I assisted a friend, a fabulous fraud investigator, in deciphering some IP addresses and discovered that one of them traced back to Starlink. Well, that's something we all better get used to seeing as this technology becomes more available and affordable.

How is Starlink connecting endpoints to its network? How is it assigning IP addresses? And down the rabbit hole I went!

Really long story short - Starlink is using Carrier Grade Network Address Translation (CGNAT) to connect users to the Internet. This is the same technology employed by cell phone carriers to link millions (billions?) of mobile devices to the Internet through towers and base stations.

Using a cell phone, your device connects to a tower, which then links you to the Internet via a base station. In contrast, with Starlink, your signal goes to a router connected to a Starlink antenna. The antenna communicates with a Low Earth Orbit (LEO) satellite, which then forwards your signal to a ground-based base station that provides Internet access.

NAT functions like an address system in a large apartment building. The building has a single main street address, but each apartment within has its own unit number. When mail is sent to a resident, it first arrives at the main address, then the building’s mail system delivers it to the correct apartment. Similarly, NAT manages Internet-connected devices. A home or business might have several devices, such as phones, laptops, and smart TVs, and toasters, all sharing one public IP address. Inside the home, each device has a private IP address. NAT keeps track of which device requests information and ensures responses are directed correctly back to each device.

Network Address Translation is necessary because there are not enough IPv4 addresses, and we have not yet fully adopted IPv6. Mobile Internet Service Providers like Verizon, AT&T, and Starlink can’t provide each cellphone or Starlink antenna with its own IPv4 address. So it employs NAT.

And why is this important, Matt?

Because IP addresses aren’t people, and they aren’t devices. So when you say, “we have the suspect’s IP address,” you might just have the IP address for a tower router or Starlink base station. And you still have a lot of work to do from there.

https://www.starlink.com/support/article/1192f3ef-2a17-31d9-261a-a59d215629f4

By the way, if you enjoy my artwork, theres a lot of it in a talk I offer called “How the Internet Works,” where I show how to break down an IP address (binary math is fun), provide a clearer explanation of NAT, and explain why identifying a suspect's IP address is just the beginning of your investigation, not the end. I also discuss how to debunk the “my IP address was spoofed” defense.

What I probably look like while explaining NAT.

The News…

Share this link with your IT manager. While you might not understand this attack, hopefully, someone in your organization does and will take steps to ensure your protection. A new phishing campaign has been discovered, targeting over 70 organizations by exploiting Microsoft 365's Direct Send feature. This feature enables devices to send emails within a tenant without requiring authentication, which can facilitate phishing attacks. Malicious actors can utilize PowerShell to send spoofed emails that look like they come from internal addresses, all without logging in or accessing the tenant. https://www.varonis.com/blog/direct-send-exploit

The bad guys are using uncensored Large Language Models (LLMs), cybercriminal-designed LLMs, and jailbreaking legitimate LLMs to write malicious code, create phishing emails, and conduct research for their attacks. The Talos team highlights various techniques used by cybercriminals to bypass LLM safeguards, including obfuscation, role-playing, and meta-prompting. Really good reporting! https://blog.talosintelligence.com/cybercriminal-abuse-of-large-language-models/

The Electronic Frontier Foundation (EFF) says NO to the "NO FAKES" Act, a bill aimed at addressing concerns about generative AI-created "replicas" through a broad new intellectual property right. They claim the bill would create a censorship infrastructure, mandating the removal of speech upon receipt of a notice, and could lead to over-censorship, threats to anonymous speech, and harm to innovation. The bill would also require internet gatekeepers to create a system to remove and filter tools used to produce unauthorized images, and would grant rights-holders veto power over innovation. I think the EFF and I might agree on something. https://www.eff.org/deeplinks/2025/06/no-fakes-act-has-changed-and-its-so-much-worse

The former IT Manager of the Heinz Foundation has been charged with wire fraud and money laundering for allegedly stealing $1 million from the organization. According to the indictment, between 2016 and 2024, he embezzled the funds through a shell company controlled by Richardson and used fraudulent invoices to bill the foundation for services not rendered or provided by other vendors. https://www.justice.gov/usao-wdpa/pr/former-foundation-it-manager-charged-theft-and-money-laundering-nearly-1-million

