Using CLOAK and DAGGER to analyze and understand illicit networks

In this guest blog, Prof. Aili Malm explains a new approach to thinking about social network analysis of illicit networks. Follow Dr Malm on twitter @ailimalm

Prof. Aili Malm, California State University, Long Beach

Working with police personnel has always generated the most interesting research.

About 10 years ago, I got a call from Dr. Allan Castle, then head of intelligence analysis for the Pacific Region of the Royal Canadian Mounted Police (RCMP). Allan and his analysts wanted a coding strategy to understand the thousands of pages of intelligence files and detailed group narratives they had built for over 100 illicit groups. The strategy had to cover all the relationships so often present in intelligence files – family, friend, criminal, business, group membership, and so forth. But we also had to be pragmatic. Time and energy was limited, and it also needed to balance the complexity of relationships that fuel illicit activity, but simple enough to inform and influence police decision-making. The analysts coded more than 120 groups across five different types of relationships, delivering a wealth of data for SNA training sessions as well as some publications (see list at bottom of page).

Since that first foray into SNA to research illicit markets and criminal groups, I’ve been lucky enough to work with many police departments and help apply SNA to their intelligence data. And I keep coming back to the same coding strategy. It provides the necessary level of detail to capture how different types of relationships overlap, and makes use of data already collected during the course of police investigations. It is also not so overly complicated that it bewilders the decision-making environment vital to good intelligence-led policing. Like any good ‘structured analytical technique’, it can, as legendary CIA analyst Richards J. Heuer, Jr has said, “guide the dialogue between analysts with common interests as they share evidence, share alternative perspectives, and discuss the meaning and significance of the evidence” (Heuer, 2009).

The strategy outlined here is based on both the empirical research as well as the grounded expertise of professional intelligence staff. The analysts brought professional experience, which “is accumulated over time through reflection on the outcomes of similar actions taken in similar situations” (Barends et al., 2014). Pooling the collected experience of many analysts with the literature on SNA has created the CLOAK strategy.

The CLOAK analytical approach

CLOAK is a structured analytical approach that involves building, for a defined set of individuals, networks based on five different types of positive relationships between actors in an illicit network/market. These networks can be layered on top of one another to assess multiplex relationships. Multiplexity is simply SNA jargon for differentiating between different types of relationships and seeing how people can be connected in a number of ways.

Co-offendingCo-offending networks are defined as individuals who commit crimes with one another. It is often found in co-arrest data, and more generally through intelligence collection.

Legitimate: Many offenders are also involved in legit business dealings, such as co-owning real estate. You may need to adjust how you define legitimate by the amount of gray activity in your target illicit market.

Organization: These are defined as formal group ties in organizations such as outlaw motorcycle gangs or MS-13. Participants tend to have specific roles. These will usually be reciprocal ties, since all individuals will be connected to one another through group membership. These will mostly (but not always) be criminal ties.

Acquaintance: These networks are built by connecting acquaintances and friends. For example, neighborhood gangs (especially on the US east coast) often lack the formality of organizations, and instead are based on loose affiliations from school or block ties.

Kinship: Kinship networks are formed by actors tied through biological or family-based relationships. These networks also include romantic relationship ties outside of marriage.

Using a CLOAK structured approach to analysis requires knowing more than the traditional binary connection between individuals. You need content and context. After all, it’s difficult to differentiate between the five different types of relationships if you do not have the content of phone calls/texts between people. But with this information, you gain much more insight and understanding of different networks. And that is where DAGGER come in.

The DAGGER application

If every network was the same, there would be little point in analyzing the different components of relationships. But diverse illicit markets stress different connections. Like so many structured analytical techniques (think PESTEL, or ACH) CLOAK doesn’t necessarily cover every possible eventuality, but it covers most of what you will need. The same with the various markets covered by DAGGER. The table here shows a first estimate of which ties are most important to various illicit markets; Drugs, Art/antiquities, Guns (small arms), Gangs, Exploitation (and trafficking), and Religious extremism. For example, in drug networks co-offender ties are often weak and transitory, whereas organizational and kinship ties are strong bonds important to the success and strength of the criminal network. The table is intended to guide both data collection and analysis. Researchers and analysts should (1) prioritize data collection for the important ties, and (2) consider a link weighting strategy where important ties are emphasized.

The table is a first estimate based on my interpretation of the existing research, and the row at the bottom provides an estimate of the relative confidence we should draw from the literature. Drug networks are relatively well understood but illicit gun and art network still need much more research. It is highly likely this table will change as research increases in this area (so watch this space!).

The potential value of focused deterrence as an effective crime prevention technique has highlighted the importance of SNA as integral to crime reduction in complicated environments. Many analysts are now aware of SNA, though it is often applied in a binary fashion that provides little more than rudimentary insight. To reach that goal, accessible and structured approaches such as CLOAK and DAGGER might help spread not just SNA but a way to apply it to a broader audience of analysts and researchers.


Barends, E., Rousseau, D. M. & Briner, R. B. (2014). Evidence-Based Management: The Basic Principles. Amsterdam: Center for Evidence-Based Management.

Bright, D. A., Greenhill, C., Ritter, A., & Morselli, C. (2015). Networks within networks: using multiple link types to examine network structure and identify key actors in a drug trafficking operation. Global Crime16(3), 219-237.

Diviák, T., Dijkstra, J. K., & Snijders, T. A. (2017). Structure, multiplexity, and centrality in a corruption network: the Czech Rath affair. Trends in Organized Crime, 1-24.

Heuer, R. J. (2009). The evolution of structured analytic techniques. 9 pages. Washington, DC. Presentation to the National Academy of Science, National Research Council Committee on Behavioral and Social Science Research to Improve Intelligence Analysis for National Security.

Malm, A., Bichler, G., & Van De Walle, S. (2010). Comparing the ties that bind criminal networks: Is blood thicker than water? Security Journal23(1), 52-74.

Malm, A., & Bichler, G. (2011). Networks of collaborating criminals: Assessing the structural vulnerability of drug markets. Journal of Research in Crime and Delinquency48(2), 271-297.

Malm, A., & Bichler, G. (2013). Using friends for money: the positional importance of money-launderers in organized crime. Trends in Organized Crime16(4), 365-381.

Smith, C. M., & Papachristos, A. V. (2016). Trust thy crooked neighbor: multiplexity in Chicago organized crime networks. American Sociological Review81(4), 644-667.