There has always been an uncomfortable truth at the core of serious cyber threat intelligence work: To understand threat actors, you often have to get close to them. Sometimes very close.

That has meant infiltrating forums, embedding in chat groups, purchasing access to data, paying for exploits, or otherwise engaging in conduct that—viewed in isolation—looks indistinguishable from participation. For decades, this activity has been tolerated, implicitly and explicitly, as part of legitimate security research, fraud prevention, and national security work. It is the backbone of modern OSINT and dark web intelligence.

The recent federal indictment of the Southern Poverty Law Center for conducting undercover operations to root out racism and extremism changes that calculus. And it does so in a way that should give every corporate security team, intelligence vendor, and researcher pause.

According to the charging document, the government alleges that the SPLC – an organization that has long collected information on neo-Nazi, white supremacist and other extremist organizations and has provided that information to law enforcement entities- engaged in a long-running scheme in which it paid informants embedded within extremist organizations, including leadership-level participants, while simultaneously soliciting donations under the premise of opposing those same groups. The indictment charges that these paid informants, under the guise of undermining or collecting intelligence on these organizations, were supporting the organization by making statements in support of their goals (to preserve their value as informants). It would be like charging Billy Costigan (Leonardo DiCaprio’s character in The Departed) with providing material support to the Frank Costello organization by pretending to be aligned with their goals.

But the more consequential allegations—at least for the cybersecurity community—relate to how those payments were made and concealed.

The indictment notes that the SPLC used fictitious entities and bank accounts—including accounts opened under names such as “Center Investigative Agency,” “North West Technologies,” and “Tech Writers Group”—to pay their informants without a check being issued from the SPLC directly – in order to obscure the source and purpose of funds. The government further alleges that false statements were made to financial institutions in connection with those accounts, and that transactions were structured to conceal the true nature, ownership, and control of the funds. Layered on top of that are allegations of wire fraud, false statements to federally insured banks, and conspiracy to commit money laundering.

The legal theory is not subtle. Concealment—even in the service of an investigation—can itself be a crime.

That theory lands directly on the fault line of modern OSINT and dark web research. Because the practices described in the indictment are not foreign to the field of cybersecurity and threat actor investigation. They are, in many cases, standard.

Researchers routinely adopt pseudonymous identities to gain access to closed communities. They create infrastructure—email accounts, cryptocurrency wallets, payment mechanisms—that cannot be traced back to their employer or client. They engage in transactions that are designed, by necessity, to conceal their true purpose.

And sometimes they pay. They pay for access. They pay for data. They pay for credibility. In some cases, they pay for exploits or stolen information—not to use them, but to understand them, to attribute them, to mitigate them, or to warn potential victims. These activities have generally been understood as part of a legitimate investigative function, particularly when conducted by reputable firms with defined policies and oversight.

The indictment suggests that this understanding may no longer be sufficient. The government’s position, as reflected in the charging language, is that the use of fictitious financial infrastructure to mask investigative activity can constitute fraud—particularly where it involves representations to financial institutions that are not literally true.

Similarly, the use of organizational funds to support individuals engaged in criminal activity—even for the purpose of gathering intelligence—may be framed as providing material support or facilitating unlawful conduct, depending on the facts. Even more striking is the implication that donor or corporate funds used for such purposes may give rise to independent fraud theories if the use of those funds is not fully disclosed.

In other words, the legal risk is not limited to the interaction with threat actors. It extends to the entire financial and operational architecture of the investigation.

To be clear, the cybersecurity industry is not operating in a vacuum. There is longstanding guidance from the U.S. Department of Justice addressing precisely these issues. The DOJ’s Legal Considerations when Gathering Online Cyber Threat Intelligence and Purchasing Data from Illicit Sources (Feb. 2020) acknowledges that purchasing access to data or engaging with illicit marketplaces may, under certain circumstances, be lawful—particularly when done for defensive or investigative purposes.

But that guidance is just that: Guidance. It does not immunize conduct. It does not override statutory prohibitions. And it does not bind prosecutors. Indeed, as with other guidance from DOJ, it explicitly says that it confers no rights upon individuals or entities. Although it is generally felt that there must be some intention to violate the law, the SPLC indictment asserts that the crime is not disclosing the fact that an anti-hate group is paying for the operation. So a DFIR firm paying for an investigation must disclose to the threat actor that they are a DFIR firm or face criminal charges? Situation hazy.

The indictment demonstrates that, at least in some contexts, the government is prepared to pursue aggressive theories of liability where investigative techniques cross into areas that resemble deception, concealment, or financial misrepresentation. The problem is, fraud generally consists of false statements, misrepresentation, concealment and deceit. Undercover operations are the same – but in service of a different goal.

This creates a profound challenge for organizations engaged in OSINT and dark web research. For years, best practice has centered on the development of rules of engagement—internal policies that define what researchers can and cannot do. These typically address:

Whether and under what circumstances payments can be made;
What types of data can be purchased;
How researchers may represent themselves in undercover interactions;
What approvals are required for high-risk engagements;
How funds are tracked, documented, and audited.

Those controls remain essential. But the indictment suggests they may not be sufficient. Because the legal risk does not arise solely from unauthorized conduct. It can arise from authorized conduct that is later characterized as fraudulent, deceptive, or supportive of criminal activity.

The difference between legitimate investigation and criminal facilitation may be determined not by internal policy, but by prosecutorial interpretation. The implications for the industry are immediate.

First, organizations must re-evaluate their financial practices. The use of fictitious entities, nominee accounts, or misleading representations to financial institutions—common in undercover work—now carries heightened risk. Transparency with banks and payment providers, while operationally challenging, may become legally necessary.

Second, the scope of permissible engagement with threat actors must be reassessed. Payments, even for intelligence purposes, may be scrutinized as support or participation, particularly where they confer tangible benefit on the target.

Third, disclosure obligations—whether to donors, clients, or stakeholders—take on new significance. The use of funds for undercover or potentially controversial activities must be carefully considered in light of representations made about their purpose.

Fourth, legal oversight must be embedded, not episodic. Real-time consultation with counsel, particularly in high-risk operations, is no longer optional.

There is a broader policy question underlying all of this. Modern cybersecurity depends on intelligence. Intelligence depends on access. And access often depends on deception. If the legal system constrains the ability of legitimate actors to engage in undercover research, while leaving malicious actors unconstrained, the balance shifts—once again—toward offense.

That is not a theoretical concern. It is a structural one. The indictment does not resolve that tension. It sharpens it. The takeaway is not that OSINT or dark web research is now unlawful. It is that the margin for error has narrowed. And hey. Let’s be careful out there.

Significantly.

The practices that once existed in a gray area—tolerated, if not formally sanctioned—are now subject to a level of scrutiny that can translate into criminal exposure. And the existence of internal policies, however robust, may not provide the protection organizations assume.

Infiltration, payment, and concealment have always been part of the tradecraft.

Now they are also potential elements of an indictment.

And that changes the equation.