GM, Welcome Back to the Dead Drop.

You've seen Tren de Aragua in the headlines. Immigration raids. Gang violence. MS-13 comparisons. What you haven't seen is the story I'm about to tell you, because almost nobody is connecting these dots publicly.

This Venezuelan terrorist organization isn't just trafficking humans. They're hacking your ATMs. And the machine you used last Tuesday might already be compromised.

Press F3 for Money

The Department of Justice has now indicted 87 members of Tren de Aragua for a nationwide ATM jackpotting campaign that has hit over 1,500 machines across the United States since 2021, draining more than $40 million directly from bank reserves.

Here's how it works. And I need you to understand this, because it's one of the most elegant (and simple) physical cyberattacks I've ever seen.

The weapon is called Ploutus. It's a malware family first discovered in Mexico in 2013, built specifically to make ATMs vomit every bill in their cassettes on command. The latest variant, Ploutus-D, targets Diebold ATMs running the Kalignite software platform. That platform operates across 40 ATM vendors in 80 countries. The malware runs on Windows XP, 7, 8, and 10. If you're wondering why ATMs are still running Windows XP in 2026, congratulations. You're asking the right question.

The operation runs in three phases.

Phase 1: Reconnaissance. Teams travel in multi-vehicle convoys to scout banks and credit unions. They catalog external security features, camera positions, alarm systems. They identify machines with outdated software and weak physical locks.

Phase 2: Physical Breach. After hours, operators pop the ATM's top panel using master keys, lock picks, or brute force. They connect a laptop or external keyboard directly to the machine's internals. In some cases, they swap the entire hard drive with one pre-loaded with Ploutus. The whole installation takes minutes.

Phase 3: The Jackpot. Once the malware is live, an operator enters an 8-digit activation code (valid for 24 hours, generated by the operation's boss) and presses F3. The ATM empties itself. Every bill. Every cassette. Individual machines have been drained of over $100,000 in a single hit. The malware then deletes its own logs, kills security monitoring processes, and covers its tracks. By the time the bank opens the next morning, the machine looks normal. It's just empty.

The proceeds don't buy cars or condos. According to the DOJ, this money funds Tren de Aragua's core operations: human trafficking, sex trafficking of children, kidnapping, drug distribution, and murder. The ATM at your corner bank is financing a terrorist supply chain.

The attacks have been concentrated across South Carolina, Georgia, North Carolina, and Virginia, but related activity has surfaced in Nebraska, Texas, and the Pacific Northwest. The Secret Service led the investigation alongside a Homeland Security Task Force. The defendants face sentences ranging from 20 to 335 years.

Field Manual: What This Means for You

Your money wasn't stolen from your account. Jackpotting drains the bank's reserves, not individual deposits. Your balance is safe. But here's what isn't safe: the infrastructure you trust every time you slide a card into a machine.

Early Warning Signs at an ATM: If the top panel looks tampered with, scratched around the lock, or slightly misaligned, walk away. If the screen displays anything unusual during your transaction, even briefly, cancel and leave. If the machine feels physically loose or the card reader seems aftermarket, don't use it.

What You Can Actually Do: Use ATMs inside bank branches during business hours whenever possible. Standalone machines in gas stations, convenience stores, and strip malls are softer targets. Monitor your bank statements weekly, not monthly. Report any ATM that looks physically altered to the bank and to local law enforcement.

The Bigger Picture: Banks running ATMs on Windows XP in 2026 is institutional negligence dressed up as cost savings. The Kalignite platform serves 40 vendors in 80 countries. A minor code change to Ploutus could expand this attack surface exponentially. The criminals have already done the R&D. The question is whether financial institutions will upgrade their infrastructure before the next wave hits, or after.

The Fraudfather Bottom Line

Tren de Aragua figured out something most people haven't: the ATM on Main Street is running the same operating system as your grandma's desktop from 2004. They turned that oversight into a $40 million terrorist funding pipeline. And your bank probably hasn't fixed it yet.

The Fraudfather's take on the week's biggest scams, schemes, and financial felonies, with the insider perspective that cuts through the noise.

A Chinese Spy Ring Used Navy Sailors as Wedding Dates

Marriage fraud is one of the oldest immigration schemes in existence. It's also one of the oldest espionage recruitment tools in existence. Last week reminded us that sometimes it's both at the same time.

Eleven people were indicted in Florida for a scheme that recruited active duty U.S. military members into sham marriages with Chinese nationals. The operation specifically targeted Navy service members stationed in Jacksonville. The recruiter, a woman named Annie Chen, ran it like a business with a tiered payment structure: roughly $10,000 at the wedding ceremony, another $20,000 when the green card or equivalent credential came through, and a final installment at divorce. Average payout per sailor: about $35,000.

