Forensic Intelligence

We are a forensic intelligence service.

We map illicit financial networks, confirm beneficial ownership across eight detection layers, and deliver intelligence packages that hold at evidentiary standard — before the transaction clears.

The Argument

Every agency with capability lacks jurisdiction.
Every agency with jurisdiction lacks capability.

VELLARIXX was built to operate in the gap between them.

The financial networks that extracted $10 billion from the Ukrainian economy were engineered to be unreachable by the agencies most capable of acting on them. Jurisdictional boundaries are not an obstacle they encountered. They are an architecture they exploited — offshore ownership resets, nominee layering, captured regulatory channels, and guarantee instruments void at source — each component calibrated to terminate every detection query at the layer where it stops.

That operational knowledge cannot be assembled commercially. It was built over two decades of work conducted from within the financial networks and institutional architectures it now documents. Not from what those environments produced in public record.

What that presence produced follows.

The Structural Failure

The detection infrastructure was not the problem. The question of whether it would ever be pointed at the right place was.

The architecture was not designed to defeat detection. It was designed to ensure detection was never initiated. Five institutional domains. Each one a pathway through which scrutiny enters.

Legislative — the regulatory framework that defines what requires disclosure.
Regulatory — the supervisory function that monitors and refers.
Judicial — the channel through which evidence becomes action.
Enforcement — the apparatus that investigates and prosecutes.
Intelligence — the collection layer that surfaces what the others cannot see.

Every pathway was controlled. Parliamentary positions shaped what the regulatory environment required to be disclosed. Central bank appointments maintained the architecture that needed no scrutiny. The apex judicial channel absorbed referrals before they produced outcomes. The investigation bureau operated under influence that ensured cases did not open. The security apparatus provided the insulation that kept the collection layer blind.

10
Operations
Documented
$10B+
Extracted
Ukrainian Economy
11–14mo
Detection Lead
Before Outcomes

Every institution that would have initiated scrutiny was part of the architecture that made scrutiny unnecessary.

Institutions Operating in This Environment

The same architecture is already positioned inside the $800 billion reconstruction pipeline.

The exposure varies by institution. The failure mode does not.

The documented networks were not designed around a single institutional target. They were designed around the gap between what any single institution can see and what the full structure requires to be visible. That gap is architectural. It applies equally across development finance, supervisory authorities, global financial institutions, and sovereign defense partners — the surface exposure differs, the underlying failure mode does not.

Development Finance
EBRD · EIB · World Bank disbursement teams
The documented networks are already positioned inside the $800B reconstruction pipeline. The pre-disbursement window is the only window — after capital clears, recovery exceeds the dispersal window by design.
Supervisory Authorities
ECB · EBA · EPPO
The cross-operation facilitation architecture VELLARIXX has mapped is the precise cross-border structure the EPPO was created to address — and currently cannot see in full.
Global Financial Institutions
G-SIBs with Eastern European sovereign exposure
Compliance teams see Layer 3. Institutions are exposed at Layer 8. Institutions in the documented correspondent path face mandatory SAR obligations and OFAC IEEPA strict liability regardless of knowledge or intent.
Sovereign & Defense Partners
Allied government agencies · Defense contractors · EPC primes
Illicit-origin ownership confirmed across 14 power grids, 4 allied nations — 43 defence engineers under compromised ownership structures, 11 months before any allied government produced a signal.
EPC Contractors
Supply chain subcontractors
Network X entities represent exactly the established regional contractor presence that competes for EPC supply chain subcontracts. Documented exposure across six oblasts where major infrastructure reconstruction is already underway. UAH 10B+ extracted from Big Construction program.
Mission

Every financial intelligence platform was built to read what illicit financial networks produce.

VELLARIXX was built to produce what those platforms can only read about.
Undetected by every compliance system in the environment.  ·  Ten operations.
Extracted in excess of $10 billion.  ·  11–14 month leads before the outcomes were confirmed.

The Provenance

The ten documented operations were not detected by deploying a platform from the outside.

They were built from inside.

From two decades of direct access to the operational layer where these networks function. The platform is the codification of what that presence found.

In the environments where illicit capital extraction operates at institutional scale, the data required to detect the threat does not exist in any commercial database. It exists in the operational layer — in the financial architectures that exist only inside the networks, in the appointment histories that reveal which referrals will produce outcomes and which will be absorbed, in the institutional capture architecture that no external platform can reach from outside.

Ten illicit financial operations. Not ten independent schemes — one connected ecosystem, eleven documented fraud mechanisms, a shared architecture of extraction and protection. The ten documented here are the cases that can be proven in public — the verifiable fraction of a twenty-year operational record, not its ceiling.

The ten are the proof. The twenty years are the methodology.

The Operational Basis

The provenance claim is not asserted. It is documented against confirmed outcomes.

The twenty-year operational record produced four anchor cases before the outcomes that confirmed them. These are not projections or scenario assessments. They are documented detections — in every case, the intelligence preceded the outcome by months, not days.

Detection Record — Confirmed Against Outcomes
Operation
Detection Lead
Scale
Allied Power Grid
11 months before allied government
47 entities · 12 jurisdictions · 14 power grids
Nuclear Enterprise
13 months before outcome
$4M cash seized · 3yr ledger · 8 indictments
Fictitious Guarantees
Pre-disbursement
UAH 3.18B · 10 contracts · 100% void rate
Defense Procurement
14 months before outcome
40+ shell LLCs · 100+ nominees · UAH 5B+

The detection methodology is not derived from what those operations produced in public record. It is derived from inside the operations — before they became a record.

The detection record exists because the operational presence preceded it. Why the architecture cannot be replicated — the ground truth provenance, the sovereign access, the convergence analysis — is examined in full on the Methodology page.

The Detection Record

The architecture is how the detection framework is built. What follows is what it found.

Ten operations. The cases that can be proven in public — the verifiable fraction of a twenty-year operational record, not its ceiling.

0 Detections from any other source across all ten documented operations
Anchor Cases
ONTOLOGY Layer 8 UBO LEAD 11mo

Network VII · Stolen-Capital Re-Entry

$2.4B+ Active 14 Power Grids · 4 Allied Nations 96% UBO Confidence

Every institution in the environment stopped at Layer 3 — the Cyprus reset. VELLARIXX mapped to Layer 8. Natural person confirmed at 96% confidence across 12 jurisdictions. Eleven months before any allied government produced a signal.

8-layer beneficial ownership traversal · 6th-degree depth · 47 jurisdictions · 96% UBO confidence · round-trip pattern matching · multi-chain de-mixing
$2.4B+
Active
14
Power Grids
96%
UBO Confidence
ONTOLOGY Personnel Pathway PROTECTION MAPPING LEAD 13mo

Network VIII · SOE Barrier Extraction

$100M+ USD $4M Cash Seized 8 Indictments

VELLARIXX mapped the extraction mechanism and the protection architecture that sustained it — thirteen months before either was confirmed. The five-domain assessment identified which channels were clean before the referral was made. The referral produced eight indictments.

SOE barrier extraction mapping · personnel pathway temporal graph · appointment-cycle monitoring · five-domain protection mapping · facilitator density scoring
$100M+
USD
$4M
Cash Seized
8
Indictments
ONTOLOGY Sovereign Registry PROTECTION MAPPING GATE OUTPUT Pre-Disbursement

Network VI · Fictitious Guarantees

UAH 3.18B Void 10 Contracts · 100% Void Rate

VELLARIXX identified every instrument as void before disbursement cleared. UAH 3.18 billion across ten contracts. Every instrument legally formatted. Every one void from inception — Class 13 authority required, Class 16 held.

