← All posts April 30, 2026

Shell entity patterns — the five statistical tells

shell kyb fraud red-flags

“Shell” defined

A “shell entity” in the credit-underwriting context is a legal entity that exists on paper without an operating business behind it. The entity may be entirely fraudulent (formed specifically to commit a credit fraud) or it may be a benign holding structure (formed to hold an asset, isolate liability, or facilitate a transaction). Both look similar on the public record.

For a processor, the distinction matters: a holding-structure shell is fine to extend credit to if the credit is secured by the underlying asset and the actual operator backs the deal. A fraud shell is, by definition, not creditworthy.

The five tells below are how shell entities present in public-records data. None is dispositive alone. Three or more present together is high-conviction “this is a shell” — at which point the underwriting question shifts to “is it a legitimate one.”

Tell 1: Recent formation date with no operating history elsewhere

The entity was formed in the last 6-24 months. The SOS record is current and clean. But there is no presence in any other public-records data source:

  • No USDOT for trucking deals.
  • No state contractor license for construction deals.
  • No NPI for healthcare deals.
  • No SBA loan history.
  • No federal contracting history.
  • No DBAs registered anywhere.
  • No UCC filings against it as debtor (no equipment financing, no lines of credit).

A real operating business 12-24 months in usually has accumulated some footprint. A clean SOS record with no other-system presence at this age is suggestive.

Tell 2: Principal address matches the registered agent address

This is the strongest single tell. A real operating business has an address where the operation happens. That address is on the SOS record as the “principal place of business” or “principal office address.”

A shell entity often lists the registered agent’s address as both the registered office and the principal office — because there is no other address. The agent has a real Wyoming/Nevada/Delaware office; the entity has no operating address; so the agent’s address is what gets filed in both fields.

When you see the principal and the agent address match on the SOS record, and the address is a known registered-agent service address (especially in Wyoming, Nevada, Delaware), you’re looking at an entity with no separate operating footprint. The next question is whether that’s intentional (holding company) or a problem (shell).

Tell 3: Address overlap with other unrelated entities

Run the principal address against other SOS records nationally. If the same address returns 5, 20, 100 unrelated entities, you have an “office” that is actually a registered-agent service, a coworking space, or a mail-drop. The entity-density on the address is the signal:

  • 2-3 entities: probably a real small business with a few related affiliates. Normal.
  • 5-15 entities: possibly a small holding-company family, possibly a low-volume registered agent. Worth checking.
  • 20-100 entities: likely a registered-agent service or shared coworking address. Not informative either way about the specific entity.
  • 100-1,000+ entities: definitely a registered-agent service or mail-drop. The address tells you nothing about the operator.

The address-overlap check is most useful at the 5-50 range, where it can identify clusters of related entities sharing a common operator. That cluster — multiple entities at one address with overlapping principals — is the most common operator-portfolio signal in shell-cluster fraud cases.

Tell 4: Principal name appears as officer on many unrelated entities

The flip side of address overlap. Run the named principal against SOS records nationally. If they appear as officer/manager/director on 30, 50, 100 unrelated entities, you’re looking at one of three things:

  • A serial entrepreneur with a real portfolio. Common in real estate (each property is an LLC) or in private equity (each investment is an LLC). Normal.
  • A registered agent or nominee officer. Common in Wyoming/Nevada. Tells you the actual principal is hidden behind the nominee.
  • A serial shell operator. Rare but real. An individual who creates dozens or hundreds of entities for opaque purposes.

The way to distinguish: look at the entities themselves. A real entrepreneur’s portfolio shows entities with operating activity (USDOTs, contractor licenses, real principal addresses). A nominee’s portfolio shows entities with no operating footprint, all at the same agent address. A serial shell operator’s portfolio shows entities formed in bursts, with shared addresses and short lifespans.

Tell 5: Officer-list quality

The officer list itself contains signals about whether the entity is real:

Single “Authorized Member” with no other officers. Permissible in many states. Common pattern for small LLCs and for shells. Not informative by itself.

Officer names that don’t match the credit applicant’s stated principals. If the credit application says the borrower is “John Smith and Jane Doe,” but the SOS record lists “Michael Johnson, Manager,” that discrepancy needs explanation. Maybe Michael is the formation attorney; maybe Michael is the nominee; maybe John and Jane never owned the LLC.

Officer names that match known nominee patterns. Some Wyoming/Nevada nominee services use the same individual on hundreds of unrelated filings. Recognizable nominee names recur.

A single officer whose address matches the registered agent’s address. The officer is presumably a nominee employed by the agent service.

Putting it together

A typical fraud shell will hit 4 or 5 of these tells:

  • Formed within the last 12 months (Tell 1)
  • Principal address = registered agent address (Tell 2)
  • Address is a known commercial registered-agent service in Wyoming or Nevada (Tell 3)
  • Single named “Authorized Member” who is the nominee (Tell 5)
  • The named individual appears on hundreds of other Wyoming/Nevada LLCs (Tell 4)

That stack is unmistakable. The underwriter’s question shifts from “should we run more diligence” to “do we have a legitimate operator backing this entity, or do we walk.”

A typical legitimate holding-company structure will hit 1-2 of the tells:

  • Recent formation (Tell 1) — but principals visible in other operating entities.
  • Address overlap (Tell 3) — but only with related entities in the same family.

That’s a normal structure, just one that doesn’t have its own independent operating footprint yet.

What this means for you

Shell detection is pattern recognition across multiple data sources, not a single check on the SOS record. The SOS gives you the entity itself; cross-referencing against other entities, other states, and the operating-data sources (USDOT, contractor license, NPI) builds the pattern.

A VerifySOS lookup runs the address overlap and officer-name overlap checks automatically and surfaces the count of related entities found. Counts above thresholds get flagged in the packet. Developers get the related-entity counts and the threshold flag on /api/v1/lookup.

Report a bug — straight to our team

See something broken or weird? Tell us. Your report submits directly to our team — no email client needed. Each report gets a unique ticket ID so we can track and respond.

v0.8-beta · 66ceacf