Threats Without Borders

Threats Without Borders - Issue 291

Matt Dotts — Tue, 16 Jun 2026 09:40:10 GMT

There’s a question that circulates endlessly through every fraud conference, LinkedIn threads, and panel discussions. What’s the biggest fraud threat facing organizations right now? You already know the answer, because it’s always the same answer, delivered with the same misplaced confidence, almost like a reflex. AI. Of course, it’s AI.

Nobody ever mentions the telephone. Which is how my organization and it’s customers get attacked multiple times every day. Yeah, the phone. Scammers are calling the business, pretending to be customers, and calling our customers to pretend to be the business. Classic social engineering, zero sophistication required, and highly effective.

And I pay attention enough to know that’s the correct answer for a lot of organizations, too. But the telephone doesn’t trend, so here we are.

Fine. Let’s say the answer is AI. The problem isn’t the answer, and it’s probably more correct than not. It’s what happens immediately afterward when someone asks the inevitable follow-up: Can you give me an example? Panic. What you usually get is something vague about phishing emails and voice cloning. Sure, but that’s not an answer so much as a category, and categories don’t hold up when someone actually pushes back.

Google recently filed a lawsuit against a Chinese cybercrime network operating under the name Outsider Enterprise, alleging the group used Google’s own Gemini AI to automate a phishing campaign at genuinely impressive scale. The network operated primarily through Telegram, offered phishing-as-a-service to other criminals, and provided nearly 300 ready-to-deploy templates along with instructions on how to use Gemini to generate convincing fake websites impersonating Google, YouTube, and the New York E-ZPass system, among others. Google identified roughly 9,000 fraudulent sites and over a million malicious URLs tied to the campaign. The group sent more than 2.5 million scam text messages to Android users.

And the FBI and its partners, including Google, just took the operation offline.

The lawsuit itself is worth a moment’s attention. Google isn’t the first to take this approach, as Microsoft, Cloudflare, and others have pursued civil litigation against cybercrime actors who abused their platforms. It’s an interesting strategy, and the practical ceiling is obvious. Bringing meaningful legal consequences against a criminal operating out of China, North Korea, or Russia is less a law-enforcement action and more a very expensive message. Whether anyone receives it is another question entirely.

So, the next time someone asks us to name the biggest fraud threat and expects us to perform the AI genuflection, we can do better than a generic response. Say Outsider Enterprise. Explain what they built, how they used it, and what it produced. Answer like someone who actually follows this space, not like someone who learned the buzzword and stopped there.

Read the complaint here: https://fingfx.thomsonreuters.com/gfx/legaldocs/byvrdoelzve/GOOGLE%20SCAMMER%20LAWSUIT%20outsidercomplaint.pdf

It’s really well written and worth your time to read. Among other nuggets, on page 20, they explain the process for bypassing MFA.

Ok… let’s go!

At least 13 federal agencies work on countering scams and each one largely works independent of the others. Eight of these agencies receive complaints about scams, which can lead to confusion and frustration for Americans who want to report a scam. For example, an American who has been targeted by a tax-related scam could potentially report the scam to the FBI’s internet crimes website, the Federal Trade Commission’s fraud reporting website, the IRS’s tax fraud and scams reporting website, or by contacting the Treasury Inspector General for Tax Administration. The federal government needs a comprehensive, unified plan to deal with scams, and the American people deserve a clear, easy way to report scams and get connected with help.

U.S. Senators Hassan from Florida and Scott from Florida introduced the “reportscams.gov Act” which aims to consolidate the fraud-fighting efforts of the federal government. https://www.hassan.senate.gov/imo/media/doc/reportscamsgovonepager.pdf

The News

This question is being asked more often and with greater urgency—are anti-money laundering (AML) efforts justifiable given their costs? AML frameworks face increased criticism for high compliance costs, generating unused data, raising privacy concerns, and lacking clear evidence of effectiveness in preventing illicit transactions. Recent studies indicate that high compliance rates do not always correlate with reduced illegal activity. In this article, the authors examine the future of AML efforts. https://www.theregreview.org/2026/06/13/seminar-are-anti-money-laundering-regulations-effective-and-worth-the-cost/

Is this the end of “burner phones”? The FCC has proposed new rules intended to combat robocalls by requiring phone carriers to collect extensive personal data, including government ID, physical addresses, and alternative phone numbers, before activating service. https://docs.fcc.gov/public/attachments/DOC-421309A1.pdf

The FBI has initiated “Operation Riptide,” a nationwide effort to break down cybercrime networks by targeting the criminals, their infrastructure, and financial systems, especially following over $20 billion in losses from more than 1 million cybercrime complaints last year. https://www.fbi.gov/video-repository/operation-riptide-060926.mp4/view

An international law enforcement operation dismantled a popular money-laundering service known as ‘AudiA6’, believed to have laundered over EUR 336 million from 2022 to 2025. The service, associated with the ‘Dark2Web’ forum, was investigated by US and Polish authorities in collaboration with international partners. https://www.europol.europa.eu/media-press/newsroom/news/ransomware-gangs-cut-eur-336-million-audia6-crypto-laundering-pipeline

The Bank Policy Institute urged federal regulators to clarify oversight of stablecoin transactions after issuance. Current AML rules fail to adequately impose compliance obligations on DeFi firms, certain crypto custodians, and exchanges. https://www.pymnts.com/cpi-posts/banking-groups-pitch-anti-money-laundering-rules-for-stablecoins/

The U.S. government tells Anthropic to hit the brakes on their latest release. https://www.anthropic.com/news/fable-mythos-access

Feedback

Send Feedback to matt(at)threatswithoutborders.com

A vote that actually matters

A long time ago, I watched a guy turn a hotel room key card into a working Visa card. Before you shrug, this was well before card fraud became a punchline in every breach notification email and the fear of every ATM user. To a young detective freshly assigned to financial crimes, seeing this done was like watching magic.

That guy was Steve Lenderman. And now he’s running for President of the International Association of Financial Crime Investigators. Not the Delaware Valley Chapter, which he’s led for the past seven years. The whole organization.

Regular Tw/oB readers know my opinion on the IAFCI as an organization has been, well, complicated. That’s a diplomatic way of saying the past few years of leadership have been disappointing.

Which is exactly why this endorsement isn’t a formality. It’s a correction.

You’d be hard-pressed to find anyone more committed to fraud and financial crime prevention than Steve. He’s held leadership roles simultaneously in the IAFCI Delaware Valley Chapter, the Delaware chapter of ACFE, and the Delaware Fraud Working Group. That’s not resume padding, that’s someone who actually shows up.

I served as a Vice President under Steve for four of his seven years leading the Del-Val chapter. I can tell you firsthand that he is the embodiment of getting shit done. Not performative leadership. Not committee theater. Actual results.

IAFCI members receive ballots this week, including Steve’s full credentials. I’m not going to rehash them here.

What I will say is this: if five years of Threats Without Borders has earned me any credibility with you (there must be some reason you’re still reading), then take this for what it’s worth. The IAFCI needs forward-thinking and action-oriented leadership. I’m voting for Steve Lenderman. I hope you will, too.

dfir

The team at Unit 42 highlights a new macOS artifact, App.MenuItem, that logs user menu selections, providing granular data on user intent and actions across the operating system. https://unit42.paloaltonetworks.com/new-macos-artifact-discovered/

Share Threats Without Borders

Cool Jobs

Fraud Countermeasures Specialist - Veriff. https://www.veriff.com/careers/position/8590317002

Cool Tools

Remove the background from an image. https://www.remove.bg/

How loud is your workspace? In-browser decibel meter. https://noisedecibelmeter.com/

Irrelevant

Paul Graham explains how to become a billionaire (and why all these eat-the-rich politicians are so wrong). https://paulgraham.com/earn.html

Sign Off

I don’t understand ~~football~~ soccer. One of the happiest days of my early parenting was when my youngest son said he was done with it. Needless to say, I could not care less about the World Cup tournament. But I am completely enthralled with the abject glee of the foreign soccer fans currently visiting America to see the games. Everything from the beauty of our natural resources to the kindness of our people to the sheer excess of our eateries has created must-see social media content. A group of Norwegians tasting a brisket sandwich at Buc-ee's, or the Germans experiencing a Waffle House at 1 am, is absolutely heart-warming!

Matt

Published every Tuesday, Threats Without Borders offers original commentary and educational pieces related to cybercrime investigations and information security topics. We also summarize and comment on news articles concerning active threat intelligence for the financial industry. The newsletter interests everyone tasked with cybersecurity or involved in preventing or investigating technology-enabled fraud, theft, or money laundering.

Legal: I am not compensated by any entity for writing this newsletter. Obviously, anything written in this space is my own nonsensical opinions and doesn’t represent the official viewpoint of my employer or any associated organization. Blame me, not them.

Threats Without Borders - Issue 290

Matt Dotts — Tue, 09 Jun 2026 11:46:09 GMT

I want to give full credit to Jay Dubina for sparking my thoughts on this topic. He’s the first person I’ve heard delve into the idea of agentic AI commerce fraud to this extent. I’ve been aware of the concept, but I heard Jay discuss it last week, and he really brought it to life for me.

We know how to investigate cyber-fraud: Follow the money. Find the device. Put the bad guy behind the keyboard.

What happens when there’s no keyboard?

Agentic AI is here, and it’s changing how commerce works at a fundamental level. These aren’t chatbots answering questions, they’re autonomous systems with tools, stored credentials, and decision-making authority. You give them a goal and they execute it.

And so we’re all on the same page, an agent is “an autonomous software system powered by AI that can perceive its environment, make decisions, and execute multi-step tasks to achieve a specific goal without constant human intervention.”

Consider this. You tell your AI agent, “Buy me a battery-powered lawn mower. Budget is $500. Prioritize reviews, price, and shipping time. Deliver to my home address.” The agent searches, evaluates, selects, and purchases, all without you touching a browser. Two days later, a mower shows up at your door. You spent thirty seconds on a task that used to take hours.

It’s brilliantly useful. It’s also a fraud investigator’s nightmare.

Now run that same scenario with a stolen identity, a compromised credit card, and a drop address. The bad guy doesn’t search for anything. Doesn’t visit any merchant site. Doesn’t enter a single piece of payment data manually. He gives the agent an instruction and walks away. The agent does the rest, across ten stolen identities, simultaneously, without getting tired.

What does the merchant see? An API call, a billing address that matches the stolen card, a gift shipping address. The transaction looks clean in isolation. The velocity looks odd across accounts, but individually? Nothing flags.

But eventually the cardholder recognizes the fraud and files a report. So you open an investigation.

The communication chain runs like this: actor > agent > merchant API > payment processor > fulfillment. Every hop is a potential evidence gap. The merchant has a transaction record. The payment processor has an authorization. The shipping carrier has a delivery scan. And what nobody has is an idea of what the agent platform logs, what they retain, and what legal framework applies when you ask for it.

Is an AI agent platform an Internet service provider? A bank? A phone carrier? A search engine? The search warrant process hasn’t caught up to the question. And some platforms are built privacy-forward by design, which means the logs you need may not exist at all.

Even if you get the logs, you have a new attribution problem. You can prove the agent made the purchase. But can you prove that the human gave the instruction? The session that initiated the task might be behind a residential proxy. Might be a stolen session token. Might be another automated layer entirely.

The bad guys’ defense writes itself: “I didn’t choose those items. I didn’t enter that payment data. Maybe the system did that, but it wasn’t me.”

Technically? They’re not wrong.

The investigative frameworks we have were built around one assumption: a human made each decision in a transaction. Agentic AI destroys that assumption completely. Yes, a human may have “set it off,” but what exactly is “it”? How much control did the human actually have once the agent took the wheel?

It’s probably good we start talking about this because the future is here.

The News

Maybe (probably not) I’ll have to start suggesting older adults look at Android again…Google’s June Android update introduces improved scam detection features aimed at fighting AI-driven impersonation and deepfake voice scams. This new system, available on Android 12 and above, requires users to install Google’s Phone, Contacts, and Messages apps to verify incoming calls from contacts. If a call appears to be spoofed via an online relay, the user will receive an alert. https://arstechnica.com/gadgets/2026/06/google-announces-deepfake-call-detection-for-android-new-airdrop-device-support/

You’ll be hard-pressed to name a group that provides a better threat intelligence write-up than the team at Flare. In this article, they profile a new stealer malware: “For $40 and a tutorial video, anyone can deploy a fully functional information stealer with credential harvesting, screen capture, Wi-Fi password extraction, file collection, persistence installation, and remote access, all controlled through a Telegram bot. KeyCat is a Python-based, multi-platform infostealer and remote access toolkit targeting both Windows and Linux environments.” https://flare.io/learn/resources/blog/keycat-stealer-multi-platform-infostealer

Yes, passkeys are better security. Yes, most people reject using them. Microsoft is forcing the issue and will no longer provide codes through SMS. https://support.microsoft.com/en-us/accounts-billing/manage/microsoft-to-stop-sending-sms-codes-for-personal-accounts

Here's an interesting statistic for your next dinner party: between 10% and 20% of all domains registered in 2025 were created by cybercriminals. Even on the lower end, that means there are approximately 8.5 million malicious domains available for criminal activity. Great reporting by Interisle. https://static1.squarespace.com/static/63dbf2b9075aa2535887e365/t/6a20724a659b821142b48388/1780511306582/FullReport_MaliciousRegistrationsintheDomainNameMarket_2026_rev.pdf

Proving there is no floor to the prospect of insider threats, this Pennsylvania government employee threw away her job and reputation over $6,000. https://www.wtaj.com/crime/former-rush-township-employee-facing-forgery-charge-after-stealing-6k/

A North Carolina man was sentenced to 121 months in prison for selling lists of elderly Americans’ personal information to Jamaican lottery fraud scammers. His lists were so good that his pseudonym, “Steve Dixon,” became synonymous with the scam, to the point that it was dropped in rap music. It is alleged he earned over $5.2 million from the scheme, which victimized over seven million elderly Americans and resulted in losses exceeding $9.5 million. https://www.justice.gov/opa/pr/fraudster-who-sold-personal-information-over-7-million-elderly-americans-jamaican-scammers

Troy Hunt believes the data breach disclosure lag is worse than ever. And he’s the authority on the issue. https://www.troyhunt.com/1000-data-breaches-later-the-disclosure-lag-is-worse-than-ever/

FinCEN has issued a warning to banks to look out for “red flags” suggesting payroll schemes involving individuals living illegally in the country. This marks an important step in the Trump administration’s immigration enforcement. After President Trump signed an executive order in May, which instructs regulators to check the citizenship status of bank customers without making it mandatory to collect such data, the advisory highlights more than twelve signs of identity theft, payroll tax fraud, and money laundering associated with unauthorized workers. https://www.fincen.gov/system/files/2026-06/FinCEN-Advisory-Non-Work-Authorized-Populations.pdf

The FBI released an unserious "Most Wanted Fraudster” list. While the individuals included are certainly deserving, not a single politician made the list. Which politician? Any of them, I suppose. https://www.fbi.gov/wanted/most-wanted-fraudsters

Feedback

Hey Matt, saw in Issue 286 where you asked the rhetorical question “how do you leverage your existing network to find a new job without broadcasting to your current employer that you’re looking to leave. Any additional insights on that? - Keith

For context, that question was part of a larger conversation, and I wasn’t asking for myself (in case my current employer might be reading this). But, no, Keith, I don’t have any additional ideas. It’s a valid question—what’s the point of having a big social media network if you can’t leverage it? Except when you're already unemployed. Let’s try an experiment: someone who is employed should activate their “open to work” banner and report back the results.

Send Feedback to matt(at)threatswithoutborders.com

dfir

Andrea Fortune examines a study tracking hired crime and intelligence analysts at a UK law enforcement agency over three interview periods: at six, twelve, and eighteen months. A total of sixty-three interviews were conducted. These analysts handled cases involving sexual assault, homicide, and serious crimes, frequently reviewing investigative reports, interview transcripts, recordings, and crime scene or autopsy images. The findings indicate that their mental health declined as expected. https://andreafortuna.org/2026/06/05/dfir-analyst-psychological-impact/

Share Threats Without Borders

Cool Jobs

Director of Fraud Risk Oversight, Fidelity. https://jobs.fidelity.com/en/jobs/2125543/director-fraud-risk-oversight/

Technology Services Specialist, Hershey Entertainment and Resorts. https://hersheypa.rec.pro.ukg.net/HER1020HERS/JobBoard/035cdc57-c54b-48c9-8c4d-f30e022675e5/OpportunityDetail?opportunityId=9a55dff5-4337-4489-93af-e8ff0a4f93b3

Cool Tools

Supported in-flight Wi-Fi portals expose a flight manifest. CabinLink uses it to show your location, altitude, speed, and how long until you land. It keeps working when the cabin signal does not. (I have not personally used this app, but it looks cool.) https://www.vishrutjha.com/cabinlink

Long for the days of Windows 95? Want to get nostalgic about MacOS Puma? This emulator has over 1700 operating systems pre-loaded and ready to run. https://virtualosmuseum.org/

Irrelevant

Statistics show many parolees are sent back to prison for “technical parole violations,” not committing new crimes. But a closer examination reveals they are committing new crimes, yet are sent back to prison for the TPV and never charged for the new offenses. Why? The authors of the study conclude:

The candid answer: it’s faster, easier, and more likely to pay off for prosecutors to send someone back to prison through a parole-violation hearing rather than through the courts. The parole hearing is held before representatives of the parole board, without any need to seat a jury, and the standard of proof is lower (“preponderance of the evidence,” not “beyond a reasonable doubt”).

Sign Off

I received a lot of feedback over the last few weeks, especially about the editorial and the term “touch grass.” I can’t take credit for that, but I do subscribe to it. I spent my past Saturday outside, pretty much doing nothing but sitting in a chair, looking at trees, grass, and animals, and feeling the sun. I’m still a nutcase, but for that day, at least, it was a small dose of peace. And it felt good.

And I hope you all find some of it during your week.

Matt

Threats Without Borders - Issue 289

Matt Dotts — Tue, 02 Jun 2026 10:02:57 GMT

Although paper documents used for the promise of financial payment date back to the Romans, the invention of the pre-printed consumer check with serial numbers is credited to an English banker in 1762. Fraudulent checks probably started appearing three days later.

And here we are, 264 years in the future, still fighting check fraud, and it might even be a worse problem than it ever has been.

At least three of the talks I heard at the BSides Harrisburg cybersecurity conference last week prominently discussed mental health and the need for self-care. It’s not being selfish or being fragile. It’s necessary to keep you fit for the job, which ultimately makes you more effective.

The cybersecurity field is getting really good at talking about this. And demanding management recognizes it and provides resources for it. Coming together as a community and saying, “ Hey, we’re going to make mental health wellness part of our group identity.

Fraud - not so much. In fact, I feel like it’s gotten worse. A recurring mantra shared at conferences and shouted across social media of “mount up fraud fighters and get locked-the-fuck-in because THIS is the year we take it to the fraudsters!”

