Field notes from the investigation desk.
Practitioner analysis on data brokers, credential leaks, executive exposure, and corporate footprint — written by the team that does the work. Quarterly summary by email: subscribe to the intelligence brief.
Reading the Ransom Note: The 2026 Extortion Economy in the Actors’ Own Words
Read four current ransom notes alongside the ShinyHunters leak site to see how the extortion economy industrialised around named-individual exposure.
Personal exposure, doxing, family footprint, residence privacy.
31 briefings → → Corporate Audit Corporate & board cyber-exposure briefingsAttack surface, NIS2 governance, supply chain, threat profiles.
42 briefings → → Eraser · Lockdown Personal data removal & breach briefingsData-broker removal, breach response, credential hygiene.
32 briefings →Editor's picks
top by depth · last 60 daysQilin Ransomware: The Most Active Threat Group of 2025-2026
Qilin posts more new victims to its leak site than any other ransomware operation in 2026. Who they are, how they work, the September 2025 cartel with LockBit and DragonForce, and why disruption has not slowed them.
GUIDEWhat Is Account Takeover: The Full Attack Anatomy
A practitioner-level anatomy of account takeover — the credential supply chain, MFA bypass mechanics, post-access exploitation, and a layered defence that maps to each attack class.
ANALYSISThe Silent Market: How Stolen Corporate Data Is Quietly Bought and Sold
The loud ransomware economy is the part you can measure. A priced, brokered market for stolen corporate access and data runs in silence beside it, and this is how we map it.
What a Future Employer Is Allowed to Research About You: The Law, and What Actually Happens
By the time a senior offer is on the table, someone has run a search on you. Here is what an employer may lawfully research under the GDPR, and what actually happens.
ANALYSISWhat Your Digital Footprint Is Actually Used For: From Raw Data to the Decision That Prices You
Your digital footprint is refined like crude oil into the credit, insurance, tenancy, pricing and fraud decisions made about you. Here is the full chain, the named products, and what it is worth.
ANALYSISWhy Social Engineers Target the Executive's Family
A protected principal is a locked front door. The behavioural data shows the family is the side door: less defended, more susceptible, and the path attackers take to reach the principal.
GUIDEHow to Protect Your Digital Footprint: What You Can Do Now, and Where It Stops
Most guides on protecting your digital footprint stop at strong passwords and private accounts. The work that actually reduces your exposure is elsewhere — in metadata, identifiers, and device defaults.
ANALYSISThe Optimal Moment: How Your Digital Footprint Tells an Attacker When to Strike
Sophisticated social engineering attacks are not random. They are timed. The data that reveals when to strike is largely public — and most of it you have already published yourself.
GUIDEWhat Does the Internet Know About Me?
Your browser transmits a detailed fingerprint before you do anything on a page. This piece maps five standard data layers and dissects a real fingerprint to show how investigators chain device signals to a single identity.
ANALYSISThe Structural Doxing Problem: European Executives Face Harder Exposure Than Their US Peers
From Rotterdam to Glasgow, activist campaigns are targeting corporate offices across Europe through supply-chain research. In September 2025, that escalation reached executives' personal residences in the UK. Here is what the research chain looks like — and what you can do about it.
ANALYSISWhen Privacy Becomes a Price Tag: The Three-Tier Problem in Europe’s Data Market Debate
A Bruegel working paper proposes regulated data markets as Europe’s fix for the consent impasse. On examination, the three-tier model makes full privacy available only to those who can pay for it.
ANALYSISEU Facial Recognition: Loud Regulation, Quiet Enforcement
The EU has the strictest facial-recognition rules in any major jurisdiction. It also has Clearview AI, fined more than €110 million across five member states, paying nothing, still indexing EU residents’ faces. The gap between regulation and enforcement is the story.
GUIDEWhat Traces Do You Leave Online: The Silent Data Trail
Your visible online presence is only the surface. Below it sit contact graphs built by others, location broker pipelines, insurance registers, archive snapshots, and an AI assistant layer that logs and may train on everything you type.