Sovereign registry direct query · Class 13/16 licence verification · guarantee-to-capital ratio analysis · appointment-cycle monitoring · five-domain protection mapping
UAH 3.18B
Void
10
Contracts
100%
Void Rate
Active
Proceedings
The Convergence Finding

The three anchor cases are not three separate detections.
They are three facets of one connected ecosystem — and one actor connects all ten.

A single cross-operation facilitation node has been confirmed across all ten documented operations simultaneously. No single authority has assembled this map. The connecting architecture exists only in the layer where the full ecosystem can be seen simultaneously.

That finding does not exist in any commercial output. It requires presence inside the full ecosystem to produce.

Supporting Cases
LEAD 14mo

Network I · Catalog Distortion

409-item catalog with systematic price distortion at volume-critical line items. 31% extraction rate.

UAH 1.52B+
~31% Extraction Rate
LEAD 14mo

Network II · Substitution Arbitrage

Substandard materials at specification-grade price. 40+ shell entities. 100+ nominee directors.

UAH 1.167B State Damage
Detained
LEAD 14mo

Network III · SOE Commodity Diversion

State property apparatus weaponised as extraction platform. Convergence node confirmed shared across three operations simultaneously.

UAH 10B+ Assessed
LEAD 13mo

Network IV · Offshore Extraction

Six-jurisdiction network. Cyprus/BVI endpoint. FSB exposure confirmed.

$2.1B+ Extracted
FSB Exposure Confirmed
LEAD 14mo

Network V · Advance Diversion

97% of advance payment captured within 72 hours across six jurisdictions before non-delivery registered.

UAH 1.5B+ Assessed
Detained
LEAD 12mo

Network IX · Reconstruction Advance Loop

Scheme accelerated, not contracted, under scrutiny. The live template for reconstruction fund diversion at scale.

UAH 1.9–2.0B Assessed
Proceedings Active
ACTIVE — Live Intelligence

Network X · Infrastructure Procurement Capture

The only documented live reconstruction fund capture. Full documentation available at named analyst briefing stage under NDA.

Active
Assessment Ongoing
The Protection Architecture

The detection failure was not episodic.
It was architectural.

A single apex node provided protection across five institutional domains simultaneously. The channels were not absent. They were structurally unavailable — captured at the point of referral before any outcome could be produced.

The Same Architecture · Stated Differently

The same five-domain capture architecture established on the home page protected every operation in this record. No referral routed through any of the five domains produced an outcome before VELLARIXX-derived intelligence was introduced.

Zero detections from any other source, across all ten operations, is the same fact stated from a different angle. The protection architecture and the detection vacuum are not two findings. They are one architecture viewed from inside it and from outside it.

The cases that can be proven in public. Not the totality of what was seen.

Operational Footprint

Not a database coverage list. An active intelligence map.

Active
Reconstruction Pipeline
$800 Billion
Documented Extraction
>$10B

Ukraine — Active Operational Foundation

Ten documented operations — the confirmed evidentiary layer of the broader operational history in this environment. The operations that extracted in excess of $10 billion are already positioned inside the $800 billion reconstruction pipeline.

The detection framework that produced the ten documented cases does not degrade at the border. The same sovereign registry access, the same archetype library, the same protection mapping architecture — all operational in the same environment where the capital is now being directed. The pipeline is the next deployment. The methodology is already there.

Network X alone spans six oblasts — Khmelnytsky, Rivne, Kherson, Vinnytsia, Zhytomyr, Chernivtsi — creating the jurisdictional fragmentation that standard single-jurisdiction enforcement cannot address. Any road, bridge, or infrastructure reconstruction contract in these oblasts has documented exposure to Labaziuk network entities.

Documented
Active Proceedings
2 Jurisdictions
Confirmed Gaps
4 Jurisdictions

Eastern Europe — Documented and Active

The same capability operating across the broader geographic reality of how the documented networks actually function. Each jurisdiction confirmed through sovereign registry query, not inferred from public record.

A single cross-operation facilitation node confirmed across all ten documented operations simultaneously.

The gap across Eastern Europe is not hypothetical. It is mapped. Each authority sees one fragment. VELLARIXX sees the complete architecture. Allied government channel relationships are established across the region. EU member state FIU relationships are active. This is not the next deployment. It is the current operational reality.

Next
Structural Homology
Confirmed

The Balkans — Next Structured Deployment

Structural homology to Ukraine confirmed. EU accession procurement vulnerabilities. The same Cyprus and BVI offshore architecture. The networks that operated in Ukraine are present in the Balkans.

The Active Window
Comparator Pipeline Rate
Iraq · SIGIR 2013 ~$60B 10–15% documented
Afghanistan · SIGAR 2010–21 ~$145B 15–30% documented
Ukraine — Ten Operations $800B 10–31% extraction rate
Working estimate range $80–248B Scenario range only

The active window is open. The question is whether it closes with or without a gate.

The deployment window is now.

The documented networks are already positioned inside the reconstruction pipeline. The question is whether the institutions disbursing into that pipeline will see them before the transaction clears.

Methodology

The Rosetta Stone did not find new script.
It rendered legible what was already there.

VELLARIXX is that instrument — built for the operational layer every other tool can see but cannot read.

What This Is Not

Not a compliance platform. Not a screening tool. Not a vendor with better database coverage. Not a risk scoring system.

The outputs are not the product. They are the delivery mechanism — the translation layer between intelligence produced at the layer where the threat actually exists and the frameworks every institution must operate inside.

Analytical platforms analyse what exists in commercial databases. VELLARIXX produces what does not — at the operational layer where illicit capital extraction actually functions, before it becomes a record that any database can hold.

The Architecture

Eight Detection Layers

Detection Architecture · Eight Layers
Layer 1 — Multi-script entity resolution
2.3M+ entities · 95%+ accuracy · 47 jurisdictions
Confirms the entity exists and where. Every jurisdiction. Every script.
Layer 2 — Sovereign guarantee validation
Class 13/16 authority · capitalisation · reinsurance class
Confirms the instrument is valid at source — before disbursement, not after failure.
Layer 3 — Beneficial ownership traversal
6th-degree depth · 47 jurisdictions · 96% UBO confidence
⚠  Standard compliance architecture stops here
Layer 4 — Enforcement-confirmed pattern matching
408+ signatures · cross-domain · real-time
Sees coordinated operations that produce no transaction anomaly.
Layer 5 — Cryptocurrency de-mixing
BTC→ETH→Monero→fiat · Tornado Cash IEEPA flag
Traces capital through obfuscation chains. Confirms IEEPA strict liability before it is created.
Layer 6 — Political protection mapping
Five-domain capture · facilitator density · appointment-cycle
Maps which channels are compromised before any referral is made.
Layer 7 — Forward-looking sanctions scoring
87–93% match rate · 90-day horizon · pre-flight detection
Identifies who will be designated before the list is published.
Layer 8 — Sovereign cross-database query
18 database types · 47 jurisdictions · simultaneous
Assembles the complete ownership picture no single registry holds.

The eight layers above describe how the detection architecture operates. The twelve archetypes below describe what it was built to find — derived from the operations that confirmed each detection pattern before it entered the library.

Twelve Detection Archetypes

Twelve Detection Archetypes

The twelve archetypes are not categories. They are the documented mechanics of how capital was extracted across ten confirmed operations — each one encoded into the detection library from the operation that produced it.

Six operate in domains where existing compliance architecture has partial detection pathways. None of the six operations that used these archetypes was detected by any system deployed in the same environment.

Six operate in domains existing compliance architecture cannot reach at all — personnel workflows, institutional appointment cycles, sovereign procurement barriers, infrastructure tender dominance. No detection pathway exists in any commercial tool. The anchor cases on the Record page demonstrate what detection in these domains requires.

