Threats Without Borders - Issue 282
Cybersecurity Investigation Newsletter - week ending April 12, 2026
I generally enjoy AI tools and have found many uses for them. However, AI can definitely be a joy killer.
One of my favorite yearly events is the release of the IC3 Internet Crime Report. I love diving into it to uncover insights that often go unnoticed by most. I call these insights 'nuggets,' a term familiar to regular newsletter readers. This year, things were different. The report was published on Monday afternoon, and within a few hours, I saw detailed analyses appearing on LinkedIn and X. Gary Warner, David Maimon, and a very few others in our field can craft such perfect summaries in just 90 minutes. For everyone else... It’s likely that a well-designed AI prompt played a significant role in generating many of those impressive analyses.
And that’s OK. It’s one of the things AI does best, breaking down long, complex, highly dense PDFs into something more digestible.
I’m not mad about it. But I am selfishly disappointed.
The proliferation of AI-generated analysis takes a little bit of the joy away from those of us who really love doing that type of work… old-school. And it renders us afterthoughts because by the time we get around to producing something worth publishing, every cybersecurity content mill has already flooded the zone with AI-created “hot-takes”.
I’m sure you’ve seen the highlights by now. But you really should take the time to actually read the report yourself.
https://www.ic3.gov/AnnualReport/Reports/2025_IC3Report.pdf
I can’t help myself… consider this nugget:
It is well known that most victims do not report their victimization and subsequent losses to any authorities, let alone the Internet Crime Complaint Center. In the 2025 report, the IC3 explicitly states that its figures only represent reports to the FBI via IC3 and do not account for other reporting channels. They also acknowledge that missing data and underreporting can result in “artificially low” loss estimates. However, they make no assumptions beyond this.
In contrast, the recent “Protecting Older Consumers 2024-2025” report by the Federal Trade Commission clearly states, “we assume Sentinel includes only 2% of all losses from consumers who lost under $1,000 and 6.7% of all losses from consumers who lost $1,000 or more.”
Page 28 for reference.
So the FTC “officially” assumes its reporting rate is somewhere between 2% and 7%.
Maybe IC3 is better known, and people are more inclined to report their victimization to them because it’s a division of the FBI. But can it be that much higher? Maybe a 15% reporting rate?
The IC3 reports that the total loss from Internet-enabled fraud in 2025 is $20.8 billion.
Imagine if that is only 15% of the true loss. What if it’s only 2-7%?
Speaking of AI tools…
The cybersecurity world is going through a mind melt over the release, and potential public release, of “Mythos”.
Anthropic’s Mythos is a highly advanced AI model focused on cybersecurity, particularly on identifying and analyzing software vulnerabilities.
Mythos finds exploitable vulnerabilities in software, systems, and networks at scale.
Think of a house. Every window, door, and air vent is a vulnerability that allows unwanted people to get into the house. We use security measures such as locks, shatterproof glass, reverse hinges, and other safeguards to ensure those vulnerabilities are secure and that only authorized people can enter and exit through them. Mythos finds that one window with a finicky lock, where, if you push a specific-style butter knife between the upper and lower panes, you can just reach the lock lever and pop it. And then it explains what materials you need and provides complete instructions on how to do it.
So does this mean the end of the vulnerability researcher? Are security companies specializing in this all going to go out of business? Maybe, maybe not. It will come down to cost.
Running these AI models isn’t free. While ChatGPT can generate some AI slop for your LinkedIn Hero account at no cost, operating a system that scans a corporate network and compares it against a comprehensive bug library requires substantial computational power, which will incur significant token costs.
And someone needs to pay real money for that usage. The impact of Mythos on the cybersecurity profession will, as with everything else, come down to economics. If the machine becomes more efficient and less expensive than a human, then we’ll see movement. But I don’t see that happening in the near future.
And I think maybe just the opposite.
So, a team at Anthropic created this model. Do you really think that China, Russia, North Korea, Iran, and other well-funded nation-state cyber teams won’t swiftly develop similar capabilities?
Certainly, and cybersecurity experts will continue to be essential in patching the vulnerabilities before these nation-states and criminal groups can exploit them.
Should your child still go to college for Cybersecurity? Meh, it’s still better than Journalism, but I don’t think tools like Mythos will be the immediate downfall of the entire field.
The News
Do you use plugins on your WordPress site? Someone purchased 30 different plugins and planted backdoors in each. This author argues “the WordPress plug-in market has a trust issue.” And further claims that WordPress.org has no mechanism to flag or review plugin ownership transfers. There is no “change of control” notification to users. No additional code review triggered by a new committer. The Plugins Team responded quickly once the attack was discovered. But 8 months passed between the backdoor being planted and being caught. https://anchor.host/someone-bought-30-wordpress-plugins-and-planted-a-backdoor-in-all-of-them/
The Financial Crimes Enforcement Network (FinCEN) has proposed a new rule to reform how financial institutions manage their anti-money laundering (AML) and counter-terrorism financing (CFT) programs under the Bank Secrecy Act. The reform aims to shift the focus from high-volume paperwork compliance to risk-based, effective programs that actually combat illicit finance, while reducing regulatory burden on banks. Maybe, I won’t hold my breath. https://www.fincen.gov/news/news-releases/fincen-proposes-rule-fundamentally-reform-financial-institution-programs
The FBI successfully recovered deleted Signal messages from a suspect’s iPhone by extracting data from the device’s internal notification storage, even after the Signal app had been removed. This was possible because the defendant had not enabled Signal’s setting to hide message content from notifications, allowing the full text to be cached locally by iOS. However, Apple recently changed how iOS 26.4 validates push notification tokens, so this method may no longer work. https://9to5mac.com/2026/04/09/fbi-used-iphone-notification-data-to-retrieve-deleted-signal-messages/
The CIA is increasingly deploying artificial intelligence to enhance its core intelligence analysis mission. The agency has already produced its first autonomous intelligence report and plans to integrate AI “co-workers” across all of its analytic platforms within the next few years to help analysts with tasks such as drafting assessments, testing conclusions, and identifying trends. The agency claims humans will remain responsible for key decisions, but it also noted that it tested 300 AI projects last year and is working to bring AI capabilities to field officers. https://www.politico.com/news/2026/04/09/cia-ai-intelligence-analysis-00865893
The first step a skilled attacker takes after gaining unauthorized access to a Microsoft 365 account is to abuse mailbox rules. Rather than deploying malware, they use native M365 features to create rules that automatically forward, hide, delete, or archive emails, enabling covert data exfiltration, suppressing security alerts, and maintaining persistence even after password changes. Proofpoint explains that these rules can be deployed in as little as 5 seconds after compromise and can be fully automated at scale via the Microsoft Graph API. https://www.proofpoint.com/us/blog/threat-insight/mailbox-rules-o365-post-exploitation-tactic-cloud-ato
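For investigators triaging the mailbox-rule activity described above, here is an added detection sketch; it is not from this newsletter or from Proofpoint. It scores `New-InboxRule` / `Set-InboxRule` records in the shape the Microsoft 365 unified audit log uses; the internal domain, folder list, keyword list and sample records are assumptions constructed for illustration.

```python
# Audit operations that create or change an inbox rule through Exchange cmdlets.
RULE_OPS = {"New-InboxRule", "Set-InboxRule"}
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
# Assumptions to tune per tenant: own domains, rarely read folders, keywords.
INTERNAL_DOMAINS = {"example.com"}
QUIET_FOLDERS = {"rss feeds", "rss subscriptions", "archive", "conversation history"}
ALERT_WORDS = ("security", "password", "phish", "invoice", "alert")


def score_rule_event(record):
    """Return sorted findings for one audit record; empty list if nothing stands out."""
    if record.get("Operation") not in RULE_OPS:
        return []
    params = {p["Name"]: str(p.get("Value", "")) for p in record.get("Parameters", [])}
    findings = set()
    for name in FORWARD_PARAMS:  # mail leaving the tenant
        for addr in params.get(name, "").split(";"):
            domain = addr.strip().rpartition("@")[2].lower()
            if "@" in addr and domain not in INTERNAL_DOMAINS:
                findings.add("external-forward:" + domain)
    if params.get("DeleteMessage", "").lower() == "true":
        findings.add("auto-delete")
    if params.get("MoveToFolder", "").strip().lower() in QUIET_FOLDERS:
        findings.add("hide-in-folder")
    words = params.get("SubjectOrBodyContainsWords", "").lower()
    if any(w in words for w in ALERT_WORDS) and findings & {"auto-delete", "hide-in-folder"}:
        findings.add("suppresses-alerts")  # rule hides mail the owner needs to see
    return sorted(findings)


# Constructed sample records (not real log data).
SAMPLE_EVENTS = [
    {"CreationTime": "2026-04-07T14:02:11", "UserId": "pat@example.com",
     "Operation": "New-InboxRule", "Parameters": [
         {"Name": "SubjectOrBodyContainsWords", "Value": "security;password"},
         {"Name": "MoveToFolder", "Value": "RSS Feeds"}]},
    {"CreationTime": "2026-04-07T14:02:16", "UserId": "pat@example.com",
     "Operation": "Set-InboxRule", "Parameters": [
         {"Name": "ForwardTo", "Value": "drop@mail.example.net"},
         {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2026-04-08T09:15:00", "UserId": "sam@example.com",
     "Operation": "New-InboxRule", "Parameters": [
         {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"CreationTime": "2026-04-08T09:20:00", "UserId": "sam@example.com",
     "Operation": "MailItemsAccessed"},
]


def triage(events):
    """Map 'UserId|CreationTime' to findings for every event that scored."""
    return {f'{e["UserId"]}|{e["CreationTime"]}': f for e in events if (f := score_rule_event(e))}
```

Calling `triage(SAMPLE_EVENTS)` returns the two rule changes on the first mailbox and skips the ordinary newsletter rule; rules that still exist after a password reset deserve the same review, since the item above notes they persist through password changes.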
Don’t end up on the “Sucker List”. https://www.welivesecurity.com/en/scams/recovery-scammers-hit-when-down-avoid-second-strike/
Feedback
Send Feedback to matt(at)threatswithoutborders.com
Evidence
Why screenshots fail in court. https://lucidtruthtechnologies.com/authenticate-social-media-evidence/
Cool Jobs
Security Operations Associate - National Football League. https://job-boards.greenhouse.io/nflcareers/jobs/5127529008
Why MLB? Why are you still making people work in New York City? Ugh. Incident Response and Intel Analyst, Major League Baseball. https://hub.globalsportsjobs.com/vacancy/incident-response-intel-analyst-us-glap119784
Cool Tools
2026 DIY Opt-Out Manual For Removal From Over 400 Sites. https://github.com/thumpersecure/opt-out-manual-2026
Little Snitch (iykyk) but for Linux. https://obdev.at/products/littlesnitch-linux/index.html
Irrelevant
Sign Off
I thought I wrote a pretty good newsletter last week, but I somehow finished the week with fewer subscribers than I started with. Tough crowd. I sincerely appreciate everyone who stays with me.
Enjoy the warmer weather! Those of you in the Midwest should stay in your storm cellars. I’ll see you all next week.
Matt
“IT TAKES LESS TIME TO DO A THING RIGHT THAN TO EXPLAIN WHY YOU DID IT WRONG.”
Published every Tuesday, Threats Without Borders offers original commentary and educational pieces related to cybercrime investigations and information security topics. We also summarize and comment on news articles concerning active threat intelligence for the financial industry. The newsletter interests everyone tasked with cybersecurity or involved in preventing or investigating technology-enabled fraud, theft, or money laundering.
Legal: I am not compensated by any entity for writing this newsletter. Obviously, anything written in this space is my own nonsensical opinions and doesn’t represent the official viewpoint of my employer or any associated organization. Blame me, not them.



Your comment about "nuggets" is spot on. The "I" in AI is not "insightful". I haven't yet seen results from AIs that suggest they can apply long term memory or accumulated field experience when given new information.