Double Brokering Incident Database: Schema and How to Contribute Reports

Stop losing loads and trust: a community database for double brokering incidents

Freight and logistics teams, security researchers, and IT admins face the same urgent problem in 2026: sophisticated double brokering campaigns are scaling faster than individual firms can detect and respond. You lose money, time, and reputation when a load is accepted from a broker who wasn’t authorized to re-broker it — and current, centralized intelligence is sparse. This article launches a practical, community-driven concept: a shared incident database that captures double brokering cases, standardized indicators of compromise (IOCs), and measurable recovery outcomes so researchers and practitioners can detect, prevent, and remediate at scale.

Executive summary (most important first)

The proposed database is a crowdsourced repository that stores structured incident records of double brokering and related freight fraud. Each record follows a clear schema for identity artifacts, transactional metadata, IOCs, evidence attachments, taxonomy tags, and outcome metrics. It is designed for interoperability with STIX/TAXII, MISP, and W3C Verifiable Credentials, supports privacy-preserving contributions, and uses a layered validation model (automated triage + community vetting + expert sign-off). The aim is rapid indicator sharing, reproducible research, and measurable recovery tracking.

Why build this now — 2026 context and recent trends

Late 2025 and early 2026 saw several notable shifts that make a community incident database timely and necessary:

• Increased automation and market platforms lowered barriers to entry, enabling fraudsters to spin up bonded authority, synthesize identities, and re-broker in hours.
• Adoption of remote onboarding and digital documents (eBOLs, digital proof-of-delivery) expanded the attacker surface — but also created new artifact types suitable for shared analytics.
• Cross-industry standards matured: STIX/TAXII is now commonly used beyond infosec; W3C Verifiable Credentials and Decentralized Identifiers (DIDs) are piloted by carriers for identity attestations.
• Regulatory pressure increased for transparency in freight payments and claims, but enforcement and centralized registries remain patchy.

Those trends create both a set of new indicators we can share and a timely opportunity to coordinate the response.

"A fraudster with an internet connection, a burner phone, and a bond premium can access billions in freight. Detection is a collective problem — so should be the solution."

Who benefits and why

The database serves three primary audiences:

• Operators and carriers — faster detection of reused contact details, account numbers, and fraudulent documentation.
• Researchers and analysts — access to standardized, machine-readable incidents for trend analysis and model training.
• Investigators and law enforcement — consolidated evidence trails to prioritize cases and identify repeat offenders across regions.

Core design principles

• Structured, minimal viable schema — start small; require only essential fields to encourage submissions.
• Interoperability — map to STIX/TAXII and MISP objects; export JSON Schema for programmatic ingestion.
• Privacy-first — PII redaction guidance, consent capture, and access tiers for sensitive evidence.
• Verifiability — contributor reputation, digital signatures (W3C VC), and optional evidence hashes.
• Actionability — each incident should yield tangible defensive actions (blocklists, watchlists, contractual flags).

Proposed database schema (fields and rationale)

The schema below balances usability and depth. Fields are grouped into identity/transaction, indicators, evidence, taxonomy, and outcomes. Required fields are labeled; optional fields expand context.

1) Record header (required)

• incident_id (UUID) — unique, immutable identifier.
• reported_at (ISO8601 timestamp) — when the report was created.
• reporter_type (enum) — carrier, broker, 3PL, investigator, researcher.
• visibility (enum) — public, vetted_researchers, law_enforcement_only.

2) Identity & transactional metadata (required where applicable)

• claimed_broker_name, broker_mc_dot_number, scac_code, EIN — normalize multiple identifiers for correlation.
• originator_carrier_name, originator_dot, contact_info (email, phone) — who accepted the job.
• shipment_reference (BOL number, PO, PRO number), pickup_date, pickup_location, delivery_location.
• payment_terms, invoice_amount, invoice_date, bank_account_last4 (mask full account numbers).

3) Indicators of compromise (IOCs) (required: at least one IOC)

Standardize IOC types so automated systems can consume them:

• contact_email (domain, full email), phone_number (E.164), website_domain.
• bank_routing_last3, account_last4 (masked), payment_processor_id.
• document_hashes (SHA256) for invoices, bills of lading, proof-of-delivery PDFs.
• trailer_id, plate_number, VIN snippets, GPS track IDs, ELD log references.
• account_names on freight marketplaces, screenshots hosted at a content-hash address.

