The Microsoft Threat Intelligence Podcast 4.22.26
Ep 67 | 4.22.26

The Cybercrime Shift: From Opportunistic Attacks to Marketplace-Driven Ecosystem

Transcript

Sherrod DeGrippo: Welcome to the "Microsoft Threat Intelligence Podcast." I'm Sherrod DeGrippo. Ever wanted to step into the shadowy realm of digital espionage, cybercrime, social engineering, fraud? Well, each week, dive deep with us into the underground. Come here for Microsoft's elite threat intelligence researchers. Join us as we decode mysteries, expose hidden adversaries, and shape the future of cybersecurity. It might get a little weird, but don't worry. I'm your guide to the back alleys of the threat landscape. So crime doesn't start exactly with ransomware. It starts with the marketplace. You can buy access. You can rent infrastructure. You can do money laundering. And more and more, that same ecosystem that supports cybercriminals is now being leveraged by nation-state threat actors. So we're not just seeing evolution. We're seeing industrialization and full operations coming to bear. Welcome to the "Microsoft Threat Intelligence Podcast." I'm Sherrod DeGrippo, and today we're going to look into one of the most important shifts that I've seen on the threat landscape, the convergence of crime, crypto infrastructure, and nation-sponsored activity. For the discussion, I'm joined by two people who spend their time right at the center of this intersection: Maurice Mason, Principal Investigator here at Microsoft with our Digital Crimes Unit. He works at the intersection of threat intelligence and real-world disruption, particularly around criminal infrastructure and how that operates. I'm also joined by Jackie Burns-Koven from Chainalysis, who is head of cyber threat intelligence there and leads efforts focused on illicit crypto activity, and recently coauthored their 2026 Crypto Crime Report. Jackie and Maurice, welcome to the show.

Jackie Burns-Koven: Thanks for having me.

Maurice Mason: Thank you.

Sherrod DeGrippo: So let's start kind of broad. Maurice, I'll start with you. What is the shift that you have seen right now in cybercrime? Because it seems like a lot of things are moving and changing.

Maurice Mason: Yeah, one of the things I've seen, from my perspective, is the shift to cybercrime enablers, right? So we're seeing a lot of left-goal post-enabler is providing access to these malware-as-a-services, or ransomware-as-a-services. So like one of the things that our team likes to do is go out and disrupt these enablers that are providing initial access to these crime groups.

Sherrod DeGrippo: Jackie, what about you? What's something you've been seeing?

Jackie Burns-Koven: Yeah, I feel like tracking the cybercrime ecosystem, tracking all the cryptocurrency that is being used by threat actors and their enablers over the years, it's really not changed so much. It's a perfect marketplace. It responds to supply and demand just like the real world, and it also responds to pressures from the private sector like Microsoft disruptions, in response to sanctions, in response to takedowns. So we're seeing -- that's where we see the interesting fluctuations in the marketplace. And it's been really, really fun to watch how the ecosystem responds to novel technologies like AI, to new malware. We can look at the ecosystem from a macro level and even zoom in on specific suppliers. And like as you said in the opening, we're not only seeing cybercriminals in these places. We're seeing nation-state actors. Nation-state actors are looking at this ecosystem as their R&D. That's where they're getting their ideas, their tooling, because at the end of the day, whether you're financially motivated, or you're a nation-state actor, you still need the same tools and services, right? And we're also seeing nation-state actors dabble in financially-motivated activity, or why not both? Like they're doing espionage, but also doing extortion. It is -- and those kind of situations are probably the most fascinating to me.

Sherrod DeGrippo: I think we're -- I think that's right, and I think we're seeing sort of the money makes the world go round aspect of it coming in through nation-sponsored when they sort of, like you said, are kind of taking the tack of, oh yeah, we'll make a little money on this too. Like the espionage value is, you know, first order, but hey, there's money to be made, and we'll take it. And I think that that's been incredibly interesting to watch. So let's talk about initial access brokers in terms of what we're seeing there, how important they are. What role are initial access brokers playing today? Because we saw this format for all the -- going all the way back probably 10 years or so. I would say, like 2015, 2016 we started seeing this initial access broker capability emerge where access was being sold. Jackie, kind of tell me what does the initial access broker market look like today, and how does that work from the attack chain perspective?

