Threats Without Borders - Issue 253
Cybercrime Investigation Newsletter, week ending September 21, 2025
Fraud and security folks, we’ll get back to your business after next week. Stay with me.
Another tactic defense attorneys will use to challenge digital evidence is to highlight the absence of direct evidence. Digital evidence is mainly circumstantial, as it often requires inference. Many believe that circumstantial evidence is problematic, and defense attorneys exploit this perception.
Consider the difference between a short but intense snowstorm that arrives at 8 am and the same storm that arrives at 3 am. During the daylight storm, there is direct evidence that the 3 inches of snow in your driveway fell from the sky. You actually saw it fall and pile up with your own eyes. Now, consider the storm that arrives at 3 am, dumps 3 inches of snow, and is gone by the time you wake up at 7 am. There was no snow on the ground when you went to bed, but three inches when you woke up.
You didn’t see the snow in your driveway fall from the sky, but you can infer it did. The snow in your driveway is circumstantial evidence that a natural weather event happened overnight while you slept – it snowed.
Direct evidence is straightforward and speaks for itself without requiring any guesswork or connecting the dots. This includes eyewitness testimony where someone saw the defendant commit the crime, video footage showing the criminal act, audio recordings of confessions, DNA evidence found on weapons, or fingerprints discovered at crime scenes. When direct evidence is presented, you simply need to determine if the evidence itself is credible and authentic.
Circumstantial evidence, on the other hand, doesn't directly prove the main fact but instead proves other facts that allow you to infer what happened reasonably. It's like putting together pieces of a puzzle to see the bigger picture.
Circumstantial evidence can be just as powerful as direct evidence in proving guilt. Courts don't prefer one type over the other, and circumstantial evidence often forms the backbone of criminal cases because direct evidence isn't always available, can sometimes be unreliable, and multiple pieces of circumstantial evidence pointing to the same conclusion can be extremely persuasive.
Most digital evidence collected from cell phones, computers, and network appliances falls into this category of circumstantial evidence. Text messages, internet search histories, GPS location data, and social media posts don't directly show someone committing a crime, but they can establish patterns of behavior, intent, or presence that help build a case.
In many cases, the evidence shows that a specific device or account was used to commit a crime, but you need to make an inference about who was controlling the device at the time.
Maybe a man with a truck came in the dark of night and dumped three inches of snow on your driveway and lawn, smoothing it out perfectly. He did the same to all your neighbors and left no tracks.
No, it’s perfectly reasonable to believe that the snow fell from the sky, even if you didn’t see it happen with your own eyes, and neither did anyone else who can tell you about it.
The defense will emphasize the absence of direct evidence such as DNA, eyewitnesses, or surveillance footage. They aim to confuse the jury by arguing that the case is “entirely circumstantial” and should not be believed.
Get in front of this from the start of the investigation. Go out of your way to collect evidence that can corroborate the digital evidence and put the subject “behind the keyboard”.
Access – show the defendant had access to commit the offense. Not only access to the devices used, but also system and network access, and that the defendant regularly used that access.
Knowledge – the defendant had the education, training, and experience necessary to use the technology to commit the offense. A common defense strategy is to argue that their client was not skilled with technology and would not have been able to commit the crime because they would not have known how. School and training records, eyewitness accounts of their use of the technology, web browser records, sales receipts, and online chat forum activity can all demonstrate skill and ability, or at least an effort to gain it. Get their YouTube history!
Surveillance Records – include not only access logs for physical locations but also virtual spaces. It's important to connect virtual access points with their corresponding physical places. Many investigators overlook IP addresses connected to public Wi-Fi networks. “It could be anyone”, they say. Does the business operating the Wi-Fi hotspot also have video surveillance footage? How impactful would it be to present to the jury that each time there was a network intrusion from IP 208.24.56.202, which belongs to a coffee shop, the defendant was there, on a laptop? Or that the same model and color of car they drive was parked in the lot?
Motive – You certainly don’t need to present a motive to achieve a conviction, but dammit, the jury expects one. Why did the subject commit the criminal act? Providing a solid motive makes it a lot easier to accept all that “circumstantial evidence”.
Finally, ruling out alternative explanations is essential. Defense attorneys often challenge circumstantial evidence by suggesting innocent explanations, so investigators can strengthen their case by thoroughly addressing and eliminating all reasonable alternative interpretations of the evidence. Begin this process at the start of your investigation by asking, "Is there any other way to explain this?" and eliminate all options until you get to the truth.
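The coffee-shop scenario above, and the "is there any other way to explain this?" check, both come down to timeline correlation: lining up each intrusion event from the hotspot's IP against records that place the subject at that physical location, and flagging the events nobody can corroborate. The script below is an added illustration written for this issue, not a tool from the newsletter; every log line, presence record, IP address and shop name in it is constructed sample data, and the five-minute clock-skew allowance is an assumption you would set from the actual log sources.

```python
"""Correlate network intrusion events with physical presence records.

Added example (not from the newsletter). All data below is constructed:
the IP addresses are RFC 5737 documentation ranges and the shop is fictional.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Constructed IDS log from the victim network (UTC timestamps).
INTRUSION_LOG = """\
2025-03-04T14:02:11Z src=203.0.113.45 event=ssh-bruteforce
2025-03-06T09:17:40Z src=203.0.113.45 event=ssh-bruteforce
2025-03-09T19:45:03Z src=203.0.113.45 event=ssh-bruteforce
2025-03-11T08:30:00Z src=198.51.100.7 event=ssh-bruteforce
"""

# Constructed presence records for the hotspot location: (start, end, source).
# In practice these come from CCTV review or the shop's captive-portal log.
PRESENCE: List[Tuple[str, str, str]] = [
    ("2025-03-04T13:40:00Z", "2025-03-04T15:10:00Z", "cctv: subject at table, laptop open"),
    ("2025-03-06T09:00:00Z", "2025-03-06T10:05:00Z", "captive portal: sign-in from subject's phone"),
    ("2025-03-10T12:00:00Z", "2025-03-10T13:00:00Z", "cctv: subject at counter"),
]

# Placeholder mapping of public IP -> physical location (from ISP/subscriber records).
HOTSPOT_IPS: Dict[str, str] = {"203.0.113.45": "Example Coffee, 1 Main St (fictional)"}


@dataclass
class Intrusion:
    ts: datetime
    src: str
    event: str


@dataclass
class Finding:
    intrusion: Intrusion
    location: Optional[str]        # None if the source IP is not a known hotspot
    corroboration: Optional[str]   # presence record that covers the event, if any


def parse_ts(s: str) -> datetime:
    """Parse an ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_log(text: str) -> List[Intrusion]:
    """Parse 'timestamp key=value ...' IDS lines into Intrusion records."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        out.append(Intrusion(parse_ts(ts), kv["src"], kv["event"]))
    return out


def correlate(intrusions, presence, hotspots, slack=timedelta(minutes=5)) -> List[Finding]:
    """Match each intrusion from a hotspot IP against presence windows.

    `slack` absorbs clock drift between the IDS and the shop's systems
    (assumed value; calibrate it against the real sources).
    """
    windows = [(parse_ts(a), parse_ts(b), note) for a, b, note in presence]
    findings = []
    for i in intrusions:
        loc = hotspots.get(i.src)
        corr = None
        if loc is not None:
            for start, end, note in windows:
                if start - slack <= i.ts <= end + slack:
                    corr = note
                    break
        findings.append(Finding(i, loc, corr))
    return findings


def summarize(findings: List[Finding]) -> dict:
    """Count corroborated hotspot events and list the ones still unexplained."""
    hotspot = [f for f in findings if f.location is not None]
    corroborated = [f for f in hotspot if f.corroboration is not None]
    return {
        "hotspot_events": len(hotspot),
        "corroborated": len(corroborated),
        "uncorroborated": [f.intrusion.ts.isoformat() for f in hotspot if f.corroboration is None],
    }


if __name__ == "__main__":
    for f in correlate(parse_log(INTRUSION_LOG), PRESENCE, HOTSPOT_IPS):
        print(f.intrusion.ts, f.intrusion.src, f.location, "->", f.corroboration or "NO CORROBORATION")
    print(summarize(correlate(parse_log(INTRUSION_LOG), PRESENCE, HOTSPOT_IPS)))
```

The "uncorroborated" list is the point of the exercise: those are the events the defense will use to argue "it could be anyone", so they are the ones to chase down (more footage, sign-in logs, vehicle records) or to honestly account for before the case goes forward.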
Insider Threats…
A recent court filing claims that an employee of TaskUs, a business process outsourcing company, was involved in a significant data breach targeting Coinbase. The breach, which took place in December 2024, may have exposed the data of nearly 70,000 customers, and the attackers attempted to extort Coinbase for $20 million. TaskUs acknowledged its staff's involvement but aimed to downplay its role in the breach. A class-action lawsuit has been filed against TaskUs, accusing the company of negligence and trying to cover up the breach, while Coinbase customers are seeking financial compensation and improved security measures.
The court filing alleged that the employee systematically stole and photographed sensitive Coinbase customer records – up to 200 per day – starting from September 2024, including names, addresses, emails, partial bank account details, account balances, and Social Security numbers.
According to prosecutors, the employee sold the stolen data to hackers for $200 per record, amassing a trove of over 10,000 customers’ personal information on her device before her arrest in January 2025.
https://storage.courtlistener.com/recap/gov.uscourts.nysd.643269/gov.uscourts.nysd.643269.36.0.pdf
feedback: matt @ threatswithoutborders.com
The News…
Push Security discusses how attackers are increasingly sending phishing links through non-email channels like social media, instant messaging apps, and malicious search engine ads. https://pushsecurity.com/blog/why-attackers-are-moving-beyond-email-based-phishing/
The FBI issued another warning that criminals are spoofing the website of the Internet Crime Complaint Center (IC3). And yes, you are supposed to report suspicious websites using the IC3 website, just make sure you’re reporting the fake site to the real one and not vice versa. https://www.ic3.gov/PSA/2025/PSA250919
Of course, maybe the whole effort isn’t to commit fraud but to just clown the Bureau.
Google faces an issue after a cybercrime group gained unauthorized access to its Law Enforcement Request System (LERS) by creating a fake account. Google confirmed that the account was disabled and no data was accessed, but the breach shows that attackers are targeting these systems mainly to harass and embarrass cybercrime response entities. Other significant news includes ransomware attacks, malware discoveries, and arrests connected to cybercrime activities. https://securityaffairs.com/182266/security/cybercrime-group-accessed-google-law-enforcement-request-system-lers.html
This author claims, “Stablecoins’ transparent blockchain nature could revolutionize financial crime detection, giving law enforcement unprecedented global transaction visibility.” https://cointelegraph.com/news/anti-money-laundering-stablecoin
The National Consumer Law Center demands an end to fraud. https://www.nclc.org/financial-fraud-is-a-national-crisis-demanding-better-protection/
Scammers are now using mobile “SMS blasters” capable of sending 100,000 SMS text messages per hour. https://futurism.com/scammers-fake-cell-towers
Cool Job
Computer Forensics Instructor, FLETC (Glynco). https://www.usajobs.gov/job/846080700
Financial Crime Intelligence Analysts, BVNK. https://job-boards.eu.greenhouse.io/bvnk/jobs/4654703101
Cool Tool
Deep dive on any Reddit user: https://reddit-user-analyser.netlify.app/
Irrelevant
Do towns with a low crime rate deserve advanced security protections? Do they wait until crime rates increase before taking action? This article examines Bridgewater, a small town in Virginia that uses Flock surveillance cameras to record license plates. Law enforcement agencies accessed Bridgewater's data over 6.9 million times in a year, which raises privacy concerns. The author emphasizes the town's “low crime rate” to dismiss the need for a security system. I suspect the residents might disagree with the author's tone. https://www.whro.org/virginia-center-for-investigative-journalism/2025-09-17/va-flock-data-shared-millions-of-times
More Irrelevant
American students are getting dumber. And that’s not just anecdotal.
Sign Off
Last Friday, I released the first official Premium post, which I called the Friday Brief. I’m not satisfied with that name, but I can't think of a better one at the moment. I expect the name will change eventually, but I'm unsure when. Thanks for reading the newsletter another week!
Matt
Threats Without Borders offers original commentary and educational pieces related to cybercrime investigations and information security topics. We also summarize and comment on news articles concerning active threat intelligence for the financial industry. The newsletter interests everyone tasked with cybersecurity or involved in preventing or investigating technology-enabled fraud, theft, or money laundering.
Legal: I am not compensated by any entity for writing this newsletter. Obviously, anything written in this space is my own nonsensical opinions and doesn’t represent the official viewpoint of my employer or any associated organization. Blame me, not them.
cybercrime dfir cybersecurity investigations aml osint financial fraud