So everyone gets hyped, puts on their armor, works 58 hours a week for months, only to get absolutely steamrolled by the bad guys. And you all end up right back at disappointment and burnout.

Because the lack of diligence, knowledge, and hard work is not the problem. It’s a resource problem and a human psychology problem.

Remember the old fraud triangle? Three elements come together to create a situation of fraud: Opportunity, Rationalization, and Pressure. Well, there are a hell of lot of people out there with the pressure to get money, our societal decay and low moral standards make it easy to rationalize criminality, and the Internet - oh, the great facilitator - is giving more and more people the opportunity every day.

I spent twelve of my twenty-four-year law enforcement career in the criminal investigation room with a case docket. And guess what, I never got to Casleoad 0. Regardless of how much overtime I worked, or how many birthdays and kids’ sporting events I missed to “get caught up”. And for what? So I could determine that some ass-hole in Romania stole some files from a company in Pennsylvania. Well, the company didn’t get their files back, the suspect is still in Romania, and I missed making memories with my kids. Duplicate this story dozens and dozens of times. Ask my wife, she spent a lot of time as a single mother.

The reality is that macro-level fraud is essentially unsolvable, so stop thinking you’re going to be the one to do it.

We are never going to work hard enough to expel all the adversaries. Like weeds in the garden, no matter how many we pull, there will be more next week.

Listen up, and don’t hear what I’m not saying. Yes, we should be working hard, continuously training, and accepting every effort to learn. Absolutely, go to fraud conferences to get recharged and socialized. Post your catchy slogans to LinkedIn. Get yourself locked in and down for the effort.

But remember, we’re not going to solve this problem. You’re going to have three more cases Monday morning, whether you work Saturday or not.

Prioritize your well-being by taking a mental health day, visiting the park with your kids, enjoying a nice dinner with your spouse, or spending a few days digging your toes in the sand.

Take a break. Or as the kids like to say, touch earth.

The fraud will be there when you return.

The News

This article is not interesting because of the subject itself but because of how the author analyzed the probable cause affidavit written by the charging investigator. Sometimes, we overlook this aspect in the name of “probable cause," but we often provide suspects with details that improve their chances of not getting caught. This results in us only catching the” low-hanging fruit” and inadvertently empowering the more dangerous individuals. https://arstechnica.com/tech-policy/2026/05/fbi-easily-nabs-man-selling-sexy-deepfakes-who-used-his-own-photo-in-profile/

US law enforcement and intelligence agencies are increasingly labeling dissent against artificial intelligence and data centers as “anti-tech extremism,”. Yeah, well, I don’t want a 24/7 data center in my backyard and I’m certainly not an anti-tech extremist. https://www.wired.com/story/us-law-enforcement-warns-of-anti-tech-extremism/

A Google employee has been charged with fraud for allegedly using insider information to profit $1.2 million from bets on Polymarket. https://www.cnbc.com/2026/05/27/google-employee-polymarket-insider-trading.html

Microsoft is not happy that several vulnerability researchers have released reports on bugs and exploits in Microsoft systems without first giving the compani’s PR teams time ~~to spin the news~~ , err, to create a patch. https://www.microsoft.com/en-us/msrc/blog/2026/05/a-shared-responsibility-protecting-customers-through-coordinated-vulnerability-disclosure

Attackers are abusing the shared content features of AI chatbot platforms like ChatGPT and Claude to deliver malware by hosting malicious pages on trusted domains such as `chatgpt.com` and `claude.ai`, effectively bypassing standard URL reputation checks. https://pushsecurity.com/blog/llmshare-malvertising-campaign

Researchers from Unit 42 are recognizing a significant shift in the cyber extortion landscape, in which threat actors are increasingly abandoning ransomware encryption in favor of pure data theft and extortion, a trend driven by improved organizational backup capabilities and the severe financial leverage of modern regulatory frameworks like GDPR and SEC disclosure rules. This “data-only” approach has surged, with incidents rising from 2% in 2020 to 15% in 2025, particularly targeting mid-sized firms in healthcare, professional services, and construction, where the average cost of a breach now exceeds $5 million. https://unit42.paloaltonetworks.com/cyber-extortion-economy/

The Supreme Court will soon decide the legality of geofence warrants. It heard arguments in Chatrie v. United States, a case about geofence warrants and Fourth Amendment privacy concerns. Tech Policy Press fellow Jake Laperruque discussed the case with Michael Price from the Fourth Amendment Center. https://www.techpolicy.press/whats-at-stake-in-chatrie-v-united-states/

Feedback

“I agree with your take that most of us would probably pay the ransom, but I think you missed an important caveat. At this point, the business isn’t making the decision; the insurance company is, or at least an attorney and a bean counter working for the insurance company is. The business owner makes that single phone call, and it’s on autopilot from there. Incident response team, ransom negotiator, legal, finance — it’s all pre-packaged. It is now standard for attackers to demand insurance documents to prove the payment limits before they lower their demands.” - Jack B.

Send Feedback to matt(at)threatswithoutborders.com

No subscription fees, no ads, no paid product placements. Free, for real. How about helping the newsletter grow? Share it with your network.

Share Threats Without Borders

DFIR

The digital forensics lab at Neumann University (just outside Philadelphia) led by Prof. Joe Walsh is winning at everything. Fantastic experience for students and actually helping law enforcement solve crimes. Awesome work, Joe.

To date, that team has assisted in 988 cases across 64 departments and agencies since the center’s inception in May 2024, including 424 forensic investigations of digital devices and 528 incidents of real-time crime.

https://www.govtech.com/education/higher-ed/neumann-university-helps-law-enforcement-with-digital-forensics

Cool Jobs

Sr. Manager of Cybersecurity, Washington Commanders Football. https://www.teamworkonline.com/football-jobs/washington-commanders-jobs/washington-commanders-jobs/cyber-security-sr-manager-2161458

Cool Tools

Chrome, Edge, Brave, Vivaldi, and Helium are all browsers built on Chromium. This site tests to ensure your browser of choice is built on the most up-to-date version of Chromium. https://chromiumchecker.com/

Network investigations toolbox. https://robtex.com/

Irrelevant

The Costco theory of the Internet. https://www.joanwestenberg.com/the-costco-theory-of-the-internet/

Just under the wire…

Published just in time to make this issue, David Maimon traces how the online fake document economy has evolved from the centralized, physical-forgeries marketplace of the Silk Road period (2011–2017) to an automated, AI-powered process accessible to anyone with a browser. The current “AI Era” has removed the last obstacle by employing generative AI to produce synthetic faces and evade liveness checks, rendering the entire fraud cycle, from identity creation to verification, completely automated. https://resources.sentilink.com/blog/the-evolution-of-the-online-fake-document-economy

Sign Off

They informed me that the attendance at the BSides Harrisburg Cybersecurity Conference this year was lower than usual, but I couldn’t tell. The rooms appeared packed, at least during the morning sessions. However, attendance at the presentations significantly declined in the afternoon, which was disappointing and something I never quite comprehend. Why pay to attend an event only to spend half of the day there? If I ever organize a conference, I’ll definitely schedule the most anticipated speaker at 3 p.m.

It was wonderful to meet so many readers and reconnect with those I’ve known.

Matt

Threats Without Borders - Issue 288

Matt Dotts — Tue, 26 May 2026 10:06:16 GMT

Plausible Diligence: Why Instructure paid the ransom, and you would too!

I give a talk called “DARVO: The Psychological Manipulation of Ransomware Victims”. If you’ve seen it, you know the basic thesis is that ransomware actors are not just technical adversaries. They are expert manipulators who understand pressure, timing, and human psychology better than most Fortune 500 marketing teams.

When ransomware group ShinyHunters attacked Instructure, the maker of Canvas used by almost every K-12 and higher education institution, and Instructure paid the ransom, the internet responded as expected. Security “experts” jumped on X and piously voiced their concerns, law enforcement officials anxiously wrung their hands and expressed curt disapproval, and countless others posted their opinions on blogs and news sites about why paying the ransom was such a bad idea.

And almost all of them were written by people who have never had to make that decision.

The anti-ransom crowd occupies a particularly comfortable perch. They’re mostly law enforcement administration, government agencies, security vendors, and journalists. People whose jobs don’t end if the data gets leaked. People who don’t have to look shareholders, school boards, or parents in the eye the next morning.

Instructure paid. And you probably would too.

ShinyHunters breached Instructure’s systems in late April 2026, exploiting a vulnerability in the Free-for-Teacher version of Canvas. They walked out with 3.65 terabytes of data, including names, email addresses, student ID numbers, course enrollments, and private messages between students and teachers. Records on roughly 275 million individuals across nearly 9,000 schools.

And this is not Instructure’s first visit to the octagon with this particular crew. ShinyHunters had already compromised Instructure through social engineering back in September 2025. A different system, and a different method, same attackers. Same company getting hit twice inside of eight months. Ouch.

But for now, let’s talk about what makes this case different from your standard corporate ransomware incident. What makes this one harder. What cranks the pressure up to a level that changes the decision calculus entirely.

It’s the kids.

There is a psychological dimension to ransomware targeting that doesn’t get discussed enough outside my talk. These groups are not randomly opportunistic. They pick timing the way surgeons pick incisions. ShinyHunters hit Instructure at the end of the academic year, during final exams, during AP testing season. Canvas went dark for thousands of colleges, universities, and K-12 schools at the exact moment those schools needed it most. That’s not an accident.

And the data! Private messages between students and teachers. Not just names and email addresses which are bad enough. Actual Messages. The kind of information that, if leaked, doesn’t just cause embarrassment. It causes real harm to children who cannot protect themselves, who didn’t choose to be in this system, and who had no say in whether their school used Canvas or not.

Ask the Minneapolis Public Schools district how this plays. They got hit in 2023. The attackers eventually released the data. It included psychological evaluations of students. Abuse documentation. It was a catastrophe measured in human damage, not just data records. Law enforcement “investigated”. No ransomware actor went to prison for it. No administrator held responsible. No family got their child’s records back.

There is no cavalry coming. Check me on that. Law enforcement might call you back. If your organization is important enough, someone might show up and deliver some nicely worded victim care. Your incident response firm is just there to put the pieces back together. Neither will recover your data. Neither will stop the leak. When you are staring down a countdown clock and the data on that clock belongs to other people’s children, the abstraction of “don’t reward criminals” has a hard time competing with the concrete reality of what happens if you don’t.

I hold Instructure responsible for being compromised. Absolutely. Not once, but twice, by the same group. That’s not bad luck; that’s a systemic failure in security posture. The first breach in September 2025 should have been a wake-up call. It apparently wasn’t, or wasn’t loud enough. Being compromised twice by the same threat actor in eight months is a process and leadership problem, not a technology problem. That’s on them.

But the payment? No hate there. That’s a business decision made under extraordinary pressure by people who had to live with the consequences. If you were sitting in that CEO chair, with 275 million records on the table and a countdown clock ticking down during finals week at 9,000 schools.

But here’s the part nobody wants to say out loud. The part that’s been quietly driving corporate ransom decisions for years, while the security industry pretends otherwise.

Paying the ransom buys something that isn’t data recovery or system restoration. It buys documentation. It buys a paper trail. It buys what I’m calling “plausible diligence”.

Most of us have experience with plausible deniability. The art of having enough distance to say “don’t blame me, I didn’t know.” Plausible diligence is its corporate cousin. It’s having enough documentation to say “Don’t blame us, we tried our hardest.” It is the deliberate practice of checking every box, engaging every vendor, exhausting every option, and generating a paper trail of effort , so that when the thing fails anyway, the failure attaches to circumstances rather than to negligence.

Yes, Instructure paid the ransom. In exchange, they received, per their own statement, the return of the stolen data and “digital confirmation of data destruction.” They were also informed that none of their customers would be separately extorted. They said they believed “it was important to take every step within our control to give customers additional peace of mind.”

“Every step is within our control”, think about that.

That is not a security statement, it’s a legal statement. That is the founding sentence of a liability defense.

When the lawsuits come, and they will come, because 275 million records across 9,000 schools is not a quiet incident, Instructure’s lawyers will walk into that courtroom and say: we detected the breach, we contained it, we engaged expert forensic vendors, we negotiated to recover the data, we obtained confirmation of destruction, and we notified our customers. “We did everything. The criminals lied to us. Blame them.”

Fully understand that the data is still out there. That’s how this works. ShinyHunters doesn’t actually delete anything, or, if they do, another group with a different name and the same data surfaces six months later. The “confirmation of destruction” is not a guarantee any serious security professional believes. Instructure’s own statement acknowledged there is “never complete certainty when dealing with cyber criminals.”

They paid anyway. Because plausible diligence isn’t about what actually happens to the data. It’s about what you can document you did about it.

Instructure did what cornered organizations do. They paid for something real, protection from immediate harm, and something less real but arguably more important: a documented record of having tried everything. A paper trail of effort that says, to regulators, to plaintiffs, to school boards and parents and lawyers, “Don’t blame us. We paid for an assurance and received documentation of its destruction.

That’s not justice, it’s not good security policy, but it’s how the game is actually played.

Until we fix the conditions that create the game, such as inadequate security investment by business leadership, the complete vacuum of real government response, and the absence of consequences for attackers, companies will keep playing it.

Paying the ransom makes the problem worse. But I’d probably pay it. And you would too!

News…

First… the Verizon DBIR was released. I didn’t miss it. There just isn’t room in this issue for me to talk about. Come back next week.

This report by HPE Threat Labs claims it studied 44.5 million connection attempts from 372,800 unique IP addresses and determined that the “top threat actor country by IP count” was… drumroll… the United States. Wait what? Are you saying the number-one source of criminal intrusion attempts is the United States? I must be misunderstanding that. Or they are only claiming that most threat actors are exiting from nodes based here in the states. https://www.hpe.com/psnow/doc/a50014950enw

Cofense details how attackers are using Zoom-themed phishing emails to trick victims into installing ConnectWise ScreenConnect. https://cofense.com/blog/click-install-compromised-the-new-wave-of-zoom-themed-attacks

Apple claims to have prevented 2.2 billion dollars in potentially fraudulent transactions through the App Store and deactivated 40.4 million accounts for fraud and abuse. https://9to5mac.com/2026/05/20/apple-gives-update-on-the-app-store-and-its-key-protections/

The FBI has issued an advisory warning about Kali365, a “Phishing-as-a-Service” platform distributed via Telegram that enables attackers to compromise Microsoft 365 accounts by capturing OAuth tokens instead of stealing passwords. The tool delivers AI-generated phishing lures that impersonate trusted services such as Adobe and SharePoint, tricking users into authorizing malicious device sessions on legitimate Microsoft login pages. https://therecord.media/fbi-warns-of-kali365-phishing-attacks

Feedback

Send Feedback to matt(at)threatswithoutborders.com

Bookmark this so you don’t have to keep asking for it on some email listserv - Bank Identification Number (BIN) search. https://binlist.net/

Irrelevant

Top 100 valued Bitcoin wallets. https://bitinfocharts.com/top-100-richest-bitcoin-addresses.html

Sign Off

The BSides Harrisburg 2026 conference is happening this Friday, May 26th, at the Farm Show Complex in Harrisburg. This marks my fourth year volunteering and my third year as a room emcee.

Please find me in the Track 1 room and say hi. I’ll be the person on stage introducing speakers and gently cutting them off if they go over time. Despite how stressed I might look, meeting TWoB readers is always a top priority for me. Please come and introduce yourself.

And tickets are still available. https://www.bsideshbg.com/

Matt

Threats Without Borders - Issue 287

Matt Dotts — Tue, 19 May 2026 10:07:03 GMT

Few individuals in our niche have the credibility to publish opinion pieces through major news organizations like Fox. David Maimon is one.

In this piece, he details how hostile state actors, including Iran, North Korea, Russia, and China, are systematically exploiting the US banking and employment systems by leveraging fraud infrastructure sourced from the dark web. His team has observed that these nations purchase stolen identity components, such as Social Security numbers and compromised bank credentials, to create synthetic identities and shell companies that bypass traditional compliance checks and sanctions screenings.

By routing transactions through correspondent banks with limited transparency and employing domestic US facilitators to conceal foreign IT workers or carry out financial grooming scams, these adversaries effectively funnel billions of dollars into the US financial system and infiltrate sensitive institutions. He emphasizes that current detection methods often fall short because the fraudulent entities look legitimate on paper, using forged documents and complex corporate structures to hide the true state-sponsored operators.

https://www.foxnews.com/opinion/adversaries-even-using-us-banking-system-heres-get-away

Can they make this any easier?

I’ve discussed this before, probably ad nauseam. But the bad guys are endlessly abusing the Payroll Protection Program (PPP) loans database. The pointy-head bureaucrat who decided this information should be made public should be made to sit in a dunk tank in the lobby of the IAFCI International conference.

And if they couldn’t make the database any easier to navigate, someone turned it into an interactive map. Awesome.

https://www.ppploanmap.com/

The News

A BitLocker bypass vulnerability was discovered. You must have physical access to the device, and it only works on Windows 11 machines. https://github.com/Nightmare-Eclipse/YellowKey

Tech-Support attacks are increasingly using the Quick Assistant tool, which is installed on Windows 10 and 11. Thomas Miller of TrustedSec shows how to identify and respond to attacks using this tool. https://trustedsec.com/blog/slamming-the-door-on-quick-assist-tech-support-scams-and-abuse

Capital One takes an offensive position by filing a federal lawsuit in Virginia against unidentified operators behind large-scale robocall scams. The bank accuses them of trademark infringement by misusing its and Discover’s names in deceptive impersonation schemes. Using civil litigation enables the bank to leverage the discovery process to identify these scammers and dismantle their operations. This strategy, increasingly employed by major tech companies, aims to supplement traditional law enforcement efforts. https://www.cnbc.com/2026/05/13/capital-one-lawsuit.html

Meta introduces Incognito Chat with Meta AI on WhatsApp and the Meta AI app, offering a fully private AI interaction. These conversations occur in a secure environment that Meta cannot access, and they are set to disappear automatically. https://about.fb.com/news/2026/05/incognito-chat-whatsapp-meta-ai/

The Dutch police have turned to shaming, and I’m completely onboard. The “Game Over?!” campaign, publicly named 100 of the country’s most wanted scammers, which led to the identification of 74 suspects. During this campaign, fraudsters were given a two-week period to surrender voluntarily while their blurred images were displayed; after the deadline, the police unblurred the faces on social media and billboards, prompting 34 individuals to turn themselves in and helping identify 40 more through over 500 public tips. The effort focused on scams targeting the elderly, like bank helpdesk impersonation and fake police visits. It reached nearly 90 million people on social media and has led to 38 interrogations and 6 arrests, with investigators noting that the average age of suspects is only 22. https://www.theregister.com/cyber-crime/2026/05/18/dutch-cops-shame-games-nets-74-wanted-fraudsters/5241980

Proofpoint launches a managed service provider (MSP) unit, which they are calling Proofpoint 365. No. https://www.proofpoint.com/us/newsroom/press-releases/proofpoint-launches-dedicated-msp-business-unit-and-introduces-365-total

A 25-year-old former Penn State student and auxiliary police officer, has been held on $2 million bail after being charged with felony computer crimes involving the unauthorized manipulation of police dispatch systems containing sensitive personal and criminal data. https://www.centredaily.com/news/local/crime/article315752921.html

OpenAI released Daybreak, its AI-powered cybersecurity and vulnerability management platform. https://openai.com/daybreak/

Feedback

Send Feedback to matt(at)threatswithoutborders.com

dfir

It appears that files synced to iCloud Drive are now stripped of their metadata. https://eclecticlight.co/2026/05/11/does-icloud-drive-now-lose-almost-all-metadata/

No subscriptions, no ads, no paid product promotions. Some issues better than others.