Jackie Burns-Koven: Yeah, I think focusing on initial access brokers is so important and so fascinating, and I think it also highlights how crypto intelligence can be used before the crime, right, getting left of boom, looking at what is in a threat actor's shopping cart, rather than just following the money post-extortion, post-theft, post-scam. And I think initial access brokers are really emblematic of the industrialization of cybercrime. We partnered with Dark Web IQ to correlate what we were seeing on chain with what they were seeing in their engagements. And again, this marketplace is not immune to the law of supply and demand. What we're seeing is that access has never been more ubiquitous. We're seeing more access being sold than ever, which is driving the price down from three years ago, from $1,400 on average, to about $450, right? So it's incredibly cheap. So the return on investment for access is wild when you compare that to potentially $820 million worth of ransom payments last year and counting.

Sherrod DeGrippo: So can you help me understand with initial access prices dropping, so they get the access, and then they start selling it on the marketplaces, these threat actor groups that specialize in that. What do you think is the reason that the price is going down? Supply is going up?

Jackie Burns-Koven: Exactly, and we attribute that -- and our Dark Web IQ has done some research as well -- to the automation of, you know, brute-forcing techniques to sift through stealer logs. It's no longer as manual and tedious as it once was. We can thank AI and other advancements for that. And so we're also seeing that play out in terms of claimed victims on data leak sites. If you are to believe those metrics, we understand there's misinformation. Threat actors lie sometimes, but that's a -- about as best a proxy as we can get in terms of the number of ransomware victims out there. So they are being operationalized.

Sherrod DeGrippo: Maurice, anything that you've seen with initial access that's an interesting insight for you?

Maurice Mason: One of the things we're seeing from the DCU point of view is initial access brokers being an important figure in the cybercrime ecosystem, right? And that's one of the things that we're trying to target with some of the disruptions that we've been doing. So once we identify an initial access broker that's gained access, we want to cluster that activity around a certain group and see how we can disrupt that before it gets to that, you know, attack chain of like, you know, data extortion, ransomware, things like that. So some things we like to look at, it's like how long do these initial access brokers have access to these corporations? And is there any way we can kind of dwell that time down or go after the largest initial access broker in the ecosystem and disrupt them? So that's what we're seeing from our side.

Sherrod DeGrippo: So it sounds like the access gets cheaper, which increases the volume. And unfortunately, it sounds like achieving that initial access is getting easier and easier because of the ability to buy credentials, do data exfiltration, find vulns. I know that, separately, we've seen the velocity of vulnerability reporting just exponentially increase over the past six or 12 months because of the AI capabilities that we're seeing. Would you say that this is shifting sort of the way it works from being like a skill-based intrusion to more focused on access? Like is this an identity and access problem with initial access, or is it about really highly skilled capability? To put that another way, are the threat actors getting better, or are they just collecting more data?

Jackie Burns-Koven: I think it has to do with the automated brute-force tooling being able to sift through stealer logs quite easily to understand whose credentials are in there, what kind of targets are in there. I think that's what's driving it, really.

Sherrod DeGrippo: So it's that saying like identity is the new perimeter, again and again, yeah. That's really interesting. So that means that for a defender, if you're thinking about this, and you're in your organization, and you're like how do I stop this, you are not really fighting groups of threat actors the way that you might think. You are up against marketplaces. You're up against ecosystems. You're up against, really, like a cottage industry of how people are putting food on the table for their families, in a lot of ways.

