Things Matt Wrote

Writings from the intersection of law enforcement and the Internet

If you do a Google search for the term “Felony Lane Gang”, you will get “about 2,860,001” results. That’s a little more than a bunch. Most of them appear to be news reports with titles such as,“Felony Lane Gang targets Moms”, “EPD arrests woman they say is part of the Felony Lane Gang”, or “Felony Lane Gang Ramping Up Again”. The commonality of these reports is the generalization that all of these bad actors have a familial connection. The news reporters and journalists undoubtedly get this bent from those of us in law enforcement and financial industry security who flippantly suggest the connection. We casually suggest the conspiracy by referring to every group who steals bags and cashes checks through the far drive-through teller lane as “the Felony Lane Gang”. Singular. As if they are all connected like a crime family or neighborhood sect of a national gang.

They are not. And we should stop doing this.

“The” Felony Lane Gang did exist. They were a group from Florida that traveled the east coast and were eventually arrested and prosecuted in the Middle District of Pennsylvania. My home bailiwick. Many of us remember this case, and I’m sure that a few readers of this newsletter were involved in the investigation and prosecution of the case. It was brilliant work. Here is one of the press releases from 2014 that I could find still online

The method of operation (MO) was to steal purses and bags from unattended vehicles, then disguise themselves as the victims, and cash the checks through the far lane of the bank drive-through. The distance of the far lane made it more difficult, and sometimes impossible, for the teller to discern the actual identity of the driver presenting the check. The thief just had to look closely enough. The farthest lane of the drive-through has become known as the “Felony Lane”.


There is an old saying that goes something along the lines of “if you want to get rich during a gold rush, don’t mine for gold, sell the shovels”. There is a lot of truth to this and the wisdom of the statement is easily apparent through multiple verticals, not just mining. In the age of big data, don’t make the data, store it! So says Amazon as they rake in billions through Amazon Web Services fees.

Keeping with the plan of suppling the infrastructure rather than engage in the actual activity, we find another financial services provider who found money laundering just too profitable to turn away from. The cryptocurrency exchange Binance seemed to reason there was no need to engage in the overt criminal activity that generates the money when it’s just as profitable to turn a blind eye as the funds traveled through their networks. And in some cases they had to work to create “plausible deniability”.

In this special investigative report, Reuters claims that Binance, among other things, “acted against its own compliance department’s assessment by continuing to recruit customers in seven countries, including Russia and Ukraine, judged to be of “extreme” money-laundering risk”, and “watered down compliance rules” concerning Know Your Customer regulations.

The report highlights an even more pressing questions concerning cryptocurrency finance: Ethics and compliance according to whose standards? Who are the regulators? What countries rules do these multi-national “virtual” businesses adhere to? Who is the enforcer?

What a great time to be in the business of financial crime investigation and enforcement!

#cyficrime #AML

Regular readers of this blog or those who subscribe to the Threats Without Borders newsletter, have read my concerns about security training. This article from ZDNet highlighting the failure of such efforts struck a chord with me, but not because I agree with the position of the article. Well, not entirely. I agree that security training is not the be-all, end-all, and new learning techniques are needed.

The article proposes that security training is failing because it’s not being delivered in a way that creates a security mindset. The author believes the effort needs to be all-encompassing and daily.

"I think one of the most important things to realize is most of the education and training done, it's not very effective," "The 30-minute video you're obligated to watch once a year doesn't do the job".

Yes, I’ll agree with this, but maybe it’s not all on the security professionals.

I like to use the analogy of telling a child not to touch a hot stove. You can tell a child over and over to not touch the stove coil while it's glowing red hot, and even show them the scars you have from doing it, but until they do it and get burned they don't have any context. And because they don’t have any context, because they haven’t felt the pain, they’re going to touch the hot stove.

Consider phishing. How many phishing victims have received some form of training? A LOT. Yet they still clicked the link. In many of the cases I have investigated, the person responsible for clicking the link or sending the money order says to me, “ I knew it looked suspicious” and “ I know better, I saw the same thing in training”,

Almost all promise me “ I won't make that mistake again”. And they won't. Much like a child never touches a hot stove top twice, they must get burned for the message to have an impact.