The weddings were staged across New York, Connecticut, Las Vegas, and Jacksonville. Organizers photographed ceremonies and fabricated the artifacts of a real marriage to present to immigration officials. A translator named Helen Fang handled communications between the Chinese nationals and their temporary American spouses. Four sailors and a reservist have already pleaded guilty. The total number charged in the broader investigation now stands at 15.

If this were just an immigration case, it wouldn't be in your Dead Drop. Here's why it is.

Three defendants are also charged with a bribery conspiracy to obtain Department of Defense Common Access Cards (CAC). If you've never held a CAC, let me tell you what that card unlocks: military installations, commissaries, exchanges, and depending on configuration, access to DoD networks and facilities both stateside and overseas. One defendant who already pleaded guilty paid approximately $3,500 to a serviceman and a civilian employee at Naval Air Station Jacksonville to obtain cards fraudulently.

For $3,500, someone bought a keycard to a U.S. military base. That's less than a month's rent in Jacksonville.

HSI's acting special agent in charge for Tampa, Michael Cochran, described the investigation as a national security matter, not an immigration matter. That distinction matters. Immigration fraud gets you deported. A national security case means counterintelligence is involved. It means the question isn't just "who got a green card illegally" but "who now has access to military infrastructure, and what are they doing with it."

Think about the tradecraft. Intelligence services have used marriage as an access and recruitment tool for as long as espionage has existed. It's the original honeypot. You don't need to hack a classified network when you can marry your way onto the base where that network lives. And at $35,000 per marriage, the cost of acquiring a potential intelligence asset with legitimate installation access is less than a midsize sedan.

Several defendants are Chinese nationals, some of whom prosecutors say are in the country illegally. Two defendants were active-duty service members at the time of the alleged conduct. Arrests have been made across multiple jurisdictions, including the Eastern District of New York. The case remains under active investigation, which in federal prosecutor language means more charges are likely coming.

Now zoom out. The same week this indictment dropped, a Defense Logistics Agency employee in Philadelphia was charged with laundering millions for Nigerian fraud networks while holding a government badge (below). Two different insider threat cases. Two different foreign adversaries. Same vulnerability: the people inside the building.

We build billion-dollar cybersecurity architectures to keep foreign actors out of our defense systems. Then a sailor in Jacksonville sells base access for the price of a used Honda Civic, and a logistics specialist in Philadelphia runs a crypto laundering operation for two and a half years while the FBI watches.

The perimeter isn't the firewall. The perimeter is the person.

Your Voice Is Worth $1 to a Criminal and $40 Billion to an Industry

Two weeks ago, I told you about scam compounds in Southeast Asia where trafficked workers type "good morning beautiful" at gunpoint. That was the old model. Here's the new one: nobody needs to type anything anymore.

AI just replaced the keyboard operator.

Pindrop, one of the leading fraud detection firms in the country, just released data showing AI-driven fraud attacks against major U.S. companies surged 1,210% in 2025. Not a typo. One thousand two hundred and ten percent. Combined losses across their client base hit an estimated $1 billion. Deepfake-related fraud losses in the United States tripled in a single year, jumping from $360 million to $1.1 billion. Experian is calling 2026 the official "tipping point" for AI-enabled fraud. Deloitte projects generative AI fraud losses will reach $40 billion by 2027.

And the weapon powering all of it? Your voice. Three seconds of audio is all it takes to clone it.

Three seconds. That's the length of your outgoing voicemail greeting, your Instagram story, your kid's TikTok where you're laughing in the background. A criminal can scrape that clip, feed it into a voice cloning tool that costs less than a dollar to run, and call your mother pretending to be you. "Mom, I've been in an accident. I need you to wire money right now." Seventy-seven percent of people targeted by AI voice clone scams lost money. Over a third lost between $500 and $3,000. Some lost everything.

But the consumer scams aren't even the most alarming part. Let me tell you what North Korea is doing.

The DOJ confirmed that North Korean operatives have infiltrated over 100 U.S. companies by using deepfake technology to pass remote job interviews. They create synthetic identities with AI-generated faces, fabricated resumes, and cloned voices. A single operator can interview for the same position multiple times using different deepfake personas. They get hired. They collect salaries. They steal proprietary data, including U.S. military technology under export control. And they send the money home to fund Pyongyang's weapons program.

