Threats Without Borders - Issue 254
Cybersecurity Investigation Newsletter, week ending September 28, 2025
Over the past few weeks, we’ve analyzed how the defense might challenge digital evidence, shaping our investigation strategies to counter such objections. To conclude this series, we’ll examine the “Shaggy Defense”: the classic “it wasn’t me” claim. In the context of computer and Internet investigations, this usually means “I was hacked.”
As is well known, I’m not an attorney, so please don’t take this as legal advice. And equally well known, no attorney remains a subscriber to the newsletter very long. But if there is an attorney out there, please opine on this.
While the burden of proof falls on the prosecution, the defense can’t just say “My device was hacked, it wasn’t me” and play crossword puzzles the rest of the trial. Well, they can, but to legitimately raise a hacked-device defense, they need to present some documentation that the device or account may have been compromised. The mere suggestion of hacking is not enough; the defense must show some affirmative evidence that a compromise potentially occurred.
And you can be sure there’s an “expert” out there somewhere who will tell the jury how they identified “inconsistent connections” and “potential indicators of compromise” during their investigation and review of the evidence. Maybe they did, and you missed it, but maybe it’s just nonsense meant to confuse the jury. Either way, it’s bad. So let’s prevent that before it even happens.
Highlight Forensic Evidence
Point to the digital forensics:
Logs show normal user behavior (consistent timestamps, device locations, login patterns).
No indicators of compromise (no malware, no unusual network traffic, no new accounts, no signs of persistence tools).
The alleged “hacker” somehow only did things that incriminate the defendant and nothing else, which is highly implausible.
Emphasize chain of custody: the evidence was collected, preserved, and analyzed under strict forensic standards, making tampering unlikely.
Undermine the Plausibility of the Claim
Show that remote compromise would require:
Bypassing multiple layers of authentication, firewalls, or encryption.
Leaving behind forensic evidence, which isn’t there (and be ready to show what you looked at, and how complete that coverage was, so the absence of evidence carries weight).
Argue that it is far less likely that a skilled hacker chose to control this device for the limited purpose of committing the charged crime than that the defendant acted directly.
Finally, highlight what we laid the foundation for last week: circumstantial reinforcement.
Pair digital evidence with other corroborating facts:
Defendant’s physical presence (cell tower data, cameras, witness testimony).
Use of accounts, devices, or credentials known only to the defendant.
Motive or connection to the crime.
The more you tie the digital activity to the defendant’s life, the weaker the “it wasn’t me” claim becomes.
Timelines are powerful tools. Create an event timeline with precise timestamps, normalized to a single time zone, linking each action to its corresponding source (device, IP address, user account). Document the sequence of legitimate user activity directly connected to the suspect, and then ask: so when, exactly, was the malicious actor in control of this device?
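As an added example (not from the original newsletter), the script below builds that kind of timeline from three constructed log sources written in three different timestamp conventions: a syslog-style auth log in local time with no year, an exported browser history in epoch seconds, and a VPN log in ISO-8601 with an explicit offset. It normalizes everything to UTC, sorts it, and then answers the two questions the text raises: which events cannot be attributed to the suspect’s known accounts and addresses, and who was active during the window in which the incriminating actions took place. The log lines, host time zone (UTC-4), year (2025), and the suspect’s “known” actors and IPs are all assumptions for illustration.

```python
"""Unified UTC event timeline from heterogeneous logs (constructed sample data)."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

LOCAL_TZ = timezone(timedelta(hours=-4))  # assumed time zone of the host that wrote auth.log
SYSLOG_YEAR = 2025                        # syslog omits the year; assumed from the case file

# Constructed sample lines; not real evidence.
AUTH_LOG = [  # syslog style: local time, no year, no offset
    "Sep 22 08:01:13 laptop-jdoe sshd[412]: Accepted publickey for jdoe from 10.0.0.12",
    "Sep 22 08:03:40 laptop-jdoe sshd[418]: Accepted publickey for jdoe from 10.0.0.12",
]
BROWSER_CSV = [  # exported history: epoch seconds (UTC), user, ip, action
    "1758542520,jdoe,10.0.0.12,visit https://bank.example/transfer",
    "1758542701,jdoe,10.0.0.12,visit https://bank.example/confirm",
]
VPN_LOG = [  # ISO-8601 with explicit offset
    "2025-09-22T12:00:05+00:00 CONNECT user=jdoe ip=203.0.113.8 device=laptop-jdoe",
    "2025-09-22T12:05:59+00:00 CONNECT user=svc-backup ip=198.51.100.77 device=unknown",
]

AUTH_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+)")
VPN_RE = re.compile(r"^(\S+) CONNECT user=(\S+) ip=(\S+) device=(\S+)")


@dataclass(frozen=True)
class Event:
    ts: datetime   # tz-aware, always UTC after normalization
    source: str    # which log the line came from
    actor: str     # account or service name
    ip: str
    action: str


def parse_auth(line):
    m = AUTH_RE.match(line)
    if not m:
        return None
    local = datetime.strptime(m.group(1), "%b %d %H:%M:%S").replace(year=SYSLOG_YEAR, tzinfo=LOCAL_TZ)
    return Event(local.astimezone(timezone.utc), "auth.log", m.group(3), m.group(4), f"ssh login on {m.group(2)}")


def parse_browser(line):
    epoch, user, ip, action = line.split(",", 3)
    return Event(datetime.fromtimestamp(int(epoch), tz=timezone.utc), "browser_history", user, ip, action)


def parse_vpn(line):
    m = VPN_RE.match(line)
    if not m:
        return None
    ts = datetime.fromisoformat(m.group(1)).astimezone(timezone.utc)
    return Event(ts, "vpn.log", m.group(2), m.group(3), f"vpn connect from device={m.group(4)}")


def build_timeline():
    """Parse every source, drop unparseable lines, and sort by UTC timestamp."""
    events = [parse_auth(l) for l in AUTH_LOG]
    events += [parse_browser(l) for l in BROWSER_CSV]
    events += [parse_vpn(l) for l in VPN_LOG]
    return sorted((e for e in events if e is not None), key=lambda e: e.ts)


def unattributed(timeline, known_actors, known_ips):
    """Events whose actor or address is outside the suspect's documented set."""
    return [e for e in timeline if e.actor not in known_actors or e.ip not in known_ips]


def actors_active(timeline, start, end):
    """Who generated activity inside [start, end]? Used to answer 'who was in control then?'"""
    return {e.actor for e in timeline if start <= e.ts <= end}


def render(timeline):
    return "\n".join(f"{e.ts.isoformat()}  {e.source:16} {e.actor:10} {e.ip:15} {e.action}" for e in timeline)


if __name__ == "__main__":
    tl = build_timeline()
    print(render(tl))
    print("unattributed:", unattributed(tl, {"jdoe"}, {"10.0.0.12", "203.0.113.8"}))
```

In the sample, the only event that is not attributable to the suspect (the svc-backup VPN connection from an unknown device) occurs after the two bank visits, so the timeline itself poses the question the text asks. Record alongside the timeline which log sources were collected, their retention, and any integrity checks, because the “no unknown activity” conclusion is only as good as the coverage of the logs you had.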
You can’t overestimate the value of a solid interview with the suspect. Keeping in mind their rights, as granted by the Constitution, law, or company policy, conduct a solid initial interview with the device user before they have time to consider alternative explanations. Understanding their proficiency with technology helps determine whether to support or challenge the claim that their device was compromised without their knowledge.
And of course, if you find evidence that the device or account has been compromised, please just disclose it immediately and in full. Not only is it the law, but you don’t want your career to be “Giglio’d”.
The right answer
Last week, I was interviewed by an NBC news affiliate about the use of AI to facilitate fraud. The interview took place the day after news broke that the U.S. Secret Service had seized a SIM farm, claiming it housed 100,000 SIM cards that “could have” shut down the cellular networks of New York City.
Of course, I was asked about it. I hesitated to give a definitive answer, but mentioned that I doubted it was an act of espionage by a nation-state. I suggested it was probably only a matter of crime. That’s all, just crime. I praised the Secret Service for their success, acknowledging it was a well-run operation and evidence of an excellent investigation, though I also speculated that some hype might be overshadowing the reality.
I’m glad that Gary Warner believes the same, and he provides the receipts, showing that this was more likely not a nation-state actor targeting New York's communications, but fraud. Just crime. Excellent work by Gary. As always!
https://garwarner.blogspot.com/2025/09/sms-pools-and-what-us-secret-service.html
STOP - before you read further, share this newsletter with someone. It’s free!
The News…
Cops often say, ‘Jesus must live in prison because everyone who goes there finds him.’ Now, a man calling himself Apostle, also known as “Jesus’ best friend,” is about to find out. He ran a fake church called Kingdom of God Global Church and has been extradited to Michigan to face federal charges involving forced labor and money laundering. He and his executive assistant are accused of controlling victims at fundraising call centers across several states, restricting their freedom, and coercing strict obedience through religious manipulation. https://www.clickondetroit.com/news/local/2025/09/25/church-leader-charged-in-alleged-forced-labor-money-laundering-scheme-being-extradited-to-michigan/
How about some classic fraud—rolling back vehicle odometers! Four individuals face multiple charges related to a year-long, multi-state car fraud scheme in Pennsylvania. Authorities stated they tampered with the odometers of at least 33 vehicles with high mileage, making their mileage appear much lower, then sold these cars at higher prices across Pennsylvania, Maryland, and West Virginia. Overall, the group reportedly erased over 2.3 million miles of wear, causing victims damages over $100,000. Individual losses ranged from hundreds to several thousand dollars. https://www.pennlive.com/crime/2025/09/four-charged-in-multi-state-odometer-fraud-scheme-at-pa-car-dealership.html
Are you using GoAnywhere by Fortra? Yeah…go patch. There is a critical vulnerability (CVE-2025-10035) in Fortra’s GoAnywhere MFT, a widely used managed file transfer solution. It is rated CVSS 10.0 (that’s really bad): an insecure deserialization flaw in the License Servlet that can lead to remote code execution. Per the write-up, an attacker can reach it without authenticating by obtaining a token through an unlicensed endpoint and then triggering deserialization with a signed object. https://labs.watchtowr.com/is-this-bad-this-feels-bad-goanywhere-cve-2025-10035/
A new phishing campaign uses SVG files to trick users into visiting malicious websites. SVG is XML, and an SVG file can carry embedded JavaScript that redirects the viewer to a phishing site; in this campaign the script was obfuscated with food-related terms to hide its purpose. The campaign takes advantage of Windows opening SVG files in Microsoft Edge by default, so the redirect happens from a local file rather than a web page and is less likely to be caught by ad-blockers or web filters. https://www.malwarebytes.com/blog/news/2025/09/new-svg-based-phishing-campaign-is-a-recipe-for-disaster
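As an added example (not from the original newsletter or the Malwarebytes write-up), here is a small triage scanner that parses an SVG as XML and flags the things that let an image file behave like a web page: `<script>` elements, `on*` event-handler attributes, `javascript:` hrefs, and `<foreignObject>` (which can embed HTML). The two SVG documents are constructed for the example; the “recipe” variable name just mirrors the food-themed obfuscation the campaign used.

```python
"""Flag active content in SVG attachments before they reach a browser (constructed samples)."""
import xml.etree.ElementTree as ET

# Constructed benign and malicious SVGs; the destination URL is a placeholder.
BENIGN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
  <circle cx="5" cy="5" r="4" fill="#444"/>
</svg>"""

MALICIOUS_SVG = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     width="1" height="1">
  <rect width="1" height="1" fill="white"/>
  <a xlink:href="javascript:void(0)"><text x="0" y="0">Invoice</text></a>
  <image width="1" height="1" onload="window.location = dessert"/>
  <script type="text/javascript"><![CDATA[
    var recipe = ["https://", "login.example", ".test/"];   // "food-themed" obfuscation
    var dessert = recipe.join("");
    window.location = dessert;
  ]]></script>
</svg>"""


def _local(name):
    """Strip an XML namespace prefix such as {http://www.w3.org/2000/svg}."""
    return name.rsplit("}", 1)[-1]


def scan_svg(data):
    """Return a list of (finding_kind, detail) for every active-content indicator in an SVG.

    Accepts str or bytes. Raises ET.ParseError on malformed XML, which is itself
    worth treating as suspicious for a file that claims to be an image.
    """
    findings = []
    root = ET.fromstring(data)
    for elem in root.iter():
        tag = _local(elem.tag)
        if tag == "script":
            snippet = " ".join((elem.text or "").split())[:60]
            findings.append(("script-element", snippet))
        elif tag == "foreignObject":
            findings.append(("foreign-object", tag))
        for attr, value in elem.attrib.items():
            name = _local(attr).lower()
            if name.startswith("on"):
                findings.append(("event-handler", f"{tag}@{name}"))
            if name == "href" and value.strip().lower().startswith("javascript:"):
                findings.append(("javascript-href", f"{tag}@{name}"))
    return findings


def is_suspicious(data):
    """True if the SVG contains any active content at all."""
    return bool(scan_svg(data))


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("malicious", MALICIOUS_SVG)):
        print(label, scan_svg(doc))
```

Treat any hit as a reason to block or detonate the file, not as proof of phishing on its own; the point of the check is that a legitimate emailed image almost never needs script, event handlers, or `javascript:` links.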
New Ohio law requires local governments to implement basic cybersecurity standards. Good on you, Ohio. https://www.wlwt.com/article/ohio-new-cybersecurity-standards-local-governments/68030862
CISA shares lessons learned from an incident response engagement with a Federal Civilian Executive Branch agency. https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-266a
When the cyber world and real world collide: Two brothers have been charged with kidnapping and cryptocurrency theft after holding a family at gunpoint for nine hours and stealing $8 million in cryptocurrency from their home in Grant, Minnesota. The crime led to the cancellation of a local high school football game for safety. The brothers forced the victim to transfer funds from his cryptocurrency accounts and later took him to a cabin to retrieve additional funds. Law enforcement tracked the brothers to Texas, where they were arrested and later confessed to the crime. Super Kudos to the Washington County (MN) Sheriff’s Office and the FBI for this stellar investigation. Seriously, good work. https://www.justice.gov/usao-mn/pr/brothers-charged-8-million-armed-crypto-kidnapping-heist-0
Cool Job
Investigator (Spanish fluency required), Major League Baseball. https://www.mlb.com/careers/opportunities?gh_jid=7232961
Cool Tool
Crypto transaction tracker (free tier available) https://metasleuth.io/
The EFF does great things when it focuses on its core mission and avoids politics, like developing a browser extension that blocks third-party trackers. https://privacybadger.org/
Idea
In programming, there’s a concept called “rubber-ducking.” When a programmer faces a tough problem, they might explain it to the person next to them, hoping for a solution. While explaining, they often unintentionally solve their own issue, thinking, “oh... never mind...,” and then continue working. This act of verbalizing and articulating the problem helps them analyze it more thoroughly. The term “rubber-ducking” comes from the idea that the listener could be replaced by a rubber duck, making it a simple and approachable problem-solving technique.
Irrelevant
Can Parents Be Liable for Negligently Entrusting Their Adult Children with Internet Service? Or, otherwise said, are homeowners responsible for hackers living in their home?
Sign Off
I’ve been asked multiple times this week how you can support the newsletter. Well, besides offering good vibes, the best thing you can do is share it. Yep, just pass it along to a friend or two—no cost, no catch. After all, sharing is caring!
See you next Tuesday. Maybe earlier.
Matt
Published every Tuesday, Threats Without Borders offers original commentary and educational pieces related to cybercrime investigations and information security topics. We also summarize and comment on news articles concerning active threat intelligence for the financial industry. The newsletter interests everyone tasked with cybersecurity or involved in preventing or investigating technology-enabled fraud, theft, or money laundering.
Legal: I am not compensated by any entity for writing this newsletter. Obviously, anything written in this space is my own nonsensical opinions and doesn’t represent the official viewpoint of my employer or any associated organization. Blame me, not them.
cybersecurity cybercrime aml osint fraud investigations cyficrime