METHODHow a Mirror Investigation Runs
What actually happens in 48 hours of a Mirror investigation: the four sequential stages a finding moves through before it appears in the report.
GUIDEIs Doxxing Illegal? How EU, UK and US Law Treat It in 2026
How doxxing is treated under Dutch, German, French, UK and US law in 2026: dedicated criminal statutes, GDPR overlay, federal-and-state patchwork, and what victims can do.
ANALYSISThe Identity Pack: How Breaches Without Credentials Fuel Executive Targeting
When a breach notification says no credentials were exposed, the data that was exposed is often exactly what executive targeting is built from.
ANALYSISThe Reconnaissance Phase: Why Whaling Attacks Start With Your Data Broker Listings
BEC and whaling attacks rely on personal data gathered during the reconnaissance phase. Removing that data from brokers and breach databases disrupts the attack before it begins.
ANALYSISAgentic AI Is Building Executive Profiles. Here’s What Feeds Them.
AI search engines build executive profiles by connecting data across brokers, breach databases, and public registries in real time.
GUIDEDeepfake Detection: A Practical Guide for Executives and Their Teams
How deepfake fraud works, why detection alone is failing, and the verification protocols that actually prevent losses.
METHODOSINT Research vs Stalkerware: Where Investigation Ends and Surveillance Begins
The FOUR rubric used by law enforcement — Fixated, Obsessive, Unwanted, Repeated — applied to the line between legitimate OSINT research and stalkerware surveillance, from both the investigator's and target's perspective.
GUIDEHow Executives Get Doxxed — and What Europe Is Doing About It
From the CEO Database to the Netherlands' first doxxing arrest, executive targeting has become organised. Here is where the data comes from, what the law now says, and what you can do about it.
GUIDEWhat Is a Digital Footprint — and How Attackers Use Yours
Your digital footprint is the sum of all data that can be linked back to you online. Here is what it contains — and how attackers exploit each piece.
GUIDEIf You Were in the Odido Breach — What to Do Now
The Odido dataset is public. If you were a customer — even a decade ago — your data is likely in it. This is what the exposure enables, and what closes it.
METHODThe Mosaic Effect: How Harmless Data Combines Into a Complete Profile
Your employer is public. Your general location is public. Your gym, your commute pattern, your lunch spot — all public. None of it is sensitive on its own. But combine them, and something qualitatively different emerges.
ANALYSISWhat Cryptocurrency Transactions Reveal About You — Without You Knowing
Bitcoin transactions do not contain your name — but pseudonymous is not anonymous. The moment a wallet address links to your identity, that link is permanent and retroactive. Covers KYC breach risk, blockchain tracing methodology, Monero's reputational problem, and the Bitfinex and Colonial Pipeline cases.
ANALYSISIf Dutch Ministers Could Not Stay Out of the Odido Dataset, You Probably Didn't Either
Four ministers. A senior intelligence officer. Three individuals under active government protection. The Odido breach did not distinguish between ordinary customers and people who thought they were managing their exposure. What each data field enables — and why the window for acting is narrowing.
GUIDEThe Accounts You Forgot About Are the Ones That Expose You Most
Most people think about their current online presence. They overlook the usernames, photos, emails, and forum posts from a decade ago — and that is exactly what attackers are looking at.
ANALYSISYour Digital Profile Already Exists. You Just Have Not Seen It.
Before anyone searches for you, your profile is already assembled. Three freely available layers — social media, data brokers, and breach data — combine into something far more complete than most people realise.
ANALYSISThe OSINT Ethics Spectrum: When Does a Tool Become a Weapon?
Sherlock, GHunt, SpiderFoot, Recon-ng, Maltego — the same tools used in legitimate investigations are used in stalking and doxxing. A feature-by-feature ethics map of the most popular OSINT platforms.
