We got a letter from a listener this week — George, out of Maryland. And George's story is one of those things that just sits with you. Someone got hold of his Social Security number. Not through a phishing email, not through some obvious scam. He still doesn't know exactly how. What he does know is that suddenly there were credit accounts he never opened, a loan he never applied for, and this deeply unsettling feeling that someone out there was wearing his financial identity like a costume.
The thing George said that really stuck with me — he told us his mental image of who did this was still the classic one. Some sketchy outfit in a basement somewhere, the modern descendant of the Nigerian prince email. And he knew, even as he said it, that it didn't match what actually happened to him. The attack was too clean, too coordinated. It felt corporate.
That gap between what George pictured and what actually hit him — that's the whole problem in a nutshell. Who actually is the cyber crook in twenty twenty-six? Because the answer is a lot more unsettling than some guy in a hoodie firing off spam from a laptop in Lagos.
The real answer looks more like an org chart than a wanted poster.
Yet the lone hacker image won't die. You see it in movies, in news graphics, in the way companies write their breach notifications. It's always some hooded figure in a dark room, bathed in green light, typing furiously. The reality is more like a mid-size consulting firm with a really unethical business plan.
There's a reason that image persists, and it's not just lazy journalism. The lone genius narrative is comforting in a weird way. If the threat is one brilliant weirdo in a basement, then the problem feels containable. You catch the guy, you solve the crime. It's a detective story. But when the threat is a distributed organization with departments and performance reviews and a customer support ticketing system — that's not a story with a clean ending. That's infrastructure.
Infrastructure doesn't go away when you arrest one person. That's the part people don't want to sit with.
I mean, think about what we're actually looking at now. Cybercrime is a mature, trillion-dollar global industry. It has division of labor. It has research and development. It has human resources departments — and I'm not being glib about that. There are ransomware operations that actively recruit on dark web forums, conduct interviews, offer paid time off to their top developers.
Paid time off.
Paid time off. There was a report from a threat intelligence firm last year that documented a ransomware group offering a signing bonus to affiliates who brought their own initial access broker relationship to the table. That's not crime in the sense of a stickup. That's a hiring pipeline.
The guy who stole George's Social Security number probably has a more structured onboarding process than half the startups I've seen.
And the thing that makes this dangerous, from a defense perspective, is that we keep designing our security posture around the wrong threat model. We're hardening against the lone attacker — the person trying to brute-force a password or exploit a single vulnerability. But the real attacker is an organization that treats your network like a business opportunity. They have project managers. They have quality assurance. They do post-incident reviews to figure out what worked and what didn't.
Which means they learn faster than the defenders do. That's the asymmetry that bothers me.
And that's the thesis we want to land today. If you want to defend yourself effectively — whether you're George checking his credit report or a Fortune 500 CISO managing a security budget — you have to understand the attacker's organizational chart. Not just their malware. Not just their tactics. Who are these people, what roles do they fill, and what does the supply chain look like? Because if the enemy is a business, your defense has to be designed to disrupt a business process, not just patch a vulnerability.
The uncomfortable corollary to that — if they're a business, then the people working there aren't all masterminds. Some of them are just employees. Which means the barrier to entry is a lot lower than most people assume.
That's where we're going next. But first I want to sit with the organizational chart idea for a second, because it flips a lot of conventional security wisdom on its head. For years, the industry has been obsessed with the technical attack surface — the servers, the endpoints, the code. And that matters. But when you've got a criminal enterprise that includes dedicated social engineering teams, dedicated money laundering teams, dedicated initial access brokers who do nothing but sell footholds into networks — the real attack surface is human. It's organizational. It's the fact that someone in accounts payable can be convinced to wire money to the wrong place because the person on the phone sounds exactly like the CEO.
The person on the phone sounding like the CEO — that's not a technical exploit. That's a business process exploit. They've studied the org chart. They know who reports to whom. They know when the CFO is on vacation.
Which is why the first step in fixing our mental model is this: stop picturing a hacker. Start picturing a competitor. An unethical, illegal, morally bankrupt competitor — but a competitor. Someone who is studying your operations, identifying weak points in your processes, and allocating resources to exploit them at scale. That's the shift. And once you make it, a lot of the defensive strategies that get dismissed as paranoid suddenly look like basic due diligence.
If the org chart is the right mental model, the business model that makes the whole thing scalable is something called Cybercrime-as-a-Service. And it works almost exactly like software-as-a-service in the legitimate world, except the product is ransomware instead of project management tools.
Subscription pricing and everything, I assume.
Take LockBit — before the international task force disrupted them, they were the poster child for this. They built the ransomware, maintained the infrastructure, handled the negotiation playbooks, even ran a help desk for victims who needed technical assistance paying the ransom. And then they franchised the whole operation. Affiliates would deploy the ransomware using LockBit's tools, and LockBit took a twenty to twenty-five percent cut of every ransom paid. The rest went to the affiliate.
