2.0B Assessed · Proceedings Active

ACTIVE — Live Intelligence

Network X · Infrastructure Procurement Capture

The only documented live reconstruction fund capture. Full documentation available at named analyst briefing stage under NDA.

Active · Assessment Ongoing

The Protection Architecture

The detection failure was not episodic.
It was architectural.

A single apex node provided protection across five institutional domains simultaneously. The channels were not absent. They were structurally unavailable — captured at the point of referral before any outcome could be produced.

The Same Architecture · Stated Differently

The same five-domain capture architecture established on the home page protected every operation in this record. No referral routed through any of the five domains produced an outcome before VELLARIXX-derived intelligence was introduced.

Zero detections from any other source, across all ten operations, is the same fact stated from a different angle. The protection architecture and the detection vacuum are not two findings. They are one architecture viewed from inside it and from outside it.

The cases that can be proven in public. Not the totality of what was seen.

Operational Footprint

Not a database coverage list. An active intelligence map.

Active
Reconstruction Pipeline: $800 Billion
Documented Extraction: >$10B

Ukraine — Active Operational Foundation

Ten documented operations — the confirmed evidentiary layer of the broader operational history in this environment. The operations that extracted in excess of $10 billion are already positioned inside the $800 billion reconstruction pipeline.

The detection framework that produced the ten documented cases does not degrade at the border. The same sovereign registry access, the same archetype library, the same protection mapping architecture — all operational in the same environment where the capital is now being directed. The pipeline is the next deployment. The methodology is already there.

Network X alone spans six oblasts — Khmelnytsky, Rivne, Kherson, Vinnytsia, Zhytomyr, Chernivtsi — creating the jurisdictional fragmentation that standard single-jurisdiction enforcement cannot address. Any road, bridge, or infrastructure reconstruction contract in these oblasts has documented exposure to Labaziuk network entities.

Documented
Active Proceedings: 2 Jurisdictions
Confirmed Gaps: 4 Jurisdictions

Eastern Europe — Documented and Active

The same capability operating across the broader geographic reality of how the documented networks actually function. Each jurisdiction confirmed through sovereign registry query, not inferred from public record.

A single cross-operation facilitation node confirmed across all ten documented operations simultaneously.

The gap across Eastern Europe is not hypothetical. It is mapped. Each authority sees one fragment. VELLARIXX sees the complete architecture. Allied government channel relationships are established across the region. EU member state FIU relationships are active. This is not the next deployment. It is the current operational reality.

Next
Structural Homology: Confirmed

The Balkans — Next Structured Deployment

Structural homology to Ukraine confirmed. EU accession procurement vulnerabilities. The same Cyprus and BVI offshore architecture. The networks that operated in Ukraine are present in the Balkans.

The Active Window

Comparator | Pipeline | Rate
Iraq · SIGIR 2013 | ~$60B | 10–15% documented
Afghanistan · SIGAR 2010–21 | ~$145B | 15–30% documented
Ukraine — Ten Operations | $800B | 10–31% extraction rate
Working estimate range | $80–248B | Scenario range only

The active window is open. The question is whether it closes with or without a gate.

The deployment window is now.

The documented networks are already positioned inside the reconstruction pipeline. The question is whether the institutions disbursing into that pipeline will see them before the transaction clears.

Methodology

The Rosetta Stone did not find new script.
It rendered legible what was already there.

VELLARIXX is that instrument — built for the operational layer every other tool can see but cannot read.

What This Is Not

Not a compliance platform. Not a screening tool. Not a vendor with better database coverage. Not a risk scoring system.

The outputs are not the product. They are the delivery mechanism — the translation layer between intelligence produced at the layer where the threat actually exists and the frameworks every institution must operate inside.

Analytical platforms analyse what exists in commercial databases. VELLARIXX produces what does not — at the operational layer where illicit capital extraction actually functions, before it becomes a record that any database can hold.

The Architecture

Eight Detection Layers

Detection Architecture · Eight Layers
Layer 1 — Multi-script entity resolution
2.3M+ entities · 95%+ accuracy · 47 jurisdictions
Confirms the entity exists and where. Every jurisdiction. Every script.
Layer 2 — Sovereign guarantee validation
Class 13/16 authority · capitalisation · reinsurance class
Confirms the instrument is valid at source — before disbursement, not after failure.
Layer 3 — Beneficial ownership traversal
6th-degree depth · 47 jurisdictions · 96% UBO confidence
⚠ Standard compliance architecture stops here
Layer 4 — Enforcement-confirmed pattern matching
445+ signatures · cross-domain · real-time
Sees coordinated operations that produce no transaction anomaly.
Layer 5 — Cryptocurrency de-mixing
BTC→ETH→Monero→fiat · Tornado Cash IEEPA flag
Traces capital through obfuscation chains. Confirms IEEPA strict liability before it is created.
Layer 6 — Political protection mapping
Five-domain capture · facilitator density · appointment-cycle
Maps which channels are compromised before any referral is made.
Layer 7 — Forward-looking sanctions scoring
87–93% match rate · 90-day horizon · pre-flight detection
Identifies who will be designated before the list is published.
Layer 8 — Sovereign cross-database query
18 database types · 47 jurisdictions · simultaneous
Assembles the complete ownership picture no single registry holds.

The eight layers above describe how the detection architecture operates. The fourteen archetypes below describe what it was built to find — derived from the operations that confirmed each detection pattern before it entered the library.

Fourteen Detection Archetypes

The fourteen archetypes are not categories. They are the documented mechanics of how capital was extracted across the documented corpus — each one encoded into the detection library from the operation that produced it.

Six operate in domains where existing compliance architecture has partial detection pathways. Six operate in domains existing compliance architecture cannot reach at all — personnel workflows, institutional appointment cycles, sovereign procurement barriers, infrastructure tender dominance. None of the documented operations was detected by any system deployed in the same environment.

Two carry CANDIDATE designation — documented at evidentiary tier in source material, requiring additional collection for elevation to fully-confirmed status. Candidate archetypes are surfaced explicitly; the platform reasons under uncertainty rather than asserting flat conclusions.

Standard Detection Surface
Catalog Distortion
Substitution Arbitrage
Commodity Diversion
Offshore Extraction
Fictitious Guarantees
Advance Diversion

Beyond the Detection Surface
Stolen-Capital Re-Entry
SOE Barrier Extraction
Reconstruction Advance Loop
Appointment-Cycle Capture
Infrastructure Procurement Capture
Legal-Professional Network Capture

Archetypes ⑬ & ⑭ · Candidate Designation · May 2026 Integration
2 of 14 total archetypes · evidentiary tier documented · additional collection required

CANDIDATE
Sanctioned-Patron Proxy Asset Acquisition
Capital deployed through OFAC/SDN-designated patron adjacencies into landmark asset positions — cultural, hospitality, media, esports — during a pre-extraction positioning phase. No criminal proceedings. No documented losses. Architecture surfaced at the configuration stage before extraction commences.
MK-series patterns · Network XII · 22+ signatures

CANDIDATE
Sanctions-Vector Market Removal
Enforcement architecture weaponised to remove a market participant using a sanctions instrument — while simultaneously positioning the sanctioned entity's competitor. The same enforcement infrastructure documented in energy procurement operates in the gambling and payment-infrastructure sectors with identical mechanics.
HT/SH/GM-series patterns · Networks XIII–XIV · 28+ signatures
Archetype ⑪ — Infrastructure Procurement Capture

Multi-oblast tender dominance through political patronage, coordinated bidding, and administrative resource capture. Extraction via substandard materials substitution. Six-oblast geographic spread creates jurisdictional fragmentation that standard single-jurisdiction enforcement cannot address.

Primary Network: Labaziuk / VITAGRO (Network X)
Documented Scale: ~$241M+ (Big Construction 2020–2021) · ~$24M (Reconstruction Attempt)
Detection Patterns: LB-001 Multi-Oblast Dominance · LB-002 Family Proxy Architecture · LB-003 Materials Substitution
EPC Exposure: Bechtel Tier 1 subcontract pathway · documented across six oblasts

The Structural Moat
01
Ground Truth From the Operational Layer

Four hundred eight signatures. Each one derived from within the networks — not from the records those networks subsequently produced. One pattern: two nominally independent bidders share a nominee director registered within 90 days of contract announcement, with overlapping registered addresses across three jurisdictions. Standard monitoring sees two clean entities. The detection framework sees one coordinated operation.

02
Sovereign Access

Eighteen sovereign database types. Forty-seven jurisdictions. Direct query at sovereign registry level. The Fictitious Guarantee detection — UAH 3.18 billion, ten contracts, 100% void rate — was produced by this access. Not discoverable any other way.

03
Convergence Analysis

The architecture maps operations, not entities. Shared nominees, overlapping appointment histories, coordinated registration timing — assembled across nominally independent networks into a single operational picture. A single facilitation node confirmed simultaneously across all ten documented operations — connecting MoD procurement, energy SOE extraction, fictitious guarantee architecture, offshore layering chains, infrastructure procurement capture, and the institutional capture mechanism that sustained all of them. No single enforcement authority has assembled this map. Each holds jurisdiction over one fragment. The connecting architecture exists only in the layer where all ten can be seen simultaneously — and where this record was produced.

The Five-Domain Protection Architecture

Detecting capital movement is necessary. It is not sufficient.

The same institutional capture architecture that extracts capital also protects the extractors. VELLARIXX maps which channels are clean before any referral is made. Without it, finished intelligence packages route to captured channels and produce no outcome.

I. Legislative: Statutory barriers embedded in regulatory framework
II. Regulatory: Capture of monitoring bodies · suppressed referral
III. Judicial: Weaponised proceedings · coercion architecture
IV. Enforcement: Infiltrated investigation channels · absorbed referrals
V. Intelligence: Counter-intelligence posture · compromised collection

Why No Other Instrument Reaches Here

The leading sovereign analytics platform was deployed in the same environment. It produced zero detections across ten documented operations.

Not because the platform failed. Because the data it needs does not exist in the layer it queries.

No existing compliance architecture queries the layer VELLARIXX operates in. The data required to detect sovereign-grade illicit capital extraction does not exist in any commercial database. It exists only in the layer where the operations actually ran — and where the detection record was produced.

The detection ontology is not a better algorithm. It is the only instrument capable of making legible what every other system can see but cannot read.

Insights

Analytical perspective on the threat environment.
From inside it.

Intelligence Analysis · Financial Crime Architecture

Why AML Stops at Layer 3 — And What Lives in the Gap

Ten confirmed financial crime architectures extracted $10 billion from a national economy. Every standard AML, KYC, and UBO tool in the environment cleared every transaction. This is not a failure story. It is a design story.

Vellarixx Intelligence · March 2026

The question that follows every major financial crime case is always the same: how did existing compliance systems miss it? The systems worked as designed. The schemes were built to operate in the space the design left open.

The Layer 3 Problem

Standard UBO traversal terminates at the offshore reset layer. The compliance system confirms the offshore entity is registered and in good standing, and closes the query. The beneficial owner at Layer 8 is invisible.

In the Allied Power Grid detection, a 47-entity ownership structure across 12 jurisdictions routed stolen capital into control of 14 power grids across four allied nations. The offshore reset terminated every standard UBO query at Layer 3. VELLARIXX continued to Layer 8. The natural person was confirmed at 96% confidence — before any allied government produced a signal.

What Lives at Layers 4 Through 8

Commercial pattern matching runs against transaction anomalies. It is ineffective against financial crime architectures designed to produce no statistical anomalies at the transaction layer. These patterns could not be derived from open-source data. They were built over twenty years of operational presence inside the cases that produced them.

Every compliance framework assumes that referral channels are operationally clean. This assumption fails when those authorities are participants in the network. Across ten documented operations, a single apex node provided protection simultaneously across five institutional domains. Zero detections from any other source across all ten operations.

The gap is not a malfunction. It is a design. The only question is whether your compliance record was built to close it or to document that it was open.

The Convergence Implication

The Layer 3 problem explains why individual operations went undetected. The convergence finding explains something more significant: why success against individual operations has been systemically ineffective.

When a single facilitation node connects all ten documented operations simultaneously, the ecosystem is not ten independent criminal enterprises. It is one architecture with ten expressions. When one node is disrupted, the others adapt. Standard efforts run against operations. The ecosystem survives by design.

The compliance framework that screens entities in isolation is not inadequate. It is answering a different question from the one the ecosystem is posing.

The convergence finding and full cross-network documentation are available at the named analyst briefing stage under NDA.

Continue the Conversation

These analyses are drawn from the same detection architecture available under NDA. If the problem described here applies to your institution, the briefing goes deeper.

Engage

The briefing begins with a condition precedent screen.
The same standard applied to every counterparty.

VELLARIXX applies the same verification standard to the institutions it works with that it applies to the counterparties those institutions are screening. The briefing requires fit in both directions.

The Condition Precedent

The screen is not a sales qualification process.

It is the same architecture applied to a different counterparty.

Institutional mandate, operational context, and engagement type are assessed before any classified material is shared. The screen determines whether the scope of a new engagement aligns with the operational framework under which existing mandates are conducted.

VELLARIXX operates under active engagement across development finance, supervisory authority, and allied government mandates. New engagements are assessed for fit within that operational framework before the briefing is scheduled — not after.

The first conversation carries no commitment. The screen begins within 24 hours of the briefing request. The screen either clears or it does not. If it clears, the briefing follows. If it does not, VELLARIXX will say so directly.

Arriving Via Introduction

If this document was delivered to you directly, your response goes back through the same channel. No form required. The condition precedent screen begins within 24 hours.

Arriving Independently

If you reached this page without a prior introduction, the briefing request below begins the engagement screen. The screen determines fit for the engagement type before any classified briefing is scheduled.

Engagement Protocol

24 hours | Condition precedent screen initiated · senior analyst contact
5 days | Screen complete · briefing scope established · NDA executed
NDA tier | Full pattern library · named actors · network ecosystem · case documentation
Engagement | Named analyst team assigned · delivery timeline confirmed

Condition precedent screen applied to all engagements · Response within 24 hours

The Operational Team

Six operators across six disciplines.

Firm Provenance · Public-Confirmable

20+ Years operational record
10 Documented operations
$10B+ Extraction documented
47 Sovereign jurisdictions
18 Sovereign DB types
0 Detections from any other source

The Team
Mosche
Founder
Chief Intelligence Architect
Verified · Identity under NDA
Forensic intelligence operations background. Founded the firm. Authored the detection ontology.
Tradecraft
445+ enforcement-confirmed signatures · 14 archetype classes
Archetype framework — ①–⑦ standard surface · ⑧–⑫ beyond
Guarantee gate — Class 13/16 licence verification · capital ratio
Sovereign access — 18 DBs · 47 jurisdictions · direct registry
Ground truth — derived inside operations before outcomes recorded

David
Chief Technology Officer
Detection Architecture & Predictive Engines
Verified · Identity under NDA
Engineering and forensic-platform background. Architected the platform. Designed the graph-native pipelines. Engineered the predictive sanctions engine.
Tradecraft
UBO traversal — 8-layer ownership · 96% natural-person attribution
Cross-operation knowledge graph & convergence ontology
Five-domain capture assessment · clean-channel routing
Sanctions evasion forecasting · 87–93% match · 90-day horizon
Zero-trust pipeline · 18+ sovereign DBs · 47 jurisdictions

Oliver
Head of OSINT Unit
Investigation Architect
Verified · Identity under NDA
Background in financial intelligence and decision sciences. Operates across contested-information environments.
Tradecraft
Investigation scope & calibration against the 11-archetype hierarchy
OSINT collection ontology · source-tier classification · SOPs
Final dossier sign-off · Bayesian confidence scoring
OSINT platform requirements · CTO pipeline integration
HUMINT source relationships · MLAT / Egmont / FATF mapping

Tom
OSINT Analyst
Legal Qualification & Evidentiary Logic
Verified · Identity under NDA
Legal background. Translates detection findings into statutory violations.
Tradecraft
Multi-jurisdictional statutory & case-law analysis
Criminal-law qualification of detected conduct
Evidentiary architecture — admissibility, sufficiency, chain-of-custody
Sanctions designation logic · civil & administrative pathways
Enforcement pathways · jurisdictional venue analysis
Sarah
OSINT Analyst
Link Analysis & Network Mapping
Verified · Identity under NDA
HUMINT/SIGINT background. Builds entity link graphs. Maps network topology. Reconstructs deleted source material.
Tradecraft
HUMINT-derived OSINT — source-validated open & semi-open environments
Conflict-zone intelligence assessment — actor mapping & situational analysis
Entity link graphs, network topology & affiliation ontologies
Pattern-of-life & behavioural signature extraction
Archive reconstruction — Wayback, regional caches, snapshot diffing, deleted-content recovery
Rachel
OSINT Analyst
Deanonymization & Digital Footprint
Verified · Identity under NDA
Economics and cybersecurity background. Recovers digital trace material. Resolves pseudonymous subjects to natural-person identity.
Tradecraft
Non-public source material — restricted, non-indexed, controlled-access
Advanced search-operator & dorking discipline
Selector pivot — handle → email → phone → identity
Cross-platform digital footprint reconstruction
Natural-person attribution at confidence-graded output
VELLARIXX  ·  FORENSIC INTELLIGENCE CAPABILITIES ASSESSMENT  ·  VLX-INTEL-2026-MR-001  ·  PUBLIC TIER — SELECTED CONTENT  ·  DATA HORIZON: MAY 2026
Intelligence Architecture

The intelligence architecture
behind the detection record.

Eight kill-chain layers. Fourteen archetype classes. Three analytically distinct capabilities. The structural argument for why Layer 4–8 detection cannot be replicated from outside the operational environment that produced it.

445+ Pattern Signatures
14 Archetype Classes
14 Documented Networks
21 Bridge Nodes
100% Prosecution Confirm Rate
Detection Architecture

Eight layers.
Layers 1–3 are where every other platform stops.

The commercial surface — entity resolution, sanctions cross-reference, 1st/2nd-degree beneficial ownership — ends at the offshore reset vehicle. Layer 3 is the terminal boundary of every commercial counterparty-screening platform in this environment.

Layers 4–8 are the prosecution-derived operational intelligence layer: 6th-degree UBO traversal, 445+ enforcement-confirmed pattern signatures, cryptocurrency de-mixing, five-domain protection mapping, and 18-category sovereign cross-database query across 47 jurisdictions. Full architecture detail is documented on the Methodology page.

L1–3
Commercial surface
Entity resolution · Sanctions · 1–2° BO
← All platforms stop here
L4–8
Exclusive layer
6° UBO · 445+ patterns · Protection mapping · 47 jurisdictions
VELLARIXX only →
Network VII · The evidence

Every institution in the environment stopped at Layer 3 — the Cyprus reset. VELLARIXX mapped to Layer 8. Natural person confirmed at 96% confidence, before any allied government produced a signal.

Archetype ⑦ — Reference Architecture

Stolen-capital re-entry · five operational windows

Archetype ⑦ documents the closed-loop mechanism by which extracted state-sector capital is layered offshore and re-enters the infrastructure procurement environment as foreign direct investment. Five discrete operational windows — each with a distinct detection surface.

Window 01
State-Sector Extraction

Procurement mechanism activated · advance disbursement · catalog distortion · barrier extraction

Window 02
Offshore Layering Reset

Cyprus · BVI · Cayman · 6th-degree nominee chain · crypto de-mixing phase

Window 03
FDI Re-entry

Capital returns as foreign direct investment · clean-origin narrative constructed · KYC surface legitimate

Window 04
Infrastructure Acquisition

Power grids · utilities · real estate · reconstruction-adjacent assets · cultural landmarks

Window 05
Protection Lock-In

Five-domain capture secures acquired assets · enforcement absorption · loop restarts at Window 01

Mechanism

State procurement channels activated through insider placement. Mechanisms: catalog price distortion at volume-critical line items (Archetype ①), advance-disbursement timing exploitation, SOE barrier extraction via personnel pathway manipulation (Archetype ⑥), fictitious guarantee instruments (Archetype ②). Documented: 10+ extraction networks, $10B+ aggregate throughput.

Detection surface

Layer 5 pattern matching activates at signature density threshold. Relevant patterns: advance-disbursement timing anomalies, nominee rotation velocity, guarantee-to-capital ratio, procurement catalog distortion index. Operation Midas (Network VIII): detected before NABU/SAPO enforcement action November 2025.

Gate output

Pre-disbursement counterparty flag with archetype association and signature density score. Formatted for FinCEN SAR submission, OFAC designation referral, or EPPO evidentiary package depending on recipient jurisdiction and mandate.

✓ Detection window: pre-extraction
↩ Protection architecture closes the loop → Window 01 extraction cycle resumes under protection cover

Every institution in the environment stopped at Layer 3 — the Cyprus reset. VELLARIXX mapped to Layer 8. Natural person confirmed at 96% confidence. Eleven months before any allied government produced a signal.

That result is either replicable or it isn’t. The buyer either has a platform that produced it or they don’t. The question is not which features appear in which column of a comparison table. The question is whether any other platform has produced a documented detection record at this standard, in this environment, against these networks.

The eight-layer stack is the architecture that produced that result. The layer-tier divider in the table above marks precisely where commercial platforms terminate and where VELLARIXX collection begins. That is the only structural comparison that matters.

Where commercial platforms stop
Layer 3
Corporate registry · 1st–2nd degree beneficial ownership · the offshore reset vehicle. Every institution in the Network VII environment stopped here.
Where VELLARIXX detection operates
Layer 8
Natural person. 96% UBO confidence. 47 jurisdictions. 6th-degree traversal. Network-of-networks convergence. Documented before any allied government produced a signal.
VELLARIXX  ·  ENGAGEMENT ARCHITECTURE  ·  AUDIENCE-SPECIFIC BRIEFING FRAMEWORK  ·  DATA HORIZON: MAY 2026
Who We Serve

The right buyer already knows
how financial crime works.
They are asking: show me something
no platform I currently have can do.

Select your institutional context below. Each framing is drawn directly from the capabilities assessment and the engagement tracks documented in the platform walkthrough guide (v1.7 · May 2026).

DFIs · IFIs · Sovereign Wealth Funds

You control the disbursement decision.
The extraction network is already positioned to capture it.

The USD 800B reconstruction pipeline is the largest projected capital-deployment event in the European corridor for the next decade. The documented extraction rate across the corpus is 10–31%. At that rate, the scenario exposure range is USD 80–248B — capital that enters your disbursement architecture as EPC contracts, sovereign guarantees, or FDI vehicles, and exits as captured infrastructure assets.

The only viable control point is pre-disbursement. After disbursement, the recovery window closes within 72 hours in most documented architectures.

What your current tools do not reach

Fictitious guarantees — Class 13/16 sovereign authority verification is not performed by any commercial EDD platform. Approximately $77M (UAH 3.18B) across 10 instruments: every one void from inception, every one passed a standard enhanced-due-diligence screen.
Closed-loop FDI re-entry — extracted capital returns as foreign direct investment with a clean KYC surface. Your investment-gate screen sees the FDI vehicle, not the extraction network it funds. Layer 4–8 traversal is required to surface the connection.
Tier 1 positioning — reconstruction-adjacent assets are being acquired now, before disbursement begins. Network XII: USD 250M central-Kyiv project announced April 2026. No criminal proceedings. Your current screening does not surface this configuration.
EPC supply chain exposure — the same extraction architecture documented in energy procurement operates identically in EPC sub-contracting, material supply, and financial-infrastructure provision. Sector-siloed screening misses cross-sectoral bridge nodes.

Gate Output A
Guarantee Validity Screen
Direct sovereign registry query at Class 13/16 authority level. 24-hour turnaround. Output: guarantee validity determination, authority class confirmation, capitalisation ratio, reinsurance class status. Formatted for pre-disbursement gate decision.
Gate Output B
Counterparty Origin Trace
Layer 4–8 beneficial ownership traversal of FDI vehicle, EPC contractor, or material supplier. 6th-degree depth, 47 jurisdictions, 96% UBO confidence. Surfaces closed-loop re-entry linkage to documented extraction networks. 24–72 hour turnaround.
Gate Output C
Reconstruction Tier Exposure Report
Tier 1–4 supply-chain exposure mapping against documented active-capture mechanisms. Identifies which networks are positioned at which supply-chain tier for your specific portfolio and disbursement program. Pre-engagement-tier scoping output.
~$77M: Fictitious instruments detected pre-disbursement (Network VI · 10 contracts · 100% void rate)
USD 80–248B: Reconstruction pipeline scenario exposure range (10–31% extraction rate × $800B)
USD 250M: Reconstruction-adjacent re-entry vehicle (Network XII · April 2026 · Tier 1 exposure)

Engagement pathway for DFIs / IFIs / SWFs

Standard engagement sequence: initial discussion (calibrate ontology to your disbursement program and jurisdiction exposure) → scoping engagement (identify applicable networks and archetypes for your portfolio) → NDA-tier counterparty intake → portfolio screening deployment. Engagement timelines: weeks for intelligence-product subscription · months for custom ontology development with full data-infrastructure integration.

G-SIBs · Regional Banks · Financial Crime Risk

Your correspondent banking exposure
runs through captured channels.
Your SAR workflow sees the invoice.
Not the architecture behind it.

The extraction networks documented in this corpus operate through correspondent banking infrastructure — including institutions with existing G-SIB relationships. The fictitious guarantee mechanism is the exact failure mode embedded in correspondent banking and EPC supply chains. The five-domain protection architecture is the mechanism by which these relationships persist without triggering existing transaction-monitoring rules.

Layers 1–3 of the detection stack — the reach of your existing KYC/AML platforms — are systematically defeated by Layers 4–8 of the extraction architecture. The pattern library documents how.

What your AML/KYC stack does not reach

Layer 4–8 beneficial ownership — your transaction-monitoring rules fire on 1st/2nd-degree signals. The extraction architecture is designed at 3rd–6th degree. 96% UBO confidence requires petabyte-scale graph traversal across 47 jurisdictions — not commercial data aggregation.
Prosecution-grounded vs. statistically-inferred risk — your existing platform generates risk scores from statistical inference. The 445+ pattern library is prosecution-derived: every signature calibrated against a court-adjudicated enforcement outcome. False-positive management is built into the methodology, not applied post-processing.
Channel integrity for SAR routing — which institutional channels remain clean for SAR/referral submission vs. which are captured? The five-domain protection assessment determines this. Routing a referral through a captured enforcement channel is documented as an active adversarial technique in the corpus.
Cross-sectoral bridge nodes — the same individual (or institutional fixture) appears across energy procurement, gambling, payment infrastructure, and cultural assets. Single-sector screening misses the bridge-node architecture. 21 bridge nodes documented across 14 networks in the current corpus.

Sub-Report B · Output 1
Pre-Disbursement Gate Output
Counterparty pattern-match against 445+ enforcement-confirmed signatures at pre-disbursement gate. 24–72 hour turnaround. Output: archetype association, confidence band, signature density score, prosecution-provenance attribution. Formatted for FinCEN SAR submission workflow.
Sub-Report B · Output 2
Channel Integrity Assessment
Five-domain protection mapping for the relevant institutional channel. Determines which enforcement channels, regulatory contact points, and SAR routing pathways remain clean vs. captured. Prevents referral into an adversarially-controlled channel.
Sub-Report B · Output 3
Enforcement-Submission Package
Finished-intelligence package formatted for FinCEN/OFAC/DOJ/EPPO submission. Named analyst authorship, evidentiary standard documentation, prosecution-grade sourcing. Eliminates the translation layer between intelligence product and enforcement intake.
445+: Prosecution-confirmed pattern signatures · case-provenance attributed · 14 archetype classes
100%: SAR-to-prosecution confirmation rate on fully-adjudicated cases (through May 2026)
21: Bridge nodes spanning 14 networks — the cross-institutional linkage your screening misses

Engagement pathway for G-SIBs / financial crime risk

The standard G-SIB engagement integrates VELLARIXX gate output as a pre-disbursement overlay to existing KYC/AML workflow — zero change to core investment architecture. Counterparty screening queries run before equity commitment clears. Gate outputs route to existing SAR/compliance pipeline in FinCEN-formatted output. Engagement scope: scoping discussion → KYC integration design → NDA-tier counterparty intake → production deployment.

Federal Partners · Government Agencies · Counter-Intelligence

Every agency with capability lacks jurisdiction.
Every agency with jurisdiction lacks capability.
VELLARIXX built the only ontology
capable of crossing that gap.

The three-layer federal architecture — OFAC/FinCEN domestic enforcement · MLAT/judicial international · intelligence IC layer — contains a structural gap that no single federal authority bridges. VELLARIXX Layer 1 collection operates across all three layers simultaneously in the Ukrainian corridor. The Intelligence Community has capability but lacks prosecution-grade evidentiary standard. Law enforcement has jurisdiction but lacks the operational presence to detect at Layer 4–8 depth. VELLARIXX produces both.

The structural gaps Sub-Report A documents

MLAT velocity constraint — MLAT requests for beneficial ownership documentation in Cyprus, BVI, or Liechtenstein run 18–36 months at standard processing cadence. The offshore layering cycle in Window 02 of Archetype ⑦ completes in 60–90 days. The evidentiary recovery window closes before the MLAT response arrives.
Prosecution-grade evidentiary standard — IC collection is not formatted for DOJ or EPPO submission. The translation layer between IC-standard intelligence and prosecution-grade evidentiary package requires an intermediate capability that currently does not exist at scale. VELLARIXX produces prosecution-grade packages from operational intelligence.
Counter-intelligence dimension — the CI/Operational bridge node finding (CI/Operational super-cluster bridge node) documents that the back-office entity, which processed Operation Midas laundering, is co-located at the documented property nexus. This converts the Midas case from a corruption matter to a national-security counter-intelligence matter. This linkage does not exist in any public enforcement record.
Vienna safe-haven concentration — four documented financial pipelines converge in Vienna. Austrian extradition rejection of the principal (December 2025) consolidates Vienna's safe-haven status. The geographic-terminus bridge node requires coordinated allied-government action that no single jurisdiction can initiate unilaterally.

Sub-Report A · Output 1
MLAT-Velocity Bypass Package
Layer 4–8 beneficial ownership documentation produced from in-country sovereign database access — not MLAT-dependent. 18 DB categories, 47 jurisdictions, simultaneous query. Formatted for DOJ/EPPO evidentiary submission. Turnaround: 24–72 hours vs. 18–36 months MLAT standard.
Sub-Report A · Output 2
CI Assessment Package
Counter-intelligence dimension assessment for documented networks with Russian Federation exposure vectors. Includes: CI/Operational super-cluster bridge node documentation, familial-property-nexus findings, SSU-vector pipeline analysis, Vienna safe-haven convergence mapping. Five Eyes-compatible output format.
Sub-Report A · Output 3
Degradation Scenario Modelling
Five forward enforcement scenarios modelled against the documented ecosystem. Scenario C (simultaneous removal of the apex and enforcement gateway nodes): ~50% ecosystem-exposure reduction. Each scenario includes: action set, post-action ecosystem state, protection-level metric, clean-channel count. Decision-support format for interagency coordination.
5: Enforcement degradation scenarios modelled · Scenario C achieves 50% exposure reduction
24–72hr: VELLARIXX BO documentation turnaround vs. 18–36 month MLAT standard
47: Jurisdictions covered by simultaneous sovereign database query (18 DB categories)

Engagement pathway for federal / government / counter-intelligence

Federal partner engagement operates outside the standard commercial intake sequence. Defence Intelligence of Ukraine MoU (January 2023 · allied government signatory) establishes the allied-government channel framework. Engagement is initiated directly through the named engagement lead identified in the condition-precedent briefing. No online intake form. No self-service workflow. Every engagement begins as a direct conversation between named counterparties at verified institutional affiliation.


Engagement Protocol

Three paths forward · all begin with a direct conversation

There is no online intake form, registration portal, or self-service workflow. Every engagement begins as a direct conversation between named counterparties.

Path 01
Internal Circulation
Forward demonstration materials to your compliance team, risk committee, or procurement integrity working group. The in-platform guided walkthrough is calibrated to be self-sufficient — a colleague receiving the materials cold can orient in approximately 25 minutes.
No commitment · no timing constraint
Path 02
Scoping Discussion
Your context briefing → applicable archetype / pattern / network identification → scope of engagement-tier deployment → preliminary timeline and structure. Calibrated to your specific jurisdiction, sector exposure, and mandate. No commitment required at scoping stage.
~1 week to scope · no NDA required
Path 03
NDA-Tier Counterparty Intake
Direct entry to engagement-tier work — where existing counterparty exposure, regulatory commitment, or programmatic deadline makes scoping a less efficient sequence. From named demonstration recipient to engagement-tier counterparty under standard confidentiality structure.
~2 weeks to NDA-tier status

Condition precedent screen · 24-hour turnaround

All three paths are initiated through the contact channel in the Engage module, or directly through the engagement lead identified in the briefing under which this demonstration was delivered.

Network

Intelligence Network Map

14 Networks · 14 Archetypes · 445+ Patterns · 5 Institutional Domains

Network identities redacted on public surface · full attribution under NDA
0 Clean Channels
$617B At-Risk Capital
88% Exposure Rate
14 Networks
14 Archetypes
445+ Patterns
What Is a Network?
Understanding the VELLARIXX detection architecture
1. A network is not a single actor
A network is a coordinated group of individuals — officials, intermediaries, corporate entities, and enablers — operating together to extract state funds through a shared mechanism.
2. Networks require institutional access
Extraction at scale requires institutional capture — placing affiliates within state bodies that control funds, approve contracts, or suppress investigations.
3. Each network uses specific archetypes
An archetype is a repeatable fraud method — a documented pattern of how funds are extracted. VELLARIXX has identified 14 archetypes — 12 confirmed from enforcement cases, 2 carrying candidate designation from May 2026 integration.
4. Detection precedes enforcement
VELLARIXX identifies networks before official enforcement action by recognizing pattern signatures across transaction data and relationship mapping.
Network Index
X
The Protection Layer
One network to shield them all

Networks I–IX extract funds. Each operates within one or two institutional domains, using specific fraud archetypes to divert capital from state coffers.

Network X extracts nothing. Instead, it provides the institutional protection that allows all nine extraction networks to operate without consequence.

The architecture is hierarchical. Remove any single extraction network and eight others continue. Remove Network X and the protection collapses.

5/5 Domain coverage
$0 Direct extraction
9 Networks protected
$10B+ Extraction enabled
Five Institutional Domains
Protection architecture operates across five distinct institutional verticals
Judiciary
Courts and judicial bodies that adjudicate cases, issue rulings, and can transfer or dismiss proceedings. Capture enables favorable rulings and procedural delays.
Prosecution
State prosecution offices responsible for bringing criminal charges and managing case files. Capture enables case suppression and selective prosecution.
Enforcement
Police and law enforcement agencies that execute arrests and conduct raids. Capture enables selective enforcement and tip-offs before operations.
Security
Intelligence and security services responsible for national security. Capture enables surveillance of investigators and classification of evidence.
Investigation
Specialized investigative bureaus that conduct financial crime investigations. Capture enables case steering and evidence suppression.
Detection Timeline
VELLARIXX detection vs enforcement action
Networks I–III: Q1 2024
Networks IV–VI: Q2 2024
Networks VII–IX: Q3 2024
Enforcement begins: Q1 2025
Network X: Q1 2026
Legend: VELLARIXX detection · Enforcement action · Protection layer identified
Live Demo

Eight detection layers. Two counterparties. The architecture is calibrated — not tuned to fire.

SCENARIO A · ADVERSE PROFILE: RCN-7X-4429 · Reconstruction contractor · high-risk profile
SCENARIO B · CLEAN ENTITY: ENT-4B-2281 · Infrastructure fund · institutional counterparty

Entity: RCN-7X-4429
Jurisdiction Path: UA · CY · BVI · LU
Counterparty: Allied Reconstruction Facility
Contract Value: €47.2M

vellarixx_gate.sh
ENTITY: RCN-7X-4429 · LAYERS: 8
Synthetic case · representative of documented Archetype ⑦ — Stolen-Capital Re-Entry
$ vellarixx --screen [ENTITY_ID: RCN-7X-4429] --layers=8
14 archetypes · 445+ signatures · 18 sovereign DBs

THE PRE-DISBURSEMENT WINDOW IS THE ONLY WINDOW. THE DOCUMENTED NETWORKS ALREADY KNOW THAT.

Closed-Loop Visualization · Tier-1 Prototype

Stolen capital, returned home as foreign investment.

A documented closed-loop architecture: domestic budget extracted → 8-tier offshore layered → re-emerges as apparent FDI → acquires the very infrastructure those funds were drawn from. The loop closes invisibly to systems that stop at the offshore reset wall.

10 documented networks · 12 archetype framework · 445+ detection patterns · 47-entity case inventory · $10B+ documented extraction · Attribution available under NDA
Reference Case: MR-7X-9981
Archetype: ⑦ · Re-Entry
Volume / 90 days: $847M
Acquisition Target: $2.4B
UBO Confidence: 96%
Closed-Loop Trace
Closed-loop capital re-entry visualization: a circular trace showing stolen Ukrainian budget capital layered through eight offshore tiers and re-entering as apparent foreign direct investment, eventually acquiring the infrastructure those funds were extracted from. Two modes compare standard compliance against VELLARIXX 8-tier intercept.
Method note
The reset wall sits at Tier 3 because that is where conventional KYC, EDD, and most sanctions-screening stacks terminate beneficial-ownership traversal. Cyprus, BVI, and Delaware structures are engineered specifically to be terminal under those constraints. VELLARIXX's claim is not that it sees more in the open — it is that it continues past the wall to natural-person attribution at Tier 8, where the loop can still be closed by the architecture but no longer hidden from the gate.
The same loop · three lenses · same evidence
Reconstruction
Fund stewardship · audit-ready
"Stolen capital takes legal title to the asset it financed."
Ontology
Entity resolution · graph traversal
"Attribution terminated at Tier 3."
G-SIB
Correspondent exposure · BSA §5324
"Correspondent exposure spans the chain. Screening terminates at Tier 3."
Archetype ⑦ of 12 · Network VII of 10
You've read one archetype. The other eleven are documented. Nine more networks. Four hundred more pattern signatures. Attribution routes through an NDA.
VELLARIXX does not publish fee schedules.
Detection Clock · Archetype ⑦ Time Axis

By the time the enforcement record is public, the capital isn't.

Same stolen capital, same eight-tier offshore chain, same 47-entity case. The axis that changes here is time: when evidence becomes available, and whether the window is open before disbursement or closed after the loss.

10 documented networks · 12 archetype framework · 445+ detection patterns · Pre-enforcement detection · 96% UBO confidence · Attribution available under NDA
Reference Case: MR-7X-9981
Archetype: ⑦ · Re-Entry
Disbursement: M6
Public Flag (standard): M14
VELLARIXX Lead: Pre-enforcement
Detection Timeline
Detection clock timeline: horizontal time axis showing VELLARIXX detection events in the first 5 months versus standard compliance events at month 14 onward.
Method note
The detection lead is the temporal face of attribution depth. Resolution to Tier 8 requires behavioural, registry, and kinship signals that are available pre-disbursement and decay rapidly once funds traverse. Post-wire enforcement preserves the regulatory record but not the capital — the pre-wire window is the only interval in which the control is architecturally distinguishable from the violation.
The same clock · three lenses · same pre-enforcement lead
Detection · Pre-enforcement · documented
You've read the clock for one archetype. Eleven more archetypes. Nine more networks. Lead times, case IDs, and pattern signatures route through an NDA.
Engagement Protocol

Five phases. One condition precedent. The shape of every engagement, rendered to scale.

Engagement timeline diagram · Condition Precedent: Phase 0 Five-Domain Assessment
Time axis: T+0 · T+24h · T+5d · T+10d · T+14d
No Phase 0 · Counterparty Mode
Gate outcomes: FLAG → REMEDIATION; BLOCK · ENGAGEMENT ENDS; PASS · PROCEEDS
Stage labels: Request Received, Verification Screen Initiated, Scope & Documents, NDA Executed, Principal Clearance, Five-Domain Gate, Intelligence Package Delivered
Deliverables: Ack, NDA Draft, Scope Stmt, Phase 0 Report, Intel Pkg
Phase 0 Five-Domain Assessment · Engaging Party · 10 BD from documentary receipt
I. Legislative · regulatory framework: clear
II. Regulatory · supervisory function: clear
III. Judicial · referral channel: clear
IV. Enforcement · investigative apparatus: clear
V. Intelligence · collection layer: clear
Gate Outcome:
PASS · proceeds to Phase 1
FLAG · remediation per domain
BLOCK · engagement closes


Two Pathways Into Engagement
If you arrived via introduction
Respond through the same channel.
If a VELLARIXX intelligence package, briefing document, or capability assessment was delivered to you directly, your response goes back through whoever sent it. The first conversation carries no commitment.
Protocol
The verification screen begins within 24 hours of acknowledgement. Named analyst contact opens in parallel. No briefing-request form is required for warm-handoff engagements.
If you arrived independently
The briefing request begins the screen.
If you arrived at this page without a prior introduction, the form below initiates the verification screen. The screen determines fit for the engagement type before any classified briefing is scheduled.

Verification screen applied to all engagements · Response within 24 hours · VELLARIXX does not publish fee schedules

VELLARIXX — Pre-Disbursement Intelligence

10 Operations Documented · $10B+ Extracted (Ukrainian Economy) · 0 Other Detections Across All Operations

Every institution that would have initiated scrutiny was part of the architecture that made scrutiny unnecessary.

Institutions Operating in This Environment

The same architecture is already positioned inside the $800 billion reconstruction pipeline.

The exposure varies by institution. The failure mode does not.

The documented networks were not designed around a single institutional target. They were designed around the gap between what any single institution can see and what the full structure requires to be visible. That gap is architectural. It applies equally across development finance, supervisory authorities, global financial institutions, and sovereign defense partners — the surface exposure differs, the underlying failure mode does not.

Development Finance
EBRD · EIB · World Bank disbursement teams
The documented networks are already positioned inside the $800B reconstruction pipeline. The pre-disbursement window is the only window — after capital clears, recovery exceeds the dispersal window by design.

Supervisory Authorities
ECB · EBA · EPPO
The cross-operation facilitation architecture VELLARIXX has mapped is the precise cross-border structure the EPPO was created to address — and currently cannot see in full.

Global Financial Institutions
G-SIBs with Eastern European sovereign exposure
Compliance teams see Layer 3. Institutions are exposed at Layer 8. Institutions in the documented correspondent path face mandatory SAR obligations and OFAC IEEPA strict liability regardless of knowledge or intent.

Sovereign & Defense Partners
Allied government agencies · Defense contractors · EPC primes
Illicit-origin ownership confirmed across 14 power grids, 4 allied nations — 43 defence engineers under compromised ownership structures, before any allied government produced a signal.

EPC Contractors
Supply chain subcontractors
Network X entities represent exactly the established regional contractor presence that competes for EPC supply chain subcontracts. Documented exposure across six oblasts where major infrastructure reconstruction is already underway. UAH 10B+ extracted from Big Construction program.

Mission

Every financial intelligence platform was built to read what illicit financial networks produce.

VELLARIXX was built to produce what those platforms can only read about.

Undetected by every compliance system in the environment. · Ten operations. · Extracted in excess of $10 billion.

The Provenance

The ten documented operations were not detected by deploying a platform from the outside.

They were built from inside.

From two decades of direct access to the operational layer where these networks function. The platform is the codification of what that presence found.

In the environments where illicit capital extraction operates at institutional scale, the data required to detect the threat does not exist in any commercial database. It exists in the operational layer — in the financial architectures that exist only inside the networks, in the appointment histories that reveal which referrals will produce outcomes and which will be absorbed, in the institutional capture architecture that no external platform can reach from outside.

Ten illicit financial operations. Not ten independent schemes — one connected ecosystem, eleven documented fraud mechanisms, a shared architecture of extraction and protection. The ten documented here are the cases that can be proven in public — the verifiable fraction of a twenty-year operational record, not its ceiling.

The ten are the proof. The twenty years are the methodology.

The Operational Basis

The provenance claim is not asserted. It is documented against confirmed outcomes.

The twenty-year operational record produced four anchor cases before the outcomes that confirmed them. These are not projections or scenario assessments. They are documented detections — in every case, the intelligence preceded the outcome by months, not days.

Detection Record — Confirmed Against Outcomes

Operation | Detection Lead | Scale
Allied Power Grid | Pre-disbursement | 47 entities · 12 jurisdictions · 14 power grids
Nuclear Enterprise | Pre-enforcement | $4M cash seized · 3yr ledger · 8 indictments
Fictitious Guarantees | Pre-disbursement | ~$77M · 10 contracts · 100% void rate
Defense Procurement | Pre-enforcement | 40+ shell LLCs · 100+ nominees · ~$122M+

The detection methodology is not derived from what those operations produced in public record. It is derived from inside the operations — before they became a record.

The detection record exists because the operational presence preceded it. Why the architecture cannot be replicated — the ground truth provenance, the sovereign access, the convergence analysis — is examined in full on the Methodology page.

The Detection Record

The architecture is how the detection framework is built. What follows is what it found.

Fourteen networks in the documented registry. The cases that can be proven in public — the verifiable fraction of a twenty-year operational record, not its ceiling.

0 Detections from any other source across all ten documented operations

Anchor Cases

ONTOLOGY Layer 8 UBO · LEAD 11mo

Network VII · Stolen-Capital Re-Entry

$2.4B+ Active · 14 Power Grids · 4 Allied Nations · 96% UBO Confidence

Every institution in the environment stopped at Layer 3 — the Cyprus reset. VELLARIXX mapped to Layer 8. Natural person confirmed at 96% confidence across 12 jurisdictions, before any allied government produced a signal.

8-layer beneficial ownership traversal · 6th-degree depth · 47 jurisdictions · 96% UBO confidence · round-trip pattern matching · multi-chain de-mixing

ONTOLOGY Personnel Pathway · PROTECTION MAPPING · LEAD 13mo

Network VIII · SOE Barrier Extraction

$100M+ USD · $4M Cash Seized · 8 Indictments

VELLARIXX mapped the extraction mechanism and the protection architecture that sustained it before either was confirmed in public enforcement. The five-domain assessment identified which channels were clean before the referral was made. The referral produced eight indictments.

SOE barrier extraction mapping · personnel pathway temporal graph · appointment-cycle monitoring · five-domain protection mapping · facilitator density scoring

ONTOLOGY Sovereign Registry · PROTECTION MAPPING · GATE OUTPUT Pre-Disbursement

Network VI · Fictitious Guarantees

~$77M Void · 10 Contracts · 100% Void Rate

VELLARIXX identified every instrument as void before disbursement cleared. Approximately $77M across ten contracts. Every instrument legally formatted. Every one void from inception — Class 13 authority required, Class 16 held.

Sovereign registry direct query · Class 13/16 licence verification · guarantee-to-capital ratio analysis · appointment-cycle monitoring · five-domain protection mapping

UAH 3.18B Void · 10 Contracts · 100% Void Rate · Active Proceedings

The Convergence Finding

The three anchor cases are not three separate detections.
They are three facets of one connected ecosystem — and one actor connects all ten.

A single cross-operation facilitation node has been confirmed across all ten documented operations simultaneously. No single authority has assembled this map. The connecting architecture exists only in the layer where the full ecosystem can be seen simultaneously.

That finding does not exist in any commercial output. It requires presence inside the full ecosystem to produce.

Supporting Cases

LEAD 14mo

Network I · Catalog Distortion

409-item catalog with systematic price distortion at volume-critical line items. 31% extraction rate.

UAH 1.52B+ · ~31% Extraction Rate

LEAD 14mo

Network II · Substitution Arbitrage

Substandard materials at specification-grade price. 40+ shell entities. 100+ nominee directors.

UAH 1.167B State Damage · Detained

LEAD 14mo

Network III · SOE Commodity Diversion

State property apparatus weaponised as extraction platform. Convergence node confirmed shared across three operations simultaneously.

UAH 10B+ Assessed

LEAD 13mo

Network IV · Offshore Extraction

Six-jurisdiction network. Cyprus/BVI endpoint. FSB exposure confirmed.

$2.1B+ Extracted · FSB Exposure Confirmed

LEAD 14mo

Network V · Advance Diversion

97% of advance payment captured within 72 hours across six jurisdictions before non-delivery registered.

UAH 1.5B+ Assessed · Detained

LEAD 12mo

Network IX · Reconstruction Advance Loop

Scheme accelerated, not contracted, under scrutiny. The live template for reconstruction fund diversion at scale.

UAH 1.9–2.0B Assessed · Proceedings Active

ACTIVE — Live Intelligence

Network X · Infrastructure Procurement Capture

The only documented live reconstruction fund capture. Full documentation available at named analyst briefing stage under NDA.

Active · Assessment Ongoing

Full Case Documentation Available Under NDA.

Complete network architecture, detection methodology, enforcement outcomes. Condition precedent screen applied to all engagements · Response within 24 hours.

Operational Footprint

Not a database coverage list. An active intelligence map.

Active · Reconstruction Pipeline: $800 Billion · Documented Extraction: >$10B

Ukraine — Active Operational Foundation

Ten documented operations — the confirmed evidentiary layer of the broader operational history in this environment. The operations that extracted in excess of $10 billion are already positioned inside the $800 billion reconstruction pipeline.

The detection framework that produced the ten documented cases does not degrade at the border. The same sovereign registry access, the same archetype library, the same protection mapping architecture — all operational in the same environment where the capital is now being directed. The pipeline is the next deployment. The methodology is already there.

Network X alone spans six oblasts — Khmelnytsky, Rivne, Kherson, Vinnytsia, Zhytomyr, Chernivtsi — creating the jurisdictional fragmentation that standard single-jurisdiction enforcement cannot address. Any road, bridge, or infrastructure reconstruction contract in these oblasts has documented exposure to Labaziuk network entities.

Documented · Active Proceedings: 2 Jurisdictions · Confirmed Gaps: 4 Jurisdictions

Eastern Europe — Documented and Active

The same capability operating across the broader geographic reality of how the documented networks actually function. Each jurisdiction confirmed through sovereign registry query, not inferred from public record.

A single cross-operation facilitation node confirmed across all ten documented operations simultaneously.

The gap across Eastern Europe is not hypothetical. It is mapped. Each authority sees one fragment. VELLARIXX sees the complete architecture. Allied government channel relationships are established across the region. EU member state FIU relationships are active. This is not the next deployment. It is the current operational reality.

Next · Structural Homology: Confirmed

The Balkans — Next Structured Deployment

Structural homology to Ukraine confirmed. EU accession procurement vulnerabilities. The same Cyprus and BVI offshore architecture. The networks that operated in Ukraine are present in the Balkans.

The Active Window

Comparator | Pipeline | Rate
Iraq · SIGIR 2013 | ~$60B | 10–15% documented
Afghanistan · SIGAR 2010–21 | ~$145B | 15–30% documented
Ukraine — Ten Operations | $800B | 10–31% extraction rate
Working estimate range | $80–248B | Scenario range only

The active window is open. The question is whether it closes with or without a gate.

The deployment window is now.

The documented networks are already positioned inside the reconstruction pipeline. The question is whether the institutions disbursing into that pipeline will see them before the transaction clears.

Methodology

The Rosetta Stone did not find new script.
It rendered legible what was already there.

VELLARIXX is that instrument — built for the operational layer every other tool can see but cannot read.

What This Is Not

Not a compliance platform. Not a screening tool. Not a vendor with better database coverage. Not a risk scoring system.

The outputs are not the product. They are the delivery mechanism — the translation layer between intelligence produced at the layer where the threat actually exists and the frameworks every institution must operate inside.

Analytical platforms analyse what exists in commercial databases. VELLARIXX produces what does not — at the operational layer where illicit capital extraction actually functions, before it becomes a record that any database can hold.

The Architecture

Eight Detection Layers

Detection Architecture · Eight Layers
Layer 1 — Multi-script entity resolution
2.3M+ entities · 95%+ accuracy · 47 jurisdictions
Confirms the entity exists and where. Every jurisdiction. Every script.
Layer 2 — Sovereign guarantee validation
Class 13/16 authority · capitalisation · reinsurance class
Confirms the instrument is valid at source — before disbursement, not after failure.
Layer 3 — Beneficial ownership traversal
6th-degree depth · 47 jurisdictions · 96% UBO confidence
⚠  Standard compliance architecture stops here
Layer 4 — Enforcement-confirmed pattern matching
445+ signatures · cross-domain · real-time
Sees coordinated operations that produce no transaction anomaly.
Layer 5 — Cryptocurrency de-mixing
BTC→ETH→Monero→fiat · Tornado Cash IEEPA flag
Traces capital through obfuscation chains. Confirms IEEPA strict liability before it is created.
Layer 6 — Political protection mapping
Five-domain capture · facilitator density · appointment-cycle
Maps which channels are compromised before any referral is made.
Layer 7 — Forward-looking sanctions scoring
87–93% match rate · 90-day horizon · pre-flight detection
Identifies who will be designated before the list is published.
Layer 8 — Sovereign cross-database query
18 database types · 47 jurisdictions · simultaneous
Assembles the complete ownership picture no single registry holds.

The eight layers above describe how the detection architecture operates. The fourteen archetypes below describe what it was built to find — derived from the operations that confirmed each detection pattern before it entered the library.

Fourteen Detection Archetypes

The fourteen archetypes are not categories. They are the documented mechanics of how capital was extracted across the documented corpus — each one encoded into the detection library from the operation that produced it.

Six operate in domains where existing compliance architecture has partial detection pathways. Six operate in domains existing compliance architecture cannot reach at all — personnel workflows, institutional appointment cycles, sovereign procurement barriers, infrastructure tender dominance. None of the documented operations was detected by any system deployed in the same environment.

Two carry CANDIDATE designation — documented at evidentiary tier in source material, requiring additional collection for elevation to fully-confirmed status. Candidate archetypes are surfaced explicitly; the platform reasons under uncertainty rather than asserting flat conclusions.

Standard Detection Surface
Catalog Distortion
Substitution Arbitrage
Commodity Diversion
Offshore Extraction
Fictitious Guarantees
Advance Diversion

Beyond the Detection Surface
Stolen-Capital Re-Entry
SOE Barrier Extraction
Reconstruction Advance Loop
Appointment-Cycle Capture
Infrastructure Procurement Capture
Legal-Professional Network Capture

Archetype ⑪ — Infrastructure Procurement Capture

Multi-oblast tender dominance through political patronage, coordinated bidding, and administrative resource capture. Extraction via substandard materials substitution. Six-oblast geographic spread creates jurisdictional fragmentation that standard single-jurisdiction enforcement cannot address.

Primary Network: Labaziuk / VITAGRO (Network X)
Documented Scale: ~$241M+ (Big Construction 2020–2021) · ~$24M (Reconstruction Attempt)
Detection Patterns: LB-001 Multi-Oblast Dominance · LB-002 Family Proxy Architecture · LB-003 Materials Substitution
EPC Exposure: Bechtel Tier 1 subcontract pathway · documented across six oblasts

The Structural Moat

01
Ground Truth From the Operational Layer

Four hundred eight signatures. Each one derived from within the networks — not from the records those networks subsequently produced. One pattern: two nominally independent bidders share a nominee director registered within 90 days of contract announcement, with overlapping registered addresses across three jurisdictions. Standard monitoring sees two clean entities. The detection framework sees one coordinated operation.
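
The shared-nominee pattern described above can be written as a pairwise check over registry records. This is an added example, not VELLARIXX code: the record layout, the sample bidders, and the reading of "within 90 days" as 90 days either side of the announcement are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from itertools import combinations
import re

WINDOW_DAYS = 90        # "within 90 days of contract announcement" (from the page)
MIN_JURISDICTIONS = 3   # "across three jurisdictions" (from the page)


@dataclass(frozen=True)
class Director:
    name: str
    appointed: date


@dataclass(frozen=True)
class Bidder:               # hypothetical record layout
    entity_id: str
    directors: tuple        # Director records
    addresses: tuple        # (jurisdiction code, registered address) pairs


def norm(text):
    """Fold case, punctuation and spacing so registry spelling variants compare equal."""
    return re.sub(r"[^a-z0-9]+", " ", text.lower()).strip()


def recent_directors(bidder, announced):
    """Normalized names of directors appointed within WINDOW_DAYS of the announcement."""
    return {norm(d.name) for d in bidder.directors
            if abs((d.appointed - announced).days) <= WINDOW_DAYS}


def shared_address_jurisdictions(a, b):
    """Jurisdictions in which both bidders list the same registered address."""
    addr_a = {(j.upper(), norm(addr)) for j, addr in a.addresses}
    addr_b = {(j.upper(), norm(addr)) for j, addr in b.addresses}
    return {j for j, _ in addr_a & addr_b}


def coordinated_pairs(bidders, announced):
    """Flag bidder pairs that meet BOTH conditions: a shared recently appointed
    director AND the same registered address in >= MIN_JURISDICTIONS jurisdictions."""
    findings = []
    for a, b in combinations(bidders, 2):
        directors = recent_directors(a, announced) & recent_directors(b, announced)
        jurisdictions = shared_address_jurisdictions(a, b)
        if directors and len(jurisdictions) >= MIN_JURISDICTIONS:
            findings.append({"pair": (a.entity_id, b.entity_id),
                             "shared_directors": sorted(directors),
                             "jurisdictions": sorted(jurisdictions)})
    return findings


# Constructed sample data: every entity, name and address below is invented.
ANNOUNCED = date(2021, 3, 1)
UA, CY, VG = ("Office 4, 1 Example Street, Kyiv",
              "Suite 2, 10 Sample Avenue, Nicosia",
              "PO Box 000, Road Town, Tortola")
SAMPLE_BIDDERS = [
    Bidder("BIDDER-A",
           (Director("Jane Q. Sample", date(2021, 1, 15)),),
           (("UA", UA), ("CY", CY), ("VG", VG))),
    # Same director and addresses as BIDDER-A, spelled differently in the registry.
    Bidder("BIDDER-B",
           (Director("JANE  Q SAMPLE", date(2020, 12, 20)),),
           (("ua", "OFFICE 4 1 EXAMPLE STREET, KYIV"),
            ("cy", "Suite 2 10 Sample Avenue Nicosia"),
            ("vg", VG))),
    # Same director, but appointed two years earlier and only one common address.
    Bidder("BIDDER-C",
           (Director("Jane Q. Sample", date(2019, 2, 1)),),
           (("UA", "7 Other Road, Lviv"), ("CY", CY))),
    # Same three addresses as BIDDER-A but no common director: one condition
    # without the other is not enough to flag the pair.
    Bidder("BIDDER-D",
           (Director("John R. Placeholder", date(2021, 2, 1)),),
           (("UA", UA), ("CY", CY), ("VG", VG))),
]

if __name__ == "__main__":
    for finding in coordinated_pairs(SAMPLE_BIDDERS, ANNOUNCED):
        print(finding)
```

Screened one at a time, each of the four sample bidders looks clean; only the pairwise comparison surfaces BIDDER-A and BIDDER-B as one operation.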

02
Sovereign Access

Eighteen sovereign database types. Forty-seven jurisdictions. Direct query at sovereign registry level. The Fictitious Guarantee detection — UAH 3.18 billion, ten contracts, 100% void rate — was produced by this access. Not discoverable any other way.

03
Convergence Analysis

The architecture maps operations, not entities. Shared nominees, overlapping appointment histories, coordinated registration timing — assembled across nominally independent networks into a single operational picture. A single facilitation node confirmed simultaneously across all ten documented operations — connecting MoD procurement, energy SOE extraction, fictitious guarantee architecture, offshore layering chains, infrastructure procurement capture, and the institutional capture mechanism that sustained all of them. No single enforcement authority has assembled this map. Each holds jurisdiction over one fragment. The connecting architecture exists only in the layer where all ten can be seen simultaneously — and where this record was produced.

The Five-Domain Protection Architecture

Detecting capital movement is necessary. It is not sufficient.

The same institutional capture architecture that extracts capital also protects the extractors. VELLARIXX maps which channels are clean before any referral is made. Without it, finished intelligence packages route to captured channels and produce no outcome.

I. Legislative: Statutory barriers embedded in regulatory framework
II. Regulatory: Capture of monitoring bodies · suppressed referral
III. Judicial: Weaponised proceedings · coercion architecture
IV. Enforcement: Infiltrated investigation channels · absorbed referrals
V. Intelligence: Counter-intelligence posture · compromised collection

Why No Other Instrument Reaches Here

The leading sovereign analytics platform was deployed in the same environment. It produced zero detections across ten documented operations.

Not because the platform failed. Because the data it needs does not exist in the layer it queries.

No existing compliance architecture queries the layer VELLARIXX operates in. The data required to detect sovereign-grade illicit capital extraction does not exist in any commercial database. It exists only in the layer where the operations actually ran — and where the detection record was produced.

The detection ontology is not a better algorithm. It is the only instrument capable of making legible what every other system can see but cannot read.

Insights

Analytical perspective on the threat environment.
From inside it.

Intelligence Analysis · Financial Crime Architecture

Why AML Stops at Layer 3 — And What Lives in the Gap

Ten confirmed financial crime architectures extracted $10 billion from a national economy. Every standard AML, KYC, and UBO tool in the environment cleared every transaction. This is not a failure story. It is a design story.

Vellarixx Intelligence · March 2026

The question that follows every major financial crime case is always the same: how did existing compliance systems miss it? The systems worked as designed. The schemes were built to operate in the space the design left open.

The Layer 3 Problem

Standard UBO traversal terminates at the offshore reset layer. The compliance system confirms the offshore entity is registered and in good standing, and closes the query. The beneficial owner at Layer 8 is invisible.

In the Allied Power Grid detection, a 47-entity ownership structure across 12 jurisdictions routed stolen capital into control of 14 power grids across four allied nations. The offshore reset terminated every standard UBO query at Layer 3. VELLARIXX continued to Layer 8. The natural person was confirmed at 96% confidence — before any allied government produced a signal.

What Lives at Layers 4 Through 8

Commercial pattern matching runs against transaction anomalies. It is ineffective against financial crime architectures designed to produce no statistical anomalies at the transaction layer. These patterns could not be derived from open-source data. They were built over twenty years of operational presence inside the cases that produced them.

Every compliance framework assumes that referral channels are operationally clean. This assumption fails when those authorities are participants in the network. Across ten documented operations, a single apex node provided protection simultaneously across five institutional domains. Zero detections from any other source across all ten operations.

The gap is not a malfunction. It is a design. The only question is whether your compliance record was built to close it or to document that it was open.

The Convergence Implication

The Layer 3 problem explains why individual operations went undetected. The convergence finding explains something more significant: why success against individual operations has been systemically ineffective.

When a single facilitation node connects all ten documented operations simultaneously, the ecosystem is not ten independent criminal enterprises. It is one architecture with ten expressions. When one node is disrupted, the others adapt. Standard efforts run against operations. The ecosystem survives by design.

The compliance framework that screens entities in isolation is not inadequate. It is answering a different question from the one the ecosystem is posing.

The convergence finding and full cross-network documentation are available at the named analyst briefing stage under NDA.

Continue the Conversation

These analyses are drawn from the same detection architecture available under NDA. If the problem described here applies to your institution, the briefing goes deeper.

Engage

The briefing begins with a condition precedent screen.
The same standard applied to every counterparty.

VELLARIXX applies the same verification standard to the institutions it works with that it applies to the counterparties those institutions are screening. The briefing requires fit in both directions.

The Condition Precedent

The screen is not a sales qualification process.

It is the same architecture applied to a different counterparty.

Institutional mandate, operational context, and engagement type are assessed before any classified material is shared. The screen determines whether the scope of a new engagement aligns with the operational framework under which existing mandates are conducted.

VELLARIXX operates under active engagement across development finance, supervisory authority, and allied government mandates. New engagements are assessed for fit within that operational framework before the briefing is scheduled — not after.

The first conversation carries no commitment. The screen begins within 24 hours of the briefing request. The screen either clears or it does not. If it clears, the briefing follows. If it does not, VELLARIXX will say so directly.

Arriving Via Introduction

If this document was delivered to you directly, your response goes back through the same channel. No form required. The condition precedent screen begins within 24 hours.

Arriving Independently

If you reached this page without a prior introduction, the briefing request below begins the engagement screen. The screen determines fit for the engagement type before any classified briefing is scheduled.

Engagement Protocol

24 hours | Condition precedent screen initiated · senior analyst contact
5 days | Screen complete · briefing scope established · NDA executed
NDA tier | Full pattern library · named actors · network ecosystem · case documentation
Engagement | Named analyst team assigned · delivery timeline confirmed

Condition precedent screen applied to all engagements · Response within 24 hours

The Analysts

The ten documented operations carry named analyst authorship. These are the analysts.

The Operational Record

Detection Record — Confirmed Against Outcomes

Operation | Detection Lead | Outcome
Allied Power Grid | Pre-disbursement | 47 entities · 12 jurisdictions · 14 power grids
Nuclear Enterprise | Pre-enforcement | $4M cash seized · 3yr ledger · 8 indictments
Fictitious Guarantees | Pre-disbursement | ~$77M · 10 contracts · 100% void rate
Defense Procurement | Pre-enforcement | 40+ shell LLCs · 100+ nominees · ~$122M+
Infrastructure Capture | Active prosecution | UAH 10B+ · 6 oblasts · NABU/SAP active

The Operational Team

MOSCHE
Founder · Chief Intelligence Architect
Detection Ontology
Pattern library: 445+ enforcement-confirmed signatures · 11 archetype classes
Archetype framework: ①–⑦ standard detection surface · ⑧–⑪ beyond it
Guarantee gate: Class 13/16 licence verification · capital ratio analysis
Sovereign access: 18 sovereign database types · 47 jurisdictions · direct registry query
Ground truth basis: Derived inside the operations · before outcomes were recorded

DAVID
Chief Technology Officer
Network & Pipeline Architecture
UBO traversal: 8-layer ownership chain · 6th-degree depth · 96% natural person attribution
Network ontology: Cross-operation convergence mapping · single facilitation node confirmed
Protection mapping: Five-domain institutional capture assessment · clean channel routing
Sanctions engine: Forward-looking indicator set · 87–93% match rate · 90-day horizon
Pipeline: Zero-trust multi-source fusion · enforcement-submission standard output

Every intelligence package carries named analyst authorship with source citations on every finding. Full credentials shared under NDA.

Live Demo

Eight detection layers. Two counterparties. The architecture is calibrated — not tuned to fire.

SCENARIO A · ADVERSE PROFILE: RCN-7X-4429 (Reconstruction contractor · high-risk profile)
SCENARIO B · CLEAN ENTITY: ENT-4B-2281 (Infrastructure fund · institutional counterparty)

Entity: RCN-7X-4429
Jurisdiction Path: UA · CY · BVI · LU
Counterparty: Allied Reconstruction Facility
Contract Value: €47.2M

vellarixx_gate.sh
ENTITY: RCN-7X-4429 · LAYERS: 8
Synthetic case · representative of documented Archetype ⑦ — Stolen-Capital Re-Entry
$ vellarixx --screen [ENTITY_ID: RCN-7X-4429] --layers=8
14 archetypes · 445+ signatures · 18 sovereign DBs

THE PRE-DISBURSEMENT WINDOW IS THE ONLY WINDOW. THE DOCUMENTED NETWORKS ALREADY KNOW THAT.