Standard Detection Surface
Catalog Distortion
Substitution Arbitrage
Commodity Diversion
Offshore Extraction
Fictitious Guarantees
Advance Diversion
Beyond the Detection Surface
Stolen-Capital Re-Entry
SOE Barrier Extraction
Reconstruction Advance Loop
Appointment-Cycle Capture
Infrastructure Procurement Capture
Legal-Professional Network Capture
Archetype ⑪ — Infrastructure Procurement Capture [New Detail Block]

Multi-oblast tender dominance through political patronage, coordinated bidding, and administrative resource capture. Extraction via substandard materials substitution. Six-oblast geographic spread creates jurisdictional fragmentation that standard single-jurisdiction enforcement cannot address.

Primary Network Labaziuk / VITAGRO (Network X) Documented Scale UAH 10B+ (Big Construction 2020–2021) · UAH 1B (Reconstruction Attempt) Detection Patterns LB-001 Multi-Oblast Dominance · LB-002 Family Proxy Architecture · LB-003 Materials Substitution EPC Exposure Bechtel Tier 1 subcontract pathway · documented across six oblasts
The Structural Moat
01
Ground Truth From the Operational Layer

Four hundred eight signatures. Each one derived from within the networks — not from the records those networks subsequently produced. One pattern: two nominally independent bidders share a nominee director registered within 90 days of contract announcement, with overlapping registered addresses across three jurisdictions. Standard monitoring sees two clean entities. The detection framework sees one coordinated operation.

02
Sovereign Access

Eighteen sovereign database types. Forty-seven jurisdictions. Direct query at sovereign registry level. The Fictitious Guarantee detection — UAH 3.18 billion, ten contracts, 100% void rate — was produced by this access. Not discoverable any other way.

03
Convergence Analysis

The architecture maps operations, not entities. Shared nominees, overlapping appointment histories, coordinated registration timing — assembled across nominally independent networks into a single operational picture. A single facilitation node confirmed simultaneously across all ten documented operations — connecting MoD procurement, energy SOE extraction, fictitious guarantee architecture, offshore layering chains, infrastructure procurement capture, and the institutional capture mechanism that sustained all of them. No single enforcement authority has assembled this map. Each holds jurisdiction over one fragment. The connecting architecture exists only in the layer where all ten can be seen simultaneously — and where this record was produced.

The Five-Domain Protection Architecture

Detecting capital movement is necessary. It is not sufficient.

The same institutional capture architecture that extracts capital also protects the extractors. VELLARIXX maps which channels are clean before any referral is made. Without it, finished intelligence packages route to captured channels and produce no outcome.

I
Legislative
Statutory barriers embedded in regulatory framework
II
Regulatory
Capture of monitoring bodies · suppressed referral
III
Judicial
Weaponised proceedings · coercion architecture
IV
Enforcement
Infiltrated investigation channels · absorbed referrals
V
Intelligence
Counter-intelligence posture · compromised collection
Why No Other Instrument Reaches Here

The leading sovereign analytics platform was deployed in the same environment. It produced zero detections across ten documented operations.

Not because the platform failed. Because the data it needs does not exist in the layer it queries.

No existing compliance architecture queries the layer VELLARIXX operates in. The data required to detect sovereign-grade illicit capital extraction does not exist in any commercial database. It exists only in the layer where the operations actually ran — and where the detection record was produced.

The detection ontology is not a better algorithm. It is the only instrument capable of making legible what every other system can see but cannot read.

Insights

Analytical perspective on the threat environment.
From inside it.

Intelligence Analysis
Why AML Stops at Layer 3 The $800 Billion Problem The Compliance Record Request Briefing
Intelligence Analysis · Financial Crime Architecture

Why AML Stops at Layer 3 — And What Lives in the Gap

Ten confirmed financial crime architectures extracted $10 billion from a national economy. Every standard AML, KYC, and UBO tool in the environment cleared every transaction. This is not a failure story. It is a design story.

Vellarixx Intelligence · March 2026

The question that follows every major financial crime case is always the same: how did existing compliance systems miss it? The systems worked as designed. The schemes were built to operate in the space the design left open.

The Layer 3 Problem

Standard UBO traversal terminates at the offshore reset layer. The compliance system confirms the offshore entity is registered and in good standing, and closes the query. The beneficial owner at Layer 8 is invisible.

In the Allied Power Grid detection, a 47-entity ownership structure across 12 jurisdictions routed stolen capital into control of 14 power grids across four allied nations. The offshore reset terminated every standard UBO query at Layer 3. VELLARIXX continued to Layer 8. The natural person was confirmed at 96% confidence — 11 months before any allied government produced a signal.

What Lives at Layers 4 Through 8

Commercial pattern matching runs against transaction anomalies. It is ineffective against financial crime architectures designed to produce no statistical anomalies at the transaction layer. These patterns could not be derived from open-source data. They were built over twenty years of operational presence inside the cases that produced them.

Every compliance framework assumes that referral channels are operationally clean. This assumption fails when those authorities are participants in the network. Across ten documented operations, a single apex node provided protection simultaneously across five institutional domains. Zero detections from any other source across all ten operations.

The gap is not a malfunction. It is a design. The only question is whether your compliance record was built to close it or to document that it was open.

The Convergence Implication

The Layer 3 problem explains why individual operations went undetected. The convergence finding explains something more significant: why success against individual operations has been systemically ineffective.

When a single facilitation node connects all ten documented operations simultaneously, the ecosystem is not ten independent criminal enterprises. It is one architecture with ten expressions. When one node is disrupted, the others adapt. Standard efforts run against operations. The ecosystem survives by design.

The compliance framework that screens entities in isolation is not inadequate. It is answering a different question from the one the ecosystem is posing.

The convergence finding and full cross-network documentation are available at the named analyst briefing stage under NDA.

Continue the Conversation

These analyses are drawn from the same detection architecture available under NDA. If the problem described here applies to your institution, the briefing goes deeper.

Request Briefing
Engage

The briefing begins with a condition precedent screen.
The same standard applied to every counterparty.

VELLARIXX applies the same verification standard to the institutions it works with that it applies to the counterparties those institutions are screening. The briefing requires fit in both directions.

The Condition Precedent

The screen is not a sales qualification process.

It is the same architecture applied to a different counterparty.

Institutional mandate, operational context, and engagement type are assessed before any classified material is shared. The screen determines whether the scope of a new engagement aligns with the operational framework under which existing mandates are conducted.

VELLARIXX operates under active engagement across development finance, supervisory authority, and allied government mandates. New engagements are assessed for fit within that operational framework before the briefing is scheduled — not after.

The first conversation carries no commitment. The screen begins within 24 hours of the briefing request. The screen either clears or it does not. If it clears, the briefing follows. If it does not, VELLARIXX will say so directly.

Arriving Via Introduction

If this document was delivered to you directly, your response goes back through the same channel. No form required. The condition precedent screen begins within 24 hours.

Arriving Independently

If you reached this page without a prior introduction, the briefing request below begins the engagement screen. The screen determines fit for the engagement type before any classified briefing is scheduled.

Engagement Protocol
24 hours Condition precedent screen initiated · senior analyst contact
5 days Screen complete · briefing scope established · NDA executed
NDA tier Full pattern library · named actors · network ecosystem · case documentation
Engagement Named analyst team assigned · delivery timeline confirmed
Condition precedent screen applied to all engagements · Response within 24 hours
The Operational Team

Six operators across six disciplines.