The person who actually locked up George's data might not have written a single line of code. They just bought a subscription.
That's the lowering of the barrier right there. You don't need to know how to build ransomware. You don't need to know how to set up a command-and-control server, or manage a cryptocurrency wallet, or negotiate with victims. The platform handles all of that. You just need to figure out how to get inside a network. And if you don't know how to do that either, you can buy initial access from a broker who specializes in it.
Which means we're not talking about a criminal. We're talking about a criminal supply chain. Different vendors, different specialties, all plugging into the same platform.
That supply chain maps almost perfectly onto the global economy. The masterminds — the people writing the malware and designing the campaigns — they tend to operate from safe-haven countries. Russia, North Korea, places where extradition treaties are basically nonexistent. They're the research and development arm. Then you've got the foot soldiers. These are the people running the phishing campaigns, making the vishing calls, managing the money mule networks. They're operating out of lower-cost labor markets — Nigeria, India, parts of Eastern Europe — where the economics of a few thousand dollars per successful attack go a lot further.
It's a human command-and-control surface. The brains are in one jurisdiction, the hands are in another, and neither one can be touched easily.
Precisely the design. And that brings us back to George. His Social Security number theft — that almost certainly wasn't a ransomware attack. It was something called synthetic identity fraud. And it's the fastest-growing type of financial crime in the United States right now.
Walk me through that. What does "synthetic identity" actually mean?
A real SSN gets stolen — from a data broker breach, a healthcare provider, one of those massive dumps we've seen over the years. Then a criminal takes that real SSN and combines it with a fabricated name, a fabricated date of birth, a fabricated address. You've essentially created a new person on paper. A synthetic identity. That identity has no credit history, so it looks clean. You start small — apply for a low-limit credit card, pay it off, build a credit score over six or eight months. Once the score is high enough, you take out loans, open bigger lines of credit, max everything out, and vanish. The identity disappears. The debt lands on the real SSN holder.
George is left holding the wreckage of a person who never existed.
And the supply chain behind this is disturbingly specialized. Step one, you need the raw SSNs. Those come from data broker breaches — companies that aggregate personal information and have, historically, terrible security. Step two, you need a document specialist. Someone who can take that SSN and produce a fake driver's license or utility bill that looks legitimate enough to pass a bank's verification. Step three, you need a money mule to physically walk into a bank branch or make the online application. That mule might be a low-level criminal, or they might be a victim themselves — someone recruited through a fake job ad. Step four, the mastermind orchestrates the whole thing, takes out the loans, extracts the cash, and disappears.
Four different roles, probably four different countries, and the victim never interacts with any of them directly. It's like being robbed by a committee.
The FBI's Internet Crime Complaint Center — the IC3 — put out their twenty twenty-five report earlier this year. Over twelve point five billion dollars in reported cybercrime losses. That's just what gets reported. And social engineering attacks — the human stuff, the phone calls, the impersonation — accounted for a massive portion of that. The human element isn't a side channel anymore. It's the main attack vector.
Twelve point five billion. That's not a crime wave. That's a parallel economy.
Who are these people, actually? Not the organizational boxes — the human beings filling them. Because that's where the profile gets stranger than most people expect.
The affiliate marketer who buys a ransomware kit — that person might have been selling legitimate SaaS subscriptions three years ago. They understand conversion funnels, they understand targeting, they understand customer psychology. They just pivoted to a product with better margins. I read a threat profile last year about a LockBit affiliate who previously ran Facebook ad campaigns for a dental supply company.
The LinkedIn-to-dark-web pipeline.
It's not even that dramatic. Sometimes it's the same skills, same mindset, completely different product. Then you've got the money mules — and this is where the victim-perpetrator line gets blurry. A lot of mules aren't career criminals. They're people who answered a job posting for a "financial processing assistant" or a "remote logistics coordinator." They think they're doing legitimate work. The first time they realize what's happening, they're already complicit.
Some of the people in George's supply chain might not even know they're in George's supply chain.
Then at the top, you've got the developers. These are skilled programmers, often in countries like Russia or North Korea, where the state either turns a blind eye or actively employs them. For North Korean operatives, cybercrime is literally a state revenue stream. It funds the weapons program. These aren't disaffected teenagers. They're national assets.
That's a long way from the guy in the basement.
Here's where it gets even more tangled. The twenty twenty-five Europol report on organized crime documented something that should make everyone reconsider their threat model. Traditional mafia organizations — Italian groups, Eastern European syndicates — are actively diversifying into cybercrime. They're not replacing the drug trade, they're adding a digital division. Because the risk-to-reward ratio is just better. Moving a kilogram of cocaine across a border involves customs agents, physical surveillance, violence, informants. Moving a million dollars in ransomware payments involves none of that.
