The U.S. Justice Department recently took control of two domains, Anyproxy.net and 5socks.net, and charged four foreign individuals with being part of a long-standing botnet service that targeted older wireless internet routers. This botnet enabled the compromised routers to be reconfigured and serve as proxy servers. Prosecutors stated that the 5socks.net website claimed to have been operational for over 20 years and offered more than 7,000 proxies for sale globally, with monthly subscription costs ranging from $9.95 to $110.

So, what is a proxy, and how does it differ from a VPN?

A proxy acts like a relay. It sits between your device and the website you’re visiting, forwarding your traffic and changing your IP address in the process. Most proxies are limited to a single application, such as your browser, and generally don’t encrypt any data. This means that your internet provider and potentially eavesdroppers on public Wi-Fi can still observe your activity. A proxy mainly conceals your public IP address.

A VPN (Virtual Private Network) takes this a step further. It encrypts all your internet traffic and routes it through a secure server in a different location. This means that no one—neither your ISP, nor hackers, nor even someone using the same coffee shop Wi-Fi—can see what you are doing online. That’s why VPNs are a go-to tool for journalists, remote workers, and, yes, criminals.

Cybercriminals use VPNs to conceal their actual location, IP addresses, and encrypt their traffic, making it significantly more difficult for investigators to trace their activities. To evade detection, they frequently utilize so-called no-log VPNs, which assert they do not store any user activity or connection records. Many VPN providers also place their servers in countries with minimal judicial oversight and a weak law enforcement presence.

https://www.justice.gov/usao-ndok/pr/botnet-dismantled-international-operation-russian-and-kazakhstani-administrators

The News

Federal authorities have uncovered an underground banking network that allegedly handled $50 million in proceeds from drug trafficking over four years. The network, led by Chinese money-launderers, bought dollars at a discount from Mexico's Sinaloa cartel and sold them at a premium to Chinese nationals in the US. The operation used a chain of cash couriers and cartel operatives to launder the money, often depositing it into US banks, including Chase and Citibank. It’s a shame banks don’t have to follow some set standards to ensure this doesn’t happen…hmm. https://www.msn.com/en-us/money/companies/bags-of-cash-from-drug-cartels-flood-teller-windows-at-u-s-banks/ar-AA1ENiWq

The US Department of Justice has charged 12 individuals for their alleged involvement in a cryptocurrency theft and laundering scheme. The group, which formed on online gaming platforms, stole hundreds of millions of dollars from victims through social engineering attacks. The suspects allegedly used stolen databases to identify potential victims and convinced them to transfer funds to compromised wallets. The indictment also details the group's use of fake documents, private jets, and exotic cars to launder the stolen funds. Allegedly, they had a fleet of at least 28 exotic cars ranging in value from $100,000 to $3.8 million. https://www.justice.gov/usao-dc/pr/additional-12-defendants-charged-rico-conspiracy-over-263-million-cryptocurrency-thefts

The FBI issued a warning that attackers are using AI-powered SMS and voice phishing schemes to impersonate senior US officials. The schemes, targeting government officials and their contacts, aim to gain unauthorized access to accounts and extract sensitive information. https://www.ic3.gov/PSA/2025/PSA250515

Cloudflare has developed a better way to identify bots. https://blog.cloudflare.com/web-bot-auth/

Forward this report to your Human Resources staff; better yet, organize training sessions for them. Flashpoint lays out the method North Koreans use to obtain remote IT jobs in the US using stolen identifications and credentials. https://flashpoint.io/blog/flashpoint-investigation-uncovering-the-dprks-remote-it-worker-fraud-scheme/

Stealer logs generated by infostealer malware infections are compiled into searchable files, facilitating account takeovers, corporate breaches, and financial fraud. This type of malware gathers sensitive information from compromised devices and organizes it into logs for straightforward exploitation by attackers. Malware families such as RedLine, Raccoon, and Vidar produce these logs, which are subsequently traded on the Dark Web. https://socradar.io/stealer-logs-everything-you-need-to-know/

The Social Security Administration has dropped a key component of its anti-fraud policy, which held retirement benefit applications for three days to verify fraud. The anti-fraud policy was previously revised several times due to pushback from advocates for senior citizens and individuals with disabilities, who feared it would complicate the claims filing process. The agency is now refining its anti-fraud algorithm to flag only claims with the highest likelihood of fraud, but critics argue that the policy change has led to customer service issues without effectively preventing fraud. If they don’t get the fraud under control, customer service will be the least of the problems. https://www.cnn.com/2025/05/17/politics/social-security-anti-fraud-policy

