The case began with a visual clue rather than a direct tip or complaint. While monitoring online content for illegal wildlife trade (IWT), our team noticed that three different websites selling supposed “spiritual” products shared a strikingly similar user interface and layout. Two of them even used the same product photograph. All three claimed to sell “Hatha Jodi” – marketed as a rare plant root that brings prosperity – but the items being traded correspond to dried hemipenies of Bengal monitor lizards (Varanus bengalensis), a protected species. This type of product has been documented in India’s IWT, particularly through online platforms.

Over a 12‑month period, the team monitored 1245 social media/e-commerce website posts related to IWT, of which approximately 9% were linked to body parts of Bengal monitor lizards. In the early phase of this monitoring work, many sellers openly displayed phone numbers and, at times, postal addresses in their social media posts and website contact sections to facilitate sales. Over time, however, as Indian law enforcement agencies increased their efforts to address cyber‑enabled wildlife crime, seller behaviour changed markedly. Phone numbers and addresses began to disappear from public posts, and traders increasingly instructed potential buyers to contact them via direct messages on social media platforms. On websites, visible phone numbers and addresses were removed, leaving only email addresses as points of contact. This shift made traditional surface‑level monitoring insufficient and created a clear need for deeper open‑source intelligence (OSINT) to understand who was behind these operations and how they were organised. 

The initial lead in this case came from the three websites with a similar interface. A closer look showed that all three were powered by the same e‑commerce platform provider (see Figure 1), and two of them reused the same product image for Hatha Jodi. This strongly suggested a shared operational background rather than a coincidence. From earlier social media monitoring work, the team had already collected three phone numbers associated with these websites. These numbers became the starting point for a person‑of‑interest investigation.

As part of Maltego’s Grants Program, we used the Professional version of Maltego’s “SEARCH” capability to query three known phone numbers in order to identify additional details likely linked to the same actors. Of the three initial numbers, two returned rich results that included further associated contact details. From these two searches alone, the team identified three previously unknown phone numbers and four email addresses that had not appeared directly in posts observed earlier by the team. A detailed review of the combined search results showed that five different phone numbers were, in fact, associated with one particular website. Historically, at least one of these numbers had been used openly on a website as a contact channel for potential buyers, while three others were primarily linked to WhatsApp accounts used for communication. One of the newly surfaced email addresses was being used as a “support” or “help” contact in multiple contexts, creating a strong pivot point to tie different numbers together. Though we could not conclusively establish a connection between the websites shown in Figure 1, we have now gathered several pertinent pieces of information associated with one of the domains.

The analysis also provided important geographic insights. Prior to this OSINT work, the team already knew from contextual clues that the traders were operating from one particular city in India. By correlating the name of the phone service provider, location fields from various services (including Google Maps), and profile information returned in Maltego’s “SEARCH” results, the team could link the identifiers more precisely. This made it possible to associate the same network of phone numbers and emails with activity in two additional Indian cities located in different parts of the country. This indicated that the trade was not purely local, but rather coordinated across different urban centres.

The enriched data set also clarified the human side of the operation. By combining caller‑ID labels, social and communication platform profiles, and professional networking information, the team was able to infer that three individuals – two women and one man – were likely behind the network. In one case, a professional networking profile associated with one of the key email addresses revealed the woman’s profession, which helped build a picture of her digital footprint and the extent to which her legitimate and illegitimate activities intersected.

The presence of multiple phone numbers, multiple email addresses, and an overlapping web of profiles supported the assessment that these actors were casual sellers on the surface. In reality, they were forming a more organised operation that had adapted over time to investigative and enforcement pressure.

Taken together, the investigation demonstrates how OSINT and Maltego’s integrated search capability can turn a relatively weak initial lead – in this case, similar website interfaces and a small set of phone numbers – into an actionable, structured and accurate intelligence picture. Starting from three suspicious websites, the team pivoted via phone numbers to additional numbers, email addresses, online accounts, and cities of operation, and then to identifiable persons of interest. This connected view is now being developed into a formal intelligence package for law enforcement, including a consolidated mapping of phone and email infrastructure, geographic spread, and key individuals involved, suitable for use as supporting intelligence in cyber-enabled wildlife crime investigations. The case illustrates the continuing online trade in monitor lizard body parts under the guise of Hatha Jodi, how organised actors adapt to enforcement, and how OSINT tools can keep pace with those adaptations.

This article was originally posted on the Maltego website