Share Threats Without Borders

Cool Jobs

IT Security Analyst - Baltimore Orioles Baseball Club. https://www.teamworkonline.com/baseball-jobs/orioles-jobs/baltimore-orioles-jobs/it-security-analyst-2169873

Director of Information Security - Penn Community Bank. https://penncommunitybank.wd501.myworkdayjobs.com/ExternalCareers/job/Bristol-PA/Director-of-Information-Security--ISO-_R-100099

Cool Tools

Python tool that digs deep for email addresses and usernames across hundreds of online resources. https://github.com/kaifcodec/user-scanner

Barcode reader. https://online-barcode-reader.inliteresearch.com/

What’s happening - right now? https://trends.google.com/trending?geo=US

Irrelevant

This guy keeps a running tab on Apple’s neglect of its base applications. As a longtime Mac user, I agree with all of this. Honestly, it’s pretty bad. Am I switching to Windows? Hell no. But if someone can get me a clean install of Linux on my M4 Mac Air, I’m gone. https://taoofmac.com/space/blog/2026/05/18/1320

Sign Off

Welcome, new subscribers! There’s always pressure after we gather a load of new subs, and I always feel like I’m letting everyone down. The newsletter gets hyped at an event, people subscribe, and this is what they get! The product always looks better in the ad, I guess. But hopefully, enough of you stay around for next week.

It’s hot here in Central PA, and I know the Midwest has been raked by violent storms. Stay cool and safe!

Matt

“DON’T RUIN A GOOD TODAY BY THINKING ABOUT A BAD YESTERDAY. LET IT GO.”

Threats Without Borders - Issue 286

Matt Dotts — Tue, 12 May 2026 10:47:19 GMT

There’s a special kind of confidence that exists on LinkedIn. Someone shares an article with a dramatic headline, adds “Important read!” or “Everyone needs to see this,” and suddenly the post starts bouncing from connection to connection like a digital game of phone-a-friend.

And this week, I almost fell for it myself.

One of my connections shared a post from a well-known anti-fraud organization that is usually pretty solid. Buried inside was a link to an article about how cybercriminals are using AI to craft scams and phishing attacks. On the surface, it sounded reasonable as AI is being used by criminals. So I was about two clicks away from hitting the repost button myself.

But then I did something crazy, I read the article.

Not the headline. Not the summary. Not the one-line hot-take above the share. The actual article.

The piece was written by a company selling an AI detection product for fraud prevention. Their “research” conveniently supported the urgent need for the exact service they happen to sell. The article sprinkled in just enough truth to sound credible, then fired up the hype machine and drifted straight into panic-porn marketing.

It wasn’t education. It was advertising dressed up as analysis.

I’m sure the person who shared it trusted the person they got it from. And that person probably trusted their connection. By the time it reached my feed, it was basically a share of a share of a share of a share, with everyone assuming someone else had done the homework.

Nobody did, and this happens constantly on LinkedIn. Content becomes heavily nested through reposts, and eventually, the original source becomes little more than a decorative attachment. People aren’t evaluating the information anymore. They’re evaluating the social credibility of the person sharing it.

“If Bob gave it a red 100 emoji, it must be good.” Meanwhile, Bob read exactly three sentences and a bullet point.

That’s why I read every article I include in the newsletter. Including an article doesn’t mean I endorse it or the author. I don’t always agree with what’s written, and many times that’s exactly why I include it.

But at the very least, I can honestly say I read it to make sure it’s not complete trash before passing it on.

You would think that would be the standard in 2026, but here we are.

So the next time your favorite LinkedIn warrior shares an article with fifteen fire emojis and the phrase “So True!” take an extra minute before you hit repost. Open the article and read it.

If you want to read an actual article about the criminal use of AI: Dr. Ben Collier from the Center for Emerging Technology and Security at the Alan Turing Institute explores generative AI adoption in the criminal underground. https://cetas.turing.ac.uk/publications/cybercrime-vibercrime-assessing-generative-ai-adoption-criminal-underground

And sometimes…

That article posted to LinkedIn is gold! Steve Lenderman shared a link to a report on card fraud this week that turned out to be the best thing I’ve read in a while.

No, not that card fraud, the other card fraud. Counterfeit trading cards. Who knew an original Charizard was in such demand, or worth so much money???

The 2025 Card Fraud Report from collectible authentication company PSA is a must-read, if for nothing more than to broaden your view of the fraud landscape. For someone immersed in cyber fraud, the topic is fascinating. A whole different world.

https://downloads.ctfassets.net/l40e281thfxr/72ZJooe31lk9KGBklfQFOu/4a3bf368f91a364fad3ccc2eca077a17/PSA_Fraud-Report_2025.pdf

The News

An investigation uncovered “Department 4’ at Russia’s Bauman Moscow State Technical University, which allegedly acts as a secret recruitment hub for the GRU, Russia’s military intelligence. Masked as an elite academic program, it trains students in advanced cyberwarfare skills such as password hacking, virus creation, and physical espionage, with the GRU controlling admissions, tests, and the placement of graduates into notorious hacking groups. The leaked 2,000 documents reveal that talented students are spotted as early as secondary school and assigned to units responsible for major cyberattacks worldwide. This is essentially a “hacker factory’. https://www.bitdefender.com/en-us/blog/hotforsecurity/inside-department-4-russias-secret-school-for-hackers

This makes me smile. Kids are beating age verification checks by wearing fake mustaches! https://www.theregister.com/security/2026/05/04/kids-can-bypass-some-age-checks-with-a-drawn-on-mustache/5224601

Securonix Threat Research has uncovered a phishing campaign that targets over 80 organizations primarily in the US by exploiting legitimate Remote Monitoring and Management (RMM) tools. The attack begins with impersonation emails mimicking the U.S. Social Security Administration, directing victims to compromised Mexican websites to download a malicious executable disguised as a government document. https://www.securonix.com/blog/venomous-helper-phishing-campaign/

You’re Invited! Psyche, how about some victimization instead? Fake invitations delivered via e-greeting cards are compromising accounts. https://tidbits.com/2026/05/11/beware-greeting-card-scams-from-trusted-senders/

And of course, Instructure, also known as Canvas, got hit, again. I won't spend time discussing it; a quick Google search can provide more details or the latest update on your school's likely recovery timeline.

Feedback

Send Feedback to matt(at)threatswithoutborders.com

dfir

Andrea Fortuna examines the challenges of cloud forensics, in which digital evidence is spread across multiple jurisdictions worldwide, forming a “jurisdictional labyrinth” that our traditional investigative techniques don’t easily navigate. Legal systems are increasingly in conflict, as seen in the conflict between the U.S. CLOUD Act, which claims jurisdiction based on the provider, even if data is stored elsewhere, and the EU’s GDPR, which limits cross-border data transfers unless there are specific international agreements. https://andreafortuna.org/2026/05/06/cloud-forensics-jurisdictional-labyrinth/

Share Threats Without Borders

Cool Jobs

Fraud Manager, Everence Federal Credit Union. https://www.everence.com/about-everence/careers/current-positions/current-positions/2026/may/fraud-manager

Cool Tools

Has this image been edited? Use this to find out. https://imageedited.com/

Track flights from your desktop. https://flightradar.live/en/

Find a blog to follow. https://blogosphere.app/

Irrelevant

Joan Westenberg argues that the modern outrage cycle is intentionally crafted as a business strategy to generate engagement through provoked anger. She suggests that high-intensity anger is the most effective way to drive viral content, transforming digital platforms into “slot machines” that deliver outrage to keep users engaged and advertising revenue flowing. The best safeguard, she proposes, is **procedural emotional resistance**: resisting the algorithm's emotional pull by asking who gains from your reaction and remembering that your attention is the actual product being sold. https://www.joanwestenberg.com/outrag/

Sign Off

I attended several events around a college graduation this weekend and heard multiple speakers emphasize the importance of “your network”. There’s plenty of advice on how to build connections with co-workers, colleagues, and like-minded professionals. However, what seems to be missing from most advice is how to leverage that network effectively, how to make it work for you. Once you’ve built your network, what should you do with it? That’s the real nugget.

For example, a large and active network is useful if you’re unemployed. It’s easy to contact colleagues and post on social media, saying, “Hey everyone, I need a job.” But what if you’re already employed but low-key seeking a new opportunity? How do you leverage your network then? You can’t exactly broadcast that you’re looking for a new job, nor is it wise to post “open to work” on LinkedIn. Well, you could, but it would be best to submit your resignation to your current employer along with such a post. Is a large network really only an insurance policy in the event you become unemployed?

Thanks for reading another week. See you next Tuesday.

Matt

Threats Without Borders - Issue 285

Matt Dotts — Tue, 05 May 2026 10:26:16 GMT

I’m frequently asked in my community presentations if PDFs are “safe” to open. As usual, my answer is something to the effect of “maybe”.

As the Q1 2026 Email Threats Landscapes Report from Microsoft details, PDFs are becoming one of the main malicious payloads for attackers, second only to HTML files

PDFs have become one of the most effective tools for the cybercriminal, not because they look dangerous, but because they look normal. We all use them every day! In most workplaces, PDFs are the default format for invoices, resumes, reports, and contracts. That familiarity creates trust, and attackers take full advantage of it.

But a PDF isn’t just a simple document. It’s a “rich” file format capable of running code, embedding other files, and interacting with users. That means a PDF can behave more like a small program than a static page.

Attackers exploit this in several ways, including embedded JavaScript that runs automatically when the file is opened. If the user’s PDF reader has a vulnerability, that script can attempt to exploit it and gain control of the system. In other situations, the PDF acts as a delivery mechanism, sometimes called a “dropper.” The file itself may appear harmless, but it triggers a download of malware from an external server once opened.

The most common method, however, isn’t a technical exploit; it’s simple visual deception. Examples include fake buttons, where a PDF displays a message like “This content is encrypted. Click here to decrypt.” Clicking the button redirects the user to a counterfeit login page (such as a spoofed Microsoft 365 portal) to steal credentials. Another method is the favorite tool of every marketer, URL shorteners. Malicious links are often concealed behind shortened URLs or legitimate-looking text to avoid detection by email security systems.

From a security standpoint, PDFs are difficult to detect and block for a few key reasons. First, attackers can hide or encrypt parts of the file, making it hard for email security tools to inspect the contents. Second, PDFs can be large and complex, and some systems limit how deeply they scan files to avoid slowing down email delivery.

The result is a perfect storm: a trusted file type, powerful built-in features, and technical complexity that challenges traditional defenses.

So, back to the question, is that PDF safe to open?

The default test for the everyday email users is, do you know the sender? But you need to consider that even a known sender might have a compromised account. The better test is, were you expecting the document? If not, use the phone and call the sender. Oh, and don’t call the contact number included in the email. You might be calling the bad guys!

Read the full Microsoft Report: https://www.microsoft.com/en-us/security/blog/2026/04/30/email-threat-landscape-q1-2026-trends-and-insights/

The News

Varonis Threat Labs discovered Bluekit, a phishing kit offering 40+ website templates, automated domain services, and add-ons, including AI assistants and voice cloning. While the platform is good, it’s not as good as promised. https://www.varonis.com/blog/bluekit

Scott Lang from Spur contends that relying solely on a single off-the-shelf fraud score to assess IP risk is restrictive. This approach tends to condense complex, multidimensional data into a static “black box” number that lacks necessary context and adaptability. He argues that security teams should focus on detailed IP intelligence features, such as data center locations, VPN links, and geographic discrepancies, to develop transparent and customizable risk models aligned with their specific organizational needs and risk tolerance. By moving away from a universal score towards a “glass box” methodology, organizations can make finer decisions, like initiating additional authentication steps or blocking traffic, based on genuine underlying signals rather than an opaque overall score. https://spur.us/blog/ip-risk-scoring-vs-ip-context

The FBI issued a PSA warning that cyber threat actors are impersonating legitimate businesses to hijack freight and steal high-value shipments. Since 2024, these actors have gained unauthorized access to computer systems, posing as victim companies and redirecting goods for resale. In 2025, estimated cargo theft losses in the United States and Canada surged to nearly $725 million. https://www.ic3.gov/PSA/2026/PSA260430

I’m more concerned about having my voice recorded in a permanent file, but these authors argue that patients should refuse consent for “AI” scribing tools in healthcare settings due to significant privacy risks, the potential for reduced openness during consultations, and the likelihood of automation bias leading to inaccurate medical records. They contend that charting is an essential part of the care process itself, and that replacing it with automated drafts degrades both immediate and long-term patient outcomes. https://buttondown.com/maiht3k/archive/why-you-should-refuse-to-let-your-doctor-record/

It’s Conference Season

I originally published this back in 2024, but since it’s conference season, let me remind you of the most terrible conference attendee – Conference Question Guy. And it’s always a guy.

Gotcha Guy attempts to put the speaker in a bad spot by asking a question about some obscure or little-known technical aspect of the speaker’s topic. The question’s intent isn’t to elicit more knowledge or spur conversation but to trick the speaker and make them look poor in front of the audience.

Test the Speaker’s Knowledge Guy, much like Gotcha Guy, this question asker is already knowledgeable about the topic and asks a question that he already knows the answer to. He’s a more benign version of Gotcha guy.

You can immediately spot Look How Smart I Am Guy as he’s on the edge of his seat the whole talk, and only an ounce of self-restraint is keeping him from stepping up on stage. His head is nodding or shaking throughout the entire talk, and he usually makes statements to those around him. His hand will be the first one up after the talk. His proposed question is usually a softball, but will be constructed to allow him to follow up with a more detailed and technical retort to demonstrate his mastery of the speaker’s topic.

While Mask Guy’s commitment to public health is admirable, no one can hear the question, including the speaker. The easy solution is just slightly to pull the mask down when asking the question, but since they don’t, they just come across as a virtue-signaling asshole.

Mansplaining Guy is a particularly dreadful species; the Mansplaining Guy targets female speakers and uses their questions as a way to lecture about a particular topic point he feels the speaker didn’t thoroughly explain or doesn’t completely understand.

Political Statement Guy usually wears the requisite noble cause t-shirt or some slogan buttons on his jacket. “How will this be interpreted by the [insert politician] government, considering their failure to…”, “Don’t you think this is all irrelevant, considering there are children dying on Côte d’Ivoire cocoa farms?“, “Isn’t this an assault on the 1^st Amendment?” “Have you seen any evidence that this might lead to the loss of the Arctic ice shelf…”, AHHHHHH – Please just stop.

Complain About My Employer Guy uses their question to passively-aggressively criticize their own employer or supervisor, framing it to get the speaker to agree with their assertion.

To clarify, speakers crave questions. There’s nothing worse than finishing your conference talk with “and now I’ll take any questions!” only to get blank stares and silence. Questions from your audience show they were listening to your words, and your ideas resonated, or at least got them thinking.

Please challenge your conference speakers, but do it for the right reasons.

Don’t be Conference Question Guy. Everyone hates that guy.

Feedback

Send Feedback to matt(at)threatswithoutborders.com

dfir

Steve Whalen from Sumuri digs into Mac metadata. https://sumuri.com/what-your-mac-forensic-tool-isnt-telling-you-about-metadata/

No subscription fees. No ads. No sponsored posts. Even the snark is free.

How about helping us grow?

Share Threats Without Borders

Cool Jobs

Director of Risk and Payment Options, BetMGM. https://betmgminc.wd5.myworkdayjobs.com/en-US/BetMGM/job/Director--Risk-and-Payments-Ops_JR100645

Cool Tools

Obtain the results from 100 different search engines with a single search: https://www.100searchengines.com/

Irrelevant

The end of an era…Jeve’s retires as Ask shuts down after 25 years. https://www.ask.com/

Sign Off

I've likely been the most persistent squeaky voice regarding the locations of the Keystone Connection conferences over the years—almost as much as my ongoing complaints about the event’s name. This year, however, Steve Lenderman and his team got it right, hosting the event at a fantastic venue in a prime location. And of course, I won't be able to attend due to other commitments.

Anyways…you should attend. And you still have time to register!

https://keystonekonnection.com/

Matt

Threats Without Borders - Issue 284

Matt Dotts — Tue, 28 Apr 2026 10:30:29 GMT

I had a fun conversation this week.

It’s called a cash-flipping scam, and this version has been dressed up with an artificial-intelligence angle to make it sound sophisticated. It isn’t. But the people running it are smarter than you might think, and the way they’ve structured it creates some real challenges for victims and investigators.

The target gets an unsolicited text from a stranger promising easy money. The script goes something like this: send me $25, I’ll use my AI tool to flip it, and I’ll send you back $250. Simple, fast, and painless. Of course, the moment the money moves, the scammer either disappears or comes back asking for a little more before the payout arrives. There is no AI. There is no payout. Only fraud.

The $25 is important because the low dollar amount is not random. It’s a calculated decision. The people running these scams have figured out something that works in their favor at almost every level of the criminal justice system.

At $25, most victims are embarrassed, frustrated, and ultimately unwilling to take time out of their day to file a police report over a loss that won’t even cover their gas to get to the station. And honestly, can you blame them?

So the first filter is self-reporting; most of these never get reported at all.

The second filter is law enforcement. Even when a report is filed, no investigator opens an active investigation into a $25 fraud. The caseload doesn’t allow for it.

The third filter is the prosecutors. Even if someone handed a DA a complete, airtight case involving a $25 theft by a non-local suspect, no prosecutor would entertain charging, let alone extraditing, a defendant over such a de minimis loss. The scammers know this. They have built their entire business model around staying below the threshold that triggers a system response.

Live on the West coast of the country and scam people on the East coast for low dollar amounts... bulletproof.

What they’re actually doing is running this scheme at volume. A hundred victims at $25 each is $2,500. A thousand victims is $25,000. The individual loss is invisible to the system, but the aggregate is very real money.

These scams almost always use peer-to-peer payment apps like Cash App, Venmo, or Zelle, and that choice is deliberate too. P2P transfers are fast, feel casual, and are extremely difficult to reverse once completed. There’s no effective dispute process, unlike with a credit card. When the money moves, it’s gone.

