Real-Time Security Intelligence

Recorded Future Strengthen Your Defenses with Threat Intelligence

  • Annual Payment Fraud Intelligence Report: 2024
    on January 21, 2025 at 12:00 am

    Explore 2024 payment fraud trends with Recorded Future: e-skimming, scam e-commerce, dark web insights, and 2025 predictions.

  • Cleo MFT: CVE-2024-50623
    on January 21, 2025 at 12:00 am

    Learn about CVE-2024-50623 affecting Cleo MFT products. Patch now to prevent RCE attacks and secure your systems.

  • Chinese State-Sponsored RedDelta Targeted Taiwan, Mongolia, and Southeast Asia with Adapted PlugX Infection Chain
    on January 9, 2025 at 12:00 am

    Between July 2023 and December 2024, RedDelta, a Chinese state-sponsored group, targeted Mongolia, Taiwan, and Southeast Asia using advanced spearphishing campaigns with evolving infection chains and the PlugX backdoor.

  • Hispanic Heritage Month: Path to Collective Power – Part Two
    on January 7, 2025 at 12:00 am

    Discover our 2024 Hispanic Heritage Month series: overcoming adversity, fostering community, and empowering growth through inclusion.

  • Tracking Deployment of Russian Surveillance Technologies in Central Asia and Latin America
    on January 7, 2025 at 12:00 am

    A new report by Recorded Future’s Insikt Group finds that countries across Central Asia and Latin America are increasingly basing their digital surveillance practices on Russia’s System for Operative Investigative Activities (SORM). Learn more about the privacy and security risks, as well as risks to corporate organizations operating in these regions.

  • Fraud Funding Terrorism? The Cost of Missing Sanctioned Connections in a Globalized Fraud Ecosystem
    on December 18, 2024 at 12:00 am

    Editor’s note: The following blog post originally appeared on Levi Gundert’s Substack page.

    Introduction

    A past conversation with an undercover federal agent who specializes in money laundering revealed staggering amounts of currency moving across geographic boundaries, skirting traditional Anti-Money Laundering (AML) processes. From local and transnational crime syndicates to presidential spouses and those looking to evade sanctions or tax regimes, the need to wash and move illicit funds into reputable banking channels has never been greater. The FT’s recent AML coverage highlights the scale of the problem and provides timely background reading on money laundering networks, suspects, and indictments. One story is particularly relevant as it centers around proof-of-address compliance failures. Coincidentally, address verification is precisely the problem highlighted by a recent Recorded Future Payment Fraud Intelligence (PFI) report.

    Big Fraud and a Hong Kong Address

    The address in question is: 12th Floor, San Toi Building, 137-139 Connaught Road Central, Hong Kong

    (Image: The San Toi Building, with a 12th-floor visual estimate, provided by Google Maps.)

    The address is linked to two scam website (fraud) clusters, designated “Misspelled” and “Brand as a Cover”, which share merchant accounts and payment processing logic. The three merchant accounts include CAMHUBSTORE, AQAPAY*xmvmxft, SMARTTECHHK, and gracefashionhub. Hundreds, if not thousands, of scam websites are connected to these merchants.

    (Image: A scam website snapshot. A victim articulates why Camhubstore is a scam site.)

    These merchant accounts that process payments for fraudulent, non-existent goods are tied to the 12th floor of the San Toi Building as the registered business address. The address is even placed directly on some of the sites as a contact address. Here’s where it gets interesting: the address is listed on the U.S. Treasury OFAC list for ties to an Iranian terrorism group.

    The 12th floor is presumably large enough to house multiple businesses and likely sufficiently small that businesses transit through reasonably often. Of course, it would be difficult to draw a direct connection between these merchant accounts and terrorism based on a shared address alone. Still, other questions remain, namely: how are these scam merchants acquiring the ability to process payment cards when their physical address is on the OFAC list?

    Remedying AML / KYC Compliance Failures

    Knowing your customer (KYC) might be difficult when bad actors go to great lengths to obscure their identity and purpose, but this is an egregious case of acquiring banks and payment processors missing obviously problematic contact details. Geoff White’s book, The Lazarus Heist, documented that even routine checks can lead to better outcomes. In it, White details North Korean hackers’ inability to transfer a more significant amount (hundreds of millions of dollars) from Bangladesh Bank to a bank branch in Manila because the branch is located on Jupiter Street, and “Jupiter is also the name of a sanctioned Iranian shipping vessel.” Addresses matter.