Lower overhead, no shipping costs, and you never have to leave the house.
The Europol report specifically flagged increased cooperation between these traditional groups and cybercriminal networks in money laundering and drug trafficking logistics. The mafia brings the infrastructure for moving dirty money. The hackers bring the new revenue stream. It's a merger.
Which means the physical safety question isn't theoretical anymore. If you're a security researcher tracking a ransomware group and that group is now backed by an organization that has a history of physical violence — suddenly doxxing isn't just a privacy concern.
That's exactly the escalation we're seeing. Researchers in the ransomware tracking space have had to relocate their families. Conferences now have physical security protocols for speakers who work on takedowns. This isn't just bits and bytes anymore.
There's another profile I want to surface here, because it's the one that keeps CISOs up at night. The insider threat. The legitimate IT professional who decides to run a black hat side hustle.
The white-collar credential broker.
This person has a real job, real access, real credentials. They're not breaking in — they're already inside. And they might rationalize it as victimless. Selling a few login credentials on a dark web forum for extra cash. What's the harm?
The harm is that they're the hardest to detect. No strange IP addresses, no unusual login times, no malware signatures. They're supposed to be there. Behavioral analytics — what the industry calls UEBA, user and entity behavior analytics — is one of the few tools that can catch this. You're looking for deviations from normal patterns. The sysadmin who suddenly starts accessing HR databases at three in the morning. The developer pulling customer records they've never touched before.
That requires a level of monitoring that most organizations don't have, and a level of trust in your analytics that most security teams haven't developed yet.
Which loops back to the core shift we've been talking about. If the attacker is structured like a corporation, your defense has to be corporate too. It's not just about firewalls and endpoint detection anymore. It's about threat intelligence sharing between companies. It's about disrupting the supply chain — taking down the bulletproof hosting providers, arresting the money mules, making the business model less profitable.
The LabHost takedown in twenty twenty-four is the case study here. Over two thousand criminal subscribers, a full SaaS dashboard with tutorials, customer support. When law enforcement took it down, they didn't just seize a server. They disrupted a business. Two thousand criminals suddenly lost their platform.
That's the strategic reframe. For years, security spending has been dominated by the question "what tool stops this attack?" The better question is "what action makes this criminal business less viable?" Sometimes that's a technical control. Sometimes it's going after their payment infrastructure. Sometimes it's better identity verification that makes synthetic fraud harder to pull off.
Which means security budgets need to shift from pure technology to include things like threat intelligence partnerships, industry information-sharing groups, even funding for law enforcement cyber units. That's not a line item most CFOs are used to seeing.
No, and it's a hard sell because the ROI isn't immediate. You don't see the attack that didn't happen because the criminal group decided your industry was too much trouble. But that's the game now. You're not trying to be faster than a hacker. You're trying to be a less attractive target than the next company in their pipeline.
The question for someone like George — and for every organization listening — isn't "how do I build a better wall?" It's "how do I make myself a business problem they don't want to solve?
Let's make this concrete. If the enemy is a business, what does that mean for the person sitting at home checking their bank account? For George in Maryland, the single most effective thing he can do is not buy better antivirus software. It's freeze his credit.
Credit freeze is the nuclear option, and it's free now. Every major bureau has to offer it. What it does is simple — no new creditor can pull your report, which means no one can open a new account in your name. The synthetic identity fraud we described? It stops working if the credit bureau won't release the file.
The reason this matters more than any technical fix is that George didn't lose his SSN because his computer was insecure. He lost it because some data broker got breached three years ago and his number has been circulating on dark web marketplaces ever since. No amount of patching on his end prevents that. The defense has to happen downstream, at the point where the stolen data gets used.
That's the mental shift. Stop asking "how did they get in" and start asking "what can they actually do with what they stole." A frozen credit file answers the second question with "nothing.
The second piece for individuals — multi-factor authentication on every financial account. Not SMS-based, ideally. App-based or hardware key. Because if someone has your SSN and your address, they can call your bank and try to talk their way in. But if the bank requires a code from an authenticator app that's tied to your physical phone, the social engineering hits a wall.
The third thing — this is the one people hate because it's tedious — check your credit report for accounts you didn't open. Not once a year. Every few months. The synthetic identity fraud playbook relies on the victim not noticing for six to twelve months while they build up the credit score. Early detection collapses the timeline.
There's a specific thing to look for, too. It's not just unfamiliar credit cards. Look for small utility accounts, prepaid phone plans, rent-to-own furniture. Those are the starter accounts synthetic identities use to build a credit file from scratch. If you see a gas bill in Peoria you never signed up for, that's not a mistake. That's the first brick in the wall.
