Protecting Everyday People From Adversaries
We track, expose, and dismantle malspam and phishing campaigns that prey on ordinary people. From credential-harvesting kits to large-scale email fraud operations — we find them, document them, and shut them down.
Research Areas
We focus on the threats that hit closest to home — mass-scale phishing operations, malicious spam networks, and the adversaries behind them who target people with little to no cybersecurity training or support.
End-to-end investigation of phishing kits, lure themes, hosting infrastructure, and threat actor patterns targeting consumers and small businesses.
Tracking high-volume malicious email campaigns distributing credential stealers, banking trojans, and ransomware to unsuspecting recipients.
Identifying and cataloguing fake login pages, spoofed brands, and credential-theft infrastructure set up to defraud everyday users.
Mapping the bulletproof hosting, domain registrars, and C2 frameworks used by threat actors to evade detection and sustain campaigns.
Documenting evolving lure strategies — from fake parcel delivery SMS to IRS impersonation emails — that exploit trust and urgency.
Coordinating with registrars, hosting providers, and law enforcement to take down active threat infrastructure and protect potential victims.
Methodology
A focused, repeatable process — from spotting a campaign in the wild to ensuring the infrastructure behind it goes dark.
We monitor spam traps, abuse feeds, and passive DNS to surface newly active phishing domains and malspam runs as they emerge.
We reconstruct the full attack chain — from the initial lure email or SMS through to payload delivery and post-compromise objectives.
Pivoting on IPs, certificates, registrant data, and kit fingerprints to uncover the full scope of an actor's hosting and distribution network.
Linking campaigns to known threat actors or clustering previously unattributed activity into tracked groups for ongoing monitoring.
Submitting abuse reports, working with upstream providers, and notifying impersonated brands to dismantle active threat infrastructure.
Contact
Have a suspicious email or a phishing site tip, or want to partner on research? We want to hear from you.