Jackie Burns-Koven: I really like how you put that, and on a positive note is while we're seeing access is more ubiquitous than ever, cheaper than ever, we are seeing fewer payments than ever before relative to the number of victims claimed in terms of ransomware payments. So even though a ransomware actor may succeed in popping an enterprise, there's still things that an enterprise can do to negate the need to pay, right? There's still preparation that can take place so that, at the end of the day, they can decline to pay or pay less than what threat actors are expecting. So in 2025, for the second year in a row, we've seen ransomware payments flatline, and that's coming off years of ransomware payment revenue reaching new record highs, topping billions of dollars a year. I would just say that take that as an encouraging note to defenders everywhere to keep doing what you're doing, keep making it harder for them to make less, right? And so we take imposing costs literally rich analysis, and that is happening. Those friction points are occurring, not only with access, but with all elements of the kill chain. And we can see that on-chain because those services and tools are accepting cryptocurrency as payment. Like if we look at just 2025 holistically, we've seen sanctions and takedowns on at least three different bulletproof hosting providers, different stealers, different malware. Even Microsoft took action against Lumma Stealer. So there's a number of these elements that are making it harder, that are injecting friction. So there is a positive note to this in being proactive and disrupting elements of that attack chain.

Sherrod DeGrippo: Maurice, anything you want to add to that?

Maurice Mason: Yeah, like I'm going to piggyback on Jackie's point about being more proactive and some of the disruptions like we've done, like Lumma Stealer or red PDS or Tycoon, more recently. I think as more organizations try to move to this more proactive disruption method, we can kind of make a bigger impact. So for like, an example for red PDS, which was essentially an infrastructure-as-a-service, this allowed threat actors to basically purchase their own VM, essentially do whatever they wanted, right? And it was primarily used for BEC financial fraud, identity theft. If you're able to get to that before the threat actor is actually able to purchase that, right, take down that infrastructure, take down those domains, follow the flow of money to see where the funds are going, you're putting like more of a friction on these threat actors or deterrence, right? Also, a good thing is kind of like naming and shaming. I think that's important when you're trying to provide friction. More proactive to these threat actors is naming them. It kind of lowers their rep, in my opinion, right? Like because they have this reputation on these forums and these Telegram channels. But if you're naming them, and you're taking this proactive approach, disrupting their infrastructure, they kind of lose their clientele, right? And everyone has to shift to someone new, right? And it's kind of like a -- kind of repeating the process. But you kind of -- you're kind of putting -- disrupting them, in a sense, right? Like you're making it harder for them to continue to, you know, put food on their plate, in my opinion.

Sherrod DeGrippo: I think that's worth calling out. So you mentioned bulletproof hosting a little bit. I want to talk about like this infrastructure-as-a-service capability and what that ecosystem looks like. Jackie, can you kind of walk me through? What are the services available? What do I need to get? What do I need to add to cart if I'm going to set this kind of stuff up? What are they doing?

Jackie Burns-Koven: It's pretty fascinating watching not only cybercriminals reinvest their profits into their next attack, their VPS, their domains, their VPNs, malware. Maybe they have an access broker they use on the regular. Each actor on the blockchain has their own unique financial signature, just like you and I have different shopping habits, different ATMs we use, different stores we are regulars at. Threat actors are the same, and when they launder funds, they typically like to set it and forget it. And they may be expert hackers, but they're not always expert launderers. And so there are mistakes there that can lead to attribution, and that's one of the more powerful elements of blockchain forensics, is leading to attribution when other telemetry and other indicators are inconclusive, or adding confidence to elements you already have. And what's in a cybercriminal's shopping cart is very similar to what's in a nation-state actor's shopping cart. We did a case study in our report. There was a leak on IRGC IO transactions, and it was everything from bulletproof hosting to VPNs to VPS to domain registrars. In years past, we've done a report on how the SolarWinds C2 domain was purchased in cryptocurrency, and we found SVR's wallet. So nation-state actors are doing the exact same things. And everything you could really ever need for a malicious cyber campaign is all available.