Firm Provenance · Public-Confirmable
20+
Years operational record
10
Documented operations
$10B+
Extraction documented
47
Sovereign jurisdictions
18
Sovereign DB types
0
Detections from any other source
The Team
M
Mosche
Founder
Chief Intelligence Architect
Verified · Identity under NDA
Forensic intelligence operations background. Founded the firm. Authored the detection ontology.
Tradecraft
408+ enforcement-confirmed signatures · 12 archetype classes
Archetype framework — ①–⑦ standard surface · ⑧–⑫ beyond
Guarantee gate — Class 13/16 licence verification · capital ratio
Sovereign access — 18 DBs · 47 jurisdictions · direct registry
Ground truth — derived inside operations before outcomes recorded
D
David
Chief Technology Officer
Detection Architecture & Predictive Engines
Verified · Identity under NDA
Engineering and forensic-platform background. Architected the platform. Designed the graph-native pipelines. Engineered the predictive sanctions engine.
Tradecraft
UBO traversal — 8-layer ownership · 96% natural-person attribution
Cross-operation knowledge graph & convergence ontology
Five-domain capture assessment · clean-channel routing
Sanctions evasion forecasting · 87–93% match · 90-day horizon
Zero-trust pipeline · 18+ sovereign DBs · 47 jurisdictions
O
Oliver
Head of OSINT Unit
Investigation Architect
Verified · Identity under NDA
Background in financial intelligence and decision sciences. Operates across contested-information environments.
Tradecraft
Investigation scope & calibration against the 11-archetype hierarchy
OSINT collection ontology · source-tier classification · SOPs
Final dossier sign-off · Bayesian confidence scoring
OSINT platform requirements · CTO pipeline integration
HUMINT source relationships · MLAT / Egmont / FATF mapping
T
Tom
OSINT Analyst
Legal Qualification & Evidentiary Logic
Verified · Identity under NDA
Legal background. Translates detection findings into statutory violations.
Tradecraft
Multi-jurisdictional statutory & case-law analysis
Criminal-law qualification of detected conduct
Evidentiary architecture — admissibility, sufficiency, chain-of-custody
Sanctions designation logic · civil & administrative pathways
Enforcement pathways · jurisdictional venue analysis
S
Sarah
OSINT Analyst
Link Analysis & Network Mapping
Verified · Identity under NDA
HUMINT/SIGINT background. Builds entity link graphs. Maps network topology. Reconstructs deleted source material.
Tradecraft
HUMINT-derived OSINT — source-validated open & semi-open environments
Conflict-zone intelligence assessment — actor mapping & situational analysis
Entity link graphs, network topology & affiliation ontologies
Pattern-of-life & behavioural signature extraction
Archive reconstruction — Wayback, regional caches, snapshot diffing, deleted-content recovery
R
Rachel
OSINT Analyst
Deanonymization & Digital Footprint
Verified · Identity under NDA
Economics and cybersecurity background. Recovers digital trace material. Resolves pseudonymous subjects to natural-person identity.
Tradecraft
Non-public source material — restricted, non-indexed, controlled-access
Advanced search-operator & dorking discipline
Selector pivot — handle → email → phone → identity
Cross-platform digital footprint reconstruction
Natural-person attribution at confidence-graded output
Network

Intelligence Network Map

10 Networks · 12 Archetypes · 400+ Patterns · 5 Institutional Domains

Network identities redacted on public surface · full attribution under NDA
0
Clean Channels
$617B
At-Risk Capital
88%
Exposure Rate
10
Networks
12
Archetypes
400+
Patterns
What Is a Network?
Understanding the VELLARIXX detection architecture
1
A network is not a single actor
A network is a coordinated group of individuals — officials, intermediaries, corporate entities, and enablers — operating together to extract state funds through a shared mechanism.
2
Networks require institutional access
Extraction at scale requires institutional capture — placing affiliates within state bodies that control funds, approve contracts, or suppress investigations.
3
Each network uses specific archetypes
An archetype is a repeatable fraud method — a documented pattern of how funds are extracted. VELLARIXX has identified 12 distinct archetypes from confirmed enforcement cases.
4
Detection precedes enforcement
VELLARIXX identifies networks 11–14 months before official enforcement action by recognizing pattern signatures across transaction data and relationship mapping.
Network Index
X
The Protection Layer
One network to shield them all

Networks I–IX extract funds. Each operates within one or two institutional domains, using specific fraud archetypes to divert capital from state coffers.

Network X extracts nothing. Instead, it provides the institutional protection that allows all nine extraction networks to operate without consequence.

The architecture is hierarchical. Remove any single extraction network and eight others continue. Remove Network X and the protection collapses.

5/5Domain coverage
$0Direct extraction
9Networks protected
$10B+Extraction enabled
Five Institutional Domains
Protection architecture operates across five distinct institutional verticals
Judiciary
Courts and judicial bodies that adjudicate cases, issue rulings, and can transfer or dismiss proceedings. Capture enables favorable rulings and procedural delays.
Prosecution
State prosecution offices responsible for bringing criminal charges and managing case files. Capture enables case suppression and selective prosecution.
Enforcement
Police and law enforcement agencies that execute arrests and conduct raids. Capture enables selective enforcement and tip-offs before operations.
Security
Intelligence and security services responsible for national security. Capture enables surveillance of investigators and classification of evidence.
Investigation
Specialized investigative bureaus that conduct financial crime investigations. Capture enables case steering and evidence suppression.
Domains
Judiciary
Prosecution
Enforcement
Security
Investigation
Priority
Critical
High
Moderate
Detection Timeline
VELLARIXX detection vs enforcement action — 11–14 month lead time
Networks I–III
Q1 2024
Networks IV–VI
Q2 2024
Networks VII–IX
Q3 2024
Enforcement begins
Q1 2025
Network X
Q1 2026
VELLARIXX detection Enforcement action Protection layer identified
Live Demo

Live Demo

Eight detection layers. Two counterparties. The architecture is calibrated — not tuned to fire.

SCENARIO A · ADVERSE PROFILE
RCN-7X-4429
Reconstruction contractor · high-risk profile
SCENARIO B · CLEAN ENTITY
ENT-4B-2281
Infrastructure fund · institutional counterparty
Entity
RCN-7X-4429
Jurisdiction Path
UA · CY · BVI · LU
Counterparty
Allied Reconstruction Facility
Contract Value
€47.2M
vellarixx_gate.sh
ENTITY: RCN-7X-4429 · LAYERS: 8
Synthetic case · representative of documented Archetype ⑦ — Stolen-Capital Re-Entry
$ vellarixx --screen [ENTITY_ID: RCN-7X-4429] --layers=8
Ready. Press Run to begin.
12 archetypes · 408+ signatures · 18 sovereign DBs
Ready

THE PRE-DISBURSEMENT WINDOW IS THE ONLY WINDOW. THE DOCUMENTED NETWORKS ALREADY KNOW THAT.

Closed-Loop Visualization · Tier-1 Prototype

Stolen capital, returned home as foreign investment.

A documented closed-loop architecture: domestic budget extracted → 8-tier offshore layered → re-emerges as apparent FDI → acquires the very infrastructure those funds were drawn from. The loop closes invisibly to systems that stop at the offshore reset wall.

