Check Your Exposure

Cybercrime Security Research

SpyCloud Labs is SpyCloud’s focused cybercrime research group dedicated to uncovering and analyzing the most intricate patterns from the criminal underground. We nerd out on all things breach, malware, phishing, and threat actor-related – and are hellbent on making the internet a safer place for all and making bad guys sad. This is a space for our experts to share our latest research findings as well as best practices and solutions for organizations to better their defenses.

Latest security research

Dig in with us as we analyze digital underground collections, reverse-engineer malware, and identify threat actor patterns.

Webinars and videos

Tune in to hear new and interesting research insights from our experts, first-hand.

SpyCloud Labs in the news

Insights and research from the team making headlines.

SpyCloud News

SpyCloud Analysis Reveals 94% of Fortune 50 Companies Have Employee Data Exposed in Phishing Attacks

Read more

How to Stop Infostealers and Next-Gen Ransomware with an Identity-Centric Security Approach

Read more
podcast

No Password Required – Episode 58 (Trevor Hilligoss)

Read more
SpyCloud News

SpyCloud Research Shows that Endpoint Detection and Antivirus Solutions Miss Two-Thirds (66%) of Malware Infections

Read more
First of 2025: Trending Cybercrime News & Analysis

Cyberwire Research Saturday: The hidden cost of data hoarding

Read more

An Expert in the Dark Web Describes How to Manage the Risk

Read more

China’s Surveillance State Is Selling Citizen Data as a Side Hustle

Read more

Brazen crims selling stolen credit cards on Meta’s Threads

Read more

Ransomware on repeat

Read more

Operation Endgame Partner

2025 Cybersecurity Excellence Awards “Cybersecurity Team of the Year”

Meet the research team

The fuel behind our efforts is a talented team of analysts and researchers relentlessly focused on connecting the dots as threat actors pivot and change.

Trevor Hilligoss

Trevor served nine years in the U.S. Army and has an extensive background in federal law enforcement, tracking threat actors for both the DoD and FBI. He serves in an advisory capacity for multiple cybersecurity-focused non-profits and has spoken at numerous US and international cyber conferences, holds multiple federal and industry certifications in the field of cybersecurity, and is a recipient of the President's Volunteer Service Award for volunteer service aimed at countering cyber threats. Trevor is the Head of Security Research and Senior Vice President of SpyCloud Labs.

Wallis Romzek, PhD

Dr. Wallis Romzek is an applied mathematician who has spent the last decade leveraging Big Data and machine learning to tackle problems in the information and cybersecurity spaces. Most recently, her work has focused on tracking and characterizing cybercrime and its potential victims for SpyCloud and a number of government organizations. She is SpyCloud’s Principal Data Scientist.

Kyla Cardona

Kyla is a U.S. military veteran from the Air Force, Marines, and Army, holds a BS in Computer Information Systems and multiple cybersecurity certifications including Security+, CEH, CySA+, and Splunk. Specializing in Terrorism and Homeland Security certifications coupled with extensive Chinese OSINT training, she possesses a strong sense and understanding of geopolitical cyber threats in China’s digital landscape. Kyla is a Staff Security Researcher at SpyCloud, with a focus on cyber threats in China and other cybercrimes occurring within deep/dark web illicit communities.

Joe Roosen

Joe spent 20 years in various system administration, consulting and design roles in information technology but eventually shifted his focus to security and thwarting cybercrime. What started as a volunteer passion project in 2017 with the Cryptolaemus group fighting Emotet has now turned into a full-fledged information security career. Joe works as the Security Research Manager at SpyCloud Labs now leading his team to collect all of the data breaches and leaks possible. "Gotta catch them all!"

Aurora Johnson

Aurora is an information security researcher and cybersecurity policy expert who worked as a Senior Analyst for CISA before joining SpyCloud as Responsible Disclosure Coordinator. She manages the program to alert organizations when SpyCloud finds their sensitive breached, leaked, or exposed data through its collections. Aurora participates in a range of volunteer and public-private initiatives to track and disrupt the cybercriminal ecosystem and was a recipient of the President’s Volunteer Service Award in 2023 for work with the U.S. government against cyber security threats.

Mike Dausin

Mike has a long-standing fascination with leveraging data to solve security problems and has spent the last 20+ years writing security and automation tools and analytics at Dell, TippingPoint, Arbor Networks, and Alert Logic. Now as Data Analysis Manager at SpyCloud, he leads the Security Data Analytics team and is responsible for taming the chaos of raw breach data.

Jakob S.

Jakob is a trained software engineer and a recent newcomer to the cybersecurity realm. He works as a Junior Security Data Analyst on the SpyCloud Labs parsing team.

James

James is a self taught reverse engineer with published analyses featured by ZDNet, ThreatPost, BleepingComputer and other publications. They have experience reversing popular mailstealers/malspam families like Emotet, IcedID, and were a recipient of the the President's Volunteer Services Award in 2023 for public reversing work done on these families. They are currently tracking all things infostealer at SpyCloud.

Yashar H.