Sherrod DeGrippo: Maurice, is there anything about the ecosystem and the sort of like what you need to start up aspect of it? You know, I think about like if I were to start a business, I would -- I would get a lot of this same stuff. I would buy my domain name. I would get hosting. I would get various services.

Maurice Mason: Yeah. I mean, there's several things, right? You can buy your own VM or your own VPS, your own domain. If you want to be someone who's doing phishing, right, you can go out to these phishing-as-a-services, where they basically give you your own kit, right, your easy one-shop kit, where basically they're giving you the tools. You don't -- you can be a script kiddie to basically do it. You don't have to be technical, right? And all you have to do is set up a couple of domains, use whatever they're providing, whether it's some type of tool or if they're providing you the control panel to actually see like your results from phishing victims. It's all-in-one shop, right, when it comes to these different type of services. In my opinion, they make it super easy for anyone to do it.

Jackie Burns-Koven: One thing I'll add is that we're also seeing AI tools in these marketplaces as well. We actually ran a study for scams, identified scams on the blockchain making purchases to AI tools, and they're 4.5 times more profitable than scams that aren't making those purchases. And if you think about that, we're rapidly moving to a future where virtually every scam is going to incorporate AI in some degree. And so when AI makes them 4.5 times more profitable that -- those are kind of alarming numbers. We're also seeing bulk SMS tools being used. When we see scams or threat actors make use of bulk SMS tools, those are about four times more profitable, 688 times more money per scam. It's just like wild, the scale that these tools enable, whether it's AI or phishing kits or bulk SMS tools. We're also seeing even AI tools buying VPS and topping up their credits with cryptocurrency. So it's a wacky future out there. It's turning really -- it's really turning into I, Robot in a lot of ways, where we're watching agents making purchases in crypto. It's exciting too.

Sherrod DeGrippo: So that leads me to ask, obviously, if this infrastructure is there, if these ecosystems are there, the services are there, how interchangeable and how in common are they between financially-motivated threat actors and nation-sponsored threat actors? Are they really on the same VPS providers? Are they using the same infrastructure sellers?

Jackie Burns-Koven: Absolutely, absolutely. No, that's a great question because when we use crypto intelligence for attributions, it's important to note that even though threat actors are using the same VPS provider or the same malware-as-a-service, doesn't mean they're necessarily working together or know each other. It's like saying just because you and I shop at Home Depot, we're in cahoots, right? But there's certainly other on-chain connections where we would make that determination that they're not only working together; they are the same entity. And I think that's important because attribution has never been more difficult, in my experience, and what I'm hearing from colleagues in CTI, it's never been harder. Threat actors also, you know, change their handles, change their names on different forums. We're seeing ransomware strains rebrand or having hacktivists pretending to be APTs. We're having APTs pretending to be hacktivists or having teenagers working with -- Western teenagers working with Russian cybercriminal elements, and so it's really muddied the water in a lot of ways. And cryptocurrency identifiers can be really powerful in gaining that attribution where they're depositing their funds, which is like converting their crypto to cash because you can't pay your bar tab in crypto very easily these days. You can't pay your rent in crypto. You need one of those exchange services to make that conversion. But as I was saying earlier, even expert hackers are not necessarily expert launderers, right? There's mistakes. There's clues left on the blockchain that can lead to that attribution, and I'm sure Maurice probably knows that better than anyone.

Maurice Mason: Yeah, I'm quite familiar with threat actors slipping up on the blockchain. Like Jackie said, like I think DCU is probably one of the only teams in Microsoft that does cryptocurrency and blockchain analysis, and it's been so pivotal in our attribution, right? Because you're combining that on-chain intelligence with, you know, Microsoft's internal telemetry and other third-party telemetry. And it gives you kind of like that higher confidence that you are, you know, attributing to the right person, right? Because like Jackie said, attribution is becoming more and more difficult with everyone being affiliates. Everyone's moving around from this ecosystem to others. You have some people jumping from financially-motivated to nation-state. So I think combining that on-chain with like your telemetry or third-party telemetry just shores up and helps your attribution. Some things I've seen in my investigations, I've seen threat actors slipping up and giving me the wrong wallet, right? Like we do negotiations with threat actors when we're doing some of our disruptions, and there's been times where they've slipped up and gave me the wrong wallet that they weren't supposed to give to me. And that actually got me to where, like Jackie was saying, they were depositing their money at, that exchange, and that got us to get true attribution of who was the person receiving the funds. So those are just like some of the cool things that we've been doing on the blockchain.

