Threats Without Borders - Issue 230
Cybercrime Investigation Newsletter, week ending April 13, 2025
I just finished a run where I spoke to people ten times in seven days, from Saturday to Saturday. The purposes of the speeches varied: two were for a college class I teach, two were for internal events for my employer, and six were for community events.
The community events are both exhausting and exhilarating. It’s not the preparation that takes a toll, but the need to be “ON” that really impacts you mentally. You must be friendly, personable, likable, and agreeable. Effective communication is essential, alongside being knowledgeable about your subject and, most importantly, having something meaningful to say. You can’t show anything but positive emotions and can never appear stressed or distressed, regardless of the situation or environment.
On the other hand, when you are in front of a good audience, one that is engaged, interactive, and appreciative, there is nothing quite like it. It feeds and motivates you.
The one true wildcard is audience questions. They can be stimulating or devastating to the psyche. You stand before the audience as an expert, so you'd better have an answer or at least a plausible explanation.
Most of the questions remain the same, regardless of the audience composition, so over time, you learn what to expect and develop more refined answers.
But every once in a while, you get one that throws you. Sometimes it’s in a bad way and sometimes it's for the better. Some of my best content resulted from a question posed to me during a speaking engagement.
And I received one this week. An engaged young lady posed a question that truly made me think:
“As an insider who sees people fail at security every day, what is the one thing you see the rest of us doing that makes you cringe the hardest?”
I quickly said, “All of it,” not as an answer but to use the joke and the resulting laughter to buy myself some time to think of a legitimate response. And with that, I still needed to take a moment. It’s not that I didn’t have answers, but how do you narrow it down to “that one thing”?
I ultimately remarked, “Using a debit card for online purchases, well, using a debit card for any purchases.” I then clarified the difference between a debit card and a credit card, explaining why a credit card is a more secure option for online transactions.
But the question really made me think. Poor password hygiene, not enabling MFA, putting a paper check in your mailbox, clicking short links, posting vacation images online before you’re home… there are just so many.
I’m interested to hear your “one thing” that makes you cringe. Post a comment below or email me at matt@threatswithoutborders.com, and I’ll share some responses next week.
Beer money
Do you have an active account for one of the major cybercrime forums that you no longer use? Prodaft wants to buy it from you. They actively seek accounts for XSS, Exploit.in, Ramp4u, Verified, and BreachForums. No questions asked. Pretty clever way to do threat intel and destroy the integrity of the forum, actually. Kudos to them.
The News…
Do security as I say…not as I do! The Office of the Comptroller of the Currency (OCC) has notified Congress of a major information security incident involving unauthorized access to its email system. The incident occurred on February 11, 2025, and affected highly sensitive information related to the financial condition of federally regulated financial institutions. https://www.occ.gov/news-issuances/news-releases/2025/nr-occ-2025-30.html
Krebs summarized this article, but I encourage you to read the reporting for yourself. It’s excellent. Silent Push exposes that the Smishing Triad, a Chinese cybercrime group, has conducted widespread SMS phishing (“smishing”) campaigns targeting organizations in at least 121 countries across various sectors, including finance, logistics, telecom, and government. Their analysis revealed over one million page visits in just 20 days—suggesting that actual SMS volumes may far exceed current estimates of 100,000 messages daily. On March 18, 2025, the group’s phishing kit developer launched a new Telegram channel to promote the “Lighthouse” kit, aimed at major Western and Asia-Pacific banks. The group claims to have over 300 staff globally to support fraud and cash-out operations and continues to distribute its kits to other cybercriminals. https://www.silentpush.com/blog/smishing-triad/
From zero to pwned in seconds…the Medusa ransomware group claims to have garaged NASCAR demanding 4 million dollars to delete the 1TB of stolen data. https://www.bitdefender.com/en-us/blog/hotforsecurity/medusa-ransomware-hacked-nascar
A reminder not to log in to personal accounts from work computers…Six women have accused a co-worker of spying on them at work and at home by using spyware installed on 400 computers. The keylogger enabled the man to record logins and passwords for both work and personal accounts. The lawsuit alleges that the co-worker, Bathula, accessed their personal accounts, downloaded private information, and spied on them in real time. https://www.malwarebytes.com/blog/news/2025/04/man-accused-of-using-keylogger-to-spy-on-colleagues-log-in-to-their-personal-accounts-and-watch-them-at-home