But these accounts don’t exist in isolation. Cash App accounts must be verified with real identity details, including name, date of birth, and Social Security number. Additionally, they are connected to a real bank account. Somewhere within this chain, there’s a real person involved. It could be the scammer themselves or a money mule, but in either case, a person is associated with a financial institution that keeps records. Law enforcement with proper legal authority can serve a search warrant on Cash App and the linked bank to access this information (Yeah, I know, don’t hold your breath). The data is available; the key question is whether pursuing it is worth the effort, and that leads me to the most crucial point.

A single $25 case will go nowhere. But if you bring a prosecutor a case showing that the same Cash App tag, the same phone number, or the same script was used against 200 victims across multiple jurisdictions, resulting in $5,000 or $50,000 in total losses, that is a different conversation entirely.

Investigators need to connect with each other early and often. When you see one of these cases, get it into IC3 at ic3.gov and the FTC at reportfraud.ftc.gov immediately and make sure your victims do too. Include the Cash App tag, the phone number, the exact wording of the message, and any transaction IDs. Then reach out laterally—to investigators in neighboring jurisdictions, to fraud units in other agencies, and to your financial crime information networks. Ask whether anyone else is seeing the same tag or the same number.

The scammer is betting that each of us will look at $25 and walk away. The way we beat that bet is by refusing to work in silos. The case that can’t be built by one investigator on one complaint can absolutely be built when ten investigators across five states are looking at the same actor. Aggregate the losses, aggregate the evidence, and suddenly the math changes for everyone.

The News

Tennessee joins Indiana in banning cryptocurrency ATMs. https://www.yahoo.com/news/articles/tennessee-becomes-second-state-outlaw-204113466.html

Toronto Police have arrested and charged three men with 44 offenses following an investigation into the first known use of a mobile SMS blaster device in Canada. This technology mimics cellular towers to intercept phone calls and send fraudulent text messages that appear to come from trusted organizations such as banks, often directing victims to fake websites to steal personal and financial information. The investigation, called Project Lighthouse, began last November and detected thousands of device connections and over 13 million network disruptions across the Greater Toronto Area.
https://torontosun.com/news/local-news/toronto-cops-cybercrime-tool-sms-blaster-spam-phones

A man from Baltimore faces charges including wire fraud, mail fraud, aggravated identity theft, theft of government property, and making false statements. As a former Social Security Administration (SSA) customer service representative, he had access to sensitive SSA databases with personally identifiable information of benefit claimants. The indictment reveals that between February and April 2023, he planned and carried out a scheme to defraud the SSA. He fraudulently obtained Supplemental Security Income (SSI) benefits intended for others, using them for himself and his associates. He targeted claimants with mental health diagnoses, modifying their records to include bank accounts he controlled and his residential address, enabling him to divert their SSI payments. Additionally, he altered the benefit payment dates in SSA’s system, creating back payments in the claimants’ names, and redirected these payments to his accounts. https://www.justice.gov/usao-md/pr/former-social-security-administration-worker-charged-disability-funds-theft-scheme

Holy insider threat! A US special forces soldier was arrested for allegedly betting on the capture of Venezuelan President Nicolás Maduro, earning $400,000. Prosecutors claim he was involved in planning the mission and used insider information to place the bet. https://www.cnn.com/2026/04/23/politics/us-special-forces-soldier-arrested-maduro-raid-trade

It’s Spy vs. Spy. Apple has introduced a software update for iPhones and iPads to fix a serious bug that let law enforcement recover deleted or expiring messages by accessing cached notification content stored on the device for up to a month. The flaw, revealed when the FBI used forensic tools to retrieve deleted Signal messages, was caused by notifications that kept message content in the OS database even after the messages were deleted. Apple fixed this by making sure notifications marked for deletion are no longer stored unexpectedly. The update has also been applied to older iOS 18 versions to enhance user privacy. https://techcrunch.com/2026/04/22/apple-fixes-bug-that-cops-used-to-extract-deleted-chat-messages-from-iphones/

Kudos to law enforcement in Pittsburgh, PA, for their successful effort. Over two days, federal, state, and local authorities collaborated in the Pittsburgh area, resulting in the seizure of nine illegal card-skimming devices. This operation potentially prevented over $9 million in fraud losses for the public. The U.S. Secret Service, in coordination with Allegheny County Police, Pittsburgh police, the state attorney general, the U.S. Postal Inspection Service, and the state inspector general, visited 272 locations on Monday and Tuesday. During these visits, they examined 883 point-of-sale terminals, 775 gas pumps, and 170 ATM terminals. https://triblive.com/local/secret-service-led-operation-nets-9-credit-card-skimming-devices-in-pittsburgh-area/

The Talos group reports that phishing has reemerged as the most commonly observed means of gaining initial access, accounting for over a third of their engagements in which initial access could be determined. Phishing has not been the top vector for initial access since Q2 2025. https://blog.talosintelligence.com/ir-trends-q1-2026/

ADT confirmed a data breach that resulted on the loss of customer data, including names, contact details, dates of birth, and the last four digits of Social Security numbers. ShinyHunters has claimed to possess 10 million records and threatened to leak them unless a ransom is paid. https://therecord.media/ADT-data-breach-cyberattack

Feedback

Send Feedback to matt(at)threatswithoutborders.com

Investigations

The Supreme Court will hear oral arguments in Chatrie v. United States, a case examining the use of “geofence warrants” by law enforcement to obtain location data from tech companies like Google. The case centers on Okello Chatrie, who was convicted of bank robbery after authorities used a geofence warrant to identify his cellphone location near the crime scene. Chatrie argues that the warrant violated the Fourth Amendment by conducting a search without sufficient probable cause and that he had a reasonable expectation of privacy in his location data, which the government should not be able to access without a warrant. The government contends that Chatrie had no such privacy expectation because he voluntarily shared his location data with Google, and that the warrant was not a general search but a targeted request.
https://www.scotusblog.com/2026/04/court-to-hear-argument-on-law-enforcements-use-of-geofence-warrants/

I absolutely endorse this message:

Share Threats Without Borders

Cool Jobs

Manager of Security Awareness and Learning, Vanguard. https://vanguard.wd5.myworkdayjobs.com/en-US/vanguard_external/job/Malvern-PA/Manager--Security-Awareness-and-Learning_177094

Lead Investigator, National Basketball League. https://careers.nba.com/job/NBANBAUSJR000581EXTERNALENUS/Lead-Investigator

Cool Tools

“Upload a screenshot or photo and get clue-based location reasoning in seconds”. Probably not. But it’s currently free, so give it a try. https://reverseimagelocation.com/

DorkEye is an advanced automated dorking and OSINT recon tool that leverages DuckDuckGo. (Fantastic documentation!) https://github.com/xPloits3c/DorkEye

Irrelevant

Are you an Advil person or a Tylenol person? Acetaminophen, ibuprofen, and what doctors probably want you to know. https://asteriskmag.com/issues/14/the-mystery-in-the-medicine-cabinet

Sign Off

Thanks for reading this far. Recently, Google started blocking email tracking pixels, which Substack relies on to track open rates. Many other email services have also blocked these trackers, and now Google Gmail has joined them. My open rate was already inconsistent due to these controls, and now it’s completely useless metric. I really don't know how many subscribers read the newsletter each week. So, I’ll just keep throwing it at the wall and hoping for the best.

Matt

“THAT SHIT THAT HAPPENED YESTERDAY, HAPPENED YESTERDAY. MOVE ON.”

cybercrime cyficrime financial fraud investigations osint aml cybersecurity

Threats Without Borders - Issue 283

Matt Dotts — Tue, 21 Apr 2026 10:31:27 GMT

I recently had a question about an IP address that resolved back to “iCloud Private Relay,” which is more information than is usually provided, since most of the time addresses just resolve to “Cloudflare” or “Akamai.” Unfortunately, for most investigations, this also resolves to a roadblock.

Apple introduced Private Relay as part of iCloud+, and most people think it’s Apple’s VPN service. It isn’t a VPN. It’s more accurate to call it a dual-hop proxy. The service is designed to make sure no single entity, not even Apple, knows both who you are and what you’re looking at. Apple's inclusion in that “no single entity” part is either admirable or politically convenient, depending on your level of cynicism.

When a user browses in Safari with Private Relay enabled, their traffic takes a two-stop detour before reaching its destination. First, it hits an Apple server. Apple sees the user’s real IP address, but can’t see where they’re going because the DNS request is encrypted. The traffic is then handed off to a second relay server operated by a third-party partner like Cloudflare, Akamai, or Fastly. That server knows the destination but has no idea who the user is. The website at the end of that chain sees a generic, temporary IP address shared by potentially thousands of other users in the same general region.

Nobody has the whole picture. That’s the whole point.

Private Relay protects only Safari browsing and encrypts DNS queries on the device.

It does not protect Third-party browsers like Chrome, Edge, or Firefox. Instagram, Facebook, email, banking apps, and most other apps on the device are also unprotected. In the absence of some additional masking technology, those will still phone home with the user’s real IP address.

So when trying to unmask a web browser user, our standard move -- get the IP, search warrant to the ISP, get the subscriber -- hits a wall. The destination logs a relay egress IP shared by thousands of users. The ISP can see the device was connected to Apple, but has no record of which sites were visited. And the relay partner doesn’t store the incoming Apple IP in a way that ties it to the outgoing destination. Nobody has the full picture. By design.

There are still some investigative avenues.

First, Apple publishes a list of all Private Relay egress IP ranges at https://mask-api.icloud.com/egress-ip-ranges.csv. Run any suspicious source IP against that list before spending resources on an ISP subpoena. Know what you’re dealing with upfront.

Second, Private Relay only masks the IP and DNS. Browser fingerprinting artifacts such as canvas fingerprinting, screen resolution, and installed fonts can still tie a specific Safari instance to activity across multiple sessions.

Third, look for cross-app leakage. If your subject used any other app on that same device, such as a different browser, a social media app, or any other service for communication across the Internet, those connections bypassed the relay entirely and may have logged the real IP with those respective servers.

iCloud Private Relay is a headache, a roadblock for sure, but maybe not a dead end. It breaks the attribution chain rather than eliminating it, but sometimes broken chains can still be put back together.

The News

Microsoft explains how to prevent domain compromises through “predictive shielding”. Predictive shielding in Microsoft Defender’s automatic attack disruption helps prevent the spread of identity-based attacks by acting before stolen credentials are fully exploited. Rather than waiting for malicious activity on an account, it detects early signs of credential exposure, such as high-confidence signals of credential theft, and proactively restricts potentially compromised accounts. https://www.microsoft.com/en-us/security/blog/2026/04/17/domain-compromise-predictive-shielding-shut-down-lateral-movement/

Think you won’t get bitten by a malicious insider? Cryptocurrency exchange, Kraken, is standing up to extortionists and refusing to pay their ransom demands. Kraken experienced two extortion attempts stemming from “inappropriate” access by support team members, not external breaches. Approximately 2,000 accounts were potentially compromised. https://www.blockhead.co/2026/04/14/kraken-refuses-extortion-demands-after-criminal-group-films-internal-systems/

I recently shared a report from another threat intel company that claimed Docusign is now the most imitated brand in phishing attacks. Checkpoint doesn’t even list them in the top ten. Regardless, I’m sure this list is applicable.

https://blog.checkpoint.com/research/the-phishing-paradox-the-worlds-most-trusted-brands-are-cyber-criminals-entry-point-of-choice/

So, you want to be a darknet drug lord? https://pastebin.com/raw/GrV3uYh5

The TidBITS public Slack group (SlackBITS) is being closed after a social engineering attack where the attacker impersonated author Glenn Fleishman by duplicating his profile and display name, then sent a direct message to another user to trick him into installing the OSX.Odyssey infostealer malware. https://tidbits.com/2026/04/18/shutting-down-slackbits-after-impersonation-based-malware-attack/

Wine Fraud - Yep. A 59-year-old UK citizen was sentenced to 10 years in federal prison for orchestrating a $97 million wine fraud scheme. Posing as the CFO of a fictitious company, the man and a co-conspirator deceived over 140 investors worldwide by falsely claiming to broker loans secured by high-value wine collections. In reality, the operation was a Ponzi scheme that used new investor funds to pay fake interest to earlier investors. Of the $97 million collected, only ~$14 million was returned, leaving victims with losses exceeding $83 million. https://www.justice.gov/usao-edny/pr/united-kingdom-citizen-sentenced-10-years-prison-97-million-wine-fraud-scheme

Feedback

Send Feedback to matt(at)threatswithoutborders.com

Losing Argument

This is for anyone who denies a connection between the rise in cryptocurrency use for fraud and the proliferation of cryptocurrency ATMs.

Cryptocurrency complaints were relatively flat until the first jump in 2021. And then it skyrockets over the next four years.

And sure enough, the Gemini tells us there was a huge influx, or “Hyper Saturation,” of machines beginning in 2021.

Share Threats Without Borders

Cool Jobs

Director of IT Security - Denver Broncos Football Team. https://job-boards.greenhouse.io/denverbroncosteamllc/jobs/5191274008

Cool Tools

Those who attended my recent talk on quickly triaging websites to determine legitimacy or attribution know that Whois has been replaced by RDAP. The name changed, but the data remains the same. And you might need to go back in history to find out not Who Is, but Who Was! ARIN’s WhoWas service provides historical registration information for IP addresses and ASNs. (Registration required) https://www.arin.net/reference/research/whowas/

Irrelevant

Claude can’t use a typewriter. College instructor turns to old school typewriters to curb the use of AI for assignments.

“What’s the point of me reading it if it’s already correct anyway, and you didn’t write it yourself? Could you produce it without your computer?” said Phelps.

https://sentinelcolorado.com/uncategorized/a-college-instructor-turns-to-typewriters-to-curb-ai-written-work-and-teach-life-lessons/

Sign Off

I’ve come to the realization that I’m a domain hoarder. Domain-rich but cash-poor, I guess. Every time I think of an awesome web domain name, I purchase it, usually with the idea of starting a business someday. But that never happens, and I just keep paying the yearly domain registration fees. It’s become expensive enough that I’ve come to a reckoning. I need to give up some, but it feels like giving up on ideas.

Oh, that’s a great name…domainhoarder.com!

Have a great week. See you all next Tuesday.

Matt

cybercrime cybersecurity cyficime cyber fraud investigations aml osint

Threats Without Borders - Issue 282

Matt Dotts — Tue, 14 Apr 2026 11:49:41 GMT

I generally enjoy AI tools and have found many uses for them. However, it can definitely be a joy killer.

One of my favorite yearly events is the release of the IC3 Internet Crime Report. I love diving into it to uncover insights that often go unnoticed by most. I call these insights 'nuggets,' a term familiar to regular newsletter readers. This year, things were different. The report was published on Monday afternoon, and within a few hours, I saw detailed analyses appearing on LinkedIn and X. Gary Warner, David Maimon, and a very few others in our field can craft such perfect summaries in just 90 minutes. For everyone else... It’s likely that a well-designed AI prompt played a significant role in generating many of those impressive analyses.

And that’s OK. It’s one of the things AI does best, breaking down long, complex, highly dense PDFs into something more digestible.

I’m not mad about it. But I am selfishly disappointed.

The proliferation of AI-generated analysis takes a little bit of the joy away from those of us who really love doing that type of work… old-school. And it renders us afterthoughts because by the time we get around to producing something worth publishing, every cybersecurity content mill has already flooded the zone with AI-created “hot-takes”.

I’m sure you’ve seen the highlights by now. But you really should take the time to actually read the report yourself.

https://www.ic3.gov/AnnualReport/Reports/2025_IC3Report.pdf

I can’t help myself… consider this nugget

It is well known that most victims do not report their victimization and subsequent losses to any authorities, let alone the Internet Crime Complaint Center. In the 2025 report, the IC3 explicitly states that its figures only represent reports to the FBI via IC3 and do not account for other reporting channels. They also acknowledge that missing data and underreporting can result in “artificially low” loss estimates. However, they make no assumptions beyond this.

In contrast, the recent “Protecting Older Consumers 2024-2025” report by the Federal Trade Commission clearly states, “we assume Sentinel includes only 2% of all losses from consumers who lost under $1,000 and 6.7% of all losses from consumers who lost $1,000 or more.”

Page 28 for reference.

So the FTC “officially” assumes its reporting rate is somewhere between 2% and 7%.

Maybe IC3 is better known, and people are more inclined to report their victimization to them because it’s a division of the FBI. But can it be that much higher? Maybe a 15% reporting rate?

The IC3 reports that the total loss from Internet-enabled fraud in 2025 is $ 20.8 billion.

Imagine if that is only 15% of the true loss. What if it’s only 2-7%?

Speaking of AI tools…

The cybersecurity world is going through a mind melt over the release, and potential public release, of “Mythos”.

Anthropic’s Mythos is a highly advanced AI model focused on cybersecurity, particularly on identifying and analyzing software vulnerabilities.

Mythos finds exploitable vulnerabilities in software, systems, and networks at scale.

Think of a house. Every window, door, and air vent is a vulnerability that allows unwanted people to get into the house. We use security measures such as locks, shatterproof glass, reverse hinges, and other safeguards to ensure those vulnerabilities are secure and that only authorized people can enter and exit through them. Mythos finds that one window with a finicky lock, where, if you push a specific-style butter knife between the upper and lower panes, you can just reach the lock lever and pop it. And then it explains what materials you need and provides complete instructions on how to do it.

So does this mean the end of the vulnerability researcher? Are security companies specializing in this all going to go out of business? Maybe, maybe not. It will come down to cost.

Running these AI models isn’t free. While ChatGPT can generate some AI slop for your LinkedIn Hero account at no cost, operating a system that scans a corporate network and compares it against a comprehensive bug library requires substantial computation power, which will incur significant token costs.

And someone needs to pay real money for that usage. The impact of Mythos on the cybersecurity profession will, as with everything else, come down to economics. If the machine becomes more efficient and less expensive than a human, then we’ll see movement. But I don’t see that happening in the near future.

And I think maybe just the opposite.

So, a team at Anthropic created this model. Do you really think that China, Russia, North Korea, Iran, and other well-funded nation-state cyber teams won’t swiftly develop similar capabilities?

Certainly, and cybersecurity experts will continue to be essential in patching the vulnerabilities before these nation-states and criminal groups can exploit them.

Should your child still go to college for Cybersecurity? Meh, it’s still better than Journalism, but I don’t think tools like Mythos will be the immediate downfall of the entire field.

