Threats Without Borders - Issue 264
Cybercrime Investigation Newsletter, week ending December 7, 2025
I’ve often heard investigators dismiss an investigation with a statement like “the victim sent the money through crypto to an anonymous wallet...it’s gone”.
I’ll agree that the money is probably “gone”, but an investigation shouldn’t end just because the funds were sent through cryptocurrency. There is still a lot of information to be gained, and you never know what you’ll find as you crawl down the rabbit hole.
Cryptocurrency is not anonymous. It is pseudonymous, and that isn’t just a matter of semantics.
The blockchain, the technology underpinning Bitcoin, Ethereum, and numerous other digital tokens, is not a secret. Instead, it’s a permanent ledger that anyone worldwide can access. Every transaction is recorded, validated, and broadcast across thousands of computers, creating an unalterable record.
The term “pseudo” in pseudonymity derives from wallet addresses. When a criminal transfers funds, the transaction doesn’t specify, “Matt Dotts sent $10,000.” Instead, it states, “The address XXXXYYYY1111... sent 1 BTC to address AAAABBBB999...”.
This long string of characters functions as the criminal’s pseudonym or nickname. While the network tracks the flow of money from and to this address, it cannot identify the actual person behind it. All investigative efforts focus on one key objective - connecting that public address or pseudonym to a real individual.
So how do we follow the money and connect the dots between the digital trail and the real world?
The first step is purely digital. Using blockchain analytics tools, track the stolen or illicit funds as they move across the public ledger.
The Chain of Custody: trace the initial transaction from the victim’s wallet or other known address, following the funds block-by-block, transaction-by-transaction. We want to see where the money is accumulating.
Clustering: blockchain forensic tools are designed to recognize that even if a criminal uses hundreds of different wallet addresses, many of them are ultimately controlled by the same person. For example, if two different addresses send money into a single transaction (a “common spend”), the software will cluster those two addresses, tagging them as likely belonging to the same entity. One common analogy is that of an individual who uses 100 different P.O. boxes but always uses the same return address on their checks.
Step two involves identifying the off-ramps, where criminals eventually convert stolen digital assets into tangible cash, such as US Dollars, gift cards, or foreign currency like Euros. This point, known as the “off-ramp,” represents the weakest link in their process.
KYC Requirement: When converting cryptocurrency to fiat currency, criminals usually use a Centralized Exchange (CEX), like a regulated trading platform. These platforms are legally required to comply with Know Your Customer and Anti-Money Laundering regulations.
Links: To withdraw cash, a criminal must register a real identity comprising a photo ID, physical address, and bank account with the CEX.
Confirmation: Once your blockchain analysis in Step 1 identifies a wallet address associated with a regulated CEX, you can issue a legal demand, such as a search warrant or grand jury subpoena. The exchange then releases the personal identity data they have collected (hopefully). The pseudonymous account is thus linked to a name, date of birth, and bank account, breaking the pseudonymity.
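To make Steps 1 and 2 concrete, here is a small added example (not from the newsletter, and not the code of any analytics vendor) that does both on a constructed transaction set: it follows funds hop by hop from the victim's address, clusters input addresses with the common-spend heuristic, and flags any hop that lands on an address carried in a label table. The transactions, the addresses and the “PLACEHOLDER_EXCHANGE” label are all made up for the example; a real workflow would pull transactions from a node or indexer and the labels from an attribution data set.

```python
"""Toy fund tracing and common-spend clustering (added illustration, constructed data)."""
from collections import defaultdict, deque

# Constructed sample ledger: (txid, input addresses, [(output address, amount)]).
# None of these are real transactions or addresses.
SAMPLE_TXS = [
    ("tx1", ["victim_addr"], [("crim_A", 1.0)]),              # victim pays the scammer
    ("tx2", ["crim_A"], [("crim_B", 0.6), ("crim_C", 0.4)]),  # scammer splits the funds
    ("tx3", ["crim_B", "crim_C"], [("crim_D", 0.99)]),        # common spend: B and C fund one tx
    ("tx4", ["crim_D"], [("exch_deposit_1", 0.98)]),          # deposit to a labelled address
    ("tx5", ["unrelated_X"], [("unrelated_Y", 5.0)]),         # unrelated noise
]

# Constructed label table standing in for an analytics tool's attribution data.
KNOWN_LABELS = {"exch_deposit_1": "PLACEHOLDER_EXCHANGE (CEX)"}


class UnionFind:
    """Disjoint-set structure used to merge addresses into clusters."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_by_common_spend(txs):
    """Common-input heuristic: all inputs of one transaction are assumed to share an owner.

    Returns {cluster_key: set(addresses)}; the key is the lexically smallest member.
    Addresses that never co-spend stay in singleton clusters.
    """
    uf = UnionFind()
    for _, inputs, outputs in txs:
        for addr in inputs:
            uf.find(addr)            # register every address, even if alone
        for addr, _amt in outputs:
            uf.find(addr)
        for addr in inputs[1:]:
            uf.union(inputs[0], addr)
    clusters = defaultdict(set)
    for addr in list(uf.parent):
        clusters[uf.find(addr)].add(addr)
    return {min(members): members for members in clusters.values()}


def trace_funds(txs, start_addr):
    """Breadth-first walk from start_addr along spends of its outputs.

    Returns hops as (txid, tuple_of_input_addrs, output_addr, amount) in discovery order.
    """
    by_input = defaultdict(list)
    for txid, inputs, outputs in txs:
        for addr in inputs:
            by_input[addr].append((txid, inputs, outputs))
    seen_tx, hops = set(), []
    queue, visited = deque([start_addr]), {start_addr}
    while queue:
        addr = queue.popleft()
        for txid, inputs, outputs in by_input[addr]:
            if txid in seen_tx:
                continue             # a multi-input tx is reported once
            seen_tx.add(txid)
            for out_addr, amount in outputs:
                hops.append((txid, tuple(inputs), out_addr, amount))
                if out_addr not in visited:
                    visited.add(out_addr)
                    queue.append(out_addr)
    return hops


def find_off_ramps(txs, start_addr, labels):
    """Trace from start_addr and report hops that land on a labelled (e.g. exchange) address."""
    clusters = cluster_by_common_spend(txs)
    addr_to_key = {a: key for key, members in clusters.items() for a in members}
    hits = []
    for txid, inputs, out_addr, amount in trace_funds(txs, start_addr):
        if out_addr in labels:
            hits.append({
                "txid": txid,
                "address": out_addr,
                "amount": amount,
                "label": labels[out_addr],
                "sender_cluster": sorted(clusters[addr_to_key[inputs[0]]]),
            })
    return hits


if __name__ == "__main__":
    for hop in trace_funds(SAMPLE_TXS, "victim_addr"):
        print(hop)
    print(cluster_by_common_spend(SAMPLE_TXS))
    print(find_off_ramps(SAMPLE_TXS, "victim_addr", KNOWN_LABELS))
```

Two things worth noticing when you run it. The common-spend heuristic merges only crim_B and crim_C (they co-sign tx3); it says nothing about crim_A or crim_D, which is why tracing the transaction graph and clustering are separate steps that reinforce each other. And the single hit, tx4 into the labelled deposit address, is the point where the legal demand in the Confirmation step becomes possible.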
The smarter criminals are aware of Steps 1 and 2, so they attempt to hide their tracks by using services such as mixers or tumblers. These tools collect funds from many users and then distribute them randomly to new addresses. The goal is to make it appear as if the illicit coins originate from a random pool, concealing their true source.
However, this approach isn’t foolproof.
Next week, we’ll look at mixers, tumblers, and other obfuscation tools.
This is a great video to illustrate the concepts of pseudonymity and traceability on the blockchain.
The News…
David Maimon and Sentilink continue to provide valuable insights. Research shows that NBA and NFL draft prospects experience identity theft attempt rates about five times higher than the general U.S. population. Fraudsters systematically exploit publicly accessible personal data before these athletes become household names. Analyzing 288 NBA and 1,292 NFL draft prospects against account opening applications since 2020 found an overall identity theft attempt rate of approximately 10%, rising to 20% for NBA prospects with application activity. This is significantly higher than the 2-3% baseline for the broader population. The main targets are consumer lending, demand deposit accounts, auto loans, and telecom services, using publicly available info like birthdates, hometowns, addresses, family names, and AI-manipulated images. Quarterly data from 2021-2025 shows a consistent rise in high-risk applications, indicating that identity thieves increasingly target young athletes long before they turn professional, with the trend accelerating as more athlete data becomes available online. https://resources.sentilink.com/blog/the-identity-theft-risk-profile-of-nba-and-nfl-draft-prospects
You might be thinking, “another ransomware report..so what?”. FinCEN has released a Financial Trend Analysis detailing ransomware incidents reported between 2022 and 2024, revealing over $2.1 billion in ransomware payments during this period. The report highlights that 2023 saw the highest number of ransomware incidents and payments, with the financial services, manufacturing, and healthcare sectors being the most affected. The organization believes you should read this report… because…it’s different, no really… “Today’s report shifts the focus to the incident date of each ransomware attack and offers greater visibility into the activities conducted by ransomware actors”. https://www.fincen.gov/system/files/2025-12/FTA-Ransomware.pdf
Reporters Without Borders needs to read Threats Without Borders! The Russia-linked Star Blizzard APT targeted Reporters Without Borders (RSF) in March with a phishing attack. The attack involved spoofed emails, a compromised website, and a ProtonDrive link to a PDF. https://rsf.org/en/rsf-targeted-cyberattack-attributed-group-reportedly-linked-russian-intelligence
How does Carpenter v. United States impact CSAM investigations involving BitTorrent networks? Specifically, when law enforcement uses tools like Torrential Downpour to monitor BitTorrent swarms for known CSAM by downloading files from publicly shared IP addresses. Courts have consistently dismissed Carpenter-based challenges in BitTorrent cases, ruling that users lack a reasonable expectation of privacy in files voluntarily shared on public P2P networks. Nonetheless, an open question remains: whether extensive, long-term ICAC dragnet monitoring of BitTorrent swarms combined with ISP subscriber lookups should require warrants under Carpenter’s doctrine, as the difference between one-time public downloads and prolonged surveillance may be an unexamined aspect of the Fourth Amendment. https://lucidtruthtechnologies.com/carpenter-decision-and-ip-based-investigations/
Yes, Macs get malware. Moonlock’s 2025 macOS Threat Report explains how. https://moonlock.com/2025-macos-threat-report
Huntress examines five of the top email phishing techniques of 2025. https://www.huntress.com/blog/five-shady-phishing-email-techniques-we-spotted-in-2025
FalconFeeds considers the concept of “Digital Safe Havens,” jurisdictions that provide legal, political, or judicial protection to cybercriminals and nation-state actors, enabling them to operate with impunity. These safe havens undermine global efforts to combat cybercrime by creating legal loopholes, hindering extradition cooperation, and offering political shielding. FF highlights the economic impact of cybercrime, with projected global losses reaching $265 billion annually by 2031, and outlines the challenges in international law enforcement, including weak cybercrime legislation, limited enforcement capabilities, and geopolitical conflicts. https://falconfeeds.io/blogs/digital-safe-havens-global-cybercrime-impunity
Censys considers using Cobalt Strike to find…Cobalt Strike. https://censys.com/blog/using-cobalt-strike-to-find-more-cobalt-strike
A phishing campaign is targeting business ad management accounts through Calendly-themed lures disguised as job opportunities from companies like LVMH, Lego, and Mastercard. The attackers used multiple variants employing Attacker-in-the-Middle (AiTM) techniques to compromise Google Workspace and Facebook Business accounts, with advanced evasion tactics like multi-stage emails, CAPTCHA checks, domain-specific targeting, and Browser-in-the-Browser pop-ups to avoid detection by security tools. https://pushsecurity.com/blog/uncovering-a-calendly-themed-phishing-campaign
The FBI issued a Public Service Announcement concerning “virtual kidnapping”. https://www.ic3.gov/PSA/2025/PSA251205
Cool Job
Director of Fraud, Publix Employees Federal Credit Union. https://recruiting.ultipro.com/PUB1005PEFCU/JobBoard/9fd496f2-3b7d-4799-812c-faee446800c6/OpportunityDetail?opportunityId=52E70201-F36E-480C-9BB5-BAA750A7BE7E
Cool Tool
(Maybe not so cool) Has your vehicle been recorded by a Flock camera and then leaked? https://haveibeenflocked.com/
Irrelevant
This study confirmed a connection between “dark web” usage and mental health issues. Yeah, no shit.
These people are so out of pocket - “Researchers encourage mental health professionals and policymakers to recognize these hidden online spaces as important areas for outreach, as many vulnerable individuals may turn to the dark web seeking anonymity, information and a sense of community”. Yeah, a community of depravity and criminality.
https://www.fau.edu/newsdesk/articles/dark-web-mental-health
Sign Off
It’s cold here in the Mid-Atlantic region.
That’s it. Cold.
Thanks for stopping by. See you all next Tuesday.
Matt.
“IF YOU ARE GOING TO DO SOMETHING STUPID, BE SMART ABOUT IT.”
Published every Tuesday, Threats Without Borders offers original commentary and educational pieces related to cybercrime investigations and information security topics. We also summarize and comment on news articles concerning active threat intelligence for the financial industry. The newsletter interests everyone tasked with cybersecurity or involved in preventing or investigating technology-enabled fraud, theft, or money laundering.
Legal: I am not compensated by any entity for writing this newsletter. Obviously, anything written in this space is my own nonsensical opinions and doesn’t represent the official viewpoint of my employer or any associated organization. Blame me, not them.