Sherrod DeGrippo: Threat actors making mistakes. I think anybody in intelligence is like we love an OpSec fail. Those can lead to incredible insights, if you get enough of them, or if you get them at just the right moment.

Maurice Mason: Yeah.

Jackie Burns-Koven: I love those stories, and I feel financial indicators have never really been a part of CTI. And I've been at Chainalysis for over seven years doing that, but I feel like it's never been a part -- financial forensics have never been a part of CTI -- not because they hadn't been useful, but because they weren't available. And the blockchain kind of put all of that on its head because things aren't now like behind closed doors of banks. Transactions are out there for everyone to see. Pseudonymous, of course, on the blockchain, but now that you've been able to like use heuristics and tag entities, we really do have the full picture just from a single crypto address posted on a forum or an extortion address. You can really tease out the entire attack chain just from the spending habits alone. And it's so interesting to me because when I -- I'll often go to CTI conferences and survey the room. Who's seen a crypto address in their investigation? Who sees one on a weekly basis? And all the hands in the room are still up. And when I ask who's actually pivoting off of that, all the hands go down. And it's -- I think it's a shame that we're not operationalizing crypto data alongside our other telemetries because these challenges of attribution aren't going away. They're only going to get more difficult.

Sherrod DeGrippo: That's a really interesting aspect of it that I haven't really considered, or, you know, occasionally I'll get -- especially our DPRK-focused analysts will come on the podcast, or I'll just talk to them at work. And you know, one of the questions I asked on the episode called Between Two Gregs, which is a DPRK-focused episode, I said, hey, you know, you guys work on DPRK. Do you know a ton about cryptocurrency? Like are you really versed in cryptocurrency? Because DPRK is, you know, I would say, the leading pioneer and expert at this point at stealing cryptocurrency. And both of them are like, no, not really. And I also come from that point of view. So Jackie, let me ask you, remedially, I'm thinking, something I don't understand. I'm going to say this, and I'm sure like so many people on this will be like, wow, Sherrod's very dumb. But I'm going to ask you this: how do you get a cryptocurrency wallet? And can a financially-motivated actor have hundreds and thousands of them, or do you only get one? Is it hard to get? How does that work?

Jackie Burns-Koven: I actually might turn this over to Maurice just because I heard him tell a story that made me laugh about this.

Sherrod DeGrippo: Maurice, how do I get a wallet? How does this work?

Maurice Mason: It's very easy. There are several companies or exchanges where you can go out and create an address or a wallet, right? And a lot of times there are not just one address you use when you're doing transactions, right? So if you make one transaction on a blockchain, a lot of times, you'll get money back, what we call a change address. So that'll be your second address or your wallet, and it's all part of your one cryptocurrency wallet. So a lot of times when we're doing these investigations, threat actors will have thousands of addresses --

Sherrod DeGrippo: Okay.

Maurice Mason: -- but they're all part of one wallet, right? So they're all part of one wallet. Think of your wallet where you have credit cards. Those are your individual addresses in your wallet. Your actual physical wallet is your crypto wallet. That's how I kind of think of it in that way.

Sherrod DeGrippo: I do. I have a lot of credit cards. I have a lot.

Maurice Mason: That's fun. Yeah. So you can think of it like that.