The News

Do you use plugins on your WordPress site? Someone purchased 30 different plugins and planted backdoors in each. This author argues “the WordPress plug-in market has a trust issue.” And further claims that WordPress.org has no mechanism to flag or review plugin ownership transfers. There is no “change of control” notification to users. No additional code review triggered by a new committer. The Plugins Team responded quickly once the attack was discovered. But 8 months passed between the backdoor being planted and being caught. https://anchor.host/someone-bought-30-wordpress-plugins-and-planted-a-backdoor-in-all-of-them/

The Financial Crimes Enforcement Network (FinCEN) has proposed a new rule to reform how financial institutions manage their anti-money laundering (AML) and counter-terrorism financing (CFT) programs under the Bank Secrecy Act. The reform aims to shift the focus from high-volume paperwork compliance to risk-based, effective programs that actually combat illicit finance, while reducing regulatory burden on banks. Maybe, I won’t hold my breath. https://www.fincen.gov/news/news-releases/fincen-proposes-rule-fundamentally-reform-financial-institution-programs

The FBI successfully recovered deleted Signal messages from a suspect’s iPhone by extracting data from the device’s internal notification storage, even after the Signal app had been removed. This was possible because the defendant had not enabled Signal’s setting to hide message content from notifications, allowing the full text to be cached locally by iOS. However, Apple recently changed how iOS 26.4 validates push notification tokens, so this method may no longer work. https://9to5mac.com/2026/04/09/fbi-used-iphone-notification-data-to-retrieve-deleted-signal-messages/

The CIA is increasingly deploying artificial intelligence to enhance its core intelligence analysis mission. The agency has already produced its first autonomous intelligence report and plans to integrate AI “co-workers” across all of its analytic platforms within the next few years to help analysts with tasks such as drafting assessments, testing conclusions, and identifying trends. The agency claims humans will remain responsible for key decisions, but it also noted that it tested 300 AI projects last year and is working to bring AI capabilities to field officers. https://www.politico.com/news/2026/04/09/cia-ai-intelligence-analysis-00865893

The first step a skilled attacker takes after gaining unauthorized access to a Microsoft 365 account is to abuse mailbox rules. Rather than deploying malware, they use native M365 features to create rules that automatically forward, hide, delete, or archive emails, enabling covert data exfiltration, suppressing security alerts, and maintaining persistence even after password changes. Proofpoint explains that these rules can be deployed in as little as 5 seconds after compromise and can be fully automated at scale via the Microsoft Graph API. https://www.proofpoint.com/us/blog/threat-insight/mailbox-rules-o365-post-exploitation-tactic-cloud-ato

Don’t end up on the “Sucker List”. https://www.welivesecurity.com/en/scams/recovery-scammers-hit-when-down-avoid-second-strike/

Feedback

Send Feedback to matt(at)threatswithoutborders.com

Evidence

Why screenshots fail in court. https://lucidtruthtechnologies.com/authenticate-social-media-evidence/

Share Threats Without Borders

Cool Jobs

Security Operations Associate - National Football League. https://job-boards.greenhouse.io/nflcareers/jobs/5127529008

Why MLB? Why are you still making people work in New York City? Ugh. Incident Response and Intel Analyst, Major League Baseball. https://hub.globalsportsjobs.com/vacancy/incident-response-intel-analyst-us-glap119784

Cool Tools

2026 DIY Opt-Out Manual For Removal From Over 400 Sites. https://github.com/thumpersecure/opt-out-manual-2026

Little Snitch (iykyk) but for Linux. https://obdev.at/products/littlesnitch-linux/index.html

Irrelevant

Sign Off

I thought I wrote a pretty good newsletter last week, but I somehow finished the week with fewer subscribers than I started with. Tough crowd. I sincerely appreciate everyone who stays with me.

Enjoy the warmer weather! Those of you in the Midwest should stay in your storm cellars. I’ll see you all next week.

Matt

“IT TAKES LESS TIME TO DO A THING RIGHT THAN TO EXPLAIN WHY YOU DID IT WRONG.”

Threats Without Borders - Issue 281

Matt Dotts — Tue, 07 Apr 2026 10:05:25 GMT

This was a DTMF attack. And it’s so damn clever!

When you press a key on your phone’s keypad, it generates a specific pair of audio tones. This system is called DTMF, or Dual-Tone Multi-Frequency signaling. Each key, 0 through 9, along with the asterisk and pound, produces a unique combination of two tones that phone systems use to identify what was pressed. It’s the same technology that lets you “press 1 for English” or enter your account number on an automated line. But those tones are just sounds, and anyone on the call with you can hear, record, and decode them.

That’s exactly what the scammer did.

When this Redditor called the balance verification number using three-way calling with the buyer on the line, they entered the card number and PIN using their keypad. Those DTMF tones traveled directly through the call to the scammer’s end in real time. The scammer either recorded the call or used software to decode the tones as the victim pressed them, translating each beep back into the exact digits entered. Once they had the card number and PIN, they hung up, logged into the gift card issuer’s website or called the automated line themselves, and drained the balance. The entire process likely took just minutes.

The technology behind this isn’t complex. Tools for recording and decoding DTMF tones are readily available and free. However, what made this attack so effective wasn’t the technology; it was the social engineering. The scammer didn’t hack anything; they simply created a situation where the victim willingly entered the credentials while they listened. The three-way call seemed like a normal, cooperative action. A buyer wanting to verify a balance before purchasing makes complete sense. That’s exactly why it succeeded. Social engineering attacks don’t target systems; they exploit trust.

https://en.wikipedia.org/wiki/DTMF_signaling

https://nhollmann.github.io/DTMF-Tool/

Wilmington?

Last week, I spoke at the Delaware Fraud Working Group conference in Wilmington, Delaware. What a pleasant event! I’m disappointed I had another commitment and couldn’t spend the entire day.

The host venue at Delaware Technical Community College was fantastic—truly one of the best places I’ve spoken at. I was also pleasantly surprised by Wilmington. I’ve long written off cities like Philadelphia and New York and generally refuse to attend any event hosted there. Heavy traffic, limited parking, panhandlers, dirt, and chaos make the inconveniences and costs too high to justify the effort.

Wilmington probably has those issues, but I didn’t experience them. The drive into the city from the West was smooth, and parking was straightforward and, best of all, free. The only problem I faced was the haze of marijuana smoke in the parking garage stairwell.

I’m not sure whether the DFWG will host next year's event at DelTech, but if you’re within a reasonable drive, attend.

Reader Mail

Matt, your take on the Darksword exploit is one of the most balanced I’ve read. You should push that to a publication with a much wider reach. It’s genuinely better than most things I’ve seen in any of the major news outlets. - JohnS

I was an examiner with a 3 letter agency for eight years, and now I work for an incident response firm. I can’t stress enough how important it is for people to keep their devices updated. We recently had an incident in which the owner of a business was using an iPhone XR running iOS 17.7. How does that happen? It’s really that simple. Keep your devices on the most recent version, and you eliminate 99.9% of remote exploits. - KS

See Issue 280 for context.

The News…

David Maimon explains the fraud known as “Pell Running” that is crushing the American federal student loan system. https://resources.sentilink.com/blog/inside-pell-running-the-federal-student-aid-fraud-congress-is-trying-to-stop

AI-generated deepfake audio has raised concerns about the integrity of evidence. With voice cloning tools becoming affordable and widely available, it’s now simple to produce realistic fake audio recordings of voicemails, calls, or confessions that can be used as evidence in legal proceedings, insurance claims, or business disagreements. https://www.forbes.com/sites/larsdaniel/2026/03/15/beyond-cybersecurity-deepfake-audio-is-an-evidence-crisis/

It’s tax season and that means tax scam season. Proofpoint has identified over 100 malicious campaigns using tax-themed lures to deliver malware, Remote Monitoring & Management tools, credential phishing, and fraud. https://www.proofpoint.com/us/blog/threat-insight/security-brief-tax-scams-aim-steal-funds-taxpayers

A recently identified phishing-as-a-service platform is targeting C-suite executives using highly personalized, QR-code-based emails that impersonate SharePoint notifications. These emails bypass detection using techniques such as randomized HTML noise, fake email threads, and Unicode QR codes that evade image scanners. When scanned, victims are led through a multi-layered “gate” that prevents automated tools and researchers from proceeding, before being redirected to credential harvesters. More worrisome, the exploit functions within Microsoft’s authentication system, making traditional MFA ineffective as a key line of defense. https://abnormal.ai/blog/venom-phishing-campaign-mfa-credential-theft

I currently hold two SANS/GIAC certifications and recently let a third (GSEC) expire. The exams and their preparation are quite demanding. The crucial aspect is really the preparation process itself. Although the exams are open book, spending too much time looking up answers will result in you running out of time. You will need to look up some answers quickly, and this is where the index becomes essential. Here is a good take on creating an effective index. https://aerobytes.io/writeups/giac-indexing-guide/

Two individuals have pleaded guilty in federal court in Rhode Island for their roles in a transnational fraud and money laundering scheme targeting elderly victims across the U.S. and Canada. The scheme involved fraudsters posing as representatives of financial institutions and government agencies, such as the FTC and the Federal Reserve, convincing victims that their accounts were compromised and directing them to transfer funds via wire transfers, cryptocurrency, cash, or gold bars. The scheme defrauded approximately 300 victims across 37 states, with known losses exceeding $5 million. https://www.justice.gov/usao-ri/pr/two-defendants-plead-guilty-transnational-fraud-scheme-targeting-elderly-victims

Uno is a good boy. https://cdapress.com/news/2026/apr/01/coffee-with-a-k9/

DFIR

Tsurugi Linux released update version 26.03 on iso or ova. https://tsurugi-linux.org/downloads.php

Cool Tools

FTC Sentinel Fraud Dashboard. https://public.tableau.com/app/profile/federal.trade.commission/viz/FraudReports/FraudFacts

Who is giving money to whom? https://www.opensecrets.org/

Cool Job

Card Fraud Manager, Members 1st Federal Credit Union. https://careers.members1st.org/jobs/2682/Card%20Fraud%20Manager

Vice President of Consumer and Banking Fraud Strategy. JP Morgan Chase https://jpmc.fa.oraclecloud.com/hcmUI/CandidateExperience/en/sites/CX_1001/job/210699592

Irrelevant

Credit: Varun.ch

Feedback

matt (at) threatswithoutborders.com

Sign Off

Wow, a lot of new subscribers this week.

So, what’s this all about? See that issue number, 281—that’s how many consecutive weeks the Threats Without Borders Newsletter has been published. Yep, every Tuesday morning for five years and four months. Never a miss. What I lack in quality, substance, and style, I make up for in tenacity.

Welcome. And when your email provider drops the newsletter or your company decides newsletters are a time-suck and creates a “unsubscribe and delete” rule, you can always find every issue published at www.threatswithoutborders.com.

Or install the Substack app on your smartphone and ensure delivery each week.

Available for iOS and Android

Thanks for checking us out and I hope to see you all next week.

Matt

“DON’T LET A BAD DAY MAKE YOU FEEL LIKE YOU HAVE A BAD LIFE.”

Threats Without Borders - Issue 280

Matt Dotts — Tue, 31 Mar 2026 10:46:52 GMT

A few weeks ago, I addressed a concern in this space about Apple iPhone users claiming, “Wasn’t me, my phone was hacked.” My response was straightforward: unless they are a direct target of a nation-state, the iPhone was not secretly compromised.

Well... news recently broke about an iPhone exploit called Darksword, and it has me reevaluating my stance on the issue.

Yes, your iPhone can be hacked; no, you’re probably not interesting enough to justify the price tag.

That tension, between what’s possible and what’s probable, is getting lost in the conversation around advanced mobile exploits like DarkSword. Headlines and social media chatter tend to flatten everything into the same message: your phone is vulnerable at any time. Technically, that’s true. Practically, it’s sensational trash.

DarkSword isn’t a typical piece of malware you download or install. It’s an exploit chain, a carefully engineered sequence of vulnerabilities that allows an attacker to break into an iPhone, escalate privileges, and extract data. It’s not a virus but a master key that unlocks multiple doors in sequence. Once inside, it can deploy tools to collect messages, access apps, or monitor activity, often without leaving much evidence behind.

That kind of capability has not just been rare, but elite. Building something like this requires deep expertise, time, and significant financial investment. For years, these tools were almost exclusively in the hands of nation-states and a small number of highly specialized surveillance vendors. And because they were so valuable, they were used sparingly, against very specific, high-value targets.

The ceiling hasn’t changed. These are still highly sophisticated, expensive, and complex attacks. But the floor has dropped.

The challenge of developing these capabilities remains very high, but the difficulty of accessing them is decreasing. We’re observing the same trend that has occurred in other areas of cybercrime. There was a time when launching a ransomware attack required significant technical skill. Now, ransomware-as-a-service has made it much more accessible. The expertise hasn’t disappeared; it has been packaged, productized, and distributed.

Bad guys who previously could not develop an iPhone exploit chain can now sometimes access or lease that capability. This doesn’t mean “anyone” can do it, but it does expand the pool of potential attackers. It’s no longer limited to intelligence agencies and top-tier operators; it may now include smaller governments, private intelligence firms, and well-funded criminal groups.

Yes, it is now more possible for a broader range of attackers to use these tools. No, it is still not probable that they will be used against the average person.

There are a few reasons for that.

First, these exploits remain costly assets. Even as access becomes more available, it’s not free or simple. Using one involves risk for the attacker. Each deployment raises the likelihood that the exploit will be discovered, analyzed, and patched. Burning a valuable capability on a random target offers little economic or operational benefit.

Second, these attacks still require targeting. Even a “one-click” exploit—where a user simply taps a link—relies on getting that link in front of the right person at the right time. That involves reconnaissance, delivery methods, and often some level of social engineering. This is not spray-and-pray activity. It’s intentional.

Third, and what I’ve been saying for a long time, is that there are far easier ways to compromise people.

Most cybercriminals don’t need a complicated exploit chain to succeed. Phishing emails, fake login pages, password reuse, SIM swapping, and social engineering are much cheaper and easier to scale. If they aim for financial gain, these methods provide a higher return on investment. Why invest heavily in a complex iPhone exploit when a convincing text message can trick someone into giving up their credentials?

This is why, for the average iPhone user, the biggest risks remain the same as they were before: scams, phishing, weak passwords, and account takeovers. Not zero-day exploits.

But that doesn’t mean nothing has changed.

The important shift is in who might now be considered “worth it.”

Previously, the range of targets for these attacks was very limited. Now, it has expanded, not to include everyone, but to include more individuals than before. Those now at risk include journalists, business leaders, government workers, activists, and anyone with access to confidential information or financial assets, even if they don’t operate internationally.

Additionally, there is a risk of spillover. As these tools become more widely used, there’s an increased chance of errors—such as incorrect numbers, misidentified devices, or infrastructure that unintentionally exposes unintended users. This doesn’t suddenly make everyone a target, but it does add more unpredictability to where these capabilities might be exploited.

So where does that leave the everyday iPhone user?

The iPhone is not under constant threat from elite hackers. It is not being silently compromised at random. But it is also no longer accurate to assume that these capabilities exist only in distant, highly controlled environments.

Understand that advanced attacks exist. Recognize that they are becoming more accessible to a wider range of actors. But also keep in perspective that attackers are still making decisions based on cost, value, and likelihood of success. Most people simply do not present a target that justifies the use of such a tool.

And importantly, many of the protections against these advanced threats are straightforward.

Keeping your iPhone updated is one of the most effective things you can do. These exploit chains rely on vulnerabilities, and once those vulnerabilities are patched, the window of opportunity closes. Delaying updates means leaving the door open longer than necessary.

Apple has also introduced built-in protections designed specifically for high-risk scenarios, such as Lockdown Mode. While not necessary for most users, it’s a powerful option for those who may be more likely to be targeted.

Yes, an iPhone can be hacked.

But what matters far more is whether it’s likely - and for most people, it still isn’t.

So in your investigations, it’s something you need to account for… but probably not.

Speaking of Lockdown Mode

Nearly four years after its 2022 debut, Apple’s Lockdown Mode remains undefeated by mercenary spyware, with both Apple and independent investigators such as Amnesty International confirming that no devices with the feature activated have been successfully attacked. Citizen Lab researchers have documented instances where Lockdown Mode effectively prevented Pegasus and Predator spyware attacks. https://techcrunch.com/2026/03/27/apple-says-no-one-using-lockdown-mode-has-been-hacked-with-spyware/

Skimming Report

I’ll write more about this report, but I just don’t have the space today. FICO released the report “The State of Card Skimming in the US: 2025 Year In Review”. https://www.fico.com/blogs/state-card-skimming-us-2025-year-review

Cool Job

Data Scientist, Predictive Fraud Intelligence - VISA. https://jobs.smartrecruiters.com/Visa/744000117342711-data-scientist-predictive-fraud-intelligence

Fraud Risk Governance Lead - Customers Bank. https://customersbank.wd1.myworkdayjobs.com/customersbankcareers/job/Malvern-PA/Fraud-Risk-Governance-Lead_REQ-2026-851

Cool Tool

IRS charity search - https://apps.irs.gov/app/eos/

How charitable is a charity? Charity Navigator - https://www.charitynavigator.org/

International phone number look-up. https://www.thisnumber.com/

Irrelevant

The U.S. Army increased its maximum enlistment age to 42. Meh, I’m still too old, but of course, I couldn't have done it at 42 either. Kudos to anyone over 40 who accepts this challenge! https://abcnews.com/Politics/army-extends-maximum-recruitment-age-42-allowing-older/story?id=131411519

Sign Off

I had to cut the news section today due to space limitations. It will be back next week.

Do you know what a DTMF attack is? Or how they use it to steal the balance from gift cards? Come back next week to learn more.

Matt

“IF YOU WAIT FOR EVERYTHING TO FALL INTO PLACE BEFORE YOU ACT, YOU WILL NEVER MOVE.”

Threats Without Borders - Issue 279

Matt Dotts — Tue, 24 Mar 2026 11:20:09 GMT

So many times when we think of “cybercrime” or crime facilitated through the use of technology and the Internet, we think of the usual suspects - network intrusions with data theft, ransomware, DDOS attacks, investment and romance scams, email phishing… or any of the other crimes detailed in the Internet Crime Complaint Center’s yearly report.

Rarely do we ever think of music fraud. And certainly not music fraud involving AI-created music and a massive botnet that generates millions of “listens” across a dozen streaming services.

A North Carolina man has admitted guilt in a widespread music streaming fraud that occurred from 2017 to 2024. He used AI-generated songs and up to 10,000 bot accounts simultaneously to artificially inflate streaming counts on platforms such as Spotify, Apple Music, Amazon Music, and YouTube Music, resulting in billions of fake streams. To evade detection, he used VPNs and distributed activity across hundreds of thousands of tracks. Through this operation, he generated over $8 million in royalties.

Posting AI-generated music on streaming services isn’t illegal. The crime lies in using countless zombie machines to “listen” to the music.

He exploited technology and the Internet to set up a situation where victim businesses paid him money that he didn't legitimately earn. And 8 million dollars isn’t chump change.

Fraud is as old as time, and most schemes are not new, but the convergence of financial crime and the Internet continually takes us into new territory and pushes the boundaries of “cybercrime”.

https://www.justice.gov/usao-sdny/pr/north-carolina-man-pleads-guilty-music-streaming-fraud-aided-artificial-intelligence-0

Audit PTO

When providing fraud-prevention training to business owners and executives, I emphasize the importance of job rotation and mandated paid time off (PTO).

I often cite an investigation I was involved in where the suspect employee hadn’t taken any vacation for seven years. Although she took occasional days off around holidays, she never scheduled a full week off during that period.