The Huntress team examines the various means used to steal credentials, including phishing, SEO poisoning, and brute force attacks, to gain initial access to endpoints, including the use of legitimate services such as DocuSign. https://www.huntress.com/blog/credential-theft-expanding-your-reach
Sublime breaks down a Business Email Compromise attack that involved vendor impersonation and a realistic-looking email thread to divert a $500K invoice payment. The attacker likely used intelligence from a prior compromise to create a fake thread. https://sublime.security/blog/500k-financial-fraud-built-on-bec-a-domain-lookalike-and-a-fake-thread/
A new Global Initiative Against Transnational Crime report explains how Eastern Europe and Russia have become hubs for cybercrime, driven by ransomware, geopolitical ‘grey zones’, and state connections. It also details how the Russia-Ukraine war has led to a split in cybercriminal groups, with some supporting Russian intelligence and others targeting Russia. https://globalinitiative.net/analysis/lawless-cyberspace-why-eastern-europe-leads-global-cybercrime/
Cyberattack delivered by drone? Mike Elgan says it’s gonna happen. https://www.computerworld.com/article/3958458/drones-are-the-future-of-cybercrime.html
Sucuri nicely documented the investigation into a web skimmer installed on a WordPress website. https://blog.sucuri.net/2025/04/fake-font-domain-used-to-skim-credit-card-data.html
The Bureau operated a dark web money laundering service called "ElonmuskWHM" for nearly a year, allowing cybercriminals to exchange cryptocurrency for cash without providing identifying information. The operation, advertised on the dark web forum White House Market, took a 20% fee and processed nearly $90 million worth of cryptocurrency. The FBI used the service to investigate ties to drug trafficking, hacking, and other crimes, ultimately arresting the operator, Anurag Pramod Murarka, who was sentenced to 121 months in prison. Now, people are upset because, well, they need to be upset about something. Of course, they aren’t ever upset about drug dealing, hacking, fraud, abuse, etc. They are just upset that the FBI actually did something about it. https://gizmodo.com/the-fbi-hijacked-and-ran-a-dark-web-money-laundering-operation-called-elonmuskwhm-2000586515
For consideration
I’ve been a loyal (and happy) user of the Brave web browser, but the one-click activation of Proton VPN (for free) is a compelling reason to consider Vivaldi. It also boasts tab tiling and best-in-class ad blocking…
DFIR
Forensafe examines the private photo vault on Android-based phones. https://forensafe.com/blogs/android-private-photo-vault.html
Cool Job
Manager - Cybersecurity Incident Response Team, Starbucks. https://apply.starbucks.com/careers/job/481064600034?hl=en&domain=starbucks.com&src=JB-12147
Cool Tool
Stretching is good for you. This app will help you do it. https://www.getbend.co/
Website reputation checker: https://www.urlvoid.com/
Irrelevant
Google is teaching an AI model how to talk to dolphins. No, seriously, AI is learning Dolphin. I wonder if it will be referred to as Dolphinese? https://blog.google/technology/ai/dolphingemma/
Training
The Keystone Konnection Conference, which brings together the Delaware Valley and Pittsburgh Metro chapters of the International Association of Financial Crime Investigators, will occur from May 19 to 21, 2025, in State College, Pennsylvania. Yes, I know it’s a terrible name, but it’s still one of the best training events focused on financial crime on the East Coast. And you still have time to register!
https://keystonekonnection.com/
Sign Off
I frequently receive requests from writers of other newsletters who want to "share" endorsements. The idea is simple: you promote my newsletter to your readers, and I'll promote yours to mine. I haven’t done this yet. It's not that I haven't discovered other newsletters I enjoy or believe you'd like, but it ultimately boils down to monetization.
The TWoB newsletter is completely free for everyone, and I won't recommend a newsletter that has a subscription fee. Additionally, the TWoB newsletter avoids advertisements and paid promotions, so I'm not going to recommend a newsletter that inundates you with ads and promotions. I may consider promoting another newsletter in the future; I'm not opposed to it. I just haven't found it yet.
Thank you for reading.
Matt
Published every Tuesday, Threats Without Borders offers original commentary and educational pieces related to cybercrime investigations and information security topics. We also summarize and comment on news articles concerning active threat intelligence for the financial industry. The newsletter interests everyone tasked with cybersecurity or involved in preventing or investigating technology-enabled fraud, theft, or money laundering.
Legal: I am not compensated by any entity for writing this newsletter. Obviously, anything written in this space is my own nonsensical opinions and doesn’t represent the official viewpoint of my employer or any associated organization. Blame me, not them.