#cyficrime #cybersecurity #infosec #risk

I stopped making new year's resolutions a long time ago because I wasn't very good at keeping them. The pressure to maintain the effort became another stressor in my life. You can only fail at losing 15 pounds or daily teeth flossing so many times. I still set yearly goals but they are something that I have developed a plan and a roadmap to achieve.

Making new years resolutions is still popular for others and I have heard many declare their ill-fated intentions over the past few days. One of the most frequent themes I've heard has been the desire to “return to normal” referencing the Covid-19 pandemic and the way it's turned our lives upside-down since 2019.

What is normal at this point? I can only assume the declarants mean a return to life as is it was in December 2019. Do we really want to go back there at this point? And how would we do that? You can't put the past two years back in the bottle.

This longing for “normal” is foreign to those of us that defend against, or investigate cyber-financial crime. The concept of normalcy doesn't exist. Well, other than the bad guys are unrelenting in their attacks and continuously evolving their tactics to defeat us. There isn't a normal because the game is continuously evolving. Much like a virus, ransomware, phishing emails, business email compromise attacks, money laundering methods, and social engineering techniques are continually mutating in response to the tactics of security and law enforcement. There are new variants every day! The theme may be the same but the characters and their schemes are ever changing.

We never have the desire to return to normal because there is no normal. Normal is chaos. Everyday.

Welcome to 2022 and another year of combating cyber-financial crime. Normalcy is not an option.

#cyficrime #cybercrime #risk

New York Times author Nikole Hannah Jones recently made headlines herself for claiming that the United States dropped a nuclear weapon on the Japanese cities of Hiroshima and Nagasaki due to the sunk cost fallacy. The United States had spent so much money and time in creating an atomic weapon that it used the resulting tool only to prove that it was worth the effort. Anyone who has a half understanding of world history knows this is incorrect. This claim made in the weeks, months, or even a few years after the event, would be understandable. But after 81 years of study, scrutiny, and academic review, this assertion is proven wrong. So wrong, that someone who makes it should be held in no more regard than a person who still claims the earth is flat. Of course, Ms. Jones isn't about the truth.

Giving credit where credit is due, government decision-making and policy can be influenced by sunk costs. Personally, it is easy to pivot when realizing we're “throwing good money after bad” but in the machine of government, that is much easier said than done. Particularly, when the ego is involved.

Law enforcement agencies have this odd organizational setting where it's not quite a strict hierarchal military rank and file system but yet not run like a free market business entity. Much like a business, law enforcement agencies must satisfy the needs of their customers – the public it serves, and the executive board – the elected politicians. But unlike a business, the customers can't just go to a competing business. No matter how poor the service, the customers keep paying the bill – in the form of taxes. And the executives are everchanging, so if the law enforcement leadership conflicts with the CEO or Board of Directors they need only wait them out through the next election.


Being a voracious reader, I would share my interesting findings with friends and colleagues through email. Eventually, one politely asked that I save his inbox the stress and just send a single email aggregating all of the interesting links I had gathered over the week. Matt's Newsletter was born.

That was the first try. It is hard to keep interested in something when no one is paying attention. I stopped publishing after a few weeks of no feedback and no subscribers.

I never lost my appetite for reading and sharing my knowledge though. I started to collect and publish my writings on a blog. When I learned about the newsletter service Substack, I wondered if I could combine my writing with a newsletter sharing the best news stories I had read over the previous week? Matt's Newsletter was re-born.

52 weeks later, and a name change, it's still going.

Welcome to the Threats Without Borders Newsletter – Issue ONE YEAR!

So what have I learned after publishing a newsletter every week for one year?


I have previously written about the rise of “dog fraud” and the increase of fake websites and Internet marketplace ads offering designer dogs that don’t exist. Well, the breeds of dogs exists, the seller just doesn’t actually possess any to sell. These fraudulent sellers are usually found operating on web marketplaces such Facebook and OfferUp but have also gone to the extreme of creating entire websites. And some of them are well designed and functional, not just a Weebly template with some stock photos.

I suspect the next breed that will be the focus of scammers is the Shiba Inu. The rapid ascent of the Shiba Inu cryptocurrency has resulted in images of the dog posted front and center of just about every mainstream press website and periodical. It is a really good-looking dog and with a price range of $900 to $2500, it will also look good to the scammers.

