Legitimacy and Scale – The Two Things Cybercrime Cannot Build Alone
- Sweeney warns that sanctions and disruptions matter, but they punish a snapshot of the organization.
- By the time that infrastructure shows up in a click event or a help-desk ticket, the attack is already underway.
- Silent Push notes that these operators prey on financial anxiety.
- If you don’t know your baseline cold, you can’t distinguish an attacker mimicking you from an internal team.
- Complete SPF, DMARC, and DKIM coverage on every sending domain remains one of the strongest protections.
Michael Sweeney, Director of the Preemptive Cyber Defense Team at Silent Push, explained how cybercrime operations are built to survive disruption by spreading infrastructure, abusing trusted platforms, and rebuilding despite sanctions or takedowns.
He previously worked as an Intelligence Analyst and Cyber Threat Analyst within the U.S. Federal Government, focusing on cyber defense, threat detection, and infrastructure analysis.
Sweeney described how ransomware groups, fraud actors, and laundering networks deliberately distribute operations across multiple hosting providers, registrars, crypto services, and jurisdictions so no single seizure can collapse the ecosystem.
Legitimate cloud services, CDNs, object storage platforms, and front companies now play a major role in helping malicious infrastructure blend into normal internet traffic by inheriting the trust of established platforms.
Pig-butchering operations succeed by building emotional trust over weeks or months before introducing fake investment schemes tied to crypto or AI-themed platforms.
AI is reducing the cost of impersonation campaigns by helping attackers generate convincing websites, emails, voice clones, and executive deepfakes at scale.
From a defensive perspective, organizations still struggle to detect staged infrastructure, allowing adversaries to target customers, employees, and supply chains long before anyone notices.
Vishwa: We’re seeing fraud networks continue operating even after sanctions. What allows these groups to rebuild?
Michael: The cycle from detection to designation moves slowly. Investigators need to build evidentiary records that can survive court and diplomatic scrutiny, and that work takes months or years while the actor keeps generating revenue and stockpiling resources.
By the time a sanction lands, the operator has already built the muscle memory to rebuild. Specific takedowns can and do hurt: Operation Cronos materially degraded LockBit's operations, seized its infrastructure, and exposed its leadership.
But at the ecosystem level, the pattern repeats. Conti's leadership and tooling didn't disappear when the brand collapsed; it reorganized into successor operations.
The same dynamic shows up in crypto laundering infrastructure: when one exchange gets designated, the same operators set up a successor exchange with new branding but the same customer base.
Sanctions and disruptions matter, but they punish a snapshot of the organization.
Vishwa: How are attackers structuring their infrastructure to avoid disruption and takedowns?
Michael: The operators that survive at scale spread infrastructure deliberately. The patterns we track most often:
- distributing assets across multiple hosting providers and autonomous systems so a single takedown only clips one branch
- leaning on bulletproof hosting operators whose business model is tolerating abuse complaints
- rotating nameserver substrates and registrar relationships so the operator surface isn't anchored to one chokepoint
- routing illicit proceeds through crypto exchanges
- mixing services that operate in jurisdictions with weak KYC or active sanctions-evasion practices
The throughline is redundancy by design — the operator assumes any single piece will get burned, so they make sure no single piece carries the operation. Commodity operators don't bother with this level of redundancy; the operators that last in this market do.
Vishwa: What role do legitimate services and front companies play in keeping these operations active?
Michael: Legitimate services give criminal infrastructure two things it can't manufacture on its own: trust and scale.
- A phishing kit hosted on a well-known cloud platform,
- a payload staged on a major CDN,
- an exfiltration channel routed through a mainstream object-storage service.
They all inherit the reputation of the host.
Traditional perimeter security and domain reputation filters struggle to flag this kind of traffic precisely because it looks legitimate at the network layer.
Front companies do the same job at the corporate layer: state-sponsored programs use them to onboard remote IT workers into Western payroll systems and project platforms, where the worker's traffic and tooling blend into normal business activity.
The mechanics aren't nuanced. The actors are studying each platform's controls until they understand which checks they can defeat and which they need to bypass with social engineering. Then they ride the platform's own legitimacy.
Vishwa: Fraud campaigns like pig-butchering continue to see high success rates. What makes these schemes effective?
Michael: Operators invest weeks or months building a friendship, romantic connection, or business rapport with the victim before the investment pitch ever appears. By the time the victim is staring at a fake trading platform, their critical evaluation has already been disabled by trust.
Two factors stack on top of that. First, the technology being mimicked (crypto trading apps, AI investment platforms, fintech products) is genuinely new and unfamiliar, so the threshold for what "looks real" is lower.
Victims tolerate a `.io` or `.app` domain and a slightly rough interface because the legitimate products in this space are also young.
Second, these operators prey on financial anxiety. When economic uncertainty is high, scams frame themselves as a convenient solution.
The FBI's most recent annual figures put cryptocurrency investment fraud losses around $5.8 billion across more than 41,000 reported cases, and the actual number is meaningfully higher because most victims never file.
Vishwa: How are threat actors able to impersonate global brands?
Michael: They borrow the brand's technical identifiers.
- A lookalike domain registered on a permissive registrar,
- a copied favicon or HTML title,
- an MX configuration that mimics the real mail flow,
- an image and color palette pulled directly from the legitimate site.
They are inexpensive to assemble, and in combination they clear the bar for most casual inspection.
AI has compressed the cost of the harder pieces. Where actors previously needed a competent designer and a native speaker to produce a convincing landing page or executive impersonation email, they can now generate both at scale.
The FBI has documented a sharp rise in AI-enabled social engineering — including AI-generated voice impersonations of senior officials and high-profile deepfake video-call frauds reported in 2024.
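The identifiers Sweeney lists (a lookalike domain, a copied favicon, a copied HTML title) are also the identifiers a defender can fingerprint. The script below is an added example, not code from Silent Push or the interviewee: it fingerprints a brand's legitimate login page by favicon digest and title, then scores candidate hosts that are not in the brand's own inventory for reuse of those identifiers and for lookalike registrable labels (homoglyph substitutions, brand name embedded in a longer hostname). The brand `examplebank.com`, the known-host list, the HTML and the favicon bytes are all constructed; sha256 stands in for whatever favicon digest your tooling uses (Shodan-style mmh3 hashes work the same way), and the registrable-label extraction is a last-two-labels simplification that a real deployment would replace with a Public Suffix List lookup.

```python
import hashlib
import re
from difflib import SequenceMatcher

# Hypothetical brand and its authorised hostnames; a real deployment loads
# these from the organisation's DNS and asset inventory.
BRAND_DOMAIN = "examplebank.com"
KNOWN_HOSTS = {"examplebank.com", "www.examplebank.com", "login.examplebank.com"}

# Substitutions attackers commonly use in lookalike registrations (subset).
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"),
              ("3", "e"), ("5", "s")]

# Constructed sample pages: the legitimate login page, a clone of it, and an
# unrelated site. The favicon bytes are made up; any stable digest works.
LEGIT_HTML = "<html><head><title>ExampleBank - Sign in</title></head><body>real</body></html>"
LEGIT_FAVICON = b"\x89PNG\r\n\x1a\nconstructed-examplebank-favicon"
CLONE_HTML = "<html><head><title>ExampleBank - Sign in</title></head><body>copy</body></html>"
BENIGN_HTML = "<html><head><title>Example Bakery</title></head><body>bread</body></html>"


def extract_title(html: str) -> str:
    """Return the <title> text with whitespace collapsed, or '' if absent."""
    m = re.search(r"<title[^>]*>(.*?)</title>", html, re.I | re.S)
    return re.sub(r"\s+", " ", m.group(1)).strip() if m else ""


def favicon_hash(favicon: bytes) -> str:
    return hashlib.sha256(favicon).hexdigest()


def second_level_label(host: str) -> str:
    """Label left of the TLD. Simplified: real code should use the Public
    Suffix List so that names such as examplebank.co.uk are handled."""
    parts = host.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def normalise(label: str) -> str:
    """Undo common homoglyph tricks and drop non-letters before comparing."""
    label = label.lower()
    for fake, real in HOMOGLYPHS:
        label = label.replace(fake, real)
    return re.sub(r"[^a-z]", "", label)


def lookalike_score(host: str, brand: str = BRAND_DOMAIN) -> float:
    """Similarity (0..1) between the registrable labels after normalisation."""
    return SequenceMatcher(None, normalise(second_level_label(host)),
                           normalise(second_level_label(brand))).ratio()


def fingerprint(html: str, favicon: bytes) -> dict:
    return {"title": extract_title(html), "favicon": favicon_hash(favicon)}


def assess(host: str, html: str, favicon: bytes, brand_fp: dict,
           threshold: float = 0.8) -> dict:
    """Flag a page that reuses the brand's identifiers on a host we do not own."""
    host = host.lower().rstrip(".")
    if host in KNOWN_HOSTS:
        return {"host": host, "verdict": "known", "reasons": [], "score": None}
    fp = fingerprint(html, favicon)
    reasons = []
    if fp["favicon"] == brand_fp["favicon"]:
        reasons.append("favicon hash matches brand")
    if fp["title"] and fp["title"].lower() == brand_fp["title"].lower():
        reasons.append("HTML title matches brand")
    score = lookalike_score(host)
    if score >= threshold:
        reasons.append(f"registrable label resembles brand (score {score:.2f})")
    if second_level_label(BRAND_DOMAIN) in host:
        reasons.append("brand string embedded in hostname")
    # One borrowed identifier is worth a look; two or more is how these kits
    # clear casual inspection, so that is the bar for calling it impersonation.
    verdict = "impersonation" if len(reasons) >= 2 else ("suspicious" if reasons else "unrelated")
    return {"host": host, "verdict": verdict, "reasons": reasons, "score": round(score, 2)}


BRAND_FP = fingerprint(LEGIT_HTML, LEGIT_FAVICON)
CANDIDATES = [  # (host, fetched HTML, fetched favicon bytes), all constructed
    ("examp1ebank.io", CLONE_HTML, LEGIT_FAVICON),
    ("examplebank.com.secure-login.xyz", CLONE_HTML, b"other-favicon"),
    ("examplebakery.net", BENIGN_HTML, b"other-favicon"),
    ("login.examplebank.com", LEGIT_HTML, LEGIT_FAVICON),
]


def run() -> list:
    return [assess(h, html, fav, BRAND_FP) for h, html, fav in CANDIDATES]


if __name__ == "__main__":
    for r in run():
        print(r["host"], r["verdict"], r["reasons"])
```

Two things are worth noticing in the output. The near-miss label `examplebakery.net` scores above the similarity threshold but borrows nothing else, so it is only marked "suspicious"; the long hostname `examplebank.com.secure-login.xyz` has an unrelated registrable label, and is caught instead by the embedded brand string plus the copied title. Pushing the verdict past "suspicious" deliberately requires two independent identifiers, which is the same combination the interview says attackers rely on to pass casual inspection.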
Vishwa: From a defender’s perspective, where do organizations typically fail to detect these campaigns?
Michael: Defenders are good at watching their own attack surface. The assets they own, the perimeter they control, the obvious lookalikes on `.com`.
In my team's work, the gap we see most consistently is one step outside that view: the staged infrastructure that an adversary builds before they fire.
- A credential-harvesting site on a less-policed top-level domain,
- a phishing kit hosted on a service the SOC doesn't normally monitor,
- a payload server that never connects inbound to the corporate network but is being prepared for the customer base, the supply chain, or the executive team.
By the time that infrastructure shows up in a click event or a help-desk ticket, the attack is already underway. Mandiant's most recent annual frontline data shows attacker dwell time is actually getting worse:
- the global median rose from 10 days in 2023 to 11 in 2024, and again to 14 in 2025
- driven in part by adversaries hiding on edge devices and platforms that traditional EDR doesn't cover
The same dynamic applies upstream, in the staging window before the adversary ever touches the perimeter.
Vishwa: What signals or patterns should security teams prioritize if they want to disrupt these operations?
Michael: Start with your own infrastructure baseline before you start hunting adversaries. Adversary tradecraft has technical commonalities:
- reused certificates,
- recycled nameserver substrates,
- predictable favicon and HTML title patterns,
- certain registrar and ASN preferences
Those commonalities eventually collide with your own baseline:
- your authorized CAs,
- your real nameservers,
- your legitimate subdomain inventory,
- your email authentication posture.
If you don't know your baseline cold, you can't distinguish an attacker mimicking you from an internal team standing up a new service.
Prioritize, in roughly this order:
- A clean inventory of authorized certificate authorities and CAA records,
- Complete SPF/DMARC/DKIM coverage on every sending domain (CISA's guidance specifically calls out a DMARC policy of `reject` as the strongest protection against spoofed email),
- A current list of legitimate subdomains and CNAME targets so dangling records get caught, and visibility into the registrar and hosting space your legitimate footprint lives in.
Once that baseline is solid, the adversary's lookalikes targeting your customers and supply chain stop looking plausible and start looking obvious.
From there, the disruption work (abuse reports to registrars and hosting providers, brand-protection takedowns, coordinated reporting to law enforcement) actually has traction, because you're submitting the evidence.
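The baseline checks in that list can be scripted against a zone export. The following is an added example, not code from Silent Push or the interviewee: it evaluates the effective DMARC policy (including the organisational-domain `sp=` fallback that governs subdomains without their own record), the SPF default qualifier, CAA inheritance up to the apex, and whether each CNAME target is still something the organisation owns or claims. The zone for the hypothetical `example.org`, the authorised-CA set and the claimed-external list are constructed so the script runs offline; a live version would resolve the same names with dnspython or `dig`. The organisational-domain logic is a last-two-labels simplification (use the Public Suffix List in production), and DKIM is not checked because that requires knowing each sender's selectors.

```python
import re

# Hypothetical organisation baseline: CAs we buy certificates from and
# third-party resources we currently hold (the hosts we own are the ZONE keys).
AUTHORIZED_CAS = {"letsencrypt.org", "digicert.com"}
CLAIMED_EXTERNAL = {"example-prod.azurewebsites.net"}

# Constructed zone snapshot (name -> rrtype -> values) so this runs offline;
# a live version would resolve these with dnspython or dig.
ZONE = {
    "example.org": {"TXT": ["v=spf1 include:_spf.google.com ~all"],
                    "CAA": ['0 issue "letsencrypt.org"', '0 issue "digicert.com"',
                            '0 iodef "mailto:security@example.org"']},
    "_dmarc.example.org": {"TXT": ["v=DMARC1; p=none; rua=mailto:dmarc@example.org"]},
    "mail.example.org": {"TXT": ["v=spf1 ip4:203.0.113.0/24 -all"]},
    "_dmarc.mail.example.org": {"TXT": ["v=DMARC1; p=reject; adkim=s; aspf=s"]},
    "app.example.org": {"CNAME": ["example-prod.azurewebsites.net"]},
    "old-promo.example.org": {"CNAME": ["promo-2022.azurewebsites.net"]},
    "status.example.org": {"CAA": ['0 issue "sectigo.com"']},  # CA not on our list
}
DOMAINS = ["example.org", "mail.example.org", "app.example.org",
           "old-promo.example.org", "status.example.org"]
CAA_RE = re.compile(r'^(\d+)\s+(issue|issuewild|iodef)\s+"([^"]*)"$')


def lookup(name, rrtype):
    return ZONE.get(name, {}).get(rrtype, [])

def parse_tags(record):
    """'v=DMARC1; p=reject; rua=...' -> {'v': 'DMARC1', 'p': 'reject', ...}"""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def org_domain(domain):
    # Simplified organisational domain (last two labels); real code uses the PSL.
    return ".".join(domain.split(".")[-2:])

def dmarc_tags(name):
    recs = [r for r in lookup(f"_dmarc.{name}", "TXT") if r.lower().startswith("v=dmarc1")]
    return parse_tags(recs[0]) if len(recs) == 1 else None  # >1 record = no policy

def check_dmarc(domain):
    """Effective policy: the domain's own p=, else the org domain's sp= (then p=)."""
    tags = dmarc_tags(domain)
    if tags is not None:
        p = tags.get("p", "").lower()
    else:
        org = org_domain(domain)
        tags = dmarc_tags(org) if org != domain else None
        if tags is None:
            return "missing"
        p = tags.get("sp", tags.get("p", "")).lower()
    return p if p in ("none", "quarantine", "reject") else "invalid"

def check_spf(domain):
    recs = [r for r in lookup(domain, "TXT") if r.lower().startswith("v=spf1")]
    if len(recs) != 1:
        return "missing" if not recs else "multiple"  # multiple records = permerror
    terms = recs[0].lower().split()
    labels = {"-all": "hardfail", "~all": "softfail", "?all": "neutral", "+all": "passall", "all": "passall"}
    return next((v for k, v in labels.items() if k in terms), "no_all")

def check_caa(domain):
    """CAA is inherited: walk toward the apex until a record set exists (RFC 8659)."""
    labels = domain.split(".")
    for i in range(len(labels) - 1):
        name = ".".join(labels[i:])
        recs = lookup(name, "CAA")
        if recs:
            issuers = set()
            for m in filter(None, map(CAA_RE.match, recs)):
                ca = m.group(3).split(";")[0].strip()  # drop issuer parameters
                if m.group(2) != "iodef" and ca:       # empty value = no issuance at all
                    issuers.add(ca)
            return {"source": name, "issuers": issuers, "unauthorized": issuers - AUTHORIZED_CAS}
    return {"source": None, "issuers": set(), "unauthorized": set()}  # any CA may issue

def check_cname(host):
    targets = lookup(host, "CNAME")
    if not targets:
        return None
    target = targets[0].rstrip(".")
    # A target we neither host nor currently claim needs checking: if the provider
    # lets anyone register that name, the record is a subdomain-takeover path.
    return {"target": target, "unclaimed": target not in ZONE and target not in CLAIMED_EXTERNAL}

def baseline_report(domains):
    return {d: {"dmarc": check_dmarc(d), "spf": check_spf(d),
                "caa": check_caa(d), "cname": check_cname(d)} for d in domains}

def findings(report):
    out = []
    for d, r in report.items():
        if r["dmarc"] != "reject":
            out.append(f"{d}: effective DMARC policy is '{r['dmarc']}', target is p=reject")
        if r["spf"] != "hardfail":
            out.append(f"{d}: SPF is '{r['spf']}', publish a record ending in -all")
        if r["caa"]["source"] is None:
            out.append(f"{d}: no CAA record in scope, any CA may issue")
        elif r["caa"]["unauthorized"]:
            out.append(f"{d}: CAA at {r['caa']['source']} allows {sorted(r['caa']['unauthorized'])}")
        if r["cname"] and r["cname"]["unclaimed"]:
            out.append(f"{d}: CNAME -> {r['cname']['target']} is unclaimed (possible dangling record)")
    return out

if __name__ == "__main__":
    print("\n".join(findings(baseline_report(DOMAINS))))
```

On the constructed zone, `mail.example.org` is the only name that comes back clean: it publishes `p=reject`, a hard-fail SPF, and inherits the restrictive CAA set from the apex. `app.example.org` has no DMARC record of its own, so the apex's `p=none` (there is no `sp=`) is what actually governs it, which is exactly the kind of inherited weakness a mimicking registrant benefits from. `old-promo.example.org` points at a hosting name nobody on the claimed list holds any more, and `status.example.org` overrides the apex CAA with a CA the organisation does not use; both are the dangling-record and unauthorised-CA cases the list above says to catch.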