I recently saw a social media post in which a young woman mentioned her earnings from Sugar Sites. How sweet!

Let’s start from the beginning: What is “Sugaring”?

Sugar dating is a relationship arrangement in which one person, often referred to as a “sugar daddy” or “sugar mommy,” provides financial support, gifts, or other benefits to another person, known as a “sugar baby,” in exchange for companionship, which can range from casual dating, to a single instance of sex, to regularly scheduled encounters. These arrangements are often facilitated through specialized websites and apps designed to connect potential sugar daddies/mommies with sugar babies.

Sounds like prostitution to me. Let’s check: Prostitution -- The act of exchanging sex or intimate companionship for financial compensation.

Yep. Checks out.

Unfortunately, we’ve reached a point in society where shame and stigma no longer exist. One of the most popular sugar sites, Sugarbook, uses the tagline “Where Romance Meets Finance.”

So yeah, there are many morally compromised people on these sites, which creates the perfect environment for fraud.

Scammers exploit the sugar dating model by targeting those looking for companionship or financial help. They begin with fake profiles, using attractive photos and persuasive bios to attract potential sugar babies or daddies. Often, they pretend to be wealthy and generous daddies offering significant financial support, or desirable sugar babies with the physical attractiveness seen only in the modeling industry.

Here are some common tactics used by scammers in the sugar-dating world:

• Advance Fee Fraud: The scammer promises to send money or gifts but first asks the victim to pay a fee, such as a processing fee, customs fee, or a payment to verify their identity. Once the fee is paid, the scammer disappears. Yes, gift cards are the preferred currency.

• Phishing for Personal Information: Scammers ask for personal information, including banking details, Social Security numbers, or other personal data under the guise of setting up direct deposits or verifying identity. This information is then used for identity theft or sold in criminal markets.

• Money Laundering: Scammers ask sugar babies to receive funds and then transfer them to another account, making the sugar baby an unwitting participant in money laundering activities. AKA Money Mule!

• Romance Scams: Scammers exploit the emotional aspect of sugar dating by faking a romantic interest to gain trust. Once trust is established, they concoct stories about financial emergencies, asking for money to cover medical bills, legal fees, or travel expenses.

This goes both ways… scammers impersonate the daddies and mommies to scam the babies, and scammers impersonate the babies to scam the daddies.

And most of this crime never gets reported to law enforcement. How do you explain why you were meeting people through one of these websites?

Oh, that’s right, they were seeking to hire a “personal assistant”.

The News…

At any given point, 50% of mobile devices connected to the Internet are running outdated versions of their operating system - Zimperium Mobile Threat Report. https://lp.zimperium.com/hubfs/Reports/2025%20Global%20Mobile%20Threat%20Report.pdf?hsLang=en

The SEC accused multiple crypto trading platforms and investment clubs of defrauding US retail investors of more than $14 million via a social media scam. These platforms falsely claimed to be government-licensed and promoted fake Security Token Offerings. https://www.sec.gov/files/litigation/complaints/2025/comp-pr2025-144.pdf

The U.S. government seized the ‘web3adspanels.org’ domain used by cybercriminals to host stolen bank login credentials. The FBI identified at least 19 victims in the U.S., with attempted losses of $28 million and actual losses of $14.6 million. https://www.justice.gov/usao-ndga/pr/justice-department-announces-seizure-stolen-password-database-used-bank-account

Flare explores how cybercriminals exploit cryptocurrency for illegal activities and how investigators can track them. Of course, readers of Tw/oB already know all of this! https://flare.io/learn/resources/blog/investigating-cybercrime-crypto-underground/

Aflac disclosed a data breach affecting 22.65 million people, exposing personal information, including Social Security numbers and health data. The breach may be linked to a cybercriminal organization known as “Scattered Spider,” which targets the insurance industry. https://techcrunch.com/2025/12/23/us-insurance-giant-aflac-says-hackers-stole-personal-and-health-data-of-22-6-million-people/

DFIR

Flashpoint notes 800% increase in credential theft since early 2025 that has compromised over 1.8 billion accounts. The article details three key tactics threat actors use to bypass security defenses: manipulating Windows’ Mark of the Web protection through drag-and-drop social engineering, exploiting vulnerabilities in trusted processes like Chrome, and targeting less-secure alternative software with weaker protections. https://flashpoint.io/blog/the-infostealer-gateway-uncovering-latest-methods-defense-evasion/

Cool Tool

Elcomsoft makes several of its forensic tools free to download and use. https://www.elcomsoft.com/news/873.html

The official release of Parrot OS 7 is available for download. https://parrot.sh/blog/2025-12-24-parrot-7.0-release-notes/

Cool Job

Global Financial Crimes Training Officer, Morgan Stanley. https://morganstanley.eightfold.ai/careers/job?domain=morganstanley.com&pid=549785402892&src=JB-10147

Feedback: matt (at) threatswithoutborders.com

Irrelevant

It’s been a while since I did this, and with the year ending, it’s the perfect time for an app review. Which applications have made it to my mobile device’s homescreen in 2025?