She operated a sophisticated refund scheme, funneling refunds into her own accounts, and she knew that anyone who stepped into her role could uncover her fraud. Her eventual exposure came when a new accounting software flagged irregularities during a routine audit.

Over those seven years, she embezzled more than $200,000 from her employer.

This case from a Pennsylvania casino is the latest example of an insider executing a scam that could have been quickly uncovered if someone else had briefly stepped into the role. In fact, that’s precisely how she was caught:

When Petrillo was on medical leave, an employee at the casino’s horse racing office assisted with the office paperwork. Police said that’s when the employee discovered the discrepancies.

At least once a year, every financial role in the organization should be temporarily filled by another person for a few days. This practice not only helps prevent fraud but also enhances redundancy and recovery options. If someone refuses to take a week off, it should be forced.

An employee who refuses to use their Paid Time Off is a huge red flag… in more ways than one.

This employee stole over $700,000. And it’s so preventable.

https://www.pennlive.com/crime/2026/03/hollywood-casino-employee-accused-of-stealing-over-700k-in-fraud-scheme.html

Share Threats Without Borders

The News…

Holy... we’re smoked. Although hype for their own product, this article by Sublime Security describes a new attack that masquerades as a Zoom meeting invite but results in the recipient installing malware on their Windows PC. The extent to which the attackers go to pull this off is impressive. They even run a JavaScript-enabled Zoom meeting simulation in the browser session - complete with technical difficulties. Anyone who has ever worked at a Help Desk or in a role involving regular interaction with non-technical users knows this issue will have a significant impact on unsecured organizations that use Zoom. https://sublime.security/blog/advanced-fake-zoom-installer-used-for-delivering-malware/

Keep your iPhone updated, and these exploits will not be so bothersome. In fact, not at all. The Google Threat Intelligence Group reports the “DarkSword” exploit for Apple iPhone devices has been adopted by multiple threat actors since November 2025. The exploit chain uses six zero-day vulnerabilities to fully compromise iOS devices running versions 18.4-18.7. For the record, you should be on some version of iOS 26, preferably 26.3.1 (at the time of this writing). https://cloud.google.com/blog/topics/threat-intelligence/darksword-ios-exploit-chain

SEC will vote on reducing the quarterly reporting requirement to twice a year. https://www.reuters.com/business/finance/us-sec-preparing-eliminate-quarterly-reporting-requirement-wsj-says-2026-03-16/

Ok, this scam needed to be shut down, but are there actual victims here? Law enforcement authorities from 23 countries carried out *Operation Alice*, a major crackdown on a dark web network run by a 35-year-old in China. Over five years, he operated more than 373,000 fraudulent Tor domains, promoting child sexual abuse material (CSAM) and cybercrime-as-a-service (CaaS). He defrauded around 10,000 customers of over $345,000 in Bitcoin, without ever delivering the promised content. While the sites claimed to offer CSAM “packages” ranging from gigabytes to terabytes, they were entirely fake and victims were never supplied with the material. Europol coordinated international intelligence efforts, tracked cryptocurrency transactions, and helped identify the operator, who used up to 287 servers worldwide. https://www.europol.europa.eu/media-press/newsroom/news/global-cybercrime-crackdown-over-373-000-dark-web-sites-shut-down

Pennsylvania Attorney General Dave Sunday announced that the leader of a criminal organization that defrauded central Pennsylvania banks and their customers of more than $3 million has been sentenced to prison and ordered to pay more than half-a-million dollars in restitution. https://www.attorneygeneral.gov/taking-action/ringleader-in-multi-million-dollar-central-pa-bank-fraud-scheme-sentenced-to-prison/

Bank and credit union compliance software provider Marquis confirmed that a data breach discovered in August 2025 affected approximately 672,000 individuals, which is much less than the previously estimated 1.6 million. Of course, that doesn’t make it any better, just less impactful. The attackers stole sensitive personal and financial information, including names, addresses, Social Security numbers, dates of birth, and payment card numbers from dozens of the financial institutions Marquis serves. https://www.securityweek.com/marquis-data-breach-affects-672000-individuals/

DFIR

Andrea Fortuna introduces the DFIR Toolkit. https://andreafortuna.org/2026/03/17/dfir-toolkit

Cool Job

Criminal Intelligence Analyst, Group 9. https://groupnine.us/careers/

Cool Tool

I was a longtime user of Evernote, but left when it was bought by Bending Spoons, and they priced it out of reality. I’ve since switched to the fantastic notes app Bear, but it's only available on Apple devices. So, for you Windows users still feeling the loss of Evernote - try Cimanote. “Cimanote is the fast, clean note-taking app for people tired of Evernote's bloat and price hikes. Sign up today — your first year is completely on us.” https://cimanote.com/

Irrelevant

More evidence that not all addictions are bad. This long-term study discovered that moderate intake of caffeinated coffee or tea was associated with an 18% lower risk of dementia and improved cognitive performance over time. https://www.sciencedaily.com/releases/2026/03/260318033138.htm

Get Learned

SLEUTHCON is a forum for identifying and exploring cybercrime and financially-motivated threats. Friday, June 5, 2026. Arlington, VA and Virtual. https://www.sleuthcon.com/

Delaware Fraud Working Group, Full-Day Fraud Prevention Summit. Thursday, April 2, 2026. Wilmington, DE. https://www.eventbrite.com/e/delaware-fraud-working-group-full-day-fraud-prevention-summit-tickets-1982375409213

Late Breaking

If you think you need a new router, buy one now. The FCC plans to ban all foreign-made routers. While this isn’t necessarily a bad thing and will certainly benefit the American tech industry, the issue is that nearly every router is made entirely, or at least with parts from, outside the U.S. Once this rule is enforced, American manufacturers won't be able to meet the demand for a long time. When I searched for American-made routers, the only one I found that is made entirely in the U.S. is Starlink. Hmm. Is that a coincidence? https://docs.fcc.gov/public/attachments/DOC-420034A1.pdf

Sign Off

The best news of the week is that by Friday, the RSAC Conference will be over, and our inboxes will be free from the daily influx of emails from salespeople asking to “connect” during the event.

Thanks again for opening another issue of the newsletter. Cheers to sunshine and warmer weather!

Matt

“YOU WILL NEVER START ANYTHING IF YOU ALWAYS WAIT UNTIL YOU ARE FULLY READY.”

Threats Without Borders - Issue 278

Matt Dotts — Tue, 17 Mar 2026 11:20:24 GMT

I’m old enough to remember when ATM’s arrived on the scene. Of course, we called them “MAC Machines”. I recall a local bank holding a contest to see who could withdraw the most money in a set amount of time to highlight the ease of use.

I also remember the concern that such technology raised about the future of banking. Well, the ATM didn’t replace the teller. But as this excellent article highlights, the smartphone is.

David Oks

Why ATMs didn’t kill bank teller jobs, but the iPhone did

A few months ago, J. D. Vance, sitting vice president of the United States, gave an interview to Ross Douthat of the New York Times. During that interview, Vance and Douthat had an interesting exchange…

3 months ago · 1116 likes · 86 comments · David Oks

And when you combine the smartphone with an ebanking platform and the ATM, you get the perfect fraud workflow.

Proxy takedown

Law enforcement from eight countries seized 23 servers and 34 domains, froze $3.5M in crypto, and identified more than 124,000 users. Known as “SocksEscort”, the network, powered by the AVRecon botnet, has co-opted more than 369,000 IPs since 2020.

This service essentially took control of unsecured residential and business routers and sold access to them. This enabled an attacker to route their malicious Internet traffic through the router in a residential home or (small) business.

Untrained investigators often assume that tracing an IP address back to an ISP subscriber indicates that a user physically on the property who connected to the Internet through the router was responsible for the activity. Poor assumption. You must consider the possibility of an infected router being used as a proxy.

https://www.justice.gov/usao-edca/pr/authorities-dismantle-global-malicious-proxy-service-deployed-malware-and-defrauded

And not by coincidence, I’m sure, the Internet Crime Complaint Center (IC3) published a document titled “Evading Residential Proxy Networks: Protecting Your Devices From Becoming a Tool for Criminals”. https://www.ic3.gov/PSA/2026/PSA260312

More News…

This executive order, signed by President Trump, outlines a U.S. government strategy to combat cybercrime, fraud, and predatory schemes targeting American citizens, particularly those orchestrated by transnational criminal organizations (TCOs), sometimes with foreign state support. It directs multiple federal agencies to review and strengthen defenses, establish a coordinated operational cell within the National Coordination Center, enhance victim support through a proposed Victims Restoration Program, and engage internationally to pressure nations that harbor these criminal groups. The order emphasizes law enforcement, diplomacy, and potential offensive actions to disrupt and dismantle these threats. https://www.whitehouse.gov/presidential-actions/2026/03/combating-cybercrime-fraud-and-predatory-schemes-against-american-citizens/

C’mon, where are the controls? A Catholic bishop in the San Diego area resigned after being arrested and charged with embezzling $270,000 from St. Peter Chaldean Catholic Cathedral in El Cajon, California. He faces 16 felony charges, including money laundering, with prosecutors alleging he misappropriated monthly rental payments exceeding $30,000 from a church tenant. https://www.ncronline.org/news/pope-announces-resignation-us-bishop-accused-embezzling-270k-california-parish

Not a good week for men of the cloth. The head priest of Trinity Episcopal Cathedral in Pittsburgh was arrested on February 27 after being accused of stealing over $1,000 in baseball cards from a Walmart in Economy Borough. Police say he was caught leaving the store with 27 packs of baseball cards concealed on his person, and security footage allegedly showed him stealing from the same store on five separate occasions. The very reverend faces charges of receiving stolen property and retail theft. https://abcnews.com/US/wireStory/head-priest-episcopal-church-pittsburgh-accused-stealing-baseball-130976273

Crypto traders - “Slippage” will kill you. Or cost you 50 million dollars. “Slippage is the difference between the price a trader would expect to get in a trade and the price they receive once the transaction executes. This can happen in large orders or when liquidity is weak.” https://www.theblock.co/post/393466/crypto-whale-loses-nearly-50-million-swapping-usdt-for-aave

A ransomware negotiator working for an incident response firm has been accused by the Department of Justice of secretly collaborating with the ALPHV/BlackCat cybercrime group while helping victims negotiate ransoms. The man and two colleagues allegedly carried out at least 10 ransomware attacks and shared confidential negotiation details with criminals to increase ransom payments in exchange for a share of the proceeds, with ransoms reaching up to $26 million. https://therecord.media/ransomware-blackcat-doj-incident-responder

Bonus

Anthropic is doubling the usage limits for Claude during off-hours. So do your heavy work at 2 am. https://support.claude.com/en/articles/14063676-claude-march-2026-usage-promotion

Cool Job

Head of Digital Financial Crimes Compliance, State Street. https://statestreet.wd1.myworkdayjobs.com/Global/job/Boston-Massachusetts/Head-of-Digital-Financial-Crimes-Compliance--Managing-Director_R-781812

Financial Crimes Investigations Specialist, DraftKings. https://draftkings.wd1.myworkdayjobs.com/draftkings/job/Remote---US/Financial-Crimes-Investigations-Specialist_JR13845-3

Cool Tool

Notes as easy as texting. https://prism.you/

ABA Routing Number Look-up/Search. https://routingnumber.aba.com/Search1.aspx

DFIR

The forensic value of Apple Spotlight artifacts. https://forensafe.com/blogs/apple-spotlight.html

Young people…

Claude assessed itself and identified the jobs it will replace. Pivot and adapt as needed. Don’t be like the wagon wheel maker who kept making wagon wheels after seeing the automobile pass through town.

https://www.anthropic.com/research/labor-market-impacts

Irrelevant

Sending employees back into the office isn’t going well. https://thehill.com/opinion/technology/5775420-remote-first-productivity-growth/

Sign Off

My good will, positive vibes, and prayers will be offered to anyone traveling this week. What a mess. Get to the airport early and bring an extra dose of patience. I try to keep politics out of the newsletter, but damn, what do we even have these people for? If our elected officials can’t agree to ensure our essential security personnel, like TSA, get paychecks, then the system is graveyard dead. They all need to go, regardless of whether they have a D or R behind their name.

Thanks,

Matt

“TRY BEING INFORMED INSTEAD OF JUST OPINIONATED.”

Threats Without Borders - Issue 277

Matt Dotts — Tue, 10 Mar 2026 10:53:47 GMT

How to find a company’s email provider based on the domain.

It’s a 50/50 task. If you solve it correctly on the first try, it’s straightforward. Otherwise, it can become endlessly complex, and you might never find the answer. As I began preparing this piece and designing a workflow to help with your investigations, I realized this isn’t just a simple few-paragraph reply suitable for a newsletter.

So, I’ll give you the easy option first.

The first step in identifying an organization’s email provider is to check the MX record for the domain, which stands for Mail Exchanger. This record is publicly published in the Internet’s Domain Name System for every organization that receives email, indicating the mail server responsible for accepting their incoming messages. Since it’s publicly accessible, you can look it up without contacting the organization or leaving traces of your search.

To examine it, visit MXToolbox at mxtoolbox.com, enter the organization’s domain name and perform an MX Lookup. The large majority of all business organizations use either Microsoft or Google for email. If the record includes mail.protection.outlook.com, the organization uses Microsoft 365. If it points to google.com or contains aspmx.l.google.com, they use Google Workspace. That’s your answer, and you’re done.

Problems arise if the MX record points to a third-party security gateway instead of Microsoft or Google. Services like Mimecast, Proofpoint, and Barracuda act as intermediaries, filtering spam and malware before forwarding messages. In those cases, the MX record only reveals the gateway used, not the actual mail hosting provider. If your lookup shows hostnames like mimecast.com, pphosted.com, or barracudanetworks.com, you’ll need to investigate further.

When a security gateway obscures the MX record, we often turn to the SPF record. SPF, or Sender Policy Framework, lists all authorized email sending services for a domain. It aims to prevent email fraud by confirming which servers are legitimate senders, helping mail systems verify message authenticity. Importantly, the list must include the actual mailbox provider; otherwise, legitimate emails could be marked as spam or blocked. This makes the SPF record especially useful during investigations.

To check it, go back to MXToolbox, click the dropdown next to the search button, and select SPF Record Lookup. Enter the same domain and run the search. Although the results may look like a string of technical text, focus on entries starting with “include:”. These indicate external services trusted to send mail for the domain. For example, include:spf.protection.outlook.com suggests Microsoft 365, while include:_spf.google.com indicates Google Workspace — regardless of the MX record.

A security gateway can block incoming mail and hide its destination, but it cannot hide the outbound authorization record. The SPF record must list the real provider, and since it’s public, we can access and read it. Usually, if Phase 1 yields no results, Phase 2 might provide the answer.

The problem is when organizations obscure third-party hosting services or run their own email server. We’ll look at some of those next week.

The News…

The FBI warns of a phishing scam in which criminals impersonate city and county officials to solicit fraudulent permit payments. Victims receive emails containing accurate permit information that request payment via wire transfer, peer-to-peer payment, or cryptocurrency. https://www.ic3.gov/PSA/2026/PSA260309

The White House released its cybersecurity policy in the new document “President Trump’s Cyber Strategy for America." Normally, I’d respond with "Meh," since government policies, papers, and promises are pretty worthless. However, President Trump has established a pretty good track record of following through on his commitments, for better or worse. We should digest this document and prepare to work within its guidelines because it’s likely to be carried out. https://www.whitehouse.gov/wp-content/uploads/2026/03/President-Trumps-Cyber-Strategy-for-America.pdf

Tycoon 2FA was a major “Phishing-as-a-Service (PhaaS)” platform that appeared in 2023 and was developed in 2024 to evade multi-factor authentication using adversary-in-the-middle attacks, capturing live session cookies to access accounts illegally. It was associated with more than 64,000 phishing incidents, affecting nearly 100,000 organizations worldwide. At its height, it accounted for approximately 62% of all phishing attempts blocked by Microsoft. In early 2026, a coordinated operation led by Europol, involving Microsoft, Intel 471, Cloudflare, Coinbase, and others, dismantled the platform’s infrastructure, seizing 330 domains and arresting the alleged ringleader. https://www.intel471.com/blog/born-to-bypass-mfa-taking-down-tycoon-2fa

BLUF: Keep your device updated to the most recent version of iOS. Security researchers at Google discovered an iPhone hacking toolkit called Coruna, originally used by a government customer, that has since leaked and spread to cybercriminals. The kit can compromise iPhones running iOS 13 through 17.2.1 by chaining together 23 vulnerabilities, requiring only that a target visit a malicious website. After its initial discovery in February 2025, the same toolkit was found being used by a Russian espionage group targeting Ukrainians and later by a financially motivated hacker in China. Mobile security firm iVerify linked the tools to the U.S. government, drawing parallels to previously attributed American hacking frameworks. https://cloud.google.com/blog/topics/threat-intelligence/coruna-powerful-ios-exploit-kit

The FBI has extradited a 28-year-old Bangladeshi from Malaysia to Alaska to face charges related to an international child sexual exploitation ring. Indicted in 2022 by an Alaska federal grand jury, the man is accused of using Instagram and Snapchat to coercively obtain sexually explicit material from hundreds of minors across the U.S. and internationally. He faces multiple charges, including conspiracy to produce child pornography, child exploitation enterprise, cyberstalking, and wire fraud. If convicted, he could face 20 years to life imprisonment. Kudos to the BU, Alaska State Police, and Anchorage PD for wrapping this guy up. https://www.justice.gov/usao-ak/pr/bangladeshi-national-make-initial-appearance-following-arrest-fbi-international

Who says crime doesn’t pay? Retail crime certainly seems to pay. This Ohio woman defrauded Home Depot of $266,699 through 1700 fraudulent returns. She was sentenced to 180 days in jail and five years of community supervision. Oh, and restitution, but we all know that will likely never happen. So, a quarter of a million dollars to sit in jail for 180 days? Some might say that’s a steal. https://www.cleveland19.com/2026/03/05/ohio-womans-multi-state-retail-fraud-scheme-created-266699-fake-store-credit-police/

DFIR

I once testified as an expert witness in a trial concerning the recovery of dashcam video evidence. I removed the microSD card from the device, cloned it, and then played the mp4 file to isolate the time period of the vehicle crash. It takes an expert to explain that process, I guess. In this post, SalvationData goes a little deeper into the process. https://www.salvationdata.com/product-tips/dashcam-video-recovery/

Mail Call

“Matt, don’t hate the player, hate the game. Personal branding is now a professional requirement, and LinkedIn is the most efficient place to do it.” - TF

Speaking of LinkedIn

I’ve been notably resistant to freaking out about AI being used to facilitate cybercrime, noting that the old methods still work just fine. But every day I become more bullish.

