Threats Without Borders - Issue 224
Cybercrime Investigation Newsletter, week ending March 2, 2025
As I write this, I am sitting in the lobby of a hotel in Altoona, Pennsylvania, at 6:15 in the morning. I get up every morning at 5am; my wife doesn’t, so hotel stays render me homeless between 5 and 8am. By the way, Altoona is a magical place; if you've never been, you should spend some time here if you’re traveling through.
Anyway, besides the breakfast bar attendant trying to fix a pancake-making robot, the only other person here is a middle-aged female who is speaking loudly into her mobile phone about her “man” having her cell phone “tapped” and tracking her location.
Do you mean the phone you're using right now?
It’s a crazy conversation that I’m enjoying immensely, but I’m forcefully diverting my attention to write this as the lady's assertion that her phone is infected gives me a writing topic.
Law enforcement is regularly met by someone claiming that another person has nefariously infected their smartphone. And it’s a question I am often asked during my community education events: How can I tell if “someone” has installed spyware on my device?
My answer is usually something like: Your device is absolutely infected with spyware, and you are being monitored; the suspects are Google, Apple, and Meta.
After some awkward laughs (funny, not funny), I attempt to give a more serious answer and ask whether they use an Android or an iPhone.
The answer for Apple iPhone users is easy: Unless you’re the target of a Nation State, you’re about 99.5% safe from your device ever being infected by some spyware or remote management application without you knowing about it. Enabling Lockdown Mode will ensure your device is (probably) never affected.
The answer for Android users differs. Several aspects of the Android ecosystem make devices more susceptible to spyware infections, but the most prevalent factors are its open ecosystem, fragmented security, and the allowance of third-party app marketplaces.
The Android operating system is based on Linux. Its open-source nature and flexibility make it easier for developers to create apps; however, this also exposes the platform to more vulnerabilities. Third-party app stores enable Android users to install apps from sources other than the official Google Play Store. Google does not vet these apps, which increases the risk of downloading malicious software. Security updates are generally pushed to devices by the specific manufacturer. The variety of Android devices and versions causes fragmentation, resulting in delayed security updates for some users and leaving them vulnerable for more extended periods.
Even so, most malicious spyware apps are created and facilitated by experienced cybercriminals playing a larger game and not targeting a specific person. The likelihood of your non-technical significant other acquiring, configuring, and deploying remote spyware onto your device is relatively low.
Well, then how come my ex-boyfriend always knows where I am?
Because he’s following you through the Find My app, which you previously gave him permission to use and forgot to disable. Or through Google location sharing that you neglected to turn off. Or through Life360, which you didn’t disable. Or your bag contains an AirTag that you shared with him at some point.
Or the Snap Map function of Snapchat.
Oh, by the way, did you change all your passwords? Disabling the location-sharing functions of these apps is pointless if he knows your passwords and can log in to re-enable the functionality.
Remote access and spyware applications certainly exist for smart devices. However, the reason someone can track a person, read their conversations, or know who they’ve called is usually much simpler.
The News…
Over the past year, I’ve delivered a talk at several conferences titled “DARVO: The Psychological Manipulation of Ransomware Victims”. I predicted that ransomware groups would shift to data exfiltration and ransom rather than the simple data encryption and ransom model as it’s more efficient and profitable. Theft and possession of the data allow them to monetize it in ways other than just extortion while maximizing the pressure on the victim to pay the ransom. In the talk I provide support for that prediction. And it was entirely accurate. Arctic Wolf claims that 96% of the ransomware incidents they investigated last year included data theft. https://arcticwolf.com/resources/press-releases/arctic-wolf-threat-report-96-percent-of-ransomware-cases-included-data-theft-as-cybercriminals-double-down-on-extortion/
David Maimon reveals the alarming scale of stolen and forged U.S. Department of Treasury checks being traded on the dark web, highlighting the vulnerability of government disbursement systems to organized fraud. Maimon shares findings from his team’s monitoring of Telegram channels, where they documented over $140 million worth of stolen checks, emphasizing the need for financial institutions to strengthen their fraud detection measures. https://resources.sentilink.com/blog/stolen-and-forged-treasury-checks
This is a great article by Kennedy Meda examining how financial institutions are being affected by the Fraud-as-a-Service ecosystem. https://www.thomsonreuters.com/en-us/posts/corporates/faas-new-fraudsters/
Lexfo explores the business of forged documents, highlighting the ease of obtaining fake documents and the complex network of counterfeiters operating on the clear and deep web. The article analyzes two specific clusters of websites selling fake documents, one based in China and the other in the USA, revealing their interconnectedness and the strategies they employ to attract customers and evade detection. https://blog.lexfo.fr/the-business-of-forged-documents-investigation.html
