Threats Without Borders - Issue 295
Cybersecurity Investigation Newsletter, week ending July 12, 2026
I’ve been reading Marcus Aurelius. In Meditations, he writes that “the impediment to action advances action, that what stands in the way becomes the way”. He wasn’t thinking about cybercrime investigations, but he could have been.
In cybercrime investigation, the obstacle isn’t standing between you and the job. The obstacle is the job.
In traditional investigations, you build pattern recognition over a career. Burglary rings repeat, fraud schemes repeat, sexual predators repeat. Over time you learn these patterns, and eventually the patterns start doing some of the work for you. Experience compounds.
Cyber doesn’t let you have that. The tactics, techniques, and procedures of the bad guys you learned eighteen months ago are already half-obsolete. The threat actor you tracked last quarter has rebranded, retooled, and moved infrastructure twice. You don’t get to coast on accumulated pattern-recognition, because the patterns don’t hold still long enough to accumulate.
Investigators and practitioners new to the cyber game walk in expecting the traditional model where you learn the rules, then apply the rules. But that ultimately fails, and they get frustrated when the rules keep changing under them.
Every investigation that doesn’t fit the last one isn’t a deviation from the curriculum. It is the curriculum.
What stands in the way IS THE WAY!
Have a .beer with that malware
While reviewing web filter reports at my organization this week, I was reminded of a report by AlphaMountain because we are seeing .beer domains in our logs.
AlphaMountain analyzed domain risk ratings and identified the ten top-level domains with the highest percentage of risky domains. The analysis focused on namespaces most compromised by malicious or high-risk registrations.
https://www.alphamountain.ai/10-riskiest-tlds/
Crypto Recover Scams
While reviewing the latest Internet Crime Report, I noticed a graphic about crypto recovery scams mentioning “Fictitious Law Firms." I often see Reddit posts where people say, “I was scammed trying to recover my funds," but I haven't come across any where scammers pretended to be law firms specializing in crypto recovery. Has anyone encountered this or has a case involving such scammers?
The News
Richard Bejtlich wrote a new E-Book titled “NDR Essentials: A Practical Guide to Network Detection and Response”. And it’s free! https://8645105.fs1.hubspotusercontent-na1.net/hubfs/8645105/resources/ebooks/corelight-ndr-essentials-bk.pdf
CrowdStrike identifies five new AI prompt-injection attacks. https://www.crowdstrike.com/en-us/blog/crowdstrike-uncovers-new-prompt-injection-techniques/
Holy polygamy. A Las Vegas woman orchestrated a massive fraud scheme by marrying 14 men simultaneously since March 2019 to fund her gambling addiction at the Wynn casino. She convinced her victims to send her over $100,000 by fabricating stories about sick relatives in China, only to lose more than $300,000 gambling and cut off contact shortly after receiving the funds. https://www.dailymail.com/news/article-15962045/vegas-woman-married-multiple-men-china-fraud-gambling.html
Of course, this is happening. A new study reveals that terrorist groups like ISIS and Boko Haram are actively exploiting major AI chatbots, including ChatGPT, Claude, and Gemini, for attack planning, weapons development, and operational security. The research, based on 57 interviews with former members, details how these groups have established dedicated AI units to bypass safety filters and use AI for purposes ranging from building explosive devices to replicating dangerous motorcycle stunts, with some factions even considering mass-casualty weapons. https://the-decoder.com/terrorist-groups-are-using-every-major-ai-chatbot-for-attack-planning-and-weapons-development/
The Federal Reserve Board proposed a rule to establish risk-based anti-money laundering and counterterrorism financing (AML/CFT) program requirements for Board-supervised banks. https://www.federalreserve.gov/newsevents/pressreleases/bcreg20260707a.htm
Feedback
“I have been doing this job for almost two decades, and even now, I still see officers and detectives using photos or videos of a monitor when trying to identify suspects. I honestly cannot remember whether you have already covered why getting the original video surveillance footage and still images is so important, not just for evidentiary purposes but also for anything involving facial recognition. If this fits anywhere in your newsletter universe, I would love to see a full TWOBized breakdown of why this practice is still alive and why it is long overdue to be put out to pasture. Maybe with your level of reach and expertise, you can finally convince some people to stop sending out RFIs with photos that look like they were taken during a sighting of Bigfoot.”
Thanks for the suggestion, Patrick, and it’s on the agenda!
Send Feedback to matt(at)threatswithoutborders.com
Cool Jobs
Director of Fraud, Gemini. https://job-boards.greenhouse.io/embed/job_app?for=gemini&token=7954981&gh_jid=7954981&gh_src=jqrn2aif1us
Chief Information Security Officer, HACC. https://careers.hacc.edu/jobs/vice-president-information-technology-and-chief-information-security-officer-harrisburg-pa-pennsylvania-united-states-college-wide
Cool Tools
Turn an iPhone into a dumb phone. Perfect for the kids or grandma. https://www.wired.com/story/this-buried-apple-feature-turns-an-iphone-into-the-perfect-kids-dumb-phone/
Track over 30K satellites https://satellitemap.space/
Irrelevant
This company just received FCC approval to test a satellite system that will redirect sunlight to dark areas of the Earth. The goal is to illuminate dark areas without the use of electric lighting. It’s so crazy it might just work! https://spacenews.com/fcc-approves-first-reflect-orbital-satellite/
Really Irrelevant
Sign Off
Congratulations to the newly elected 2027-2028 Executive Board of the IAFCI.
President : Steve Lenderman
1st VP: Nina Berbiglia
2nd VP: Con Nikolaou
Secretary: Sam Fadel
Treasurer: Stuart Levine
Thank you for reading this issue, and I’ll see you all next Tuesday!
Matt
Published every Tuesday, Threats Without Borders offers original commentary and educational pieces related to cybercrime investigations and information security topics. We also summarize and comment on news articles concerning active threat intelligence for the financial industry. The newsletter interests everyone tasked with cybersecurity or involved in preventing or investigating technology-enabled fraud, theft, or money laundering.
Legal: I am not compensated by any entity for writing this newsletter. Obviously, anything written in this space is my own nonsensical opinions and doesn’t represent the official viewpoint of my employer or any associated organization. Blame me, not them.



