Published research into the persistent operators, infrastructure, and financial networks that enable sanctions evasion, cybercrime, and organized criminal finance.
Within weeks of the Strait of Hormuz closure, threat actors registered 1,435 crisis-themed domains — impersonating government subsidies from Pakistan to the UK, spinning up fake oil trading platforms, and squatting on Hormuz-related keywords. Infrastructure analysis reveals 33 coordinated clusters and a 48-hour activation lag tied to relief program announcements.
Read analysis

A single Bitcoin address from an automated database ransom attack is traced through 14 investigative phases across Bitcoin and Ethereum, uncovering a 3-year criminal operation with 307 victim-facing multisig wallets, cross-chain laundering via Polygon, and a Binance-centric circular financial loop processing 107+ BTC.
Read analysis

Three smishing specimens received over nine days reveal real-time template evolution and operational diversification by the Lighthouse phishing kit, a Phishing-as-a-Service platform operated by the China-based Smishing Triad.
Read analysis

A Starbucks Yeti Rambler lure, five layered anti-spam evasion techniques, three Namecheap broker domains, and an affiliate scareware operation — all deobfuscated from a single email that Gmail trusted enough to put front and center.
Read analysis

How cryptocurrency, underground banking, and state-sponsored illicit finance converge — from Russia's crypto laundromats and Chinese money brokers laundering for North Korea, to an FSB spy paid in Bitcoin and a U.S.-based crypto firm funneling $530 million for sanctioned Russian banks. Updated May 2026.
Read analysis