While every day someone new appears online self-proclaiming themselves as a rockstar, warrior, or champion, in the fight against cyber fraud, Gary Warner continues to crush it, without flare, pomp, or circumstance, just as he has for years.

This week, he absolutely slayed the Financial Times and their new documentary highlighting (allegedly) the extent of cybercrime victimization.

Wouldn’t you love to have been in the room when the writers, producers, and executives of this documentary read Gary’s breakdown of the actual numbers? Of course, they were probably too exhausted from the congratulatory backslapping to actually comprehend their own destruction.

Yes, I know, you shouldn’t throw out the baby with the bathwater. Just because the math is fuzzy doesn’t mean the rest of the documentary is worthless.

Maybe, but I think I’ll stick with Gary. And you probably should too.

Internet searches are not private - at least not in Pennsylvania

The Pennsylvania Supreme Court in Commonwealth v. Kurtz ruled that basic Google searches are not protected by Fourth Amendment or state privacy rights. The court upheld the use of a “reverse keyword warrant” that helped police identify and convict a suspect in a 2018 kidnapping and rape case. Applying the “third-party doctrine,” the court said users who search on Google without privacy tools share their queries with the company and accept the risk of law enforcement access. While this ruling only covers “general, unprotected internet use” and leaves room for stronger privacy claims through VPNs or private browsing.

Here is the actual decision: https://www.pacourts.us/assets/opinions/SUPREME/out/J-36A-2024oajc%20-%20106611829340009817.pdf

And the obligatory opinion by Prof. Kerr: https://reason.com/volokh/2025/12/16/are-there-fourth-amendment-rights-in-google-search-terms/

Mail

My wife and I thought there was a marching band competition our first time to Nashville. Sadly, we found it was only the kids drumming on buckets. Thanks for the laugh. - KP

Matt, congratulations on your first trip to Smashville. It’s a great place. You can go back in August to attend the IAFCI training conference. -AG

The News…

Last week, I spoke to a local civic group and told about a time when I threatened a bank official with arrest because they let an eighty-nine-year-old leave with nine thousand dollars in cash, which she immediately sent via FedEx to another state. Now, as THE bank official, I see things differently. Here is a case where an elderly woman from New York lost her entire $700,000 life savings to a complex scam that started in August 2023, after false pop-up warnings claimed her accounts were hacked. Over nine months, scammers persuaded her to make unusual withdrawals and wire transfers, claiming it was to protect her funds by converting them to gold, including $275,000 from Merrill Lynch, $150,000 from TD Bank, and over $100,000 from UBS. Her family has filed a lawsuit against the banks for negligence, stating they failed to flag suspicious activity despite her never withdrawing more than $5,000 in over 30 years. https://www.forbes.com/sites/steveweisman/2025/12/21/elderly-woman-loses-700000--to-scam-banks-accused-of-ignoring-red-flags/

This Splunk blog examines over 213 million domain registrations from 2023-2025 to show how cybercriminals quickly set up fraudulent infrastructure in response to current events. The study highlights three main patterns: natural disasters like the 2025 LA Palisades Fire lead to immediate increases in fake donation and relief sites; cryptocurrency events, such as Bitcoin reaching all-time highs, result in significant fraud activity with lasting effects like financial grooming scams; and financial instability, especially due to insurance rate hikes in 2024, prompts waves of phishing domains. The research reveals that attackers frequently capitalize on public attention during crises, with malicious domains often appearing within hours of major events. This suggests that defenders can anticipate emerging threats by monitoring new domain registrations containing relevant keywords and suspicious features during ongoing events. https://www.splunk.com/en_us/blog/security/insights-from-domain-registration-trends.html

Attackers are using advanced phishing kits that directly target authentication flows, bypassing MFA and enabling real-time session theft. These kits are marketed based on capabilities rather than specific tools, reflecting a mature ecosystem. Phishing infrastructure is now cloud-native and Kubernetes-backed, allowing for rapid scaling and high availability. Flare shows us how these phish kits work. https://flare.io/learn/resources/blog/phishing-kits-an-interactive-deepdive/

Malwarebytes breaks down a phishing campaign that uses a purchase order as bait. https://www.malwarebytes.com/blog/threat-intel/2025/12/inside-a-purchase-order-pdf-phishing-campaign

The social searcher blog offers strategies for turning real names into usernames. https://www.social-searcher.com/2025/12/12/how-to-find-social-accounts-by-real-name-the-reverse-strategy/

Two Maryland men have pleaded guilty to conspiring in a money-laundering scheme involving more than $11 million. The conspiracy, which began in 2021, involved wire fraud proceeds laundered through shell companies and encrypted communications. https://thebaynet.com/maryland-men-plead-guilty-in-multi-million-dollar-money-laundering-conspiracy/

A coordinated cybercrime crackdown across 19 African countries, resulted in 574 arrests and the recovery of approximately USD 3 million in illicit funds. The operation targeted business email compromise (BEC), digital extortion, and ransomware, taking down over 6,000 malicious links and decrypting six ransomware variants. And they’ll all be back online within 48 hours. https://www.interpol.int/fr/Actualites-et-evenements/Actualites/2025/574-arrests-and-USD-3-million-recovered-in-coordinated-cybercrime-operation-across-Africa

DFIR

Cofense highlights how threat actors leverage built-in Windows features, such as registry keys and scheduled tasks, to establish and maintain persistence of malware, ensuring continued access to compromised systems. Recognizing these persistence techniques is essential for detecting and preventing attackers from maintaining long-term access. https://cofense.com/blog/windows-persistence-explained-techniques,-risks,-and-what-defenders-should-know

Cool Tool

Insta OSINT - https://github.com/banaxou/hostagram

Keep track of all the gift cards you get this week. https://www.cardlyai.app/

See if a domain is on the dmarc blacklist. https://dmarcly.com/tools/blacklist-checker

Cool Job

Manager of Law Enforcement Response, xAI. https://job-boards.greenhouse.io/xai/jobs/4959528007

Irrelevant

Breaking news: the U.S. Government has banned all foreign-made drone and UAV parts, including those from DJI. Existing stock is exempt, so that drone gathering dust in your closet—perhaps unused for years—has suddenly skyrocketed in value.

https://edition.cnn.com/2025/12/23/business/us-ban-foreign-drones-dji-intl-hnk

Sign Off

Welcome new subscribers. Old subscribers, thank you for returning.

I wish you all a Merry Christmas and hope for nothing but the best for you and your families this holiday season!

Take it easy on the egg-nog and I’ll see you all next Tuesday.

Matt

Published every Tuesday, Threats Without Borders offers original commentary and educational pieces related to cybercrime investigations and information security topics. We also summarize and comment on news articles concerning active threat intelligence for the financial industry. The newsletter interests everyone tasked with cybersecurity or involved in preventing or investigating technology-enabled fraud, theft, or money laundering.

Legal: I am not compensated by any entity for writing this newsletter. Obviously, anything written in this space is my own nonsensical opinions and doesn’t represent the official viewpoint of my employer or any associated organization. Blame me, not them.