Jackie Burns-Koven: And can I say something, Sherrod? Because working in crypto has -- I've been doing it over seven years, and I'm humbled every single day. It is not easy, you know, and when you're talking about DPRK laundering $7 billion worth of stolen funds --

Sherrod DeGrippo: Amazing. Like even at the level of a nation to be able to move, launder, transfer, convert into real currency -- likely not of their own, not of their currency, likely into another country's currency to spend, that is mind boggling, especially, especially, for a nation that we put categorically for years in the B team. Oh, it's Russia, China. It's Russia, China. It's Russia, China. Not anymore.

Jackie Burns-Koven: Absolutely, absolutely. You know, they're constantly innovating. You know, it's why, you know, Chainalysis is launching Chainalysis agents that can democratize our data and intelligence and meet people where they are, wherever they are, in their crypto literacy. I've been leveraging it for a long time, and it's been amazing. There's always a new coin, a new protocol. They have funny names. It's a lot to contend with. I'll give you that. But I think whether it's DPRK or whether it's a criminal that Maurice is following, scamming people out of Africa, I really appreciate crypto wallets in that they are often providing the criminal resume of an actor. Because you can watch actors kind of graduate through different modes of crime because they're leveraging the same wallet the entire duration. So that's helpful with attribution, but also, these criminals are not static. That's why I don't like, you know, putting them in different boxes all the time because people pivot. People make career changes. So do criminals. And you can kind of watch this maturation real time through their transactions.

Sherrod DeGrippo: So a lot of what you're describing to me, of course, you know, I say all the time here that I have a detection engineer's heart. That's just kind of like how my brain works. And so what is the realistic practicality of using wallets and addresses as atomic indicators? Is that a thing?

Jackie Burns-Koven: Yes, we hear from cyber threat intel teams that they're using it to identify attack preparation. There's different join keys in cryptocurrency that marry up very nicely with indicators that cybersecurity teams, cyber threat intel teams are collecting themselves. So being able to understand who's trying to break into your house? And what are they coming at you with? Do they have a hammer or an ax? So really understanding like who it is, and what do they have with them is a really important prevention. I think some of our earliest adopters, interestingly, like when I would talk to people about using crypto for CTI, like, well, we don't have crypto. They're not trying to hack us. We're not going to pay a ransom. Like why? But then they -- the light bulb kind of comes on when they realize but the people attacking us do have crypto, and they are using it against us. So being able to identify how they're trying to use it, and also find signal in the noise. Like who are the top threat actors by revenue? Or there's this new actor on the -- on the scene, or this new malware on the scene. How should I be paying attention to it? And you can look at their war chest, essentially. Like, oh, this is taking off. They're getting a lot of revenue. A lot of people are buying this. We better shore up our defenses against this. So there's a number of ways to use it from the tactical and to the strategic.

Sherrod DeGrippo: That's interesting. That's something I really haven't looked into very deeply, just because it's something like I think I don't understand. And when I talk to others in threat intelligence, and certainly when I talk to a lot of defenders on the front lines, it's just not something that we're incorporating as breadcrumbs to follow.

Jackie Burns-Koven: Yeah, and I think it's important with all the wonderful disruption events occurring, we know threat actors aren't going to hang up their hat, right, and go home and start a 9 to 5 in the real world, but we know they're going to go somewhere else. And so using blockchain intelligence to find where that somewhere else is, okay, we took down the -- where is everyone else going to start going shopping now? We took down this bulletproof host, or where should we be looking now? This darknet marketplace, where should we be looking for our stolen creds or our customer information? Those are important questions to ask the what's next?

Maurice Mason: I think some things you could think about is like, a lot of times, when you see a lot of OpSec errors with the reuse of wallets over years, all right? So a lot of times these threat actors, if you're -- if you're using these indicators from like transaction hashes or addresses, they'll use kind of like the same crypto addresses over and over again. They have like a set that's part of their wallet. And if you're able to monitor that for like a couple-year period, you can kind of see how they shift from, hey, making purchases for this particular malware-as-a-service. Now they shift into ransomware-as-a-service. Now another common affiliate. Now they're trying to purchase infrastructure on the blockchain. Maybe they're purchasing domains from Namecheap. You can follow all of that on the blockchain and see like over a year's time period like how they've shifted from one ecosystem to the other. And that's one thing that we kind of focus on, on my team, is just seeing like how these threat actors are shifting on-chain and then combining that with other, you know, telemetry sources.