10documented networks· 12archetype framework· 408+detection patterns· 47-entity case inventory· $10B+documented extraction· Attribution available under NDA
Reference Case
MR-7X-9981
Archetype
⑦ · Re-Entry
Volume / 90 days
$847M
Acquisition Target
$2.4B
UBO Confidence
96%
Closed-Loop Trace
MODE · STANDARD COMPLIANCE
Closed-loop capital re-entry visualization A circular trace showing stolen Ukrainian budget capital layered through eight offshore tiers and re-entering as apparent foreign direct investment, eventually acquiring the infrastructure those funds were extracted from. Two modes compare standard compliance against VELLARIXX 8-tier intercept.
Mode
Phase Narrative
PHASE 0 · IDLE
System ready
Press Run to trace the architecture. Toggle modes to compare standard compliance traversal against VELLARIXX 8-tier intercept.
Live Counters
Extracted
$0
Layered
0 / 8 tiers
Re-entered
$0
Acquired
$0
Loop Status
Open
Controls
0.6×
1.6×
2.4×
VERDICT · PENDING
Run the trace to see the closed loop complete — or be intercepted.
awaiting trace
Method note
The reset wall sits at Tier 3 because that is where conventional KYC, EDD, and most sanctions-screening stacks terminate beneficial-ownership traversal. Cyprus, BVI, and Delaware structures are engineered specifically to be terminal under those constraints. VELLARIXX's claim is not that it sees more in the open — it is that it continues past the wall to natural-person attribution at Tier 8, where the loop can still be closed by the architecture but no longer hidden from the gate.
The same loop · three lenses · same evidence
Reconstruction
Fund stewardship · audit-ready
"Stolen capital takes legal title to the asset it financed."
Switch to this view →
Ontology
Entity resolution · graph traversal
"Attribution terminated at Tier 3."
Switch to this view →
G-SIB
Correspondent exposure · BSA §5324
"Correspondent exposure spans the chain. Screening terminates at Tier 3."
Switch to this view →
Archetype ⑦ of 12 · Network VII of 10
You've read one archetype. The other eleven are documented. Nine more networks. Four hundred more pattern signatures. Attribution routes through an NDA.
Request a Briefing →
VELLARIXX does not publish fee schedules.
Viewing as →
Detection Clock · Archetype ⑦ Time Axis

By the time the enforcement record is public, the capital isn't.

Same stolen capital, same eight-tier offshore chain, same 47-entity case. The axis that changes here is time: when evidence becomes available, and whether the window is open before disbursement or closed after the loss.

10 documented networks· 12 archetype framework· 408+ detection patterns· 13-month detection lead· 96% UBO confidence· Attribution available under NDA
Reference Case
MR-7X-9981
Archetype
⑦ · Re-Entry
Disbursement
M6
Public Flag (standard)
M14
VELLARIXX Lead
13 months
Detection Timeline
MODE · STANDARD COMPLIANCE
Detection clock timeline Horizontal time axis showing VELLARIXX detection events in the first 5 months versus standard compliance events at month 14 onward.
Mode
Phase Narrative
PHASE 0 · IDLE
System ready
Press Run. Time sweeps 0 → 24 months. Toggle modes to compare when detection actually fires.
Live Counters
Time elapsed
M0
Detection status
Idle
Interdiction window
OPEN
Recovery probability
100%
Controls
VERDICT · PENDING
Run the clock to see when detection actually fires.
awaiting clock
Method note
The detection lead is the temporal face of attribution depth. Resolution to Tier 8 requires behavioural, registry, and kinship signals that are available pre-disbursement and decay rapidly once funds traverse. Post-wire enforcement preserves the regulatory record but not the capital — the pre-wire window is the only interval in which the control is architecturally distinguishable from the violation.
The same clock · three lenses · same 13-month lead
Detection Lead · 13 months · documented
You've read the clock for one archetype. Eleven more archetypes. Nine more networks. Lead times, case IDs, and pattern signatures route through an NDA.
Request a Briefing →
VELLARIXX does not publish fee schedules.
Engagement Protocol

Five phases. One condition precedent. The shape of every engagement, rendered to scale.

Condition Precedent Phase 0 Five-Domain Assessment T+0 T+24h T+5d T+10d T+14d No Phase 0 · Counterparty Mode FLAG → REMEDIATION BLOCK · ENGAGEMENT ENDS PASS · PROCEEDS Request Received Verification Screen Initiated Scope & Documents NDA Executed Principal Clearance Five-Domain Gate Intelligence Package Delivered Ack NDA Draft Scope Stmt Phase 0 Report Intel Pkg
Phase 0 Five-Domain Assessment · Engaging Party 10 BD from documentary receipt
ILegislative · regulatory frameworkclear
IIRegulatory · supervisory functionclear
IIIJudicial · referral channelclear
IVEnforcement · investigative apparatusclear
VIntelligence · collection layerclear
Transcript Engagement Event Log Ready
Press Run Protocol — events will accumulate here as the engagement executes.
Gate Outcome:
PASS · proceeds to Phase 1
FLAG · remediation per domain
BLOCK · engagement closes

THE PRE-DISBURSEMENT WINDOW IS THE ONLY WINDOW. THE DOCUMENTED NETWORKS ALREADY KNOW THAT.

Two Pathways Into Engagement
If you arrived via introduction
Respond through the same channel.
If a VELLARIXX intelligence package, briefing document, or capability assessment was delivered to you directly, your response goes back through whoever sent it. The first conversation carries no commitment.
Protocol
The verification screen begins within 24 hours of acknowledgement. Named analyst contact opens in parallel. No briefing-request form is required for warm-handoff engagements.
If you arrived independently
The briefing request begins the screen.
If you arrived at this page without a prior introduction, the form below initiates the verification screen. The screen determines fit for the engagement type before any classified briefing is scheduled.

Verification screen applied to all engagements · Response within 24 hours · VELLARIXX does not publish fee schedules

UNCLASSIFIED // FOR OFFICIAL USE ONLY VLX-XXX-XXXX
Engagement Artifact

Artifact Title

VELLARIXX Admin Panel
Hero Section
Stats Bar
Navigation
CTA Section (updates all pages)
Footer
⚙ ADMIN
VELLARIXX — Pre-Disbursement Intelligence
Forensic Intelligence

We are a forensic intelligence service.

We map illicit financial networks, confirm beneficial ownership across eight detection layers, and deliver intelligence packages that hold at evidentiary standard — before the transaction clears.

The Argument

Every agency with capability lacks jurisdiction.
Every agency with jurisdiction lacks capability.

VELLARIXX was built to operate in the gap between them.

The financial networks that extracted $10 billion from the Ukrainian economy were engineered to be unreachable by the agencies most capable of acting on them. Jurisdictional boundaries are not an obstacle they encountered. They are an architecture they exploited — offshore ownership resets, nominee layering, captured regulatory channels, and guarantee instruments void at source — each component calibrated to terminate every detection query at the layer where it stops.

That operational knowledge cannot be assembled commercially. It was built over two decades of work conducted from within the financial networks and institutional architectures it now documents. Not from what those environments produced in public record.

What that presence produced follows.

The Structural Failure

The detection infrastructure was not the problem. The question of whether it would ever be pointed at the right place was.

The architecture was not designed to defeat detection. It was designed to ensure detection was never initiated. Five institutional domains. Each one a pathway through which scrutiny enters.

Legislative — the regulatory framework that defines what requires disclosure.
Regulatory — the supervisory function that monitors and refers.
Judicial — the channel through which evidence becomes action.
Enforcement — the apparatus that investigates and prosecutes.
Intelligence — the collection layer that surfaces what the others cannot see.

Every pathway was controlled. Parliamentary positions shaped what the regulatory environment required to be disclosed. Central bank appointments maintained the architecture that needed no scrutiny. The apex judicial channel absorbed referrals before they produced outcomes. The investigation bureau operated under influence that ensured cases did not open. The security apparatus provided the insulation that kept the collection layer blind.

10
Operations
Documented
$10B+
Extracted
Ukrainian Economy
11–14mo
Detection Lead
Before Outcomes

Every institution that would have initiated scrutiny was part of the architecture that made scrutiny unnecessary.

Institutions Operating in This Environment

The same architecture is already positioned inside the $800 billion reconstruction pipeline.

The exposure varies by institution. The failure mode does not.