Securi details how a WordPress website was infected with spam pages and posts, which were hidden using a malicious plugin called Performance Labs. The plugin, disguised as a legitimate one, used a backdoor to grant attackers persistent access to the site and hid itself from administrator users. Another plugin, Yoast SEO, was also compromised and used to hide the spam pages by adding them to a custom settings page that was only visible to administrators who were aware of it. The attackers employed a combination of JavaScript and CSS tricks to hide the options and conceal the spam pages when querying the wp-admin panel, making it difficult to detect and remove the malware. https://blog.sucuri.net/2025/06/the-case-of-hidden-spam-pages.html

A New Jersey man was arrested for selling counterfeit Apple devices. https://www.tapinto.net/towns/east-orange-slash-orange/sections/law-and-justice/articles/orange-electronics-store-owner-charged-with-selling-counterfeit-apple-products

Trustwave profiles the Dire Wolf ransomware group. https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/dire-wolf-strikes-new-ransomware-group-targeting-global-sectors/

Nefture Security highlights the limitations of Monero for money laundering, despite its strong privacy features. Monero's design ensures privacy and anonymity through the use of ring signatures, stealth addresses, and confidential transactions. However, its fungibility and the absence of a fixed supply cap make it difficult to launder large sums of money, and regulatory authorities and exchanges are increasingly restricting its use. Nefture believes that Monero is not a practical standalone option for laundering large amounts of money, and its use is mostly confined to direct criminal transactions involving manageable sums. https://medium.com/coinmonks/monero-why-it-may-fall-short-as-a-money-laundering-tool-457e0fd79f94

Op-Sec is important. A hacker hired by the Sinaloa drug cartel spied on the U.S. Embassy in Mexico City in 2018, identifying "people of interest" for potential targeting and killing. The hacker accessed the FBI assistant legal attaché's mobile phone and used the camera system to track the attaché's movements and identify people they met with. The cartel used this information to intimidate and kill potential sources or cooperating witnesses. https://techcrunch.com/2025/06/30/mexican-drug-cartel-hacker-spied-on-fbi-officials-phone-to-track-and-kill-informants-report-says/

DFIR

Florian roth urges the DFIR community to improve efficiency during exams and investigations. https://cyb3rops.medium.com/the-inefficiency-in-digital-forensics-3da88123d2ec

Feedback

Several responses to my take on the rise of fraud consultants.

“Everyone wants to be CEO, even if it's only a company of themself” - Jason

Matt, I see you woke up this morning and chose violence. Haha. I oversee the fraud department at a credit union in the Southeast. A woman reached out to us, offering to review and revise our fraud policies and procedures. The experience sheet she provided was pretty light, so I (delicately) asked if she's so knowledgeable, then why isn't she working for a major firm? Her response was, "my passion is for small credit unions." I laughed out loud. Literally. - SM

Feedback: matt @ threatswithoutborders.com

Cool Tool

Track your coffee beans and recipes. https://beanbook.app/

Image Raider - reverse image search. https://infringement.report/api/raider-reverse-image-search/

Cool Job

Investigations Manager - Information Network Associations. https://www.adzuna.com/details/5251310460

Irrelevant

Mark Dent explains why the $25,000 car has vanished, and as someone who has been searching for a budget vehicle for my son, I can confirm that the $25,000 price point has really disappeared. https://media.hubspot.com/why-the-25000-car-is-going-extinct

Sign Off

Thanks for coming back another week. Please consider sharing the newsletter with your colleagues. I don’t do advertising or promotions, so we only grow through referrals.

See you next Tuesday!

Matt

Published every Tuesday, Threats Without Borders offers original commentary and educational pieces related to cybercrime investigations and information security topics. We also summarize and comment on news articles concerning active threat intelligence for the financial industry. The newsletter interests everyone tasked with cybersecurity or involved in preventing or investigating technology-enabled fraud, theft, or money laundering.

Legal: I am not compensated by any entity for writing this newsletter. Obviously, anything written in this space is my own nonsensical opinions and doesn’t represent the official viewpoint of my employer or any associated organization. Blame me, not them.