Sherrod DeGrippo: So Maurice, I'll start with you, but I want to hear from Jackie too. What's going to happen over the next like 12 to 18 months, do you think? Because you've watched this shift over time. Where do you think it's going?

Maurice Mason: That's a good question. I mean, I don't think cryptocurrency is going anywhere. I think threat actors are going to continue to use it to get their payments. One of the things that we see is a shift to using Tether and not just Bitcoin.

Sherrod DeGrippo: What's Tether?

Maurice Mason: That's another cryptocurrency that's tied to the dollar. So it's a stablecoin that's tied to the US dollar. So a lot of times, these threat actors will convert from Bitcoin, which you know is very volatile. At times you'll see on the news the crypto market is like $90,000 this day, now it's $69,000, just depending on the market. And Tether is tied to the US dollar, so that kind of stays in that range of what the US dollar is. So we've seen in a lot of our investigations -- I'm sure Jackie can talk a lot more from what she's seeing -- that our threat actors are asking for money in Tether, or they're converting it to Tether to keep that stability when they are trying to cash it out to, you know, fiat, right? Because you need actual cash to make your purchases, live that great lifestyle that a threat actor wants. So that's one thing we've seen is like a lot of threat actors that we're tracking, they just love using Tether. Another type of alternative coins like Solana. Tron has been a really big one that we've seen as well because it's kind of shifting from like that Bitcoin, which is kind of like now known and out there. There's a lot of tools that can trace it, like Chainalysis, and they're trying to use these alternative coins, I guess, to be more obscure, from what we're seeing.

Sherrod DeGrippo: Jackie, I'm learning a lot today. Tell me what you -- what you think is kind of like coming on the horizon. Like what are the new things that we're seeing now and that we might see in a year?

Jackie Burns-Koven: Yeah, so it's interesting that cryptocurrency is really having a moment for legitimate purposes as well as illicit. More and more institutions are offering crypto for their customers. It's an attractive option for legitimate uses, illicit uses for the same reasons. It's instantaneous transporter payments. Frictionless payments is really attractive for a number of things. We highlighted in one of our reports this year the increasing adoption of cryptocurrency by nation-state actors as well. It's a popular tool for sanctions evasion. What's happening in the world, in Russia and Iran, crypto is being leveraged by those entities for -- whether it's for purchasing infrastructure or purchasing drones, even. I think that this Uber in this insanely complicated world, I talk about scams a lot, pig-butchering scams. Excuse the lexicon. It's what the scammers themselves call it. But I think it's -- that is actually kind of emblematic of how complicated this all is and how industrialized this ecosystem is. They do everything from malware, human trafficking, wildlife trafficking, scams, data theft, and that's why I think scamming is like bigger than just this niche box. I think it really is a cyber problem. I'm hoping it's not as controversial as it has been in the past. So yeah, yeah, crypto is a tool of nation states now. It's not just sectioned off to criminals, and so we should be leveraging it to our fullest. We're not -- no one's sitting back and saying, oh, AI, don't need to learn that to do my job. Like we need to, right? It's a race to adopt these tools and operationalize them because the threat actors are.

