Threats Without Borders - Issue 257
Cybersecurity Investigation Newsletter, week ending October 19, 2025
You can use a burner account, connect through a VPN, and scrub your metadata—but your writing style still gives you away.
Every time we post, text, or email, we leave behind something unique: our writing fingerprint. The way we form sentences, our punctuation quirks, our favorite words, even how we structure a thought, all of it adds up to a pattern that’s surprisingly consistent. And for investigators, that pattern can be gold.
That’s where stylometry comes in. It’s the science of identifying authors based on the subtle habits in their writing. Law enforcement has used it to link anonymous threats and harassment to real suspects. Corporate security teams use it to trace data leaks and insider communications. And in the intelligence world, stylometry helps analysts connect propaganda pieces, disinformation campaigns, and entire networks of fake online personas.
I’ve been fascinated by this since the late 90s and early 2000s, when I used to browse message boards on the Internet. Message forums were the primary method for groups to organize and communicate before Facebook. I belonged to several related to fishing, and fake accounts were always an issue. It then became directly relevant to my work as an investigator tracking anonymously posted text across the web.
What makes this so powerful today is computing power. Modern tools can analyze thousands of linguistic features across millions of words in seconds, finding links that would’ve taken weeks or months to spot manually.
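As an added illustration (my own example code, not a preview of the subscriber series and not from any of the tools mentioned above), here is Burrows’s Delta, a standard stylometric distance, run over constructed forum-style posts from two fictional posters. Each sample becomes a vector of relative frequencies for the most common tokens in the corpus (function words dominate those; ellipses and commas are kept as pseudo-tokens so punctuation habits count too), the frequencies are z-scored across the corpus, and a questioned post is attributed to the known poster whose profile is closest. All poster names and text are made up for the example.

```python
"""Burrows's Delta on constructed samples: attribute a questioned post to a known author."""
import math
import re
from collections import Counter

# Ellipses and commas are kept as pseudo-tokens so punctuation quirks become features.
TOKEN_RE = re.compile(r"\.\.\.|,|[a-z']+")
PSEUDO = {"...": "<ellipsis>", ",": "<comma>"}


def tokenize(text):
    """Lowercase word tokens plus pseudo-tokens for ellipsis and comma."""
    return [PSEUDO.get(t, t) for t in TOKEN_RE.findall(text.lower())]


def relative_freqs(text):
    toks = tokenize(text)
    return {t: c / len(toks) for t, c in Counter(toks).items()}


def most_frequent_features(docs, n_features=30):
    """The n most common tokens across the whole corpus (function words dominate)."""
    total = Counter()
    for text in docs.values():
        total.update(tokenize(text))
    return [t for t, _ in total.most_common(n_features)]


def zscore_profiles(docs, features):
    """Per document: z-score of each feature's relative frequency across the corpus."""
    freqs = {name: relative_freqs(text) for name, text in docs.items()}
    profiles = {name: {} for name in docs}
    for f in features:
        vals = [freqs[name].get(f, 0.0) for name in docs]
        mean = sum(vals) / len(vals)
        sd = math.sqrt(sum((v - mean) ** 2 for v in vals) / len(vals))
        if sd == 0:  # feature carries no information for this corpus
            continue
        for name in docs:
            profiles[name][f] = (freqs[name].get(f, 0.0) - mean) / sd
    return profiles


def delta(p, q):
    """Burrows's Delta: mean absolute difference of z-scores over shared features."""
    keys = p.keys() & q.keys()
    return sum(abs(p[k] - q[k]) for k in keys) / len(keys)


def attribute(known, questioned, n_features=30):
    """known: {doc_name: (author, text)}. Returns (best_author, {author: mean delta})."""
    docs = {name: text for name, (_, text) in known.items()}
    docs["?"] = questioned
    feats = most_frequent_features(docs, n_features)
    prof = zscore_profiles(docs, feats)
    per_author = {}
    for name, (author, _) in known.items():
        per_author.setdefault(author, []).append(delta(prof["?"], prof[name]))
    scores = {a: sum(d) / len(d) for a, d in per_author.items()}
    return min(scores, key=scores.get), scores


# Constructed samples for two fictional forum posters (not real posts).
KNOWN = {
    "a1": ("poster_A", "so i went out this morning... the water was really calm. just me and "
                       "the boat. caught two bass and lost a third lol. really good day... "
                       "heading back out tomorrow if the wind stays down."),
    "a2": ("poster_A", "ok so the new reel came in... it is really smooth. just spooled it with "
                       "braid. not sure i like the handle though lol. gonna test it this "
                       "weekend... will report back."),
    "b1": ("poster_B", "The committee reviewed the proposal at length, and although several "
                       "members expressed reservations about the cost, the majority concluded "
                       "that the benefits of the program, which had been studied for more than "
                       "a year, outweighed the risks."),
    "b2": ("poster_B", "Having examined the survey results in detail, the analyst noted that "
                       "respondents in the northern counties, which had received the revised "
                       "questionnaire, reported higher satisfaction, although the difference, "
                       "which was small, was not statistically significant."),
}
QUESTIONED = ("so i guess the weekend trip was a bust... wind picked up and the lake was rough. "
              "just sat on the dock most of the day lol. really hoping next week is better... "
              "the new reel did feel good though.")

if __name__ == "__main__":
    author, scores = attribute(KNOWN, QUESTIONED)
    print(author, scores)
```

On samples this small the result is only a demonstration of the mechanics; real casework uses far more text per author, a larger feature set, and a baseline of known-different authors to judge how meaningful a given Delta value is.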
In this upcoming series, we’ll take a closer look at how stylometry works, what features matter most, and how investigators can actually use it in real cases. Whether you’re tracking an online threat, a data leak, or a coordinated influence operation, the message is the same: Even when the account name changes, the writing doesn’t.
But here’s the catch… we’re going to discuss techniques that bad guys could use, so I don’t want to post this on the open web. It will be sent out to subscribers over the next three Fridays. Free subscribers count, and that’s the only kind there is. But those of you who only visit the newsletter’s Substack page each week won’t see it. You need to subscribe to access this series.
News…
David Dodda details how he almost infected his own system with malware while completing a “coding challenge” as part of a job interview. Of course, the job wasn’t real and the challenge was the trap. https://blog.daviddodda.com/how-i-almost-got-hacked-by-a-job-interview
Malwarebytes warns about a TikTok scam where users receive fake direct messages offering access to “crypto assets.” The scam tricks users into logging into a fraudulent site that displays a fake balance, then prompts them to pay for a “VIP” membership to withdraw funds that never existed. The goal is to collect personal data and money while keeping victims trapped in a cycle of fake transactions. https://www.malwarebytes.com/blog/news/2025/10/tiktok-scam-sells-you-access-to-your-own-fake-money
Scammers love to impersonate Microsoft. So says Cofense. https://cofense.com/blog/weaponized-trust-microsoft-s-logo-as-a-gateway-to-tech-support-scams
Leave the cows alone! The Dairy Farmers of America reported a cyberattack in June that exposed the personal information of 4,546 people, including Social Security numbers and bank account details. The breach affected multiple manufacturing plants within the organization’s network. It’s assumed the attackers are lactose intolerant. https://therecord.media/dairy-farm-leaked-info-ransomware
Love him or hate him, Elon Musk remains irresistible to many. Gizmodo warns readers about scams pretending to be Elon, where fake websites and AI-generated videos try to deceive people into investing in bogus opportunities. Elon Musk does not run public investment platforms or ask for individual funds, yet many have fallen victim to these scams. The article highlights some of these fraudulent websites and names, advising readers to steer clear and use trusted channels for investments. https://gizmodo.com/elon-musk-spacex-neuralink-grok-xai-investment-scam-2000669248
This guy claims the CIA triad of information security is dead. He might be right. https://www.csoonline.com/article/4070548/the-cia-triad-is-dead-stop-using-a-cold-war-relic-to-fight-21st-century-threats.html
Kudos to the PA State Police for making an arrest in this ATM jackpotting case. https://www.pennlive.com/news/2025/10/man-wanted-for-stealing-77k-by-jackpotting-atms-in-two-pa-counties.html
DFIR
I recently received an update on a case involving an exam I conducted on a mobile device about four years ago. Due to delays in investigation and procedures, along with the suspect being on the run for some time, the case only recently went to trial. The defendant presented an alibi defense, prompting the prosecution to obtain a new warrant to re-examine the device. The original data dump was also revisited using new tools. This new examination not only crushed the alibi but also uncovered additional evidence that was missed during the initial analysis.
Technology and DFIR tools are continuously advancing. A lot changed over the four years between the first and second exams. The original exam captured the artifacts, but the tools lacked the capacity to parse and interpret them.
Interestingly, the defendant would have been better served by opting for an immediate trial to challenge the evidence from the first exam. His attempts to delay and obstruct backfired on him and ultimately helped convict him.
Just a reminder to revisit evidence gathered with previous technology. Technology is advancing quickly, and what wasn’t available then might be available now.
Send me email: matt(at)threatswithoutborders.com
Cool Job
Special Agent, National Insurance Crime Bureau (Pennsylvania location). The link is way too long, so you’ll have to trust me. Click HERE.
Financial Crime Compliance Manager, Revolut. https://people.revolut.com/public/careers/position/2b203839-3895-4a49-9c0d-aafd362d8c99
Cool Tool
Is this website legit or a scam? https://www.islegitsite.com/ (annoying captcha)
Networking
I’ve had way too many conversations with Steve Lenderman about conference name badges. They may seem trivial, but they are actually one of the most important parts of an event and are quite difficult to do correctly. And even when you get them right, people will still complain. While researching best practices for creating corporate ID badges, I came across this 2017 post. It’s eight years old, but still relevant. https://badge.reviews/10-rules-for-a-better-conference-name-badge/
Irrelevant
Doctors changed their guidance on introducing peanuts to infants and peanut allergies are plummeting. https://web.archive.org/web/20251020152903/https://www.nytimes.com/2025/10/20/well/peanut-allergy-drop.html
Sign Off
I still prefer using the Brave browser. Despite trying some others recently, I keep coming back to Brave because it's straightforward, a bit edgy, and prioritizes privacy. Although I’m a dedicated Mac user, Safari just doesn't suit my needs. If you're stuck on Edge or Chrome, give Brave a try. I believe you’ll like it.
Matt
Published every Tuesday, Threats Without Borders offers original commentary and educational pieces related to cybercrime investigations and information security topics. We also summarize and comment on news articles concerning active threat intelligence for the financial industry. The newsletter interests everyone tasked with cybersecurity or involved in preventing or investigating technology-enabled fraud, theft, or money laundering.
Legal: I am not compensated by any entity for writing this newsletter. Obviously, anything written in this space is my own nonsensical opinion and doesn’t represent the official viewpoint of my employer or any associated organization. Blame me, not them.