TrendAI researchers demonstrate how publicly available LinkedIn data can be rapidly weaponized into highly targeted phishing attacks using AI tools. The researchers built a proof-of-concept system that automates the collection of public LinkedIn posts and images, analyzes them for contextual insights, and generates detailed employee profiles. Using AI, the tool identifies key professional interests, creates personalized marketing emails, discovers likely email addresses, and even generates realistic phishing websites tailored to the target’s expertise—all within 30 minutes.

https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/from-linkedin-to-tailored-attack-in-30-minutes-how-ai-accelerates-target-profiling-for-cybercrime

Cool Job

Fraud Investigator, PSECU. https://psecu.wd12.myworkdayjobs.com/PSECU/job/Harrisburg-PA/Fraud-Investigator_JR100773

Security Investigations Manager, Anduril. https://job-boards.greenhouse.io/andurilindustries/jobs/5051653007

Cool Tool

Find Flock cameras. https://deflock.org/

Irrelevant

System76 makes computers that run the Linux operating system and they are the publisher and maintainer of the pop_os! operating system. I’ve used both, hardware and software.

Colorado’s Senate Bill 26-051 and California’s Assembly Bill No. 1043 mandate that operating systems must report age brackets to app stores and websites. When someone creates an account on a computer, they are expected to be 18 or older and confirm their age, whether for themselves or their child. In reality, this regulation implies that individuals under 18 are generally not supposed to set up their own computer accounts.

The law requires technology providers to verify that all users are of legal age. While the Internet has harmful content and children need protection, it is ultimately the parents’ responsibility to provide guardrails. Stop expecting technology and Internet Service Providers to act as parents.

The CEO of Colorado-based System76 offers a clearer, better-argued case for why we should probably oppose these age-verification laws.

https://blog.system76.com/post/system76-on-age-verification

Sign Off

I felt something I haven’t in a long time this week. The warmth of the sun. Yeah, that big yellow orange thing in the sky. It’s still there and doing well. And the microdose of vitamin D has given me some hope we’ll pull out of the long cold winter season.

Thanks for staying with me each week, even when the newsletter is trash.

See you all next week.

Matt

“EVERY DAY YOU WAIT IS ANOTHER DAY YOU WON’T GET BACK.”

Threats Without Borders - Issue 276

Matt Dotts — Tue, 03 Mar 2026 12:44:46 GMT

Sometimes, I manage to get it right—recognizing trends, catching the right wave. I've been emphasizing TOAD attacks (Telephone Oriented Attack Delivery), also known as Call Back Fraud, for over two years. I've written about this attack multiple times in the newsletter and included it professionally in my security awareness trainings.

This new report from StrongestLayer confirms that my prediction about the attack's prevalence was accurate.

TOAD is no longer an emerging tactic; it’s become one of the dominant ways attackers bypass enterprise email security.

StrongestLayer shows that more than one in four successful phishing emails now use a phone number as the payload. That means no malicious link. No malware attachment. No exploit kit. Just a callback number.

And that’s precisely why it works.

Traditional Secure Email Gateways (SEGs) are designed to scan URLs, detonate attachments, and score message content for known malicious indicators. TOAD attacks contain none of those. The “weapon” is a string of digits, indistinguishable from a legitimate business contact number. Blocking financial language plus a phone number would cripple normal accounts payable traffic. From an architectural standpoint, these attacks operate in a structural blind spot.

Understanding TOAD requires understanding its layered evasion model.

Layer One: Trusted Delivery. Messages are often sent through legitimate infrastructure such as SendGrid or other reputable platforms. Reputation filtering sees clean domains and allows delivery.

Layer Two: Anti-Scanner. Some campaigns add QR codes inside PDFs or use CAPTCHA gates. Automated sandboxes follow the link, hit a challenge page, and mark the message safe because they never reach the malicious content.

Layer Three: Channel Shift. This is the core of TOAD. The victim calls the number. The social engineering happens over the voice. Credential harvesting, remote access installation, or gift card fraud can unfold during a 20–30-minute conversation. By design, this occurs outside the email system and outside our endpoint detection tools.

For investigators, this means the crime scene is not the inbox. It is the phone call and the subsequent cloud authentication logs. As attackers deliberately move away from malware and toward human exploitation, investigators must adapt accordingly.

This TOAD attack is designed to make me believe I was wrongly charged for a Geek Squad Protection plan for someone else. But if I act quickly enough, I can cancel the transaction. No links, no email addresses, just a phone number. I just need to call them!

Read the StrongestLayer report: https://cdn.prod.website-files.com/692908f21a0929f1fb06bc04/699df5313a4d214a1d53bd72_2026_Evasion_Technique_Combinations_Research_final.pdf

Unlinking from LinkedIn

I received several comments concerning my take on LinkedIn, included in last week’s issue (275).

Sometimes I think LinkedIn has quietly evolved into professional performance art. It’s just a theater.

People spend enormous amounts of time crafting long-form posts explaining concepts to… other professionals in the exact same field. If most of your network consists of peers who do what you do, who exactly is the audience?

It can feel a bit like delivering a keynote at a firefighter convention about the dangers of smoke inhalation. Important? Absolutely. Groundbreaking? Not so much.

That doesn’t make the content wrong. But it does raise an interesting question: are we sharing insight, or signaling expertise? Are we advancing the conversation, or just making sure everyone sees us advancing it?

There’s nothing inherently wrong with visibility. Thought leadership has its place. But when all of the applause comes from people who already know the script, it’s worth asking whether we’re educating… or performing.

And there’s nothing wrong with performing—obviously, it's something I do every week, but only in the appropriate place.

The News…

Oklahoma man will serve 46 months in federal prison for bank fraud and money laundering. He exploited insider access at multiple financial services companies and a banking software company to steal over $588,000 from accounts at three of the financial institutions. https://www.cutimes.com/2026/02/09/former-credit-union-employee-sentenced-in-588000-insider-fraud-case/

An unknown attacker exploited Anthropic’s Claude AI chatbot to breach multiple Mexican government agencies between December and January, stealing 150 gigabytes of sensitive data, including 195 million taxpayer records, voter information, and government employee credentials. The attacker used Spanish-language prompts to instruct Claude to act as an elite hacker, finding vulnerabilities and automating data theft. Although Claude initially refused some requests, the hacker eventually “jailbroken” it by framing the attacks as legitimate penetration testing and providing a detailed playbook. https://www.siliconvalley.com/2026/02/25/hacker-used-anthropics-claude-to-steal-sensitive-mexican-data/

The AirSnitch attack is a newly discovered Wi-Fi vulnerability that bypasses client isolation, a security feature meant to prevent direct communication between connected devices, by exploiting weaknesses at the lowest network layers. Rather than breaking encryption itself, the attack allows an attacker with access to the Wi-Fi network (or even connected infrastructure) to perform man-in-the-middle attacks, intercept unencrypted traffic, steal credentials, and manipulate data across home, office, and enterprise networks. While the vulnerability affects routers from major manufacturers like Netgear, Cisco, and D-Link, it requires more technical skill than some previous Wi-Fi attacks and can be partially mitigated through VPNs, zero-trust security models, or avoiding untrusted networks, though no complete immediate fix is currently available. https://arstechnica.com/security/2026/02/new-airsnitch-attack-breaks-wi-fi-encryption-in-homes-offices-and-enterprises/

A new federal anti-money laundering rule, effective March 1, 2026, requires reporting of beneficial ownership details (names, addresses, SSNs) for all-cash or non-financed residential real estate purchases made by entities or trusts. The report must be filed with FinCEN within 30–60 days of closing, typically by the closing agent, and title companies may refuse to close without this info. While real estate agents aren’t directly responsible, they should inform clients. FinCEN estimates 800,000–850,000 annual transactions will be affected. https://www.nar.realtor/magazine/real-estate-news/anti-money-laundering-rule-aimed-at-all-cash-buyers-goes-into-effect-march-1

Not victim-blaming here, but how did this situation escalate to the point where you’re paying over 4 million dollars to help your daughter become a model? A photographer was charged with wire fraud and money laundering after allegedly swindling a family out of $4.6 million. Prosecutors say Coyne falsely claimed she was securing modeling gigs for the family’s daughter, but instead used the money for personal expenses such as gambling. https://petapixel.com/2026/03/02/fbi-charge-photographer-with-4-6-million-child-modeling-fraud/

DFIR

The forensic value of Apple Maps. https://forensafe.com/blogs/apple-maps.html

Cool Job

Director of Security Services - Ford Motor Company. https://efds.fa.em5.oraclecloud.com/hcmUI/CandidateExperience/en/sites/CX_1/job/59407

Cool Tool

De-Google yourself - a complete Android-based mobile device operating system that removes all things Google. https://e.foundation/e-os/

Irrelevant

Sign Off

Thanks for coming back after last week’s trash heap of a newsletter. So many typos, including the misspelling of my own domain. Well, I guess it shows that I’m actually writing the newsletter and not AI.

So let’s try this again. You can email me at [matt (at) threatswithoutborders.com]

Matt

Threats Without Borders - Issue 275

Matt Dotts — Tue, 24 Feb 2026 11:17:06 GMT

RSAC is coming up, and I don’t even need a calendar to realize it. The evidence is in the flood of salespeople spamming my inbox with invitations to “Meet-up at RSAC?"

It feels so pretentious—every email seems to assume, "Of course, you're attending RSAC." There's a hint of condescension, too, implying that if you're not there, you're either not among the cool kids or you're low budget.

Well, I’m not in the cool-kids group, and I'm very low-budget. So I’ll gladly meet you in exchange for airfare, hotel, and a conference pass.

Otherwise, keep your spam to yourself.

No more BSA?

At a minimum, all the thresholds for reports required under the Bank Secrecy Act should be adjusted for inflation. Congress could go further and eliminate the reporting requirements. Even better, Congress could also do away with the Bank Secrecy Act regime entirely.

Interesting take from the Cato Institute.

The authors of “From Writs to Wires: The Surveillance State’s Long War on Privacy” explore how modern surveillance in the U.S. has evolved from colonial-era warrantless searches into an invisible digital system that “undermines constitutional privacy rights.” It alleges that government agencies exploit third-party data, weaken encryption, and use technologies such as facial recognition and financial tracking to monitor citizens.

All those records held by your bank, financial planner, and similar entities are fair game for prying eyes—as long as those eyes belong to the government.

Although this article was originally aimed at privacy advocates and perhaps conspiracy theorists, those working in BSA/AML should also pay attention - but for an entirely different reason.

https://www.cato.org/free-society/winter-2026/writs-wires-surveillance-states-long-war-privacy

Mail

Thanks for linking to the study that tells my wife it’s ok for me to drink a lot of coffee. -JS

Matt, I suspect you would be very successful if you started your own business, and you are correct, paid bank holidays are a very nice perk. - K

This week, I attended two presentations, and both could have benefited from your advice on avoiding lengthy problem explanations. In one, a speaker spent 20 minutes describing the problem to the group, who then identified it and submitted a ticket requesting it be fixed. - JohnB (See Issue 272 for reference)

The News…

Obviously, I support the Bureau and the Internet Crime Complaint Center (IC3), but sometimes I wonder what the point is. The information they release often feels outdated. Cybersecurity and fraud organizations share information in real time, but the analytical and content creation processes within any government agency, not just IC3, are so time-consuming that by the time the content is ready and approved, it's already old news. Anyway, they released a “Flash” report about malware-enabled ATM jackpotting, which most of us knew about long before the flash. https://www.ic3.gov/CSA/2026/260219.pdf

A recent cyberattack campaign impersonates Google Meet invitations to spread malware. Victims receive a fake meeting invite from a newly registered domain, and clicking the “Join” button redirects them to a convincing fake Google Meet page hosted on an impersonated Microsoft Store site. They are then prompted to download a fake “update” installer (`.secretly installs the **Teramind remote monitoring tool**, allowing attackers full control over the victim’s system and transmitting device details (IP, location, OS, etc.) to the attacker via Telegram. Important warning signs include a lookalike domain with intentional typos, a sender domain less than a month old, failed DKIM authentication, and poor HTML branding—all tactics aimed at deceiving both humans and security scanners. https://sublime.security/blog/fake-google-meet-invitation-fake-microsoft-store-real-malware-attack/

Signal launched Version 8 of its secure backups. https://aboutsignal.com/news/signal-launches-version-8-0-with-signal-secure-backups/

This guy laundered 2.3 million dollars through gift cards. Seriously, most gift cards limit out at $500. He purchased 460,000 gift cards? https://cbs6albany.com/news/local/chinese-man-found-guilty-in-money-laundering-conspiracy-involving-229m-in-gift-cards-fraud-jun-wang

LayerX, a cybersecurity company, identified 30 malicious Chrome extensions that mimic popular AI tools like Gemini and ChatGPT, with over 260,000 downloads. These extensions appear to provide legitimate AI chat interfaces but covertly send user data to attacker-controlled servers, capturing sensitive information such as emails, browser content, and pasted text. The threat is heightened by users' tendency to share sensitive info with AI tools and the extensions' use of hidden iframes, making detection difficult during reviews. Even after the discovery was made public, several of these malicious extensions remained available on the Chrome Web Store. https://layerxsecurity.com/blog/aiframe-fake-ai-assistant-extensions-targeting-260000-chrome-users-via-injected-iframes/

Starkiller is a sophisticated phishing-as-a-service (PhaaS) tool that bypasses traditional security measures, including MFA, by live-proxying legitimate login pages instead of mimicking them. This allows attackers to capture credentials and session tokens in real time, making detection extremely difficult since victims interact with actual websites. The tool’s user-friendly interface and automation lower the technical barrier for cybercriminals, forcing organizations to shift from static detection methods to behavioral and identity-aware monitoring. https://www.darkreading.com/threat-intelligence/starkiller-phishing-kit-mfa

Message me: matt (at) threatswithourborders.com

DFIR

I haven’t used this, so please test it in a safe space first, but it is interesting, and I’ll be giving it some more attention shortly.

Fuji is a free, open-source program for performing forensic acquisition of Mac computers. It should work on any modern Intel or Apple Silicon device, as it leverages standard executables provided by macOS. Fuji performs a so-called live acquisition (the computer must be turned on) of logical nature, i.e. it includes only existing files. The tool generates a DMG file that can be imported in several digital forensics programs.

https://github.com/Lazza/Fuji/releases/tag/1.2.0

`Cool` Job

Director of Safety and Security, Vanderbilt University. https://ecsr.fa.us2.oraclecloud.com/hcmUI/CandidateExperience/en/sites/CX_1/job/10007897

Security Intelligence Operations Specialist, Tesla. https://www.tesla.com/careers/search/job/256471

Cool Tool

Hate Apple? Hate Google? Graphene OS might be your huckleberry. Tomasz Dunia created a list of currently supported mobile devices and a full tutorial on getting up and running with Graphene as the OS. https://blog.tomaszdunia.pl/grapheneos-eng/#list-of-supported-devices-february-2026

“Spackle is a macOS menu bar app for inline AI rewrites. Select text in any app, press a keyboard shortcut, and Spackle replaces your selection with an AI-rewritten version — right in place. You never leave the app you’re working in. It works anywhere macOS Accessibility can reach: Mail, Notes, Slack, browser text areas, and more.” https://aisatsu.co/spackle/

Irrelevant

Something everyone in law enforcement and counseling has known for, well, ever.

Researchers found that the teens who reported using cannabis in the past year were at a higher risk of being diagnosed with several mental health conditions a few years later, compared to teens who didn’t use cannabis.
Teens who reported using cannabis had twice the risk of developing two serious mental illnesses: bipolar, which manifests as alternating episodes of depression and mania, and psychotic disorders, such as schizophrenia which involve a break with reality.

https://text.npr.org/nx-s1-5719338

Sign Off

I spent some time in Buffalo, NY, last week. I’ve discussed the city in the newsletter before, and I believe I’ve finally figured out why people choose to live there. It’s self-hate. That’s the only explanation that fits. Yes, I’ve heard it’s beautiful in the summer.

Shout at me M&T friends.

Thanks for reading another issue. See you all next week.

Matt

Threats Without Borders - Issue 274

Matt Dotts — Tue, 17 Feb 2026 11:15:23 GMT

I am often asked why, when looking at a Bitcoin transaction where one address sends funds to another, there are sometimes two addresses on the output side - and sometimes it even looks like the sending address sent funds back to itself. It seems strange at first glance. Is something going wrong? Is it some kind of error?

One of the best analogies I’ve heard for explaining cryptocurrency transactions is doing business with gold bars.

Imagine you own a single 10 oz gold bar. You want to buy something from a merchant that costs 3 ounces of gold. Here is the problem: you physically cannot chip a 3-oz piece off a gold bar. You cannot hand over exactly 3 ounces from a 10-ounce bar. The whole bar has to go somewhere.

So what happens? The gold bar goes to the smelter. The smelter melts the gold bar down and pours the molten gold into new, smaller bars. Out come three new bars:

A 3-ounce bar that goes to the merchant -- this is your payment.
A 6.9-ounce bar that comes back to you -- this is your change.
A 0.1 ounce nugget is the fee paid to the smelter for their work.

The original 10-ounce bar no longer exists. It has been consumed, and three brand new bars have been created in its place.

In Bitcoin, your funds are not stored as a simple running balance like a bank account. Instead, they exist as individual chunks called UTXOs, which stand for Unspent Transaction Outputs. Think of each UTXO as one of those gold bars. You might have several of them of different sizes sitting in your digital wallet.

When you want to send Bitcoin to someone, your wallet picks one (or more) of those UTXOs to spend. Just like the gold bar, the entire UTXO must be consumed. You cannot spend just part of it. So the transaction does exactly what the smelter did:

The UTXO is fully spent as an input to the transaction.
A new output is created, sending the correct amount to the recipient.
A second new output is created, sending the leftover amount back to you -- this is your change.
A small amount is claimed by the miners (the people who process Bitcoin transactions) as their fee.

When you look at a Bitcoin transaction on a block explorer and see two output addresses, you are almost always looking at the recipient and the change going back to the sender.

So why does the change sometimes go back to the same address, but sometimes a new one? The answer is simple: it depends entirely on which wallet software is being used.

Older, less technical wallets, and some exchange platforms will send your change right back to the address you sent from. It is the equivalent of the smelter handing your change bar back to you in exactly the same labeled pouch you gave them. Easy to track, easy to understand.

You will also see this with some business accounts and exchange-managed wallets, where the platform keeps things neat by always cycling funds back to a known address.

More modern (secure) wallets automatically generate a brand new, never-before-used address to receive your change. This address still belongs entirely to you and is controlled by the same wallet and the same seed phrase. You do not need to do anything special to access those funds. Your wallet knows about it automatically.

Blow your whistle

The U.S. Treasury has introduced a new website for whistleblowers to report fraud, money laundering, and sanctions violations. Rewards will range from 10% to 30% of collected fines from successful enforcement actions. FinCEN will oversee the program, which includes violations of the Bank Secrecy Act, U.S. sanctions, and other financial laws, while the IRS will create a dedicated task force to investigate misuse of funds by tax-exempt organizations. https://www.fincen.gov/whistleblower/

Timely

Back in Issue 271, we looked at Pastebin sites and examined how criminals use them to facilitate cybercrime.