In my experience, dog scammers had been focusing on the trendy and highly sought after, French Bulldog. I compared searches for the two breeds on Google.

“Shiba Inu for sale” (red) versus “French bulldog for sale” (blue)

Searches for the Shiba Inu are trending up, not as dramatically as I assumed, but have certainly risen to equal that of searches for French bulldogs.

I suspect that the Shiba Inu will create a lot of empty wallets, crypto, and leather.

#cyficrime #cybercrime

As defined by Wikipedia, the Curse of Knowledge is a cognitive bias that occurs when an individual, who is communicating with others, wrongly assumes they have the background to understand the communication. Just because you have mastered a subject doesn't mean everyone you communicate with has also. I often assume that my audience has the prerequisite knowledge to understand the information I am presenting. I am often wrong, which leads to frustration on both ends. This doesn't mean they are low intelligence, or unable to learn, it just means we have different backgrounds, experiences, and professions. An orthopedic doctor trying to explain bone density to me is going to get the same response as me trying to explain Network Address Translation to her.

I recently participated in a ransomware tabletop exercise at a local business. Initially, I was disappointed in the simplistic scenario presented by the consultant running the exercise. Uhh, so basic, I can't believe they are getting paid for this, I thought. But as the exercise played out, I observed that even such a basic scenario led to very productive conversation. In fact, the participants couldn’t have handled much more. Many of the stakeholders were not in the business of security, or Internet technology, and needed to be brought up to speed.

The curse of knowledge got me again. I allowed my mastery of the topic influence my opinion of the exercise and assumed the other participants had an equal or better understanding of ransomware and the incident response process. I had been through the scenario so many times, in both exercises and reality, that I had the answers. I wrongly assumed the others would also.


This week President Biden claimed to be “committed to the cybersecurity of the country” and promised to hold those that threaten our nation's security accountable. He also announced that his administration was hosting a meeting with 30 countries from the NATO and G7 alliance to discuss the problem of cybercrime and come up with a plan to combat it. The statement asserted the group would bring the “full strength” of their capabilities to disrupt the malicious cyber actors.

Israeli defense minister Naftali Bennett describes Iran as an Octopus that spreads its influence across the middle-east through its long tentacles. Mr. Bennett is the original proponent of the “Octopus Doctrine” declaring the only way to successfully beat an octopus is to target its head. “When the tentacles of the octopus strike you, do not fight only against tentacles, but strike the head also”. Life comes from the head, not the tentacles.

Previously the Biden administration outlined a new strategy for combating ransomware and cybercrime as detailed in this Wall Street Journal article. The administration plans to target the financial infrastructure of ransomware gangs hoping to remove the financial incentive of cyber-criminality.

Targeting the financial systems is just striking at one of the tentacles. You may cut it off but seven more exist and as you battle those the injured one will grow back.


I love speaking to telemarketers. It's a game really. I like to see how long I can keep them on the line before they hang up in frustration. The key is to not be an overt jerk and string them along like you want to be part of their program but just can't grasp what they need from you. Or offer a problem that they just can't get around. For instance, not being able to grasp the difference between a debit account and a credit account when credit card debt consolidators call. Another favorite is explaining that I live on an overgrown wooded lot and agreeing to purchase solar cells if the company will remove the five mature oak trees on my property.

Sometimes this game has unintended beneficial consequences. The vehicle warranty callers are relentless and I had been telling them that I have various vehicles and couldn't understand what vehicle they wanted to offer an extended warranty. They don't know what vehicle you own when they first call so their script offers a little social engineering attempting to get you to mention the make and model of your vehicle. I would try to keep them on the line as long as possible without ever mentioning a specific vehicle. Eventually, the caller would hang up. But someone else always called back. Sometimes the next day.

Recently one caller slipped and asked what vehicle I owned that was between the model years of 2012 and 2019. I guess the actual company behind the calls realizes there is no need to offer an extended warranty on a new vehicle that already has a valid warranty. Or one that is too old and will be a sure claim.

So, I told the next caller that I owned a 2021 Tesla to see how he handled the new model year. To my surprise, it wasn't the year that stymied him. It was the vehicle. The caller said, “Oh, we can't offer a warranty on a Tesla. I'll remove you from the list.” And then he hung up.