Master Manual · Required pre-exam reading
MICA Master Diploma · Study Manual

MICA Unified Master Manual — Intelligence, Fraud, Blockchain & OSINT

The required master manual for candidates of the GACS Master Intelligence & Cybercrime Analyst (MICA) diploma. Synthesizes the three professional diplomas (CFPS, CBI, OIA) into a single intelligence-agency-grade reference, written in the tradecraft register used by national-level analytic services.

  1. Intelligence Foundations

    Establishes the intelligence cycle, analyst mindset, and the structured analytic techniques every MICA candidate must internalize before touching a case. This chapter is doctrine: it governs how every later chapter is applied.

    The Intelligence Cycle

    The intelligence cycle is the operating system of every professional analytic service: planning & direction, collection, processing & exploitation, analysis & production, dissemination, and feedback. Planning translates a customer's question into prioritized intelligence requirements (PIRs) and essential elements of information (EEIs) — without that translation, collection becomes scavenging and analysis becomes opinion. Collection is deliberately tasked against EEIs and tracked in a collection plan so gaps are visible. Processing turns raw take (screenshots, on-chain pulls, scraped pages, leaked data) into normalized, searchable artifacts with hashes, timestamps and provenance. Analysis stress-tests competing explanations against the evidence. Dissemination matches format and classification to the consumer — a regulator, prosecutor, exchange compliance team and victim each need different products from the same underlying case. Feedback closes the loop: every product should generate a new requirement, a refined PIR, or a confirmed information gap.

    The Analyst Mindset

    The MICA analyst's posture is curiosity bounded by discipline. Assume nothing, source everything, treat every conclusion as provisional until corroborated by an independent stream, and write as if the reader will be hostile to your conclusions. Two failure modes destroy careers: the storyteller who builds a beautiful narrative on a single weak source, and the technician who produces flawless tooling output with no judgement attached. The mindset is auditable humility — the willingness to publish a finding with an explicit confidence level and to revise it in writing when new evidence arrives.

    Cognitive Bias Mitigation

    The dominant analytic risks are not technical, they are cognitive: confirmation bias (weighting evidence that fits the working theory), anchoring (locking onto the first number or hypothesis seen), availability heuristic (over-weighting recent or vivid examples), mirror-imaging (assuming the adversary thinks like you), and groupthink (premature analytic consensus inside the team). The MICA toolkit against these is procedural, not motivational: Analysis of Competing Hypotheses (ACH) forces simultaneous evaluation of all credible explanations; the Key Assumptions Check writes every load-bearing assumption on the wall before the analysis starts; Devil's Advocacy and Red Team review are scheduled, not optional; and a written 'pre-mortem' asks how this product would look six months from now if the lead theory turned out to be wrong.

    Structured Analytic Techniques (SATs)

    SATs are the operationalization of judgement. ACH is used to compare hypotheses against evidence in a matrix, scoring each piece of evidence as consistent, inconsistent, or not applicable; the surviving hypothesis is the one with the least disconfirming evidence, not the most confirming. Link analysis maps relationships between entities (wallets, handles, infrastructure, real-world identities) and exposes hubs that would not be visible from a list view. Timeline analysis sequences events to expose causality and OPSEC failures. Indicators & warnings (I&W) define, in advance, the observable signals that would shift confidence — committing to those signals before they appear is what makes I&W intellectually honest.
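    A scored ACH matrix as an added worked example (not the manual's own tooling): hypotheses are ranked by weighted disconfirming evidence, and evidence that fits every hypothesis is flagged as non-diagnostic. The hypotheses, evidence items and credibility weights are constructed for illustration.

```python
"""Analysis of Competing Hypotheses (ACH) matrix scoring.

Added worked example; it is not the manual's own tooling. The hypotheses,
evidence items and credibility weights below are constructed for
illustration of the method, not drawn from a real case.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Cell verdicts: Consistent, Inconsistent, Not Applicable.
C, I, NA = "C", "I", "NA"


@dataclass
class ACHMatrix:
    hypotheses: List[str]
    evidence: List[str]
    cells: Dict[Tuple[str, str], str]                        # (evidence, hypothesis) -> C/I/NA
    weights: Dict[str, float] = field(default_factory=dict)  # evidence -> credibility weight


def is_diagnostic(m: ACHMatrix, ev: str) -> bool:
    """Evidence that is consistent (or N/A) with every hypothesis, or
    inconsistent with every hypothesis, discriminates between none of them."""
    verdicts = {m.cells[(ev, h)] for h in m.hypotheses} - {NA}
    return len(verdicts) > 1


def inconsistency_scores(m: ACHMatrix) -> Dict[str, float]:
    """ACH scores each hypothesis by the weighted count of *disconfirming*
    evidence; consistent evidence earns no credit, so stacking supportive
    items cannot rescue a hypothesis that one solid item contradicts."""
    scores = {h: 0.0 for h in m.hypotheses}
    for ev in m.evidence:
        if not is_diagnostic(m, ev):
            continue
        for h in m.hypotheses:
            if m.cells[(ev, h)] == I:
                scores[h] += m.weights.get(ev, 1.0)
    return scores


def surviving_hypotheses(m: ACHMatrix) -> List[str]:
    """The hypothesis (or tie set) with the least disconfirming evidence."""
    scores = inconsistency_scores(m)
    best = min(scores.values())
    return sorted(h for h, s in scores.items() if s == best)


def non_diagnostic_evidence(m: ACHMatrix) -> List[str]:
    """Items that fit every story equally: kept in the evidence appendix,
    but they should carry no weight in the judgement."""
    return [ev for ev in m.evidence if not is_diagnostic(m, ev)]


# Constructed matrix for a consolidation-address question.
H1 = "H1: consolidation address is operator-controlled"
H2 = "H2: consolidation address belongs to an unrelated user"
H3 = "H3: consolidation address is an exchange internal sweep"
E = [
    "E1: deposit equals victim loss minus bridge fee",
    "E2: activity falls in UTC+8 business hours",
    "E3: next hop is an exchange-issued deposit address",
    "E4: address previously received funds from two other victims",
    "E5: operator handle denies involvement in chat",
]
EXAMPLE = ACHMatrix(
    hypotheses=[H1, H2, H3],
    evidence=E,
    cells={
        (E[0], H1): C, (E[0], H2): I, (E[0], H3): I,
        (E[1], H1): C, (E[1], H2): C, (E[1], H3): C,   # fits every hypothesis
        (E[2], H1): C, (E[2], H2): C, (E[2], H3): I,
        (E[3], H1): C, (E[3], H2): I, (E[3], H3): I,
        (E[4], H1): I, (E[4], H2): C, (E[4], H3): NA,
    },
    weights={E[0]: 2.0, E[3]: 2.0, E[4]: 0.5},          # self-serving denial weighted low
)

if __name__ == "__main__":
    for h, s in inconsistency_scores(EXAMPLE).items():
        print(f"{s:4.1f}  {h}")
    print("surviving:", surviving_hypotheses(EXAMPLE))
    print("non-diagnostic:", non_diagnostic_evidence(EXAMPLE))
```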

    Confidence Scoring & Analyst Caveats

    Every MICA finding carries an explicit confidence level — low, moderate, or high — with a written rationale tied to source quality, source independence, and the presence or absence of corroboration. Confidence is not certainty: 'high confidence' means the judgement is well-supported and unlikely to change without significant new information; it does not mean the judgement is correct. Caveats are first-class content: 'this assessment assumes the leaked database is authentic', 'attribution is based on infrastructure overlap and could be invalidated by shared-hosting reuse', 'the on-chain trace ends at a centralized exchange and depends on KYC subpoena for further resolution.' Overstated confidence is the fastest way to destroy analyst credibility; understated confidence is the second fastest way to be ignored.

    Intelligence Requirements & Collection Planning

    Before collection starts, the analyst converts the customer's question into a small set of priority intelligence requirements, each broken down into essential elements of information and assigned to specific collection methods (open-source, on-chain, SOCMINT, dark-web, human-source, vendor data, legal process). The collection plan is a living document: as each EEI is satisfied it is marked closed; as gaps emerge they are added. This discipline prevents the most common mid-career failure mode — collecting whatever is easy, then back-fitting a requirement to the data.

    Product Standards & BLUF Writing

    The MICA standard product opens with a Bottom Line Up Front (BLUF) — three to five sentences that state the judgement, the confidence, and the so-what. The executive summary expands the BLUF for non-specialist readers. Findings are numbered, each with sourcing, confidence, and the specific evidence trail. An evidence appendix preserves hashes, URLs, timestamps and screenshots. Recommendations are separated from findings so the reader can act on the analysis without conflating it with the analyst's preferences. Every paragraph either advances the judgement or it is cut.

  2. Fraud Intelligence & Financial Crime

    Covers the architecture of modern fraud ecosystems, social engineering, victim psychology, evidence preservation and the case-triage discipline drawn from CFPS, treated as an intelligence problem rather than a customer-service problem.

    Scam Architecture

    Every mature fraud operation is a pipeline of five stages — lead generation, grooming, conversion, extraction, and laundering — and each stage has distinct operators, infrastructure, and observable signals. Lead generation runs on advertising platforms, leaked databases, social-platform DMs, and bought victim lists. Grooming builds parasocial trust over days or weeks, often using scripted playbooks that are recognizable across cases. Conversion is the moment the victim takes the first irreversible action (sending funds, granting wallet approvals, installing remote-access software). Extraction is the systematic emptying of the victim, frequently combined with a 'tax', 'unlock fee', or 'profit withdrawal verification' designed to maximize the take. Laundering moves value through exchanges, OTC desks, mixers, bridges and shell businesses. Disrupting any one stage cascades — taking down a grooming platform, an exchange off-ramp, or a payment processor is more durable than chasing individual operators.

    Fraud Ecosystems & Roles

    Treat the adversary as an organization, not a person. Typical roles include the operator (financial owner of the scheme), recruiters who hire and manage call-center staff or 'closers', closers themselves (often human-trafficked labor in 'scam compounds'), money mules who receive and forward funds, recovery scammers who re-victimize the same list, OTC launderers who convert crypto to cash, infrastructure providers (bulletproof hosting, fake-KYC vendors, SMS-gateway operators) and tooling providers (off-the-shelf scam-platform vendors). Attribution at the role level — 'this infrastructure cluster supports at least seven distinct frontend brands' — is far more durable than attribution at the individual level, because individuals churn while infrastructure persists.

    Social Engineering

    Social engineering is applied behavioral science. Cialdini's six principles — reciprocity, commitment & consistency, social proof, authority, liking, and scarcity — are weaponized in every successful playbook, joined by manufactured urgency, fear-of-missing-out, and the sunk-cost trap. Romance and pig-butchering schemes use commitment & consistency plus liking; recovery scams use authority plus reciprocity ('I'm with the regulator, I have your file open'); investment scams use social proof (fake testimonials, fake dashboards showing other 'investors') plus scarcity ('the pool closes tonight'). The analytic value of naming the principle is that it predicts the next move: if the operator just established authority, the next message will weaponize it for an irreversible action.

    Victim Psychology & Triage

    Shame and sunk-cost are the operator's most reliable allies — they keep victims silent for weeks while evidence decays. The analyst's job is not to comfort the victim, it is to extract the maximum collectable evidence in the shortest time without causing additional harm. Triage by harm severity (ongoing extraction outranks completed loss), evidence freshness (the seventy-two-hour window after the last transaction is where exchange recovery is most plausible), and recoverability (funds still on a regulated exchange outrank funds already through a mixer). Emotional weight is not a triage criterion — the loudest case is rarely the most actionable.

    Evidence Preservation

    Evidence collected wrong is evidence lost. Screenshots must show URL bar, timestamp, and the relevant content together in a single frame; full-page captures are preferred over scrolled crops. Emails are preserved with full headers (Received-Path, Authentication-Results, Message-ID) because the body alone is worthless for attribution. On-chain artifacts (transaction hashes, wallet addresses, contract addresses, block numbers) are captured immediately and verified against at least two independent block explorers. Messaging-platform evidence is exported using the platform's own export tooling where available — third-party screenshots are easy to forge and easy to dismiss. Every artifact is hashed at collection, stored in a write-once location, and logged in a chain-of-custody record with collector, timestamp, method, and source URL.

    Payment-Rail & Off-Ramp Awareness

    Fraud proceeds rarely sit on the initial deposit address. The standard flow is victim → operator hot wallet → bridge or in-platform swap → consolidation address → exchange deposit address → off-ramp to fiat. Each hop has different evidentiary value: the deposit address is the strongest legal hook because it is the point where KYC and travel-rule data exist. The MICA analyst maps these rails before requesting legal process so the request lands at the actor with the data, not the actor with the noise.

    Case-Triage Discipline

    A mature fraud-intelligence shop runs intake, triage, working and archive queues. Intake captures everything reported; triage rates each case on harm, freshness, recoverability and intelligence value (does this case fill an existing PIR?); working cases are assigned a lead analyst with a defined product and deadline; archive cases are retained for pattern-matching against future intake. The discipline is to refuse to 'work' cases that do not meet triage thresholds — analytic time spent on unrecoverable, low-intelligence cases is time stolen from cases that can be resolved.

  3. Blockchain Forensics & Crypto Crime

    Wallet forensics, multi-chain tracing, mixers and bridges, smart-contract exploitation, NFT laundering, DeFi fraud patterns and the analytic discipline that separates a tracer from an investigator. This is the CBI body of knowledge, condensed to its operational essentials.

    Wallet Forensics & Address Clustering

    An address is not an actor — a cluster of addresses controlled by the same actor is. Clustering relies on the common-input-ownership heuristic (inputs co-spent in a single transaction typically share a key), change-address heuristics (the unmarked output of a payment is usually a fresh wallet under the same control), behavioral fingerprints (fee selection, timing, dust patterns) and exchange-deposit attribution (deposit addresses are issued per-user by the exchange and identify the on-ramp). Modern clustering tools are probabilistic, not deterministic — every cluster carries a confidence level and a list of heuristics applied. MICA analysts must be able to defend a cluster: which heuristics fired, which transactions support them, and what would falsify the cluster.

    Transaction Tracing

    Forward tracing answers 'where did the funds go?', backward tracing answers 'where did they come from?'. Both produce graphs that explode quickly without graph-pruning rules: ignore dust transactions, ignore branches that return to a known exchange (the trace effectively ends at the off-ramp), and collapse self-transfers within the same cluster. Hops alone are not laundering — intent, structure and timing are. A six-hop trace through three centralized exchanges is usually a single user moving money; a two-hop trace through a custom contract is usually obfuscation. The product of tracing is not a graph, it is a narrative supported by the graph.
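    An added worked example (not the manual's or any vendor's tooling) that ties the clustering and tracing sections together: the common-input-ownership heuristic builds clusters, then a forward trace applies the three pruning rules above. The UTXO-style transactions, dust threshold and labelled exchange deposit address are constructed.

```python
"""Common-input-ownership clustering followed by a pruned forward trace.

Added worked example; not the manual's own tooling. The transactions,
the dust threshold and the labelled exchange deposit address are
constructed, UTXO-style, for illustration.
"""
from collections import defaultdict, deque
from typing import Dict, List, Set, Tuple

# Constructed transactions: inputs are the addresses co-spent, outputs are
# (address, amount) in illustrative base units.
TXS = [
    {"txid": "t1", "inputs": ["A1", "A2"], "outputs": [("B1", 900_000), ("A3", 95_000)]},
    {"txid": "t2", "inputs": ["A3", "A1"], "outputs": [("B1", 90_000), ("A4", 500)]},
    {"txid": "t3", "inputs": ["B1"],       "outputs": [("X1", 985_000), ("B2", 4_000)]},
    {"txid": "t4", "inputs": ["X1"],       "outputs": [("Z9", 985_000)]},   # exchange-side sweep
    {"txid": "t5", "inputs": ["B2"],       "outputs": [("C1", 3_500)]},
]
EXCHANGE_DEPOSITS: Set[str] = {"X1"}   # attributed exchange deposit addresses
DUST = 1_000                           # outputs at or below this are ignored


class UnionFind:
    def __init__(self) -> None:
        self.parent: Dict[str, str] = {}

    def find(self, a: str) -> str:
        self.parent.setdefault(a, a)
        while self.parent[a] != a:
            self.parent[a] = self.parent[self.parent[a]]   # path halving
            a = self.parent[a]
        return a

    def union(self, a: str, b: str) -> None:
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_addresses(txs: List[dict]) -> UnionFind:
    """Common-input-ownership heuristic: inputs co-spent in one transaction
    are assumed to share a key holder. Known exchange deposit addresses are
    left out so a custodial or CoinJoin-like spend does not merge unrelated
    users into one cluster (the heuristic is probabilistic, as the text says)."""
    uf = UnionFind()
    for tx in txs:
        ins = [a for a in tx["inputs"] if a not in EXCHANGE_DEPOSITS]
        for a in ins[1:]:
            uf.union(ins[0], a)
    return uf


def forward_trace(txs, start, uf, exchanges, dust=DUST):
    """Breadth-first trace of where `start`'s funds went, applying the
    pruning rules: drop dust outputs, collapse transfers that stay inside
    the same cluster (change, self-transfers), and stop at a labelled
    exchange deposit address. Returns (hops, endpoints)."""
    spends = defaultdict(list)                    # cluster -> txs spending from it
    for tx in txs:
        for c in {uf.find(a) for a in tx["inputs"]}:
            spends[c].append(tx)
    root = uf.find(start)
    seen, queue = {root}, deque([root])
    hops: List[Tuple[str, str, str, int]] = []   # (from_cluster, to_addr, txid, amount)
    endpoints: Set[str] = set()
    while queue:
        cur = queue.popleft()
        for tx in spends[cur]:
            for addr, amount in tx["outputs"]:
                if amount <= dust:
                    continue                      # prune dust
                nxt = uf.find(addr)
                if nxt == cur:
                    continue                      # intra-cluster move: collapse
                hops.append((cur, addr, tx["txid"], amount))
                if addr in exchanges:
                    endpoints.add(addr)           # trace ends at the off-ramp
                elif nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
    return hops, endpoints


def run_example():
    uf = cluster_addresses(TXS)
    return uf, forward_trace(TXS, "A1", uf, EXCHANGE_DEPOSITS)


if __name__ == "__main__":
    uf, (hops, ends) = run_example()
    for hop in hops:
        print(hop)
    print("trace ends at exchange deposit(s):", sorted(ends))
```

    The exchange's own onward sweep (t4) is never traversed, and the A3 change output never appears as a hop, which is the difference between a graph and a readable narrative.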

    Cross-Chain Laundering

    Bridges, atomic swaps, wrapped assets, and cross-chain DEX aggregators are the modern launderer's preferred tools because they exploit the gap between chain-specific tooling. Treat a bridge as a state transition, not a dead end: the same actor typically re-appears on the destination chain within minutes, often with characteristic gas patterns, identical fund amounts (minus bridge fees), and reused operational addresses. Bridge contracts emit events on both sides — collecting the lock event on the source chain and the mint event on the destination chain is non-negotiable evidence preservation. Some bridges publish indexer APIs that make this trivial; others require direct contract-event parsing.

    Mixers, Tumblers & Privacy Tools

    Mixing services fall into three classes: centralized mixers (custodial, easy to trace because the operator becomes a single point of attribution), CoinJoin-style protocols (non-custodial, defeats naive analysis but vulnerable to amount, timing and wallet-software fingerprinting), and smart-contract mixers (deposit-and-withdraw with a delay and an anonymity set). Behavioral analysis often defeats naive mixer use: the same operator who deposits one round amount and withdraws an equally round amount minutes later is barely mixed. Privacy coins (Monero, Zcash shielded pools) present hard limits to on-chain tracing and force the analyst back to off-chain attribution.
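    An added worked example (not the manual's own tooling) for the two preceding sections: it pairs source-chain lock events with destination-chain mint events by post-fee amount and time window, and flags address reuse across the bridge. With the fee set to zero the same matcher is the "round amount in, same round amount out minutes later" check described for smart-contract mixers. The events, the 0.10 % fee model, the window and the address labels are constructed.

```python
"""Pairing source-chain lock events with destination-chain mint events.

Added worked example; not the manual's own tooling. The events, the fee
model (10 bps), the time window and the address labels are constructed.
Real bridges have their own fee schedules and event layouts, which must be
read from the contract or its indexer.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class BridgeEvent:
    chain: str
    tx: str
    address: str      # depositor (lock) or recipient (mint)
    amount: int       # token base units
    ts: int           # unix seconds


def expected_mint_amount(lock_amount: int, fee_bps: int) -> int:
    """Amount that should appear on the destination chain after the fee."""
    return lock_amount - (lock_amount * fee_bps) // 10_000


def match_events(locks, mints, fee_bps, max_delay, tolerance=0):
    """Greedy pairing: each mint is matched to the earliest still-unmatched
    lock whose post-fee amount equals the mint amount (within tolerance)
    and which precedes the mint by at most max_delay seconds. With many
    identical amounts in the window the pairing is ambiguous and should be
    reported as such rather than asserted.
    Returns (pairs, unmatched_locks, unmatched_mints)."""
    free = sorted(locks, key=lambda e: e.ts)
    pairs, orphan_mints = [], []
    for m in sorted(mints, key=lambda e: e.ts):
        for lk in free:
            in_window = 0 <= m.ts - lk.ts <= max_delay
            if in_window and abs(expected_mint_amount(lk.amount, fee_bps) - m.amount) <= tolerance:
                pairs.append((lk, m))
                free.remove(lk)
                break
        else:
            orphan_mints.append(m)
    return pairs, free, orphan_mints


def reused_addresses(pairs) -> List[Tuple[str, str]]:
    """Pairs where the same operational address appears on both chains."""
    return [(lk.tx, m.tx) for lk, m in pairs if lk.address == m.address]


# Constructed events. fee 10 bps = 0.10 %.
LOCKS = [
    BridgeEvent("src", "lock-1", "op-1", 1_000_000, 1_000),
    BridgeEvent("src", "lock-2", "op-2", 250_000, 1_200),
    BridgeEvent("src", "lock-3", "op-3", 999_000, 1_500),   # never minted in window
]
MINTS = [
    BridgeEvent("dst", "mint-1", "op-1", 999_000, 1_400),   # 1_000_000 less 0.10 %
    BridgeEvent("dst", "mint-2", "op-2b", 249_750, 2_000),  # 250_000 less 0.10 %
    BridgeEvent("dst", "mint-3", "unrelated", 5_000, 3_000),
]
FEE_BPS, MAX_DELAY = 10, 900


def run_example():
    return match_events(LOCKS, MINTS, FEE_BPS, MAX_DELAY)


if __name__ == "__main__":
    pairs, free, orphans = run_example()
    for lk, m in pairs:
        print(f"{lk.tx} -> {m.tx}  {lk.amount} -> {m.amount}  delay {m.ts - lk.ts}s")
    print("unmatched locks:", [e.tx for e in free])
    print("unmatched mints:", [e.tx for e in orphans])
    print("address reuse across chains:", reused_addresses(pairs))
```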

    Smart-Contract Exploitation

    MICA candidates must be able to read a transaction trace, not just look up its hash. The recurring attack classes are reentrancy (callback to the victim contract before state is updated), oracle manipulation (the price feed is poisoned, often via flash-loan-funded swaps on a thin pool), flash-loan attacks (large unsecured capital is used to bend an automated market for a single block), access-control failures (a function that should be admin-only is callable by anyone), and approval drains (the victim signed an unlimited allowance to a malicious contract). For each, the analyst must identify the vulnerable function, the attacker's setup transactions, the exploit transaction itself, and the post-exploit movement of funds.

    NFT & DeFi Fraud Patterns

    NFTs are a laundering vector as much as a market. Wash trading inflates apparent volume by self-trading at coordinated prices; rug pulls collapse liquidity after a marketing push; honeypot tokens let buyers in but block sells via hidden transfer logic; liquidity-removal exits drain pool reserves on a deployer-controlled timer; approval-phishing drains use deceptive UIs to harvest token allowances and clear wallets at the attacker's leisure. Recognizing these patterns is faster than tracing them: deployer-controlled mint functions, single-source liquidity, abnormal sell-tax logic, and post-deploy admin-key concentration are visible from contract metadata before any victim transactions occur.

    Exchange & Compliance Workflow

    The terminal stage of most blockchain investigations is a request to a centralized exchange, a stablecoin issuer, or a regulated custodian. Effective requests are surgical: they name the deposit address, the transaction hashes, the time window, the legal basis and the exact information sought. Vague 'please freeze and disclose' requests are routinely declined. The travel rule (FATF Recommendation 16) and equivalent local frameworks now require originator/beneficiary information to flow with transfers above threshold — this generates a parallel, off-chain evidence stream that the analyst should request explicitly.

  4. OSINT Intelligence & Attribution

    Digital footprint mapping, SOCMINT, GEOINT, CHRONOINT, IMGINT/VIDINT, dark-web intelligence and threat-actor profiling — the OIA body of knowledge, taught as attribution craft rather than as a tool catalog.

    Digital Footprint Mapping

    An identity is the intersection of identifiers — usernames, email addresses, phone numbers, breach records, wallet addresses, profile-photo hashes, writing style, posting times, and infrastructure (domains, hosting, certificates, push tokens). The footprint methodology is to take any one identifier, enumerate every platform where it appears, extract every adjacent identifier, and iterate. Reuse is the analyst's best friend: people reuse handles across platforms, reuse passwords across breaches, and reuse profile photos across personas. A persona that appears in three independent breach datasets with a consistent email-to-phone mapping is rarely a sockpuppet.

    SOCMINT — Social Media Intelligence

    Each platform has its own collection surface, retention rules, and behavioral fingerprints. The discipline is platform-aware collection: capture the post and the metadata (post ID, edit history if available, engagement graph, profile-creation date, follower-graph snapshot), not just the screenshot. Behavioral fingerprinting — posting cadence, timezone, language register, error patterns — is often more durable than content, because operators change content but rarely change habits. Sockpuppet detection looks for synchronized posting, identical bios across multiple accounts, profile photos that fail reverse-image search, and engagement-graph density that exceeds organic norms.

    GEOINT & CHRONOINT

    GEOINT extracts location from imagery and text: landmarks, signage (language, alphabet, brand mix), vegetation and biome, vehicle plates and types, electrical sockets, road markings, architectural style and weather. CHRONOINT extracts time: sun and shadow geometry, seasonal indicators (foliage, snow, daylight length), weather corroboration against archival forecasts, and platform-side timestamps (with timezone). Where + when is a powerful attribution lever; a self-portrait taken at a recognizable terrace at a sun-elevation that matches a single thirty-minute window on a single day collapses an entire alibi.

    IMGINT & VIDINT

    Image and video intelligence starts with metadata preservation: EXIF where present, perceptual hash, file size, dimensions, and source URL. Reverse image search across multiple engines (each indexes a different slice of the web) is the cheapest, highest-yield first step. For video, frame-by-frame review, ambient audio analysis (sirens, languages, music in the background), and compression-artifact review for manipulation detection are standard. Modern manipulation detection includes face-swap artifacts, inconsistent lighting between subject and background, and physically impossible reflections — but the analyst should resist the temptation to claim manipulation without a specific, defensible indicator.

    Dark-Web Intelligence

    Tor and equivalent overlay networks host marketplaces, forums, leak sites, and operator infrastructure. Safe collection requires isolated infrastructure: a disposable virtual machine, a non-attributable network path, a documented operating procedure, and a policy on what may and may not be downloaded. Marketplace intelligence focuses on vendor reputation systems, PGP-key reuse (the same key across vendor profiles is strong attribution), shipping origin claims, and listing-language fingerprinting. Forum OPSEC failures — clearnet-username reuse, accidentally posted screenshots showing localized OS chrome, inconsistent timezone behavior — are the single most productive attribution source.

    Threat-Actor Profiling

    An actor profile combines motivation (financial, ideological, state-aligned, personal), capability (tooling sophistication, access, infrastructure budget), opportunity (target exposure, defensive posture), and TTPs (tactics, techniques and procedures observed across cases). The durable attribution signals are infrastructure reuse, code reuse, linguistic fingerprints (preferred misspellings, calque patterns, code-switching), posting times that match a single timezone, and the OPSEC failure pattern — every group fails the same way repeatedly. Naming the actor is rarely the product; profiling them so future cases are recognized in days instead of weeks is.

    Source Validation & Disinformation Hygiene

    Every OSINT source has an agenda. The analyst evaluates source reliability (track record), information credibility (independent corroboration), and the probability that the source is itself an operation. Screenshot collections, 'leaked documents' offered without provenance, and conveniently-timed exposés should be treated as collection material, not as conclusions. The rule is: corroborate with at least one independent stream of a different type before relying on any OSINT finding for an attribution claim.

  5. Integrated Intelligence Operations

    How to fuse fraud, blockchain and OSINT streams into a single attributable case — the discipline that separates MICA-level analysts from single-domain practitioners. This chapter is where the previous three chapters become one workflow.

    Multi-Source Fusion

    Fusion is not aggregation. Aggregation is putting all the evidence in one folder; fusion is corroborating every claim across at least two independent streams of different types — on-chain plus OSINT, OSINT plus victim-supplied evidence, victim-supplied evidence plus exchange data. A wallet without an identity is a number; an identity without a wallet is a name; together they are a case. The fusion product is a single evidence model where each node (wallet, persona, infrastructure, real-world entity) carries its own confidence and the relationships between nodes carry their own confidence.

    Cross-Discipline Attribution

    Attribution at MICA level routinely chains across all three disciplines. Example: on-chain analysis identifies a consolidation address; the consolidation address has historical deposits to a regulated exchange; legal process to the exchange returns a KYC identity; the identity matches a SOCMINT persona by email and phone; the persona's posting times, language and infrastructure match a previously profiled actor. Each step is a discrete, defensible inference; the product is a chain of inferences with an aggregate confidence that is lower than the weakest link.

    Case Reconstruction & Timeline

    A defensible case is a chronologically ordered list of events, each tied to a source artifact, a timestamp, and a confidence rating. The timeline is built bottom-up from artifacts, not top-down from narrative — the temptation to write the story and then look for evidence is the single largest source of analytic error. Reconstruction is what a prosecutor, regulator, exchange compliance lead, or court-appointed expert will actually read; if the timeline cannot be reconstructed from the evidence appendix alone, the case is not finished.

    Intelligence Reporting Standards

    A MICA-grade intelligence product opens with a BLUF, expands into an executive summary, presents numbered findings each with explicit confidence and sourcing, supplies an evidence appendix with hashes and provenance, lists analyst caveats and known information gaps, and separates recommendations from findings. Classification or sensitivity markings (PUBLIC / RESTRICTED / SENSITIVE) are applied per paragraph, not per document, so the product can be sanitized for different consumers without rewriting it. Distribution lists are explicit; downstream re-distribution is governed by the originator-control principle.

    Chain of Custody

    Evidence that cannot survive scrutiny does not exist. Every artifact is hashed (SHA-256 at minimum) at the moment of collection, stored in a write-once location, and accompanied by a record of who collected it, when, by what method, from what source, on what device, and through what network. Every subsequent handler is logged. Modifications are forbidden; derived products (cropped screenshots, redacted PDFs, summary tables) are stored alongside the originals with their own hashes and a documented derivation. The discipline is procedural, not heroic — the analyst who improvises chain of custody under deadline is the analyst whose case is excluded later.
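    An added worked example (not the manual's own tooling) for this section and the earlier Evidence Preservation section: artifacts are hashed with SHA-256 at collection, every custody entry is chained to the previous one so deletions and reordering are detectable, derived products reference their parent with a documented derivation, and verification re-hashes the stored originals. Artifact bytes, collector name, source URL, device and network labels are constructed placeholders.

```python
"""Chain-of-custody ledger: hash at collection, append-only record, derivations.

Added worked example; not the manual's own tooling. Artifact bytes, collector
names, the source URL, device and network labels are constructed placeholders.
"""
import hashlib
import json
from dataclasses import asdict, dataclass
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class CustodyEntry:
    artifact_id: str
    sha256: str
    collector: str
    collected_at: str        # ISO-8601 UTC, written at collection time
    method: str
    source: str
    device: str
    network: str
    derived_from: Optional[str] = None   # parent artifact_id for derived products
    derivation: Optional[str] = None     # how the derived product was produced


def _link(prev: str, entry: CustodyEntry) -> str:
    """Each ledger line commits to the previous line, so deleting or
    reordering an entry breaks every link after it."""
    body = json.dumps(asdict(entry), sort_keys=True)
    return sha256_hex((prev + body).encode())


class CustodyLedger:
    def __init__(self) -> None:
        self.entries: List[CustodyEntry] = []
        self.links: List[str] = []

    def record(self, entry: CustodyEntry, data: bytes) -> str:
        """Append an entry; refuses a declared hash that does not match the
        bytes, and a derivation that points at a parent not in the ledger."""
        if sha256_hex(data) != entry.sha256:
            raise ValueError(f"{entry.artifact_id}: bytes do not match declared hash")
        known = {e.artifact_id for e in self.entries}
        if entry.derived_from is not None and entry.derived_from not in known:
            raise ValueError(f"{entry.artifact_id}: parent {entry.derived_from} not in ledger")
        prev = self.links[-1] if self.links else GENESIS
        link = _link(prev, entry)
        self.entries.append(entry)
        self.links.append(link)
        return link

    def verify(self, store: Dict[str, bytes]) -> List[str]:
        """Re-hash every stored artifact and recompute the link chain."""
        problems, prev = [], GENESIS
        for e, link in zip(self.entries, self.links):
            data = store.get(e.artifact_id)
            if data is None or sha256_hex(data) != e.sha256:
                problems.append(f"{e.artifact_id}: missing or content hash mismatch")
            if _link(prev, e) != link:
                problems.append(f"{e.artifact_id}: ledger link broken")
            prev = link
        return problems


def run_example() -> Tuple[List[str], List[str]]:
    """Collect a constructed capture, record a cropped derivative, verify,
    then show what verification reports once the stored original is altered."""
    original = b"PNG-PLACEHOLDER: full-page capture with URL bar and clock"   # constructed
    crop = original[:22]                                                      # constructed
    ledger, store = CustodyLedger(), {}
    common = dict(collector="analyst-01", collected_at="2024-01-15T10:42:07Z",
                  device="collection-vm-7", network="research-proxy-A")
    store["ART-0001"] = original
    ledger.record(CustodyEntry("ART-0001", sha256_hex(original),
                               method="browser full-page capture",
                               source="https://example.invalid/fake-dashboard", **common), original)
    store["ART-0001-crop"] = crop
    ledger.record(CustodyEntry("ART-0001-crop", sha256_hex(crop), method="derived",
                               source="ART-0001", derived_from="ART-0001",
                               derivation="cropped to header region for report figure",
                               **common), crop)
    clean = ledger.verify(store)
    store["ART-0001"] = original + b" "           # a one-byte change to the stored original
    tampered = ledger.verify(store)
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = run_example()
    print("before tampering:", clean or "ok")
    print("after tampering: ", tampered)
```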

    Operational Tempo & Quality Control

    Intelligence shops live or die on tempo. Define for every product class a target turn-around, a peer-review step, and a 'good enough to ship' standard. Peer review is structural: a second analyst checks the evidence against the BLUF, the confidence ratings against the evidence, and the writing against the product standard. The most expensive errors are not the ones caught in review — they are the ones shipped because review was skipped under deadline.

  6. Master-Level Case Studies

    Six representative cases that require simultaneous fraud, blockchain and OSINT competency. These mirror the scenarios candidates will see on the MICA capstone exam and are designed to be reconstructed end-to-end from the evidence model alone.

    Case A — Pig-Butchering with Cross-Chain Laundering

    Romance-scam grooming on social platforms migrates to an encrypted messenger after the parasocial bond is established. The victim is onboarded to a fake derivatives-trading dashboard and deposits USDT-TRC20 to an operator-controlled address. Funds are consolidated, bridged from TRON to Ethereum, routed through a smart-contract mixer, and cashed out via an OTC desk in a permissive jurisdiction. Attribution is built from reused operator handles across three victim cases, identical bridge-timing fingerprints (the operator runs the bridge on a fixed daily schedule), and a SOCMINT cluster of the 'closer' personas that share profile photo hashes and a single Cyrillic-keyboard typo pattern.

    Case B — Rug Pull with NFT Wash Trading

    A meme-token launch is preceded by a paid influencer push and a wash-traded NFT collection used to inflate the apparent on-chain footprint of the deployer. Liquidity is removed by the deployer ninety minutes after launch; proceeds are tumbled through a CoinJoin protocol and bridged to a privacy chain. Attribution begins with deployer-address reuse across three earlier failed launches, continues with a Discord OPSEC failure (the deployer pasted a screenshot showing a localized OS clock that contradicted the claimed jurisdiction), and resolves with a clearnet username overlap between the influencer's payment wallet and the deployer's pre-launch funding wallet.

    Case C — Recovery Scam Targeting Prior Victims

    Operators scrape public victim posts from open forums and impersonate a 'regulator-affiliated recovery agent', collecting a second round of fees from already-traumatized victims. The intelligence value is in the SOCMINT cluster: shared phrasing across victim outreach messages, a shared payment-processor account that bridges multiple persona identities, and a shared hosting cluster for the lookalike domains used in the impersonation. The output is a takedown package for the hosting provider and a public warning product disseminated through victim-support channels.

    Case D — Dark-Web Vendor Attribution

    A marketplace vendor with otherwise strong OPSEC is undone by three independent failures: clearnet username reuse on a hobbyist forum, PGP-key metadata containing a real-name email comment field, and a single product photo geolocated to a small residential district through a window-reflection landmark. No single failure would attribute the vendor; the fusion of three independent streams of different types produces a high-confidence attribution suitable for cross-border liaison.

    Case E — Flash-Loan Exploit & Laundering

    An attacker uses a flash loan to manipulate a thin DEX price oracle and drains a DeFi lending pool in a single transaction. Funds are bridged to a privacy chain; a portion is later returned via 'white-hat' negotiation. The analytic question is whether the actor is an opportunistic exploiter or part of an organized group — answered by tooling-reuse analysis against three previous exploits, behavioral fingerprinting of the negotiation language, and timing analysis of the pre-exploit setup transactions, which match the operating hours of a previously profiled actor cluster.

    Case F — Multi-Jurisdiction Investment Scam Ring

    Operators in three jurisdictions, victims in twelve, infrastructure in two more. The MICA-grade output is a structured intelligence report any regulator or law-enforcement liaison can act on without re-doing the work: a victim cohort with loss totals and timelines, an infrastructure model with hosting and domain attribution, an on-chain model with consolidation addresses and off-ramp deposit addresses, a personnel model with named operators ranked by attribution confidence, and a recommendations section that maps each operator to the jurisdiction where action is most plausible.

  7. Counterintelligence, OPSEC & Tradecraft Hygiene

    The analyst is also a target. This chapter covers operational security for the investigator, counter-surveillance against the subjects of investigation, and the tradecraft hygiene that keeps cases — and the analysts working them — defensible and safe.

    Analyst OPSEC

    The MICA analyst operates from non-attributable infrastructure where the subject of investigation might detect collection: dedicated browser profiles, isolated virtual machines, residential or commercial proxies sized to the case, disposable accounts created on different days from different IPs, and strict separation between research, personal and corporate identities. Reusing personal devices, personal accounts or corporate IP for clandestine collection has ended careers and burned cases. The rule is: assume the subject will see the collection footprint and design accordingly.

    Counter-Surveillance & Subject Awareness

    Mature adversaries monitor their own infrastructure for analyst footprints: visits to specific dark-web URLs, fetches of specific archived pages, lookups against specific wallet addresses. Counter-surveillance discipline routes collection through neutral proxies, varies timing, and avoids touching unique infrastructure twice from the same path. When a subject is known to operate counter-surveillance (tip-offs from prior cases, posted boasts, observed retaliation), collection plans are revised before any sensitive request is made.

    Sockpuppet Construction & Management

    A defensible research persona has a birth date older than the case, a coherent posting history, a plausible profile photo not findable by reverse image search, a country and timezone consistent with the claimed identity, and a slow, organic engagement footprint. Personas are aged before use; high-value personas are never burned on low-value collection. Persona inventory, ownership, and burn-status are tracked in a managed register, not in the analyst's head.

    Data Handling & Sensitive Material

    Sensitive material — victim PII, breach data, intercept-style content, internal communications — is held under explicit retention rules, access-controlled, and disposed of on a schedule. Reproduction is logged. Sharing across organizational boundaries follows originator-control: the originator approves each onward distribution. The default posture is minimum collection consistent with the requirement, and minimum retention consistent with the product.
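The handling rules above (access control, logged reproduction, originator-controlled onward sharing, scheduled disposal) as a small register, written here as an added example; it is not the manual's own tooling, and every identifier, organization name and date in it is a constructed sample value:

```python
"""Added example: a register for sensitive material that enforces the handling
rules described in the text: access control, logged reproduction, originator
control on onward sharing, and disposal on a schedule.
Item identifiers, organization names and dates are constructed sample values."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Set


@dataclass
class SensitiveItem:
    item_id: str
    category: str            # e.g. "victim_pii", "breach_data", "internal_comms"
    originator: str          # the party that controls onward distribution
    received: date
    retention_days: int      # retention rule agreed for this category
    authorized: Set[str]     # identities cleared to access the item
    reproductions: List[dict] = field(default_factory=list)
    shares: List[dict] = field(default_factory=list)
    disposed: bool = False

    @property
    def dispose_after(self) -> date:
        return self.received + timedelta(days=self.retention_days)


def reproduce(item: SensitiveItem, user: str, purpose: str, when: date) -> dict:
    """Every copy is logged; identities outside the access list are refused."""
    if item.disposed:
        raise ValueError(f"{item.item_id} has already been disposed of")
    if user not in item.authorized:
        raise PermissionError(f"{user} is not cleared for {item.item_id}")
    record = {"user": user, "purpose": purpose, "when": when.isoformat()}
    item.reproductions.append(record)
    return record


def share_onward(item: SensitiveItem, recipient: str, approved_by: str, when: date) -> dict:
    """Originator control: only the originator may approve each onward distribution."""
    if item.disposed:
        raise ValueError(f"{item.item_id} has already been disposed of")
    if approved_by != item.originator:
        raise PermissionError(
            f"onward sharing of {item.item_id} needs approval from {item.originator}")
    record = {"recipient": recipient, "approved_by": approved_by, "when": when.isoformat()}
    item.shares.append(record)
    return record


def due_for_disposal(register: Dict[str, SensitiveItem], today: date) -> List[str]:
    """Item ids whose retention period has elapsed and that are still held."""
    return sorted(i.item_id for i in register.values()
                  if not i.disposed and today >= i.dispose_after)


def dispose(item: SensitiveItem, user: str, when: date) -> dict:
    """Disposal is itself a logged event; the item can no longer be copied or shared."""
    item.disposed = True
    record = {"user": user, "action": "disposed", "when": when.isoformat()}
    item.reproductions.append(record)
    return record


def build_sample_register() -> Dict[str, SensitiveItem]:
    """Constructed sample register with three categories of material."""
    items = [
        SensitiveItem("VIC-001", "victim_pii", "case-team", date(2024, 1, 10), 120,
                      {"analyst-a", "analyst-b"}),
        SensitiveItem("BRE-002", "breach_data", "partner-exchange", date(2024, 4, 1), 90,
                      {"analyst-a"}),
        SensitiveItem("COM-003", "internal_comms", "source-handler", date(2024, 3, 15), 365,
                      {"analyst-b"}),
    ]
    return {i.item_id: i for i in items}


if __name__ == "__main__":
    reg = build_sample_register()
    reproduce(reg["VIC-001"], "analyst-a", "loss-total worksheet", date(2024, 2, 1))
    print("due for disposal on 2024-06-01:", due_for_disposal(reg, date(2024, 6, 1)))
```

The retention days and access lists are where a real team's handling policy would be plugged in; the point of the register is that the refusal paths (wrong user, wrong approver, already disposed) are enforced in code rather than remembered.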

    Personal Safety & Threats to Analysts

    Investigators of organized fraud, cybercrime and state-aligned operations are routinely targeted with doxxing, swatting, legal threats and physical intimidation. The discipline is preventive: minimize the analyst's public attack surface (data-broker removals, social-media compartmentalization, address-of-record hygiene), maintain an incident playbook with named contacts and predefined actions, and treat any indicator of targeting as a formal incident rather than an inconvenience.

    Burn Notices & Compromise Recovery

    When infrastructure, persona or identity is compromised, the response is documented and rehearsed: the burned asset is isolated, dependencies are mapped, ongoing collection is moved to clean infrastructure, and a post-incident review identifies the failure mode. Pretending a compromise did not happen is the single most expensive decision an analytic team can make.

  8. 8

    Legal, Ethical & Liaison Framework

    Intelligence work that cannot be used in court, by regulators or by liaison partners is intelligence work that does not matter. This chapter covers the legal frame, the ethical floor, and the liaison craft that turns analytic products into action.

    Legal Basis for Collection

    Open-source collection is broadly lawful in most jurisdictions but is not unlimited: terms-of-service violations, computer-misuse statutes, data-protection regimes (GDPR, CCPA and equivalents), and sector-specific rules on financial data all apply. The MICA analyst is responsible for understanding the legal frame of every collection method used, documenting the lawful basis, and refusing collection that cannot be defended. 'I didn't know' is not a defence; 'I assessed it under [framework] and concluded [basis]' is.

    Evidence Admissibility

    Evidence is admissible only if it can be authenticated, its provenance traced, its chain of custody preserved, and its collection method shown to be lawful. The analyst writes for admissibility from the first artifact: hashes at collection, contemporaneous notes, repeatable collection methods, and screenshots that show the URL bar and clock. Reconstructing admissibility after the fact is sometimes possible and always painful.
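Writing for admissibility from the first artifact, as an added example rather than the manual's own procedure: each capture is hashed and given provenance at collection, the manifest as a whole gets one digest that belongs in the contemporaneous notes, and custody hand-offs are recorded in a hash-chained log so a removed or altered event is detectable. The artifact bytes, URLs, analyst names and timestamps are constructed sample values.

```python
"""Added example: a collection-time evidence manifest with a hash-chained
chain-of-custody log. Artifact bytes, URLs, names and timestamps below are
constructed sample values, not data from any real case."""
import hashlib
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def record_artifact(manifest: List[dict], name: str, data: bytes, source_url: str,
                    collector: str, method: str,
                    captured_at: Optional[datetime] = None) -> dict:
    """Hash the artifact at the moment of capture and record its provenance:
    who collected it, from where, by what method, and when (UTC)."""
    when = captured_at or datetime.now(timezone.utc)
    entry = {"name": name, "sha256": sha256_hex(data), "size_bytes": len(data),
             "source_url": source_url, "collector": collector, "method": method,
             "captured_at": when.isoformat()}
    manifest.append(entry)
    return entry


def manifest_digest(manifest: List[dict]) -> str:
    """One hash over the canonical JSON of the whole manifest; recording this
    value in the contemporaneous notes makes silent edits to the manifest visible."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return sha256_hex(canonical)


def verify_artifacts(manifest: List[dict], store: Dict[str, bytes]) -> List[str]:
    """Re-hash stored artifacts against the manifest; an empty list means every
    artifact is present and unchanged."""
    problems = []
    for entry in manifest:
        data = store.get(entry["name"])
        if data is None:
            problems.append(f"{entry['name']}: missing from store")
        elif sha256_hex(data) != entry["sha256"]:
            problems.append(f"{entry['name']}: hash mismatch")
    return problems


def append_custody_event(log: List[dict], manifest_hash: str, actor: str,
                         action: str, at: datetime) -> dict:
    """Each custody event hashes over the previous event's hash, so removing,
    reordering or editing an event breaks the chain."""
    prev_hash = log[-1]["event_hash"] if log else "0" * 64
    body = {"manifest_sha256": manifest_hash, "actor": actor, "action": action,
            "at": at.isoformat(), "prev": prev_hash}
    event = dict(body, event_hash=sha256_hex(json.dumps(body, sort_keys=True).encode()))
    log.append(event)
    return event


def verify_custody_chain(log: List[dict]) -> bool:
    """Recompute every event hash and check each link to its predecessor."""
    prev_hash = "0" * 64
    for event in log:
        body = {k: v for k, v in event.items() if k != "event_hash"}
        if body["prev"] != prev_hash:
            return False
        if sha256_hex(json.dumps(body, sort_keys=True).encode()) != event["event_hash"]:
            return False
        prev_hash = event["event_hash"]
    return True


def demo() -> dict:
    """Constructed walk-through: two captures, a custody hand-off, then a check
    after one stored artifact has been altered post-collection."""
    t0 = datetime(2024, 1, 15, 9, 30, tzinfo=timezone.utc)
    store = {  # constructed placeholder bytes standing in for real captures
        "landing_page.html": b"<html><title>Example investment platform</title></html>",
        "deposit_page.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
    }
    manifest: List[dict] = []
    record_artifact(manifest, "landing_page.html", store["landing_page.html"],
                    "https://example.invalid/", "analyst-a", "browser save, isolated VM", t0)
    record_artifact(manifest, "deposit_page.png", store["deposit_page.png"],
                    "https://example.invalid/deposit", "analyst-a", "full-page screenshot", t0)
    digest = manifest_digest(manifest)
    custody: List[dict] = []
    append_custody_event(custody, digest, "analyst-a", "collected", t0)
    append_custody_event(custody, digest, "analyst-b", "received for review", t0)
    intact = verify_artifacts(manifest, store)          # [] while nothing has changed
    store["landing_page.html"] += b"<!-- edited -->"    # simulate a post-collection change
    tampered = verify_artifacts(manifest, store)
    return {"digest": digest, "intact": intact, "tampered": tampered,
            "chain_ok": verify_custody_chain(custody), "custody": custody}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest digest and the custody log are deliberately separate: the digest pins what was collected, the log pins who held it and when, and either can be checked without the other.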

    Privacy, Proportionality & Necessity

    Collection on identified individuals is justified only by necessity and proportionality: the question being answered must require the collection, and the collection must be the least intrusive method that will answer it. Victim PII is held only as long as the case requires; bystander data is minimized or discarded. The ethical floor is higher than the legal floor; the analyst's standard is whether the collection would survive disclosure to the data subject.

    Working with Law Enforcement & Regulators

    Effective liaison is product-shaped to the consumer. Law-enforcement consumers need elements that match charging-decision frameworks (predicate offence, jurisdiction, identifiable subject, admissible evidence); regulators need elements that match supervisory frameworks (named regulated entities, dates, breach categories). The analyst learns the consumer's intake format and ships products that drop into it. Over-the-transom 'general intelligence' submissions are routinely lost.

    Working with Exchanges & Custodians

    Centralized exchanges, stablecoin issuers and regulated custodians are the most actionable intermediaries in crypto fraud cases. Effective requests are specific (named deposit address, transaction hashes, time window, legal basis, exact information sought), routed through the correct intake channel (compliance, law-enforcement liaison, legal), and accompanied by enough context for the recipient to act without re-investigating. Building durable relationships with these compliance teams is itself an analytic asset.

    Cross-Border Liaison

    Mature fraud operations are deliberately cross-border. Effective cross-border products use standardized formats (incident summary, indicators, requested action), translate legal terms-of-art rather than using local shorthand, and respect the receiving jurisdiction's process. Mutual Legal Assistance Treaty (MLAT) timelines are measured in months — analytic products that depend on MLAT action are scoped accordingly.

    Whistleblower & Source Protection

    Sources — whistleblowers, insiders, recovered operators, victims who agree to cooperate — are the analyst's responsibility. Identity-protective handling, compartmented access, agreed communication channels, and explicit understandings of what will and will not be published are mandatory. A burned source is a source you can never replace, and frequently a person you have endangered.

  9. 9

    Analyst Tradecraft Glossary & Reference

    A consolidated reference for the terms-of-art the MICA analyst is expected to use precisely. The capstone exam treats these as common vocabulary; candidates who use them loosely will be marked down.

    PIR / EEI / SIR

    Priority Intelligence Requirement: the customer's question, prioritized against other questions. Essential Element of Information: a specific fact required to answer a PIR. Specific Information Requirement: a single, collectable observation that satisfies an EEI. PIRs are written for customers; EEIs are written for analysts; SIRs are written for collectors.

    BLUF / EXSUM / Findings / Caveats

    Bottom Line Up Front: the three-to-five-sentence judgement at the top of every product. Executive Summary: a one-page expansion of the BLUF. Findings: numbered, sourced, confidence-tagged. Caveats: explicit statements of what would change the judgement, what assumptions are load-bearing, and what gaps exist.

    Confidence Vocabulary

    Low confidence: based on fragmentary or uncorroborated reporting; the judgement may be wrong. Moderate confidence: credibly sourced and plausible but not corroborated to the point of certainty. High confidence: well-supported by multiple independent streams; unlikely to change without significant new information. 'Probable' / 'likely' / 'highly likely' are used with deliberate calibration, not as synonyms.

    TTPs / IOCs / I&W

    Tactics, Techniques and Procedures: the recurring 'how' of an actor's operations. Indicators of Compromise: observable artifacts (addresses, hashes, infrastructure) tied to known activity. Indicators & Warnings: pre-defined observables that, if seen, will shift confidence about a future event.

    Attribution Vocabulary

    Attribution: a defensible judgement linking observed activity to a named actor or actor cluster. Co-location, infrastructure overlap, TTP overlap, code reuse and OPSEC-failure pattern are the durable evidence types. 'Attribution' is not 'identification' — identifying a person is a legal act, attributing activity to an actor is an analytic act.

    Tradecraft Discipline Summary

    Source everything. Corroborate across independent streams. Score confidence explicitly. Caveat honestly. Preserve evidence at collection. Respect the legal and ethical frame. Write for the hostile reader. Brief for the decision-maker. The MICA standard is not 'I know'; it is 'I can show, defend and revise.'


150 questions · 80/150 to pass · ≥105 Merit · ≥130 Master. Your diploma is auto-issued to your account name.


GACS.app — Academic & Intelligence Standards Division