GUIDEPunch the Monkey: OSINT and the Battle of Narratives
A baby spider monkey, three conflicting headlines — and a masterclass in how the same footage can be spun into entirely different stories. Here is how OSINT methodology cuts through viral fiction to find what is actually true.
INTELWhat Investigators See When They Search You: A 2026 OSINT Breakdown
A step-by-step walkthrough of how OSINT analysts build a complete profile on any individual using only public sources in 2026 — and what you can do about it.
INTELWhy Using AI for OSINT Leaves a Trail — And What to Do Instead
Using ChatGPT or Perplexity for OSINT research leaves an auditable trace that compromises operational security. Why automation with manual interpretation is the correct methodology.
INTELHow Criminals Bypass KYC Checks Using Your Leaked Data
KYC identity verification was designed to stop fraud. Here's how criminals use your leaked data to defeat it — and what that means for your exposure.
INTELSchrödinger's Intel: The Zero-Trust Approach to OSINT
Until verified, everything is both real and fake. Learn how to apply Zero-Trust principles to validate intelligence in an age of AI-generated deepfakes and synthetic content.
How an Eraser Engagement Runs
A methodology walkthrough of the Eraser engagement — from the Mirror and Lockdown investigation foundation through active removal, verification, and the 90-day re-scrub.
ANALYSISGermany’s Data Economy: What the Auskunfteien, Address Traders, and Adtech Platforms Know About You
Germany ranks near the top of European privacy surveys and hosts one of the continent’s most sophisticated data trading ecosystems. This maps the credit bureaus, address traders, and adtech platforms that hold data about German residents — and the legal mechanisms that limit enforcement against each.
GUIDEBest Data Broker Removal Services in the US: What Actually Works (2026)
Six US data broker removal services tested against the August 2024 Consumer Reports field test — and why the free manual baseline outperformed every paid vendor in the cohort.
ANALYSISWhy Data Brokers Make Opt-Outs Hard: The Economics of Friction
Broker opt-out URLs break for a structural reason: working opt-outs lower subscription revenue. The SEC-anchored math behind the friction.
GUIDEHow to Delete Your Personal Information from the Internet — The Practitioner’s Sequence
Removing your personal information from the internet is four problems, not one. Each layer has its own legal mechanic and its own DIY ceiling.
GUIDEData Brokers in the UK: Your Rights Under UK GDPR and the DUAA 2025
Who the UK's data brokers are, what the Data (Use and Access) Act 2025 changed, and why individual GDPR action now does what the ICO no longer can.
GUIDEDo Data Broker Removal Services Actually Work? A Practitioner’s Answer
A practitioner’s answer on how data broker removal works under GDPR and CCPA, and when a subscription service, DIY, or full OSINT investigation is the right fit.
GUIDEIs Data Broker Removal Legal in Europe Under GDPR?
Data broker removal is legal across the EU under GDPR Articles 17 and 21 — but the "legitimate interest" argument brokers rely on usually does not survive a proper balancing test.
GUIDEBest Data Broker Removal Services in Europe: Country-by-Country (2026)
A verified, country-by-country comparison of data broker opt out services in France, Germany, Netherlands, Spain and the UK — using Consumer Reports 2024 results and direct pricing checks, not vendor marketing.
GUIDEData Broker Removal in Europe: What a Professional Engagement Actually Looks Like
Automated removal services average a 48 per cent success rate. Here is what a professional, human-led data broker removal engagement in Europe involves — from discovery through deletion, suppression, and ongoing monitoring.
GUIDEGDPR Data Subject Access Request: Template and Complete Guide
A complete guide to GDPR Data Subject Access Requests — what the law says, what you are entitled to receive, enforcement case law, and a ready-to-use template.
GUIDEHow to Disappear from the Internet
A practitioner’s guide to reducing your digital footprint. What you can remove yourself, what persists regardless, and where DIY efforts reach their structural limit.
