Advanced AI-driven cybersecurity threat detection and prevention solutions by SpyCloud.

PLATFORM

Connect Cybercrime Dots Faster with
SpyCloud Investigations

SpyCloud Investigations is the ultimate force multiplier for cybercrime and identity threat investigations. Powered by dark web identity intelligence, analysts and investigators can surface hidden risks, uncover new investigative angles, and connect the dots for rapid response before cyber threats escalate.
PIVOT WITH SPEED & CONFIDENCE

Fuel your investigations with identity intelligence

Analysts turn to SpyCloud to aid investigations of financial crime, insider risk, ransomware attacks, identity theft, supply chain exposures, and malware-infected hosts. Automated AI Insights uncovers hidden relationships and connections so analysts of all skill levels can reveal the who, what, and why behind dark web exposures and attribute threats.
Supercharge Your OSINT Investigations with SpyCloud
INVESTIGATE & REMEDIATE CYBERCRIME

Accelerate your cybercrime and identity threat investigations

For analysts conducting investigations, SpyCloud finds connections other tools miss, correlating fragmented identity data from the criminal underground to accelerate every step of your investigations.
Tap into the deepest well of dark web identity data

Leverage the world’s largest collection of recaptured identity data, for deep context around employee, consumer, and supply chain exposures – and the most complete picture of risk possible.

Get more comprehensive answers, faster

Turn a single selector into a dynamic, contextualized investigation with automated correlation of identity data across breaches, malware infections, and phished data – uncovering 8x more identity records in seconds.

Move rapidly from discovery to action

Turn high-risk exposures into finished intel with AI Insights, leaning on SpyCloud tradecraft to translate exposures into summaries that cut detection, investigation, and response time from hours to minutes.

EXPLORE PRODUCTS

SpyCloud Investigations Products

Reveal hidden connections, accelerate attribution, and take decisive action on identity threats – all from a single starting point.
Cybercrime Investigations

Move from a single data point to clear, actionable intelligence – delivered through analyst-ready workflows or a flexible API.

IDLink

Use the SpyCloud IDLink API for automated identity analytics built on a decade of tradecraft to reveal and act on risks with little effort.

Services & Training
Learn how to use recaptured digital exhaust to analyze threats, or leverage our expert team to help directly with your investigations.
Having access to SpyCloud’s recaptured identity data supports a lot of research that we do. We can make connections between threat actor personas, the services they sell, malware they use, or specific attacks. I would need a bigger team without SpyCloud.
TRUSTED BY HUNDREDS OF GLOBAL INDUSTRY LEADERS

EXPLORE WHO USES SPYCLOUD

Investigators & analysts we help

SpyCloud supports security and fraud teams conducting cybercrime investigations with actionable dark web intelligence. Increase your team’s impact with intuitive access to enriched darknet and malware-sourced identity data.

Cyber threat intel teams

Deanonymize, profile, and understand threat actors and identify criminal campaigns by correlating indicators across 85,000+ breach sources.

SOC teams

Analyze risk from infected hosts, supply chain compromises, and potential insider threats within the network.

Fraud & risk teams

Identify financial crime and platform abuse, and uncover and respond to emerging fraud trends by revealing patterns of malicious behavior.

Next steps

Turn days of investigative work into minutes with SpyCloud Investigations

Cybercrime Investigation FAQs

Standard OSINT lookups return single-dimension results — one email address maps to one set of records from a single source. SpyCloud Cybercrime Investigations uses IDLink identity analytics to automatically pivot across every artifact that makes up a digital identity: email addresses, backup emails, usernames, phone numbers, shared passwords, PII, device fingerprints, and more than a dozen additional asset types — correlating them across breach records, infostealer malware logs, and phishing campaign data simultaneously. When an analyst submits a single selector, IDLink runs all pivots in the background and returns only new, high-relevance results, removing out-of-scope identity artifacts that slow analysis. The result is a holistic identity graph — not a list of records — that surfaces connections to alternate personas, criminal infrastructure, and co-conspirators that single-source lookups miss entirely. SpyCloud’s IDLink analytics surface 8 times more identity records per investigation than standard OSINT methods.


When criminal datasets are surfaced by commercial threat intelligence platforms or breach aggregators, passwords are typically delivered as hashed values (SHA-1, MD5, or bcrypt). An unsalted MD5 or SHA-1 digest can at least be matched against another record carrying the same digest, or against an already-known plaintext by hashing it, but any analysis that needs the password itself requires cracking, and a salted bcrypt hash cannot be correlated at all until it is cracked. Cracking at scale requires time and infrastructure most investigation teams don’t have, and many hashes never crack at all. SpyCloud recaptures identity data directly from criminal sources and cracks passwords to plaintext as part of the ingestion process. More than 80% of exposed credentials in SpyCloud’s recaptured dataset contain plaintext passwords, enabling immediate pattern analysis: identifying shared passwords across personas, correlating password reuse to known threat actor profiles, or tracing an actor’s behavior across multiple accounts and campaigns without waiting for a hash to crack. In competitive evaluations against Flashpoint, Recorded Future, and SOCRadar, SpyCloud’s plaintext credential depth is consistently cited as the capability that ends the evaluation.
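The pivoting described in the previous answer and the plaintext-versus-hash point in this one are easier to see on data. What follows is an added example, not SpyCloud code and not the IDLink API: a breadth-first pivot over a handful of constructed credential records, with a fan-out limit standing in for the out-of-scope filtering the previous answer mentions. The record field names (`email`, `backup_email`, `username`, `phone`, `password`, `hash`, `hash_type`, `source`), the sample values and the `max_fanout` threshold are all assumptions made for the example.

```python
"""Identity pivoting over recaptured credential records (added example,
not SpyCloud code). Field names and all sample values are constructed."""
import hashlib
from collections import defaultdict, deque

# Unsalted digest types can be matched by equality; bcrypt is salted per
# record, so two bcrypt hashes of the same password never compare equal.
UNSALTED = {"md5": hashlib.md5, "sha1": hashlib.sha1}

# Constructed sample records (assumed schema). Record 3 is hashed-only,
# record 8 is bcrypt-only, records 4-7 share a very common password.
RECORDS = [
    {"id": 1, "source": "breach:shopA", "email": "jdoe@example.com",
     "backup_email": "john.d@example.net", "username": "jdoe88", "phone": None,
     "password": "Tr0ub4dor&3", "hash": None, "hash_type": None},
    {"id": 2, "source": "stealer:log", "email": "john.d@example.net",
     "backup_email": None, "username": "darkwriter", "phone": "+15550100",
     "password": "Tr0ub4dor&3", "hash": None, "hash_type": None},
    {"id": 3, "source": "breach:forumB", "email": "dw_ops@example.org",
     "backup_email": None, "username": "opsdw", "phone": None, "password": None,
     # digest computed here so the constructed sample stays self-consistent
     "hash": hashlib.md5(b"Tr0ub4dor&3").hexdigest(), "hash_type": "md5"},
    {"id": 4, "source": "breach:siteC", "email": "seller77@example.org",
     "backup_email": None, "username": "seller77", "phone": "+15550100",
     "password": "123456", "hash": None, "hash_type": None},
    {"id": 5, "source": "breach:siteD", "email": "alice@example.com",
     "backup_email": None, "username": "alice", "phone": None,
     "password": "123456", "hash": None, "hash_type": None},
    {"id": 6, "source": "breach:siteD", "email": "bob@example.com",
     "backup_email": None, "username": "bob", "phone": None,
     "password": "123456", "hash": None, "hash_type": None},
    {"id": 7, "source": "breach:siteE", "email": "carol@example.com",
     "backup_email": None, "username": "carol", "phone": None,
     "password": "123456", "hash": None, "hash_type": None},
    {"id": 8, "source": "breach:siteF", "email": "lone@example.io",
     "backup_email": None, "username": "lone", "phone": None, "password": None,
     "hash": "$2b$12$constructedplaceholderbcryptvalue", "hash_type": "bcrypt"},
]


def artifacts(rec):
    """Every pivotable artifact in one record, as (kind, value) pairs."""
    out = set()
    for key in ("email", "backup_email"):       # a backup email is still an email
        if rec.get(key):
            out.add(("email", rec[key].lower()))
    for key in ("username", "phone"):
        if rec.get(key):
            out.add((key, rec[key]))
    pw = rec.get("password")
    if pw:
        out.add(("password", pw))
        # A known plaintext also resolves unsalted hashed-only records of the
        # same password by direct comparison, with no brute-force cracking.
        for name, fn in UNSALTED.items():
            out.add((name, fn(pw.encode()).hexdigest()))
    elif rec.get("hash") and rec.get("hash_type") in UNSALTED:
        out.add((rec["hash_type"], rec["hash"].lower()))
    # salted hashes (bcrypt etc.) yield no artifact: equality never holds
    return out


def lookup(seed, records=RECORDS):
    """Single-dimension lookup: only records that contain the seed directly."""
    return sorted(r["id"] for r in records if seed in artifacts(r))


def pivot(seed, records=RECORDS, max_fanout=3):
    """Breadth-first pivot from one selector across all linked artifacts.

    An artifact shared by more than max_fanout records (a common password,
    a shared office phone) is treated as out of scope and not expanded,
    because it would connect unrelated identities.
    """
    index, by_id = defaultdict(set), {}
    for rec in records:
        by_id[rec["id"]] = rec
        for art in artifacts(rec):
            index[art].add(rec["id"])
    seen_art, seen_rec, dropped = {seed}, set(), set()
    queue = deque([seed])
    while queue:
        art = queue.popleft()
        for rid in index.get(art, ()):
            if rid in seen_rec:
                continue
            seen_rec.add(rid)
            for nxt in artifacts(by_id[rid]):
                if nxt in seen_art:
                    continue
                if len(index[nxt]) > max_fanout:
                    dropped.add(nxt)
                    continue
                seen_art.add(nxt)
                queue.append(nxt)
    return {"records": sorted(seen_rec), "artifacts": seen_art, "dropped": dropped}


if __name__ == "__main__":
    seed = ("email", "jdoe@example.com")
    print("direct lookup:", lookup(seed))
    result = pivot(seed)
    print("pivoted records:", result["records"])
    print("out-of-scope artifacts:", sorted(result["dropped"]))
```

Starting from one email, the direct lookup returns only record 1; the pivot walks the backup email to the infostealer record 2, the shared phone number to record 4, and, because record 1's plaintext hashes to the same MD5, the hashed-only record 3. Record 8 is never reached: its bcrypt hash cannot be compared with anything. The password "123456" is seen but dropped as out of scope, so records 5 to 7 stay out of the graph; raising `max_fanout` pulls them in and shows why that filter matters.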


During active incident response, attribution timelines are measured in hours, not weeks. The typical DFIR workflow — manually pivoting across OSINT sources, correlating credential databases, checking malware log aggregators, and assembling a threat actor profile — historically takes days of analyst time. SpyCloud Cybercrime Investigations compresses that timeline by automating the correlation layer. IDLink runs identity pivots automatically in the background from the moment a single selector is submitted, and AI Insights transforms the raw exposure data into finished intelligence — analytic summaries with attribution signals, pattern-of-life indicators, and infrastructure linkages — without requiring the analyst to manually review and interpret each record. SpyCloud customers have reported reducing multi-hour SOC investigations to minutes; one CAB customer cited compressing a two-week investigation to four seconds. For DFIR teams operating under breach response pressure, the operational difference between alert-based enrichment and automated identity pivoting is whether attribution lands before or after the incident closes.


Both a malicious insider and an employee whose credentials were compromised by infostealer malware can present with similar surface signals: unusual access, credential matches in criminal markets, or flagged accounts in an IdP. The difference lies in the depth and type of identity data available. SpyCloud Cybercrime Investigations correlates an employee’s work identity against their personal identity footprint — including exposures tied to personal email addresses, personal devices, and non-corporate accounts that appear in the same malware logs or infostealer records. A compromised-but-innocent employee typically shows a consistent identity graph with malware-sourced credential exposure and no connection to criminal infrastructure. A malicious insider or a DPRK remote IT worker posing as a legitimate employee shows different patterns — identity artifacts that connect to criminal forums, fraudulent job applications reusing known identities, or cross-references with known adversarial infrastructure. SpyCloud’s AI-powered holistic identity platform is specifically built to distinguish these patterns at investigation scale, making it the primary tool for insider threat investigations that require distinguishing criminal affiliation from victim status.


SpyCloud Cybercrime Investigations is available both as a no-code analyst module and as a programmatic API, allowing deployment into existing investigation workflows without replacing them. The Investigations API provides direct, queryable access to SpyCloud’s recaptured darknet dataset — supporting queries across email addresses, usernames, IP addresses, domains, and other selectors — and integrates natively with Maltego for visual link analysis, Splunk for SIEM-embedded enrichment, and Jupyter Notebook for custom analytical workflows. Analysts who already use Maltego can install SpyCloud’s Maltego transform to pivot directly into SpyCloud’s identity graph from mid-investigation, without switching tools or exporting data. The API also supports correlation with external sources including VirusTotal and Whois, enabling multi-source enrichment within a single investigation session. For teams that prefer a UI-based workflow with no code requirement, the Investigations Module provides the same IDLink pivoting and AI Insights capabilities through an interface designed for analysts at all experience levels.