A few weeks ago, we ran a multi-issue series on domains and how criminals manipulate the domain name system. In this article, Checkpoint examines how cybercriminals use sophisticated URL manipulation techniques to deceive users and compromise organizations and individuals. This campaign, which began on January 21st, involves phishing emails that disguise malicious links through URL encoding, redirects, and other methods, ultimately leading to a Microsoft 365 phishing page. https://emailsecurity.checkpoint.com/blog/cyber-criminals-using-url-tricks-to-deceive-users
The Talos group discusses the various scams targeting sellers on online marketplaces, highlighting the tactics used by scammers to steal financial information and circumvent seller protections. https://blog.talosintelligence.com/online-marketplace-scams/
Google is discontinuing SMS codes for verifying Gmail accounts due to security risks and the rise in scams exploiting SMS-based authentication. The company will substitute SMS codes with passkeys and QR codes, allowing users to scan them with their devices for verification. Google views SMS codes as susceptible to phishing and SIM-swapping attacks, where fraudsters hijack phone numbers to steal security codes. This shift aims to lower the chances of users sharing their SMS codes with scammers and to eliminate phone carriers as a possible vulnerability. https://www.yahoo.com/tech/google-doing-away-sms-codes-211300486.html
The Securities and Exchange Commission (SEC) created the Cyber and Emerging Technologies Unit (CETU) to combat cyber-related misconduct and protect retail investors from bad actors in emerging technologies. https://www.sec.gov/newsroom/press-releases/2025-42
The Threat Intelligence Team at Mandiant (Google) discusses phishing attacks targeting higher education. https://cloud.google.com/blog/topics/threat-intelligence/phishing-targeting-higher-education/
Roman Sannikov shares an update on the current Russian cybercrime landscape. https://intel471.com/blog/the-evolution-of-russian-cybercrime
Oh, the drama
Just under the wire: The U.S. Treasury Department announced it will not enforce the Corporate Transparency Act, which requires businesses to disclose their real beneficial owners, citing concerns about its impact on small businesses and American taxpayers. https://www.reuters.com/world/us/us-treasury-department-says-it-will-not-enforce-anti-money-laundering-law-2025-03-03/
Reader Mail
Matt, about your opinion that fraudsters aren’t heavily using AI, I just read in the 2025 CrowdStrike Threat Report that AI-powered voice phishing attacks rose 442% in 2024. - Greg
Don’t hear what I’m not saying. I’m not denying the use of AI to craft certain attacks; I’m just pushing back a bit on the hype. Some attackers utilize AI tools, but it’s not what most of us see empirically, as the old methods are still highly effective. This will undoubtedly change as AI usage increases, but it’s just old wine in a new bottle.
Cool Tool
I try to link only free-to-use tools here, and many are open-source. Skopenow discusses the risks associated with using free open-source intelligence (OSINT) tools and emphasizes the importance of conducting due diligence before using any OSINT tool, whether free or paid. https://www.skopenow.com/news/risks-of-free-osint-tools
Speaking of free-to-use, open-source tools, how about the “USB Swiss Army Knife”, which claims to be “the ultimate tool for pen testers and red teamers”. https://github.com/i-am-shodan/USBArmyKnife
Cool Job
Reader-submitted job: “Since you liked Buffalo so much, we’re hiring this position. You’d be perfect.” Well, Ken, it’s a cool job, but Buffalo is too cool for me.
Director - Corporate Security Intelligence Operations, M&T Bank. https://mtb.wd5.myworkdayjobs.com/en-US/MTB/details/Director---Corporate-Security-Intelligence-Operations--Buffalo--NY-_R72617-1?q=security%20intelligence
DFIR
Define your goals before you begin the investigation. https://dfirinsights.com/2025/02/27/investigation-goals-in-dfir-reports/
Irrelevant
Does street lighting affect crime?
A study evaluated the impact of Philadelphia's citywide rollout of enhanced street lighting on public safety. The results showed a 15% decline in outdoor nighttime street crimes and a 21% reduction in outdoor nighttime gun violence following the streetlight upgrades. https://papers.ssrn.com/sol3/papers.cfm?abstract_id=5150459
Sign Off
Well, I turned down an offer for a paid endorsement. Occasionally, I receive a solicitation to promote a product or include an ad, but I have never accepted. With 224 issues published, none have ever included a paid ad. I’ve never made a dollar from this newsletter. I think that means something, considering other newsletters I see that are packed full of ads and product plugs.
I’m sure I’ll get the offer I can’t refuse at some point, but I’m holding firm for now.
Matt
“ANYTHING WORTH DOING IS WORTH DOING WRONG. IT’S THE ONLY WAY TO START.”
Published every Tuesday, Threats Without Borders offers original commentary and educational pieces related to cybercrime investigations and information security topics. We also summarize and comment on news articles concerning active threat intelligence for the financial industry. The newsletter interests everyone tasked with cybersecurity or involved in preventing or investigating technology-enabled fraud, theft, or money laundering.
Legal: I am not compensated by any entity for writing this newsletter. Obviously, anything written in this space is my own nonsensical opinions and doesn’t represent the official viewpoint of my employer or any associated organization. Blame me, not them.
Thank you for the weekly periodical. Both entertaining and chock full of news and educational nuggets.