GUIDEWhy Data Broker Opt-Outs Don't Stick: The Bounce-Back Problem Explained
A realistic framework for data broker removal: how broker tiers work, why deletions bounce back, and how to use GDPR/CCPA leverage effectively.
GUIDEData Brokers in the United States: No Federal Law, 25 Brokers, and How to Opt Out
The US has no comprehensive federal privacy law. Data brokers hold vast quantities of personal data on Americans with almost no legal obligation to stop. What the FCRA and state patchwork cover, 25 brokers with opt-out links, and why California's DELETE Act in 2026 changes everything.
GUIDEData Brokers in Europe: GDPR, UK Law, Germany, France — and the US Surveillance Risk Nobody Warned You About
GDPR gives Europeans powerful rights over their data. But data brokers exploit legitimate interest loopholes, US surveillance law undermines every EU-US transfer framework, and a third Schrems ruling may invalidate the current system again. A complete guide to EU privacy law, major fines, and how to use your rights.
GUIDEData Brokers in Australia and New Zealand: What They Hold, What the Law Allows, and How to Get Out
Australia has had some of the world's largest data breaches. But most Australians don't realise data brokers legally hold and sell their personal data every day — with few legal obligations to stop. What the law says, who the 25 biggest brokers are, and how to opt out.
ANALYSISAll Odido Data Is Now Online. Here Is What Happens Next.
When stolen data moves from 'for sale' to 'free for anyone', the real damage begins. Here is what typically happens next — illustrated with real Dutch and European cases.
INTELThe Right to Delete Your Data Exists. Data Brokers Are Ignoring It.
35 brokers hid their opt-out pages from Google. 43% ignored deletion requests entirely. California's new DROP tool changes everything. Here is the evidence — and how to fight back.
GUIDE15 Major Data Brokers: Direct Opt-Out Links (2026)
A practical guide to identifying data brokers holding your personal information and the most effective removal strategies available — including what they won't tell you.
What to Do After a Data Breach: An Individual’s Playbook
A practitioner’s playbook for the moment you learn you’ve been breached: triage by data class, work the four-wave attack timeline, and use your EU rights to shrink what’s exposed.
GUIDEWhat Is Account Takeover: The Full Attack Anatomy
A practitioner-level anatomy of account takeover — the credential supply chain, MFA bypass mechanics, post-access exploitation, and a layered defence that maps to each attack class.
ANALYSISFrom Gamble to Calculation: How Your Exposure Decides Who Gets Attacked
An intrusion told backwards from a single email address, and why a findable digital footprint turns a target from a gamble an attacker takes into a calculation they can run.
ANALYSISRansomware Negotiation: Four Response Modes Law Firms Have Actually Used
What the HWLE court record and four leaked transcripts reveal about how ransomware operators negotiate with law firms, and the four ways firms have actually responded when a ransom demand lands.
ANALYSISHow Modern Infostealers Work: Execution, Telemetry, and the 2026 Log Economy
How RedLine, Lumma, and Vidar execute on the host, what they harvest, what is visible on the wire, and how stolen credentials flow through 2026 log markets.
METHODHow a Lockdown Investigation Runs
The Lockdown is the credential-and-account-takeover tier of our investigation work. Five business days, fixed €995, the full Mirror foundation plus seven Lockdown-specific deliverables. This article walks the methodology stage by stage: discovery, cross-reference, verification, report.
ANALYSISHow Crypto Anonymity Breaks at the Endpoint
Crypto privacy was designed against chain analysis, not against the endpoint. The Fowler 2026 database showed why that gap is now the dominant threat.
GUIDEDark Web Monitoring: What It Actually Does and When It’s Worth Paying For
What dark web monitoring actually catches, what it misses on stealer logs and live session cookies, and when bundled, standalone, or human-led options each make sense.
INTELStealer Logs: Inside The Credential Market HIBP Doesn't See
Stealer logs are the credential exposure vector most organisations cannot see — per-device snapshots containing passwords and live session cookies, sold in underground markets within hours of infection.