This article is paywalled, but if you have a WSJ subscription, it’s worth your time to read. The article highlights a growing trend of crypto-related physical abductions and real-world robberies worldwide. These attacks often target wealthy individuals who flaunt their cryptocurrency holdings online and may involve organized crime rings. In some cases, attackers use information obtained from hacks of cryptocurrency trading platforms to identify potential victims. https://www.wsj.com/finance/currencies/crypto-industry-robberies-attacks-32c2867a

This Rock Island, Illinois, employee stole $900,000 over her 21 years of employment. I know, I know, where were the controls, Matt? Good grief. https://www.wifr.com/2025/05/15/retired-county-employee-accused-stealing-900k-money-laundering/

As expected, the UK’s Legal Aid Agency breach is more extensive than initially publicized. “On Friday 16 May we discovered the attack was more extensive than originally understood and that the group behind it had accessed a large amount of information relating to legal aid applicants.”. Of course. https://www.gov.uk/government/news/legal-aid-agency-data-breach

DFIR

DFIR teams rarely receive the recognition they deserve from leadership, which makes organizations more vulnerable to cyber threats, internal issues, and legal troubles. The Magnet Forensics blog explains how team members can enhance their visibility by maintaining open lines of communication, providing regular updates, and engaging with stakeholders in impactful ways. https://www.magnetforensics.com/blog/underfunded-and-overlooked-why-your-dfir-team-deserves-a-seat-at-the-table/

feedback: matt[@]threatswithoutborders[.]com

Cool Job

Director of Global Fraud Strategy, TALA. https://jobs.lever.co/tala/e6de4804-eb39-4aa4-a4b1-c16e7396ff74

Cool Tool

This automated tool monitors changes to major government websites by identifying and tracking removed pages, using publicly available data from the Internet Archive. https://censortrace.org/

Troy Hunt released Have I Been Pwned V.2 https://www.troyhunt.com/have-i-been-pwned-2-0-is-now-live/

Reader Mail

Great article on the crypto-atms! I work for a medium-sized credit union, and we just discussed this during our Risk meeting today. One of my co-worker’s passed on a tidbit he got from local law enforcement: South Carolina has little to no regulation around crypto-atms, so they are in every gas station around. A plain-clothes SLED officer (SC Law Enforcement Division) asked the casher who used it. Her response: “Only little ole ladies gettin’ scammed.” - Chris in SC

(Reference: Issue 234)

Conference

International Association of Special Investigation Units (IASIU) 2025 Annual Training Conference. August 24-27 in Aurora, Colorado. https://www.iasiu.org/page/2025AnnualConference

Irrelevant

The third time is the charm. The power of persistence. Try, try, and try again. Whatever idiom you choose, this Chicago bank robber gets an A+ for effort after failing twice before finally succeeding. https://cwbchicago.com/2025/05/bank-robber-has-struck-3-times-in-a-week-fbi-offers-1000-for-info-that-brings-him-in.html

Sign Off

Judging from the views of last week’s issue, my take on crypto-ATMs hit home. The machines have really amplified the use of cryptocurrency to facilitate financial fraud. Bankers should consider training their frontline staff on the indicators of an older adult being involved in a cryptocurrency scam. Any customer over 50 years old who mentions a keyword related to cryptocurrency should raise suspicion. We can’t even get you to adopt online banking, but you're now using digital currencies? That’s a red flag!

Thank you for reading another issue. Please consider sharing the newsletter with a colleague!

Matt

Published every Tuesday, Threats Without Borders offers original commentary and educational pieces related to cybercrime investigations and information security topics. We also summarize and comment on news articles concerning active threat intelligence for the financial industry. The newsletter interests everyone tasked with cybersecurity or involved in preventing or investigating technology-enabled fraud, theft, or money laundering.

Legal: I am not compensated by any entity for writing this newsletter. Obviously, anything written in this space is my own nonsensical opinions and doesn’t represent the official viewpoint of my employer or any associated organization. Blame me, not them.

cybersecurity cybercrime fraud investigation aml osint