Case 01 February 2021 OSINT Investigation

Revealing the Founder of
Culper Research

An anonymous financial research firm had been publishing short-selling reports under a protected identity. A professional investigation firm spent two weeks trying to unmask the founder. The task came to us. It was solved in under 24 hours.

OSINT Metadata Forensics Digital Investigation ExifTool Open Source Intelligence
24h
Time to solve
2wk
Prior firm failed
100%
Finding confirmed
1
Key OSINT technique

The problem: an anonymous identity hiding in plain sight

Culper Research was a financial short-selling firm publishing research reports under a fully anonymous identity. The site, culperresearch.com, offered no identifying information about its operators — no names, no company registration, no contact details beyond a generic email.

A client engaged a professional corporate investigation firm to unmask the person behind it. After two weeks of trying, they came back empty-handed. The task was then passed to our team at ISECOM through a trusted intermediary.

The brief

"See if we can learn anything about Culper Research — technical analysis and research regarding their website, email address, and any other known virtual footprint."

The site was operating under deliberate anonymity. Standard lookup methods — WHOIS, domain registration, corporate registries — had already been exhausted by the prior investigators. A different approach was needed.

The approach: follow the documents, not the domain

Rather than focusing on the website's infrastructure — which had been deliberately obscured — the investigation turned to the site's published content. Culper Research had published multiple PDF research reports, freely available for download.

PDFs created with standard office software embed metadata invisibly inside the file: author name, creation tool, creation date, modification date, and unique document identifiers. This metadata is often forgotten — or never considered — by people who believe their identity is protected.

Key insight

The domain was anonymous. But the documents published on that domain were not. Every PDF told a story its author didn't intend to share.

A script was written to automate the process: download all available PDF files from the site, then run ExifTool across each one to extract every available metadata field.

ExifTool metadata extraction — selected output
File Name        : Culper_PUMP_11-14-2019.pdf
File Size        : 940 kB
PDF Version      : 1.7
Producer         : Microsoft® Word for Office 365
Creator          : Christian Lamarco
Author           : Christian Lamarco
Creator Tool     : Microsoft® Word for Office 365
Create Date      : 2019:10:30 22:22:57-04:00
Document ID      : uuid:644B0DDD-82BD-4926-A023-EBF83F5780DF
# Creator and Author fields present in two separate documents
# Eastern timezone offset confirms US-based authorship

The name Christian Lamarco appeared as both Creator and Author in the metadata of two separate documents. This was the first concrete lead — a real name attached to the anonymous operation.

From a name to a confirmed identity

A name alone isn't confirmation. The next phase involved building a chain of corroborating evidence to validate that the Christian Lamarco found in the metadata was the same person operating Culper Research.

Step 01

PDF metadata extraction

ExifTool script run across all PDFs downloaded from culperresearch.com. Two documents returned "Christian Lamarco" as Creator and Author. Eastern US timezone confirmed in the creation timestamp.

Step 02

Public records cross-reference

A government FOIA log (FCC records, publicly available) listed a Christian Lamarco filing from the same time period, confirming the name was associated with regulatory activity consistent with financial research work.

Step 03

Public writing analysis

A public blog attributed to Christian Lamarco — covering stock analysis and corporate intelligence topics — was identified. Manual comparison of writing style, terminology, and subject matter between the blog and Culper Research reports showed strong consistent patterns.

Step 04

Tool fingerprinting

The metadata also confirmed the use of Microsoft Office 365 and Outlook — consistent with the email infrastructure identified from the Culper Research domain. Multiple independent signals pointed to the same individual.

Step 05

Findings reported and validated

All findings were compiled and reported. The client engaged a federal contact to perform final verification through writing style analysis and criminal records cross-reference. The identification was confirmed. The client was satisfied.

What the investigation established

Identity confirmed via PDF metadata

The Creator and Author fields embedded in two Culper Research PDF reports directly named the individual, providing the primary identification vector that all other evidence supported.

Tool stack fingerprinted

Microsoft Word for Office 365 confirmed as the document creation tool, with Outlook used for email — creating a consistent digital fingerprint across multiple independent data points.

Writing style cross-validated

Public writing attributed to the identified individual showed consistent style, vocabulary, and subject matter patterns when compared to Culper Research reports — corroborating the technical findings.

Public records confirmation

Government FOIA records independently corroborated the individual's name and activity in domains consistent with the Culper Research operation, adding a layer of official record to the findings.

Confirmed. Validated. In under 24 hours.

Time to identification

24h

A professional investigation firm had already spent two weeks on the same task without result. The identification was made in under 24 hours using open-source intelligence and document metadata forensics.

The finding was later independently validated when the identified individual was publicly named in a formal defamation lawsuit in September 2021 — confirming the accuracy of the investigation. The case subsequently received coverage in Bloomberg Businessweek.

Client response

"The client is really happy with our work. BTW, the client first paid a big investigation company to do the job and they failed after 2 weeks of trying. We did it in less than 24 hours."

What this case demonstrates

Metadata is often overlooked

Most anonymity efforts focus on domain registration and network-level concealment. Document-level metadata is frequently forgotten and can be a decisive investigation vector.

Corroboration matters

A single data point is a lead. Multiple independent signals pointing to the same conclusion is evidence. The investigation built a chain, not a single finding.

Speed comes from methodology

The 24-hour result wasn't luck — it came from applying a structured OSINT approach systematically, starting with the content the target had already published.

Public content is never fully anonymous

Every piece of content published online carries traces of its origin. Understanding where those traces live is the core skill of digital investigation.

← Back to all cases Next case: Service Stories Pentest →