INTELOdido: One Month After Disclosure, the Breach Is Still Expanding
One month after Odido disclosed the breach, every dimension has escalated. The full dataset is public. Ministers and protected persons are in it. Former customers who left a decade ago are in it. And the fraud is doubling.
INTELThe Odido Breach: 30 Days of Criminal Activity, Documented
The Odido breach was confirmed February 12. Within 19 days, the full dataset was published on criminal infrastructure. Within 20 days, active phishing campaigns were running. This is not a prediction — it is a documented sequence.
ANALYSISBypassed: How Voice Cloning, Virtual Cameras, and Real-Time Interception Defeated the Controls Everyone Trusted
MFA was supposed to solve password theft. KYC was supposed to solve identity fraud. Both assumptions are now broken — defeated not by nation-states but by criminal groups using free software, breach data as raw material, and OSINT to source every component.
INTELOdido Breach: How ShinyHunters Stole 6.2M Records
ShinyHunters is publishing stolen Odido customer data daily — names, IBANs, ID numbers, sensitive account notes. The attack used a phone call, not a zero-day. Here is exactly how it unfolded.
The Data Broker in Your Sales Stack: What AI Sales Tools Do With the Data You Feed Them
Some AI sales and enrichment tools take a licence to absorb the contacts you upload into a dataset they resell, your competitors included. Here is the exposure under the GDPR and NIS2, and how to check before you connect your CRM.
INTELScattered Spider: A Social-Engineering Threat Profile
Scattered Spider (UNC3944) breaks into Fortune 500 networks with a ten-minute call to the help desk. A profile of its method, its ransomware partners, the arrests, and the defence.
ANALYSISWhat "The Com" Actually Is: One Word, Thousands of People, Three Kinds of Crime
In 2019 ‘The Community’ named nine indicted SIM-swappers. By 2025 ‘The Com’ meant thousands. We trace the drift and isolate the one layer that belongs on a corporate risk register.
ANALYSISWhy People Fall for Phishing
A 21-day field experiment sent simulated phishing to 158 people. 43% clicked, older users never improved, and the lures that worked show the limits of training.
ANALYSISThe Six Phases of a Social Engineering Attack
Social engineering runs in six phases, but the dominant security frameworks map only the technical ones. The Arup $25M deepfake fraud shows where defences actually need to sit.
ANALYSISThreat Surface vs Attack Surface: The Half That ASM Tools Miss
Attack surface is what you own; threat surface is that exposure plus the adversary capability pointed at it. ASM tools measure the first half well and the second half not at all.
INTELDragonForce Ransomware: Threat Actor Profile
DragonForce ransomware cartel: public RaaS registration, the RansomHub infrastructure episode, Suppliers marketplace, SINBON and Co-op UK breaches.
ANALYSISOne GitLab Instance, 800 Clients: The Credential Risk Hidden in Your Consulting Relationships
One breach of a consulting firm's self-managed GitLab instance exposed client engagement data across hundreds of organisations. The Nissan downstream disclosure three months later confirms the pattern.
ANALYSISWhy Family Office Succession Creates a Recurring Cybersecurity Window
Professional management cycles create a recurring cybersecurity window in family offices — resetting every seven years and compounding across CEO, CFO, and COO roles.
INTELThe Gentlemen Ransomware: Threat Actor Profile
The #2 ransomware group globally in Q1 2026, built from a Qilin affiliate dispute. A 14,700-device FortiGate access inventory, a self-propagating encryptor with no bulk-decrypt path, and a supply-chain pivot from an Atlassian partner into a $12B manufacturer.
ANALYSISWhen Someone Else's Security Becomes Your Breach: Third-Party Risk and Supply Chain Attacks Are Not the Same Problem
Third-party risk and supply chain risk describe opposite threat models — understanding the direction of trust changes what an organisation investigates and what it finds.