The documented networks were not designed around a single institutional target. They were designed around the gap between what any single institution can see and what the full structure requires to be visible. That gap is architectural. It applies equally across development finance, supervisory authorities, global financial institutions, and sovereign defense partners — the surface exposure differs, the underlying failure mode does not.

Development Finance
EBRD · EIB · World Bank disbursement teams
The documented networks are already positioned inside the $800B reconstruction pipeline. The pre-disbursement window is the only window — after capital clears, recovery exceeds the dispersal window by design.
Supervisory Authorities
ECB · EBA · EPPO
The cross-operation facilitation architecture VELLARIXX has mapped is the precise cross-border structure the EPPO was created to address — and currently cannot see in full.
Global Financial Institutions
G-SIBs with Eastern European sovereign exposure
Compliance teams see Layer 3. Institutions are exposed at Layer 8. Institutions in the documented correspondent path face mandatory SAR obligations and OFAC IEEPA strict liability regardless of knowledge or intent.
Sovereign & Defense Partners
Allied government agencies · Defense contractors · EPC primes
Illicit-origin ownership confirmed across 14 power grids, 4 allied nations — 43 defence engineers under compromised ownership structures, 11 months before any allied government produced a signal.
EPC Contractors
Supply chain subcontractors
Network X entities represent exactly the established regional contractor presence that competes for EPC supply chain subcontracts. Documented exposure across six oblasts where major infrastructure reconstruction is already underway. UAH 10B+ extracted from Big Construction program.
Mission

Every financial intelligence platform was built to read what illicit financial networks produce.

VELLARIXX was built to produce what those platforms can only read about.
Undetected by every compliance system in the environment.  ·  Ten operations.
Extracted in excess of $10 billion.  ·  11–14 month leads before the outcomes were confirmed.

The Provenance

The ten documented operations were not detected by deploying a platform from the outside.

They were built from inside.

From two decades of direct access to the operational layer where these networks function. The platform is the codification of what that presence found.

In the environments where illicit capital extraction operates at institutional scale, the data required to detect the threat does not exist in any commercial database. It exists in the operational layer — in the financial architectures that exist only inside the networks, in the appointment histories that reveal which referrals will produce outcomes and which will be absorbed, in the institutional capture architecture that no external platform can reach from outside.

Ten illicit financial operations. Not ten independent schemes — one connected ecosystem, eleven documented fraud mechanisms, a shared architecture of extraction and protection. The ten documented here are the cases that can be proven in public — the verifiable fraction of a twenty-year operational record, not its ceiling.

The ten are the proof. The twenty years are the methodology.

The Operational Basis

The provenance claim is not asserted. It is documented against confirmed outcomes.

The twenty-year operational record produced four anchor cases before the outcomes that confirmed them. These are not projections or scenario assessments. They are documented detections — in every case, the intelligence preceded the outcome by months, not days.

Detection Record — Confirmed Against Outcomes
Operation
Detection Lead
Scale
Allied Power Grid
11 months before allied government
47 entities · 12 jurisdictions · 14 power grids
Nuclear Enterprise
13 months before outcome
$4M cash seized · 3yr ledger · 8 indictments
Fictitious Guarantees
Pre-disbursement
UAH 3.18B · 10 contracts · 100% void rate
Defense Procurement
14 months before outcome
40+ shell LLCs · 100+ nominees · UAH 5B+

The detection methodology is not derived from what those operations produced in public record. It is derived from inside the operations — before they became a record.

The detection record exists because the operational presence preceded it. Why the architecture cannot be replicated — the ground truth provenance, the sovereign access, the convergence analysis — is examined in full on the Methodology page.

The Detection Record

The architecture is how the detection framework is built. What follows is what it found.

Ten operations. The cases that can be proven in public — the verifiable fraction of a twenty-year operational record, not its ceiling.

0 Detections from any other source across all ten documented operations
Anchor Cases
ONTOLOGY Layer 8 UBO LEAD 11mo

Network VII · Stolen-Capital Re-Entry

$2.4B+ Active 14 Power Grids · 4 Allied Nations 96% UBO Confidence

Every institution in the environment stopped at Layer 3 — the Cyprus reset. VELLARIXX mapped to Layer 8. Natural person confirmed at 96% confidence across 12 jurisdictions. Eleven months before any allied government produced a signal.

8-layer beneficial ownership traversal · 6th-degree depth · 47 jurisdictions · 96% UBO confidence · round-trip pattern matching · multi-chain de-mixing
$2.4B+
Active
14
Power Grids
96%
UBO Confidence
ONTOLOGY Personnel Pathway PROTECTION MAPPING LEAD 13mo

Network VIII · SOE Barrier Extraction

$100M+ USD $4M Cash Seized 8 Indictments

VELLARIXX mapped the extraction mechanism and the protection architecture that sustained it — thirteen months before either was confirmed. The five-domain assessment identified which channels were clean before the referral was made. The referral produced eight indictments.

SOE barrier extraction mapping · personnel pathway temporal graph · appointment-cycle monitoring · five-domain protection mapping · facilitator density scoring
$100M+
USD
$4M
Cash Seized
8
Indictments
ONTOLOGY Sovereign Registry PROTECTION MAPPING GATE OUTPUT Pre-Disbursement

Network VI · Fictitious Guarantees

UAH 3.18B Void 10 Contracts · 100% Void Rate

VELLARIXX identified every instrument as void before disbursement cleared. UAH 3.18 billion across ten contracts. Every instrument legally formatted. Every one void from inception — Class 13 authority required, Class 16 held.

Sovereign registry direct query · Class 13/16 licence verification · guarantee-to-capital ratio analysis · appointment-cycle monitoring · five-domain protection mapping
UAH 3.18B
Void
10
Contracts
100%
Void Rate
Active
Proceedings
The Convergence Finding

The three anchor cases are not three separate detections.
They are three facets of one connected ecosystem — and one actor connects all ten.

A single cross-operation facilitation node has been confirmed across all ten documented operations simultaneously. No single authority has assembled this map. The connecting architecture exists only in the layer where the full ecosystem can be seen simultaneously.

That finding does not exist in any commercial output. It requires presence inside the full ecosystem to produce.

Supporting Cases
LEAD 14mo

Network I · Catalog Distortion

409-item catalog with systematic price distortion at volume-critical line items. 31% extraction rate.

UAH 1.52B+
~31% Extraction Rate
LEAD 14mo

Network II · Substitution Arbitrage

Substandard materials at specification-grade price. 40+ shell entities. 100+ nominee directors.

UAH 1.167B State Damage
Detained
LEAD 14mo

Network III · SOE Commodity Diversion

State property apparatus weaponised as extraction platform. Convergence node confirmed shared across three operations simultaneously.

UAH 10B+ Assessed
LEAD 13mo

Network IV · Offshore Extraction

Six-jurisdiction network. Cyprus/BVI endpoint. FSB exposure confirmed.

$2.1B+ Extracted
FSB Exposure Confirmed
LEAD 14mo

Network V · Advance Diversion

97% of advance payment captured within 72 hours across six jurisdictions before non-delivery registered.

UAH 1.5B+ Assessed
Detained
LEAD 12mo

Network IX · Reconstruction Advance Loop

Scheme accelerated, not contracted, under scrutiny. The live template for reconstruction fund diversion at scale.

UAH 1.9–2.0B Assessed
Proceedings Active
ACTIVE — Live Intelligence

Network X · Infrastructure Procurement Capture

The only documented live reconstruction fund capture. Full documentation available at named analyst briefing stage under NDA.

Active
Assessment Ongoing

Full Case Documentation Available Under NDA.

Complete network architecture, detection methodology, enforcement outcomes. Condition precedent screen applied to all engagements · Response within 24 hours.