From the top - Left to Right

Settings - Mandatory

Photos - Of course

Clock - I need to wake up in the morning

Bible App - I try to be a good person

Coinbase - Someday my Shib boat will come in! I currently own 28 crypto assets, and I’ve found that Coinbase is the best brokerage for managing them.

SoFi - I needed a separate bank account to keep my crypto activity separate from my main financial accounts, so I opened one with SoFi. It’s been a really good experience, and they're allegedly releasing a cryptocurrency exchange as part of their standard service.

Ring - Home surveillance. If you come to my home, you will be surveilled.

Substack - Obvious

LastPass - Yes, they had a little security issue, but it’s a great password manager, and I think probably one of the most secure at this point. What’s the safest airline to fly on? The one that just had a failure.

Weather - I need to know how to dress for the day

Bear is my preferred note app. There really isn’t a better choice if you’re committed to the Apple ecosystem. It offers a beautiful and seamless experience. While Apple Notes is improving, it still lacks the polish and customization that Bear provides. Using Bear makes me happy.

Brave is the best web browser for security and privacy. Not as integrated as Safari, but I’ll sacrifice some functionality for privacy.

Proton Mail - A great privacy-based and free, email service

Spotify - I never thought I’d pay for music, but my youngest son gave me a 3-month subscription as a gift, and I’ve never looked back. It’s a really great experience, and the AI DJ is spot on (most of the time).

Things is a really well-done task management app made exclusively for Apple products. It’s how I GSD.

Waze - I’d literally be lost without it. It blows my mind that an app this good is still free. It makes all the other travel routing apps look childish. It’s earned my trust to the point that when it tells me to divert from my initial route, I do it. Even if I already know where I’m going.

Snapchat - My kids won’t answer my phone calls, but a Snap gets an immediate response.

DraftKings - I like to throw my money away. I am going to start extorting NFL players: pay me 100 per week, or I’ll include you in my parlay, which guarantees you will not score a TD.

Instagram - A good way to keep up with family and friends. Reels can suck me in, though, and I have to watch not to get caught up in doom scrolling. I’ve literally lost hours.

Signal - Please use this as your encrypted messaging application.

Dunkin Donuts - Every day. I currently have 2029 reward points. I probably spend way too much money on coffee.

Calendar - My schedule can be hectic, so I need to know where I should be and at what time. I also use a Blue Sky paper calendar because I prefer to see my entire schedule laid out at once. I find that maintaining two calendars - one digital and one analog - keeps me more focused and responsible.

HearMax app - Pro Tip for young police officers: when they tell you to wear hearing protection at the range, wear it - and those little foam plugs don’t count. Hearing loss sucks. Wearing hearing aids sucks. Protect your hearing.

ReSound app - See above. I have hearing loss-induced tinnitus, so I hear a high-frequency white noise in my left ear 24/7. This app offers different sounds to provide some relief. I listen to crickets. Yep, crickets chirp at the same frequency as my tinnitus, so sometimes when you’re talking to me, I’m literally hearing crickets.

Next week, I’ll review my favorite Mac apps.

Sign Off

Thank you for your loyalty to the newsletter in 2025. I understand there’s a lot of competition for your attention, and I don’t take it for granted that you’ll return here every Tuesday.

Wishing you all a happy New Year and even greater success than you can imagine. 2026.

Matt

“An optimist stays up until midnight to see the new year in. A pessimist stays up to make sure the old year leaves.” —Bill Vaughan

Published every Tuesday, Threats Without Borders offers original commentary and educational pieces related to cybercrime investigations and information security topics. We also summarize and comment on news articles concerning active threat intelligence for the financial industry. The newsletter interests everyone tasked with cybersecurity or involved in preventing or investigating technology-enabled fraud, theft, or money laundering.

Legal: I am not compensated by any entity for writing this newsletter. Obviously, anything written in this space is my own nonsensical opinions and doesn’t represent the official viewpoint of my employer or any associated organization. Blame me, not them.