4) Evidence attachments (optional but recommended)

• attachment metadata: filename, mime_type, hash, uploader_id, redaction_flags.
• structured fields for common file types (invoice_fields, signatures, dates, addresses) to enable extraction.

5) Taxonomy & incident classification (required)

• incident_type (enum): double_brokering, chameleon_carrier, identity_spoofing, cargo_theft, payment_fraud.
• confidence_score (0-100) — reporter-estimated confidence; system-calculated score from validation heuristics.
• tags — freeform for rapid indexing (e.g., "bonded-fraud", "fake-bill-of-lading").

6) Recovery & outcome metrics (required where applicable)

• recovery_status (enum): not_recovered, partially_recovered, fully_recovered, in_dispute.
• recovery_amount (currency), recovery_method (insurance, reclamation, legal, direct_payment).
• legal_action_taken (boolean) and case_reference (redacted), law_enforcement_involved (agency, contact).
• time_to_detection_days, time_to_recovery_days — operational metrics for benchmarking.

7) Attribution & linking (optional)

• linked_incidents (list of incident_ids) — dedupe and cluster related cases.
• attributed_actor (freeform) — e.g., pseudonyms, known fraud group labels, with confidence.

Taxonomy and indicator normalization

Consistent taxonomy is essential for machine analysis. Adopt a minimal controlled vocabulary, then allow tag extension. Suggested taxonomy axes:

• Identity artifacts: email domain, phone carrier, MC/DOT anomalies.
• Document artifacts: templated invoice signatures, fonts, watermark absence.
• Transactional artifacts: payment routing patterns, repeated last4 digits, unusual disbursement timing.
• Logistics artifacts: repeated trailer numbers across different carriers, duplicated BOL numbers.

Evidence handling and privacy safeguards

To encourage participation while reducing legal risk, the platform must include:

• Redaction tools — built-in utilities to mask PII before submission (full account numbers, SSNs).
• Hashing — store cryptographic hashes of original documents so third parties can verify later without hosting raw PII.
• Consent capture — if a carrier uploads evidence about a customer, the system requires attestation of internal authorization.
• Retention policies — automated purging of sensitive attachments per jurisdictional rules (GDPR, CCPA/CPRA, Colorado Privacy Act).

Contribution workflow — step-by-step

1. Quick submit — required minimal fields (incident_id auto, reported_at, reporter_type, at least one IOC, incident_type, brief description).
2. Automated triage — system checks IOCs against existing entries, computes similarity, flags duplicates, scores confidence using heuristics (shared domains, repeated last4s, matching document hashes).
3. Community vetting — designated reviewers (trusted carriers, security researchers) validate, comment, and request additional evidence.
4. Expert sign-off — an optional panel (industry/legal experts) gives authoritative classification for research-grade records.
5. Publishing & sharing — records move to public or restricted access tiers based on visibility and evidence sensitivity.

Validation, reputation and combating false reports

False positives and malicious submissions are a real risk. Design mitigations include:

• Reputation system — weight contributions by reporter credibility (company verification, historical accuracy).
• Evidence-weight scoring — assign more weight when document hashes, signed VCs, or transaction records are provided.
• Rate limiting & CAPTCHAs — reduce automated spam submissions.
• Transparent correction workflow — allow appeals, corrections, and version history for every incident.

Interoperability: formats, APIs and intelligence sharing

For researchers and tool builders, standard formats matter. The database should provide:

• JSON Schema for the incident record (versioned).
• STIX/TAXII transformation for IOCs and high-confidence incidents to share with infosec tooling.
• MISP export/import capabilities to interoperate with existing threat-sharing communities.
• REST API & webhook subscriptions for live alerts (filtered by IOC, geography, or tag).

Example API endpoints (descriptive):

• GET /api/v1/incidents?query=double_brokering&from=2026-01-01
• POST /api/v1/incidents (authenticated) — submit new record
• GET /api/v1/iocs/{ioc_type}/{value} — lookup IOC history and linked incidents
• POST /api/v1/webhooks — register for real-time feeds

Analytics and research outputs

Researchers need aggregated artifacts, not raw PII. Publish:

• Periodic trend reports: topology of fraud networks, time-to-detection distributions.
• Open datasets (anonymized) for model training: CSV/Parquet with normalized taxonomy fields and hashed evidence IDs.
• Dashboards for practitioners: watchlists, top-IOCs, regional heatmaps, and recovery benchmarking.