ANALYSISThe Silent Market: How Stolen Corporate Data Is Quietly Bought and Sold
The loud ransomware economy is the part you can measure. A priced, brokered market for stolen corporate access and data runs in silence beside it, and this is how we map it.
ANALYSISThe Attack Surface You Don't Own: How Personal Devices and Lives Extend Corporate Risk
Attack surface management maps what a company owns and can see. A growing share of corporate access lives on personal devices and accounts it owns neither, and the gap widens with seniority.
INTELCoinbaseCartel: A Data-Theft Extortion Profile
A profile of CoinbaseCartel, the data-theft extortion group that breaks into companies using years-old infostealer credentials instead of encryption.
INTELQilin Ransomware: The Most Active Threat Group of 2025-2026
Qilin posts more new victims to its leak site than any other ransomware operation in 2026. Who they are, how they work, the September 2025 cartel with LockBit and DragonForce, and why disruption has not slowed them.
ANALYSISReporting Cybersecurity to Your Board: What NIS2 Requires, What Most Packs Miss
Most cybersecurity board packs were built for the audit committee, not the directive. A look at what NIS2 Article 20 actually asks the board to evidence, how the SEC and UK CSR Bill compare, and what a defensible six-section quarterly pack looks like in practice.
ANALYSISCybersecurity for Executives: Four Threat Models Most Buyers Don't Distinguish
Most executive cybersecurity products address one of four threat models. The other three are where the Arup, MGM, Coinbase and M&S losses landed.
ANALYSISRIA cybersecurity in 2026: where training-first programs miss the actual attack surface
Six RIAs breached by ShinyHunters in 90 days exposed a structural gap: firms train for phishing but leave principal data wide open to the attacks attackers actually used.
ANALYSISLaw Firm Data Breaches: What They Expose About the Client Side
When outside counsel is breached, the data exposed is the client’s. Six verified incidents, a 27-day ransomware leak-site cohort of 19 firms, and the questions principals can ask their counsel.
ANALYSISIdentity Attack Surface: What Infrastructure ASM Vendors Don’t See
Infrastructure ASM, CAASM, and exposure-assessment platforms map machines. They do not map the people-shaped surface that the most expensive intrusions of 2023–2025 actually turned on.
ANALYSISWhy Ransom Notes Read Like Demand Letters
Ransom-extortion text borrows the recognisable forms of demand letters, litigation pleadings, and PR holding statements. The form is a legitimation tool the corporate audit needs to read.
ANALYSISReading the Ransom Note: The 2026 Extortion Economy in the Actors’ Own Words
Read four current ransom notes alongside the ShinyHunters leak site to see how the extortion economy industrialised around named-individual exposure.
ANALYSISFamily Office Cybersecurity: The Principal’s Exposure Surface
Deloitte’s 2024 family office report shows phishing at 93% prevalence. The IT layer cannot reach the surface that makes those attacks plausible.
ANALYSISRight of Access as Reconnaissance: The Article 15 Verification Gap
GDPR Article 15 was designed to protect data subjects. It also creates a pre-authenticated data exfiltration channel at understaffed controllers — and NIS2 will close the gap.
INTELWhy Executive Digital Exposure Is a NIS2 Compliance Risk
Article 21 of the NIS2 directive names supply-chain and human-factor risk. Executive digital exposure fits both — and sits in the half of compliance that most programmes under-audit.
ANALYSISThe ATHR Disclosure: Anatomy of a Sole-Source Threat Claim
Abnormal's ATHR vishing disclosure is sole-sourced, IOC-free, and invisible on the underground after a full verification window. A framework for reading AI threat marketing.
ANALYSISNIS2 Personal Liability: What the Directive Actually Says About Board Members
The NIS2 Directive requires management bodies to approve, oversee, and bear liability for cybersecurity risk management. Twenty-two EU member states have transposed it into law. The directive sets the standard of care; national company law supplies the personal claim — and the gap most boards leave open is their own digital exposure.
