<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0" xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd" xmlns:googleplay="http://www.google.com/schemas/play-podcasts/1.0"><channel><title><![CDATA[Threats Without Borders]]></title><description><![CDATA[
Explore the Nexus of Cyber-Financial Crime Investigation, Cybersecurity, and Tactical Cyber Threat Intelligence — All Delivered in One Dynamic Newsletter!
]]></description><link>https://www.threatswithoutborders.com</link><image><url>https://substackcdn.com/image/fetch/$s_!lkkz!,w_256,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F07f3f957-f680-4ee2-b274-e8ca2ac66a24_600x600.png</url><title>Threats Without Borders</title><link>https://www.threatswithoutborders.com</link></image><generator>Substack</generator><lastBuildDate>Sat, 02 May 2026 07:14:56 GMT</lastBuildDate><atom:link href="https://www.threatswithoutborders.com/feed" rel="self" type="application/rss+xml"/><copyright><![CDATA[Matt Dotts]]></copyright><language><![CDATA[en]]></language><webMaster><![CDATA[cyficrime@substack.com]]></webMaster><itunes:owner><itunes:email><![CDATA[cyficrime@substack.com]]></itunes:email><itunes:name><![CDATA[Matt Dotts]]></itunes:name></itunes:owner><itunes:author><![CDATA[Matt Dotts]]></itunes:author><googleplay:owner><![CDATA[cyficrime@substack.com]]></googleplay:owner><googleplay:email><![CDATA[cyficrime@substack.com]]></googleplay:email><googleplay:author><![CDATA[Matt Dotts]]></googleplay:author><itunes:block><![CDATA[Yes]]></itunes:block><item><title><![CDATA[Threats Without Borders - Issue 284]]></title><description><![CDATA[Cyber-Financial Crime Investigation Newsletter, week ending April 26, 2026]]></description><link>https://www.threatswithoutborders.com/p/threats-without-borders-issue-284</link><guid isPermaLink="false">https://www.threatswithoutborders.com/p/threats-without-borders-issue-284</guid><dc:creator><![CDATA[Matt Dotts]]></dc:creator><pubDate>Tue, 28 Apr 2026 10:30:29 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!Gviy!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F73fe6406-6532-4aed-abf9-5fc5eb77311c_1170x2532.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>I had a fun conversation this week.  
</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!Gviy!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F73fe6406-6532-4aed-abf9-5fc5eb77311c_1170x2532.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!Gviy!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F73fe6406-6532-4aed-abf9-5fc5eb77311c_1170x2532.png 424w, https://substackcdn.com/image/fetch/$s_!Gviy!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F73fe6406-6532-4aed-abf9-5fc5eb77311c_1170x2532.png 848w, https://substackcdn.com/image/fetch/$s_!Gviy!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F73fe6406-6532-4aed-abf9-5fc5eb77311c_1170x2532.png 1272w, https://substackcdn.com/image/fetch/$s_!Gviy!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F73fe6406-6532-4aed-abf9-5fc5eb77311c_1170x2532.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!Gviy!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F73fe6406-6532-4aed-abf9-5fc5eb77311c_1170x2532.png" width="1170" height="2532" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/73fe6406-6532-4aed-abf9-5fc5eb77311c_1170x2532.png&quot;,&quot;srcNoWatermark&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/cbca72dd-d9b7-432e-814e-d7e09455eabc_1170x2532.png&quot;,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:2532,&quot;width&quot;:1170,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:396868,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://www.threatswithoutborders.com/i/195475678?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcbca72dd-d9b7-432e-814e-d7e09455eabc_1170x2532.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!Gviy!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F73fe6406-6532-4aed-abf9-5fc5eb77311c_1170x2532.png 424w, https://substackcdn.com/image/fetch/$s_!Gviy!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F73fe6406-6532-4aed-abf9-5fc5eb77311c_1170x2532.png 848w, https://substackcdn.com/image/fetch/$s_!Gviy!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F73fe6406-6532-4aed-abf9-5fc5eb77311c_1170x2532.png 1272w, https://substackcdn.com/image/fetch/$s_!Gviy!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F73fe6406-6532-4aed-abf9-5fc5eb77311c_1170x2532.png 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 
pc-reset"></div></div></div></a></figure></div><p>It&#8217;s called a cash-flipping scam, and this version has been dressed up with an artificial-intelligence angle to make it sound sophisticated. It isn&#8217;t. But the people running it are smarter than you might think, and the way they&#8217;ve structured it creates some real challenges for victims and investigators.</p><p>The target gets an unsolicited text from a stranger promising easy money. The script goes something like this: send me $25, I&#8217;ll use my AI tool to flip it, and I&#8217;ll send you back $250. Simple, fast, and painless. Of course, the moment the money moves, the scammer either disappears or comes back asking for a little more before the payout arrives. There is no AI. 
There is no payout. Only fraud.</p><p>The $25 is important because the low dollar amount is not random. It&#8217;s a calculated decision. The people running these scams have figured out something that works in their favor at almost every level of the criminal justice system.</p><p>At $25, most victims are embarrassed, frustrated, and ultimately unwilling to take time out of their day to file a police report over a loss that won&#8217;t even cover their gas to get to the station. And honestly, can you blame them? </p><p>So the <strong>first filter</strong> is self-reporting; most of these never get reported at all.</p><p>The <strong>second filter</strong> is law enforcement. Even when a report is filed, no investigator opens an active investigation into a $25 fraud. The caseload doesn&#8217;t allow for it.</p><p>The <strong>third filter</strong> is the prosecutors. Even if someone handed a DA a complete, airtight case involving a $25 theft by a non-local suspect, no prosecutor would entertain charging, let alone extraditing, a defendant over such a de minimis loss. The scammers know this. They have built their entire business model around staying below the threshold that triggers a system response.</p><p>Live on the West Coast of the country and scam people on the East Coast for low dollar amounts... bulletproof.</p><p>What they&#8217;re actually doing is running this scheme at volume. A hundred victims at $25 each is $2,500. A thousand victims is $25,000. The individual loss is invisible to the system, but the aggregate is very real money.</p><p>These scams almost always use peer-to-peer payment apps like Cash App, Venmo, or Zelle, and that choice is deliberate too. P2P transfers are fast, feel casual, and are extremely difficult to reverse once completed. There&#8217;s no effective dispute process, unlike with a credit card. When the money moves, it&#8217;s gone.</p><p>But these accounts don&#8217;t exist in isolation. 
Cash App accounts must be verified with real identity details, including name, date of birth, and Social Security number. Additionally, they are connected to a real bank account. Somewhere within this chain, there&#8217;s a real person involved. It could be the scammer themselves or a money mule, but in either case, a person is associated with a financial institution that keeps records. Law enforcement with proper legal authority can serve a search warrant on Cash App and the linked bank to access this information (Yeah, I know, don&#8217;t hold your breath). The data is available; the key question is whether pursuing it is worth the effort, and that leads me to the most crucial point.</p><p>A single $25 case will go nowhere. But if you bring a prosecutor a case showing that the same Cash App tag, the same phone number, or the same script was used against 200 victims across multiple jurisdictions, resulting in $5,000 or $50,000 in total losses, that is a different conversation entirely. </p><p>Investigators need to connect with each other early and often. When you see one of these cases, get it into IC3 at ic3.gov and the FTC at reportfraud.ftc.gov immediately and make sure your victims do too. Include the Cash App tag, the phone number, the exact wording of the message, and any transaction IDs. Then reach out laterally&#8212;to investigators in neighboring jurisdictions, to fraud units in other agencies, and to your financial crime information networks. Ask whether anyone else is seeing the same tag or the same number.</p><p>The scammer is betting that each of us will look at $25 and walk away. The way we beat that bet is by refusing to work in silos. The case that can&#8217;t be built by one investigator on one complaint can absolutely be built when ten investigators across five states are looking at the same actor. Aggregate the losses, aggregate the evidence, and suddenly the math changes for everyone.  
</p><div><hr></div><h4>The News</h4><p>Tennessee joins Indiana in banning cryptocurrency ATMs.  <a href="https://www.yahoo.com/news/articles/tennessee-becomes-second-state-outlaw-204113466.html">https://www.yahoo.com/news/articles/tennessee-becomes-second-state-outlaw-204113466.html</a></p><p>Toronto Police have arrested and charged three men with 44 offenses following an investigation into the first known use of a mobile SMS blaster device in Canada. This technology mimics cellular towers to intercept phone calls and send fraudulent text messages that appear to come from trusted organizations such as banks, often directing victims to fake websites to steal personal and financial information.  The investigation, called Project Lighthouse, began last November and detected thousands of device connections and over 13 million network disruptions across the Greater Toronto Area. <br><a href="https://torontosun.com/news/local-news/toronto-cops-cybercrime-tool-sms-blaster-spam-phones">https://torontosun.com/news/local-news/toronto-cops-cybercrime-tool-sms-blaster-spam-phones</a></p><p>A man from Baltimore faces charges including wire fraud, mail fraud, aggravated identity theft, theft of government property, and making false statements. As a former Social Security Administration (SSA) customer service representative, he had access to sensitive SSA databases with personally identifiable information of benefit claimants. The indictment reveals that between February and April 2023, he planned and carried out a scheme to defraud the SSA. He fraudulently obtained Supplemental Security Income (SSI) benefits intended for others, using them for himself and his associates. He targeted claimants with mental health diagnoses, modifying their records to include bank accounts he controlled and his residential address, enabling him to divert their SSI payments. 
Additionally, he altered the benefit payment dates in SSA&#8217;s system, creating back payments in the claimants&#8217; names, and redirected these payments to his accounts.  <a href="https://www.justice.gov/usao-md/pr/former-social-security-administration-worker-charged-disability-funds-theft-scheme">https://www.justice.gov/usao-md/pr/former-social-security-administration-worker-charged-disability-funds-theft-scheme</a></p><p>Holy insider threat! A US special forces soldier was arrested for allegedly betting on the capture of Venezuelan President Nicol&#225;s Maduro, earning $400,000. Prosecutors claim he was involved in planning the mission and used insider information to place the bet.  <a href="https://www.cnn.com/2026/04/23/politics/us-special-forces-soldier-arrested-maduro-raid-trade">https://www.cnn.com/2026/04/23/politics/us-special-forces-soldier-arrested-maduro-raid-trade</a></p><p>It&#8217;s Spy vs. Spy. Apple has introduced a software update for iPhones and iPads to fix a serious bug that let law enforcement recover deleted or expiring messages by accessing cached notification content stored on the device for up to a month. The flaw, revealed when the FBI used forensic tools to retrieve deleted Signal messages, was caused by notifications that kept message content in the OS database even after the messages were deleted. Apple fixed this by making sure notifications marked for deletion are no longer stored unexpectedly. The update has also been applied to older iOS 18 versions to enhance user privacy.  <a href="https://techcrunch.com/2026/04/22/apple-fixes-bug-that-cops-used-to-extract-deleted-chat-messages-from-iphones/">https://techcrunch.com/2026/04/22/apple-fixes-bug-that-cops-used-to-extract-deleted-chat-messages-from-iphones/</a></p><p>Kudos to law enforcement in Pittsburgh, PA, for their successful effort. 
Over two days, federal, state, and local authorities collaborated in the Pittsburgh area, resulting in the seizure of nine illegal card-skimming devices. This operation potentially prevented over $9 million in fraud losses for the public. The U.S. Secret Service, in coordination with Allegheny County Police, Pittsburgh police, the state attorney general, the U.S. Postal Inspection Service, and the state inspector general, visited 272 locations on Monday and Tuesday. During these visits, they examined 883 point-of-sale terminals, 775 gas pumps, and 170 ATM terminals.  <a href="https://triblive.com/local/secret-service-led-operation-nets-9-credit-card-skimming-devices-in-pittsburgh-area/">https://triblive.com/local/secret-service-led-operation-nets-9-credit-card-skimming-devices-in-pittsburgh-area/</a></p><p>The Talos group reports that phishing has reemerged as the most commonly observed means of gaining initial access, accounting for over a third of their engagements in which initial access could be determined. Phishing has not been the top vector for initial access since Q2 2025.  <a href="https://blog.talosintelligence.com/ir-trends-q1-2026/">https://blog.talosintelligence.com/ir-trends-q1-2026/</a></p><p>ADT confirmed a data breach that resulted in the loss of customer data, including names, contact details, dates of birth, and the last four digits of Social Security numbers. ShinyHunters has claimed to possess 10 million records and threatened to leak them unless a ransom is paid.  <a href="https://therecord.media/ADT-data-breach-cyberattack">https://therecord.media/ADT-data-breach-cyberattack</a></p><div><hr></div><h4>Feedback</h4><p>Send Feedback to matt(at)threatswithoutborders.com</p><div><hr></div><h4>Investigations</h4><p>The Supreme Court will hear oral arguments in <em>Chatrie v. United States</em>, a case examining the use of &#8220;geofence warrants&#8221; by law enforcement to obtain location data from tech companies like Google. 
The case centers on Okello Chatrie, who was convicted of bank robbery after authorities used a geofence warrant to identify his cellphone location near the crime scene. Chatrie argues that the warrant violated the Fourth Amendment by conducting a search without sufficient probable cause and that he had a reasonable expectation of privacy in his location data, which the government should not be able to access without a warrant. The government contends that Chatrie had no such privacy expectation because he voluntarily shared his location data with Google, and that the warrant was not a general search but a targeted request. <br><a href="https://www.scotusblog.com/2026/04/court-to-hear-argument-on-law-enforcements-use-of-geofence-warrants/">https://www.scotusblog.com/2026/04/court-to-hear-argument-on-law-enforcements-use-of-geofence-warrants/</a></p><p>I absolutely endorse this message:</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!fQlA!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fefd8c8b3-6180-4b62-93ad-92493066eb0a_1238x562.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!fQlA!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fefd8c8b3-6180-4b62-93ad-92493066eb0a_1238x562.jpeg 424w, https://substackcdn.com/image/fetch/$s_!fQlA!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fefd8c8b3-6180-4b62-93ad-92493066eb0a_1238x562.jpeg 848w, 
https://substackcdn.com/image/fetch/$s_!fQlA!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fefd8c8b3-6180-4b62-93ad-92493066eb0a_1238x562.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!fQlA!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fefd8c8b3-6180-4b62-93ad-92493066eb0a_1238x562.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!fQlA!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fefd8c8b3-6180-4b62-93ad-92493066eb0a_1238x562.jpeg" width="1238" height="562" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/efd8c8b3-6180-4b62-93ad-92493066eb0a_1238x562.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:562,&quot;width&quot;:1238,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:147685,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/jpeg&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.threatswithoutborders.com/i/195475678?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fefd8c8b3-6180-4b62-93ad-92493066eb0a_1238x562.jpeg&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!fQlA!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fefd8c8b3-6180-4b62-93ad-92493066eb0a_1238x562.jpeg 424w, 
https://substackcdn.com/image/fetch/$s_!fQlA!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fefd8c8b3-6180-4b62-93ad-92493066eb0a_1238x562.jpeg 848w, https://substackcdn.com/image/fetch/$s_!fQlA!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fefd8c8b3-6180-4b62-93ad-92493066eb0a_1238x562.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!fQlA!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fefd8c8b3-6180-4b62-93ad-92493066eb0a_1238x562.jpeg 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" 
y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><div><hr></div><h4>Cool Jobs</h4><p>Manager of Security Awareness and Learning, Vanguard.  <a href="https://vanguard.wd5.myworkdayjobs.com/en-US/vanguard_external/job/Malvern-PA/Manager--Security-Awareness-and-Learning_177094">https://vanguard.wd5.myworkdayjobs.com/en-US/vanguard_external/job/Malvern-PA/Manager--Security-Awareness-and-Learning_177094</a></p><p>Lead Investigator, National Basketball League.  <a href="https://careers.nba.com/job/NBANBAUSJR000581EXTERNALENUS/Lead-Investigator">https://careers.nba.com/job/NBANBAUSJR000581EXTERNALENUS/Lead-Investigator</a></p><h4>Cool Tools</h4><p>&#8220;Upload a screenshot or photo and get clue-based location reasoning in seconds&#8221;.  Probably not.  But it&#8217;s currently free, so give it a try.  <a href="https://reverseimagelocation.com/">https://reverseimagelocation.com/</a></p><p>DorkEye is an advanced automated dorking and OSINT recon tool that leverages DuckDuckGo.  (Fantastic documentation!)  <a href="https://github.com/xPloits3c/DorkEye">https://github.com/xPloits3c/DorkEye</a></p><div><hr></div><h4>Irrelevant</h4><p>Are you an Advil person or a Tylenol person?  Acetaminophen, ibuprofen, and what doctors probably want you to know.  
<a href="https://asteriskmag.com/issues/14/the-mystery-in-the-medicine-cabinet">https://asteriskmag.com/issues/14/the-mystery-in-the-medicine-cabinet</a></p><div><hr></div><h4>Sign Off</h4><p>Thanks for reading this far. Recently, Google started blocking email tracking pixels, which Substack relies on to track open rates. Many other email services have also blocked these trackers, and now Google Gmail has joined them. My open rate was already inconsistent due to these controls, and now it&#8217;s a completely useless metric. I really don&#8217;t know how many subscribers read the newsletter each week. So, I&#8217;ll just keep throwing it at the wall and hoping for the best.  </p><p>Matt</p><p>&#8220;THAT SHIT THAT HAPPENED YESTERDAY, HAPPENED YESTERDAY. MOVE ON.&#8221;</p><div><hr></div><p>Published every Tuesday, Threats Without Borders offers original commentary and educational pieces related to cybercrime investigations and information security topics. We also summarize and comment on news articles concerning active threat intelligence for the financial industry. The newsletter interests everyone tasked with cybersecurity or involved in preventing or investigating technology-enabled fraud, theft, or money laundering.</p><p>Legal: I am not compensated by any entity for writing this newsletter. Obviously, anything written in this space is my own nonsensical opinions and doesn&#8217;t represent the official viewpoint of my employer or any associated organization. Blame me, not them.</p><p>cybercrime cyficrime financial fraud investigations osint aml cybersecurity </p>]]></content:encoded></item><item><title><![CDATA[Threats Without Borders - Issue 283]]></title><description><![CDATA[Cybercrime Investigation Newsletter, week ending April 19, 2026]]></description><link>https://www.threatswithoutborders.com/p/threats-without-borders-issue-283</link><guid isPermaLink="false">https://www.threatswithoutborders.com/p/threats-without-borders-issue-283</guid><dc:creator><![CDATA[Matt Dotts]]></dc:creator><pubDate>Tue, 21 Apr 2026 10:31:27 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!gnGB!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fec11d95e-ced3-4599-874c-6076838cd6ca_800x600.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>I recently had a question about an IP address that resolved back to &#8220;iCloud Private Relay,&#8221; which is more information than is usually provided, since most of the time addresses just resolve to &#8220;Cloudflare&#8221; or &#8220;Akamai.&#8221; Unfortunately, for most investigations, this also resolves to a roadblock.</p><p>Apple introduced Private Relay as part of iCloud+, and most people think it&#8217;s Apple&#8217;s VPN service.  It isn&#8217;t a VPN. 
It&#8217;s more accurate to call it a dual-hop proxy. The service is designed to make sure no single entity, not even Apple, knows both who you are and what you&#8217;re looking at. Apple&#8217;s inclusion in that &#8220;no single entity&#8221; part is either admirable or politically convenient, depending on your level of cynicism.</p><p>When a user browses in Safari with Private Relay enabled, their traffic takes a two-stop detour before reaching its destination. First, it hits an Apple server. Apple sees the user&#8217;s real IP address, but can&#8217;t see where they&#8217;re going because the DNS request is encrypted. The traffic is then handed off to a second relay server operated by a third-party partner like Cloudflare, Akamai, or Fastly. That server knows the destination but has no idea who the user is. The website at the end of that chain sees a generic, temporary IP address shared by potentially thousands of other users in the same general region.</p><p>Nobody has the whole picture. That&#8217;s the whole point.</p><p>Private Relay protects only Safari browsing and encrypts DNS queries on the device. </p><p>It does not protect third-party browsers like Chrome, Edge, or Firefox.  Instagram, Facebook, email, banking apps, and most other apps on the device are also unprotected. 
In the absence of some additional masking technology, those will still phone home with the user&#8217;s real IP address.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!Cuu0!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ffd6e0e24-51bb-4e0d-94f5-9f3414b75d9b_898x728.jpeg"><img src="https://substackcdn.com/image/fetch/$s_!Cuu0!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ffd6e0e24-51bb-4e0d-94f5-9f3414b75d9b_898x728.jpeg" width="898" height="728" class="sizing-normal" alt=""></a></figure></div><p>So when trying to unmask a web browser user, our standard move -- get the IP, search warrant to the ISP, get the subscriber -- hits a wall. The destination logs a relay egress IP shared by thousands of users. The ISP can see the device was connected to Apple, but has no record of which sites were visited. And the relay partner doesn&#8217;t store the incoming Apple IP in a way that ties it to the outgoing destination. Nobody has the full picture. By design.</p><p>There are still some investigative avenues.</p><p>First, Apple publishes a list of all Private Relay egress IP ranges at https://mask-api.icloud.com/egress-ip-ranges.csv. Run any suspicious source IP against that list before spending resources on an ISP subpoena. Know what you&#8217;re dealing with upfront.</p><p>Second, Private Relay only masks the IP and DNS. 
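</p><p>The first avenue above, screening a candidate source IP against Apple&#8217;s published egress list, as an added example (my code, not the newsletter&#8217;s): it assumes the CSV keeps the CIDR in its first column with location hints after it, and the sample rows are constructed so it runs offline; fetch_egress_ranges() pulls the live file when you need it.</p>

```python
"""Screen candidate source IPs against Apple's iCloud Private Relay egress list.

Added example, not the newsletter's own code. It assumes the CSV that Apple
publishes at https://mask-api.icloud.com/egress-ip-ranges.csv holds one range
per line with the CIDR in the first column and location hints after it; the
rows in SAMPLE_EGRESS_CSV are constructed for offline use and are not real
Apple ranges.
"""
import csv
import ipaddress
import urllib.request
from io import StringIO
from typing import Dict, List, Optional, Tuple

EGRESS_CSV_URL = "https://mask-api.icloud.com/egress-ip-ranges.csv"

# Constructed sample in the assumed layout: CIDR,country,region,city,<extra>.
# Documentation prefixes only; the live file is what an investigator would load.
SAMPLE_EGRESS_CSV = """\
203.0.113.0/26,US,US-NY,New York,
203.0.113.64/26,US,US-CA,Los Angeles,
198.51.100.128/25,DE,DE-BE,Berlin,
2001:db8:1::/48,GB,GB-ENG,London,
"""


def load_egress_ranges(csv_text: str) -> List[Tuple[object, str]]:
    """Parse the CSV into (network, location) pairs.

    Blank lines and rows whose first field is not a valid CIDR (a header,
    a trailer, a damaged download) are skipped instead of aborting the run.
    """
    ranges = []
    for row in csv.reader(StringIO(csv_text)):
        if not row or not row[0].strip():
            continue
        try:
            net = ipaddress.ip_network(row[0].strip(), strict=False)
        except ValueError:
            continue
        location = ",".join(f.strip() for f in row[1:] if f.strip())
        ranges.append((net, location))
    return ranges


def fetch_egress_ranges(url: str = EGRESS_CSV_URL, timeout: float = 15.0):
    """Download and parse the live list. Not called below so the example runs offline."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return load_egress_ranges(resp.read().decode("utf-8"))


def find_relay_range(ip: str, ranges) -> Optional[Tuple[str, str]]:
    """Return (cidr, location) when ip sits in a Private Relay egress range, else None."""
    addr = ipaddress.ip_address(ip)
    for net, location in ranges:
        if addr.version == net.version and addr in net:
            return (str(net), location)
    return None


def triage_source_ips(ips, ranges) -> Dict[str, str]:
    """Label each candidate before any legal process is drafted.

    'relay'     : shared Apple egress; a subpoena on it identifies the relay
                  partner, not the subscriber, so pursue the other avenues first.
    'not-relay' : ordinary address; the usual IP-to-ISP-to-subscriber path applies.
    'invalid'   : not an IP at all (copy/paste damage in the source log).
    """
    verdicts = {}
    for ip in ips:
        try:
            verdicts[ip] = "relay" if find_relay_range(ip, ranges) else "not-relay"
        except ValueError:
            verdicts[ip] = "invalid"
    return verdicts


if __name__ == "__main__":
    ranges = load_egress_ranges(SAMPLE_EGRESS_CSV)
    candidates = ["203.0.113.77", "198.51.100.5", "2001:db8:1::beef", "not-an-ip"]
    for ip, verdict in triage_source_ips(candidates, ranges).items():
        hit = find_relay_range(ip, ranges) if verdict == "relay" else None
        print(f"{ip:>20}  {verdict:<10} {hit[1] if hit else ''}")
```

<p>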
Browser fingerprinting artifacts such as canvas fingerprinting, screen resolution, and installed fonts can still tie a specific Safari instance to activity across multiple sessions.</p><p>Third, look for cross-app leakage. If your subject used any other app on that same device, such as a different browser, a social media app, or any other service for communication across the Internet, those connections bypassed the relay entirely and may have logged the real IP with those respective servers.</p><p>iCloud Private Relay is a headache, a roadblock for sure, but maybe not a dead end. It breaks the attribution chain rather than eliminating it, but sometimes broken chains can still be put back together.</p><div><hr></div><h4>The News</h4><p>Microsoft explains how to prevent domain compromises through &#8220;predictive shielding&#8221;.  Predictive shielding in Microsoft Defender&#8217;s automatic attack disruption helps prevent the spread of identity-based attacks by acting before stolen credentials are fully exploited. Rather than waiting for malicious activity on an account, it detects early signs of credential exposure, such as high-confidence signals of credential theft, and proactively restricts potentially compromised accounts.  <a href="https://www.microsoft.com/en-us/security/blog/2026/04/17/domain-compromise-predictive-shielding-shut-down-lateral-movement/">https://www.microsoft.com/en-us/security/blog/2026/04/17/domain-compromise-predictive-shielding-shut-down-lateral-movement/</a></p><p>Think you won&#8217;t get bitten by a malicious insider? Cryptocurrency exchange Kraken is standing up to extortionists and refusing to pay their ransom demands.  Kraken experienced two extortion attempts stemming from &#8220;inappropriate&#8221; access by support team members, not external breaches. Approximately 2,000 accounts were potentially compromised.  
<a href="https://www.blockhead.co/2026/04/14/kraken-refuses-extortion-demands-after-criminal-group-films-internal-systems/">https://www.blockhead.co/2026/04/14/kraken-refuses-extortion-demands-after-criminal-group-films-internal-systems/</a></p><p>I recently shared a report from another threat intel company that claimed Docusign is now the most imitated brand in phishing attacks.  Checkpoint doesn&#8217;t even list them in the top ten.  Regardless, I&#8217;m sure this list is applicable. </p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!rRV4!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff8fdd743-1e24-441d-a1dc-424b750ef8f3_1878x898.jpeg"><img src="https://substackcdn.com/image/fetch/$s_!rRV4!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff8fdd743-1e24-441d-a1dc-424b750ef8f3_1878x898.jpeg" width="1456" height="696" class="sizing-normal" alt="" loading="lazy"></a></figure></div><p><a href="https://blog.checkpoint.com/research/the-phishing-paradox-the-worlds-most-trusted-brands-are-cyber-criminals-entry-point-of-choice/">https://blog.checkpoint.com/research/the-phishing-paradox-the-worlds-most-trusted-brands-are-cyber-criminals-entry-point-of-choice/</a></p><p>So, you want to be a darknet drug lord?  
<a href="https://pastebin.com/raw/GrV3uYh5">https://pastebin.com/raw/GrV3uYh5</a></p><p>The TidBITS public Slack group (SlackBITS) is being closed after a social engineering attack where the attacker impersonated author Glenn Fleishman by duplicating his profile and display name, then sent a direct message to another user to trick him into installing the OSX.Odyssey infostealer malware. <a href="https://tidbits.com/2026/04/18/shutting-down-slackbits-after-impersonation-based-malware-attack/">https://tidbits.com/2026/04/18/shutting-down-slackbits-after-impersonation-based-malware-attack/</a></p><p>Wine Fraud - Yep. A 59-year-old UK citizen was sentenced to 10 years in federal prison for orchestrating a $97 million wine fraud scheme. Posing as the CFO of a fictitious company, the man and a co-conspirator deceived over 140 investors worldwide by falsely claiming to broker loans secured by high-value wine collections. In reality, the operation was a Ponzi scheme that used new investor funds to pay fake interest to earlier investors. Of the $97 million collected, only ~$14 million was returned, leaving victims with losses exceeding $83 million.  <a href="https://www.justice.gov/usao-edny/pr/united-kingdom-citizen-sentenced-10-years-prison-97-million-wine-fraud-scheme">https://www.justice.gov/usao-edny/pr/united-kingdom-citizen-sentenced-10-years-prison-97-million-wine-fraud-scheme</a></p><div><hr></div><h4>Feedback</h4><p>Send Feedback to matt(at)threatswithoutborders.com</p><div><hr></div><h4>Losing Argument</h4><p>This is for anyone who denies a connection between the rise in cryptocurrency use for fraud and the proliferation of cryptocurrency ATMs. 
</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!EBTn!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6cc40a83-c80a-4110-aa42-f0c71a063ef0_1242x714.jpeg"><img src="https://substackcdn.com/image/fetch/$s_!EBTn!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6cc40a83-c80a-4110-aa42-f0c71a063ef0_1242x714.jpeg" width="1242" height="714" class="sizing-normal" alt="" loading="lazy"></a></figure></div><p>Cryptocurrency complaints were relatively flat until the first jump in 2021.  And then they skyrocketed over the next four years.  
</p><p>And sure enough, Gemini tells us there was a huge influx, or &#8220;Hyper Saturation,&#8221; of machines beginning in 2021.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!ZYQC!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff8b45c99-2dba-41c2-a09e-8d0ba96ffc5e_1248x670.jpeg"><img src="https://substackcdn.com/image/fetch/$s_!ZYQC!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff8b45c99-2dba-41c2-a09e-8d0ba96ffc5e_1248x670.jpeg" width="1248" height="670" class="sizing-normal" alt="" loading="lazy"></a></figure></div><div><hr></div><h4>Cool Jobs</h4><p>Director of IT Security - Denver Broncos Football Team.  
<a href="https://job-boards.greenhouse.io/denverbroncosteamllc/jobs/5191274008">https://job-boards.greenhouse.io/denverbroncosteamllc/jobs/5191274008</a></p><h4>Cool Tools</h4><p>Those who attended my recent talk on quickly triaging websites to determine legitimacy or attribution know that Whois has been replaced by RDAP.  The name changed, but the data remains the same.  And you might need to go back in history to find out not Who Is, but Who Was!  ARIN&#8217;s WhoWas service provides historical registration information for IP addresses and ASNs.  (Registration required)  <a href="https://www.arin.net/reference/research/whowas/">https://www.arin.net/reference/research/whowas/</a></p><div><hr></div><h4>Irrelevant</h4><p>Claude can&#8217;t use a typewriter.  College instructor turns to old-school typewriters to curb the use of AI for assignments. </p><blockquote><p>&#8220;What&#8217;s the point of me reading it if it&#8217;s already correct anyway, and you didn&#8217;t write it yourself? Could you produce it without your computer?&#8221; said Phelps.</p></blockquote><p> <a href="https://sentinelcolorado.com/uncategorized/a-college-instructor-turns-to-typewriters-to-curb-ai-written-work-and-teach-life-lessons/">https://sentinelcolorado.com/uncategorized/a-college-instructor-turns-to-typewriters-to-curb-ai-written-work-and-teach-life-lessons/</a></p><div><hr></div><h4>Sign Off</h4><p>I&#8217;ve come to the realization that I&#8217;m a domain hoarder. Domain-rich but cash-poor, I guess.  Every time I think of an awesome web domain name, I purchase it, usually with the idea of starting a business someday. But that never happens, and I just keep paying the yearly domain registration fees. It&#8217;s become expensive enough that I&#8217;ve come to a reckoning. I need to give up some, but it feels like giving up on ideas.  </p><p>Oh, that&#8217;s a great name&#8230;domainhoarder.com!</p><p>Have a great week.  
See you all next Tuesday.</p><p>Matt</p><div><hr></div><p>Published every Tuesday, Threats Without Borders offers original commentary and educational pieces related to cybercrime investigations and information security topics. We also summarize and comment on news articles concerning active threat intelligence for the financial industry. The newsletter interests everyone tasked with cybersecurity or involved in preventing or investigating technology-enabled fraud, theft, or money laundering.</p><p>Legal: I am not compensated by any entity for writing this newsletter. Obviously, anything written in this space is my own nonsensical opinions and doesn&#8217;t represent the official viewpoint of my employer or any associated organization. 
Blame me, not them.</p><p>cybercrime cybersecurity cyficime cyber fraud investigations aml osint  </p>]]></content:encoded></item><item><title><![CDATA[Threats Without Borders - Issue 282]]></title><description><![CDATA[Cybersecurity Investigation Newsletter - week ending April 12, 2026]]></description><link>https://www.threatswithoutborders.com/p/threats-without-borders-issue-282</link><guid isPermaLink="false">https://www.threatswithoutborders.com/p/threats-without-borders-issue-282</guid><dc:creator><![CDATA[Matt Dotts]]></dc:creator><pubDate>Tue, 14 Apr 2026 11:49:41 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!gnGB!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fec11d95e-ced3-4599-874c-6076838cd6ca_800x600.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>I generally enjoy AI tools and have found many uses for them. However, it can definitely be a joy killer.</p><p>One of my favorite yearly events is the release of the IC3 Internet Crime Report. I love diving into it to uncover insights that often go unnoticed by most. I call these insights 'nuggets,' a term familiar to regular newsletter readers. This year, things were different. The report was published on Monday afternoon, and within a few hours, I saw detailed analyses appearing on LinkedIn and X. Gary Warner, David Maimon, and a very few others in our field can craft such perfect summaries in just 90 minutes. For everyone else... It&#8217;s likely that a well-designed AI prompt played a significant role in generating many of those impressive analyses.</p><p>And that&#8217;s OK. It&#8217;s one of the things AI does best, breaking down long, complex, highly dense PDFs into something more digestible. </p><p>I&#8217;m not mad about it.  But I am selfishly disappointed.  
</p><p>The proliferation of AI-generated analysis takes a little bit of the joy away from those of us who really love doing that type of work&#8230; old-school. And it renders us afterthoughts because by the time we get around to producing something worth publishing, every cybersecurity content mill has already flooded the zone with AI-created &#8220;hot-takes&#8221;.</p><p>I&#8217;m sure you&#8217;ve seen the highlights by now. But you really should take the time to actually read the report yourself.</p><p><a href="https://www.ic3.gov/AnnualReport/Reports/2025_IC3Report.pdf">https://www.ic3.gov/AnnualReport/Reports/2025_IC3Report.pdf</a></p><div><hr></div><h4>I can&#8217;t help myself&#8230; consider this nugget</h4><p>It is well known that most victims do not report their victimization and subsequent losses to any authorities, let alone the Internet Crime Complaint Center. In the 2025 report, the IC3 explicitly states that its figures only represent reports to the FBI via IC3 and do not account for other reporting channels. They also acknowledge that missing data and underreporting can result in &#8220;artificially low&#8221; loss estimates. 
However, they make no assumptions beyond this.</p><p>In contrast, the recent &#8220;<a href="https://www.ftc.gov/system/files/ftc_gov/pdf/P144400-OlderAdultsReportDec2025.pdf">Protecting Older Consumers 2024-2025</a>&#8221; report by the Federal Trade Commission clearly states, &#8220;we assume Sentinel includes only 2% of all losses from consumers who lost under $1,000 and 6.7% of all losses from consumers who lost $1,000 or more.&#8221;</p><div class="captioned-image-container"><figure><a class="image-link image2" target="_blank" href="https://substackcdn.com/image/fetch/$s_!6G5e!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5635b5c5-11ce-47f1-8910-4c705b8fcc6a_1326x148.jpeg"><img src="https://substackcdn.com/image/fetch/$s_!6G5e!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5635b5c5-11ce-47f1-8910-4c705b8fcc6a_1326x148.jpeg" width="1326" height="148" class="sizing-normal" alt="" loading="lazy"></a></figure></div><p>Page 28 for reference.  </p><p>So the FTC &#8220;officially&#8221; assumes its reporting rate is somewhere between 2% and 7%.</p><p>Maybe IC3 is better known, and people are more inclined to report their victimization to them because it&#8217;s a division of the FBI. But can it be that much higher? Maybe a 15% reporting rate?</p><p>The IC3 reports that the total loss from Internet-enabled fraud in 2025 is $20.8 billion.</p><p>Imagine if that is only 15% of the true loss. What if it&#8217;s only 2-7%?</p><div><hr></div><h4>Speaking of AI tools&#8230;</h4><p>The cybersecurity world is going through a mind melt over the release, and potential public release, of &#8220;Mythos&#8221;.  </p><p>Anthropic&#8217;s Mythos is a highly advanced AI model focused on cybersecurity, particularly on identifying and analyzing software vulnerabilities.</p><p>Mythos finds exploitable vulnerabilities in software, systems, and networks at scale.</p><p>Think of a house. Every window, door, and air vent is a vulnerability that allows unwanted people to get into the house. We use security measures such as locks, shatterproof glass, reverse hinges, and other safeguards to ensure those vulnerabilities are secure and that only authorized people can enter and exit through them. Mythos finds that one window with a finicky lock, where, if you push a specific-style butter knife between the upper and lower panes, you can just reach the lock lever and pop it. And then it explains what materials you need and provides complete instructions on how to do it.</p><p>So does this mean the end of the vulnerability researcher? Are security companies specializing in this all going to go out of business? Maybe, maybe not. It will come down to cost.</p><p>Running these AI models isn&#8217;t free. 
While ChatGPT can generate some AI slop for your LinkedIn Hero account at no cost, operating a system that scans a corporate network and compares it against a comprehensive bug library requires substantial computation power, which will incur significant token costs.</p><p>And someone needs to pay real money for that usage. The impact of Mythos on the cybersecurity profession will, as with everything else, come down to economics. If the machine becomes more efficient and less expensive than a human, then we&#8217;ll see movement. But I don&#8217;t see that happening in the near future.</p><p>And I think maybe just the opposite.</p><p>So, a team at Anthropic created this model. Do you really think that China, Russia, North Korea, Iran, and other well-funded nation-state cyber teams won&#8217;t swiftly develop similar capabilities?</p><p>Certainly, and cybersecurity experts will continue to be essential in patching the vulnerabilities before these nation-states and criminal groups can exploit them.</p><p>Should your child still go to college for Cybersecurity? Meh, it&#8217;s still better than Journalism, but I don&#8217;t think tools like Mythos will be the immediate downfall of the entire field.</p><div><hr></div><h4>The News</h4><p>Do you use plugins on your WordPress site?  Someone purchased 30 different plugins and planted backdoors in each.  This author argues &#8220;the WordPress plug-in market has a trust issue.&#8221;  And further claims that <em>WordPress.org has no mechanism to flag or review plugin ownership transfers. There is no &#8220;change of control&#8221; notification to users. No additional code review triggered by a new committer. The Plugins Team responded quickly once the attack was discovered. 
But 8 months passed between the backdoor being planted and being caught.</em> <a href="https://anchor.host/someone-bought-30-wordpress-plugins-and-planted-a-backdoor-in-all-of-them/">https://anchor.host/someone-bought-30-wordpress-plugins-and-planted-a-backdoor-in-all-of-them/</a></p><p>The Financial Crimes Enforcement Network (FinCEN) has proposed a new rule to reform how financial institutions manage their anti-money laundering (AML) and countering the financing of terrorism (CFT) programs under the Bank Secrecy Act. The reform aims to shift the focus from high-volume paperwork compliance to risk-based, effective programs that actually combat illicit finance, while reducing regulatory burden on banks. Maybe. I won&#8217;t hold my breath.  <a href="https://www.fincen.gov/news/news-releases/fincen-proposes-rule-fundamentally-reform-financial-institution-programs">https://www.fincen.gov/news/news-releases/fincen-proposes-rule-fundamentally-reform-financial-institution-programs</a></p><p>The FBI successfully recovered deleted Signal messages from a suspect&#8217;s iPhone by extracting data from the device&#8217;s internal notification storage, even after the Signal app had been removed. This was possible because the defendant had not enabled Signal&#8217;s setting to hide message content from notifications, allowing the full text to be cached locally by iOS. However, Apple recently changed how iOS 26.4 validates push notification tokens, so this method may no longer work.   <a href="https://9to5mac.com/2026/04/09/fbi-used-iphone-notification-data-to-retrieve-deleted-signal-messages/">https://9to5mac.com/2026/04/09/fbi-used-iphone-notification-data-to-retrieve-deleted-signal-messages/</a></p><p>The CIA is increasingly deploying artificial intelligence to enhance its core intelligence analysis mission. 
The agency has already produced its first autonomous intelligence report and plans to integrate AI &#8220;co-workers&#8221; across all of its analytic platforms within the next few years to help analysts with tasks such as drafting assessments, testing conclusions, and identifying trends. The agency claims humans will remain responsible for key decisions, but it also noted that it tested 300 AI projects last year and is working to bring AI capabilities to field officers. <a href="https://www.politico.com/news/2026/04/09/cia-ai-intelligence-analysis-00865893">https://www.politico.com/news/2026/04/09/cia-ai-intelligence-analysis-00865893</a></p><p>The first step a skilled attacker takes after gaining unauthorized access to a Microsoft 365 account is to abuse mailbox rules. Rather than deploying malware, they use native M365 features to create rules that automatically forward, hide, delete, or archive emails, enabling covert data exfiltration, suppressing security alerts, and maintaining persistence even after password changes. Proofpoint explains that these rules can be deployed in as little as 5 seconds after compromise and can be fully automated at scale via the Microsoft Graph API. <a href="https://www.proofpoint.com/us/blog/threat-insight/mailbox-rules-o365-post-exploitation-tactic-cloud-ato">https://www.proofpoint.com/us/blog/threat-insight/mailbox-rules-o365-post-exploitation-tactic-cloud-ato</a></p><p>Don&#8217;t end up on the &#8220;Sucker List&#8221;.  <a href="https://www.welivesecurity.com/en/scams/recovery-scammers-hit-when-down-avoid-second-strike/">https://www.welivesecurity.com/en/scams/recovery-scammers-hit-when-down-avoid-second-strike/</a></p><div><hr></div><h4>Feedback</h4><p>Send Feedback to matt(at)threatswithoutborders.com</p><div><hr></div><h4>Evidence</h4><p>Why screenshots fail in court.  
<a href="https://lucidtruthtechnologies.com/authenticate-social-media-evidence/">https://lucidtruthtechnologies.com/authenticate-social-media-evidence/</a></p><div><hr></div><h4>Cool Jobs</h4><p>Security Operations Associate - National Football League.  <a href="https://job-boards.greenhouse.io/nflcareers/jobs/5127529008">https://job-boards.greenhouse.io/nflcareers/jobs/5127529008</a></p><p>Why MLB?  Why are you still making people work in New York City?  Ugh.  Incident Response and Intel Analyst, Major League Baseball.  <a href="https://hub.globalsportsjobs.com/vacancy/incident-response-intel-analyst-us-glap119784">https://hub.globalsportsjobs.com/vacancy/incident-response-intel-analyst-us-glap119784 </a></p><h4>Cool Tools</h4><p>2026 DIY Opt-Out Manual For Removal From Over 400 Sites.  <a href="https://github.com/thumpersecure/opt-out-manual-2026">https://github.com/thumpersecure/opt-out-manual-2026</a></p><p>Little Snitch (iykyk) but for Linux.  
<a href="https://obdev.at/products/littlesnitch-linux/index.html">https://obdev.at/products/littlesnitch-linux/index.html</a></p><div><hr></div><h4>Irrelevant</h4><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!KdhA!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fed7a14a8-0eb5-47ee-9f00-819df36ebe84_1330x760.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!KdhA!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fed7a14a8-0eb5-47ee-9f00-819df36ebe84_1330x760.jpeg 424w, https://substackcdn.com/image/fetch/$s_!KdhA!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fed7a14a8-0eb5-47ee-9f00-819df36ebe84_1330x760.jpeg 848w, https://substackcdn.com/image/fetch/$s_!KdhA!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fed7a14a8-0eb5-47ee-9f00-819df36ebe84_1330x760.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!KdhA!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fed7a14a8-0eb5-47ee-9f00-819df36ebe84_1330x760.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!KdhA!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fed7a14a8-0eb5-47ee-9f00-819df36ebe84_1330x760.jpeg" width="1330" height="760" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/ed7a14a8-0eb5-47ee-9f00-819df36ebe84_1330x760.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:760,&quot;width&quot;:1330,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:122816,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/jpeg&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.threatswithoutborders.com/i/193960442?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fed7a14a8-0eb5-47ee-9f00-819df36ebe84_1330x760.jpeg&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!KdhA!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fed7a14a8-0eb5-47ee-9f00-819df36ebe84_1330x760.jpeg 424w, https://substackcdn.com/image/fetch/$s_!KdhA!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fed7a14a8-0eb5-47ee-9f00-819df36ebe84_1330x760.jpeg 848w, https://substackcdn.com/image/fetch/$s_!KdhA!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fed7a14a8-0eb5-47ee-9f00-819df36ebe84_1330x760.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!KdhA!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fed7a14a8-0eb5-47ee-9f00-819df36ebe84_1330x760.jpeg 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" 
width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><div><hr></div><h4>Sign Off</h4><p>I thought I wrote a pretty good newsletter last week, but I somehow finished the week with fewer subscribers than I started with. Tough crowd. I sincerely appreciate everyone who stays with me.</p><p>Enjoy the warmer weather! Those of you in the Midwest should stay in your storm cellars. I&#8217;ll see you all next week.  </p><p>Matt</p><p>&#8220;IT TAKES LESS TIME TO DO A THING RIGHT THAN TO EXPLAIN WHY YOU DID IT WRONG.&#8221;</p><div><hr></div><p>Published every Tuesday, Threats Without Borders offers original commentary and educational pieces related to cybercrime investigations and information security topics. We also summarize and comment on news articles concerning active threat intelligence for the financial industry. 
The newsletter interests everyone tasked with cybersecurity or involved in preventing or investigating technology-enabled fraud, theft, or money laundering.</p><p>Legal: I am not compensated by any entity for writing this newsletter. Obviously, anything written in this space is my own nonsensical opinions and doesn&#8217;t represent the official viewpoint of my employer or any associated organization. 
Blame me, not them.</p>]]></content:encoded></item><item><title><![CDATA[Threats Without Borders - Issue 281]]></title><description><![CDATA[Cybercrime Investigation Newsletter, week ending April 5, 2026]]></description><link>https://www.threatswithoutborders.com/p/threats-without-borders-issue-281</link><guid isPermaLink="false">https://www.threatswithoutborders.com/p/threats-without-borders-issue-281</guid><dc:creator><![CDATA[Matt Dotts]]></dc:creator><pubDate>Tue, 07 Apr 2026 10:05:25 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!gnGB!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fec11d95e-ced3-4599-874c-6076838cd6ca_800x600.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!-qyh!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F26c5132c-9044-4ab4-9d03-393c688aeedf_1508x440.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!-qyh!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F26c5132c-9044-4ab4-9d03-393c688aeedf_1508x440.jpeg 424w, https://substackcdn.com/image/fetch/$s_!-qyh!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F26c5132c-9044-4ab4-9d03-393c688aeedf_1508x440.jpeg 848w, https://substackcdn.com/image/fetch/$s_!-qyh!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F26c5132c-9044-4ab4-9d03-393c688aeedf_1508x440.jpeg 1272w, 
https://substackcdn.com/image/fetch/$s_!-qyh!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F26c5132c-9044-4ab4-9d03-393c688aeedf_1508x440.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!-qyh!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F26c5132c-9044-4ab4-9d03-393c688aeedf_1508x440.jpeg" width="1456" height="425" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/26c5132c-9044-4ab4-9d03-393c688aeedf_1508x440.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:425,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:102396,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/jpeg&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://www.threatswithoutborders.com/i/193308066?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F26c5132c-9044-4ab4-9d03-393c688aeedf_1508x440.jpeg&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!-qyh!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F26c5132c-9044-4ab4-9d03-393c688aeedf_1508x440.jpeg 424w, https://substackcdn.com/image/fetch/$s_!-qyh!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F26c5132c-9044-4ab4-9d03-393c688aeedf_1508x440.jpeg 848w, 
https://substackcdn.com/image/fetch/$s_!-qyh!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F26c5132c-9044-4ab4-9d03-393c688aeedf_1508x440.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!-qyh!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F26c5132c-9044-4ab4-9d03-393c688aeedf_1508x440.jpeg 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>This was a DTMF attack. 
And it&#8217;s so damn clever!</p><p>When you press a key on your phone&#8217;s keypad, it generates a specific pair of audio tones. This system is called DTMF, or Dual-Tone Multi-Frequency signaling. Each key, 0 through 9, along with the asterisk and pound, produces a unique combination of two tones that phone systems use to identify what was pressed. It&#8217;s the same technology that lets you &#8220;press 1 for English&#8221; or enter your account number on an automated line. But those tones are just sounds, and anyone on the call with you can hear, record, and decode them.</p><p>That&#8217;s exactly what the scammer did.</p><p>When this Redditor called the balance verification number using three-way calling with the buyer on the line, they entered the card number and PIN using their keypad. Those DTMF tones traveled directly through the call to the scammer&#8217;s end in real time. The scammer either recorded the call or used software to decode the tones as the victim pressed them, translating each beep back into the exact digits entered. Once they had the card number and PIN, they hung up, logged into the gift card issuer&#8217;s website or called the automated line themselves, and drained the balance. The entire process likely took just minutes.</p><p>The technology behind this isn&#8217;t complex. Tools for recording and decoding DTMF tones are readily available and free. However, what made this attack so effective wasn&#8217;t the technology; it was the social engineering. The scammer didn&#8217;t hack anything; they simply created a situation where the victim willingly entered the credentials while they listened. The three-way call seemed like a normal, cooperative action. A buyer wanting to verify a balance before purchasing makes complete sense. That&#8217;s exactly why it succeeded. 
Social engineering attacks don&#8217;t target systems; they exploit trust.</p><p><a href="https://en.wikipedia.org/wiki/DTMF_signaling">https://en.wikipedia.org/wiki/DTMF_signaling</a></p><p><a href="https://nhollmann.github.io/DTMF-Tool/">https://nhollmann.github.io/DTMF-Tool/</a></p><div><hr></div><h4>Wilmington? </h4><p>Last week, I spoke at the Delaware Fraud Working Group conference in Wilmington, Delaware. What a pleasant event! I&#8217;m disappointed I had another commitment and couldn&#8217;t spend the entire day.</p><p>The host venue at Delaware Technical Community College was fantastic&#8212;truly one of the best places I&#8217;ve spoken at. I was also pleasantly surprised by Wilmington. I&#8217;ve long written off cities like Philadelphia and New York and generally refuse to attend any event hosted there. Heavy traffic, limited parking, panhandlers, dirt, and chaos make the inconveniences and costs too high to justify the effort.  </p><p>Wilmington probably has those issues, but I didn&#8217;t experience them. The drive into the city from the West was smooth, and parking was straightforward and, best of all, free. The only problem I faced was the haze of marijuana smoke in the parking garage stairwell.  </p><p>I&#8217;m not sure whether the DFWG will host next year's event at DelTech, but if you&#8217;re within a reasonable drive, attend.</p><div><hr></div><h4>Reader Mail</h4><p><em>Matt, your take on the Darksword exploit is one of the most balanced I&#8217;ve read. You should push that to a publication with a much wider reach. It&#8217;s genuinely better than most things I&#8217;ve seen in any of the major news outlets. </em> - JohnS</p><p><em>I was an examiner with a 3 letter agency for eight years, and now I work for an incident response firm. I can&#8217;t stress enough how important it is for people to keep their devices updated. We recently had an incident in which the owner of a business was using an iPhone XR running iOS 17.7. 
How does that happen? It&#8217;s really that simple. Keep your devices on the most recent version, and you eliminate 99.9% of remote exploits. </em>- KS</p><p>See Issue 280 for context.</p><div><hr></div><h4>The News&#8230;</h4><p>David Maimon explains the fraud known as &#8220;Pell Running&#8221; that is crushing the American federal student loan system.  <a href="https://resources.sentilink.com/blog/inside-pell-running-the-federal-student-aid-fraud-congress-is-trying-to-stop">https://resources.sentilink.com/blog/inside-pell-running-the-federal-student-aid-fraud-congress-is-trying-to-stop</a></p><p>AI-generated deepfake audio has raised concerns about the integrity of evidence. With voice cloning tools becoming affordable and widely available, it&#8217;s now simple to produce realistic fake audio recordings of voicemails, calls, or confessions that can be used as evidence in legal proceedings, insurance claims, or business disagreements. <a href="https://www.forbes.com/sites/larsdaniel/2026/03/15/beyond-cybersecurity-deepfake-audio-is-an-evidence-crisis/">https://www.forbes.com/sites/larsdaniel/2026/03/15/beyond-cybersecurity-deepfake-audio-is-an-evidence-crisis/</a></p><p>It&#8217;s tax season and that means tax scam season. Proofpoint has identified over 100 malicious campaigns using tax-themed lures to deliver malware, Remote Monitoring &amp; Management tools, credential phishing, and fraud. <a href="https://www.proofpoint.com/us/blog/threat-insight/security-brief-tax-scams-aim-steal-funds-taxpayers">https://www.proofpoint.com/us/blog/threat-insight/security-brief-tax-scams-aim-steal-funds-taxpayers</a></p><p>A recently identified phishing-as-a-service platform is targeting C-suite executives using highly personalized, QR-code-based emails that impersonate SharePoint notifications. These emails bypass detection using techniques such as randomized HTML noise, fake email threads, and Unicode QR codes that evade image scanners. 
When scanned, victims are led through a multi-layered &#8220;gate&#8221; that prevents automated tools and researchers from proceeding, before being redirected to credential harvesters. More worrisome, the exploit functions within Microsoft&#8217;s authentication system, making traditional MFA ineffective as a key line of defense.  <a href="https://abnormal.ai/blog/venom-phishing-campaign-mfa-credential-theft">https://abnormal.ai/blog/venom-phishing-campaign-mfa-credential-theft</a></p><p>I currently hold two SANS/GIAC certifications and recently let a third (GSEC) expire. The exams and their preparation are quite demanding. The crucial aspect is really the preparation process itself. Although the exams are open book, spending too much time looking up answers will result in you running out of time. You will need to look up some answers quickly, and this is where the index becomes essential. Here is a good take on creating an effective index.  <a href="https://aerobytes.io/writeups/giac-indexing-guide/">https://aerobytes.io/writeups/giac-indexing-guide/</a></p><p>Two individuals have pleaded guilty in federal court in Rhode Island for their roles in a transnational fraud and money laundering scheme targeting elderly victims across the U.S. and Canada. The scheme involved fraudsters posing as representatives of financial institutions and government agencies, such as the FTC and the Federal Reserve, convincing victims that their accounts were compromised and directing them to transfer funds via wire transfers, cryptocurrency, cash, or gold bars. The scheme defrauded approximately 300 victims across 37 states, with known losses exceeding $5 million. <a href="https://www.justice.gov/usao-ri/pr/two-defendants-plead-guilty-transnational-fraud-scheme-targeting-elderly-victims">https://www.justice.gov/usao-ri/pr/two-defendants-plead-guilty-transnational-fraud-scheme-targeting-elderly-victims</a></p><p>Uno is a good boy.  
<a href="https://cdapress.com/news/2026/apr/01/coffee-with-a-k9/">https://cdapress.com/news/2026/apr/01/coffee-with-a-k9/</a></p><div><hr></div><h4>DFIR</h4><p>Tsurugi Linux released update version 26.03 on iso or ova.  <a href="https://tsurugi-linux.org/downloads.php">https://tsurugi-linux.org/downloads.php</a></p><div><hr></div><h4>Cool Tools</h4><p>FTC Sentinel Fraud Dashboard.  <a href="https://public.tableau.com/app/profile/federal.trade.commission/viz/FraudReports/FraudFacts">https://public.tableau.com/app/profile/federal.trade.commission/viz/FraudReports/FraudFacts</a></p><p>Who is giving money to whom?  <a href="https://www.opensecrets.org/">https://www.opensecrets.org/</a></p><h4>Cool Job</h4><p>Card Fraud Manager, Members 1st Federal Credit Union.  <a href="https://careers.members1st.org/jobs/2682/Card%20Fraud%20Manager">https://careers.members1st.org/jobs/2682/Card%20Fraud%20Manager</a></p><p>Vice President of Consumer and Banking Fraud Strategy. JP Morgan Chase <a href="https://jpmc.fa.oraclecloud.com/hcmUI/CandidateExperience/en/sites/CX_1001/job/210699592">https://jpmc.fa.oraclecloud.com/hcmUI/CandidateExperience/en/sites/CX_1001/job/210699592</a></p><div><hr></div><h4>Irrelevant</h4><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!ivhR!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa064f124-1173-457e-a0ce-40df43c53d77_1340x1288.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!ivhR!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa064f124-1173-457e-a0ce-40df43c53d77_1340x1288.jpeg 424w, 
https://substackcdn.com/image/fetch/$s_!ivhR!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa064f124-1173-457e-a0ce-40df43c53d77_1340x1288.jpeg 848w, https://substackcdn.com/image/fetch/$s_!ivhR!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa064f124-1173-457e-a0ce-40df43c53d77_1340x1288.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!ivhR!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa064f124-1173-457e-a0ce-40df43c53d77_1340x1288.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!ivhR!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa064f124-1173-457e-a0ce-40df43c53d77_1340x1288.jpeg" width="1340" height="1288" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/a064f124-1173-457e-a0ce-40df43c53d77_1340x1288.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1288,&quot;width&quot;:1340,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:333897,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/jpeg&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.threatswithoutborders.com/i/193308066?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa064f124-1173-457e-a0ce-40df43c53d77_1340x1288.jpeg&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" 
loading="lazy"></picture></a></figure></div><p>Credit: Varun.ch</p><div><hr></div><h4>Feedback</h4><p>matt (at) threatswithoutborders.com</p><div><hr></div><h4>Sign Off</h4><p>Wow, a lot of new subscribers this week. </p><p>So, what&#8217;s this all about? See that issue number, 281&#8212;that&#8217;s how many consecutive weeks the Threats Without Borders Newsletter has been published. Yep, every Tuesday morning for five years and four months. Never a miss. What I lack in quality, substance, and style, I make up for in tenacity.  </p><p>Welcome.  And when your email provider drops the newsletter or your company decides newsletters are a time-suck and creates an &#8220;unsubscribe and delete&#8221; rule, you can always find every issue published at www.threatswithoutborders.com.</p><p>Or install the Substack app on your smartphone and ensure delivery each week.  
</p><p>Thanks for checking us out and I hope to see you all next week.  </p><p>Matt</p><p>&#8220;DON&#8217;T LET A BAD DAY MAKE YOU FEEL LIKE YOU HAVE A BAD LIFE.&#8221;</p><div><hr></div><p>Published every Tuesday, Threats Without Borders offers original commentary and educational pieces related to cybercrime investigations and information security topics. We also summarize and comment on news articles concerning active threat intelligence for the financial industry. The newsletter interests everyone tasked with cybersecurity or involved in preventing or investigating technology-enabled fraud, theft, or money laundering.</p><p>Legal: I am not compensated by any entity for writing this newsletter. Obviously, anything written in this space is my own nonsensical opinions and doesn&#8217;t represent the official viewpoint of my employer or any associated organization. Blame me, not them.</p>]]></content:encoded></item><item><title><![CDATA[Threats Without Borders - Issue 280]]></title><description><![CDATA[Cybercrime Investigation Newsletter, week ending March 29, 2026]]></description><link>https://www.threatswithoutborders.com/p/threats-without-borders-issue-280</link><guid isPermaLink="false">https://www.threatswithoutborders.com/p/threats-without-borders-issue-280</guid><dc:creator><![CDATA[Matt Dotts]]></dc:creator><pubDate>Tue, 31 Mar 2026 10:46:52 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!gnGB!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fec11d95e-ced3-4599-874c-6076838cd6ca_800x600.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>A few weeks ago, I addressed a concern in this space about Apple iPhone users claiming, &#8220;Wasn&#8217;t me, my phone was hacked.&#8221; My response was straightforward: unless they are a direct target of a nation-state, the iPhone was not secretly compromised.</p><p>Well... news recently broke about an iPhone exploit called DarkSword, and it has me reevaluating my stance on the issue.    
</p><h4><strong>Yes, your iPhone can be hacked; no, you&#8217;re probably not interesting enough to justify the price tag.</strong></h4><p>That tension, between what&#8217;s possible and what&#8217;s probable, is getting lost in the conversation around advanced mobile exploits like DarkSword. Headlines and social media chatter tend to flatten everything into the same message: your phone is vulnerable at any time. Technically, that&#8217;s true. Practically, it&#8217;s sensational trash.</p><p>DarkSword isn&#8217;t a typical piece of malware you download or install. It&#8217;s an exploit chain, a carefully engineered sequence of vulnerabilities that allows an attacker to break into an iPhone, escalate privileges, and extract data. It&#8217;s not a virus but a master key that unlocks multiple doors in sequence. Once inside, it can deploy tools to collect messages, access apps, or monitor activity, often without leaving much evidence behind.</p><p>That kind of capability has not just been rare, but elite. Building something like this requires deep expertise, time, and significant financial investment. For years, these tools were almost exclusively in the hands of nation-states and a small number of highly specialized surveillance vendors. And because they were so valuable, they were used sparingly, against very specific, high-value targets.</p><h4>The ceiling hasn&#8217;t changed. These are still highly sophisticated, expensive, and complex attacks. But the floor has dropped.</h4><p>The challenge of developing these capabilities remains very high, but the difficulty of accessing them is decreasing. We&#8217;re observing the same trend that has occurred in other areas of cybercrime. There was a time when launching a ransomware attack required significant technical skill. Now, ransomware-as-a-service has made it much more accessible. 
The expertise hasn&#8217;t disappeared; it has been packaged, productized, and distributed.</p><p>Bad guys who previously could not develop an iPhone exploit chain can now sometimes access or lease that capability. This doesn&#8217;t mean &#8220;anyone&#8221; can do it, but it does expand the pool of potential attackers. It&#8217;s no longer limited to intelligence agencies and top-tier operators; it may now include smaller governments, private intelligence firms, and well-funded criminal groups. </p><p>Yes, it is now more possible for a broader range of attackers to use these tools. No, it is still not probable that they will be used against the average person.</p><p>There are a few reasons for that.</p><p><strong>First, these exploits remain costly assets.</strong> Even as access becomes more available, it&#8217;s not free or simple. Using one involves risk for the attacker. Each deployment raises the likelihood that the exploit will be discovered, analyzed, and patched. Burning a valuable capability on a random target offers little economic or operational benefit.</p><p><strong>Second, these attacks still require targeting.</strong> Even a &#8220;one-click&#8221; exploit&#8212;where a user simply taps a link&#8212;relies on getting that link in front of the right person at the right time. That involves reconnaissance, delivery methods, and often some level of social engineering. This is not spray-and-pray activity. It&#8217;s intentional.</p><p><strong>Third, and what I&#8217;ve been saying for a long time, is that there are far easier ways to compromise people.</strong></p><p>Most cybercriminals don&#8217;t need a complicated exploit chain to succeed. Phishing emails, fake login pages, password reuse, SIM swapping, and social engineering are much cheaper and easier to scale. If they aim for financial gain, these methods provide a higher return on investment. 
Why invest heavily in a complex iPhone exploit when a convincing text message can trick someone into giving up their credentials?</p><p>This is why, for the average iPhone user, the biggest risks remain the same as they were before: scams, phishing, weak passwords, and account takeovers. Not zero-day exploits.</p><p>But that doesn&#8217;t mean nothing has changed.</p><p><strong>The important shift is in who might now be considered &#8220;worth it.&#8221;</strong></p><p>Previously, the range of targets for these attacks was very limited. Now, it has expanded, not to include everyone, but to include more individuals than before. Those now at risk include journalists, business leaders, government workers, activists, and anyone with access to confidential information or financial assets, even if they don&#8217;t operate internationally.</p><p>Additionally, there is a risk of spillover. As these tools become more widely used, there&#8217;s an increased chance of errors&#8212;such as incorrect numbers, misidentified devices, or infrastructure that unintentionally exposes unintended users. This doesn&#8217;t suddenly make everyone a target, but it does add more unpredictability to where these capabilities might be exploited.</p><p><strong>So where does that leave the everyday iPhone user?</strong></p><p><em>The iPhone is not under constant threat from elite hackers. It is not being silently compromised at random. But it is also no longer accurate to assume that these capabilities exist only in distant, highly controlled environments.</em></p><p>Understand that advanced attacks exist. Recognize that they are becoming more accessible to a wider range of actors. But also keep in perspective that attackers are still making decisions based on cost, value, and likelihood of success. Most people simply do not present a target that justifies the use of such a tool. 
</p><p>And importantly, many of the protections against these advanced threats are straightforward.</p><p><strong>Keeping your iPhone updated is one of the most effective things you can do.</strong> These exploit chains rely on vulnerabilities, and once those vulnerabilities are patched, the window of opportunity closes. Delaying updates means leaving the door open longer than necessary.</p><p>Apple has also introduced built-in protections designed specifically for high-risk scenarios, such as <strong>Lockdown Mode</strong>. While not necessary for most users, it&#8217;s a powerful option for those who may be more likely to be targeted.</p><p>Yes, an iPhone can be hacked.</p><p>But what matters far more is whether it&#8217;s likely - and for most people, it still isn&#8217;t.</p><p>So in your investigations, it&#8217;s something you need to account for&#8230; but probably not.  </p><div><hr></div><h4>Speaking of Lockdown Mode</h4><p>Nearly four years after its 2022 debut, Apple&#8217;s Lockdown Mode remains undefeated by mercenary spyware, with both Apple and independent investigators such as Amnesty International confirming that no devices with the feature activated have been successfully attacked. Citizen Lab researchers have documented instances where Lockdown Mode effectively prevented Pegasus and Predator spyware attacks. <a href="https://techcrunch.com/2026/03/27/apple-says-no-one-using-lockdown-mode-has-been-hacked-with-spyware/">https://techcrunch.com/2026/03/27/apple-says-no-one-using-lockdown-mode-has-been-hacked-with-spyware/</a></p><h4>Skimming Report</h4><p>I&#8217;ll write more about this report, but I just don&#8217;t have the space today.  FICO released the report &#8220;The State of Card Skimming in the US: 2025 Year In Review&#8221;.  
<a href="https://www.fico.com/blogs/state-card-skimming-us-2025-year-review">https://www.fico.com/blogs/state-card-skimming-us-2025-year-review</a></p><div><hr></div><h4>Cool Job</h4><p>Data Scientist, Predictive Fraud Intelligence - VISA.  <a href="https://jobs.smartrecruiters.com/Visa/744000117342711-data-scientist-predictive-fraud-intelligence">https://jobs.smartrecruiters.com/Visa/744000117342711-data-scientist-predictive-fraud-intelligence</a></p><p>Fraud Risk Governance Lead - Customers Bank.  <a href="https://customersbank.wd1.myworkdayjobs.com/customersbankcareers/job/Malvern-PA/Fraud-Risk-Governance-Lead_REQ-2026-851">https://customersbank.wd1.myworkdayjobs.com/customersbankcareers/job/Malvern-PA/Fraud-Risk-Governance-Lead_REQ-2026-851</a></p><h4>Cool Tool</h4><p>IRS charity search -  <a href="https://apps.irs.gov/app/eos/">https://apps.irs.gov/app/eos/</a></p><p>How charitable is a charity? Charity Navigator - <a href="https://www.charitynavigator.org/">https://www.charitynavigator.org/</a></p><p>International phone number look-up.  <a href="https://www.thisnumber.com/">https://www.thisnumber.com/</a></p><div><hr></div><h4>Irrelevant</h4><p>The U.S. Army increased its maximum enlistment age to 42. Meh, I&#8217;m still too old, but of course, I couldn't have done it at 42 either. Kudos to anyone over 40 who accepts this challenge!    <a href="https://abcnews.com/Politics/army-extends-maximum-recruitment-age-42-allowing-older/story?id=131411519">https://abcnews.com/Politics/army-extends-maximum-recruitment-age-42-allowing-older/story?id=131411519</a></p><div><hr></div><h4>Sign Off</h4><p>I had to cut the news section today due to space limitations.  It will be back next week. </p><p>Do you know what a DTMF attack is?  Or how they use it to steal the balance from gift cards?  
Come back next week to learn more.</p><p>Matt</p><p>&#8220;IF YOU WAIT FOR EVERYTHING TO FALL INTO PLACE BEFORE YOU ACT, YOU WILL NEVER MOVE.&#8221;</p><div><hr></div><p>Published every Tuesday, Threats Without Borders offers original commentary and educational pieces related to cybercrime investigations and information security topics. We also summarize and comment on news articles concerning active threat intelligence for the financial industry. The newsletter interests everyone tasked with cybersecurity or involved in preventing or investigating technology-enabled fraud, theft, or money laundering.</p><p>Legal: I am not compensated by any entity for writing this newsletter. Obviously, anything written in this space is my own nonsensical opinions and doesn&#8217;t represent the official viewpoint of my employer or any associated organization. 
Blame me, not them.</p>]]></content:encoded></item><item><title><![CDATA[Threats Without Borders - Issue 279]]></title><description><![CDATA[Cybercrime Investigation Newsletter, Week ending March 22, 2026]]></description><link>https://www.threatswithoutborders.com/p/threats-without-borders-issue-279</link><guid isPermaLink="false">https://www.threatswithoutborders.com/p/threats-without-borders-issue-279</guid><dc:creator><![CDATA[Matt Dotts]]></dc:creator><pubDate>Tue, 24 Mar 2026 11:20:09 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!gnGB!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fec11d95e-ced3-4599-874c-6076838cd6ca_800x600.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>So many times when we think of &#8220;cybercrime&#8221; or crime facilitated through the use of technology and the Internet, we think of the usual suspects - network intrusions with data theft, ransomware, DDOS attacks, investment and romance scams, email phishing&#8230; or any of the other crimes detailed in the Internet Crime Complaint Center&#8217;s yearly report.  </p><p>Rarely do we ever think of music fraud.  And certainly not music fraud involving AI-created music and a massive botnet that generates millions of &#8220;listens&#8221; across a dozen streaming services.</p><p>A North Carolina man has admitted guilt in a widespread music streaming fraud that occurred from 2017 to 2024. He used AI-generated songs and up to 10,000 bot accounts simultaneously to artificially inflate streaming counts on platforms such as Spotify, Apple Music, Amazon Music, and YouTube Music, resulting in billions of fake streams. To evade detection, he used VPNs and distributed activity across hundreds of thousands of tracks. Through this operation, he generated over $8 million in royalties. </p><p>Posting AI-generated music on streaming services isn&#8217;t illegal. 
The crime lies in using countless zombie machines to &#8220;listen&#8221; to the music. </p><p>He exploited technology and the Internet to set up a situation where victim businesses paid him money that he didn't legitimately earn.  And 8 million dollars isn&#8217;t chump change.  </p><p>Fraud is as old as time, and most schemes are not new, but the convergence of financial crime and the Internet continually takes us into new territory and pushes the boundaries of &#8220;cybercrime&#8221;.  </p><p><a href="https://www.justice.gov/usao-sdny/pr/north-carolina-man-pleads-guilty-music-streaming-fraud-aided-artificial-intelligence-0">https://www.justice.gov/usao-sdny/pr/north-carolina-man-pleads-guilty-music-streaming-fraud-aided-artificial-intelligence-0</a></p><div><hr></div><h4>Audit PTO </h4><p>When providing fraud-prevention training to business owners and executives, I emphasize the importance of job rotation and mandated paid time off (PTO). </p><p>I often cite an investigation I was involved in where the suspect employee hadn&#8217;t taken any vacation for seven years. Although she took occasional days off around holidays, she never scheduled a full week off during that period. </p><p>She operated a sophisticated refund scheme, funneling refunds into her own accounts, and she knew that anyone who stepped into her role could uncover her fraud. Her eventual exposure came when a new accounting software flagged irregularities during a routine audit. </p><p>Over those seven years, she embezzled more than $200,000 from her employer. </p><p>This case from a Pennsylvania casino is the latest example of an insider executing a scam that could have been quickly uncovered if someone else had briefly stepped into the role. In fact, that&#8217;s precisely how she was caught: </p><blockquote><p><em>When Petrillo was on medical leave, an employee at the casino&#8217;s horse racing office assisted with the office paperwork. 
Police said that&#8217;s when the employee discovered the discrepancies.</em></p></blockquote><p>At least once a year, every financial role in the organization should be temporarily filled by another person for a few days. This practice not only helps prevent fraud but also enhances redundancy and recovery options. If someone refuses to take a week off, it should be forced. </p><p>An employee who refuses to use their Paid Time Off is a huge red flag&#8230; in more ways than one.</p><p>This employee stole over $700,000.  And it&#8217;s so preventable.</p><p><a href="https://www.pennlive.com/crime/2026/03/hollywood-casino-employee-accused-of-stealing-over-700k-in-fraud-scheme.html">https://www.pennlive.com/crime/2026/03/hollywood-casino-employee-accused-of-stealing-over-700k-in-fraud-scheme.html</a></p><div><hr></div><h4>The News&#8230;</h4><p>Holy... we&#8217;re smoked. Although hype for their own product, this article by Sublime Security describes a new attack that masquerades as a Zoom meeting invite but results in the recipient installing malware on their Windows PC. The extent to which the attackers go to pull this off is impressive. They even run a JavaScript-enabled Zoom meeting simulation in the browser session - complete with technical difficulties. 
Anyone who has ever worked at a Help Desk or in a role involving regular interaction with non-technical users knows this issue will have a significant impact on unsecured organizations that use Zoom.   <a href="https://sublime.security/blog/advanced-fake-zoom-installer-used-for-delivering-malware/">https://sublime.security/blog/advanced-fake-zoom-installer-used-for-delivering-malware/</a></p><p>Keep your iPhone updated, and these exploits will not be so bothersome. In fact, not at all.  The Google Threat Intelligence Group reports the &#8220;DarkSword&#8221; exploit for Apple iPhone devices has been adopted by multiple threat actors since November 2025. The exploit chain uses six zero-day vulnerabilities to fully compromise iOS devices running versions 18.4-18.7.  For the record, you should be on some version of iOS 26, preferably 26.3.1 (at the time of this writing).  <a href="https://cloud.google.com/blog/topics/threat-intelligence/darksword-ios-exploit-chain">https://cloud.google.com/blog/topics/threat-intelligence/darksword-ios-exploit-chain</a></p><p>SEC will vote on reducing the quarterly reporting requirement to twice a year.  <a href="https://www.reuters.com/business/finance/us-sec-preparing-eliminate-quarterly-reporting-requirement-wsj-says-2026-03-16/">https://www.reuters.com/business/finance/us-sec-preparing-eliminate-quarterly-reporting-requirement-wsj-says-2026-03-16/</a></p><p>Ok, this scam needed to be shut down, but are there actual victims here? Law enforcement authorities from 23 countries carried out *Operation Alice*, a major crackdown on a dark web network run by a 35-year-old in China. Over five years, he operated more than 373,000 fraudulent Tor domains, promoting child sexual abuse material (CSAM) and cybercrime-as-a-service (CaaS). He defrauded around 10,000 customers of over $345,000 in Bitcoin, without ever delivering the promised content. 
While the sites claimed to offer CSAM &#8220;packages&#8221; ranging from gigabytes to terabytes, they were entirely fake and victims were never supplied with the material.  Europol coordinated international intelligence efforts, tracked cryptocurrency transactions, and helped identify the operator, who used up to 287 servers worldwide. <a href="https://www.europol.europa.eu/media-press/newsroom/news/global-cybercrime-crackdown-over-373-000-dark-web-sites-shut-down">https://www.europol.europa.eu/media-press/newsroom/news/global-cybercrime-crackdown-over-373-000-dark-web-sites-shut-down</a></p><p>Pennsylvania Attorney General Dave Sunday announced that the leader of a criminal organization that defrauded central Pennsylvania banks and their customers of more than $3 million has been sentenced to prison and ordered to pay more than half-a-million dollars in restitution. <a href="https://www.attorneygeneral.gov/taking-action/ringleader-in-multi-million-dollar-central-pa-bank-fraud-scheme-sentenced-to-prison/">https://www.attorneygeneral.gov/taking-action/ringleader-in-multi-million-dollar-central-pa-bank-fraud-scheme-sentenced-to-prison/</a></p><p>Bank and credit union compliance software provider Marquis confirmed that a data breach discovered in August 2025 affected approximately 672,000 individuals, which is much less than the previously estimated 1.6 million. Of course, that doesn&#8217;t make it any better, just less impactful. The attackers stole sensitive personal and financial information, including names, addresses, Social Security numbers, dates of birth, and payment card numbers from dozens of the financial institutions Marquis serves. <a href="https://www.securityweek.com/marquis-data-breach-affects-672000-individuals/">https://www.securityweek.com/marquis-data-breach-affects-672000-individuals/</a></p><div><hr></div><h4>DFIR</h4><p>Andrea Fortuna introduces the DFIR Toolkit.  
<a href="https://andreafortuna.org/2026/03/17/dfir-toolkit">https://andreafortuna.org/2026/03/17/dfir-toolkit</a></p><div><hr></div><h4>Cool Job</h4><p>Criminal Intelligence Analyst, Group 9.  <a href="https://groupnine.us/careers/">https://groupnine.us/careers/</a></p><h4>Cool Tool</h4><p>I was a longtime user of Evernote, but left when it was bought by Bending Spoons, and they priced it out of reality. I&#8217;ve since switched to the fantastic notes app Bear, but it's only available on Apple devices. So, for you Windows users still feeling the loss of Evernote - try Cimanote.  &#8220;<em>Cimanote is the fast, clean note-taking app for people tired of Evernote's bloat and price hikes. Sign up today &#8212; your first year is completely on us.&#8221;   </em><a href="https://cimanote.com/">https://cimanote.com/</a></p><div><hr></div><h4>Irrelevant</h4><p>More evidence that not all addictions are bad. This long-term study discovered that moderate intake of caffeinated coffee or tea was associated with an 18% lower risk of dementia and improved cognitive performance over time.  <a href="https://www.sciencedaily.com/releases/2026/03/260318033138.htm">https://www.sciencedaily.com/releases/2026/03/260318033138.htm</a></p><div><hr></div><h4>Get Learned</h4><p>SLEUTHCON is a forum for identifying and exploring cybercrime and financially-motivated threats.  Friday, June 5, 2026.  Arlington, VA and Virtual.  <a href="https://www.sleuthcon.com/">https://www.sleuthcon.com/</a></p><p>Delaware Fraud Working Group, Full-Day Fraud Prevention Summit.  Thursday, April 2, 2026.  Wilmington, DE.  <a href="https://www.eventbrite.com/e/delaware-fraud-working-group-full-day-fraud-prevention-summit-tickets-1982375409213">https://www.eventbrite.com/e/delaware-fraud-working-group-full-day-fraud-prevention-summit-tickets-1982375409213</a></p><div><hr></div><h4>Late Breaking</h4><p>If you think you need a new router, buy one now. The FCC plans to ban all foreign-made routers. 
While this isn&#8217;t necessarily a bad thing and will certainly benefit the American tech industry, the issue is that nearly every router is made entirely, or at least with parts from, outside the U.S. Once this rule is enforced, American manufacturers won't be able to meet the demand for a long time.  When I searched for American-made routers, the only one I found that is made entirely in the U.S. is Starlink.  Hmm.  Is that a coincidence?    <a href="https://docs.fcc.gov/public/attachments/DOC-420034A1.pdf">https://docs.fcc.gov/public/attachments/DOC-420034A1.pdf</a></p><div><hr></div><h4>Sign Off</h4><p>The best news of the week is that by Friday, the RSAC Conference will be over, and our inboxes will be free from the daily influx of emails from salespeople asking to &#8220;connect&#8221; during the event.  </p><p>Thanks again for opening another issue of the newsletter.  Cheers to sunshine and warmer weather!</p><p>Matt</p><p>&#8220;YOU WILL NEVER START ANYTHING IF YOU ALWAYS WAIT UNTIL YOU ARE FULLY READY.&#8221;</p><div><hr></div><p>Published every Tuesday, Threats Without Borders offers original commentary and educational pieces related to cybercrime investigations and information security topics. We also summarize and comment on news articles concerning active threat intelligence for the financial industry. The newsletter interests everyone tasked with cybersecurity or involved in preventing or investigating technology-enabled fraud, theft, or money laundering.</p><p>Legal: I am not compensated by any entity for writing this newsletter. Obviously, anything written in this space is my own nonsensical opinions and doesn&#8217;t represent the official viewpoint of my employer or any associated organization. Blame me, not them.</p>]]></content:encoded></item><item><title><![CDATA[Threats Without Borders - Issue 278]]></title><description><![CDATA[Cybercrime Investigation Newsletter, week ending March 15, 2026]]></description><link>https://www.threatswithoutborders.com/p/threats-without-borders-issue-278</link><guid isPermaLink="false">https://www.threatswithoutborders.com/p/threats-without-borders-issue-278</guid><dc:creator><![CDATA[Matt Dotts]]></dc:creator><pubDate>Tue, 17 Mar 2026 11:20:24 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!AwOR!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd7b17363-731f-4ef4-9d3a-1794924e0af3_1268x1424.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>I&#8217;m old enough to remember when ATMs arrived on the scene.  Of course, we called them &#8220;MAC Machines&#8221;.  I recall a local bank holding a contest to see who could withdraw the most money in a set amount of time to highlight the ease of use.  </p><p>I also remember the concern that such technology raised about the future of banking.  Well, the ATM didn&#8217;t replace the teller.  
But as this excellent article highlights, the smartphone is.</p><p><a href="https://davidoks.blog/p/why-the-atm-didnt-kill-bank-teller">Why ATMs didn&#8217;t kill bank teller jobs, but the iPhone did</a> (David Oks)</p><p>And when you combine the smartphone with an ebanking platform and the ATM, you get the perfect fraud workflow.</p><div><hr></div><h4>Proxy takedown</h4><p>Law enforcement from eight countries seized 23 servers and 34 domains, froze $3.5M in crypto, and identified more than 124,000 users. Known as &#8220;SocksEscort&#8221;, the network, powered by the AVRecon botnet, has co-opted more than 369,000 IPs since 2020. </p><p>This service essentially took control of unsecured residential and business routers and sold access to them. This enabled an attacker to route their malicious Internet traffic through the router in a residential home or (small) business. </p><p>Untrained investigators often assume that tracing an IP address back to an ISP subscriber indicates that a user physically on the property who connected to the Internet through the router was responsible for the activity. Poor assumption. You must consider the possibility of an infected router being used as a proxy. </p><p><a href="https://www.justice.gov/usao-edca/pr/authorities-dismantle-global-malicious-proxy-service-deployed-malware-and-defrauded">https://www.justice.gov/usao-edca/pr/authorities-dismantle-global-malicious-proxy-service-deployed-malware-and-defrauded</a></p><p>And not by coincidence, I&#8217;m sure, the Internet Crime Complaint Center (IC3) published a document titled &#8220;Evading Residential Proxy Networks: Protecting Your Devices From Becoming a Tool for Criminals&#8221;. <a href="https://www.ic3.gov/PSA/2026/PSA260312">https://www.ic3.gov/PSA/2026/PSA260312</a></p><div><hr></div><h4>More News&#8230;</h4><p>This executive order, signed by President Trump, outlines a U.S. 
government strategy to combat cybercrime, fraud, and predatory schemes targeting American citizens, particularly those orchestrated by transnational criminal organizations (TCOs), sometimes with foreign state support. It directs multiple federal agencies to review and strengthen defenses, establish a coordinated operational cell within the National Coordination Center, enhance victim support through a proposed Victims Restoration Program, and engage internationally to pressure nations that harbor these criminal groups. The order emphasizes law enforcement, diplomacy, and potential offensive actions to disrupt and dismantle these threats.  <a href="https://www.whitehouse.gov/presidential-actions/2026/03/combating-cybercrime-fraud-and-predatory-schemes-against-american-citizens/">https://www.whitehouse.gov/presidential-actions/2026/03/combating-cybercrime-fraud-and-predatory-schemes-against-american-citizens/</a></p><p>C&#8217;mon, where are the controls?  A Catholic bishop in the San Diego area resigned after being arrested and charged with embezzling $270,000 from St. Peter Chaldean Catholic Cathedral in El Cajon, California. He faces 16 felony charges, including money laundering, with prosecutors alleging he misappropriated monthly rental payments exceeding $30,000 from a church tenant. <a href="https://www.ncronline.org/news/pope-announces-resignation-us-bishop-accused-embezzling-270k-california-parish">https://www.ncronline.org/news/pope-announces-resignation-us-bishop-accused-embezzling-270k-california-parish</a></p><p>Not a good week for men of the cloth.  The head priest of Trinity Episcopal Cathedral in Pittsburgh was arrested on February 27 after being accused of stealing over $1,000 in baseball cards from a Walmart in Economy Borough. Police say he was caught leaving the store with 27 packs of baseball cards concealed on his person, and security footage allegedly showed him stealing from the same store on five separate occasions. 
The very reverend faces charges of receiving stolen property and retail theft. <a href="https://abcnews.com/US/wireStory/head-priest-episcopal-church-pittsburgh-accused-stealing-baseball-130976273">https://abcnews.com/US/wireStory/head-priest-episcopal-church-pittsburgh-accused-stealing-baseball-130976273</a></p><p>Crypto traders: &#8220;Slippage&#8221; will kill you. Or cost you 50 million dollars. <em>&#8220;Slippage is the difference between the price a trader would expect to get in a trade and the price they receive once the transaction executes. This can happen in large orders or when liquidity is weak.&#8221;</em> <a href="https://www.theblock.co/post/393466/crypto-whale-loses-nearly-50-million-swapping-usdt-for-aave">https://www.theblock.co/post/393466/crypto-whale-loses-nearly-50-million-swapping-usdt-for-aave</a></p><p>A ransomware negotiator working for an incident response firm has been accused by the Department of Justice of secretly collaborating with the ALPHV/BlackCat cybercrime group while helping victims negotiate ransoms. The man and two colleagues allegedly carried out at least 10 ransomware attacks and shared confidential negotiation details with criminals to increase ransom payments in exchange for a share of the proceeds, with ransoms reaching up to $26 million. <a href="https://therecord.media/ransomware-blackcat-doj-incident-responder">https://therecord.media/ransomware-blackcat-doj-incident-responder</a></p><div><hr></div><h4>Bonus</h4><p>Anthropic is doubling the usage limits for Claude during off-hours. So do your heavy work at 2 am. <a href="https://support.claude.com/en/articles/14063676-claude-march-2026-usage-promotion">https://support.claude.com/en/articles/14063676-claude-march-2026-usage-promotion</a></p><div><hr></div><h4>Cool Job</h4><p>Head of Digital Financial Crimes Compliance, State Street. 
<a href="https://statestreet.wd1.myworkdayjobs.com/Global/job/Boston-Massachusetts/Head-of-Digital-Financial-Crimes-Compliance--Managing-Director_R-781812">https://statestreet.wd1.myworkdayjobs.com/Global/job/Boston-Massachusetts/Head-of-Digital-Financial-Crimes-Compliance--Managing-Director_R-781812</a></p><p>Financial Crimes Investigations Specialist, DraftKings.  <a href="https://draftkings.wd1.myworkdayjobs.com/draftkings/job/Remote---US/Financial-Crimes-Investigations-Specialist_JR13845-3">https://draftkings.wd1.myworkdayjobs.com/draftkings/job/Remote---US/Financial-Crimes-Investigations-Specialist_JR13845-3</a></p><h4>Cool Tool</h4><p>Notes as easy as texting. <a href="https://prism.you/"> https://prism.you/</a></p><p>ABA Routing Number Look-up/Search.  <a href="https://routingnumber.aba.com/Search1.aspx">https://routingnumber.aba.com/Search1.aspx</a></p><div><hr></div><h4>DFIR</h4><p>The forensic value of Apple Spotlight artifacts.  <a href="https://forensafe.com/blogs/apple-spotlight.html">https://forensafe.com/blogs/apple-spotlight.html</a></p><div><hr></div><h4>Young people&#8230;</h4><p>Claude assessed itself and identified the jobs it will replace. Pivot and adapt as needed. Don&#8217;t be like the wagon wheel maker who kept making wagon wheels after seeing the automobile pass through town. 
</p><figure><img src="https://substackcdn.com/image/fetch/$s_!AwOR!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd7b17363-731f-4ef4-9d3a-1794924e0af3_1268x1424.jpeg" width="1268" height="1424" alt=""></figure><p><a href="https://www.anthropic.com/research/labor-market-impacts">https://www.anthropic.com/research/labor-market-impacts</a></p><div><hr></div><h4>Irrelevant</h4><p>Sending employees back into the office isn&#8217;t going well. <a href="https://thehill.com/opinion/technology/5775420-remote-first-productivity-growth/">https://thehill.com/opinion/technology/5775420-remote-first-productivity-growth/</a></p><div><hr></div><h4>Sign Off</h4><p>My good will, positive vibes, and prayers will be offered to anyone traveling this week. What a mess. Get to the airport early and bring an extra dose of patience. I try to keep politics out of the newsletter, but damn, what do we even have these people for? 
If our elected officials can&#8217;t agree to ensure our essential security personnel, like TSA, get paychecks, then the system is graveyard dead. They all need to go, regardless of whether they have a D or R behind their name. </p><p>Thanks, </p><p>Matt</p><p>&#8220;TRY BEING INFORMED INSTEAD OF JUST OPINIONATED.&#8221;</p><p>Published every Tuesday, Threats Without Borders offers original commentary and educational pieces related to cybercrime investigations and information security topics. We also summarize and comment on news articles concerning active threat intelligence for the financial industry. The newsletter interests everyone tasked with cybersecurity or involved in preventing or investigating technology-enabled fraud, theft, or money laundering.</p><p>Legal: I am not compensated by any entity for writing this newsletter. Obviously, anything written in this space is my own nonsensical opinions and doesn&#8217;t represent the official viewpoint of my employer or any associated organization. 
Blame me, not them.</p>]]></content:encoded></item><item><title><![CDATA[Threats Without Borders - Issue 277]]></title><description><![CDATA[Cybercrime Investigation Newsletter, week ending March 8, 2028]]></description><link>https://www.threatswithoutborders.com/p/threats-without-borders-issue-277</link><guid isPermaLink="false">https://www.threatswithoutborders.com/p/threats-without-borders-issue-277</guid><dc:creator><![CDATA[Matt Dotts]]></dc:creator><pubDate>Tue, 10 Mar 2026 10:53:47 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!gnGB!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fec11d95e-ced3-4599-874c-6076838cd6ca_800x600.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>How to find a company&#8217;s email provider based on the domain.  </p><p>It&#8217;s a 50/50 task. If you solve it correctly on the first try, it&#8217;s straightforward. Otherwise, it can become endlessly complex, and you might never find the answer. As I began preparing this piece and designing a workflow to help with your investigations, I realized this isn&#8217;t just a simple few-paragraph reply suitable for a newsletter.</p><p>So, I&#8217;ll give you the easy option first.</p><p>The first step in identifying an organization&#8217;s email provider is to check the MX record for the domain, which stands for Mail Exchanger. This record is publicly published in the Internet&#8217;s Domain Name System for every organization that receives email, indicating the mail server responsible for accepting their incoming messages. Since it&#8217;s publicly accessible, you can look it up without contacting the organization or leaving traces of your search.</p><p>To examine it, visit MXToolbox at mxtoolbox.com, enter the organization&#8217;s domain name and perform an MX Lookup. The large majority of all business organizations use either Microsoft or Google for email. 
If the record includes mail.protection.outlook.com, the organization uses Microsoft 365. If it points to google.com or contains aspmx.l.google.com, they use Google Workspace. That&#8217;s your answer, and you&#8217;re done.</p><figure><img src="https://substackcdn.com/image/fetch/$s_!RO_T!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fef58e44f-88d2-4f97-9bc1-713c91690636_2140x660.jpeg" width="1456" height="449" alt=""></figure><p>Problems arise if the MX record points to a third-party security gateway instead of Microsoft or Google. Services like Mimecast, Proofpoint, and Barracuda act as intermediaries, filtering spam and malware before forwarding messages. In those cases, the MX record only reveals the gateway used, not the actual mail hosting provider. 
If your lookup shows hostnames like mimecast.com, pphosted.com, or barracudanetworks.com, you&#8217;ll need to investigate further.</p><figure><img src="https://substackcdn.com/image/fetch/$s_!_nIs!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe9b4ebcc-3131-4af2-a85d-dce34211d42f_2138x686.jpeg" width="1456" height="467" alt=""></figure><p>When a security gateway obscures the MX record, we often turn to the SPF record. SPF, or Sender Policy Framework, lists all authorized email sending services for a domain. It aims to prevent email fraud by confirming which servers are legitimate senders, helping mail systems verify message authenticity. Importantly, the list must include the actual mailbox provider; otherwise, legitimate emails could be marked as spam or blocked. This makes the SPF record especially useful during investigations.</p><p>To check it, go back to MXToolbox, click the dropdown next to the search button, and select SPF Record Lookup. Enter the same domain and run the search. Although the results may look like a string of technical text, focus on entries starting with &#8220;include:&#8221;. 
These indicate external services trusted to send mail for the domain. For example, include:spf.protection.outlook.com suggests Microsoft 365, while include:_spf.google.com indicates Google Workspace &#8212; regardless of the MX record.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!-t5n!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1ecfba5a-c697-4eef-aea5-1b1aba826f03_2128x1020.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!-t5n!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1ecfba5a-c697-4eef-aea5-1b1aba826f03_2128x1020.jpeg 424w, https://substackcdn.com/image/fetch/$s_!-t5n!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1ecfba5a-c697-4eef-aea5-1b1aba826f03_2128x1020.jpeg 848w, https://substackcdn.com/image/fetch/$s_!-t5n!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1ecfba5a-c697-4eef-aea5-1b1aba826f03_2128x1020.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!-t5n!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1ecfba5a-c697-4eef-aea5-1b1aba826f03_2128x1020.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!-t5n!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1ecfba5a-c697-4eef-aea5-1b1aba826f03_2128x1020.jpeg" width="1456" height="698" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/1ecfba5a-c697-4eef-aea5-1b1aba826f03_2128x1020.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:698,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:684631,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/jpeg&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.threatswithoutborders.com/i/190318852?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1ecfba5a-c697-4eef-aea5-1b1aba826f03_2128x1020.jpeg&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!-t5n!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1ecfba5a-c697-4eef-aea5-1b1aba826f03_2128x1020.jpeg 424w, https://substackcdn.com/image/fetch/$s_!-t5n!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1ecfba5a-c697-4eef-aea5-1b1aba826f03_2128x1020.jpeg 848w, https://substackcdn.com/image/fetch/$s_!-t5n!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1ecfba5a-c697-4eef-aea5-1b1aba826f03_2128x1020.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!-t5n!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1ecfba5a-c697-4eef-aea5-1b1aba826f03_2128x1020.jpeg 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><p>A security gateway that fronts the MX record can accept inbound mail and hide where it is ultimately delivered, but it cannot hide the outbound authorization record. The domain&#8217;s SPF record has to name the real provider, because receivers treat mail from any source it does not list as a failure, and since it lives in public DNS anyone can query and read it. Usually, when Phase 1 yields nothing, Phase 2 provides the answer.</p><p>The harder cases are organizations that obscure their third-party hosting or run their own mail server. We&#8217;ll look at some of those next week.</p><div><hr></div><h4>The News&#8230;</h4><p>The FBI warns of a phishing scam in which criminals impersonate city and county officials to solicit fraudulent permit payments. Victims receive emails containing accurate permit information that request payment via wire transfer, peer-to-peer payment, or cryptocurrency. 
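</p><p>The Phase 2 lookup described above, worked as an added example (this is not code from the newsletter): a small SPF walker that expands a domain&#8217;s v=spf1 record, follows include: and redirect= terms, and lists every source the record authorizes to send as that domain. DNS answers come from a constructed in-memory table so it runs offline; every domain and record in that table is an assumption for illustration, not a real published record. The ten-lookup limit it enforces is the one RFC 7208 imposes on real checkers, and the loop and duplicate-record cases are the conditions a real check reports as permerror.</p>

```python
import re
from collections import deque

# Constructed, offline stand-in for DNS TXT answers. Every domain and record here
# is an assumption for illustration, not a real published record.
FAKE_TXT = {
    "example-corp.test": [
        "v=spf1 include:_spf.gateway-vendor.test include:spf.protection.m365-like.test ip4:203.0.113.0/24 -all",
        "site-verification=abc123",   # unrelated TXT record; a walker must ignore it
    ],
    "_spf.gateway-vendor.test": ["v=spf1 ip4:198.51.100.0/24 include:_spf.workspace-like.test ~all"],
    "spf.protection.m365-like.test": ["v=spf1 ip4:198.51.100.128/25 ip6:2001:db8::/32 -all"],
    "_spf.workspace-like.test": ["v=spf1 include:_netblocks.workspace-like.test -all"],
    "_netblocks.workspace-like.test": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "legacy.test": ["v=spf1 redirect=example-corp.test"],
    "loop.test": ["v=spf1 include:loop.test -all"],
    "dup.test": ["v=spf1 -all", "v=spf1 +all"],
}

MAX_DNS_LOOKUPS = 10   # RFC 7208 s4.6.4: include, redirect, a, mx, ptr, exists each cost one
DNS_MECH = re.compile(r"^(a|mx|ptr|exists)(:|/|$)")


def get_spf(domain, txt_table):
    """Return the domain's single v=spf1 record, or None if there is none or several (permerror)."""
    records = [r for r in txt_table.get(domain, []) if r.lower().startswith("v=spf1")]
    return records[0] if len(records) == 1 else None


def walk_spf(domain, txt_table=FAKE_TXT):
    """Expand a domain's SPF record breadth-first.

    Returns a dict with
      senders  - (domain whose record grants it, mechanism) for every authorized source
      includes - every domain pulled in through include: or redirect=, in the order seen
      lookups  - DNS-consuming terms encountered
      errors   - conditions a real checker reports as permerror
    """
    result = {"senders": [], "includes": [], "lookups": 0, "errors": []}
    seen = set()
    queue = deque([domain])
    while queue:
        current = queue.popleft()
        if current in seen:
            result["errors"].append(f"loop via {current}")
            continue
        seen.add(current)
        record = get_spf(current, txt_table)
        if record is None:
            result["errors"].append(f"no usable SPF record at {current}")
            continue
        for term in record.split()[1:]:
            mech = term.lstrip("+-~?")          # the qualifier does not change what a term references
            is_include = mech.startswith(("include:", "redirect="))
            is_dns_mech = DNS_MECH.match(mech) is not None
            if is_include or is_dns_mech:
                result["lookups"] += 1
                if result["lookups"] > MAX_DNS_LOOKUPS:
                    result["errors"].append("more than 10 DNS lookups (permerror)")
                    return result
            if is_include:
                # a real checker evaluates redirect= last; for enumeration the order is irrelevant
                target = mech.split(":", 1)[1] if mech.startswith("include:") else mech.split("=", 1)[1]
                result["includes"].append(target)
                queue.append(target)
            elif is_dns_mech or mech.startswith(("ip4:", "ip6:")):
                result["senders"].append((current, mech))
            # "all" and unknown modifiers authorize nothing and are skipped
    return result


def providers_for(domain, txt_table=FAKE_TXT):
    """The investigator's question: which records actually authorize senders for this domain?"""
    return sorted({source for source, _ in walk_spf(domain, txt_table)["senders"]})


if __name__ == "__main__":
    for d in ("example-corp.test", "legacy.test", "loop.test", "dup.test"):
        r = walk_spf(d)
        print(f"{d}: lookups={r['lookups']} errors={r['errors']}")
        for source, mech in r["senders"]:
            print(f"  {mech} via {source}")
```

<p>Against a live domain the table is replaced by real TXT queries (dig +short TXT example.com, then the same for each include), and the names to watch for are the well-known provider includes, such as spf.protection.outlook.com for Microsoft 365 and _spf.google.com for Google Workspace: a gateway vendor&#8217;s include placed in front of them does not hide them, because the walker follows it. A record that names only the organization&#8217;s own ip4: blocks, or one that ends in +all or ?all, is the harder case mentioned above, where the organization runs its own mail or has chosen not to constrain its senders.</p><p>FBI PSA: 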
<a href="https://www.ic3.gov/PSA/2026/PSA260309">https://www.ic3.gov/PSA/2026/PSA260309</a></p><p>The White House released its cybersecurity policy in the new document &#8220;President Trump&#8217;s Cyber Strategy for America.&#8221; Normally, I&#8217;d respond with &#8220;Meh,&#8221; since government policies, papers, and promises are pretty worthless. However, President Trump has established a pretty good track record of following through on his commitments, for better or worse. We should digest this document and prepare to work within its guidelines because it&#8217;s likely to be carried out.  <a href="https://www.whitehouse.gov/wp-content/uploads/2026/03/President-Trumps-Cyber-Strategy-for-America.pdf">https://www.whitehouse.gov/wp-content/uploads/2026/03/President-Trumps-Cyber-Strategy-for-America.pdf</a></p><p>Tycoon 2FA was a major Phishing-as-a-Service (PhaaS) platform that appeared in 2023 and was further developed in 2024 to defeat multi-factor authentication with adversary-in-the-middle (AiTM) attacks: the kit proxies the real login page, captures the live session cookie once the victim has completed MFA, and replays it to take over the account. It was associated with more than 64,000 phishing incidents affecting nearly 100,000 organizations worldwide, and at its height accounted for approximately 62% of all phishing attempts blocked by Microsoft. In early 2026, a coordinated operation led by Europol, with Microsoft, Intel 471, Cloudflare, Coinbase, and others, dismantled the platform&#8217;s infrastructure, seizing 330 domains and arresting the alleged ringleader.   <a href="https://www.intel471.com/blog/born-to-bypass-mfa-taking-down-tycoon-2fa">https://www.intel471.com/blog/born-to-bypass-mfa-taking-down-tycoon-2fa</a></p><p>BLUF: Keep your device updated to the most recent version of iOS.  Security researchers at Google discovered an iPhone exploit kit called Coruna, originally used by a government customer, that has since leaked and spread to cybercriminals. 
The kit can compromise iPhones running iOS 13 through 17.2.1 by chaining together 23 vulnerabilities, requiring only that a target visit a malicious website. After its initial discovery in February 2025, the same toolkit was found being used by a Russian espionage group targeting Ukrainians and later by a financially motivated hacker in China. Mobile security firm iVerify linked the tools to the U.S. government, drawing parallels to previously attributed American hacking frameworks. <a href="https://cloud.google.com/blog/topics/threat-intelligence/coruna-powerful-ios-exploit-kit">https://cloud.google.com/blog/topics/threat-intelligence/coruna-powerful-ios-exploit-kit</a></p><p>The FBI has extradited a 28-year-old Bangladeshi from Malaysia to Alaska to face charges related to an international child sexual exploitation ring. Indicted in 2022 by an Alaska federal grand jury, the man is accused of using Instagram and Snapchat to coercively obtain sexually explicit material from hundreds of minors across the U.S. and internationally. He faces multiple charges, including conspiracy to produce child pornography, child exploitation enterprise, cyberstalking, and wire fraud. If convicted, he could face 20 years to life imprisonment. Kudos to the BU, Alaska State Police, and Anchorage PD for wrapping this guy up.  <a href="https://www.justice.gov/usao-ak/pr/bangladeshi-national-make-initial-appearance-following-arrest-fbi-international">https://www.justice.gov/usao-ak/pr/bangladeshi-national-make-initial-appearance-following-arrest-fbi-international</a></p><p>Who says crime doesn&#8217;t pay?  Retail crime certainly seems to pay.  This Ohio woman defrauded Home Depot of $266,699 through 1700 fraudulent returns. She was sentenced to 180 days in jail and five years of community supervision.  Oh, and restitution, but we all know that will likely never happen.  So, a quarter of a million dollars to sit in jail for 180 days?  Some might say that&#8217;s a steal.  
<a href="https://www.cleveland19.com/2026/03/05/ohio-womans-multi-state-retail-fraud-scheme-created-266699-fake-store-credit-police/">https://www.cleveland19.com/2026/03/05/ohio-womans-multi-state-retail-fraud-scheme-created-266699-fake-store-credit-police/</a></p><div><hr></div><h4>DFIR</h4><p>I once testified as an expert witness in a trial concerning the recovery of dashcam video evidence.  I removed the microSD card from the device, cloned it, and then played the mp4 file to isolate the time period of the vehicle crash.  It takes an expert to explain that process, I guess.  In this post, SalvationData goes a little deeper into the process.  <a href="https://www.salvationdata.com/product-tips/dashcam-video-recovery/">https://www.salvationdata.com/product-tips/dashcam-video-recovery/</a></p><div><hr></div><h4>Mail Call</h4><p><em>&#8220;Matt, don&#8217;t hate the player, hate the game.  Personal branding is now a professional requirement, and LinkedIn is the most efficient place to do it.&#8221;</em> - TF</p><div><hr></div><h4>Speaking of LinkedIn</h4><p>I&#8217;ve been notably resistant to freaking out about AI being used to facilitate cybercrime, noting that the old methods still work just fine. But every day I become more bullish.  </p><p>TrendAI researchers demonstrate how publicly available LinkedIn data can be rapidly weaponized into highly targeted phishing attacks using AI tools. The researchers built a proof-of-concept system that automates the collection of public LinkedIn posts and images, analyzes them for contextual insights, and generates detailed employee profiles. Using AI, the tool identifies key professional interests, creates personalized marketing emails, discovers likely email addresses, and even generates realistic phishing websites tailored to the target&#8217;s expertise&#8212;all within 30 minutes. 
</p><p><a href="https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/from-linkedin-to-tailored-attack-in-30-minutes-how-ai-accelerates-target-profiling-for-cybercrime">https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/from-linkedin-to-tailored-attack-in-30-minutes-how-ai-accelerates-target-profiling-for-cybercrime</a></p><div><hr></div><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!3-9a!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2d20f5ae-2ed7-4165-91dd-e4ecab8e2fd8_1212x430.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!3-9a!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2d20f5ae-2ed7-4165-91dd-e4ecab8e2fd8_1212x430.jpeg 424w, https://substackcdn.com/image/fetch/$s_!3-9a!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2d20f5ae-2ed7-4165-91dd-e4ecab8e2fd8_1212x430.jpeg 848w, https://substackcdn.com/image/fetch/$s_!3-9a!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2d20f5ae-2ed7-4165-91dd-e4ecab8e2fd8_1212x430.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!3-9a!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2d20f5ae-2ed7-4165-91dd-e4ecab8e2fd8_1212x430.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!3-9a!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2d20f5ae-2ed7-4165-91dd-e4ecab8e2fd8_1212x430.jpeg" width="1212" 
height="430" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/2d20f5ae-2ed7-4165-91dd-e4ecab8e2fd8_1212x430.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:430,&quot;width&quot;:1212,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:109097,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/jpeg&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.threatswithoutborders.com/i/190318852?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2d20f5ae-2ed7-4165-91dd-e4ecab8e2fd8_1212x430.jpeg&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!3-9a!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2d20f5ae-2ed7-4165-91dd-e4ecab8e2fd8_1212x430.jpeg 424w, https://substackcdn.com/image/fetch/$s_!3-9a!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2d20f5ae-2ed7-4165-91dd-e4ecab8e2fd8_1212x430.jpeg 848w, https://substackcdn.com/image/fetch/$s_!3-9a!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2d20f5ae-2ed7-4165-91dd-e4ecab8e2fd8_1212x430.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!3-9a!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2d20f5ae-2ed7-4165-91dd-e4ecab8e2fd8_1212x430.jpeg 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><div><hr></div><h4>Cool Job</h4><p>Fraud Investigator, PSECU.  <a href="https://psecu.wd12.myworkdayjobs.com/PSECU/job/Harrisburg-PA/Fraud-Investigator_JR100773">https://psecu.wd12.myworkdayjobs.com/PSECU/job/Harrisburg-PA/Fraud-Investigator_JR100773</a> </p><p>Security Investigations Manager, Anduril.  <a href="https://job-boards.greenhouse.io/andurilindustries/jobs/5051653007">https://job-boards.greenhouse.io/andurilindustries/jobs/5051653007</a></p><h4>Cool Tool</h4><p>Find Flock cameras.  <a href="https://deflock.org/">https://deflock.org/</a></p><div><hr></div><h4>Irrelevant</h4><p>System76 builds computers that ship with Linux, and it publishes and maintains the Pop!_OS distribution.  I&#8217;ve used both, the hardware and the software.  
</p><p>Colorado&#8217;s Senate Bill 26-051 and California&#8217;s Assembly Bill No. 1043 mandate that operating systems must report age brackets to app stores and websites. When someone creates an account on a computer, they are expected to be 18 or older and confirm their age, whether for themselves or their child. In reality, this regulation implies that individuals under 18 are generally not supposed to set up their own computer accounts.</p><p>The law requires technology providers to verify that all users are of legal age. While the Internet has harmful content and children need protection, it is ultimately the parents&#8217; responsibility to provide guardrails. Stop expecting technology and Internet Service Providers to act as parents.</p><p>The CEO of Colorado-based System76 offers a clearer, better-argued case for why we should probably oppose these age-verification laws.</p><p><a href="https://blog.system76.com/post/system76-on-age-verification">https://blog.system76.com/post/system76-on-age-verification</a></p><div><hr></div><h4>Sign Off</h4><p>I felt something I haven&#8217;t in a long time this week.  The warmth of the sun.  Yeah, that big yellow orange thing in the sky.  It&#8217;s still there and doing well.  And the microdose of vitamin D has given me some hope we&#8217;ll pull out of the long cold winter season.</p><p>Thanks for staying with me each week, even when the newsletter is trash.</p><p>See you all next week.</p><p>Matt</p><p>&#8220;EVERY DAY YOU WAIT IS ANOTHER DAY YOU WON&#8217;T GET BACK.&#8221;</p><div><hr></div><p>Published every Tuesday, Threats Without Borders offers original commentary and educational pieces related to cybercrime investigations and information security topics. We also summarize and comment on news articles concerning active threat intelligence for the financial industry. 
The newsletter interests everyone tasked with cybersecurity or involved in preventing or investigating technology-enabled fraud, theft, or money laundering.</p><div class="subscription-widget-wrap-editor" data-attrs="{&quot;url&quot;:&quot;https://www.threatswithoutborders.com/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe&quot;,&quot;language&quot;:&quot;en&quot;}" data-component-name="SubscribeWidgetToDOM"><div class="subscription-widget show-subscribe"><div class="preamble"><p class="cta-caption">Thanks for reading Threats Without Borders! Subscribe for free to receive new posts and support my work.</p></div><form class="subscription-widget-subscribe"><input type="email" class="email-input" name="email" placeholder="Type your email&#8230;" tabindex="-1"><input type="submit" class="button primary" value="Subscribe"><div class="fake-input-wrapper"><div class="fake-input"></div><div class="fake-button"></div></div></form></div></div><p>Legal: I am not compensated by any entity for writing this newsletter. Obviously, anything written in this space is my own nonsensical opinions and doesn&#8217;t represent the official viewpoint of my employer or any associated organization. 
Blame me, not them.</p>]]></content:encoded></item><item><title><![CDATA[Threats Without Borders - Issue 276]]></title><description><![CDATA[Cybersecurity Investigation Newsletter, Week ending March 1, 2026]]></description><link>https://www.threatswithoutborders.com/p/threats-without-borders-issue-276</link><guid isPermaLink="false">https://www.threatswithoutborders.com/p/threats-without-borders-issue-276</guid><dc:creator><![CDATA[Matt Dotts]]></dc:creator><pubDate>Tue, 03 Mar 2026 12:44:46 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!gnGB!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fec11d95e-ced3-4599-874c-6076838cd6ca_800x600.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>Sometimes, I manage to get it right&#8212;recognizing trends, catching the right wave. I've been emphasizing TOAD attacks (Telephone Oriented Attack Delivery), also known as Call Back Fraud, for over two years. I've written about this attack multiple times in the newsletter and included it professionally in my security awareness trainings.  </p><p>This new report from StrongestLayer confirms that my prediction about the attack's prevalence was accurate. </p><p>TOAD is no longer an emerging tactic; it&#8217;s become one of the dominant ways attackers bypass enterprise email security.</p><p>StrongestLayer shows that more than one in four successful phishing emails now use a phone number as the payload. That means no malicious link. No malware attachment. No exploit kit. Just a callback number.</p><p>And that&#8217;s precisely why it works.</p><p>Traditional Secure Email Gateways (SEGs) are designed to scan URLs, detonate attachments, and score message content for known malicious indicators. TOAD attacks contain none of those. The &#8220;weapon&#8221; is a string of digits, indistinguishable from a legitimate business contact number. 
Blocking on financial language plus a phone number would cripple normal accounts-payable traffic. From an architectural standpoint, these attacks operate in a structural blind spot.</p><p>Understanding TOAD requires understanding its layered evasion model.</p><p>Layer One: Trusted Delivery. Messages are often sent through legitimate infrastructure such as SendGrid or other reputable email service providers, so reputation filtering sees a clean sending domain and allows delivery.</p><p>Layer Two: Anti-Scanner. Some campaigns put the lure inside a PDF, behind a QR code, or behind a CAPTCHA gate. Automated sandboxes follow the link, hit the challenge page, and mark the message safe because they never reach the malicious content.</p><p>Layer Three: Channel Shift. This is the core of TOAD. The victim calls the number, and the social engineering happens over the phone. Credential harvesting, remote-access tool installation, or gift card fraud can unfold during a 20&#8211;30-minute conversation. By design, this occurs outside the email system and outside our endpoint detection tools.  </p><p>For investigators, this means the crime scene is not the inbox. It is the phone call and the subsequent cloud authentication logs. 
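</p><p>The blind spot described above, made concrete as an added example (not code from the StrongestLayer report or from this newsletter): a triage heuristic run over three constructed messages. Instead of blocking on financial language plus a phone number, it scores the combination the layered model describes: a callback number as the only call to action, a transaction amount, urgency or dispute framing, a brand named in the text that the sending domain does not belong to, and a near-empty body with the lure moved into an attachment. It also normalizes the numbers it extracts so the same callback line can be matched across cases, which is the pivot once the crime scene moves to the phone call. The messages, brands, domains, weights, and threshold are all assumptions for illustration.</p>

```python
import re

# Constructed sample messages (not real mail). Each is a minimal parsed view of an
# inbound email: sending domain, subject, body text, extracted URLs, attachments,
# and, where a sandbox extracted it, the text found inside the attachment.
SAMPLES = [
    {   # classic TOAD: renewal notice, no links, the phone number is the payload
        "id": "msg-1", "from_domain": "mail.bulk-sender.test",
        "subject": "Your Geek Squad Protection plan has been renewed",
        "body": "Dear Customer, $399.99 has been charged for your annual plan. "
                "If you did not authorize this transaction call 1-800-555-0143 "
                "within 24 hours to cancel.",
        "urls": [], "attachments": [],
    },
    {   # legitimate accounts-payable traffic: amount, phone number, portal link
        "id": "msg-2", "from_domain": "acme-supplies.test",
        "subject": "Invoice 4471 due in 30 days",
        "body": "Please find invoice 4471 for $1,250.00 attached. Questions? "
                "Call our billing desk at (555) 010-2200 or pay online.",
        "urls": ["https://portal.acme-supplies.test/pay"], "attachments": ["invoice-4471.pdf"],
    },
    {   # layer-two variant: bare body, the lure and the number live inside the PDF
        "id": "msg-3", "from_domain": "notify.example-esp.test",
        "subject": "PayPal: payment receipt",
        "body": "Your receipt is attached.",
        "urls": [], "attachments": ["receipt.pdf"],
        "attachment_text": "PayPal charge of $299.00. To dispute call +1 800 555 0188 immediately.",
    },
]

# Brands worth protecting and the domain that legitimately sends for each (assumed values).
BRANDS = {"geek squad": "bestbuy.test", "paypal": "paypal.test", "norton": "norton.test"}
URGENCY = re.compile(r"\b(within \d+ hours|immediately|urgent|cancel|dispute|unauthorized|did not authorize)\b", re.I)
MONEY = re.compile(r"\$\s?\d[\d,]*(\.\d{2})?")
PHONE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b")


def normalize_phone(raw):
    """Reduce a written number to E.164-style digits so the same callback line matches
    across messages and cases (assumes North American numbers, as the samples do)."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) == 10:
        digits = "1" + digits
    return "+" + digits


def sent_by(sender_domain, home_domain):
    """True if the sending domain is the brand's own domain or a subdomain of it."""
    return sender_domain == home_domain or sender_domain.endswith("." + home_domain)


def score_toad(msg):
    """Return (score, reasons, callback_numbers) for one parsed message.
    Weights are assumptions for illustration, not values from any report."""
    text = " ".join([msg["subject"], msg["body"], msg.get("attachment_text", "")])
    numbers = sorted({normalize_phone(m.group(0)) for m in PHONE.finditer(text)})
    score, reasons = 0, []
    if numbers and not msg["urls"]:            # the structural blind spot: digits, no URL
        score += 3
        reasons.append("phone number is the only call to action")
    if MONEY.search(text):
        score += 1
        reasons.append("transaction amount")
    if URGENCY.search(text):
        score += 1
        reasons.append("urgency / dispute framing")
    for brand, home_domain in BRANDS.items():
        if brand in text.lower() and not sent_by(msg["from_domain"], home_domain):
            score += 2
            reasons.append(f"names {brand} but sent from {msg['from_domain']}")
            break
    if msg.get("attachment_text") and len(msg["body"].split()) <= 8:
        score += 1
        reasons.append("lure moved into attachment, near-empty body")
    return score, reasons, numbers


def triage(messages, threshold=5):
    """Flag TOAD candidates and collect their normalized callback numbers as IOCs."""
    flagged, iocs = [], set()
    for msg in messages:
        score, reasons, numbers = score_toad(msg)
        if score >= threshold:
            flagged.append((msg["id"], score, reasons))
            iocs.update(numbers)
    return flagged, sorted(iocs)


if __name__ == "__main__":
    hits, callback_numbers = triage(SAMPLES)
    for msg_id, score, reasons in hits:
        print(msg_id, score, "; ".join(reasons))
    print("callback IOCs:", callback_numbers)
```

<p>Against real mail this would sit behind the gateway rather than replace it: the phone pattern is North American only, the brand list is the organization&#8217;s own, and the weights should be tuned on the accounts-payable traffic the text warns about, which is why the legitimate invoice in the sample scores one despite carrying a phone number and a dollar amount. The normalized numbers are the artifact to carry into the investigation, since the same callback line tends to reappear across campaigns and across the authentication logs of the accounts that were compromised after the call.</p><p>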
As attackers deliberately move away from malware and toward human exploitation, investigators must adapt accordingly.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!96XP!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F34304538-9727-4c37-a000-2ec23a4faad4_1594x1976.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!96XP!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F34304538-9727-4c37-a000-2ec23a4faad4_1594x1976.jpeg 424w, https://substackcdn.com/image/fetch/$s_!96XP!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F34304538-9727-4c37-a000-2ec23a4faad4_1594x1976.jpeg 848w, https://substackcdn.com/image/fetch/$s_!96XP!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F34304538-9727-4c37-a000-2ec23a4faad4_1594x1976.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!96XP!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F34304538-9727-4c37-a000-2ec23a4faad4_1594x1976.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!96XP!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F34304538-9727-4c37-a000-2ec23a4faad4_1594x1976.jpeg" width="1456" height="1805" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/34304538-9727-4c37-a000-2ec23a4faad4_1594x1976.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1805,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:700474,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/jpeg&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.threatswithoutborders.com/i/189522013?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F34304538-9727-4c37-a000-2ec23a4faad4_1594x1976.jpeg&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!96XP!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F34304538-9727-4c37-a000-2ec23a4faad4_1594x1976.jpeg 424w, https://substackcdn.com/image/fetch/$s_!96XP!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F34304538-9727-4c37-a000-2ec23a4faad4_1594x1976.jpeg 848w, https://substackcdn.com/image/fetch/$s_!96XP!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F34304538-9727-4c37-a000-2ec23a4faad4_1594x1976.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!96XP!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F34304538-9727-4c37-a000-2ec23a4faad4_1594x1976.jpeg 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><p>This TOAD attack is designed to make me believe I was wrongly charged for a Geek Squad Protection plan for someone else. But if I act quickly enough, I can cancel the transaction. No links, no email addresses, just a phone number. I just need to call them!</p><p>Read the StrongestLayer report: <a href="https://cdn.prod.website-files.com/692908f21a0929f1fb06bc04/699df5313a4d214a1d53bd72_2026_Evasion_Technique_Combinations_Research_final.pdf">https://cdn.prod.website-files.com/692908f21a0929f1fb06bc04/699df5313a4d214a1d53bd72_2026_Evasion_Technique_Combinations_Research_final.pdf</a></p><div><hr></div><h4>Unlinking from LinkedIn</h4><p>I received several comments concerning my take on LinkedIn, included in last week&#8217;s issue (275).  
</p><p>Sometimes I think LinkedIn has quietly evolved into professional performance art. It&#8217;s just a theater.</p><p>People spend enormous amounts of time crafting long-form posts explaining concepts to&#8230; other professionals in the exact same field. If most of your network consists of peers who do what you do, who exactly is the audience?</p><p>It can feel a bit like delivering a keynote at a firefighter convention about the dangers of smoke inhalation. Important? Absolutely. Groundbreaking? Not so much.</p><p>That doesn&#8217;t make the content wrong. But it does raise an interesting question: are we sharing insight, or signaling expertise? Are we advancing the conversation, or just making sure everyone sees us advancing it?</p><p>There&#8217;s nothing inherently wrong with visibility. Thought leadership has its place. But when all of the applause comes from people who already know the script, it&#8217;s worth asking whether we&#8217;re educating&#8230; or performing.</p><p>And there&#8217;s nothing wrong with performing&#8212;obviously, it's something I do every week, but only in the appropriate place.  </p><div><hr></div><h4>The News&#8230;</h4><p>Oklahoma man will serve 46 months in federal prison for bank fraud and money laundering. He exploited insider access at multiple financial services companies and a banking software company to steal over $588,000 from accounts at three of the financial institutions.  <a href="https://www.cutimes.com/2026/02/09/former-credit-union-employee-sentenced-in-588000-insider-fraud-case/">https://www.cutimes.com/2026/02/09/former-credit-union-employee-sentenced-in-588000-insider-fraud-case/</a></p><p>An unknown attacker exploited Anthropic&#8217;s Claude AI chatbot to breach multiple Mexican government agencies between December and January, stealing 150 gigabytes of sensitive data,  including 195 million taxpayer records, voter information, and government employee credentials. 
The attacker used Spanish-language prompts to instruct Claude to act as an elite hacker, finding vulnerabilities and automating data theft. Although Claude initially refused some requests, the hacker eventually jailbroke it by framing the attacks as legitimate penetration testing and providing a detailed playbook. <a href="https://www.siliconvalley.com/2026/02/25/hacker-used-anthropics-claude-to-steal-sensitive-mexican-data/">https://www.siliconvalley.com/2026/02/25/hacker-used-anthropics-claude-to-steal-sensitive-mexican-data/</a></p><p>AirSnitch is a newly disclosed Wi-Fi attack that bypasses client isolation, the access-point feature meant to stop devices on the same network from talking to each other directly, by exploiting weaknesses at the lowest network layers. Rather than breaking the encryption itself, it lets an attacker who already has access to the Wi-Fi network (or to connected infrastructure) perform man-in-the-middle attacks, intercept unencrypted traffic, steal credentials, and manipulate data across home, office, and enterprise networks. The weakness affects routers from major manufacturers including Netgear, Cisco, and D-Link; it requires more technical skill than some earlier Wi-Fi attacks and can be partially mitigated with VPNs, zero-trust designs, or by avoiding untrusted networks, but no complete fix is available yet.  <a href="https://arstechnica.com/security/2026/02/new-airsnitch-attack-breaks-wi-fi-encryption-in-homes-offices-and-enterprises/">https://arstechnica.com/security/2026/02/new-airsnitch-attack-breaks-wi-fi-encryption-in-homes-offices-and-enterprises/</a></p><p>A new federal anti-money laundering rule, effective March 1, 2026, requires reporting of beneficial ownership details (names, addresses, SSNs) for all-cash or non-financed residential real estate purchases made by entities or trusts. 
The report must be filed with FinCEN within 30&#8211;60 days of closing, typically by the closing agent, and title companies may refuse to close without this information. While real estate agents aren&#8217;t directly responsible, they should inform clients. FinCEN estimates 800,000&#8211;850,000 annual transactions will be affected.  <a href="https://www.nar.realtor/magazine/real-estate-news/anti-money-laundering-rule-aimed-at-all-cash-buyers-goes-into-effect-march-1">https://www.nar.realtor/magazine/real-estate-news/anti-money-laundering-rule-aimed-at-all-cash-buyers-goes-into-effect-march-1</a></p><p>Not victim-blaming here, but how did this situation escalate to the point where you&#8217;re paying over 4 million dollars to help your daughter become a model? A photographer was charged with wire fraud and money laundering after allegedly swindling a family out of $4.6 million. Prosecutors say the photographer, Coyne, falsely claimed she was securing modeling gigs for the family&#8217;s daughter, but instead used the money for personal expenses such as gambling.  <a href="https://petapixel.com/2026/03/02/fbi-charge-photographer-with-4-6-million-child-modeling-fraud/">https://petapixel.com/2026/03/02/fbi-charge-photographer-with-4-6-million-child-modeling-fraud/</a></p><div><hr></div><h4>DFIR</h4><p>The forensic value of Apple Maps.  <a href="https://forensafe.com/blogs/apple-maps.html">https://forensafe.com/blogs/apple-maps.html</a></p><div><hr></div><h4>Cool Job</h4><p>Director of Security Services - Ford Motor Company.  <a href="https://efds.fa.em5.oraclecloud.com/hcmUI/CandidateExperience/en/sites/CX_1/job/59407">https://efds.fa.em5.oraclecloud.com/hcmUI/CandidateExperience/en/sites/CX_1/job/59407</a></p><h4>Cool Tool</h4><p>De-Google yourself: a complete Android-based mobile operating system that removes all things Google.  
<a href="https://e.foundation/e-os/">https://e.foundation/e-os/</a></p><div><hr></div><h4>Irrelevant</h4><div class="captioned-image-container"><figure><img src="https://substackcdn.com/image/fetch/$s_!3TqG!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd7d5760a-35f8-448c-b8a6-35398fb3bea1_1070x1086.jpeg" width="1070" height="1086" alt=""></figure></div><div><hr></div><h4>Sign Off</h4><p>Thanks for coming back after last week&#8217;s trash heap of a newsletter. So many typos, including the misspelling of my own domain. Well, I guess it shows that I&#8217;m actually writing the newsletter and not AI.  </p><p>So let&#8217;s try this again.  You can email me at [matt (at) threatswithoutborders.com]</p><p>Matt</p><div><hr></div><p>Published every Tuesday, Threats Without Borders offers original commentary and educational pieces related to cybercrime investigations and information security topics. We also summarize and comment on news articles concerning active threat intelligence for the financial industry. 
The newsletter interests everyone tasked with cybersecurity or involved in preventing or investigating technology-enabled fraud, theft, or money laundering.</p><p>Legal: I am not compensated by any entity for writing this newsletter. Obviously, anything written in this space is my own nonsensical opinions and doesn&#8217;t represent the official viewpoint of my employer or any associated organization. 
Blame me, not them.</p>]]></content:encoded></item><item><title><![CDATA[Threats Without Borders - Issue 275]]></title><description><![CDATA[Cybercrime Investigation Newsletter, week ending February 22, 2026]]></description><link>https://www.threatswithoutborders.com/p/threats-without-borders-issue-275</link><guid isPermaLink="false">https://www.threatswithoutborders.com/p/threats-without-borders-issue-275</guid><dc:creator><![CDATA[Matt Dotts]]></dc:creator><pubDate>Tue, 24 Feb 2026 11:17:06 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!gnGB!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fec11d95e-ced3-4599-874c-6076838cd6ca_800x600.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>RSAC is coming up, and I don&#8217;t even need a calendar to realize it. The evidence is in the flood of salespeople spamming my inbox with invitations to &#8220;Meet-up at RSAC?&#8221; </p><p>It feels so pretentious&#8212;every email seems to assume, &#8220;Of course, you&#8217;re attending RSAC.&#8221; There&#8217;s a hint of condescension, too, implying that if you&#8217;re not there, you&#8217;re either not among the cool kids or you&#8217;re low budget.  </p><p>Well, I&#8217;m not in the cool-kids group, and I&#8217;m very low-budget.  So I&#8217;ll gladly meet you in exchange for airfare, hotel, and a conference pass.  </p><p>Otherwise, keep your spam to yourself.  </p><div><hr></div><h4>No more BSA?</h4><blockquote><p><em>At a minimum, all the thresholds for reports required under the Bank Secrecy Act should be adjusted for inflation. Congress could go further and eliminate the reporting requirements. Even better, Congress could also do away with the Bank Secrecy Act regime entirely.</em></p></blockquote><p>Interesting take from the Cato Institute.  </p><p>The authors of &#8220;From Writs to Wires: The Surveillance State&#8217;s Long War on Privacy&#8221; explore how modern surveillance in the U.S. 
has evolved from colonial-era warrantless searches into an invisible digital system that &#8220;undermines constitutional privacy rights.&#8221; The article alleges that government agencies exploit third-party data, weaken encryption, and use technologies such as facial recognition and financial tracking to monitor citizens.  </p><blockquote><p><em>All those records held by your bank, financial planner, and similar entities are fair game for prying eyes&#8212;as long as those eyes belong to the government.</em></p></blockquote><p>Although this article was originally aimed at privacy advocates and perhaps conspiracy theorists, those working in BSA/AML should also pay attention, but for an entirely different reason. </p><p><a href="https://www.cato.org/free-society/winter-2026/writs-wires-surveillance-states-long-war-privacy">https://www.cato.org/free-society/winter-2026/writs-wires-surveillance-states-long-war-privacy</a></p><div><hr></div><h4>Mail</h4><p><em>Thanks for linking to the study that tells my wife it&#8217;s ok for me to drink a lot of coffee.</em> -JS</p><p><em>Matt, I suspect you would be very successful if you started your own business, and you are correct, paid bank holidays are a very nice perk.</em> - K</p><p><em>This week, I attended two presentations, and both could have benefited from your advice on avoiding lengthy problem explanations. In one, a speaker spent 20 minutes describing the problem to the group, who then identified it and submitted a ticket requesting it be fixed.</em>  - JohnB (See Issue 272 for reference) </p><div><hr></div><h4>The News&#8230;</h4><p>Obviously, I support the Bureau and the Internet Crime Complaint Center (IC3), but sometimes I wonder what the point is. The information they release often feels outdated. 
Cybersecurity and fraud organizations share information in real time, but the analytical and content creation processes within any government agency, not just IC3, are so time-consuming that by the time the content is ready and approved, it&#8217;s already old news.  Anyway, they released a &#8220;Flash&#8221; report about malware-enabled ATM jackpotting, which most of us knew about long before the flash.  <a href="https://www.ic3.gov/CSA/2026/260219.pdf">https://www.ic3.gov/CSA/2026/260219.pdf</a></p><p>A recent cyberattack campaign impersonates Google Meet invitations to spread malware. Victims receive a fake meeting invite from a newly registered domain, and clicking the &#8220;Join&#8221; button redirects them to a convincing fake Google Meet page hosted on an impersonated Microsoft Store site. They are then prompted to download a fake &#8220;update&#8221; installer that secretly installs the Teramind remote monitoring tool, giving attackers full control over the victim&#8217;s system and transmitting device details (IP, location, OS, etc.) to the attacker via Telegram. Important warning signs include a lookalike domain with intentional typos, a sender domain less than a month old, failed DKIM authentication, and poor HTML branding&#8212;all tactics aimed at deceiving both humans and security scanners.  <a href="https://sublime.security/blog/fake-google-meet-invitation-fake-microsoft-store-real-malware-attack/">https://sublime.security/blog/fake-google-meet-invitation-fake-microsoft-store-real-malware-attack/</a></p><p>Signal launched version 8.0 with Signal Secure Backups.  <a href="https://aboutsignal.com/news/signal-launches-version-8-0-with-signal-secure-backups/">https://aboutsignal.com/news/signal-launches-version-8-0-with-signal-secure-backups/</a></p><p>This guy laundered 2.3 million dollars through gift cards.  Seriously, most gift cards limit out at $500.  He purchased 460,000 gift cards?  
<a href="https://cbs6albany.com/news/local/chinese-man-found-guilty-in-money-laundering-conspiracy-involving-229m-in-gift-cards-fraud-jun-wang">https://cbs6albany.com/news/local/chinese-man-found-guilty-in-money-laundering-conspiracy-involving-229m-in-gift-cards-fraud-jun-wang</a></p><p>LayerX, a cybersecurity company, identified 30 malicious Chrome extensions that mimic popular AI tools like Gemini and ChatGPT, with over 260,000 downloads. These extensions appear to provide legitimate AI chat interfaces but covertly send user data to attacker-controlled servers, capturing sensitive information such as emails, browser content, and pasted text. The threat is heightened by users' tendency to share sensitive info with AI tools and the extensions' use of hidden iframes, making detection difficult during reviews. Even after the discovery was made public, several of these malicious extensions remained available on the Chrome Web Store.  <a href="https://layerxsecurity.com/blog/aiframe-fake-ai-assistant-extensions-targeting-260000-chrome-users-via-injected-iframes/">https://layerxsecurity.com/blog/aiframe-fake-ai-assistant-extensions-targeting-260000-chrome-users-via-injected-iframes/</a></p><p>Starkiller is a sophisticated phishing-as-a-service (PhaaS) tool that bypasses traditional security measures, including MFA, by live-proxying legitimate login pages instead of mimicking them. This allows attackers to capture credentials and session tokens in real time, making detection extremely difficult since victims interact with actual websites. The tool&#8217;s user-friendly interface and automation lower the technical barrier for cybercriminals, forcing organizations to shift from static detection methods to behavioral and identity-aware monitoring.  
<a href="https://www.darkreading.com/threat-intelligence/starkiller-phishing-kit-mfa">https://www.darkreading.com/threat-intelligence/starkiller-phishing-kit-mfa</a></p><div><hr></div><p>Message me:  matt (at) threatswithoutborders.com</p><div><hr></div><h4>DFIR</h4><p>I haven&#8217;t used this, so please test it in a safe space first, but it is interesting, and I&#8217;ll be giving it some more attention shortly.  </p><blockquote><p><em>Fuji is a free, open-source program for performing forensic acquisition of Mac computers. It should work on any modern Intel or Apple Silicon device, as it leverages standard executables provided by macOS.  Fuji performs a so-called live acquisition (the computer must be turned on) of logical nature, i.e. it includes only existing files. The tool generates a DMG file that can be imported in several digital forensics programs.</em></p></blockquote><p><a href="https://github.com/Lazza/Fuji/releases/tag/1.2.0">https://github.com/Lazza/Fuji/releases/tag/1.2.0</a></p><div><hr></div><h4>Cool Job</h4><p>Director of Safety and Security, Vanderbilt University.  <a href="https://ecsr.fa.us2.oraclecloud.com/hcmUI/CandidateExperience/en/sites/CX_1/job/10007897">https://ecsr.fa.us2.oraclecloud.com/hcmUI/CandidateExperience/en/sites/CX_1/job/10007897</a></p><p>Security Intelligence Operations Specialist, Tesla.  <a href="https://www.tesla.com/careers/search/job/256471">https://www.tesla.com/careers/search/job/256471</a></p><h4>Cool Tool</h4><p>Hate Apple?  Hate Google?  GrapheneOS might be your huckleberry.  Tomasz Dunia created a list of currently supported mobile devices and a full tutorial on getting up and running with GrapheneOS as the OS.  <a href="https://blog.tomaszdunia.pl/grapheneos-eng/#list-of-supported-devices-february-2026">https://blog.tomaszdunia.pl/grapheneos-eng/#list-of-supported-devices-february-2026</a></p><p><em>&#8220;Spackle is a macOS menu bar app for inline AI rewrites. 
Select text in any app, press a keyboard shortcut, and Spackle replaces your selection with an AI-rewritten version &#8212; right in place. You never leave the app you&#8217;re working in.  It works anywhere macOS Accessibility can reach: Mail, Notes, Slack, browser text areas, and more.&#8221;  </em><a href="https://aisatsu.co/spackle/">https://aisatsu.co/spackle/</a></p><div><hr></div><div class="captioned-image-container"><figure><img src="https://substackcdn.com/image/fetch/$s_!qeOX!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7549fda2-e27a-49e1-a81d-9f42371311c9_1250x338.jpeg" width="1250" height="338" alt=""></figure></div><div><hr></div><h4>Irrelevant</h4><p>Something everyone in law enforcement and counseling has known for, well, ever.</p><blockquote><p><em>Researchers found that the teens who reported using cannabis in the past year were at a higher risk of being diagnosed with several mental health conditions a few years later, compared to teens who didn&#8217;t use cannabis.</em></p><p><em>Teens who reported using cannabis had twice the risk of developing two serious mental illnesses: bipolar, which manifests as alternating episodes of depression and mania, and psychotic disorders, such as schizophrenia, which involve a break with reality.</em></p></blockquote><p><a href="https://text.npr.org/nx-s1-5719338">https://text.npr.org/nx-s1-5719338</a></p><div><hr></div><h4>Sign Off</h4><p>I spent some time in Buffalo, NY, last week. 
I&#8217;ve discussed the city in the newsletter before, and I believe I&#8217;ve finally figured out why people choose to live there. It&#8217;s self-hate. That&#8217;s the only explanation that fits. Yes, I&#8217;ve heard it&#8217;s beautiful in the summer.  </p><p>Shout at me M&amp;T friends.  </p><p>Thanks for reading another issue.  See you all next week.</p><p>Matt</p><div class="captioned-image-container"><figure><img src="https://substackcdn.com/image/fetch/$s_!uz-r!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F42f3568f-457f-415c-bd40-eee122414c0c_996x1126.jpeg" width="996" height="1126" alt=""></figure></div>]]></content:encoded></item><item><title><![CDATA[Threats Without Borders - Issue 274]]></title><description><![CDATA[Cybersecurity Investigations Newsletter, week ending February 15, 2026]]></description><link>https://www.threatswithoutborders.com/p/threats-without-borders-issue-274</link><guid isPermaLink="false">https://www.threatswithoutborders.com/p/threats-without-borders-issue-274</guid><dc:creator><![CDATA[Matt Dotts]]></dc:creator><pubDate>Tue, 17 Feb 2026 11:15:23 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!gnGB!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fec11d95e-ced3-4599-874c-6076838cd6ca_800x600.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>I am often asked why, when looking at a Bitcoin transaction where one address sends funds to another, there are sometimes two addresses on the output side, and sometimes it even looks like the sending address sent funds back to itself. It seems strange at first glance. Is something going wrong? 
Is it some kind of error?</p><div class="captioned-image-container"><figure><img src="https://substackcdn.com/image/fetch/$s_!TyzJ!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbe5475a3-054c-4f12-99e2-5584786bdb74_2286x450.jpeg" width="1456" height="287" alt=""></figure></div><p>One of the best analogies I&#8217;ve heard for explaining cryptocurrency transactions is doing business with gold bars.</p><p>Imagine you own a single 10 oz gold 
bar.  You want to buy something from a merchant that costs 3 ounces of gold. Here is the problem: you physically cannot chip a 3-ounce piece off a gold bar. You cannot hand over exactly 3 ounces from a 10-ounce bar. The whole bar has to go somewhere.</p><p>So what happens? The gold bar goes to the smelter. The smelter melts the gold bar down and pours the molten gold into new, smaller bars. Out come three new bars:</p><ul><li><p>A 3-ounce bar that goes to the merchant -- this is your payment.</p></li><li><p>A 6.9-ounce bar that comes back to you -- this is your change.</p></li><li><p>A 0.1-ounce nugget that stays with the smelter -- this is the fee for their work.</p></li></ul><p>The original 10-ounce bar no longer exists. It has been consumed, and three brand new bars have been created in its place.</p><p>In Bitcoin, your funds are not stored as a simple running balance like a bank account. Instead, they exist as individual chunks called UTXOs, which stands for Unspent Transaction Outputs. Think of each UTXO as one of those gold bars. You might have several of them of different sizes sitting in your digital wallet.</p><p>When you want to send Bitcoin to someone, your wallet picks one (or more) of those UTXOs to spend. Just like the gold bar, the entire UTXO must be consumed. You cannot spend just part of it. 
So the transaction does exactly what the smelter did:</p><ol><li><p>The UTXO is fully spent as an input to the transaction.</p></li><li><p>A new output is created, sending the correct amount to the recipient.</p></li><li><p>A second new output is created, sending the leftover amount back to you -- this is your change.</p></li><li><p>Whatever the inputs were worth beyond what the outputs add up to is the fee. It is not an output of your transaction; the miner who includes the transaction in a block collects it through that block&#8217;s coinbase transaction.</p></li></ol><p>When you look at a Bitcoin transaction on a block explorer and see two output addresses, you are usually looking at the recipient and the change going back to the sender. Nothing on-chain labels which is which: explorers and tracing tools infer it from heuristics such as an output that reuses one of the input addresses, a non-round amount, or a script type that matches the inputs, and those inferences can be wrong for batched payments or privacy-conscious transactions.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!1K-0!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F45732663-054a-4384-b481-0599be361ccf_2290x1078.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!1K-0!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F45732663-054a-4384-b481-0599be361ccf_2290x1078.jpeg 424w, https://substackcdn.com/image/fetch/$s_!1K-0!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F45732663-054a-4384-b481-0599be361ccf_2290x1078.jpeg 848w, https://substackcdn.com/image/fetch/$s_!1K-0!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F45732663-054a-4384-b481-0599be361ccf_2290x1078.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!1K-0!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F45732663-054a-4384-b481-0599be361ccf_2290x1078.jpeg 1456w" sizes="100vw"><img 
src="https://substackcdn.com/image/fetch/$s_!1K-0!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F45732663-054a-4384-b481-0599be361ccf_2290x1078.jpeg" width="1456" height="685" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/45732663-054a-4384-b481-0599be361ccf_2290x1078.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:685,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:558838,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/jpeg&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.threatswithoutborders.com/i/188068614?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F45732663-054a-4384-b481-0599be361ccf_2290x1078.jpeg&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!1K-0!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F45732663-054a-4384-b481-0599be361ccf_2290x1078.jpeg 424w, https://substackcdn.com/image/fetch/$s_!1K-0!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F45732663-054a-4384-b481-0599be361ccf_2290x1078.jpeg 848w, https://substackcdn.com/image/fetch/$s_!1K-0!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F45732663-054a-4384-b481-0599be361ccf_2290x1078.jpeg 1272w, 
https://substackcdn.com/image/fetch/$s_!1K-0!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F45732663-054a-4384-b481-0599be361ccf_2290x1078.jpeg 1456w" sizes="100vw" loading="lazy"></picture><div></div></div></a></figure></div><p>So why does the change sometimes go back to the same address, but sometimes a new one? 
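</p><p>Here is the anatomy just described, written out as an added Python example for this section (illustration code, not code from the newsletter or from any wallet or explorer). It spends whole UTXOs, pays the recipient, returns the remainder as change, treats the fee as the unassigned leftover rather than as an output, and then applies the change-detection heuristics an analyst relies on when reading a block explorer, covering both the change-back-to-the-spending-address case and the fresh-address case discussed next. The UTXOs, addresses and amounts are constructed for the example, the dust and round-amount thresholds are assumptions, and the heuristics are rules of thumb, not anything recorded on-chain.</p>

```python
from dataclasses import dataclass

SATS_PER_BTC = 100_000_000
DUST_LIMIT = 546     # assumed: change below this is folded into the fee
ROUND_UNIT = 10_000  # assumed: 0.0001 BTC; human-chosen amounts tend to be multiples


@dataclass(frozen=True)
class UTXO:
    """One unspent output (the 'gold bar'), named by the txid:vout that created it."""
    txid: str
    vout: int
    address: str
    value: int  # satoshis


@dataclass(frozen=True)
class Output:
    address: str
    value: int  # satoshis


@dataclass(frozen=True)
class Transaction:
    inputs: tuple
    outputs: tuple

    def fee(self) -> int:
        # The fee is never an explicit output: it is whatever part of the consumed
        # inputs is not assigned to any output, and the miner collects it.
        return sum(u.value for u in self.inputs) - sum(o.value for o in self.outputs)


def select_coins(utxos, target):
    """Choose UTXOs worth at least `target` (payment + fee), each consumed whole:
    the smallest single UTXO that covers it, else coins added largest-first."""
    single = [u for u in utxos if u.value >= target]
    if single:
        return (min(single, key=lambda u: u.value),)
    chosen, total = [], 0
    for u in sorted(utxos, key=lambda u: u.value, reverse=True):
        chosen.append(u)
        total += u.value
        if total >= target:
            return tuple(chosen)
    raise ValueError("insufficient funds")


def build_transaction(utxos, recipient, amount, fee, change_address=None):
    """Spend whole UTXOs, pay `recipient`, return the remainder as change.
    change_address=None mimics older wallets (change back to the spending
    address); a fresh address mimics a modern HD wallet."""
    inputs = select_coins(utxos, amount + fee)
    outputs = [Output(recipient, amount)]
    change = sum(u.value for u in inputs) - amount - fee
    if change > DUST_LIMIT:  # tiny change is not worth an output; it becomes fee
        outputs.append(Output(change_address or inputs[0].address, change))
    return Transaction(inputs, tuple(outputs))


def script_type(address):
    """Coarse script family from a mainnet address prefix."""
    for prefix, kind in (("bc1p", "p2tr"), ("bc1q", "segwit-v0"), ("3", "p2sh"), ("1", "p2pkh")):
        if address.startswith(prefix):
            return kind
    return "unknown"


def guess_change_output(tx):
    """Return (index, reason) for the output most likely to be change. These are
    the usual explorer/clustering heuristics: inferences, not on-chain facts, and
    they fail on batched payments, PayJoin or deliberately non-round amounts."""
    input_addrs = {u.address for u in tx.inputs}
    for i, o in enumerate(tx.outputs):
        if o.address in input_addrs:
            return i, "address reuse: pays back to an input address"
    if len(tx.outputs) != 2:
        return None, "not the payment-plus-change shape"
    in_types = {script_type(u.address) for u in tx.inputs}
    same = [i for i, o in enumerate(tx.outputs) if script_type(o.address) in in_types]
    if len(same) == 1:
        return same[0], "script type: only this output matches the inputs"
    round_ = [i for i, o in enumerate(tx.outputs) if o.value % ROUND_UNIT == 0]
    if len(round_) == 1:
        return 1 - round_[0], "round amount: the other output is the chosen payment"
    return None, "ambiguous"


if __name__ == "__main__":
    # Gold-bar scenario with constructed data: one 10 BTC UTXO, a 3 BTC payment
    # and, to mirror the analogy, an absurdly large 0.1 BTC fee.
    bar = UTXO("f" * 64, 0, "1SENDERexampleAddress", 10 * SATS_PER_BTC)
    tx = build_transaction([bar], "1MERCHANTexampleAddress", 3 * SATS_PER_BTC, SATS_PER_BTC // 10)
    for o in tx.outputs:
        print(f"{o.value / SATS_PER_BTC:.8f} BTC -> {o.address}")
    print("fee:", tx.fee(), "sats; change guess:", guess_change_output(tx))
```

<p>Run it as a script to see the gold-bar scenario play out. Two design points matter for investigations: the fee never appears in the output list, so an explorer that shows you a fee is computing inputs minus outputs on your behalf; and guess_change_output returns a reason alongside the index, because a change guess is a lead to be corroborated (the same wallet spending that output later is the usual confirmation), not a fact to put in an affidavit.</p><p>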
The answer is simple: it depends entirely on which wallet software is being used.</p><div class="captioned-image-container"><figure><a class="image-link image2" target="_blank" href="https://substackcdn.com/image/fetch/$s_!vI-L!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb57f0f86-e302-48ef-8728-380e43b58ef3_2338x466.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!vI-L!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb57f0f86-e302-48ef-8728-380e43b58ef3_2338x466.jpeg 424w, https://substackcdn.com/image/fetch/$s_!vI-L!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb57f0f86-e302-48ef-8728-380e43b58ef3_2338x466.jpeg 848w, https://substackcdn.com/image/fetch/$s_!vI-L!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb57f0f86-e302-48ef-8728-380e43b58ef3_2338x466.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!vI-L!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb57f0f86-e302-48ef-8728-380e43b58ef3_2338x466.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!vI-L!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb57f0f86-e302-48ef-8728-380e43b58ef3_2338x466.jpeg" width="1456" height="290" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/b57f0f86-e302-48ef-8728-380e43b58ef3_2338x466.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:290,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:339829,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/jpeg&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.threatswithoutborders.com/i/188068614?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb57f0f86-e302-48ef-8728-380e43b58ef3_2338x466.jpeg&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!vI-L!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb57f0f86-e302-48ef-8728-380e43b58ef3_2338x466.jpeg 424w, https://substackcdn.com/image/fetch/$s_!vI-L!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb57f0f86-e302-48ef-8728-380e43b58ef3_2338x466.jpeg 848w, https://substackcdn.com/image/fetch/$s_!vI-L!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb57f0f86-e302-48ef-8728-380e43b58ef3_2338x466.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!vI-L!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb57f0f86-e302-48ef-8728-380e43b58ef3_2338x466.jpeg 1456w" sizes="100vw" loading="lazy"></picture><div></div></div></a></figure></div><p>Older, less technical wallets, and some exchange platforms will send your change right back to the address you sent from. 
It is the equivalent of the smelter handing your change bar back to you in exactly the same labeled pouch you gave them. Easy to track, easy to understand.</p><p>You will also see this with some business accounts and exchange-managed wallets, where the platform keeps things neat by always cycling funds back to a known address.</p><p>More modern wallets, and any wallet that cares about privacy, automatically generate a brand new, never-before-used address to receive your change. Hierarchical deterministic wallets derive these change addresses from the same seed phrase on a separate internal (change) chain, so the address still belongs entirely to you and is controlled by the same wallet, but on-chain it looks unrelated to the address you spent from. You do not need to do anything special to access those funds. Your wallet knows about it automatically.</p><p>For an investigator, the practical consequence is that a fresh output address is not evidence of a second party. Tracing tools attribute the inferred change output to the sender and cluster it with the sender&#8217;s other addresses, which is powerful when the guess is right and misleading when it is wrong: a mistaken change guess hands your subject someone else&#8217;s funds, or hands your subject&#8217;s funds to someone else.</p><div><hr></div><h4>Blow your whistle</h4><p>The U.S. Treasury has introduced a new website for whistleblowers to report fraud, money laundering, and sanctions violations. Rewards will range from 10% to 30% of collected fines from successful enforcement actions. FinCEN will oversee the program, which includes violations of the Bank Secrecy Act, U.S. sanctions, and other financial laws, while the IRS will create a dedicated task force to investigate misuse of funds by tax-exempt organizations.  <a href="https://www.fincen.gov/whistleblower/">https://www.fincen.gov/whistleblower/</a></p><div><hr></div><h4>Timely</h4><p>Back in <strong><a href="https://www.threatswithoutborders.com/p/threats-without-borders-issue-271">Issue 271</a></strong>, we looked at Pastebin sites and examined how criminals use them to facilitate cybercrime.  </p><p>A new crypto scam exploits Pastebin comments to spread a ClickFix-style attack targeting crypto users. Scammers post comments with links to fake guides promising a profitable arbitrage opportunity. They trick victims into manually running malicious JavaScript code in their browser&#8217;s address bar. Chrome and Firefox strip a pasted javascript: prefix from the address bar precisely to blunt this self-XSS pattern, so any guide that coaches you to type it in yourself is a red flag. 
Once executed, the code hijacks the legitimate swap interface by replacing the Bitcoin deposit addresses with addresses controlled by the attackers and adjusting the displayed exchange rates to make the fake exploit seem real, leading to theft of victims&#8217; cryptocurrency. Because the script runs in the victim&#8217;s own browser session on the legitimate site, the swap service never sees the substituted address; the only check left to the victim is confirming the deposit address through something the page cannot rewrite. <a href="https://www.bleepingcomputer.com/news/security/pastebin-comments-push-clickfix-javascript-attack-to-hijack-crypto-swaps/">https://www.bleepingcomputer.com/news/security/pastebin-comments-push-clickfix-javascript-attack-to-hijack-crypto-swaps/</a></p><div><hr></div><h4>The News&#8230;</h4><p>Chainalysis reports that cryptocurrency flows to suspected human trafficking services surged 85% in 2025, reaching hundreds of millions of dollars, primarily through Southeast Asian operations linked to Chinese-language money laundering networks on Telegram. <a href="https://www.chainalysis.com/blog/crypto-human-trafficking-2026/">https://www.chainalysis.com/blog/crypto-human-trafficking-2026/</a></p><p>It seems like only yesterday we were discussing LockBit 2.0 and now we&#8217;re faced with LockBit 5.0.  What&#8217;s that saying, time flies when we&#8217;re&#8230; <a href="https://www.acronis.com/en/tru/posts/lockbit-strikes-with-new-50-version-targeting-windows-linux-and-esxi-systems/">https://www.acronis.com/en/tru/posts/lockbit-strikes-with-new-50-version-targeting-windows-linux-and-esxi-systems/</a></p><p>A warning for all Mac &#8220;fanboys&#8221; (myself included): A thriving macOS infostealer economy is emerging, with attackers innovating specifically for Apple&#8217;s ecosystem.  Flare explains that the assumption that Macs are immune to viruses is outdated and dangerous. 
<a href="https://flare.io/learn/resources/blog/the-macos-stealer-gold-rush-how-cybercriminals-are-racing-to-exploit-apples-ecosystem"> https://flare.io/learn/resources/blog/the-macos-stealer-gold-rush-how-cybercriminals-are-racing-to-exploit-apples-ecosystem</a></p><p>To absolutely no one&#8217;s surprise, cybercriminals are using AI website builders to clone major brands, creating convincing fake sites to lure victims. These sites are used for credential harvesting, payment fraud, and malware delivery. The ease of use and lack of robust security measures in AI website builders enable attackers to create and deploy these scams rapidly.  <a href="https://www.malwarebytes.com/blog/news/2026/02/criminals-are-using-ai-website-builders-to-clone-major-brands">https://www.malwarebytes.com/blog/news/2026/02/criminals-are-using-ai-website-builders-to-clone-major-brands</a></p><p>Bitcoin exchange Paxful has been fined $4 million for transferring funds tied to money laundering, fraud, and sex trafficking.  <a href="https://www.justice.gov/opa/pr/virtual-asset-trading-platform-sentenced-violating-travel-act-and-other-federal-criminal">https://www.justice.gov/opa/pr/virtual-asset-trading-platform-sentenced-violating-travel-act-and-other-federal-criminal</a></p><p>There isn&#8217;t much left of CISA, but the remaining holdouts published the agency&#8217;s 2025 Year-In-Review report.  <a href="https://www.cisa.gov/about/2025YIR">https://www.cisa.gov/about/2025YIR</a></p><p>Posted without comment.  <a href="https://techcrunch.com/2026/02/13/sex-toys-maker-tenga-says-hacker-stole-customer-information/">https://techcrunch.com/2026/02/13/sex-toys-maker-tenga-says-hacker-stole-customer-information/</a></p><div><hr></div><h4>Cool Job</h4><p>For those that like snow&#8230; Fraud Coordinator - Erie Federal Credit Union.  
<a href="https://eriefcu.acquiretm.com/job_details_clean.aspx?id=1676">https://eriefcu.acquiretm.com/job_details_clean.aspx?id=1676</a></p><h4>Cool Tool</h4><p>Reverse image search (you might get ads depending on your browser) <a href="https://picdetective.com/">https://picdetective.com/</a></p><div><hr></div><h4>DFIR</h4><p>Jordan Mussman provides &#8220;a practical field guide to macOS security architecture and forensic artifacts for incident responders investigating compromised MacBooks in 2026&#8221;.  <a href="https://jmussman.net/posts/mac_dfir/">https://jmussman.net/posts/mac_dfir/</a></p><div><hr></div><h4>Irrelevant</h4><p>The best science I&#8217;ve read in a long time.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!JI3a!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc91d3dec-1cc0-41e8-b67e-68b33a8535d1_1510x710.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!JI3a!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc91d3dec-1cc0-41e8-b67e-68b33a8535d1_1510x710.jpeg 424w, https://substackcdn.com/image/fetch/$s_!JI3a!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc91d3dec-1cc0-41e8-b67e-68b33a8535d1_1510x710.jpeg 848w, https://substackcdn.com/image/fetch/$s_!JI3a!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc91d3dec-1cc0-41e8-b67e-68b33a8535d1_1510x710.jpeg 1272w, 
https://substackcdn.com/image/fetch/$s_!JI3a!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc91d3dec-1cc0-41e8-b67e-68b33a8535d1_1510x710.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!JI3a!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc91d3dec-1cc0-41e8-b67e-68b33a8535d1_1510x710.jpeg" width="1456" height="685" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/c91d3dec-1cc0-41e8-b67e-68b33a8535d1_1510x710.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:685,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:400747,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/jpeg&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.threatswithoutborders.com/i/188068614?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc91d3dec-1cc0-41e8-b67e-68b33a8535d1_1510x710.jpeg&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!JI3a!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc91d3dec-1cc0-41e8-b67e-68b33a8535d1_1510x710.jpeg 424w, https://substackcdn.com/image/fetch/$s_!JI3a!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc91d3dec-1cc0-41e8-b67e-68b33a8535d1_1510x710.jpeg 848w, 
https://substackcdn.com/image/fetch/$s_!JI3a!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc91d3dec-1cc0-41e8-b67e-68b33a8535d1_1510x710.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!JI3a!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc91d3dec-1cc0-41e8-b67e-68b33a8535d1_1510x710.jpeg 1456w" sizes="100vw" loading="lazy"></picture><div></div></div></a></figure></div><p><a 
href="https://jamanetwork.com/journals/jama/fullarticle/2844764">https://jamanetwork.com/journals/jama/fullarticle/2844764</a></p><div><hr></div><h4>Sign off</h4><p>I was told twice last week that I should consider teaching technology investigations full-time. Maybe. But I fear people wouldn&#8217;t pay to listen to me run my mouth for a day or three. I expect to issue refunds around 2:30PM on the first day.  </p><p>Besides, if I worked for myself, I wouldn&#8217;t get paid time off for bank holidays! </p><p>Have a great week. </p><p>Matt</p><p>matt @ threatswithoutborders.com</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!YnbZ!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff3a0b089-c1db-49f9-b286-4f4ce6e58832_1268x1252.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!YnbZ!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff3a0b089-c1db-49f9-b286-4f4ce6e58832_1268x1252.jpeg 424w, https://substackcdn.com/image/fetch/$s_!YnbZ!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff3a0b089-c1db-49f9-b286-4f4ce6e58832_1268x1252.jpeg 848w, https://substackcdn.com/image/fetch/$s_!YnbZ!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff3a0b089-c1db-49f9-b286-4f4ce6e58832_1268x1252.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!YnbZ!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff3a0b089-c1db-49f9-b286-4f4ce6e58832_1268x1252.jpeg 1456w" sizes="100vw"><img 
src="https://substackcdn.com/image/fetch/$s_!YnbZ!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff3a0b089-c1db-49f9-b286-4f4ce6e58832_1268x1252.jpeg" width="1268" height="1252" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/f3a0b089-c1db-49f9-b286-4f4ce6e58832_1268x1252.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1252,&quot;width&quot;:1268,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:291344,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/jpeg&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.threatswithoutborders.com/i/188068614?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff3a0b089-c1db-49f9-b286-4f4ce6e58832_1268x1252.jpeg&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!YnbZ!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff3a0b089-c1db-49f9-b286-4f4ce6e58832_1268x1252.jpeg 424w, https://substackcdn.com/image/fetch/$s_!YnbZ!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff3a0b089-c1db-49f9-b286-4f4ce6e58832_1268x1252.jpeg 848w, https://substackcdn.com/image/fetch/$s_!YnbZ!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff3a0b089-c1db-49f9-b286-4f4ce6e58832_1268x1252.jpeg 1272w, 
https://substackcdn.com/image/fetch/$s_!YnbZ!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff3a0b089-c1db-49f9-b286-4f4ce6e58832_1268x1252.jpeg 1456w" sizes="100vw" loading="lazy"></picture><div></div></div></a></figure></div><div><hr></div><p>Published every Tuesday, Threats Without Borders offers original commentary and educational pieces related to cybercrime investigations and information security topics. We also summarize and comment on news articles concerning active threat intelligence for the financial industry. 
The newsletter is for everyone tasked with cybersecurity or involved in preventing or investigating technology-enabled fraud, theft, or money laundering.</p><p>Legal: I am not compensated by any entity for writing this newsletter. Obviously, anything written in this space is my own nonsensical opinions and doesn&#8217;t represent the official viewpoint of my employer or any associated organization. 
Blame me, not them.</p><p></p>]]></content:encoded></item><item><title><![CDATA[Threats Without Borders - Issue 273]]></title><description><![CDATA[Cybercrime Investigation Newsletter, week ending February 8, 2026]]></description><link>https://www.threatswithoutborders.com/p/threats-without-borders-issue-273</link><guid isPermaLink="false">https://www.threatswithoutborders.com/p/threats-without-borders-issue-273</guid><dc:creator><![CDATA[Matt Dotts]]></dc:creator><pubDate>Tue, 10 Feb 2026 10:47:42 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!lkkz!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F07f3f957-f680-4ee2-b274-e8ca2ac66a24_600x600.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>Over the past week, two separate but critically connected events occurred. </p><p>First, the newsletter saw an unusually high number of unsubscribes. Perhaps I said something last week that offended some readers, or maybe it&#8217;s just the new year's resolution to declutter inboxes. I&#8217;m not sure. </p><p>But for the first time, I just said, Good.  F* you, anyway. I dedicate hours weekly to this newsletter, and if you choose not to read it for free, fine. 
I don&#8217;t want to share my knowledge and experience with you anyway.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!7DcG!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb372d436-681e-4785-925f-3557274597d6_1184x318.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!7DcG!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb372d436-681e-4785-925f-3557274597d6_1184x318.jpeg 424w, https://substackcdn.com/image/fetch/$s_!7DcG!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb372d436-681e-4785-925f-3557274597d6_1184x318.jpeg 848w, https://substackcdn.com/image/fetch/$s_!7DcG!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb372d436-681e-4785-925f-3557274597d6_1184x318.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!7DcG!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb372d436-681e-4785-925f-3557274597d6_1184x318.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!7DcG!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb372d436-681e-4785-925f-3557274597d6_1184x318.jpeg" width="1184" height="318" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/b372d436-681e-4785-925f-3557274597d6_1184x318.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:318,&quot;width&quot;:1184,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:75460,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/jpeg&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://www.threatswithoutborders.com/i/187329192?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb372d436-681e-4785-925f-3557274597d6_1184x318.jpeg&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!7DcG!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb372d436-681e-4785-925f-3557274597d6_1184x318.jpeg 424w, https://substackcdn.com/image/fetch/$s_!7DcG!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb372d436-681e-4785-925f-3557274597d6_1184x318.jpeg 848w, https://substackcdn.com/image/fetch/$s_!7DcG!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb372d436-681e-4785-925f-3557274597d6_1184x318.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!7DcG!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb372d436-681e-4785-925f-3557274597d6_1184x318.jpeg 1456w" sizes="100vw" fetchpriority="high"></picture><div></div></div></a></figure></div><p>And I&#8217;d rather have 50 truly invested readers who value my time and writing than 5000 people who sign up only to mark the newsletter as spam until they eventually figure out the unsubscribe process.</p><p>Terrible attitude, right?  Yeah, I know.</p><p><strong>Secondly, I read &#8220;How to Stop Being Boring&#8221; by JA Westenberg.  </strong></p><blockquote><p><em>I&#8217;ve come to believe that boring = personality edited down to nothing. 
Somewhere along the way, too many of us learned to sand off our weird edges, to preemptively remove anything that might make someone uncomfortable or make us seem difficult to be around.</em></p><p><em>And the result = boredom.</em></p></blockquote><p>It&#8217;s a powerful argument about the danger of self-editing to avoid seeming different, offensive, or controversial until all that&#8217;s left is a performance.</p><blockquote><p><em>Erving Goffman wrote in 1959 about how we all perform versions of ourselves depending on context. What's less normal is when the performance becomes the only thing left. When you've been editing yourself for so long that you've forgotten what the original draft looked like.</em></p></blockquote><p>Maybe that&#8217;s it! What if it&#8217;s not what I&#8217;m saying, but the things that I&#8217;m not saying?</p><p>Maybe I&#8217;ve just become&#8230; boring.</p><p>Please take two minutes to read this blog post.</p><p><a href="https://www.joanwestenberg.com/how-to-stop-being-boring/">https://www.joanwestenberg.com/how-to-stop-being-boring/</a></p><p>And let&#8217;s agree to stop being boring!</p><div><hr></div><h4>Wasn&#8217;t me, my iPhone was hacked&#8230;</h4><p>The first question should be, &#8220;Are you a target of a nation-state? North Korea, Iran, or maybe Russia (or maybe the U.S.).&#8221; If the answer is probably not, then the iPhone was probably not hacked. No, the device most definitely wasn&#8217;t hacked.</p><p>Apple released its 2026 <strong>Apple Platform Security</strong> update, so let&#8217;s see if remote access software can be covertly installed on an iPhone. (I do this every year.)</p><p>I&#8217;m not talking about a corporate device enrolled in Mobile Device Management (MDM), which lets an employer control certain functions within limits that Apple enforces. Even then, the MDM administrator doesn&#8217;t have carte blanche over the device. 
And these devices aren&#8217;t getting &#8220;hacked&#8221; either.</p><p>We&#8217;ve all heard the claim: &#8220;Someone must have secretly installed a remote monitoring or remote desktop app on my phone.&#8221; Given Apple&#8217;s security architecture, this isn&#8217;t realistic for a personal, unmanaged iPhone.</p><p>Two main points:</p><ol><li><p>Apps can&#8217;t silently install themselves; every app must be code-signed and installed through a channel Apple controls or vets.</p></li><li><p>No supported mechanism exists for hidden background installs, drive-by downloads, or invisible services.</p></li></ol><p>If such software exists on the device, it was installed intentionally, usually by the device owner.</p><p>Apple also prevents apps from recording the screen without the user&#8217;s permission. Screen recording requires a user consent prompt before it starts. Therefore:</p><ul><li><p>no silent recording</p></li><li><p>no invisible broadcasting</p></li><li><p>no hidden monitoring</p></li></ul><p>The user must approve any such activity.</p><p>And don&#8217;t come at me with &#8220;colluding apps.&#8221; Apple closed that avenue a long time ago. Apps are sandboxed, so one app can&#8217;t read another&#8217;s data or observe its activity except through the narrow sharing mechanisms the user explicitly approves.</p><p>So when someone says &#8220;It wasn&#8217;t me, my device was infected,&#8221; what really happened is usually one of these:</p><ul><li><p>a password was phished</p></li><li><p>credentials were reused and later leaked</p></li><li><p>a fake login page captured their information</p></li><li><p>an MFA prompt the attacker triggered was approved</p></li><li><p>their email or Apple ID was taken over</p></li><li><p>or they were socially engineered</p></li></ul><p>Of course, with Android devices, where sideloaded stalkerware abusing accessibility permissions is a real-world problem, all bets are off. 
And if you happen to be in the crosshairs of a government&#8217;s elite hacking unit, search for Pegasus: zero-click exploit chains do exist, but they are scarce, expensive, and reserved for high-value targets.</p><p><a href="https://help.apple.com/pdf/security/en_US/apple-platform-security-guide.pdf">https://help.apple.com/pdf/security/en_US/apple-platform-security-guide.pdf</a></p><div><hr></div><h4>The News&#8230;</h4><p>Speaking of iPhone security, it turns out Lockdown Mode is legit. The FBI could not bypass it to access the internal data of a seized iPhone. Lockdown Mode, introduced by Apple in 2022, is an optional hardening mode that defends against sophisticated, targeted attacks by sharply restricting apps, websites, and features. Investigators extracted limited data from the SIM card, but the phone&#8217;s own contents stayed out of reach. <a href="https://arstechnica.com/tech-policy/2026/02/fbi-stymied-by-apples-lockdown-mode-after-seizing-journalists-iphone/">https://arstechnica.com/tech-policy/2026/02/fbi-stymied-by-apples-lockdown-mode-after-seizing-journalists-iphone/</a></p><p>A former Pennsylvania State Police corporal and compliance director for the skill games company Pace-O-Matic has pleaded guilty to money laundering and tax fraud after accepting hundreds of thousands of dollars in kickbacks from illegal gambling machine operators. He used his position to suppress complaints about illegal gaming machines and falsely claimed the proceeds as business expenses to evade over $100,000 in taxes. 
<a href="https://www.attorneygeneral.gov/taking-action/former-executive-of-pace-o-matic-pleads-guilty-to-money-laundering-payments-from-gaming-machine-operators/">https://www.attorneygeneral.gov/taking-action/former-executive-of-pace-o-matic-pleads-guilty-to-money-laundering-payments-from-gaming-machine-operators/</a></p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!fLiO!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fec9002ca-1ab7-4c2a-9d08-2dc1ed23ae73_1096x471.webp" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!fLiO!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fec9002ca-1ab7-4c2a-9d08-2dc1ed23ae73_1096x471.webp 424w, https://substackcdn.com/image/fetch/$s_!fLiO!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fec9002ca-1ab7-4c2a-9d08-2dc1ed23ae73_1096x471.webp 848w, https://substackcdn.com/image/fetch/$s_!fLiO!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fec9002ca-1ab7-4c2a-9d08-2dc1ed23ae73_1096x471.webp 1272w, https://substackcdn.com/image/fetch/$s_!fLiO!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fec9002ca-1ab7-4c2a-9d08-2dc1ed23ae73_1096x471.webp 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!fLiO!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fec9002ca-1ab7-4c2a-9d08-2dc1ed23ae73_1096x471.webp" width="1096" height="471" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/ec9002ca-1ab7-4c2a-9d08-2dc1ed23ae73_1096x471.webp&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:471,&quot;width&quot;:1096,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!fLiO!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fec9002ca-1ab7-4c2a-9d08-2dc1ed23ae73_1096x471.webp 424w, https://substackcdn.com/image/fetch/$s_!fLiO!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fec9002ca-1ab7-4c2a-9d08-2dc1ed23ae73_1096x471.webp 848w, https://substackcdn.com/image/fetch/$s_!fLiO!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fec9002ca-1ab7-4c2a-9d08-2dc1ed23ae73_1096x471.webp 1272w, https://substackcdn.com/image/fetch/$s_!fLiO!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fec9002ca-1ab7-4c2a-9d08-2dc1ed23ae73_1096x471.webp 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" 
xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>Sublime Security details a phishing scheme targeting real estate agents in which scammers pose as prospective clients via website contact forms or direct outreach. They build trust over several credible-sounding messages, then lure the agent into a fake Zoom call. The &#8220;meeting links&#8221; use lookalike domains such as webzoom[.]im instead of zoom[.]us and deliver remote access tools like ScreenConnect, giving the attackers control of the victim&#8217;s computer. What distinguishes the campaign is the patient social engineering, a multi-message dialogue to establish credibility before any malware is introduced, and the attackers&#8217; insistence on hosting the meeting themselves rather than sending the agent a legitimate meeting link.</p><p>I had always believed that cryptocurrency and gift cards were the preferred methods for criminals to move dirty money. 
However, according to this review of Oliver Bullough&#8217;s latest book, the latest trend seems to be watches and designer handbags. <a href="https://www.thetimes.com/culture/books/article/everybody-loves-our-dollars-how-money-laundering-won-oliver-bullough-review-z3p2wbf03">https://www.thetimes.com/culture/books/article/everybody-loves-our-dollars-how-money-laundering-won-oliver-bullough-review-z3p2wbf03</a></p><p>An Illinois man has admitted to hacking nearly 600 women&#8217;s Snapchat accounts between May 2020 and February 2021 and stealing nude photos that he kept, sold, or traded online. He used social engineering, impersonating Snapchat representatives to trick more than 4,500 people into revealing their access codes. The scheme compromised about 570 victims&#8217; credentials and resulted in unauthorized access to at least 59 accounts, per the charging document: <a href="https://storage.courtlistener.com/recap/gov.uscourts.mad.293918/gov.uscourts.mad.293918.1.0.pdf">https://storage.courtlistener.com/recap/gov.uscourts.mad.293918/gov.uscourts.mad.293918.1.0.pdf</a></p><p>Is this irony?</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!NLwr!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa0a2df17-6922-42bb-81b2-bf5e6ec480d6_984x436.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!NLwr!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa0a2df17-6922-42bb-81b2-bf5e6ec480d6_984x436.jpeg 424w, https://substackcdn.com/image/fetch/$s_!NLwr!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa0a2df17-6922-42bb-81b2-bf5e6ec480d6_984x436.jpeg 848w, 
https://substackcdn.com/image/fetch/$s_!NLwr!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa0a2df17-6922-42bb-81b2-bf5e6ec480d6_984x436.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!NLwr!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa0a2df17-6922-42bb-81b2-bf5e6ec480d6_984x436.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!NLwr!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa0a2df17-6922-42bb-81b2-bf5e6ec480d6_984x436.jpeg" width="984" height="436" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/a0a2df17-6922-42bb-81b2-bf5e6ec480d6_984x436.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:436,&quot;width&quot;:984,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:86891,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/jpeg&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.threatswithoutborders.com/i/187329192?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa0a2df17-6922-42bb-81b2-bf5e6ec480d6_984x436.jpeg&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!NLwr!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa0a2df17-6922-42bb-81b2-bf5e6ec480d6_984x436.jpeg 424w, 
https://substackcdn.com/image/fetch/$s_!NLwr!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa0a2df17-6922-42bb-81b2-bf5e6ec480d6_984x436.jpeg 848w, https://substackcdn.com/image/fetch/$s_!NLwr!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa0a2df17-6922-42bb-81b2-bf5e6ec480d6_984x436.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!NLwr!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa0a2df17-6922-42bb-81b2-bf5e6ec480d6_984x436.jpeg 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line 
x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>I think this is irony.</p><p>Google Search results are surfacing links that download malware for macOS. <a href="https://eclecticlight.co/2026/01/30/more-malware-from-google-search/">https://eclecticlight.co/2026/01/30/more-malware-from-google-search/</a></p><div><hr></div><h4>Cool Job</h4><p>Director of Fraud Prevention - TopStep. <a href="https://job-boards.greenhouse.io/topsteptrader/jobs/7615888003">https://job-boards.greenhouse.io/topsteptrader/jobs/7615888003</a></p><h4>Cool Tool</h4><p>Your target may not have an online presence, but their relatives might. <a href="https://www.familytreenow.com/">https://www.familytreenow.com/</a></p><p>theHarvester is a very simple, yet effective tool designed to be used in the early stages of a penetration test. Use it for open source intelligence gathering and to help determine a company's external threat landscape on the internet. The tool gathers emails, names, subdomains, IPs, and URLs. <a href="https://pypi.org/project/theHarvester/">https://pypi.org/project/theHarvester/</a></p><div><hr></div><h4>Be Alert</h4><p>Yeah, so, Substack had a little oopsie and lost some user data. They claim to have notified affected users, but it seems the breach is much larger than initially acknowledged.</p><p>The good news, if there is any when user information is lost, is that the scraped data doesn&#8217;t appear to enable account takeovers.</p><p>As this HackRead <strong><a href="https://hackread.com/substack-breach-user-records-leak-cybercrime-forum/">article</a></strong> notes, the real danger is a social engineering attack by someone posing as Substack and citing details of your account to appear legitimate.</p><div><hr></div><h4>Irrelevant</h4><p>Being successful isn&#8217;t random. 
<a href="https://dariusforoux.com/the-big-5-predictors-of-success/">https://dariusforoux.com/the-big-5-predictors-of-success/</a></p><div><hr></div><h4>Learning</h4><p>The Delaware Fraud Working Group is sponsoring a full-day training event on April 2, 2026, in Wilmington, Delaware.  Best of all, it&#8217;s FREE.  </p><p>No, even better, I&#8217;m speaking.  </p><p><a href="https://www.eventbrite.com/e/delaware-fraud-working-group-full-day-fraud-prevention-summit-tickets-1982375409213">https://www.eventbrite.com/e/delaware-fraud-working-group-full-day-fraud-prevention-summit-tickets-1982375409213</a></p><div><hr></div><h4>Sign Off</h4><p>Someone suggested I do that viral thing where you ask ChatGPT to make a caricature of you and post it to LinkedIn. Ugh, I&#8217;d rather stick a fork in my face. </p><p>So I asked ChatGPT to create that image instead.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!BYFp!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F57a253f1-1c9a-4068-8fd6-248d35450e49_1604x570.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!BYFp!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F57a253f1-1c9a-4068-8fd6-248d35450e49_1604x570.jpeg 424w, https://substackcdn.com/image/fetch/$s_!BYFp!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F57a253f1-1c9a-4068-8fd6-248d35450e49_1604x570.jpeg 848w, https://substackcdn.com/image/fetch/$s_!BYFp!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F57a253f1-1c9a-4068-8fd6-248d35450e49_1604x570.jpeg 1272w, 
https://substackcdn.com/image/fetch/$s_!BYFp!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F57a253f1-1c9a-4068-8fd6-248d35450e49_1604x570.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!BYFp!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F57a253f1-1c9a-4068-8fd6-248d35450e49_1604x570.jpeg" width="1456" height="517" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/57a253f1-1c9a-4068-8fd6-248d35450e49_1604x570.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:517,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:116646,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/jpeg&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.threatswithoutborders.com/i/187329192?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F57a253f1-1c9a-4068-8fd6-248d35450e49_1604x570.jpeg&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!BYFp!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F57a253f1-1c9a-4068-8fd6-248d35450e49_1604x570.jpeg 424w, https://substackcdn.com/image/fetch/$s_!BYFp!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F57a253f1-1c9a-4068-8fd6-248d35450e49_1604x570.jpeg 848w, 
https://substackcdn.com/image/fetch/$s_!BYFp!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F57a253f1-1c9a-4068-8fd6-248d35450e49_1604x570.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!BYFp!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F57a253f1-1c9a-4068-8fd6-248d35450e49_1604x570.jpeg 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>Too bad, that wouldn&#8217;t be boring.</p><p>Thanks for reading another week.  
Come back next week to see if I write something useful.</p><p>Matt</p><div><hr></div><p>Published every Tuesday, Threats Without Borders offers original commentary and educational pieces related to cybercrime investigations and information security topics. We also summarize and comment on news articles concerning active threat intelligence for the financial industry. The newsletter interests everyone tasked with cybersecurity or involved in preventing or investigating technology-enabled fraud, theft, or money laundering.</p><p>Legal: I am not compensated by any entity for writing this newsletter. Obviously, anything written in this space is my own nonsensical opinions and doesn&#8217;t represent the official viewpoint of my employer or any associated organization. 
Blame me, not them.</p>]]></content:encoded></item><item><title><![CDATA[Threats Without Borders - Issue 272]]></title><description><![CDATA[Cybercrime Investigation Newsletter, week ending February 1, 2026]]></description><link>https://www.threatswithoutborders.com/p/threats-without-borders-issue-272</link><guid isPermaLink="false">https://www.threatswithoutborders.com/p/threats-without-borders-issue-272</guid><dc:creator><![CDATA[Matt Dotts]]></dc:creator><pubDate>Tue, 03 Feb 2026 09:58:59 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!gnGB!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fec11d95e-ced3-4599-874c-6076838cd6ca_800x600.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>When so many organizations hide their reports behind information-collection barriers that require you to give away your professional contact information and then endure relentless sales calls&#8230; TRM Labs continues to share its knowledge freely and openly. And they don&#8217;t publish a vanilla product that simply rehashes common industry knowledge.  </p><p>TRM Labs' 2026 Crypto Crime Report shows illicit crypto flows hit a record $158 billion in 2025, ending a multi-year decline. This rise was mainly due to three factors: new sanctions designations, better detection tools, and large hacks like the $1.46 billion Bybit breach. Despite the overall increase, illicit activity as a share of total crypto activity fell to 1.2%, suggesting that legitimate crypto use expanded faster than criminal activity. 
</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!Dlk1!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9c57e1e9-f23e-46e3-824b-97e3ef65a28e_1690x936.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!Dlk1!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9c57e1e9-f23e-46e3-824b-97e3ef65a28e_1690x936.jpeg 424w, https://substackcdn.com/image/fetch/$s_!Dlk1!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9c57e1e9-f23e-46e3-824b-97e3ef65a28e_1690x936.jpeg 848w, https://substackcdn.com/image/fetch/$s_!Dlk1!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9c57e1e9-f23e-46e3-824b-97e3ef65a28e_1690x936.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!Dlk1!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9c57e1e9-f23e-46e3-824b-97e3ef65a28e_1690x936.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!Dlk1!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9c57e1e9-f23e-46e3-824b-97e3ef65a28e_1690x936.jpeg" width="1456" height="806" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/9c57e1e9-f23e-46e3-824b-97e3ef65a28e_1690x936.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:806,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:118712,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/jpeg&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://www.threatswithoutborders.com/i/186552679?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9c57e1e9-f23e-46e3-824b-97e3ef65a28e_1690x936.jpeg&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!Dlk1!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9c57e1e9-f23e-46e3-824b-97e3ef65a28e_1690x936.jpeg 424w, https://substackcdn.com/image/fetch/$s_!Dlk1!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9c57e1e9-f23e-46e3-824b-97e3ef65a28e_1690x936.jpeg 848w, https://substackcdn.com/image/fetch/$s_!Dlk1!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9c57e1e9-f23e-46e3-824b-97e3ef65a28e_1690x936.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!Dlk1!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9c57e1e9-f23e-46e3-824b-97e3ef65a28e_1690x936.jpeg 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" 
width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>The report highlights how state-aligned actors are institutionalizing crypto infrastructure for sanctions evasion, how ransomware and scam operations have become more sophisticated and organized, and how Chinese money-laundering networks have evolved into massive settlement layers that process over $103 billion. 
</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!3rKX!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd4ae919b-ca07-4369-8157-e5e691c42ff5_1690x896.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><img src="https://substackcdn.com/image/fetch/$s_!3rKX!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd4ae919b-ca07-4369-8157-e5e691c42ff5_1690x896.jpeg" width="1456" height="772" class="sizing-normal" alt=""></picture></div></a></figure></div><p>The findings highlight that crypto crime has become a core part of both legitimate and illicit financial systems, emphasizing the need for improved enforcement coordination and specialized crypto-investigation tools.</p><p>This is a great report and well worth your time to read and digest.  </p><p><a href="https://www.trmlabs.com/reports-and-whitepapers/2026-crypto-crime-report">https://www.trmlabs.com/reports-and-whitepapers/2026-crypto-crime-report</a></p><div><hr></div><h4>Because like security, duh.</h4><p>I debated how to title this:  &#8220;<strong>Because we suck at security</strong>&#8221; or &#8220;<strong>This is why you respond to every alarm</strong>&#8221;.</p><p>A federal grand jury indicted 31 people for stealing millions from ATMs using Ploutus malware. 
The gang surveilled ATMs, opened them to test alarms, and replaced hard drives or connected thumb drives with malware to dispense cash.</p><p>Two key points: 1) The attackers forced open the ATMs and then retreated to safety. If police arrived, they fled the scene. They continued the attack if there was no police response. 2) Ploutus malware has been active since 2013. Yes, thirteen years ago. While it has evolved, technology and protections exist to prevent it.  </p><p>And it isn&#8217;t a stealthy attack.  It&#8217;s a physical intrusion into the machine.  It&#8217;s noisy and makes a mess.  Here is an <strong><a href="https://cloud.google.com/blog/topics/threat-intelligence/new-ploutus-variant">article</a></strong> the Google Threat Intelligence Team published in 2017 that explains the effort required to attack an ATM with Ploutus.</p><p>These types of attacks are preventable.  Of course, we suck at security.</p><p>Anyways, kudos to the law enforcement teams that coordinated to shut this group down.</p><p><a href="https://www.justice.gov/opa/pr/investigation-international-atm-jackpotting-scheme-and-tren-de-aragua-results-additional">https://www.justice.gov/opa/pr/investigation-international-atm-jackpotting-scheme-and-tren-de-aragua-results-additional</a></p><div><hr></div><h4>Presenter Pro-Tip</h4><p>When speaking to industry peers about a relevant topic, avoid wasting time explaining &#8220;how bad it is&#8221;. They already know. Being on the front lines, they recognize the problem; that&#8217;s why they&#8217;re listening to you.  </p><p>Unless you&#8217;re speaking to beginners, a non-peer group, or presenting entirely new material based on your own research, avoid starting with five slides filled with numbers and statistics about the problem&#8217;s prevalence. By the time you finish outlining the industry landscape, most of your audience&#8217;s attention will have drifted.   And honestly, it&#8217;s insulting.  
</p><p>I sat through a presentation this week in which the speaker spent the first ten minutes highlighting well-known fraud statistics from regularly cited sources like the Internet Crime Complaint Center. You're speaking to an audience of financial crime investigators. It&#8217;s ugly out there&#8212;we get it. That&#8217;s why we&#8217;re willing to give you thirty minutes of our time. Tell us something we don&#8217;t know!</p><div><hr></div><h4>The News&#8230;</h4><p>$2.5 million has been secured for a new cybercrime training facility in Madisonville, Kentucky. The facility, the largest police training academy in the state, will focus on cybercrime investigations and expand training to include computers, drones, and vehicle data systems. The investment aims to address the growing threat of cybercrime and position Madisonville as a leader in prevention and response. Kudos to them.  Hopefully, someone there will invite me for a visit!  <a href="https://spectrumnews1.com/ky/louisville/news/2026/01/26/cyber-crime-training-center">https://spectrumnews1.com/ky/louisville/news/2026/01/26/cyber-crime-training-center</a></p><p>Scammers are using a legitimate Microsoft email address (no-reply-powerbi@microsoft.com) associated with Power BI. They send fraudulent emails claiming fake $399 charges and direct victims to call a phone number, where they are instructed to install remote access software. This scam exploits Power BI&#8217;s feature that allows external email addresses to subscribe to reports, making the emails appear trustworthy without suspicious links or attachments that could trigger spam filters. Microsoft has temporarily disabled the scorecard email subscription feature while working on a permanent fix. This incident underscores how scammers can misuse legitimate business platforms to enhance the credibility of their social engineering schemes.  
<a href="https://arstechnica.com/information-technology/2026/01/theres-a-rash-of-scam-spam-coming-from-a-real-microsoft-address/">https://arstechnica.com/information-technology/2026/01/theres-a-rash-of-scam-spam-coming-from-a-real-microsoft-address/</a></p><p>Research by Chainalysis reveals Chinese-language money laundering groups laundered an estimated $16.1 billion in illicit cryptocurrency daily in 2025, totaling $82 billion annually. These groups utilize guarantee platforms, money mules, and Black U services to launder funds, including those stolen in <s>pig butchering</s> financial grooming scams.  <a href="https://www.chainalysis.com/blog/2026-crypto-money-laundering/">https://www.chainalysis.com/blog/2026-crypto-money-laundering/</a></p><p>The Google Threat Analysis Group (TAG) released its 4Q2025 Threat Report.  <a href="https://blog.google/threat-analysis-group/tag-bulletin-q4-2025/">https://blog.google/threat-analysis-group/tag-bulletin-q4-2025/</a></p><p>The FBI has seized the domains for the RAMP cybercrime forums.  <a href="https://www.bleepingcomputer.com/news/security/fbi-seizes-ramp-cybercrime-forum-used-by-ransomware-gangs/">https://www.bleepingcomputer.com/news/security/fbi-seizes-ramp-cybercrime-forum-used-by-ransomware-gangs/</a></p><p>Trend Micro examines the maturation of criminal AI in 2025, revealing a shift from experimentation to industrialization. The criminal AI ecosystem has consolidated around established services offering &#8220;jailbreak-as-a-service&#8221; that exploit commercial AI models rather than building independent systems.  
While AI-generated malware remains limited by practical constraints, deepfake technology has become alarmingly accessible and weaponized across multiple fronts, from &#8220;nudifying&#8221; apps enabling image-based abuse to sophisticated corporate infiltration schemes where North Korean operatives use AI-enhanced identities to gain employment at tech companies, and banking fraud targeting KYC verification systems.  <a href="https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/the-state-of-criminal-ai">https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/the-state-of-criminal-ai</a></p><p>The government seized over $400 million in assets from Larry Dean Harmon, operator of the darknet mixing service Helix. Harmon, who processed over $300 million in cryptocurrency transactions for Helix, pleaded guilty to money laundering and was sentenced to 36 months in prison.  <a href="https://www.justice.gov/opa/pr/government-forfeits-over-400m-assets-tied-helix-darknet-cryptocurrency-mixer">https://www.justice.gov/opa/pr/government-forfeits-over-400m-assets-tied-helix-darknet-cryptocurrency-mixer</a></p><div><hr></div><h4>Reader Mail</h4><p><em>Matt, thanks for the piece on paste sites. It brought back memories of an insider threat (corporate espionage) case I had about ten years ago, in which the employee used a paste site to send information to his handler. 
Using a prepaid cell phone, he&#8217;d paste his info into the same note every Tuesday. The handler would then go to the same note to retrieve the information. This was way before encrypted chat apps. We could never build a link to those he was communicating with.  - </em>RussK</p><p>Send email:  matt (at) threatswithoutborders.com </p><div><hr></div><h4>Cool Job</h4><p>Fraud Program Manager - Vervent.  <a href="https://recruiting.paylocity.com/recruiting/jobs/Details/3821568/Vervent-Inc/Fraud-Program-Manager">https://recruiting.paylocity.com/recruiting/jobs/Details/3821568/Vervent-Inc/Fraud-Program-Manager</a></p><h4>Cool Tool</h4><p>Search for people, Fast. <a href="https://www.fastpeoplesearch.com/"> https://www.fastpeoplesearch.com/</a></p><p>If Wal-Mart is closed, you know the weather is bad.  Someone created a Wal-Mart store status dashboard.  <a href="https://www.arcgis.com/apps/dashboards/4e573c79e1224081805165d25b4f33c7">https://www.arcgis.com/apps/dashboards/4e573c79e1224081805165d25b4f33c7</a></p><div><hr></div><h4>Someone I like</h4><p>There are not many people writing or podcasting in the Cyber/Fraud/AML space who I like enough to recommend in the newsletter. Check that, there are very few people that I like.  </p><p>But I like Sarah Beth Felix!  She writes a great LinkedIn newsletter focused on BSA and AML, titled &#8220;Dirty Money&#8221;.  Give her a follow.</p><p><a href="https://www.linkedin.com/pulse/problem-streamline-act-sarah-beth-felix-uxt7e/">https://www.linkedin.com/pulse/problem-streamline-act-sarah-beth-felix-uxt7e/</a></p><div><hr></div><h4>Irrelevant </h4><p>Sunshine and Salmon.   This study reveals that positive levels of Vitamin D and Omega-3 have a greater effect on a person than antidepressants.  <a href="https://blog.ncase.me/on-depression/">https://blog.ncase.me/on-depression/</a></p><div><hr></div><h4>Closing</h4><p>I wake up every morning at 5am. The other day, at 5 am, I started a pot of coffee. 
It was 12 degrees outside, and I heard the fire siren go off. I thought, &#8216;I&#8217;m glad I don&#8217;t need to leave this warm house and hot coffee to handle that.&#8217; But, of course, someone did have to go out and handle it. And in my area, these selfless souls don&#8217;t get paid for it.</p><p>My deepest thanks to all the local emergency services volunteers who leave the comfort and safety of their homes, and a freshly poured cup of hot coffee, every day to help others. Thank you!</p><p>Matt</p><div><hr></div><p>Published every Tuesday, Threats Without Borders offers original commentary and educational pieces related to cybercrime investigations and information security topics. We also summarize and comment on news articles concerning active threat intelligence for the financial industry. The newsletter interests everyone tasked with cybersecurity or involved in preventing or investigating technology-enabled fraud, theft, or money laundering.</p><p>Legal: I am not compensated by any entity for writing this newsletter. 
Obviously, anything written in this space is my own nonsensical opinions and doesn&#8217;t represent the official viewpoint of my employer or any associated organization. Blame me, not them.</p><p>aml cybercrime cybersecurity financial fraud investigation osint cyficrime </p>]]></content:encoded></item><item><title><![CDATA[Threats Without Borders - Issue 271]]></title><description><![CDATA[Cybersecurity Investigation Newsletter, week ending January 25, 2026]]></description><link>https://www.threatswithoutborders.com/p/threats-without-borders-issue-271</link><guid isPermaLink="false">https://www.threatswithoutborders.com/p/threats-without-borders-issue-271</guid><dc:creator><![CDATA[Matt Dotts]]></dc:creator><pubDate>Tue, 27 Jan 2026 10:56:06 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!gnGB!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fec11d95e-ced3-4599-874c-6076838cd6ca_800x600.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>I found myself chasing some information on a Paste site this week.  </p><p>A pastebin is a web service that allows users to store and share plain text via unique URLs. Originally designed as collaboration tools for developers and IT professionals, these platforms let anyone post code snippets, log files, configuration data, or notes without creating an account. Popular examples include Pastebin.com, Ghostbin, and JustPaste.it. 
</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!imfa!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F186b7b9a-8571-46b5-8c54-eac99b357e26_999x579.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><img src="https://substackcdn.com/image/fetch/$s_!imfa!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F186b7b9a-8571-46b5-8c54-eac99b357e26_999x579.jpeg" width="999" height="579" class="sizing-normal" alt="" fetchpriority="high"></picture></div></a></figure></div><p>There are dozens of legitimate use cases for these sites, from sharing error logs for troubleshooting and collaborating on code across teams to distributing configuration files. However, paste bins have become valuable infrastructure for threat actors precisely because of their legitimate popularity. </p><p>Several factors make them attractive for criminal activity:</p><ul><li><p>Blending with legitimate traffic: Security tools and web filters rarely block paste sites since they&#8217;re widely used by legitimate users. Malicious communications to these platforms can hide in plain sight among normal developer traffic.</p></li><li><p>Low-friction anonymity: Most paste sites require no authentication or allow throwaway accounts. 
Content moderation is often minimal, allowing malicious pastes to remain accessible for extended periods.</p></li><li><p>Zero infrastructure costs: By leveraging existing platforms, attackers avoid maintaining their own servers or domains, reducing both operational costs and the risk of takedowns. The paste site handles hosting, uptime, and global accessibility.</p></li></ul><p>The bad guys regularly upload stolen credentials, database dumps, and personal data (doxing) as pastes. These serve various purposes: showing evidence of a breach, promoting data sales, or blackmailing. Ransomware groups have turned paste sites into public boards, posting ransom demands, doxing threats, and attack updates before sharing links on underground forums or directly with targeted victims.</p><p>In more advanced scenarios, malware often uses a two-phase process where the initial infection involves only a small loader. This loader connects to a pastebin URL to access encoded content, which it then decodes and runs as the main payload. Similarly, malware configuration details like command-and-control links, encryption keys, and operational settings are stored as text and fetched at runtime. This approach gives attackers considerable flexibility, enabling them to update payloads or change configurations just by editing a paste. 
Such modifications are applied instantly across all infected systems without needing to redeploy the malware binaries.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!rAxF!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F54207a88-b310-4fb0-bd41-346d230bd8f7_1046x612.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><img src="https://substackcdn.com/image/fetch/$s_!rAxF!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F54207a88-b310-4fb0-bd41-346d230bd8f7_1046x612.jpeg" width="1046" height="612" class="sizing-normal" alt=""></picture></div></a></figure></div><p>Beyond direct malware operations, paste sites facilitate information sharing among threat actors. Exploit code, attack tutorials, and operational guides are posted as pastes with links shared through encrypted messaging apps, forums, or social media. Buyers and sellers of stolen data exchange samples, or &#8220;teasers,&#8221; via disposable paste links, avoiding more traceable communication methods.</p><p>For cybercrime investigators, paste bins represent both a challenge and an intelligence goldmine. Here&#8217;s how investigators can leverage these platforms:</p><ul><li><p>Indicator of Compromise extraction: Parse pastes for IOCs including IP addresses, domain names, file hashes, email addresses, and cryptocurrency wallets. 
These can feed into threat intelligence platforms or be cross-referenced with ongoing investigations.</p></li><li><p>Breach notification: When investigating a suspected data breach, search paste sites for your organization&#8217;s information. Stolen data often appears publicly before victims are aware of the compromise.</p></li><li><p>Timeline reconstruction: Paste timestamps can help establish attack timelines. When malware samples are discovered, investigators can check if associated paste bin URLs still contain payloads or configurations, potentially revealing the attack sequence.</p></li><li><p>Attribution clues: Pastes may contain unintentional artifacts (usernames, language preferences, coding styles, timezone indicators in timestamps) that help link activities to known threat actors or narrow suspect pools.</p></li></ul><p>Investigators should be aware that attackers can delete or alter content at any moment, and many pastes have automatic expiration features. Capture screenshots or archive suspicious pastes right away. Also, paste sites are operated worldwide, each with different policies on data retention, user privacy, and law enforcement cooperation. Since they are unlikely to respond to search warrants for data, seize what information you can whenever possible.  </p><p><a href="https://github.com/lorien/awesome-pastebins">https://github.com/lorien/awesome-pastebins</a></p><div><hr></div><h4>Call back</h4><p>In the last issue, we covered Synthetic Identity Fraud. Mr. Lenderman advises that the Federal Reserve has the most extensive documentation on this topic.  </p><p><a href="https://fedpaymentsimprovement.org/strategic-initiatives/payments-security/synthetic-identity-payments-fraud/">https://fedpaymentsimprovement.org/strategic-initiatives/payments-security/synthetic-identity-payments-fraud/</a></p><div><hr></div><h4>The News&#8230;</h4><p>A TD Bank employee has pled guilty to federal charges related to bribery and money laundering.  
The bank insider facilitated a money laundering scheme, accepting bribes to open accounts for shell companies and issue debit cards. He then shipped the cards to Colombia, where they were used for over 120,000 ATM withdrawals.  <a href="https://www.justice.gov/usao-nj/pr/td-bank-insider-pleads-guilty-facilitating-colombian-atm-money-laundering-scheme">https://www.justice.gov/usao-nj/pr/td-bank-insider-pleads-guilty-facilitating-colombian-atm-money-laundering-scheme</a></p><p>The Tallahassee, Florida, government was targeted by a scam, resulting in a loss of one million dollars to the fraudsters. Ouch. The city police department states they are investigating the incident, but a watchdog group argues that the Chief of Police cannot be impartial, as their superior is involved. Where is the FBI, they ask.  <a href="https://www.tallahassee.com/story/news/local/2026/01/20/watchdog-group-calls-for-fbi-fdle-to-investigate-city-cybercrime/88267720007/">https://www.tallahassee.com/story/news/local/2026/01/20/watchdog-group-calls-for-fbi-fdle-to-investigate-city-cybercrime/88267720007/</a></p><p>Jamf Threat Labs has observed the North Korea-linked &#8220;Contagious Interview&#8221; campaign, in which attackers use Microsoft Visual Studio Code to deliver malware. They lure victims into cloning fake Git repositories, often disguised as job tasks, from sites like GitHub or GitLab. When the repository is trusted in VS Code, a file automatically runs commands that download and execute a JavaScript backdoor, which communicates with control servers every five seconds. This allows the attackers to take control, gather system details, and run commands on victims' computers. The campaign shows that DPRK-linked hackers continue to adapt legitimate developer tools to their operations. Researchers advise developers to verify repositories before trusting them in VS Code and to avoid running commands like &#8220;npm install&#8221; on untrusted projects.  
<a href="https://www.jamf.com/blog/threat-actors-expand-abuse-of-visual-studio-code/">https://www.jamf.com/blog/threat-actors-expand-abuse-of-visual-studio-code/</a></p><p>Eight Amtrak employees have pleaded guilty to conspiracy to commit health care fraud. Between January 2019 and June 2022, they accepted kickbacks from healthcare providers in exchange for fraudulent billing of services, resulting in over $11 million in fraudulent claims. <a href="https://www.justice.gov/usao-nj/pr/amtrak-employees-admit-participating-11-million-health-care-fraud-scheme-0">https://www.justice.gov/usao-nj/pr/amtrak-employees-admit-participating-11-million-health-care-fraud-scheme-0</a></p><p>Okta Threat Intelligence discusses the evolution of sophisticated phishing kits specifically designed for voice-based social engineering (vishing) attacks. These kits, available as a service, allow attackers to control what victims see in their browsers in real time during phone calls, creating synchronized experiences that make fraudulent requests appear legitimate. The attackers typically impersonate IT support, guide victims to phishing sites, capture credentials, and then manipulate the browser display to match their verbal instructions for bypassing MFA challenges like push notifications or one-time passcodes. 
<a href="https://www.okta.com/blog/threat-intelligence/phishing-kits-adapt-to-the-script-of-callers/">https://www.okta.com/blog/threat-intelligence/phishing-kits-adapt-to-the-script-of-callers/</a></p><div><hr></div><h4>Is this irony</h4><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!QeS5!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F33d357c8-16ff-45e3-9cec-e81ac0517d57_1098x811.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!QeS5!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F33d357c8-16ff-45e3-9cec-e81ac0517d57_1098x811.jpeg 424w, https://substackcdn.com/image/fetch/$s_!QeS5!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F33d357c8-16ff-45e3-9cec-e81ac0517d57_1098x811.jpeg 848w, https://substackcdn.com/image/fetch/$s_!QeS5!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F33d357c8-16ff-45e3-9cec-e81ac0517d57_1098x811.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!QeS5!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F33d357c8-16ff-45e3-9cec-e81ac0517d57_1098x811.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!QeS5!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F33d357c8-16ff-45e3-9cec-e81ac0517d57_1098x811.jpeg" width="1098" height="811" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/33d357c8-16ff-45e3-9cec-e81ac0517d57_1098x811.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:811,&quot;width&quot;:1098,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:360974,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/jpeg&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.threatswithoutborders.com/i/185837351?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F33d357c8-16ff-45e3-9cec-e81ac0517d57_1098x811.jpeg&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!QeS5!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F33d357c8-16ff-45e3-9cec-e81ac0517d57_1098x811.jpeg 424w, https://substackcdn.com/image/fetch/$s_!QeS5!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F33d357c8-16ff-45e3-9cec-e81ac0517d57_1098x811.jpeg 848w, https://substackcdn.com/image/fetch/$s_!QeS5!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F33d357c8-16ff-45e3-9cec-e81ac0517d57_1098x811.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!QeS5!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F33d357c8-16ff-45e3-9cec-e81ac0517d57_1098x811.jpeg 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" 
width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>Number one rule of OSINT - don&#8217;t end up on a database while doing OSINT</p><div><hr></div><h4>Cool Job</h4><p>Manager of Investigations - Mattel (Hot Wheels) <a href="https://jobs.mattel.com/en/job/el-segundo/manager-of-investigations/2015/90587703168">https://jobs.mattel.com/en/job/el-segundo/manager-of-investigations/2015/90587703168</a></p><h4>Cool Tools</h4><p>People finder.  <a href="https://ufind.name/">https://ufind.name/</a></p><p>Search for just about any artifact you have.  <a href="https://intelx.io/">https://intelx.io/</a></p><div><hr></div><h4>Conference Updates</h4><p>Layer 8 Conference (OSINT focused) - Boston, June 5-6, 2026.  
<a href="https://layer8conference.com/">https://layer8conference.com/</a></p><p>Keystone <s>K</s>Connection (IAFCI Delaware Valley and Pittsburgh Metro Chapters) - State College, PA, May 18-20, 2026.  <a href="https://keystonekonnection.com/">https://keystonekonnection.com/</a></p><div><hr></div><h4>Irrelevant</h4><p>This guy is pretty smart for only being 34.  <a href="https://elliot.my/im-34-heres-34-things-i-wish-i-knew-at-21/">https://elliot.my/im-34-heres-34-things-i-wish-i-knew-at-21/</a></p><div><hr></div><h4>Sign Off</h4><p>I've gotten through the storm. It's all snow here, which makes it a pain to move, but it's not as damaging as ice. Sending my goodwill, hope, and prayers to those in the Southeast who were hit the hardest.  </p><p>Thank you for taking the time to read this issue, and I&#8217;ll see you next Tuesday.</p><p>Email: matt (at) threatswithoutborders.com</p><p>Matt</p><p>&#8220;LIFE IS EASIER WHEN YOU LEARN TO ACCEPT THE APOLOGY YOU NEVER GOT.&#8221;</p><div><hr></div><p>Published every Tuesday, Threats Without Borders offers original commentary and educational pieces related to cybercrime investigations and information security topics. We also summarize and comment on news articles concerning active threat intelligence for the financial industry. The newsletter interests everyone tasked with cybersecurity or involved in preventing or investigating technology-enabled fraud, theft, or money laundering.</p><p>Legal: I am not compensated by any entity for writing this newsletter. Obviously, anything written in this space is my own nonsensical opinions and doesn&#8217;t represent the official viewpoint of my employer or any associated organization. Blame me, not them.</p><p>cybercrime cybersecurity financial crime fraud investigations aml cyficrime </p>]]></content:encoded></item><item><title><![CDATA[Threats Without Borders - Issue 270]]></title><description><![CDATA[Cybercrime Investigation Newsletter, week ending January 18, 2026]]></description><link>https://www.threatswithoutborders.com/p/threats-without-borders-issue-270</link><guid isPermaLink="false">https://www.threatswithoutborders.com/p/threats-without-borders-issue-270</guid><dc:creator><![CDATA[Matt Dotts]]></dc:creator><pubDate>Tue, 20 Jan 2026 12:08:53 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!gnGB!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fec11d95e-ced3-4599-874c-6076838cd6ca_800x600.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>I frequently see requests from investigators seeking OSINT (Open Source Intelligence) training and resources to track down scofflaw account holders. 
The common belief is, &#8220;If we have more tools and training, we can effectively find these individuals.&#8221; </p><p>This topic came up in a forum this week, reminding me of a recent LinkedIn post that truly resonated with me.</p><div class="captioned-image-container"><figure><a class="image-link image2" target="_blank" href="https://substackcdn.com/image/fetch/$s_!kdBJ!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc088f532-48d6-49be-a0e2-f9add7205d48_502x228.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!kdBJ!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc088f532-48d6-49be-a0e2-f9add7205d48_502x228.jpeg 424w, https://substackcdn.com/image/fetch/$s_!kdBJ!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc088f532-48d6-49be-a0e2-f9add7205d48_502x228.jpeg 848w, https://substackcdn.com/image/fetch/$s_!kdBJ!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc088f532-48d6-49be-a0e2-f9add7205d48_502x228.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!kdBJ!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc088f532-48d6-49be-a0e2-f9add7205d48_502x228.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!kdBJ!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc088f532-48d6-49be-a0e2-f9add7205d48_502x228.jpeg" width="502" height="228" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/c088f532-48d6-49be-a0e2-f9add7205d48_502x228.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:228,&quot;width&quot;:502,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:52906,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/jpeg&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://www.threatswithoutborders.com/i/185027416?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc088f532-48d6-49be-a0e2-f9add7205d48_502x228.jpeg&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!kdBJ!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc088f532-48d6-49be-a0e2-f9add7205d48_502x228.jpeg 424w, https://substackcdn.com/image/fetch/$s_!kdBJ!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc088f532-48d6-49be-a0e2-f9add7205d48_502x228.jpeg 848w, https://substackcdn.com/image/fetch/$s_!kdBJ!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc088f532-48d6-49be-a0e2-f9add7205d48_502x228.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!kdBJ!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc088f532-48d6-49be-a0e2-f9add7205d48_502x228.jpeg 1456w" sizes="100vw" fetchpriority="high"></picture><div></div></div></a></figure></div><p>For those not aware, a recent TransUnion <a href="https://www.transunion.com/blog/what-is-synthetic-identity-fraud">analysis</a> shows that synthetic identity fraud loss 
exposure rose to $3.3 billion for US lenders in 2024, involving open accounts for credit cards, retail cards, auto loans, and personal loans.</p><p>Investigators DO need more OSINT training and access to better tools, but first things first&#8230; tools and knowing how to use them are irrelevant if the person you're trying to find doesn&#8217;t exist!</p><p>A lot of time is spent tracking down puppets instead of uncovering the puppet masters. </p><p>The initial step should be learning how to identify synthetic identities. If an account is synthetic, focus on discovering who is behind it. If you verify that the account is linked to a real person, then proceed to find that individual. </p><p>At this stage, the initial question shouldn&#8217;t be &#8220;Where is this person?&#8221;, but rather &#8220;Is this actually a person?&#8221;.</p><p><a href="https://plaid.com/resources/fraud/synthetic-identity-fraud/">https://plaid.com/resources/fraud/synthetic-identity-fraud/</a></p><div><hr></div><h4>The News&#8230;</h4><p>Trellix observed a surge in Facebook phishing scams in the second half of 2025, notably using the &#8220;Browser in the Browser&#8221; technique to trick users into revealing credentials.  <a href="https://www.trellix.com/blogs/research/the-unfriending-truth-how-to-spot-a-facebook-phishing-scam/">https://www.trellix.com/blogs/research/the-unfriending-truth-how-to-spot-a-facebook-phishing-scam/</a></p><p>Unit 42 describes a payroll fraud attack where threat actors used social engineering to compromise employee accounts and redirect paychecks to attacker-controlled bank accounts. The attackers bypassed technical security controls by impersonating employees and manipulating help desk staff into performing password resets and MFA re-enrollment, using publicly available information from social platforms to answer verification questions. 
<a href="https://unit42.paloaltonetworks.com/social-engineering-payroll-pirates/">https://unit42.paloaltonetworks.com/social-engineering-payroll-pirates/</a></p><p>The Chainalysis 2026 Crypto Crime Report estimates that $17 billion was lost to crypto scams and fraud in 2025. This increase was driven by a 1400% year-over-year rise in impersonation scams and the growing use of AI tools, which make scams 4.5 times more profitable. Major trends include the industrialization of fraud through &#8220;crime-as-a-service&#8221; models like phishing kits and AI-powered deepfakes, often connected to criminal networks in East and Southeast Asia. The report also emphasizes the merging of different scam types, the involvement of human trafficking, and the urgent need for better international cooperation and real-time detection tools to address the escalating transnational threat.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!1WfF!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F825ee1ca-e630-4faa-93f0-b95d31c30926_1542x1262.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!1WfF!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F825ee1ca-e630-4faa-93f0-b95d31c30926_1542x1262.jpeg 424w, https://substackcdn.com/image/fetch/$s_!1WfF!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F825ee1ca-e630-4faa-93f0-b95d31c30926_1542x1262.jpeg 848w, https://substackcdn.com/image/fetch/$s_!1WfF!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F825ee1ca-e630-4faa-93f0-b95d31c30926_1542x1262.jpeg 
1272w, https://substackcdn.com/image/fetch/$s_!1WfF!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F825ee1ca-e630-4faa-93f0-b95d31c30926_1542x1262.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!1WfF!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F825ee1ca-e630-4faa-93f0-b95d31c30926_1542x1262.jpeg" width="1456" height="1192" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/825ee1ca-e630-4faa-93f0-b95d31c30926_1542x1262.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1192,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:107029,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/jpeg&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.threatswithoutborders.com/i/185027416?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F825ee1ca-e630-4faa-93f0-b95d31c30926_1542x1262.jpeg&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!1WfF!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F825ee1ca-e630-4faa-93f0-b95d31c30926_1542x1262.jpeg 424w, https://substackcdn.com/image/fetch/$s_!1WfF!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F825ee1ca-e630-4faa-93f0-b95d31c30926_1542x1262.jpeg 848w, 
https://substackcdn.com/image/fetch/$s_!1WfF!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F825ee1ca-e630-4faa-93f0-b95d31c30926_1542x1262.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!1WfF!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F825ee1ca-e630-4faa-93f0-b95d31c30926_1542x1262.jpeg 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><p><a 
href="https://www.chainalysis.com/blog/crypto-scams-2026/">https://www.chainalysis.com/blog/crypto-scams-2026/</a></p><p>Microsoft Threat Intelligence has identified RedVDS, a virtual desktop service exploited by cybercriminals for activities like business email compromise (BEC), phishing, account takeovers, and financial fraud. Operating since 2019, RedVDS offers inexpensive, unlicensed Windows RDP servers with complete administrative control, allowing threat actors to carry out extensive attacks with little oversight. The service is hosted by several third-party providers in countries including the U.S., Canada, UK, France, and the Netherlands, with payments made through cryptocurrency to preserve anonymity. <a href="https://www.microsoft.com/en-us/security/blog/2026/01/14/inside-redvds-how-a-single-virtual-desktop-provider-fueled-worldwide-cybercriminal-operations/">https://www.microsoft.com/en-us/security/blog/2026/01/14/inside-redvds-how-a-single-virtual-desktop-provider-fueled-worldwide-cybercriminal-operations/</a></p><p>A man from Venezuela has been charged in the Eastern District of Virginia with laundering one billion dollars. Yes, that's a billion.  <a href="https://www.justice.gov/usao-edva/pr/venezuelan-national-charged-laundering-approximately-billion-dollars-illicit-funds">https://www.justice.gov/usao-edva/pr/venezuelan-national-charged-laundering-approximately-billion-dollars-illicit-funds</a></p><p>Ever wonder how cocaine traffickers launder their money?  Well, here&#8217;s a pretty good explanation.  <a href="https://theconversation.com/how-cocaine-traffickers-launder-cartel-money-270500">https://theconversation.com/how-cocaine-traffickers-launder-cartel-money-270500</a></p><div><hr></div><h4>DFIR</h4><p>Steve Whalen is the O.G. of Mac forensics, so when he writes something, you need to read it.  He explains why physical imaging is effectively dead for modern macOS machines.  
<a href="https://sumuri.com/the-death-of-physical-imaging-understanding-the-new-standard-in-mac-forensics/">https://sumuri.com/the-death-of-physical-imaging-understanding-the-new-standard-in-mac-forensics/</a></p><div><hr></div><h4>I know physics</h4><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!DDM1!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fac28ec1f-1fca-49e8-a852-78bb9ab1b27c_1216x616.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!DDM1!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fac28ec1f-1fca-49e8-a852-78bb9ab1b27c_1216x616.jpeg 424w, https://substackcdn.com/image/fetch/$s_!DDM1!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fac28ec1f-1fca-49e8-a852-78bb9ab1b27c_1216x616.jpeg 848w, https://substackcdn.com/image/fetch/$s_!DDM1!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fac28ec1f-1fca-49e8-a852-78bb9ab1b27c_1216x616.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!DDM1!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fac28ec1f-1fca-49e8-a852-78bb9ab1b27c_1216x616.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!DDM1!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fac28ec1f-1fca-49e8-a852-78bb9ab1b27c_1216x616.jpeg" width="1216" height="616" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/ac28ec1f-1fca-49e8-a852-78bb9ab1b27c_1216x616.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:616,&quot;width&quot;:1216,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:168408,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/jpeg&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.threatswithoutborders.com/i/185027416?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fac28ec1f-1fca-49e8-a852-78bb9ab1b27c_1216x616.jpeg&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!DDM1!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fac28ec1f-1fca-49e8-a852-78bb9ab1b27c_1216x616.jpeg 424w, https://substackcdn.com/image/fetch/$s_!DDM1!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fac28ec1f-1fca-49e8-a852-78bb9ab1b27c_1216x616.jpeg 848w, https://substackcdn.com/image/fetch/$s_!DDM1!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fac28ec1f-1fca-49e8-a852-78bb9ab1b27c_1216x616.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!DDM1!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fac28ec1f-1fca-49e8-a852-78bb9ab1b27c_1216x616.jpeg 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" 
width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><div><hr></div><h4>Cool Job</h4><p>Fraud and Corruption Investigator - NSA.  <a href="https://apply.intelligencecareers.gov/job-description/1248692">https://apply.intelligencecareers.gov/job-description/1248692</a></p><h4><a href="https://apply.intelligencecareers.gov/job-description/1248692">Cool Tool</a></h4><p>Quickly find those hidden account deletion pages. <a href="https://justdeleteme.xyz/"> https://justdeleteme.xyz/</a></p><p>To the glee of the enterprise's Marketing departments, this tool helps you create the most suspicious-looking link possible.  <a href="https://creepylink.com/">https://creepylink.com/</a></p><div><hr></div><h4>Irrelevant</h4><p>It&#8217;s annoying that Wal-Mart doesn&#8217;t accept Apple Pay. Here&#8217;s an explanation why.  
<a href="https://9to5mac.com/2026/01/18/heres-why-walmart-still-doesnt-support-apple-pay/">https://9to5mac.com/2026/01/18/heres-why-walmart-still-doesnt-support-apple-pay/</a></p><div><hr></div><h4>Sign Off</h4><p>Thanks for checking in again this week. A major storm is forecasted to hit most of the eastern U.S. this weekend, so please stay safe if you need to travel.</p><p>See you all next Tuesday.</p><p>Matt</p><p>&#8220;IT ISN&#8217;T A PROBLEM UNLESS YOU WORRY ABOUT IT.&#8221;</p>]]></content:encoded></item><item><title><![CDATA[Threats Without Borders - Issue 269]]></title><description><![CDATA[Cyber Financial Crime Investigation Newsletter, week ending January 11th, 2026]]></description><link>https://www.threatswithoutborders.com/p/threats-without-borders-issue-269</link><guid isPermaLink="false">https://www.threatswithoutborders.com/p/threats-without-borders-issue-269</guid><dc:creator><![CDATA[Matt Dotts]]></dc:creator><pubDate>Tue, 13 Jan 2026 13:07:23 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!gnGB!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fec11d95e-ced3-4599-874c-6076838cd6ca_800x600.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>Last week, an investigator asked me a common question: &#8220;Does a copy of a check deposited via mobile banking app qualify as the actual check?&#8221;</p><p>I&#8217;m not a lawyer, so don&#8217;t listen to me.</p><p>In 2004, Congress enacted the Check Clearing for the 21st Century Act, known as Check 21. It aimed to speed up check processing by allowing banks to handle checks electronically instead of shipping paper. The law introduced the &#8220;substitute check&#8221;: a paper printout of a digital image that has the same legal status as the original check. Essentially, this means that a digital copy created during mobile deposit can legally stand in for the physical check. The substitute check isn&#8217;t just evidence of the original; it is considered the original in legal terms.</p><p>This marked a significant shift from traditional negotiable instruments law, which relied on physical possession of the original document. 
Congress deemed the efficiency improvements worth the tradeoff, and electronic check processing is now crucial to the financial system.</p><p>For investigators, this raises questions about the Best Evidence Rule, which requires producing the original document unless there&#8217;s a valid reason not to. When the original check is unavailable, such as when it&#8217;s destroyed after digital imaging or submitted via mobile deposit, courts have accepted that the substitute check under Check 21 is legally equivalent to the original.</p><p>Presenting the digital copy satisfies the Best Evidence Rule because the law equates the two.</p><p>Congress knew that this approach posed a tradeoff; it enhanced efficiency and reduced costs but diminished certain forensic and evidentiary capabilities. Protections for consumers, like indemnity for incorrect substitute checks, exist, but they do not resolve issues in criminal cases where key evidence might be missing. While the law requires substitute checks to display certain legends clarifying they are reproductions, this does not help detect digital fraud exploits.</p><p>So, to revisit the question: does a mobile deposit image count as the actual check? Legally, I believe it does. However, I only play attorney online, so consult your prosecutor for certainty. 
</p><div><hr></div><h4>Speaking of checks</h4><div class="captioned-image-container"><figure><a class="image-link" target="_blank" href="https://substackcdn.com/image/fetch/$s_!3qMN!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F14b2d28c-f21b-4a09-bf2e-719229156f11_1002x700.jpeg"><img src="https://substackcdn.com/image/fetch/$s_!3qMN!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F14b2d28c-f21b-4a09-bf2e-719229156f11_1002x700.jpeg" width="1002" height="700" alt="" loading="lazy"></a></figure></div><div><hr></div><h4>The News</h4><p>Between July and December 2025, Team Cymru investigated carding infrastructure through internet-wide scanning, passive DNS, and NetFlow data. Their goal was to identify and monitor illicit carding markets and forums. By searching for keywords like &#8220;CVV&#8221; and &#8220;Carding&#8221; in HTTP/HTTPS banners and examining X.509 certificates, they identified 28 unique IP addresses hosting carding activities. Many of these were linked to domains with TLDs such as .su, .cc, and .ru, often hosted by offshore providers like Privex that offer privacy-intensive VPS services, allowing cybercriminals to operate with minimal oversight. The findings underscore the role of carding markets as transactional platforms and forums as social hubs for cybercriminals. 
<a href="https://www.team-cymru.com/post/analysing-carding-infrastructure">https://www.team-cymru.com/post/analysing-carding-infrastructure</a></p><p>Two Pittsburgh business owners face charges from the Pennsylvania Attorney General's Office for conspiracy and handling proceeds of illegal activities, accused of conducting a complex EBT card fraud scheme. The investigation found that they bought EBT cards at discounted prices from benefit recipients, then used those cards for over 800 transactions totaling $178,289 at Sam&#8217;s Club and other stores, purchasing food items such as beef, chicken, bread, and drinks. They allegedly sold these items at their restaurant and deli on East Ohio Street in Pittsburgh, misusing a public assistance program meant to aid underserved residents to boost their business profits. <a href="https://www.attorneygeneral.gov/taking-action/attorney-general-sundays-organized-retail-crime-unit-charges-2-pittsburgh-business-owners-in-178k-ebt-card-scheme/">https://www.attorneygeneral.gov/taking-action/attorney-general-sundays-organized-retail-crime-unit-charges-2-pittsburgh-business-owners-in-178k-ebt-card-scheme/</a></p><p>The World Economic Forum published its Global Security Outlook 2026 report.  <a href="https://reports.weforum.org/docs/WEF_Global_Cybersecurity_Outlook_2026.pdf">https://reports.weforum.org/docs/WEF_Global_Cybersecurity_Outlook_2026.pdf</a></p><p>What do you mean it&#8217;s a wiretap? A Michigan man pleaded guilty to federal charges for knowingly marketing pcTattletale, a monitoring software he developed in 2002. He promoted it as a tool to spy on romantic partners without their consent. Although initially advertised for legitimate purposes like parental monitoring and employee tracking, he shifted to marketing it as a &#8220;catch a cheater&#8221; app. He provided instructions for secretly installing it on partners&#8217; phones while they slept and hiding evidence of its use. 
Federal investigators found substantial evidence that he supported users who explicitly said they were spying on spouses without permission, actively promoting the software with affiliate marketing aimed at people suspicious of cheating partners.  <a href="https://arstechnica.com/security/2026/01/michigan-man-learns-the-hard-way-that-catch-a-cheater-spyware-apps-arent-legal/">https://arstechnica.com/security/2026/01/michigan-man-learns-the-hard-way-that-catch-a-cheater-spyware-apps-arent-legal/</a></p><p>Group-IB has identified a sophisticated phishing campaign, active since August 2025, that impersonates DocuSign emails and uses LogoKit, a framework that dynamically customizes credential-harvesting pages in real time to match victim organizations.  <a href="https://www.group-ib.com/blog/docusign-impersonation-logokit/">https://www.group-ib.com/blog/docusign-impersonation-logokit/</a></p><p>Infoblox research shows that parked domains are now far more dangerous than before, with over 90% of visits leading to malicious content&#8212;a sharp increase from less than 5% a decade ago. The main threat comes from &#8220;direct search&#8221; or &#8220;zero-click parking&#8221; features that route users through complex traffic distribution systems (TDS) and ad networks, complicating attribution. The study uncovers three new threat actors who employ advanced techniques like DNS manipulation, double fast flux, and typosquatting on major brands to direct unsuspecting users, especially those making simple typos, toward scams, malware, and data theft. These domain owners actively profile visitors, serving safe parking pages to security scanners while funneling actual users to malicious advertisers. This creates a weaponized ecosystem where legitimate business practices enable cybercrime with little oversight.  
<a href="https://www.infoblox.com/blog/threat-intelligence/parked-domains-become-weapons-with-direct-search-advertising/">https://www.infoblox.com/blog/threat-intelligence/parked-domains-become-weapons-with-direct-search-advertising/</a></p><p>Nineteen countries collaborated to arrest 574 individuals, recover approximately USD 3 million, and dismantle criminal infrastructure. <a href="https://www.trmlabs.com/resources/blog/international-cybercrime-operation-leads-to-574-arrests-and-usd-3-million-in-recovered-funds-2">https://www.trmlabs.com/resources/blog/international-cybercrime-operation-leads-to-574-arrests-and-usd-3-million-in-recovered-funds-2</a></p><div class="captioned-image-container"><figure><a class="image-link" target="_blank" href="https://substackcdn.com/image/fetch/$s_!ZwpL!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2e6c58eb-13ca-4a36-b7ea-01cc662928cc_1504x782.jpeg"><img src="https://substackcdn.com/image/fetch/$s_!ZwpL!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2e6c58eb-13ca-4a36-b7ea-01cc662928cc_1504x782.jpeg" width="1456" height="757" alt="" loading="lazy"></a></figure></div><p><a href="https://blog.barracuda.com/2026/01/07/threat-spotlight-phishing-kits-evolved-2025">https://blog.barracuda.com/2026/01/07/threat-spotlight-phishing-kits-evolved-2025</a></p><div><hr></div><h4>Cool Tools</h4><p>What do the attackers know about your website?  Or any website.  
<a href="https://web-check.xyz/">https://web-check.xyz/</a></p><p>Send a self-destructing note.  <a href="https://burnernote.com/">https://burnernote.com/</a></p><h4>Cool Job</h4><p>Senior AML Investigations Trainer, Coinbase.  <a href="https://www.coinbase.com/careers/positions/6852375">https://www.coinbase.com/careers/positions/6852375</a></p><div><hr></div><h4>Mail</h4><p><em>Matt, I think you're off-base about the impact of AI on the level of fraud.  It&#8217;s playing a major role and is only going to get worse as the AI models become more reasonable in price and accessible in countries with less access to the higher-capacity computing needed to run them.</em> - DT</p><p><em>I appreciate your level-headed take on fraud trends and your resistance to pushing  fraud Panic-Porn on us.  I saw one group providing their trends, and it was clear they didn&#8217;t even understand the technology they were warning the rest of us to watch out for.  Then someone posted a video on LinkedIn about the mentioned trends report, and they had even less understanding.</em> - KDel</p><p><em>Matt: Enjoyed your article&nbsp;on what is new, is old.&nbsp; Hit the nail on the head.&nbsp; &nbsp;Another area that should be a focus is the insider threat.&nbsp; &nbsp;It has been around for years and is old, but those doing it are new, and the tools that they can use are new.&nbsp; Below is an example</em>. - CG</p><div><hr></div><h4>DFIR</h4><p>Atola provided a fairly comprehensive list of DFIR conferences to attend in 2026.  <a href="https://blog.atola.com/top-digital-forensic-conferences/">https://blog.atola.com/top-digital-forensic-conferences/</a></p><div><hr></div><h4>Irrelevant </h4><p>Increase your productivity, or at least sanity, using the Napoleon Technique.  
<a href="https://effectiviology.com/napoleon/">https://effectiviology.com/napoleon/</a></p><div><hr></div><h4>Sign off</h4><p>I was driving through a local city and as I pulled up to an intersection, there was a man on the corner holding a panel of cardboard folded in half. As he opened it, I expected to see &#8220;Homeless Vet, Please Help, God Bless&#8221; or something similar to the traditional panhandler sign. Instead, it said, &#8220;WEED&#8221;. It totally threw me off, to the point that I sat halfway through the green light cycle as I processed the proposition. Are you selling or buying? What is it you want me to do???? I was literally knocked sideways by the unexpected ambiguity.</p><p>Welcome new subscribers! A small group of people like it here, and I hope you do as well.  Thank you for giving it a chance.</p><p>Send me email:  matt (at) threatswithoutborders.com</p><p>&#8220;WORRY IS INTEREST PAID ON TROUBLE BEFORE IT COMES DUE.&#8221;</p><div><hr></div><p>Published every Tuesday, Threats Without Borders offers original commentary and educational pieces related to cybercrime investigations and information security topics. We also summarize and comment on news articles concerning active threat intelligence for the financial industry. The newsletter interests everyone tasked with cybersecurity or involved in preventing or investigating technology-enabled fraud, theft, or money laundering.</p>
<p>Legal: I am not compensated by any entity for writing this newsletter. Obviously, anything written in this space is my own nonsensical opinions and doesn&#8217;t represent the official viewpoint of my employer or any associated organization. Blame me, not them.</p>]]></content:encoded></item><item><title><![CDATA[Threats Without Borders - Issue 268]]></title><description><![CDATA[Cyber Financial Crime Investigation Newsletter, week ending January 4, 2026]]></description><link>https://www.threatswithoutborders.com/p/threats-without-borders-issue-268</link><guid isPermaLink="false">https://www.threatswithoutborders.com/p/threats-without-borders-issue-268</guid><dc:creator><![CDATA[Matt Dotts]]></dc:creator><pubDate>Tue, 06 Jan 2026 12:01:39 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!gnGB!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fec11d95e-ced3-4599-874c-6076838cd6ca_800x600.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>Happy New Year - It&#8217;s gonna be the same</p><p>It&#8217;s that time when every blogger, YouTuber, LinkedIn warrior, and yes, even an itinerant newsletter writer, feels the need to guess what&#8217;s coming in the new year.</p><p>I look to the past.  In fact, I could probably just recycle what I wrote last year, and the year before that, and the year before that.</p><p>Because when it comes to cyber and financial crime, the old is always news again.</p><p>This past year, my organization was targeted with intensive email bomb attacks.  
Didn&#8217;t have that on my bingo card. I mean, when were those last popular? Mid-2000s? </p><p>And you know what else was crushing?  Social engineering attacks by telephone.  Email phishing. Card cracking...oh, that&#8217;s so 2015.   </p><p>Facebook Marketplace scams?  Believe it or not, over 3 billion people still use Facebook every day.  </p><p>And as <a href="https://www.linkedin.com/in/david-maimon-29343632/">David Maimon</a> so directly highlights just about every week on LinkedIn, check fraud.  Yeah, paper check fraud.</p><p>Sure, technology has been used to enhance these old-school attacks to make them more effective, but for the most part, the bad guys don&#8217;t stray too far from the playbook.</p><p>But Matt, what about DDoS and ransomware?  Just extortion.  Same ol&#8217; crime, new technology.  There are practical solutions to prevent both. </p><p>And as far as AI, it&#8217;s a real danger for sure... but not because it&#8217;s going to be used to launch some complex and elaborate attack against our network infrastructure.  It&#8217;s because employees are loading corporate secrets into it while writing a product brief, or giving away their customer database while formatting a spreadsheet.  </p><p>Don&#8217;t hear what I&#8217;m not saying.  There are many advanced technological attacks, but for the most part, the real risk comes from the non-technical.  </p><p>As an investigator, dedicate yourself to learning about the newest threats, but don&#8217;t forget where we&#8217;ve been. </p><p>Welcome to 2026, or maybe 2016.  </p><div><hr></div><h4>The News&#8230;</h4><p>Baker University disclosed a data breach affecting more than 53,000 individuals, revealing that attackers accessed its network from December 2-19, 2024 and stole sensitive information. The Kansas school hasn&#8217;t released information about the cause of the breach.  
<a href="https://www.bakeru.edu/wp-content/uploads/2025/12/Baker-Unviersity-Final-Website-Notice.pdf">https://www.bakeru.edu/wp-content/uploads/2025/12/Baker-Unviersity-Final-Website-Notice.pdf</a></p><p>The U.S. Attorney&#8217;s Office, working with international partners and the Michigan State Police, dismantled the online infrastructure of E-Note, a cryptocurrency exchange reportedly used for money laundering by transnational cybercriminal groups. Operating since 2010, the service provided money laundering services to cybercriminals, enabled international transfer of criminal funds, and converted cryptocurrency into cash. It&#8217;s good to see a cyber task force receive credit for its efforts.  <a href="https://www.justice.gov/usao-edmi/pr/fbi-disrupts-virtual-money-laundering-service-used-facilitate-criminal-activity">https://www.justice.gov/usao-edmi/pr/fbi-disrupts-virtual-money-laundering-service-used-facilitate-criminal-activity</a></p><p>Brad Duncan at the SANS Internet Storm Center examines some cryptocurrency scam emails.  <a href="https://isc.sans.edu/diary/rss/32594">https://isc.sans.edu/diary/rss/32594</a></p><p>I teach a class called &#8220;How the Internet Works,&#8221; which delves into the development of IPv6 and why it&#8217;s not being adopted.  IPv6, now 30 years old, was created in 1995 to address the looming IPv4 address shortage by expanding from 32-bit to 128-bit addresses, significantly increasing the available IP pool. Yet, less than half of internet users have adopted IPv6 due to its limited features beyond the larger address space, lack of backward compatibility with IPv4, and the widespread use of Network Address Translation (NAT), which allows multiple devices to share a single IPv4 address. <a href="https://www.theregister.com/2025/12/31/ipv6_at_30/">https://www.theregister.com/2025/12/31/ipv6_at_30/</a></p><p>More like an incident non-response.  
Hernando County government website and services were offline for over a year and a half due to a Rhysida ransomware attack. The county recently confirmed data exfiltration, although the local newspaper has been actively reporting on the incident throughout.  Nice of the County to finally confirm what the local reporter knew 18 months ago.  <a href="https://www.hernandosun.com/2026/01/02/hernando-county-notices-cybersecurity-breach-21-months-later/">https://www.hernandosun.com/2026/01/02/hernando-county-notices-cybersecurity-breach-21-months-later/</a></p><p>Though not a major vulnerability, I tested this issue and confirmed it. A quirk in the iPhone Camera app causes the camera to activate when the app icon is touched, even if the app isn't opened.  <a href="https://blog.jgc.org/2025/12/if-you-care-about-security-you-might.html">https://blog.jgc.org/2025/12/if-you-care-about-security-you-might.html</a></p><div><hr></div><h4>Reader Mail</h4><p><em>Matt, my victim purchased some &#8220;Bitcoin&#8221; from someone on Facebook Marketplace.  I&#8217;ve attached an image from the ad for your amusement. 
</em>- G</p><div class="captioned-image-container"><figure><a class="image-link" target="_blank" href="https://substackcdn.com/image/fetch/$s_!deuW!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F740c9662-6e14-4abe-89b9-32a7d1cfeceb_1050x1018.jpeg"><img src="https://substackcdn.com/image/fetch/$s_!deuW!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F740c9662-6e14-4abe-89b9-32a7d1cfeceb_1050x1018.jpeg" width="1050" height="1018" alt="" loading="lazy"></a></figure></div><p>This raises a genuine legal question: Is there a crime here? Clearly, the buyer failed to do basic research to understand what they intended to buy versus what they actually purchased. Where is the line between &#8220;theft by deception&#8221; and &#8220;buyer beware&#8221;? If I advertise an elephant for sale with a picture of a Husky and deliver a dog instead of an elephant, is that theft? 
Or is the buyer simply negligent or maybe plain stupid?</p><p>Send me mail: matt (at) threatswithoutborders.com</p><div><hr></div><h4>If the rent is too damn low</h4><p>(It&#8217;s probably a scam)</p><p>The FTC released a new Data Spotlight report highlighting nearly 65,000 rental scams since 2020, resulting in approximately $65 million in losses, with the actual harm likely much higher due to underreporting.</p><p>Some highlights of the report:</p><ul><li><p>Scammers create fake listings by copying legitimate ads, changing contact information, or fabricating properties with attractive photos and below-market rent</p></li><li><p>Facebook is the most reported platform (50% of scams), followed by Craigslist (16%)</p></li><li><p>Young adults ages 18-29 are three times more likely to lose money to rental scams than other age groups</p></li><li><p>The median reported loss is $1,000 per victim</p></li></ul><p><a href="https://www.ftc.gov/news-events/data-visualizations/data-spotlight/2025/12/rental-scams-hit-home-65-million-reported-losses">https://www.ftc.gov/news-events/data-visualizations/data-spotlight/2025/12/rental-scams-hit-home-65-million-reported-losses</a></p><div><hr></div><h4>Cool Job</h4><p>Director of Intelligence and Investigations - Major League Soccer.  <a href="https://careers-mlssoccer.icims.com/jobs/2207/job">https://careers-mlssoccer.icims.com/jobs/2207/job</a></p><p>Senior Manager, Payments and Fraud - Tapestry <a href="https://careers.tapestry.com/job/North-Bergen-Sr_-Manager%2C-Payments-&amp;-Fraud-NJ/1262914600/">https://careers.tapestry.com/job/North-Bergen-Sr_-Manager%2C-Payments-&amp;-Fraud-NJ/1262914600/</a></p><h4>Cool Tool</h4><p>Search public forums and message boards: <a href="https://boardreader.com/">https://boardreader.com/</a></p><p>IntelOwl is an open-source platform built for managing large-scale threat intelligence. 
It combines a variety of online analyzers and sophisticated malware analysis tools to offer comprehensive insights from a single interface. <a href="https://github.com/intelowlproject/IntelOwl">https://github.com/intelowlproject/IntelOwl</a></p><div><hr></div><h4>Irrelevant</h4><p>Last week, I provided an overview of the iOS apps that were moved to my phone's home screen due to heavy usage.  Here are my favorite macOS applications.</p><p><a href="https://brave.com/download/">Brave</a> is my web browser of choice.  It&#8217;s not as full-featured as Safari, but it is privacy-focused and secure, and it includes the best ad and pop-up blocker built in.  </p><p>My information documentation and retention system includes <a href="https://obsidian.md/">Obsidian</a> as my knowledge base, where I store long-term information&#8212;think of it as a personal Wiki. For routine notes, I use <a href="https://bear.app/">Bear</a>. Almost all of my notes begin in Bear and are moved to other repositories as needed. Bear uses tags for organization rather than folders. It&#8217;s awkward at first, but once you get the hang of it, you don&#8217;t want to use anything else. Additionally, I use Apple Notes for documentation tasks such as saving receipts or property inventories. </p><p>As mentioned in the iOS post, <a href="https://culturedcode.com/things/">Things 3</a> is my task manager / To-Do application.  It&#8217;s simple and effective.</p><p>All my writing starts in <a href="https://getdrafts.com/">Drafts</a>. It&#8217;s hard to find another app that&#8217;s as effective and efficient as Drafts, regardless of the app&#8217;s purpose. It&#8217;s really good, and the development team keeps it on point. I&#8217;ll transfer writing out of Drafts to other resources as needed. And of course, everything gets run through <a href="https://www.grammarly.com/">Grammarly</a>. I pay for the Pro license, and it&#8217;s easily one of my best investments.  
</p><p>I&#8217;ve tested nearly all commercially available AI and LLM models. My most used are <a href="https://www.perplexity.ai/">Perplexity</a>, for Internet searches and general knowledge, and <a href="https://www.claude.ai">Claude</a>, which I find excellent for ideation and exploring topics.  </p><p>I use so many different utility and single-function apps that I can&#8217;t list them all.  Some of the MVPs are: </p><p><a href="https://www.jibapps.com/apps/trashme3/">TrashMe</a> to remove apps and files from my Mac permanently.  Dragging and dropping an app into the trash can (the Apple-recommended method) leaves orphaned files and folders scattered across the entire file system.  TrashMe gets them all.</p><p><a href="https://cleanshot.com/">CleanShot X</a> is the best app for screenshots and recordings. <a href="https://apps.apple.com/us/app/amphetamine/id937984704?mt=12">Amphetamine</a> is a small utility that keeps your machine from going to sleep. If you know, you know.</p><p>And I use many more, but you&#8217;re no longer reading at this point.</p><div><hr></div><h4>Sign Off</h4><p>Thanks for sticking around another year!  I can&#8217;t promise the newsletter will be great, but it probably can&#8217;t get worse.</p><p>See you next Tuesday.</p><p>Matt</p><p>&#8220;YOU WILL REGRET THINGS YOU DO NOT DO MORE THAN THE THINGS YOU DO.&#8221;</p><p>Published every Tuesday, Threats Without Borders offers original commentary and educational pieces related to cybercrime investigations and information security topics. We also summarize and comment on news articles concerning active threat intelligence for the financial industry. 
The newsletter interests everyone tasked with cybersecurity or involved in preventing or investigating technology-enabled fraud, theft, or money laundering.</p><p>Legal: I am not compensated by any entity for writing this newsletter. Obviously, anything written in this space is my own nonsensical opinions and doesn&#8217;t represent the official viewpoint of my employer or any associated organization. 
Blame me, not them.</p><p></p>]]></content:encoded></item><item><title><![CDATA[Threats Without Borders - Issue 267]]></title><description><![CDATA[Cyber Financial Crime Investigation Newsletter, week ending December 28, 2025]]></description><link>https://www.threatswithoutborders.com/p/threats-without-borders-issue-267</link><guid isPermaLink="false">https://www.threatswithoutborders.com/p/threats-without-borders-issue-267</guid><dc:creator><![CDATA[Matt Dotts]]></dc:creator><pubDate>Tue, 30 Dec 2025 13:27:53 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!gnGB!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fec11d95e-ced3-4599-874c-6076838cd6ca_800x600.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>I recently saw a social media post in which a young woman mentioned her earnings from Sugar Sites. How sweet!</p><p>Let&#8217;s start from the beginning: What is &#8220;Sugaring&#8221;?</p><p>Sugar dating is a relationship arrangement in which one person, often referred to as a &#8220;sugar daddy&#8221; or &#8220;sugar mommy,&#8221; provides financial support, gifts, or other benefits to another person, known as a &#8220;sugar baby,&#8221; in exchange for companionship, which can range from casual dating, to a single instance of sex, to regularly scheduled encounters. These arrangements are often facilitated through specialized websites and apps designed to connect potential sugar daddies/mommies with sugar babies.</p><p>Sounds like prostitution to me. Let&#8217;s check: Prostitution -- The act of exchanging sex or intimate companionship for financial compensation. </p><p>Yep. Checks out.</p><p>Unfortunately, we&#8217;ve reached a point in society where shame and stigma no longer exist. 
One of the most popular sugar sites, Sugarbook, uses the tagline &#8220;Where Romance Meets Finance.&#8221;</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!AgMx!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F68826df0-823a-46c2-9646-b9c6bfd586cd_1424x704.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!AgMx!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F68826df0-823a-46c2-9646-b9c6bfd586cd_1424x704.jpeg 424w, https://substackcdn.com/image/fetch/$s_!AgMx!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F68826df0-823a-46c2-9646-b9c6bfd586cd_1424x704.jpeg 848w, https://substackcdn.com/image/fetch/$s_!AgMx!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F68826df0-823a-46c2-9646-b9c6bfd586cd_1424x704.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!AgMx!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F68826df0-823a-46c2-9646-b9c6bfd586cd_1424x704.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!AgMx!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F68826df0-823a-46c2-9646-b9c6bfd586cd_1424x704.jpeg" width="1424" height="704" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/68826df0-823a-46c2-9646-b9c6bfd586cd_1424x704.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:704,&quot;width&quot;:1424,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:102790,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/jpeg&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://www.threatswithoutborders.com/i/182858367?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F68826df0-823a-46c2-9646-b9c6bfd586cd_1424x704.jpeg&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!AgMx!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F68826df0-823a-46c2-9646-b9c6bfd586cd_1424x704.jpeg 424w, https://substackcdn.com/image/fetch/$s_!AgMx!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F68826df0-823a-46c2-9646-b9c6bfd586cd_1424x704.jpeg 848w, https://substackcdn.com/image/fetch/$s_!AgMx!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F68826df0-823a-46c2-9646-b9c6bfd586cd_1424x704.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!AgMx!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F68826df0-823a-46c2-9646-b9c6bfd586cd_1424x704.jpeg 1456w" sizes="100vw" fetchpriority="high"></picture></div></a></figure></div><p>So yeah, there are many morally compromised people on these sites, which creates the perfect environment for fraud.</p><p>Scammers exploit the sugar dating model by targeting those looking for companionship or financial help. They begin with fake profiles, using attractive photos and persuasive bios to attract potential sugar babies or daddies. Often, they pretend to be wealthy and generous daddies offering significant financial support, or desirable sugar babies with the physical attractiveness seen only in the modeling industry.  </p><p>Here are some common tactics used by scammers in the sugar-dating world:</p><ul><li><p>Advance Fee Fraud: The scammer promises to send money or gifts but first asks the victim to pay a fee, such as a processing fee, customs fee, or a payment to verify their identity. 
Once the fee is paid, the scammer disappears. Yes, gift cards are the preferred currency.</p></li><li><p>Phishing for Personal Information: Scammers ask for personal information, including banking details, Social Security numbers, or other personal data under the guise of setting up direct deposits or verifying identity. This information is then used for identity theft or sold in criminal markets.</p></li><li><p>Money Laundering: Scammers ask sugar babies to receive funds and then transfer them to another account, making the sugar baby an unwitting participant in money laundering activities. AKA Money Mule!</p></li><li><p>Romance Scams: Scammers exploit the emotional aspect of sugar dating by faking a romantic interest to gain trust. Once trust is established, they concoct stories about financial emergencies, asking for money to cover medical bills, legal fees, or travel expenses.</p></li></ul><p>This goes both ways&#8230; scammers impersonate the daddies and mommies to scam the babies, and scammers impersonate the babies to scam the daddies.</p><p>And most of this crime never gets reported to law enforcement. How do you explain why you were meeting people through one of these websites?  </p><p>Oh, that&#8217;s right, they were seeking to hire a &#8220;personal assistant&#8221;.</p><div><hr></div><h4>The News&#8230;</h4><p>At any given point, 50% of mobile devices connected to the Internet are running outdated versions of their operating system - Zimperium Mobile Threat Report.  <a href="https://lp.zimperium.com/hubfs/Reports/2025%20Global%20Mobile%20Threat%20Report.pdf?hsLang=en">https://lp.zimperium.com/hubfs/Reports/2025%20Global%20Mobile%20Threat%20Report.pdf?hsLang=en</a></p><p>The SEC accused multiple crypto trading platforms and investment clubs of defrauding US retail investors of more than $14 million via a social media scam. These platforms falsely claimed to be government-licensed and promoted fake Security Token Offerings.  
<a href="https://www.sec.gov/files/litigation/complaints/2025/comp-pr2025-144.pdf">https://www.sec.gov/files/litigation/complaints/2025/comp-pr2025-144.pdf</a></p><p>The U.S. government seized the &#8216;web3adspanels.org&#8217; domain used by cybercriminals to host stolen bank login credentials. The FBI identified at least 19 victims in the U.S., with attempted losses of $28 million and actual losses of $14.6 million.  <a href="https://www.justice.gov/usao-ndga/pr/justice-department-announces-seizure-stolen-password-database-used-bank-account">https://www.justice.gov/usao-ndga/pr/justice-department-announces-seizure-stolen-password-database-used-bank-account</a></p><p>Flare explores how cybercriminals exploit cryptocurrency for illegal activities and how investigators can track them. Of course, readers of Tw/oB already know all of this! <a href="https://flare.io/learn/resources/blog/investigating-cybercrime-crypto-underground/">https://flare.io/learn/resources/blog/investigating-cybercrime-crypto-underground/</a></p><p>Aflac disclosed a data breach affecting 22.65 million people, exposing personal information, including Social Security numbers and health data. The breach may be linked to a cybercriminal organization known as &#8220;Scattered Spider,&#8221; which targets the insurance industry.   <a href="https://techcrunch.com/2025/12/23/us-insurance-giant-aflac-says-hackers-stole-personal-and-health-data-of-22-6-million-people/">https://techcrunch.com/2025/12/23/us-insurance-giant-aflac-says-hackers-stole-personal-and-health-data-of-22-6-million-people/</a></p><div><hr></div><h4>DFIR</h4><p>Flashpoint notes an 800% increase in credential theft since early 2025, which has compromised over 1.8 billion accounts. 
The article details three key tactics threat actors use to bypass security defenses: manipulating Windows&#8217; Mark of the Web protection through drag-and-drop social engineering, exploiting vulnerabilities in trusted processes like Chrome, and targeting less-secure alternative software with weaker protections.  <a href="https://flashpoint.io/blog/the-infostealer-gateway-uncovering-latest-methods-defense-evasion/">https://flashpoint.io/blog/the-infostealer-gateway-uncovering-latest-methods-defense-evasion/</a></p><div><hr></div><h4>Cool Tool</h4><p>Elcomsoft makes several of its forensic tools free to download and use.  <a href="https://www.elcomsoft.com/news/873.html">https://www.elcomsoft.com/news/873.html</a></p><p>The official release of Parrot OS 7 is available for download.  <a href="https://parrot.sh/blog/2025-12-24-parrot-7.0-release-notes/">https://parrot.sh/blog/2025-12-24-parrot-7.0-release-notes/</a></p><h4>Cool Job</h4><p>Global Financial Crimes Training Officer, Morgan Stanley.  <a href="https://morganstanley.eightfold.ai/careers/job?domain=morganstanley.com&amp;pid=549785402892&amp;src=JB-10147">https://morganstanley.eightfold.ai/careers/job?domain=morganstanley.com&amp;pid=549785402892&amp;src=JB-10147</a></p><div><hr></div><p>Feedback: matt (at) threatswithoutborders.com </p><div><hr></div><h4>Irrelevant</h4><p>It&#8217;s been a while since I did this, and with the year ending, it&#8217;s the perfect time for an app review. 
Which applications have made it to my mobile device&#8217;s homescreen in 2025?</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!tAuk!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8d62450f-4d13-4be0-8e30-ea72ef8ab95e_1170x2532.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!tAuk!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8d62450f-4d13-4be0-8e30-ea72ef8ab95e_1170x2532.png 424w, https://substackcdn.com/image/fetch/$s_!tAuk!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8d62450f-4d13-4be0-8e30-ea72ef8ab95e_1170x2532.png 848w, https://substackcdn.com/image/fetch/$s_!tAuk!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8d62450f-4d13-4be0-8e30-ea72ef8ab95e_1170x2532.png 1272w, https://substackcdn.com/image/fetch/$s_!tAuk!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8d62450f-4d13-4be0-8e30-ea72ef8ab95e_1170x2532.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!tAuk!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8d62450f-4d13-4be0-8e30-ea72ef8ab95e_1170x2532.png" width="1170" height="2532" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/8d62450f-4d13-4be0-8e30-ea72ef8ab95e_1170x2532.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:2532,&quot;width&quot;:1170,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:3408442,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.threatswithoutborders.com/i/182858367?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8d62450f-4d13-4be0-8e30-ea72ef8ab95e_1170x2532.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!tAuk!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8d62450f-4d13-4be0-8e30-ea72ef8ab95e_1170x2532.png 424w, https://substackcdn.com/image/fetch/$s_!tAuk!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8d62450f-4d13-4be0-8e30-ea72ef8ab95e_1170x2532.png 848w, https://substackcdn.com/image/fetch/$s_!tAuk!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8d62450f-4d13-4be0-8e30-ea72ef8ab95e_1170x2532.png 1272w, https://substackcdn.com/image/fetch/$s_!tAuk!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8d62450f-4d13-4be0-8e30-ea72ef8ab95e_1170x2532.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><p><strong>From the top - Left to Right</strong></p><p>Settings - Mandatory</p><p>Photos - Of course</p><p>Clock - I need to wake up in the morning</p><p>Bible App - I try to be a good person</p><p>Coinbase - Someday my Shib boat will come in!  I currently own 28 crypto assets, and I&#8217;ve found that Coinbase is the best brokerage for managing them.</p><p>SoFi - I needed a separate bank account to keep my crypto activity separate from my main financial accounts, so I opened one with SoFi.  It&#8217;s been a really good experience, and they&#8217;re allegedly releasing a cryptocurrency exchange as part of their standard service.</p><p>Ring - Home surveillance. 
If you come to my home, you will be surveilled.</p><p>Substack - Obvious</p><p>LastPass - Yes, they had a little security issue, but it&#8217;s a great password manager, and I think probably one of the most secure at this point.  What&#8217;s the safest airline to fly on? The one that just had a failure.</p><p>Weather - I need to know how to dress for the day</p><p>Bear is my preferred note app. There really isn&#8217;t a better choice if you&#8217;re committed to the Apple ecosystem. It offers a beautiful and seamless experience. While Apple Notes is improving, it still lacks the polish and customization that Bear provides. Using Bear makes me happy.</p><p>Brave is the best web browser for security and privacy.  Not as integrated as Safari, but I&#8217;ll sacrifice some functionality for privacy.</p><p>Proton Mail - A great privacy-based and free email service</p><p>Spotify - I never thought I&#8217;d pay for music, but my youngest son gave me a 3-month subscription as a gift, and I&#8217;ve never looked back.  It&#8217;s a really great experience, and the AI DJ is spot on (most of the time).</p><p>Things is a really well-done task management app made exclusively for Apple products.  It&#8217;s how I GSD.</p><p>Waze - I&#8217;d literally be lost without it.  It blows my mind that an app this good is still free. It makes all the other travel routing apps look childish. It&#8217;s earned my trust to the point that when it tells me to divert from my initial route, I do it. Even if I already know where I&#8217;m going.</p><p>Snapchat - My kids won&#8217;t answer my phone calls, but a Snap gets an immediate response.</p><p>DraftKings - I like to throw my money away. I am going to start extorting NFL players: pay me 100 per week, or I&#8217;ll include you in my parlay, which guarantees you will not score a TD.</p><p>Instagram - A good way to keep up with family and friends.  Reels can suck me in, though, and I have to watch not to get caught up in doom scrolling.  
I&#8217;ve literally lost hours.</p><p>Signal - Please use this as your encrypted messaging application.  </p><p>Dunkin Donuts - Every day.  I currently have 2029 reward points.  I probably spend way too much money on coffee.</p><p>Calendar - My schedule can be hectic, so I need to know where I should be and at what time. I also use a Blue Sky paper calendar because I prefer to see my entire schedule laid out at once. I find that maintaining two calendars - one digital and one analog - keeps me more focused and responsible.</p><p>HearMax app - Pro Tip for young police officers: when they tell you to wear hearing protection at the range, wear it - and those little foam plugs don&#8217;t count.  Hearing loss sucks.  Wearing hearing aids sucks. Protect your hearing.</p><p>ReSound app - See above.  I have hearing loss-induced tinnitus, so I hear a high-frequency white noise in my left ear 24/7.  This app offers different sounds to provide some relief.  I listen to crickets.  Yep, crickets chirp at the same frequency as my tinnitus, so sometimes when you&#8217;re talking to me, I&#8217;m literally hearing crickets.</p><p>Next week, I&#8217;ll review my favorite Mac apps.</p><div><hr></div><h4>Sign Off</h4><p>Thank you for your loyalty to the newsletter in 2025. I understand there&#8217;s a lot of competition for your attention, and I don&#8217;t take it for granted that you&#8217;ll return here every Tuesday. </p><p>Wishing you all a happy New Year and even greater success than you can imagine. 2026.</p><p>Matt</p><p>&#8220;An optimist stays up until midnight to see the new year in. A pessimist stays up to make sure the old year leaves.&#8221; <em>&#8212;Bill Vaughan</em></p><div><hr></div><p>Published every Tuesday, Threats Without Borders offers original commentary and educational pieces related to cybercrime investigations and information security topics. We also summarize and comment on news articles concerning active threat intelligence for the financial industry. 
The newsletter interests everyone tasked with cybersecurity or involved in preventing or investigating technology-enabled fraud, theft, or money laundering.</p><p>Legal: I am not compensated by any entity for writing this newsletter. Obviously, anything written in this space is my own nonsensical opinions and doesn&#8217;t represent the official viewpoint of my employer or any associated organization. 
Blame me, not them.</p>]]></content:encoded></item><item><title><![CDATA[Threats Without Borders - Issue 266]]></title><description><![CDATA[Cybercrime Investigation Newsletter, Week ending December 21, 2025]]></description><link>https://www.threatswithoutborders.com/p/threats-without-borders-issue-266</link><guid isPermaLink="false">https://www.threatswithoutborders.com/p/threats-without-borders-issue-266</guid><dc:creator><![CDATA[Matt Dotts]]></dc:creator><pubDate>Tue, 23 Dec 2025 10:42:20 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!gnGB!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fec11d95e-ced3-4599-874c-6076838cd6ca_800x600.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>While every day someone new appears online self-proclaiming themselves as a rockstar, warrior, or champion in the fight against cyber fraud, Gary Warner continues to crush it without flair, pomp, or circumstance, just as he has for years.  </p><p>This week, he absolutely slayed the Financial Times and their new documentary highlighting (allegedly) the extent of cybercrime victimization. 
</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!oxjG!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8f3766b5-3c1b-46a5-839e-d3765f854e61_972x2058.jpeg" data-component-name="Image2ToDOM"><img src="https://substackcdn.com/image/fetch/$s_!oxjG!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8f3766b5-3c1b-46a5-839e-d3765f854e61_972x2058.jpeg" width="972" height="2058" alt=""></a></figure></div><p>Wouldn&#8217;t you love to have been in the room when the writers, producers, and executives of this documentary read Gary&#8217;s breakdown of the actual numbers?  Of course, they were probably too exhausted from the congratulatory backslapping to actually comprehend their own destruction.</p><p>Yes, I know, you shouldn&#8217;t throw out the baby with the bathwater.  Just because the math is fuzzy doesn&#8217;t mean the rest of the documentary is worthless.  </p><p>Maybe, but I think I&#8217;ll stick with Gary.  And you probably should too.</p><div><hr></div><h4>Internet searches are not private - at least not in Pennsylvania</h4><p>The Pennsylvania Supreme Court in Commonwealth v. Kurtz ruled that basic Google searches are not protected by Fourth Amendment or state privacy rights. 
The court upheld the use of a &#8220;reverse keyword warrant&#8221; that helped police identify and convict a suspect in a 2018 kidnapping and rape case. Applying the &#8220;third-party doctrine,&#8221; the court said users who search on Google without privacy tools share their queries with the company and accept the risk of law enforcement access. The ruling covers only &#8220;general, unprotected internet use,&#8221; however, and leaves room for stronger privacy claims where VPNs or private browsing are used. </p><p>Here is the actual decision: <a href="https://www.pacourts.us/assets/opinions/SUPREME/out/J-36A-2024oajc%20-%20106611829340009817.pdf">https://www.pacourts.us/assets/opinions/SUPREME/out/J-36A-2024oajc%20-%20106611829340009817.pdf</a></p><p>And the obligatory opinion by Prof. Kerr: <a href="https://reason.com/volokh/2025/12/16/are-there-fourth-amendment-rights-in-google-search-terms/">https://reason.com/volokh/2025/12/16/are-there-fourth-amendment-rights-in-google-search-terms/</a></p><div><hr></div><h4>Mail</h4><p><em>My wife and I thought there was a marching band competition our first time to Nashville.  Sadly, we found it was only the kids drumming on buckets.  Thanks for the laugh.</em>  - KP</p><p><em>Matt, congratulations on your first trip to Smashville.  It&#8217;s a great place.  You can go back in August to attend the IAFCI training conference.</em>  - AG</p><div><hr></div><h4>The News&#8230;</h4><p>Last week, I spoke to a local civic group and told them about a time when I threatened a bank official with arrest because they let an eighty-nine-year-old leave with nine thousand dollars in cash, which she immediately sent via FedEx to another state. Now, as THE bank official, I see things differently. Here is a case where an elderly woman from New York lost her entire $700,000 life savings to a complex scam that started in August 2023, after false pop-up warnings claimed her accounts were hacked. 
Over nine months, scammers persuaded her to make unusual withdrawals and wire transfers, claiming it was to protect her funds by converting them to gold, including $275,000 from Merrill Lynch, $150,000 from TD Bank, and over $100,000 from UBS. Her family has filed a lawsuit against the banks for negligence, stating they failed to flag suspicious activity despite her never withdrawing more than $5,000 in over 30 years.  <a href="https://www.forbes.com/sites/steveweisman/2025/12/21/elderly-woman-loses-700000--to-scam-banks-accused-of-ignoring-red-flags/">https://www.forbes.com/sites/steveweisman/2025/12/21/elderly-woman-loses-700000--to-scam-banks-accused-of-ignoring-red-flags/</a></p><p>This Splunk blog examines over 213 million domain registrations from 2023-2025 to show how cybercriminals quickly set up fraudulent infrastructure in response to current events. The study highlights three main patterns: natural disasters like the 2025 LA Palisades Fire lead to immediate increases in fake donation and relief sites; cryptocurrency events, such as Bitcoin reaching all-time highs, result in significant fraud activity with lasting effects like financial grooming scams; and financial instability, especially due to insurance rate hikes in 2024, prompts waves of phishing domains. The research reveals that attackers frequently capitalize on public attention during crises, with malicious domains often appearing within hours of major events. This suggests that defenders can anticipate emerging threats by monitoring new domain registrations containing relevant keywords and suspicious features during ongoing events.  <a href="https://www.splunk.com/en_us/blog/security/insights-from-domain-registration-trends.html">https://www.splunk.com/en_us/blog/security/insights-from-domain-registration-trends.html</a></p><p>Attackers are using advanced phishing kits that directly target authentication flows, bypassing MFA and enabling real-time session theft. 
These kits are marketed based on capabilities rather than specific tools, reflecting a mature ecosystem. Phishing infrastructure is now cloud-native and Kubernetes-backed, allowing for rapid scaling and high availability. Flare shows us how these phish kits work.  <a href="https://flare.io/learn/resources/blog/phishing-kits-an-interactive-deepdive/">https://flare.io/learn/resources/blog/phishing-kits-an-interactive-deepdive/</a></p><p>Malwarebytes breaks down a phishing campaign that uses a purchase order as bait.  <a href="https://www.malwarebytes.com/blog/threat-intel/2025/12/inside-a-purchase-order-pdf-phishing-campaign">https://www.malwarebytes.com/blog/threat-intel/2025/12/inside-a-purchase-order-pdf-phishing-campaign</a></p><p>The Social Searcher blog offers strategies for turning real names into usernames.  <a href="https://www.social-searcher.com/2025/12/12/how-to-find-social-accounts-by-real-name-the-reverse-strategy/">https://www.social-searcher.com/2025/12/12/how-to-find-social-accounts-by-real-name-the-reverse-strategy/</a></p><p>Two Maryland men have pleaded guilty to conspiring in a money-laundering scheme involving more than $11 million. The conspiracy, which began in 2021, involved wire fraud proceeds laundered through shell companies and encrypted communications.  <a href="https://thebaynet.com/maryland-men-plead-guilty-in-multi-million-dollar-money-laundering-conspiracy/">https://thebaynet.com/maryland-men-plead-guilty-in-multi-million-dollar-money-laundering-conspiracy/</a></p><p>A coordinated cybercrime crackdown across 19 African countries resulted in 574 arrests and the recovery of approximately USD 3 million in illicit funds. The operation targeted business email compromise (BEC), digital extortion, and ransomware, taking down over 6,000 malicious links and decrypting six ransomware variants. And they&#8217;ll all be back online within 48 hours.  
<a href="https://www.interpol.int/fr/Actualites-et-evenements/Actualites/2025/574-arrests-and-USD-3-million-recovered-in-coordinated-cybercrime-operation-across-Africa">https://www.interpol.int/fr/Actualites-et-evenements/Actualites/2025/574-arrests-and-USD-3-million-recovered-in-coordinated-cybercrime-operation-across-Africa</a></p><div><hr></div><h4>DFIR</h4><p>Cofense highlights how threat actors leverage built-in Windows features, such as registry keys and scheduled tasks, to establish and maintain persistence of malware, ensuring continued access to compromised systems. Recognizing these persistence techniques is essential for detecting and preventing attackers from maintaining long-term access.  <a href="https://cofense.com/blog/windows-persistence-explained-techniques,-risks,-and-what-defenders-should-know">https://cofense.com/blog/windows-persistence-explained-techniques,-risks,-and-what-defenders-should-know</a></p><div><hr></div><h4>Cool Tool</h4><p>Insta OSINT - <a href="https://github.com/banaxou/hostagram">https://github.com/banaxou/hostagram</a></p><p>Keep track of all the gift cards you get this week.  <a href="https://www.cardlyai.app/">https://www.cardlyai.app/</a></p><p>See if a domain is on the dmarc blacklist.  <a href="https://dmarcly.com/tools/blacklist-checker">https://dmarcly.com/tools/blacklist-checker</a></p><h4>Cool Job</h4><p>Manager of Law Enforcement Response, xAI.  <a href="https://job-boards.greenhouse.io/xai/jobs/4959528007">https://job-boards.greenhouse.io/xai/jobs/4959528007</a></p><div><hr></div><h4>Irrelevant</h4><p>Breaking news: the U.S. Government has banned all foreign-made drone and UAV parts, including those from DJI.  Existing stock is exempt, so that drone gathering dust in your closet&#8212;perhaps unused for years&#8212;has suddenly skyrocketed in value.  
</p><p><a href="https://edition.cnn.com/2025/12/23/business/us-ban-foreign-drones-dji-intl-hnk">https://edition.cnn.com/2025/12/23/business/us-ban-foreign-drones-dji-intl-hnk</a></p><div><hr></div><h4>Sign Off</h4><p>Welcome new subscribers.  Old subscribers, thank you for returning.</p><p>I wish you all a Merry Christmas and hope for nothing but the best for you and your families this holiday season!</p><p>Take it easy on the egg-nog and I&#8217;ll see you all next Tuesday.</p><p>Matt</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!awEP!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9873fcdb-6bcd-41c7-8bed-1cd7ffc2f4ed_1374x1260.jpeg" data-component-name="Image2ToDOM"><img src="https://substackcdn.com/image/fetch/$s_!awEP!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9873fcdb-6bcd-41c7-8bed-1cd7ffc2f4ed_1374x1260.jpeg" width="1374" height="1260" alt="" loading="lazy"></a></figure></div><p>Published every Tuesday, Threats Without Borders offers original commentary and educational pieces related to cybercrime investigations and information security topics. We also summarize and comment on news articles concerning active threat intelligence for the financial industry. 
The newsletter interests everyone tasked with cybersecurity or involved in preventing or investigating technology-enabled fraud, theft, or money laundering.</p><p>Legal: I am not compensated by any entity for writing this newsletter. Obviously, anything written in this space is my own nonsensical opinions and doesn&#8217;t represent the official viewpoint of my employer or any associated organization. 
Blame me, not them.</p>]]></content:encoded></item><item><title><![CDATA[Threats Without Borders - Issue 265]]></title><description><![CDATA[Cybercrime Investigation Newsletter, week ending December 14, 2025]]></description><link>https://www.threatswithoutborders.com/p/threats-without-borders-issue-265</link><guid isPermaLink="false">https://www.threatswithoutborders.com/p/threats-without-borders-issue-265</guid><dc:creator><![CDATA[Matt Dotts]]></dc:creator><pubDate>Tue, 16 Dec 2025 10:29:53 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!mgLA!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F276fb87b-98c5-42c6-be9d-8b068eeaacc7_1768x948.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>Last week, I began a series about the use of cryptocurrency in cybercrime and concluded with an introduction to tools that hinder blockchain investigators. As often occurs, another publication published a timely article that supports exactly what I was explaining and likely did so more effectively. But first, let&#8217;s examine two tools employed by those trying to obscure their cryptocurrency activities.  </p><p>A cryptocurrency mixer is typically a decentralized protocol, meaning no single company or operator controls it. Instead, multiple users participate in one large shared transaction. Each participant deposits cryptocurrency simultaneously, and the pool combines all the funds. 
The user then receives the same amount back from a different output, making it impossible to link the incoming wallet to the outgoing one.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!mgLA!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F276fb87b-98c5-42c6-be9d-8b068eeaacc7_1768x948.jpeg" data-component-name="Image2ToDOM"><img src="https://substackcdn.com/image/fetch/$s_!mgLA!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F276fb87b-98c5-42c6-be9d-8b068eeaacc7_1768x948.jpeg" width="1456" height="781" alt=""></a></figure></div><p>Conversely, a tumbler is usually a centralized service operated by a single entity. Criminals send their funds to the tumbler&#8217;s wallet, which holds the funds, breaks them into smaller parts, delays them, and then gradually returns the funds using new addresses. Tumblers act as intermediaries, while mixers resemble a group activity that anonymizes all participants.</p><p>In both cases, their purpose is to erase the clear investigative trail showing the source and destination of illicit cryptocurrency. The aim isn&#8217;t to halt the money but to obscure the record.</p><p>Criminals send illegal funds into these systems to hide their original source. 
After mixing or tumbling, they receive &#8220;clean&#8221; funds that seem to come from a random place on the blockchain, rather than a criminal wallet.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!eL6P!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbf66165f-cebb-43a8-b8ad-1e164e512504_1762x508.jpeg" data-component-name="Image2ToDOM"><img src="https://substackcdn.com/image/fetch/$s_!eL6P!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbf66165f-cebb-43a8-b8ad-1e164e512504_1762x508.jpeg" width="1456" height="420" alt=""></a></figure></div><p>Fortunately for investigators, these services often leave prominent digital footprints. A typical wallet shows predictable activity&#8212;money occasionally goes in and out. But a mixer or tumbler wallet resembles chaos: it receives numerous deposits from unrelated users and makes many rapid payments in various amounts. It also charges a small fee, which provides another clue.</p><p>Using blockchain analytics tools, investigators can identify these patterns and connect wallets to mixing or tumbling services. These tools cluster addresses, spot unusual money flows, and flag transactions that seem artificially engineered.</p><p>Even when criminals use these services, they eventually want to convert their funds into real-world value. This is where investigations often succeed.</p><p>A key weak point is the off-ramp. 
Eventually, mixed funds land in a cryptocurrency exchange, where they&#8217;re converted into dollars, euros, or stablecoins. Regulated exchanges collect customer information under Know Your Customer rules. Tracking the funds from the mixer to an exchange allows investigators to subpoena the platform and reveal the true identity behind the wallet.</p><p>Statistical de-mixing also helps: analysis of timing, transfer amounts, delays, and routing patterns can link outputs back to inputs. Although mixers try to break direct links, advanced analysis can often reconstruct likely connections with high confidence.</p><p>While mixers and tumblers make tracking individual transactions more difficult, they don&#8217;t make the money invisible. Instead, they create a chaotic pattern&#8212;one that investigators can recognize. By analyzing these patterns and focusing on how criminals eventually use their &#8220;cleaned&#8221; coins, investigators can trace the wallet back to a real person. Cryptocurrency isn&#8217;t an escape hatch for criminals; it&#8217;s a trail they inevitably leave behind.</p><p>Yohan Yun published an article in Cointelegraph just in time for this week&#8217;s issue, profiling cryptocurrency security experts who act as &#8220;onchain detectives&#8221;. These investigators trace stolen funds across blockchain networks, often working under pseudonyms like ZachXBT and 0xSaiyanGod. They use open-source tools and informal networks to track hackers and draining operations. 
Operating in &#8220;war rooms&#8221; formed immediately after breaches, they combine blockchain forensics with human intelligence to follow the money trail before it vanishes through mixers and bridges.</p><p>The article is titled &#8220;Meet the Onchain Crypto Detectives Fighting Crime Better than Cops.&#8221;</p><p>Yes, they do.</p><p><a href="https://cointelegraph.com/magazine/meet-crypto-sleuths-fighting-crime-better-than-the-cops/">https://cointelegraph.com/magazine/meet-crypto-sleuths-fighting-crime-better-than-the-cops/</a></p><div><hr></div><h4>The News&#8230;</h4><p>FinCEN issued a report revealing that companies paid over $2.1 billion to ransomware groups across 4,194 incidents from January 2022 to December 2024, nearly matching the total for the previous nine years combined. Ransom payments peaked in 2023 at $1.1 billion&#8212;a 77% increase from 2022&#8212;with a median of $174,000, and then fell to $734 million in 2024 following law enforcement actions against major gangs such as ALPHV and LockBit. ALPHV/BlackCat was the most profitable, earning nearly $400 million, with LockBit at $252.4 million and Black Basta at $137.7 million. The top 10 ransomware variants accounted for $1.5 billion in payments. The 267 identified gangs mainly targeted financial, manufacturing, and healthcare sectors, with 97% of payments in Bitcoin, laundered through unregulated crypto exchanges. 
The report says the quiet part out loud: despite efforts like the Counter Ransomware Task Force, the threat remains high because most gangs operate from Russia and other countries that do not extradite their citizens, which complicates enforcement.  <a href="https://www.fincen.gov/system/files/2025-12/FTA-Ransomware.pdf">https://www.fincen.gov/system/files/2025-12/FTA-Ransomware.pdf</a></p><p>Malwarebytes describes a sophisticated phishing operation that uses free Cloudflare Pages hosting to create fake banking and insurance login portals, which steal not just passwords but also security-question answers to bypass multi-factor authentication. The attackers combine these free hosting services with compromised legitimate websites as redirectors (making phishing links appear more trustworthy) and send all stolen credentials directly to Telegram bots for immediate use, avoiding traditional command-and-control servers. <a href="https://www.malwarebytes.com/blog/news/2025/12/how-phishers-hide-banking-scams-behind-free-cloudflare-pages">https://www.malwarebytes.com/blog/news/2025/12/how-phishers-hide-banking-scams-behind-free-cloudflare-pages</a></p><p>Are you prepared for the RAMpocalypse? <a href="https://taoofmac.com/space/links/2025/12/05/1330">https://taoofmac.com/space/links/2025/12/05/1330</a></p><p>The Financial Action Task Force released new guidance and best practices to enhance efforts in recovering criminal assets. The guidance, covering topics from financial investigations to victim compensation, aims to disrupt criminal organizations by removing their financial motivation. <a href="https://www.fatf-gafi.org/en/publications/Methodsandtrends/asset-recovery-guidance-best-practices-2025.html">https://www.fatf-gafi.org/en/publications/Methodsandtrends/asset-recovery-guidance-best-practices-2025.html</a></p><p>A data breach at 700Credit is expected to affect 5.6 million people, exposing names, addresses, dates of birth, and Social Security numbers. 
The breach, yet to be attributed, involved data collected from dealers between May and October 2025. <a href="https://techcrunch.com/2025/12/12/data-breach-at-credit-check-giant-700credit-affects-at-least-5-6-million/">https://techcrunch.com/2025/12/12/data-breach-at-credit-check-giant-700credit-affects-at-least-5-6-million/</a></p><p>FalconFeeds is quickly becoming one of my favorite threat intelligence blogs. In this article, they describe how cybercrime localization has developed into a sophisticated, high-precision strategy where threat actors craft phishing and social engineering campaigns tailored to regional cultures, languages, and time zones, greatly increasing their chances of success. By using AI and large language models, cybercriminals can achieve linguistic accuracy and cultural relevance, helping them bypass conventional security measures and build human trust. This trend is fueled by clear ROI, with financially driven groups and state-sponsored entities deploying localized tactics to target key sectors, manipulate regional financial systems, and exploit holidays and political events. <a href="https://falconfeeds.io/blogs/cybercrime-localization-regional-targeting-evolution">https://falconfeeds.io/blogs/cybercrime-localization-regional-targeting-evolution</a></p><p>Be cautious when purchasing a subscription to an AI service. Cybercriminals are increasingly exploiting AI platforms such as ChatGPT, Perplexity, and Gemini by offering premium account access at heavily discounted prices on the Dark Web. These prices range from $6.99 to $59.99 for shared or upgraded accounts. They often use stolen credit cards or credentials from infostealer logs, frequently sold on underground markets, to acquire and resell these accounts for profit, with some offering a one-year Perplexity AI Pro subscription for as little as $9.99. 
The danger is not limited to financial loss; compromised AI accounts can also be exploited for phishing, malware creation, and data theft, particularly when linked with corporate systems. <a href="https://www.esentire.com/blog/hackers-are-celebrating-holidays-big-this-year">https://www.esentire.com/blog/hackers-are-celebrating-holidays-big-this-year</a></p><p>Google is shutting down its &#8220;Dark Web Report&#8221; service.  <a href="https://support.google.com/websearch/answer/16767242">https://support.google.com/websearch/answer/16767242</a></p><div><hr></div><h4>Send mail</h4><p>matt[@]threatswithoutborders[.]com</p><div><hr></div><h4>What could go wrong</h4><p>A privacy advocate, after 11 years fighting the FBI over National Security Letters demanding customer data from internet service providers, has introduced Phreeli. This new mobile carrier aims to provide anonymous cellular service accessible to all. Operating as an MVNO on T-Mobile&#8217;s infrastructure, Phreeli only requires a ZIP code for sign-up&#8212;the minimum personal info needed legally for taxes&#8212;while employing a scheme it calls &#8220;Double-Blind Armadillo&#8221;, based on zero-knowledge proofs, to verify payments without linking credit cards or identities to phone numbers. Users can pay via cryptocurrency or credit cards and select their privacy level, with options like eSIMs or Tor-hosted sites for maximum anonymity. </p><p>This is fine.  Everything is fine.  </p><p><a href="https://www.wired.com/story/new-anonymous-phone-carrier-sign-up-with-nothing-but-a-zip-code/">https://www.wired.com/story/new-anonymous-phone-carrier-sign-up-with-nothing-but-a-zip-code/</a></p><div><hr></div><h4>Cool Tools</h4><p>Ethereum storage analyzer <a href="https://slotscan.info/">https://slotscan.info/</a></p><p>The Beta version of ParrotSec 7 has been released.  
<a href="https://www.parrotsec.org/blog/2025-12-09-parrot-7.0-beta-release-notes/">https://www.parrotsec.org/blog/2025-12-09-parrot-7.0-beta-release-notes/</a></p><h4>Cool Job</h4><p>Director of Fraud Escalations - Q2.  <a href="https://q2ebanking.wd5.myworkdayjobs.com/en-US/Q2/job/Austin-TX/Director--Product-Security_REQ-11071">https://q2ebanking.wd5.myworkdayjobs.com/en-US/Q2/job/Austin-TX/Director--Product-Security_REQ-11071</a></p><p>Intelligence Analysts - MLB.  <a href="https://www.mlb.com/careers/opportunities?gh_jid=7362278">https://www.mlb.com/careers/opportunities?gh_jid=7362278</a></p><div><hr></div><h4>Irrelevant</h4><p>Cloudflare released its &#8220;2025 Year in Review&#8221; report. It&#8217;s always one of the best of the yearly reports, and this one is no exception. No, it&#8217;s exceptionally well done.  <a href="https://radar.cloudflare.com/year-in-review/2025">https://radar.cloudflare.com/year-in-review/2025</a></p><div><hr></div><h4>Sign Off</h4><p>I spent time in Nashville last week.  First time. I saw a show at the Grand Ole Opry, visited the Country Music Hall of Fame, saw the Predators beat up the St. Louis Blues, ate some BBQ, and had authentic Nashville hot chicken.  But what&#8217;s up with all the homeless people? Or &#8220;unsheltered&#8221;, as I was told they should be called.  And the kids on every street corner banging on buckets?  At first, it was impressive, but after a while, like 15 minutes, it just became noise pollution.  Otherwise, it was a fantastic trip, and I plan to return sooner rather than later.</p><p>Thanks for reading another issue.  See you all next Tuesday!</p><p>Matt</p><p>&#8220;START EVEN IF YOU DON&#8217;T KNOW HOW.&#8221;</p><div><hr></div><p>Published every Tuesday for over five years, Threats Without Borders offers original commentary and educational pieces related to cybercrime investigations and information security topics. 
We also summarize and comment on news articles concerning active threat intelligence for the financial industry. The newsletter is aimed at everyone tasked with cybersecurity or involved in preventing or investigating technology-enabled fraud, theft, or money laundering.</p><p>Legal: I am not compensated by any entity for writing this newsletter. Obviously, anything written in this space is my own nonsensical opinions and doesn&#8217;t represent the official viewpoint of my employer or any associated organization. Blame me, not them.</p><p>cybersecurity cyficrime AML osint financial crime fraud investigations</p>]]></content:encoded></item></channel></rss>