Governance, legal, and partnerships

Successful shared intelligence requires governance:

• Advisory board of carriers, security researchers, privacy lawyers, and law enforcement liaisons to set policy and review access requests.
• Data-sharing agreements for vetted participants to limit liability and clarify usage rights.
• Third-party audits — annual security and privacy audits to maintain trust.
• Partnerships with freight marketplaces, bonding agencies, and payment processors to automate IOC ingestion and remediation actions.

Operationalizing defense actions

Each high-confidence incident should feed concrete controls:

• Automatic watchlist updates in TMS/ERP to block booking by flagged emails, MC/DOT numbers, or bank account last4s.
• Marketplace vendor blacklists and fraud alerts sent via webhooks to integrated partners.
• Pre-built playbooks: stop-payment steps, evidence preservation checklist, and notification templates for customers and insurers.

Example case study (hypothetical, illustrative)

December 2025: Carrier A accepts a load from Broker X with matching MC/DOT details. After pickup, Carrier A contacts Broker X for payment and discovers Broker X’s payment email domain is different from the authoritative broker’s domain. Carrier A submits to the database: invoice PDF (hashed), contact email, bank account last4, BOL number, and a short narrative. The system finds two prior incidents sharing the same bank_last4 and a proof-of-delivery hash; community vetting elevates the record to high confidence. Outcome: Carrier A, using platform playbooks, initiated a stop-payment and law enforcement seized payments — partial recovery reported. The aggregated incident linked three carriers and revealed a reused invoice template pattern, enabling a marketplace to block the fraudulent account.

Advanced strategies and future-proofing (2026+)

• Adopt W3C Verifiable Credentials for carrier attestations — reduce identity spoofing by requiring cryptographic proofs for key attributes (bond status, insurance).
• Use federated MISP nodes or TAXII hubs so regional authorities can host restricted copies while sharing sanitized indicators globally.
• Train ML models on anonymized incident features to surface likely double brokering attempts in real time.
• Experiment with decentralized registries (DIDs) for provable persistence of carrier identities across re-registration attempts.

Actionable takeaways for security teams and researchers

• Instrument systems today to capture minimal but standardized metadata at acceptance time: BOL, broker email domain, payment last4, and document hashes.
• Start sharing: even a small number of high-quality reports drives better detection for everyone — contribute at least one historical incident to seed the registry.
• Integrate exported IOCs into TMS/ERP controls to block suspicious bookings automatically.
• Adopt redaction and hashing for sensitive evidence before sharing; preserve original evidentiary chains offline with hashes included in reports.
• Engage with auditing and legal counsel early to craft safe data-sharing agreements tailored to your jurisdiction.

Next steps & how to contribute

If you’re ready to help build the pilot:

1. Download the JSON Schema (link placeholder) and map 2 weeks of your historical incidents to the schema.
2. Join the pilot Slack or Matrix channel for onboarding and Q&A with schema authors and researchers.
3. Submit your first sanitized incident via the web UI or API and opt-into community vetting.
4. Volunteer as a reviewer if you represent a carrier or verified research lab — reviewers receive early access to analytics.

Final note — why shared intel matters

Double brokering is not an isolated operational failure — it is a systems problem that scales with anonymity, weak attestations, and fragmented enforcement. A community-driven incident database turns isolated losses into collective defense. By standardizing taxonomy, normalizing IOCs, and recording recovery outcomes, the industry gains the empirical foundation needed to prioritize fixes, pressure marketplaces, and improve enforcement.

Call to action

Help build the evidence base. Contribute a sanitized incident, review reports, or sponsor analytic capacity. Join the pilot today and get the schema, API spec, and onboarding materials — together we can make double brokering a detectable, trackable, and remediable risk instead of an existential surprise.

Related Reading

• Review: Portable Recovery Tools for Coaches on the Road (2026) — Field‑Tested Picks for PE Programs
• CES 2026 Picks Worth Buying for Your Home: 7 Devices That Actually Improve Daily Life
• Total Budgets vs Daily Budgets: A Tool Comparison for Budgeting Your Search Ads
• New Vendor Spotlight: FedRAMP AI Platforms and What They Mean for Government Office Procurement
• Are 'Mega Lift' Mascaras Safe for Sensitive Eyes? A Dermatologist and Optician Weigh In