Sherrod DeGrippo: I will put in the show notes the link to my favorite pig-butchering investigative piece recently, from Andy Greenberg and WIRED about a month ago. I'll make sure that that link is in the show notes for anybody listening. But if you don't want to go click, you can check your favorite search engine, which is Bing, and that will give you Andy Greenberg's recent WIRED article on pig butchering. It's a fantastic piece, but I think the lesson here is that, much like AI, much like a variety of tooling and capability -- whether you're talking pen testing tools and offensive tools, whether you're talking the ability to code, whether you're talking a hammer versus a nail gun -- all of these things are tools that can be used for really benevolent purposes, or they can be used for malicious purposes. And we just have to pay attention to where the malicious purposes are and try to protect ourselves as defenders and disrupt those uses by threat actors. So, I guess, to kind of wrap up, Maurice, I'll start with you. What do you think the greatest capability we have is to disrupt some of these ecosystems and threat actors?

Maurice Mason: I think the greatest thing we have is collaboration between private and public partners.

Sherrod DeGrippo: Oh, I love that. That's so DCU.

Maurice Mason: That -- I was about to say, like, that's definitely a DCU take. But in all honesty, I think when you combine what the private sector has, telemetry-wise, with the public sector, right, the law enforcement angle, where they can go out and make arrests, they can freeze those assets at these cryptocurrency exchanges, I think that's so powerful, right? Because, in my opinion, at the end of the day, threat actors get more upset when you get their money than when you name and shame them, or you do some other disruption, because they could set up infrastructure again, right? They can set up domains. They can set up servers. But when you take their money from them, they're going to be pissed. Like, I would be upset. I know they're upset when their money is either frozen or it's been taken by law enforcement. So I think that's one of the big things that I always try to say: the public-private partnership. And then also just private-to-private. Like, Microsoft working with Chainalysis has been a huge collaboration. We've had several major disruptions just using blockchain intelligence, right? Like Jackie was talking about earlier, attribution, it's so great, because you can get so much information from on-chain and the blockchain about how the money's moving, where it's going to, and who's actually receiving those illicit proceeds. So I think just having more of that private-to-private collaboration is really key going forward.

Sherrod DeGrippo: Jackie, what would you tell defenders?

Jackie Burns-Koven: In the same spirit of what you said, Maurice, money is a universal language.

Sherrod DeGrippo: I love that. Money is the universal language. I love that.

Jackie Burns-Koven: Everybody understands the dollar sign, what it means to them. It impacts everybody's risk calculus differently. But at the end of the day, that return on investment, the cost of doing business, means something. And crypto is really the oxygen in a lot of the operations that we see in the threat actors that we're following. And so we can illuminate those centers of gravity. What are the tools and services? Who are the individuals that are causing the most harm? And we can use all tools at our disposal -- legal, regulatory, law enforcement -- to go after those centers of gravity and impose cost, literally. And I think we've really learned -- we, the entire ecosystem -- that we can still go after threat actors in jurisdictions that are not compliant with Western law enforcement. We can still seize funds. We can still seize infrastructure, even if we can't necessarily put handcuffs on the perpetrator, and that's a really powerful tool. And we're seeing those learnings play out in other parts of the world against other threat types, and still being able, in some cases, to make victims whole again, which is really, really powerful.

Sherrod DeGrippo: That's amazing. This is definitely an area that is non-traditional in terms of threat intel. That's not something that I feel super well versed in, so I love hearing from both of you. Maurice, Jackie, thank you so much for joining. And I think, for people listening, if you take something away from this, it's really about understanding the ecosystems, understanding the threat actors, and knowing that there's all of this available information that you can look at, like the recent report that Jackie and her team put out. I would take a look at that and start to understand this ecosystem. It's a little new and weird for me. And when you think something is new and weird, it's probably time to dig into it and check it out. So Maurice, Jackie, thank you so much for joining me, and we'll see you next time on the "Microsoft Threat Intelligence Podcast." [ Music ] Thanks for listening to the "Microsoft Threat Intelligence Podcast." We'd love to hear from you. Email us with your ideas at tipodcast@microsoft.com. Every episode, we'll decode the threat landscape and arm you with the intelligence you need to take on threat actors. Check us out -- msthreatintelpodcast.com -- for more, and subscribe on your favorite podcast app. [ Music ]