Operational Footprint

Not a database coverage list. An active intelligence map.

Active
Reconstruction Pipeline
$800 Billion
Documented Extraction
>$10B

Ukraine — Active Operational Foundation

Ten documented operations — the confirmed evidentiary layer of the broader operational history in this environment. The operations that extracted in excess of $10 billion are already positioned inside the $800 billion reconstruction pipeline.

The detection framework that produced the ten documented cases does not degrade at the border. The same sovereign registry access, the same archetype library, the same protection mapping architecture — all operational in the same environment where the capital is now being directed. The pipeline is the next deployment. The methodology is already there.

Network X alone spans six oblasts — Khmelnytsky, Rivne, Kherson, Vinnytsia, Zhytomyr, Chernivtsi — creating the jurisdictional fragmentation that standard single-jurisdiction enforcement cannot address. Any road, bridge, or infrastructure reconstruction contract in these oblasts has documented exposure to Labaziuk network entities.

Documented
Active Proceedings
2 Jurisdictions
Confirmed Gaps
4 Jurisdictions

Eastern Europe — Documented and Active

The same capability operating across the broader geographic reality of how the documented networks actually function. Each jurisdiction confirmed through sovereign registry query, not inferred from public record.

A single cross-operation facilitation node confirmed across all ten documented operations simultaneously.

The gap across Eastern Europe is not hypothetical. It is mapped. Each authority sees one fragment. VELLARIXX sees the complete architecture. Allied government channel relationships are established across the region. EU member state FIU relationships are active. This is not the next deployment. It is the current operational reality.

Next
Structural Homology
Confirmed

The Balkans — Next Structured Deployment

Structural homology to Ukraine confirmed. EU accession procurement vulnerabilities. The same Cyprus and BVI offshore architecture. The networks that operated in Ukraine are present in the Balkans.

The Active Window
Comparator Pipeline Rate
Iraq · SIGIR 2013 ~$60B 10–15% documented
Afghanistan · SIGAR 2010–21 ~$145B 15–30% documented
Ukraine — Ten Operations $800B 10–31% extraction rate
Working estimate range $80–248B Scenario range only

The active window is open. The question is whether it closes with or without a gate.

The deployment window is now.

The documented networks are already positioned inside the reconstruction pipeline. The question is whether the institutions disbursing into that pipeline will see them before the transaction clears.

Methodology

The Rosetta Stone did not find new script.
It rendered legible what was already there.

VELLARIXX is that instrument — built for the operational layer every other tool can see but cannot read.

What This Is Not

Not a compliance platform. Not a screening tool. Not a vendor with better database coverage. Not a risk scoring system.

The outputs are not the product. They are the delivery mechanism — the translation layer between intelligence produced at the layer where the threat actually exists and the frameworks every institution must operate inside.

Analytical platforms analyse what exists in commercial databases. VELLARIXX produces what does not — at the operational layer where illicit capital extraction actually functions, before it becomes a record that any database can hold.

The Architecture

Eight Detection Layers

Detection Architecture · Eight Layers
Layer 1 — Multi-script entity resolution
2.3M+ entities · 95%+ accuracy · 47 jurisdictions
Confirms the entity exists and where. Every jurisdiction. Every script.
Layer 2 — Sovereign guarantee validation
Class 13/16 authority · capitalisation · reinsurance class
Confirms the instrument is valid at source — before disbursement, not after failure.
Layer 3 — Beneficial ownership traversal
6th-degree depth · 47 jurisdictions · 96% UBO confidence
⚠  Standard compliance architecture stops here
Layer 4 — Enforcement-confirmed pattern matching
408+ signatures · cross-domain · real-time
Sees coordinated operations that produce no transaction anomaly.
Layer 5 — Cryptocurrency de-mixing
BTC→ETH→Monero→fiat · Tornado Cash IEEPA flag
Traces capital through obfuscation chains. Confirms IEEPA strict liability before it is created.
Layer 6 — Political protection mapping
Five-domain capture · facilitator density · appointment-cycle
Maps which channels are compromised before any referral is made.
Layer 7 — Forward-looking sanctions scoring
87–93% match rate · 90-day horizon · pre-flight detection
Identifies who will be designated before the list is published.
Layer 8 — Sovereign cross-database query
18 database types · 47 jurisdictions · simultaneous
Assembles the complete ownership picture no single registry holds.

The eight layers above describe how the detection architecture operates. The twelve archetypes below describe what it was built to find — derived from the operations that confirmed each detection pattern before it entered the library.

Twelve Detection Archetypes

Twelve Detection Archetypes

The twelve archetypes are not categories. They are the documented mechanics of how capital was extracted across ten confirmed operations — each one encoded into the detection library from the operation that produced it.

Six operate in domains where existing compliance architecture has partial detection pathways. None of the six operations that used these archetypes was detected by any system deployed in the same environment.

Six operate in domains existing compliance architecture cannot reach at all — personnel workflows, institutional appointment cycles, sovereign procurement barriers, infrastructure tender dominance. No detection pathway exists in any commercial tool. The anchor cases on the Record page demonstrate what detection in these domains requires.

Standard Detection Surface
Catalog Distortion
Substitution Arbitrage
Commodity Diversion
Offshore Extraction
Fictitious Guarantees
Advance Diversion
Beyond the Detection Surface
Stolen-Capital Re-Entry
SOE Barrier Extraction
Reconstruction Advance Loop
Appointment-Cycle Capture
Infrastructure Procurement Capture
Legal-Professional Network Capture
Archetype ⑪ — Infrastructure Procurement Capture [New Detail Block]

Multi-oblast tender dominance through political patronage, coordinated bidding, and administrative resource capture. Extraction via substandard materials substitution. Six-oblast geographic spread creates jurisdictional fragmentation that standard single-jurisdiction enforcement cannot address.

Primary Network Labaziuk / VITAGRO (Network X) Documented Scale UAH 10B+ (Big Construction 2020–2021) · UAH 1B (Reconstruction Attempt) Detection Patterns LB-001 Multi-Oblast Dominance · LB-002 Family Proxy Architecture · LB-003 Materials Substitution EPC Exposure Bechtel Tier 1 subcontract pathway · documented across six oblasts
The Structural Moat
01
Ground Truth From the Operational Layer

Four hundred eight signatures. Each one derived from within the networks — not from the records those networks subsequently produced. One pattern: two nominally independent bidders share a nominee director registered within 90 days of contract announcement, with overlapping registered addresses across three jurisdictions. Standard monitoring sees two clean entities. The detection framework sees one coordinated operation.

02
Sovereign Access

Eighteen sovereign database types. Forty-seven jurisdictions. Direct query at sovereign registry level. The Fictitious Guarantee detection — UAH 3.18 billion, ten contracts, 100% void rate — was produced by this access. Not discoverable any other way.

03
Convergence Analysis

The architecture maps operations, not entities. Shared nominees, overlapping appointment histories, coordinated registration timing — assembled across nominally independent networks into a single operational picture. A single facilitation node confirmed simultaneously across all ten documented operations — connecting MoD procurement, energy SOE extraction, fictitious guarantee architecture, offshore layering chains, infrastructure procurement capture, and the institutional capture mechanism that sustained all of them. No single enforcement authority has assembled this map. Each holds jurisdiction over one fragment. The connecting architecture exists only in the layer where all ten can be seen simultaneously — and where this record was produced.

The Five-Domain Protection Architecture

Detecting capital movement is necessary. It is not sufficient.

The same institutional capture architecture that extracts capital also protects the extractors. VELLARIXX maps which channels are clean before any referral is made. Without it, finished intelligence packages route to captured channels and produce no outcome.