ANALYSISBasic-Fit, Booking.com, and the SEPA Direct Debit Fraud Kit
Two major EU breaches disclosed on the same Sunday, two different attack patterns, one downstream consequence: targeted fraud built on real data. How SEPA Direct Debit fraud actually works after an IBAN leak, and what closes the window.
ANALYSISCanada Goose: Two Extortion Claims and the Vendors Nobody Named
ShinyHunters published 581,877 Canada Goose customer records in February 2026. Twenty-four days later, Coinbasecartel listed the same brand claiming supply chain data — on the same day as Lacoste.
ANALYSISHow a Security Scanner Breached the European Commission
CERT-EU confirmed the European Commission was breached through a poisoned Trivy vulnerability scanner. The supply chain attack exposed DKIM signing keys, military financing data, and 52,000 email files — at the institution drafting Europe's cybersecurity laws.
GUIDECorporate Breach Response Checklist: The First 72 Hours
A structured 72-hour breach response checklist covering GDPR and US state notification laws, with phase-by-phase guidance for DPOs, CISOs, and board members.
ANALYSISRaaS Inc.: The Business Plan Nobody Asked For
Eighty-five ransomware groups competed for an $820 million market in 2025. Forty-seven of them claimed fewer than ten victims. The unit economics explain why.
ANALYSISHow OSINT Tracks Smuggling Networks: The Intelligence Tradecraft Behind Europol’s New Centre
Europol launched ECAMS and named OSINT a core strategic capability. Here is how open-source intelligence actually tracks smuggling networks — from Telegram forwarding chains to satellite change detection.
INTELWhat Happens After Your Corporate Credentials Leak
Google shut down its Dark Web Report because alerts without context are noise. Here is what stealer logs actually contain, why free scans miss most of it, and what a professional assessment covers.
ANALYSISThe EDPB Work Programme 2026–2027 and the Digital Omnibus: Is GDPR Quietly Shifting?
The EDPB is building compliance tools for a GDPR framework the European Commission may be in the process of dismantling. Here is what both documents change — and where they contradict.
METHODHow a 10-Minute Phone Call Took Down a $34 Billion Company
How Scattered Spider used LinkedIn, breach databases, and a 10-minute helpdesk call to compromise MGM Resorts and Marks & Spencer. Both attacks dissected stage by stage.
METHODUsername and Alias Correlation: Methodology, Tooling, and Likelihood Assessment
A username is not anonymous. It is a behavioural fingerprint dressed as a pseudonym. This is how analysts trace handles to real identities — and why the same process is used against private individuals.
METHODWhat a LinkedIn Profile Reveals to a Scammer
LinkedIn profiles reveal far more than most understand—timing patterns, role signals, public networks, business-context posts, and document metadata all become intelligence for phishing and vishing. This is what attackers actually see.
METHODHow the FBI Traced $3.6B in Bitcoin — Tool by Tool
The Bitfinex hack moved $3.6 billion through 2,000 addresses across six years. This is a step-by-step reconstruction of how investigators followed the trail — using Blockchair, 3xpl, and WalletExplorer, the same open-source tools anyone can access today.
ANALYSISWhat ShinyHunters Sees Before They Call: Your Organisation's Public Attack Surface
ShinyHunters called Wynn Resorts. Before that call was placed, they already knew who managed IT access, which SSO platform the company used, and which employees had credentials in breach databases. The call was the end of the intelligence phase, not the beginning.
ANALYSISAfter LockBit: The Ransomware Market Never Shrinks
Every major takedown — LockBit, ALPHV, RansomHub — was followed by a larger, more capable successor. 680 victims across 54 groups in February 2026 alone. A market analysis of who fills every vacuum, and what comes next.
INTELShinyHunters: Inside the Threat Group
From Tokopedia to Charter Communications, ShinyHunters has stolen data from hundreds of millions of people. Updated June 2026: Carnival (5.99M confirmed), Charter (42M claimed), BCD Travel, DentaQuest, Baker — and the FBI PSA on LMS targeting.
Reset filters