One Arizona woman pleaded guilty to running a "laptop farm" out of her house, hosting computers for North Korean operatives posing as American remote workers. She helped them infiltrate 309 U.S. companies, including an aerospace defense contractor and a major television network. Total earnings funneled to the regime: over $17 million. CrowdStrike's head of counter-adversary operations says thousands of North Korean workers have infiltrated the Fortune 500.

Palo Alto Networks' Unit 42 put this to the test. A single researcher with zero deepfake experience, using a five-year-old computer, created a convincing real-time deepfake identity for job interviews in 70 minutes. That's how low the barrier has become.

This is the fraud landscape you're operating in now. The scam compound model, hundreds of humans typing scripted messages, is being replaced by AI systems that can run romance scams, impersonate family members, clone executives' voices for wire transfer fraud, and manufacture entire human beings for job interviews, all at scale, all simultaneously, all for nearly nothing.

Field Manual: The 3-Second Rule

Lock down your voice. Audit every platform where your voice exists publicly: social media, YouTube, podcasts, voicemail greetings. Assume anything posted can be cloned.

Establish a family safe word. Pick a word or phrase that only your immediate family knows. If anyone calls claiming to be a family member in distress, the safe word is the only verification that matters. No word, no wire.

Verify before you comply. Any urgent request involving money, whether it sounds like your CEO, your spouse, or your child, gets verified through a separate channel. Hang up. Call them directly on a number you already have saved. Never trust the inbound call.

Employers: the interview is compromised. If you're hiring remote workers, require at least one live, in-person or real-time interactive verification step. Ask candidates to pass a hand across their face on camera. Current deepfake systems can't handle facial occlusion smoothly. It's low-tech, but it works.

The criminals upgraded their infrastructure. Time to upgrade yours.

The Pentagon's Own Employee Was the Money Mule

Last week, I told you about Laura Kowal. A retired healthcare executive who lost $2 million to a romance scam, got turned into an unwitting money mule, and died before justice caught up. She didn't know what she was part of. That's at least one thing that made her story tragic.

This one is different. This one knew exactly what he was doing.

Samuel Marcus, 33, worked as a logistics specialist at the Defense Logistics Agency in Philadelphia. Temple University graduate, class of 2019. Same year he started his federal career processing supply chains for the United States military.

By 2023, according to the DOJ, Marcus had a side hustle: laundering millions of dollars for Nigerian fraud networks.

The operators worked behind aliases like "Rachel Jude" and "Ned McMurray," running romance scams, tax fraud schemes, and other cons targeting American victims. Marcus was their domestic pipeline. Stolen money would land in his accounts. He'd convert it to cryptocurrency. Then he'd wire it to foreign accounts controlled by the scammers. Between July 2023 and December 2025, he moved enough money to earn eight federal charges: conspiracy to commit money laundering, money laundering, and six counts of illegal monetary transactions.

He allegedly sent fake invoices to banks to justify the transfers. He lied to financial institutions about the source of funds. He built a paper trail designed to make stolen money look legitimate.

And here's the part that separates Marcus from every other mule story you've read.

FBI agents confronted him directly. They told him, in plain terms, that the money flowing through his accounts was stolen. That his transfers were part of a criminal laundering operation. That he needed to stop.

He didn't stop.

A federal employee with a security badge, handling logistics for the Department of Defense, looked at an FBI warning and decided the paychecks from Nigerian scammers were worth the risk. He kept converting. He kept transferring. He kept lying to banks. For two and a half years.

If convicted on all charges, Marcus faces up to 100 years in prison.

This is the insider threat nobody talks about. We spend billions on firewalls, endpoint detection, classified network security, and zero-trust architecture. And then a logistics specialist with a Temple degree and a cryptocurrency wallet walks stolen money out the front door while the FBI is literally telling him to stop.

Laura Kowal was a victim who became a criminal without knowing it. Samuel Marcus was a federal employee who became a criminal because the money was good. Both of them served the same fraud networks. Both of them moved money stolen from Americans just like you. The only difference is that one of them had a government paycheck the entire time.

The Fraudfather Bottom Line

The most expensive cybersecurity system in the world can't protect an organization from someone who already has a badge and has decided the other team pays better. The insider threat isn't theoretical. It's a 33-year-old in Philadelphia who processed your military's supply chain by day and funded Nigerian fraud operations by night, even after the FBI told him to stop.

If the Defense Department can't keep its own people from moonlighting as money mules, what makes you think your company can?

The Fraudfather combines a unique blend of experiences as a former Senior Special Agent, Supervisory Intelligence Operations Officer, and now a recovering Digital Identity & Cybersecurity Executive. He has dedicated his professional career to understanding and countering financial and digital threats.

This newsletter is for informational purposes only and promotes ethical and legal practices.