I
Legislative
Statutory barriers embedded in regulatory framework
II
Regulatory
Capture of monitoring bodies · suppressed referral
III
Judicial
Weaponised proceedings · coercion architecture
IV
Enforcement
Infiltrated investigation channels · absorbed referrals
V
Intelligence
Counter-intelligence posture · compromised collection
Why No Other Instrument Reaches Here

The leading sovereign analytics platform was deployed in the same environment. It produced zero detections across ten documented operations.

Not because the platform failed. Because the data it needs does not exist in the layer it queries.

No existing compliance architecture queries the layer VELLARIXX operates in. The data required to detect sovereign-grade illicit capital extraction does not exist in any commercial database. It exists only in the layer where the operations actually ran — and where the detection record was produced.

The detection ontology is not a better algorithm. It is the only instrument capable of making legible what every other system can see but cannot read.

Insights

Analytical perspective on the threat environment.
From inside it.

Intelligence Analysis
Why AML Stops at Layer 3 The $800 Billion Problem The Compliance Record Request Briefing
Intelligence Analysis · Financial Crime Architecture

Why AML Stops at Layer 3 — And What Lives in the Gap

Ten confirmed financial crime architectures extracted $10 billion from a national economy. Every standard AML, KYC, and UBO tool in the environment cleared every transaction. This is not a failure story. It is a design story.

Vellarixx Intelligence · March 2026

The question that follows every major financial crime case is always the same: how did existing compliance systems miss it? The systems worked as designed. The schemes were built to operate in the space the design left open.

The Layer 3 Problem

Standard UBO traversal terminates at the offshore reset layer. The compliance system confirms the offshore entity is registered and in good standing, and closes the query. The beneficial owner at Layer 8 is invisible.

In the Allied Power Grid detection, a 47-entity ownership structure across 12 jurisdictions routed stolen capital into control of 14 power grids across four allied nations. The offshore reset terminated every standard UBO query at Layer 3. VELLARIXX continued to Layer 8. The natural person was confirmed at 96% confidence — 11 months before any allied government produced a signal.

What Lives at Layers 4 Through 8

Commercial pattern matching runs against transaction anomalies. It is ineffective against financial crime architectures designed to produce no statistical anomalies at the transaction layer. These patterns could not be derived from open-source data. They were built over twenty years of operational presence inside the cases that produced them.

Every compliance framework assumes that referral channels are operationally clean. This assumption fails when those authorities are participants in the network. Across ten documented operations, a single apex node provided protection simultaneously across five institutional domains. Zero detections from any other source across all ten operations.

The gap is not a malfunction. It is a design. The only question is whether your compliance record was built to close it or to document that it was open.

The Convergence Implication

The Layer 3 problem explains why individual operations went undetected. The convergence finding explains something more significant: why success against individual operations has been systemically ineffective.

When a single facilitation node connects all ten documented operations simultaneously, the ecosystem is not ten independent criminal enterprises. It is one architecture with ten expressions. When one node is disrupted, the others adapt. Standard efforts run against operations. The ecosystem survives by design.

The compliance framework that screens entities in isolation is not inadequate. It is answering a different question from the one the ecosystem is posing.

The convergence finding and full cross-network documentation are available at the named analyst briefing stage under NDA.

Continue the Conversation

These analyses are drawn from the same detection architecture available under NDA. If the problem described here applies to your institution, the briefing goes deeper.

Request Briefing
Engage

The briefing begins with a condition precedent screen.
The same standard applied to every counterparty.

VELLARIXX applies the same verification standard to the institutions it works with that it applies to the counterparties those institutions are screening. The briefing requires fit in both directions.

The Condition Precedent

The screen is not a sales qualification process.

It is the same architecture applied to a different counterparty.

Institutional mandate, operational context, and engagement type are assessed before any classified material is shared. The screen determines whether the scope of a new engagement aligns with the operational framework under which existing mandates are conducted.

VELLARIXX operates under active engagement across development finance, supervisory authority, and allied government mandates. New engagements are assessed for fit within that operational framework before the briefing is scheduled — not after.

The first conversation carries no commitment. The screen begins within 24 hours of the briefing request. The screen either clears or it does not. If it clears, the briefing follows. If it does not, VELLARIXX will say so directly.

Arriving Via Introduction

If this document was delivered to you directly, your response goes back through the same channel. No form required. The condition precedent screen begins within 24 hours.

Arriving Independently

If you reached this page without a prior introduction, the briefing request below begins the engagement screen. The screen determines fit for the engagement type before any classified briefing is scheduled.

Engagement Protocol
24 hours Condition precedent screen initiated · senior analyst contact
5 days Screen complete · briefing scope established · NDA executed
NDA tier Full pattern library · named actors · network ecosystem · case documentation
Engagement Named analyst team assigned · delivery timeline confirmed
Condition precedent screen applied to all engagements · Response within 24 hours
The Analysts

The ten documented operations carry named analyst authorship. These are the analysts.

The Operational Record

Detection Record — Confirmed Against Outcomes

Operation
Detection Lead
Outcome
Allied Power Grid
11 months before allied government
47 entities · 12 jurisdictions · 14 power grids
Nuclear Enterprise
13 months before outcome
$4M cash seized · 3yr ledger · 8 indictments
Fictitious Guarantees
Pre-disbursement
UAH 3.18B · 10 contracts · 100% void rate
Defense Procurement
14 months before outcome
40+ shell LLCs · 100+ nominees · UAH 5B+
Infrastructure Capture
Active prosecution
UAH 10B+ · 6 oblasts · NABU/SAP active
The Operational Team
M
MOSCHE
Founder · Chief Intelligence Architect
Detection Ontology
Pattern library
408+ enforcement-confirmed signatures · 11 archetype classes
Archetype framework
①–⑦ standard detection surface · ⑧–⑪ beyond it
Guarantee gate
Class 13/16 licence verification · capital ratio analysis
Sovereign access
18 sovereign database types · 47 jurisdictions · direct registry query
Ground truth basis
Derived inside the operations · before outcomes were recorded
D
DAVID
Chief Technology Officer
Network & Pipeline Architecture
UBO traversal
8-layer ownership chain · 6th-degree depth · 96% natural person attribution
Network ontology
Cross-operation convergence mapping · single facilitation node confirmed
Protection mapping
Five-domain institutional capture assessment · clean channel routing
Sanctions engine
Forward-looking indicator set · 87–93% match rate · 90-day horizon
Pipeline
Zero-trust multi-source fusion · enforcement-submission standard output

Every intelligence package carries named analyst authorship with source citations on every finding. Full credentials shared under NDA.

Live Demo

Live Demo

Eight detection layers. Two counterparties. The architecture is calibrated — not tuned to fire.

SCENARIO A · ADVERSE PROFILE
RCN-7X-4429
Reconstruction contractor · high-risk profile
SCENARIO B · CLEAN ENTITY
ENT-4B-2281
Infrastructure fund · institutional counterparty
Entity
RCN-7X-4429
Jurisdiction Path
UA · CY · BVI · LU
Counterparty
Allied Reconstruction Facility
Contract Value
€47.2M
vellarixx_gate.sh
ENTITY: RCN-7X-4429 · LAYERS: 8
Synthetic case · representative of documented Archetype ⑦ — Stolen-Capital Re-Entry
$ vellarixx --screen [ENTITY_ID: RCN-7X-4429] --layers=8
Ready. Press Run to begin.
12 archetypes · 408+ signatures · 18 sovereign DBs
Ready

THE PRE-DISBURSEMENT WINDOW IS THE ONLY WINDOW. THE DOCUMENTED NETWORKS ALREADY KNOW THAT.

VELLARIXX Admin Panel
Hero Section
Stats Bar
Navigation
CTA Section (updates all pages)
Footer
⚙ ADMIN