    Suppose the US pursues a more friendly regulatory environment for cryptocurrencies under President Trump, and exchanges find it easier to acquire bank accounts. In that case, the potential for money laundering may explode without rigorous AML / KYC / KYT efforts. The SEC may have fewer teeth, but banks and processors are still gambling if anyone can obtain a merchant account with little to no compliance checks. Indeed, the business incentives are aligned to offer the maximum number of merchant accounts to generate more processing fees, and historically, compliance costs have eroded profitability. However, this may be an emerging opportunity for GenAI.

    Semi-autonomous agents trained to flag basic AML violations (for example, website contact details listed on OFAC) and elastic agents that deploy on demand when a new merchant application is submitted would assist AML compliance efforts and help a financial services industry grappling with a tsunami of fraudulent merchant transactions.

  • Breaking the Circle: Chinese Communist Party Propaganda Infrastructure Rapidly Expands
    on December 10, 2024 at 12:00 am

    China’s ICCs reshape global propaganda via targeted messaging, social media, and influence networks to amplify the Communist Party’s voice globally.

  • Operational Disruption, Legal Risk, and Churn From Lost Consumer Trust Drive The Business Impact of Data Breaches
    on December 10, 2024 at 12:00 am

    Discover the rising costs of data breaches, including disruption, legal risks, and lost trust. Learn proactive steps to protect your business from escalating threats.

  • BlueAlpha Abuses Cloudflare Tunneling Service for GammaDrop Staging Infrastructure
    on December 5, 2024 at 12:00 am

    BlueAlpha, a Russian cyber group, uses Cloudflare Tunnels to deploy GammaDrop malware, escalating challenges in targeting Ukrainian entities.

  • 2024 State of Threat Intelligence Infographic
    on December 3, 2024 at 12:00 am

    Discover key insights from 550+ cybersecurity experts on threat intelligence trends, spending, and strategies in our 2024 infographic. Learn more.

  • “Operation Undercut” Shows Multifaceted Nature of SDA’s Influence Operations
    on November 26, 2024 at 12:00 am

    Russia’s “Operation Undercut” uses AI-driven disinformation to sway opinion on Ukraine, aiming to erode Western support. Explore tactics and impacts.

  • Scam Websites Take Advantage of Seasonal Openings and Established Methods to Maximize Impact
    on November 26, 2024 at 12:00 am

    Discover how scam websites exploit seasonal opportunities and advanced tactics to target cardholders and banks. Learn how threat actors use lures, monetization strategies, and dark web resources to execute fraud.

  • Building Consistent Efforts: Veterans’ Causes at Recorded Future
    on November 22, 2024 at 12:00 am

    Building Consistent Efforts: Veterans’ Causes at Recorded Future

  • Russia-Aligned TAG-110 Targets Asia and Europe with HATVIBE and CHERRYSPY
    on November 21, 2024 at 12:00 am

    TAG-110, a Russia-aligned threat group, targets organizations across Asia and Europe using HATVIBE and CHERRYSPY malware for espionage. Learn how Recorded Future’s analysis uncovers the group’s tactics, techniques, and indicators of compromise.

  • The Need for Cyber Fraud Fusion Centers
    on November 19, 2024 at 12:00 am

    From Magecart to Mobile Menaces

  • Russian Sabotage Activities Escalate Amid Fraught Tensions
    on November 14, 2024 at 12:00 am

    Russia’s sabotage in Europe threatens NATO allies, targeting infrastructure to weaken Ukraine support. Explore tactics, goals, and risks.

  • Why the Shift to SaaS Amplifies Identity-Based Risk
    on November 12, 2024 at 12:00 am

    Explore why identity is the new security frontier. Learn how credential-based attacks dominate and discover proactive strategies for safeguarding SaaS environments.

  • China-Nexus TAG-112 Compromises Tibetan Websites to Distribute Cobalt Strike
    on November 12, 2024 at 12:00 am

    China-based TAG-112 exploited Tibetan sites to spread Cobalt Strike malware. Recorded Future reveals targeted threats by state-sponsored actors.

  • Predict D.C. and London: The Fight Against Ransomware Enters a New Phase
    on October 31, 2024 at 12:00 am

    Insights from Recorded Future’s Predict: leaders tackle evolving threats, AI risks, ransomware, and resilience strategies to empower security teams globally.

  • Cybersecurity Awareness Month: Gamifying Cybersecurity Training
    on October 28, 2024 at 12:00 am

    Discover how we use gamified training at Recorded Future. Engaging exercises simulate real-world threats, boosting employee preparedness and teamwork.