A new crypto scam exploits Pastebin comments to spread a ClickFix-style attack targeting crypto users. Scammers post comments with links to fake guides promising a profitable arbitrage opportunity. They trick victims into manually running malicious JavaScript code in their browser’s address bar. Once executed, the code hijacks the legitimate swap interface by replacing Bitcoin deposit addresses with wallets controlled by attackers and adjusting exchange rates to make the fake exploit seem real, leading to theft of victims’ cryptocurrencies. https://www.bleepingcomputer.com/news/security/pastebin-comments-push-clickfix-javascript-attack-to-hijack-crypto-swaps/

The News…

Chainalysis reports that cryptocurrency flows to suspected human trafficking services surged 85% in 2025, reaching hundreds of millions of dollars, primarily through Southeast Asian operations linked to Chinese-language money laundering networks on Telegram. https://www.chainalysis.com/blog/crypto-human-trafficking-2026/

It seems like only yesterday we were discussing Lockbit 2.0 and now we’re faced with Lockbit 5.0. What’s that saying, time flies when we’re… https://www.acronis.com/en/tru/posts/lockbit-strikes-with-new-50-version-targeting-windows-linux-and-esxi-systems/

A warning for all Mac “fanboys” (myself included): A thriving macOS infostealer economy is emerging, with attackers innovating specifically for Apple’s ecosystem. Flare explains that the assumption that Macs are immune to viruses is outdated and dangerous. https://flare.io/learn/resources/blog/the-macos-stealer-gold-rush-how-cybercriminals-are-racing-to-exploit-apples-ecosystem

To absolutely no one’s surprise, cybercriminals are using AI website builders to clone major brands, creating convincing fake sites to lure victims. These sites are used for credential harvesting, payment fraud, and malware delivery. The ease of use and lack of robust security measures in AI website builders enable attackers to create and deploy these scams rapidly. https://www.malwarebytes.com/blog/news/2026/02/criminals-are-using-ai-website-builders-to-clone-major-brands

Bitcoin exchange Paxful has been fined $4 million for transferring funds tied to money laundering, fraud, and sex trafficking. https://www.justice.gov/opa/pr/virtual-asset-trading-platform-sentenced-violating-travel-act-and-other-federal-criminal

There isn’t much left of CISA, but the remaining holdouts published the agency’s 2025 Year-In-Review report. https://www.cisa.gov/about/2025YIR

Posted without comment. https://techcrunch.com/2026/02/13/sex-toys-maker-tenga-says-hacker-stole-customer-information/

Cool Job

For those that like snow… Fraud Coordinator - Erie Federal Credit Union. https://eriefcu.acquiretm.com/job_details_clean.aspx?id=1676

Cool Tool

Reverse image search (you might get ads depending on your browser) https://picdetective.com/

DFIR

Jordan Mussman provides “a practical field guide to macOS security architecture and forensic artifacts for incident responders investigating compromised MacBooks in 2026”. https://jmussman.net/posts/mac_dfir/

Irrelevant

The best science I’ve read in a long time.

https://jamanetwork.com/journals/jama/fullarticle/2844764

Sign off

I was told twice last week that I should consider teaching technology investigations full-time. Maybe. But I fear people wouldn’t pay to listen to me run my mouth for a day or three. I expect to issue refunds around 2:30PM on the first day.

Besides, if I worked for myself, I wouldn’t get paid time off for bank holidays!

Have a great week.

Matt

matt @ threatswithoutborders.com

Threats Without Borders - Issue 273

Matt Dotts — Tue, 10 Feb 2026 10:47:42 GMT

Over the past week, two separate but critically connected events occurred.

First, the newsletter saw an unusually high number of unsubscribes. Perhaps I said something last week that offended some readers, or maybe it’s just the new year's resolution to declutter inboxes. I’m not sure.

But for the first time, I just said, Good. F* you, anyway. I dedicate hours weekly to this newsletter, and if you choose not to read it for free, fine. I don’t want to share my knowledge and experience with you anyway

And I’d rather have 50 truly invested readers who value my time and writing than 5000 people who sign up only to mark the newsletter as spam until they eventually figure out the unsubscribe process.

Terrible attitude, right? Yeah, I know.

Secondly, I read “How to Stop Being Boring” by JA Westenberg.

I’ve come to believe that boring = personality edited down to nothing. Somewhere along the way, too many of us learned to sand off our weird edges, to preemptively remove anything that might make someone uncomfortable or make us seem difficult to be around.
And the result = boredom.

It’s a powerful conviction about the dangers of self-editing to avoid being different, offensive, or controversial, and just becoming performative.

Erving Goffman wrote in 1959 about how we all perform versions of ourselves depending on context. What's less normal is when the performance becomes the only thing left. When you've been editing yourself for so long that you've forgotten what the original draft looked like.

Maybe that’s it! What if it’s not what I’m saying, but the things that I’m not saying?

Maybe I’ve just become… boring.

Please take two minutes to read this blog post.

https://www.joanwestenberg.com/how-to-stop-being-boring/

And let’s agree to stop being boring!

Wasn’t me, my iPhone was hacked…

The first question should be, “Are you a target of a nation-state? North Korea, Iran, or maybe Russia (or maybe the U.S.).” If the answer is probably not, then the iPhone was probably not hacked. No, the device most definitely wasn’t hacked.

Apple released its 2026 Apple Platform Security update, so let’s see if remote access software can be covertly installed on an iPhone. (I do this every year).

I’m not referring to a corporate device with Mobile Device Management (MDM) installed, which allows employers to control various functions but remains heavily restricted by Apple. Even then, the MDM software manager doesn’t have carte blanche over the device. And these devices aren’t getting “hacked” either.

We’ve all heard the claim: “Someone must have secretly installed a remote monitoring or remote desktop app on my phone.” But given Apple’s security architecture, this isn’t usually realistic for a personal, unmanaged iPhone.

Two main points:

Apps can’t silently install themselves; all code must be signed and installed through Apple-controlled methods.
No supported way exists for hidden background installs, drive-by downloads, or invisible services.

If such software exists on the device, it was installed intentionally - usually by the device owner.

Apple explicitly prevents apps from recording screens without the user's permission. Screen recording needs a user consent prompt before starting. Therefore:

no silent recording
no invisible broadcasting
no hidden monitoring

The user must approve any such activity.

And don’t come at me with “colluding apps.” They stopped doing that a long time ago. Apps are sandboxed, so one can’t directly access another’s activity unless permissions are strictly approved.

So when someone says “It wasn’t me” because their device is infected, what really happened is usually:

a password was phished
credentials were reused and leaked
a fake login page captured information
a malicious MFA prompt was approved
email or Apple ID was accessed
or they were socially engineered

Of course, with Android devices, all bets are off. And if you happen to be in the crosshairs of an elite hacking unit of a government, Google search Pegasus.

https://help.apple.com/pdf/security/en_US/apple-platform-security-guide.pdf

The News…

Speaking of iPhone security, turns out Lockdown mode is legit. The FBI could not bypass the security feature to access the internal data of a seized iPhone. Lockdown Mode is a security feature introduced by Apple in 2022 to protect against sophisticated cyber attacks. While the FBI extracted limited data from the SIM card, the iPhone’s Lockdown Mode restricted access to most apps, websites, and features. https://arstechnica.com/tech-policy/2026/02/fbi-stymied-by-apples-lockdown-mode-after-seizing-journalists-iphone/

A former Pennsylvania State Police corporal and compliance director for the skill games company Pace-O-Matic has pleaded guilty to money laundering and tax fraud after accepting hundreds of thousands of dollars in kickbacks from illegal gambling machine operators. The man used his position to suppress complaints about illegal gaming machines and falsely claimed the proceeds as business expenses to evade over $100,000 in taxaccepting hundreds of thousands of dollars in kickbacks from illegal gambling machine operators. He suppressed complaints about illegal gaming machines and falsely claimed the proceeds as business expenses to evade over $100,000 in taxes. https://www.attorneygeneral.gov/taking-action/former-executive-of-pace-o-matic-pleads-guilty-to-money-laundering-payments-from-gaming-machine-operators/

Sublime Security details a specific phishing scheme targeting real estate agents, where scammers impersonate prospective clients via contact forms or direct contact. They gradually earn the agents' trust through credible-sounding conversations, then deceive them into joining fake Zoom calls. These malicious “meeting links' often use lookalike domains such as webzoom[.]im instead of zoom[.]us, which download remote access tools like ScreenConnect, granting attackers control over the victim’s computer. This campaign is distinguished by its sophisticated social engineering tactics, including multi-message dialogues to build credibility before deploying malware. Additionally, the attackers prefer to host the meetings themselves rather than pass legitimate links to the agents.

I had always believed that cryptocurrency and gift cards were the preferred methods for criminals to move dirty money. However, according to this author, the latest trend seems to be watches and designer handbags. https://www.thetimes.com/culture/books/article/everybody-loves-our-dollars-how-money-laundering-won-oliver-bullough-review-z3p2wbf03

An Illinois man admitted guilt for hacking nearly 600 women’s Snapchat accounts from May 2020 to February 2021, stealing nude photos that he then kept, sold, or traded online. He employed social engineering tactics, impersonating Snapchat representatives to trick more than 4,500 victims into revealing their access codes. This strategy led to the compromise of about 570 victims’ credentials and the illegal access to at least 59 accounts without authorization perhttps://storage.courtlistener.com/recap/gov.uscourts.mad.293918/gov.uscourts.mad.293918.1.0.pdf

Is this Irony?

I think this is irony.

Google search is offering up links to download malware for macOS. https://eclecticlight.co/2026/01/30/more-malware-from-google-search/

Cool Job

Director of Fraud Prevention - TopStep. https://job-boards.greenhouse.io/topsteptrader/jobs/7615888003

Cool Tool

Your target may not have an online presence but their relatives might. https://www.familytreenow.com/

theHarvester is a very simple, yet effective tool designed to be used in the early
stages of a penetration test. Use it for open source intelligence gathering and helping
to determine a company's external threat landscape on the internet. The tool gathers
emails, names, subdomains, IPs, and URLs. https://pypi.org/project/theHarvester/

Be Alert

Yeah, so, Substack had a little oopsie and lost some user data. They claim to have notified affected users, but it seems the breach is much larger than initially acknowledged.

The good thing, if there is such a thing, when it comes to losing user information, is that it doesn’t appear that the scraped data would enable account takeovers.

As this HackRead article notes, the real danger is from a social engineering attack by someone pretending to be Substack and referencing your account.

Irrelevant

Being successful isn’t random. https://dariusforoux.com/the-big-5-predictors-of-success/

Learning

The Delaware Fraud Working Group is sponsoring a full-day training event on April 2, 2026, in Wilmington, Delaware. Best of all, it’s FREE.

No, even better, I’m speaking.

https://www.eventbrite.com/e/delaware-fraud-working-group-full-day-fraud-prevention-summit-tickets-1982375409213

Sign Off

Someone suggested I do that viral thing where you ask ChatGPT to make a caricature of you and post it to LinkedIn. Ugh, I’d rather stick a fork in my face.

So I asked ChatGPT to create that image instead.

Too bad, that wouldn’t be boring.

Thanks for reading another week. Come back next week to see if I write something useful.

Matt

Threats Without Borders - Issue 272

Matt Dotts — Tue, 03 Feb 2026 09:58:59 GMT

When so many organizations hide their reports behind information-collection barriers that require you to give away your professional contact information and then endure relentless sales calls… TRM Labs continues to share its knowledge freely and openly. And they don’t publish a vanilla product that simply rehashes common industry knowledge.

TRM Labs' 2026 Crypto Crime Report shows illicit crypto flows hit a record $158 billion in 2025, ending a multi-year decline. This rise was mainly due to three factors: new sanctions designations, better detection tools, and large hacks like the $1.46 billion Bybit breach. Despite the overall increase, illicit activity as a share of total crypto activity fell to 1.2%, suggesting that legitimate crypto use expanded faster than criminal activity.

The report highlights how state-aligned actors are institutionalizing crypto infrastructure for sanctions evasion, how ransomware and scam operations have become more sophisticated and organized, and how Chinese money-laundering networks have evolved into massive settlement layers that process over $103 billion.

The findings highlight that crypto crime has become a core part of both legitimate and illicit financial systems, emphasizing the need for improved enforcement coordination and specialized crypto-investigation tools.

This is a great report and well worth your time to read and digest.

https://www.trmlabs.com/reports-and-whitepapers/2026-crypto-crime-report

Because like security, duh.

I debated how to title this: “Because we suck at security” or “This is why you respond to every alarm”.

A federal grand jury indicted 31 people for stealing millions from ATMs using Ploutus malware. The gang surveilled ATMs, opened them to test alarms, and replaced hard drives or connected thumb drives with malware to dispense cash.

Two key points: 1) The attackers forced open the ATMs and then retreated to safety. If police arrived, they fled the scene. They continued the attack if there was no police response. 2) Ploutus malware has been active since 2013. Yes, thirteen years ago. While it has evolved, technology and protections exist to prevent it.

And it isn’t a stealthy attack. It’s a physical intrusion into the machine. It’s noisy and makes a mess. Here is an article the Google Threat Intelligence Team published in 2017 that explains the effort required to attack an ATM with Ploutus.

These types of attacks are preventable. Of course, we suck at security.

Anyways, kudos to the law enforcement teams that coordinated to shut this group down.

https://www.justice.gov/opa/pr/investigation-international-atm-jackpotting-scheme-and-tren-de-aragua-results-additional

Presenter Pro-Tip

When speaking to industry peers about a relevant topic, avoid wasting time explaining "how bad it is”. They already know. Being on the front lines, they recognize the problem; that's why they're listening to you.

Unless you’re speaking to beginners, a non-peer group, or presenting entirely new material based on your own research, avoid starting with five slides filled with numbers and statistics about the problem’s prevalence. By the time you finish outlining the industry landscape, most of your audience’s attention will have drifted. And honestly, it’s insulting.

I sat through a presentation this week in which the speaker spent the first ten minutes highlighting well-known fraud statistics from regularly cited sources like the Internet Crime Complaint Center. You're speaking to an audience of financial crime investigators. It’s ugly out there—we get it. That’s why we’re willing to give you thirty minutes of our time. Tell us something we don’t know!

The News…

$2.5 million has been secured for a new cybercrime training facility in Madisonville, Kentucky. The facility, the largest police training academy in the state, will focus on cybercrime investigations and expand training to include computers, drones, and vehicle data systems. The investment aims to address the growing threat of cybercrime and position Madisonville as a leader in prevention and response. Kudos to them. Hopefully, someone there will invite me for a visit! https://spectrumnews1.com/ky/louisville/news/2026/01/26/cyber-crime-training-center

Scammers are using a legitimate Microsoft email address (no-reply-powerbi@microsoft.com) associated with Power BI. They send fraudulent emails claiming fake $399 charges and direct victims to call a phone number, where they are instructed to install remote access software. This scam exploits Power BI’s feature that allows external email addresses to subscribe to reports, making the emails appear trustworthy without suspicious links or attachments that could trigger spam filters. Microsoft has temporarily disabled the scorecard email subscription feature while working on a permanent fix. This incident underscores how scammers can misuse legitimate business platforms to enhance the credibility of their social engineering schemes. https://arstechnica.com/information-technology/2026/01/theres-a-rash-of-scam-spam-coming-from-a-real-microsoft-address/

Research by Chainalysis reveals Chinese-language money laundering groups laundered an estimated $16.1 billion in illicit cryptocurrency daily in 2025, totaling $82 billion annually. These groups utilize guarantee platforms, money mules, and Black U services to launder funds, including those stolen in ~~pig butchering~~ financial grooming scams. https://www.chainalysis.com/blog/2026-crypto-money-laundering/

The Google Threat Analysis Group (TAG) released its 4Q2025 Threat Report. https://blog.google/threat-analysis-group/tag-bulletin-q4-2025/

The FBI has seized the domains for the RAMP cybercrime forums. https://www.bleepingcomputer.com/news/security/fbi-seizes-ramp-cybercrime-forum-used-by-ransomware-gangs/

Trend Micro examines the maturation of criminal AI in 2025, revealing a shift from experimentation to industrialization. The criminal AI ecosystem has consolidated around established services offering “jailbreak-as-a-service” that exploit commercial AI models rather than building independent systems. While AI-generated malware remains limited by practical constraints, deepfake technology has become alarmingly accessible and weaponized across multiple fronts,from “nudifying” apps enabling image-based abuse to sophisticated corporate infiltration schemes where North Korean operatives use AI-enhanced identities to gain employment at tech companies, and banking fraud targeting KYC verification systems. https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/the-state-of-criminal-ai

The government seized over $400 million in assets from Larry Dean Harmon, operator of the darknet mixing service Helix. Harmon, who processed over $300 million in cryptocurrency transactions for Helix, pleaded guilty to money laundering and was sentenced to 36 months in prison. https://www.justice.gov/opa/pr/government-forfeits-over-400m-assets-tied-helix-darknet-cryptocurrency-mixer

Share Threats Without Borders

Reader Mail

Matt, thanks for the piece on paste sites. It brought back memories of an insider threat (corporate espionage) case I had about ten years ago, in which the employee used a paste site to send information to his handler. Using a prepaid cell phone, he’d paste his info into the same note every Tuesday. The handler would then go to the same note to retrieve the information. This was way before encrypted chat apps. We could never build a link to those he was communicating with. - RussK

Send email: matt (at) threatswithoutborders.com

Cool Job

Fraud Program Manager - Vervent. https://recruiting.paylocity.com/recruiting/jobs/Details/3821568/Vervent-Inc/Fraud-Program-Manager

Cool Tool

Search for people, Fast. https://www.fastpeoplesearch.com/

If Wal-Mart is closed, you know the weather is bad. Someone created a Wal-Mart store status dashboard. https://www.arcgis.com/apps/dashboards/4e573c79e1224081805165d25b4f33c7

Someone I like

There are not many people writing or podcasting in the Cyber/Fraud/AML space who I like enough to recommend in the newsletter. Check that, there are very few people that I like.

But I like Sarah Beth Felix! She writes a great LinkedIn newsletter focused on BSA and AML, titled “Dirty Money”. Give her a follow.

https://www.linkedin.com/pulse/problem-streamline-act-sarah-beth-felix-uxt7e/

Irrelevant

Sunshine and Salmon. This study reveals that positive levels of Vitamin D and Omega-3 have a greater effect on a person than antidepressants. https://blog.ncase.me/on-depression/

Closing

I wake up every morning at 5am. The other day, at 5 am, I started a pot of coffee. It was 12 degrees outside, and I heard the fire siren go off. I thought, ‘I’m glad I don’t need to leave this warm house and hot coffee to handle that.’ But, of course, someone did have to go out and handle it. And in my area, these selfless souls don’t get paid for it.

My deepest thanks to all the local emergency services volunteers who leave the comfort and safety of their homes, and a freshly poured cup of hot coffee, every day to help others. Thank you!

Matt

aml cybercrime cybersecurity financial fraud investigation osint cyficrime