Threats Without Borders - Issue 279
Cybercrime Investigation Newsletter, Week ending March 22, 2026
So many times when we think of “cybercrime” or crime facilitated through the use of technology and the Internet, we think of the usual suspects - network intrusions with data theft, ransomware, DDoS attacks, investment and romance scams, email phishing… or any of the other crimes detailed in the Internet Crime Complaint Center’s yearly report.
Rarely do we ever think of music fraud. And certainly not music fraud involving AI-created music and a massive botnet that generates millions of “listens” across a dozen streaming services.
A North Carolina man has admitted guilt in a widespread music streaming fraud that occurred from 2017 to 2024. He used AI-generated songs and up to 10,000 bot accounts simultaneously to artificially inflate streaming counts on platforms such as Spotify, Apple Music, Amazon Music, and YouTube Music, resulting in billions of fake streams. To evade detection, he used VPNs and distributed activity across hundreds of thousands of tracks. Through this operation, he generated over $8 million in royalties.
Posting AI-generated music on streaming services isn’t illegal. The crime lies in using countless zombie machines to “listen” to the music.
He exploited technology and the Internet to set up a situation where victim businesses paid him money that he didn't legitimately earn. And 8 million dollars isn’t chump change.
Fraud is as old as time, and most schemes are not new, but the convergence of financial crime and the Internet continually takes us into new territory and pushes the boundaries of “cybercrime”.
Audit PTO
When providing fraud-prevention training to business owners and executives, I emphasize the importance of job rotation and mandated paid time off (PTO).
I often cite an investigation I was involved in where the suspect employee hadn’t taken any vacation for seven years. Although she took occasional days off around holidays, she never scheduled a full week off during that period.
She operated a sophisticated refund scheme, funneling refunds into her own accounts, and she knew that anyone who stepped into her role could uncover her fraud. Her eventual exposure came when a new accounting software flagged irregularities during a routine audit.
Over those seven years, she embezzled more than $200,000 from her employer.
This case from a Pennsylvania casino is the latest example of an insider executing a scam that could have been quickly uncovered if someone else had briefly stepped into the role. In fact, that’s precisely how she was caught:
When Petrillo was on medical leave, an employee at the casino’s horse racing office assisted with the office paperwork. Police said that’s when the employee discovered the discrepancies.
At least once a year, every financial role in the organization should be temporarily filled by another person for a few days. This practice not only helps prevent fraud but also enhances redundancy and recovery options. If someone refuses to take a week off, it should be forced.
An employee who refuses to use their Paid Time Off is a huge red flag… in more ways than one.
This employee stole over $700,000. And it’s so preventable.
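The mandatory-time-off rule above is easy to state and easy to let slip. The following Python script is an added example, not something from the newsletter or from either of the cases it describes: it walks a roster and a list of absence records and flags anyone in a money-handling role who has not had a block of at least five consecutive workdays off in the past year. The role list, the five-workday threshold (standing in for “a full week”), the 365-day lookback and every employee and date in it are constructed for illustration. Weekends do not break a run, so a Thursday-to-Wednesday absence counts as a full week just as a Monday-to-Friday one does.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Roles where one person can move money or adjust refunds; only these get
# the mandatory time-off check. Constructed list for this example.
FINANCIAL_ROLES = {"accounts payable", "accounts receivable", "treasury",
                   "controller", "cashier", "payroll"}


@dataclass(frozen=True)
class Absence:
    employee: str
    start: date   # first day away, inclusive
    end: date     # last day away, inclusive


def next_workday(d: date) -> date:
    """Return the next Monday-to-Friday date after d (skips Sat/Sun)."""
    d += timedelta(days=1)
    while d.weekday() >= 5:  # 5 = Saturday, 6 = Sunday
        d += timedelta(days=1)
    return d


def prev_workday(d: date) -> date:
    """Return the previous Monday-to-Friday date before d."""
    d -= timedelta(days=1)
    while d.weekday() >= 5:
        d -= timedelta(days=1)
    return d


def workdays_off(absences, window_start: date, window_end: date) -> set:
    """Set of Mon-Fri dates covered by the absences, clipped to the window."""
    days = set()
    for a in absences:
        d = max(a.start, window_start)
        last = min(a.end, window_end)
        while d <= last:
            if d.weekday() < 5:
                days.add(d)
            d += timedelta(days=1)
    return days


def longest_consecutive_workdays(days_off: set) -> int:
    """Longest run of consecutive workdays in days_off; weekends bridge runs."""
    best = 0
    for d in days_off:
        if prev_workday(d) in days_off:
            continue  # not the start of a run
        run, cur = 0, d
        while cur in days_off:
            run += 1
            cur = next_workday(cur)
        best = max(best, run)
    return best


def audit_pto(roster: dict, absences, as_of: date,
              lookback_days: int = 365, min_run: int = 5) -> dict:
    """Map employee -> (role, longest block of workdays off, flagged).

    Only employees in FINANCIAL_ROLES are audited. flagged is True when the
    employee had no block of at least min_run consecutive workdays off
    within the lookback window ending at as_of.
    """
    window_start = as_of - timedelta(days=lookback_days)
    by_emp = {}
    for a in absences:
        by_emp.setdefault(a.employee, []).append(a)
    findings = {}
    for emp, role in roster.items():
        if role not in FINANCIAL_ROLES:
            continue
        days = workdays_off(by_emp.get(emp, []), window_start, as_of)
        longest = longest_consecutive_workdays(days)
        findings[emp] = (role, longest, longest < min_run)
    return findings


# Constructed sample roster and absence records (hypothetical people/dates).
ROSTER = {
    "A. Clerk": "accounts payable",
    "B. Analyst": "treasury",
    "C. Engineer": "software engineering",   # not a financial role, skipped
    "D. Controller": "controller",
    "E. Cashier": "cashier",                 # no time off at all in the window
}
ABSENCES = [
    Absence("A. Clerk", date(2025, 12, 24), date(2025, 12, 26)),        # Wed-Fri, 3 workdays
    Absence("A. Clerk", date(2026, 2, 16), date(2026, 2, 16)),          # one Monday
    Absence("B. Analyst", date(2025, 7, 7), date(2025, 7, 11)),         # Mon-Fri, full week
    Absence("D. Controller", date(2025, 11, 27), date(2025, 11, 28)),   # Thu-Fri ...
    Absence("D. Controller", date(2025, 12, 1), date(2025, 12, 3)),     # ... Mon-Wed, bridges weekend
]
AS_OF = date(2026, 3, 22)

if __name__ == "__main__":
    for emp, (role, longest, flagged) in audit_pto(ROSTER, ABSENCES, AS_OF).items():
        status = "FLAG: no full week off" if flagged else "ok"
        print(f"{emp:14} {role:18} longest block: {longest} workdays  {status}")
```

Run as-is it flags A. Clerk (longest block three workdays, the holiday pattern from the refund case) and E. Cashier (no time off at all), and clears B. Analyst and D. Controller. Feed it an export from the HR or payroll system once a year and the list of people to rotate out of their role writes itself.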
The News…
Holy... we’re smoked. Although it is partly a pitch for their own product, this article by Sublime Security describes a new attack that masquerades as a Zoom meeting invite but results in the recipient installing malware on their Windows PC. The extent to which the attackers go to pull this off is impressive. They even run a JavaScript-enabled Zoom meeting simulation in the browser session - complete with technical difficulties. Anyone who has ever worked at a Help Desk or in a role involving regular interaction with non-technical users knows this issue will have a significant impact on unsecured organizations that use Zoom. https://sublime.security/blog/advanced-fake-zoom-installer-used-for-delivering-malware/
Keep your iPhone updated, and these exploits will not be so bothersome. In fact, not at all. The Google Threat Intelligence Group reports the “DarkSword” exploit for Apple iPhone devices has been adopted by multiple threat actors since November 2025. The exploit chain uses six zero-day vulnerabilities to fully compromise iOS devices running versions 18.4-18.7. For the record, you should be on some version of iOS 26, preferably 26.3.1 (at the time of this writing). https://cloud.google.com/blog/topics/threat-intelligence/darksword-ios-exploit-chain
SEC will vote on reducing the quarterly reporting requirement to twice a year. https://www.reuters.com/business/finance/us-sec-preparing-eliminate-quarterly-reporting-requirement-wsj-says-2026-03-16/
Ok, this scam needed to be shut down, but are there actual victims here? Law enforcement authorities from 23 countries carried out *Operation Alice*, a major crackdown on a dark web network run by a 35-year-old in China. Over five years, he operated more than 373,000 fraudulent Tor domains, promoting child sexual abuse material (CSAM) and cybercrime-as-a-service (CaaS). He defrauded around 10,000 customers of over $345,000 in Bitcoin, without ever delivering the promised content. While the sites claimed to offer CSAM “packages” ranging from gigabytes to terabytes, they were entirely fake and victims were never supplied with the material. Europol coordinated international intelligence efforts, tracked cryptocurrency transactions, and helped identify the operator, who used up to 287 servers worldwide. https://www.europol.europa.eu/media-press/newsroom/news/global-cybercrime-crackdown-over-373-000-dark-web-sites-shut-down
Pennsylvania Attorney General Dave Sunday announced that the leader of a criminal organization that defrauded central Pennsylvania banks and their customers of more than $3 million has been sentenced to prison and ordered to pay more than half-a-million dollars in restitution. https://www.attorneygeneral.gov/taking-action/ringleader-in-multi-million-dollar-central-pa-bank-fraud-scheme-sentenced-to-prison/
Bank and credit union compliance software provider Marquis confirmed that a data breach discovered in August 2025 affected approximately 672,000 individuals, which is much less than the previously estimated 1.6 million. Of course, that doesn’t make it any better, just less impactful. The attackers stole sensitive personal and financial information, including names, addresses, Social Security numbers, dates of birth, and payment card numbers from dozens of the financial institutions Marquis serves. https://www.securityweek.com/marquis-data-breach-affects-672000-individuals/
DFIR
Andrea Fortuna introduces the DFIR Toolkit. https://andreafortuna.org/2026/03/17/dfir-toolkit
Cool Job
Criminal Intelligence Analyst, Group 9. https://groupnine.us/careers/
Cool Tool
I was a longtime user of Evernote, but left when it was bought by Bending Spoons, and they priced it out of reality. I’ve since switched to the fantastic notes app Bear, but it's only available on Apple devices. So, for you Windows users still feeling the loss of Evernote - try Cimanote. “Cimanote is the fast, clean note-taking app for people tired of Evernote's bloat and price hikes. Sign up today — your first year is completely on us.” https://cimanote.com/
Irrelevant
More evidence that not all addictions are bad. This long-term study discovered that moderate intake of caffeinated coffee or tea was associated with an 18% lower risk of dementia and improved cognitive performance over time. https://www.sciencedaily.com/releases/2026/03/260318033138.htm
Get Learned
SLEUTHCON is a forum for identifying and exploring cybercrime and financially-motivated threats. Friday, June 5, 2026. Arlington, VA and Virtual. https://www.sleuthcon.com/
Delaware Fraud Working Group, Full-Day Fraud Prevention Summit. Thursday, April 2, 2026. Wilmington, DE. https://www.eventbrite.com/e/delaware-fraud-working-group-full-day-fraud-prevention-summit-tickets-1982375409213
Late Breaking
If you think you need a new router, buy one now. The FCC plans to ban all foreign-made routers. While this isn’t necessarily a bad thing and will certainly benefit the American tech industry, the issue is that nearly every router is made entirely, or at least with parts from, outside the U.S. Once this rule is enforced, American manufacturers won't be able to meet the demand for a long time. When I searched for American-made routers, the only one I found that is made entirely in the U.S. is Starlink. Hmm. Is that a coincidence? https://docs.fcc.gov/public/attachments/DOC-420034A1.pdf
Sign Off
The best news of the week is that by Friday, the RSAC Conference will be over, and our inboxes will be free from the daily influx of emails from salespeople asking to “connect” during the event.
Thanks again for opening another issue of the newsletter. Cheers to sunshine and warmer weather!
Matt
“YOU WILL NEVER START ANYTHING IF YOU ALWAYS WAIT UNTIL YOU ARE FULLY READY.”
Published every Tuesday, Threats Without Borders offers original commentary and educational pieces related to cybercrime investigations and information security topics. We also summarize and comment on news articles concerning active threat intelligence for the financial industry. The newsletter interests everyone tasked with cybersecurity or involved in preventing or investigating technology-enabled fraud, theft, or money laundering.
Legal: I am not compensated by any entity for writing this newsletter. Obviously, anything written in this space is my own nonsensical opinions and doesn’t represent the official viewpoint of my employer or any associated organization. Blame me, not them.