For George specifically — credit freeze, MFA on everything financial, and a recurring calendar reminder to scan his credit report. That's the individual playbook. It's not glamorous, but it's designed to disrupt the business model, not the malware.
Now for organizations, the translation is similar but scaled up. The biggest bang-for-buck investment right now is not another endpoint detection tool. It's training your people to resist the specific social engineering tactics that bypass all the technical controls. Vishing — voice phishing — is exploding. Deepfake audio of executives authorizing wire transfers. These aren't theoretical. They're happening weekly.
The defense against a deepfake of your CFO's voice is not a better spam filter. It's a process. For any transaction above a certain threshold, you verify through a second channel. The phone call says "wire the money now" — you hang up and send a text or a Slack message to confirm. It adds thirty seconds. It kills the attack.
The second organizational piece is identity verification for high-value actions. If someone calls your IT help desk claiming to be an employee who forgot their password, what's the verification? "What's your employee ID and date of birth?" That information is probably in the last breach dump. You need something that can't be looked up — a video call, a pre-registered passphrase, a push notification to a known device.
This connects back to the supply chain idea. If synthetic identity fraud requires a fake ID to open the bank account, then better ID verification at the bank level makes the whole fraud more expensive to pull off. You're not securing your network. You're making their supply chain less efficient.
That's the through-line. Whether you're George or a bank or a mid-size company, the question is the same. Not "am I unhackable" — nothing is unhackable. The question is "have I made the cost of attacking me higher than the expected return?" Because criminal enterprises, like real enterprises, do ROI calculations. If your defenses make the margin too thin, they move to someone who didn't bother.
The uncomfortable truth is that a lot of them will find that someone. But that doesn't mean the defenses don't matter. It means the goal is to be in the top half of the herd. You don't have to outrun the lion. You just have to outrun the next guy.
Which is a deeply unromantic way to think about security. But it's the one that actually works.
Let's bring this back to George. He's sitting in Maryland, staring at a credit report full of accounts he never opened, trying to picture who did this to him. And the answer isn't a guy in a basement. It's a twenty-two-year-old affiliate in a rented apartment in Lagos, running a script he didn't write, using a toolkit built by a thirty-five-year-old developer in St. Petersburg, for a boss whose name shows up in Russian organized crime watchlists.
The twenty-two-year-old might not even know the boss's real name. He just knows the cut is twenty percent, the dashboard tracks his success rate, and customer support answers within four hours if he runs into trouble.
That's the part that should reframe how we think about this. The person who actually stole George's identity probably doesn't hate George. Probably never thought about George at all. George was a line item. A conversion metric. A successful deployment on a platform that gamifies fraud the way a sales dashboard gamifies cold calls.
Which is somehow worse, isn't it? The malice is impersonal. It's just business.
That's where we have to leave this, because the next evolution is already happening. AI is making the social engineering side of this scalable in ways that should make everyone uncomfortable. We're already seeing deepfake audio that can clone a voice from three seconds of social media footage. We're seeing language models that can run a vishing call in real time, adapting to the victim's responses, never getting tired, never getting flustered, never making the mistake that tips you off.
The human firewall — that phrase we use for employees who are trained to spot social engineering — that firewall is about to face an attacker that doesn't sound like an attacker. It sounds like your boss. It sounds like your spouse. It knows your kid's name because your kid's name is on Instagram.
The open question we want to leave on the table — and this is genuinely where the next few years are headed — is what does the human firewall become when the attacker is no longer human in the moment of contact? When the voice on the phone isn't a person reading a script, but a model generating persuasion in real time? Does the defense shift entirely to out-of-band verification? Do we need shared secrets between family members the way intelligence agencies use them? Do we need to start treating personal information as classified material?
That's a whole episode on its own. And honestly, probably an uncomfortable one.
For now, the actionable takeaway is the one we landed on. The cyber crook in twenty twenty-six isn't a lone genius or a basement-dwelling scammer. They're an employee in a global enterprise. And you defend against an enterprise by making yourself a bad business proposition. Freeze your credit. Check your report. Verify through a second channel. Make the margin too thin.
If you've got a weird prompt — maybe about AI voice cloning, maybe about the death of the password, maybe about why anteaters are inherently untrustworthy — send it to us. The show lives on what you send in.
Now: Hilbert's daily fun fact.
Hilbert: In the early medieval period, roughly one in every three cooking pots recovered from archaeological sites in Belize was carved from solid soapstone, a material that retains heat so effectively it was traded across the Maya lowlands as a prestige cookware item.
...I have questions about how Hilbert categorizes "fun."
This has been My Weird Prompts. If you enjoyed this episode, leave us a review wherever you listen — it helps other people find the show. We're Corn and Herman Poppleberry, and we'll catch you next time.