Yashar is a GIAC Certified Forensic Analyst (GCFA) and a former SOC/Incident Response analyst who dabbles in security research and reverse engineering in his free time. At SpyCloud, he works as a Staff Security Data Analyst, focusing primarily on processing breach data for the SpyCloud Cybercrime Analytics Engine.

Daniel

Daniel is hyper-focused on developing new methods to automate the collections process and acquire more data from criminal communities. He is a Senior Security Researcher at SpyCloud Labs.

Paul S.

Paul S. is from the UK and is a biochemist with a PhD in medical research. He decided to leave the life of medical research behind to become a sysadmin for the Crown. It was there he found a love of taking apart phishing campaigns and thwarting bad actors. Paul now hunts phish for a living as a Staff Security Researcher.

Andy Culler

Andy is a seasoned security engineer passionate about automation. He started his career as an analyst and tool developer at Dell SecureWorks before moving on to help build security engineering and automation programs at Box and Slack. As a Principal Security Research Engineer at SpyCloud, Andy is excited to leverage his more than 15 years of industry experience to tackle new challenges in the world of security research.

Keegan Keplinger

Keegan has degrees in physics, neuroscience, and mathematics and holds a President's Volunteer Service Award for cybersecurity. Raised a commercial fisherman out of Kodiak, Alaska, Keegan joined the cybersecurity community in 2017, as part of eSentire's Threat Intelligence team where he participated in detection engineering, tool building and the collection, analysis, and dissemination of threat intelligence. Keegan studies the linguistics and humanities of Slavic and Germanic cultures as part of a broader interest in Proto-Indo-European studies. At SpyCloud, Keegan focuses on tool-development, methodology, and theory around collection and promotes a disease-based view of criminology.

Zoe Neale

Zoe began her professional career in June 2024 after graduating from The University of Texas at Austin, interning in cybersecurity with a focus on DevOps. Now a Security Data Analyst at SpyCloud, she leverages her background in mathematics, computer science, and data science to analyze and parse security data, with a strong interest in machine learning.

Aaron Coffey

Forged at industry leaders like Google and Box, Aaron crafts elegant solutions to accelerate threat intelligence and disrupt cybercriminal operations. As a Senior Security Research Engineer at SpyCloud, he brings over a decade of expertise across IT, Incident Response, Security Automation, and Detection Engineering. Outside the world of threat research, Aaron swaps code for a camera, capturing landscapes instead of compromises.

Meet the research team

The fuel behind our efforts is a talented team of analysts and researchers relentlessly focused on connecting the dots as threat actors pivot and change.

Trevor Hilligoss

Trevor served nine years in the U.S. Army and has an extensive background in federal law enforcement, tracking threat actors for both the DoD and FBI. He is a member of the Joint Ransomware Task Force and serves in an advisory capacity for multiple cybersecurity-focused non-profits. He has spoken at numerous US and international cyber conferences, holds multiple federal and industry certifications in the field of cybersecurity, and is a recipient of the President's Volunteer Service Award for volunteer service aimed at countering cyber threats. Trevor is the Vice President of SpyCloud Labs

Wallis Romzek, PhD

Dr. Wallis Romzek is an applied mathematician who has spent the last decade leveraging Big Data and machine learning to tackle problems in the information and cybersecurity spaces. Most recently, her work has focused on tracking and characterizing cybercrime and its potential victims for SpyCloud and a number of government organizations. She is SpyCloud’s Principal Data Scientist.

James

James is a self taught reverse engineer with published analyses featured by ZDNet, ThreatPost, BleepingComputer and other publications. They have experience reversing popular mailstealers/malspam families like Emotet, IcedID, and were a recipient of the the President's Volunteer Services Award in 2023 for public reversing work done on these families. They are currently tracking all things infostealer at SpyCloud.

Kyla Cardona

Kyla is a U.S. military veteran from the Air Force, Marines, and Army, holds a BS in Computer Information Systems and multiple cybersecurity certifications including Security+, CEH, CySA+, and Splunk. Specializing in Terrorism and Homeland Security certifications coupled with extensive Chinese OSINT training, she possesses a strong sense and understanding of geopolitical cyber threats in China’s digital landscape. Kyla is a Staff Security Researcher at SpyCloud, with a focus on cyber threats in China and other cybercrimes occurring within deep/dark web illicit communities.

Joe Roosen

Joe spent 20 years in various system administration, consulting and design roles in information technology but eventually shifted his focus to security and thwarting cybercrime. What started as a volunteer passion project in 2017 with the Cryptolaemus group fighting Emotet has now turned into a full-fledged information security career. Joe works as the Security Research Manager at SpyCloud Labs now leading his team to collect all of the data breaches and leaks possible. "Gotta catch them all!"

Aurora Johnson

Aurora is an information security researcher and cybersecurity policy expert who worked as a Senior Analyst for CISA before joining SpyCloud as Responsible Disclosure Coordinator. She manages the program to alert organizations when SpyCloud finds their sensitive breached, leaked, or exposed data through its collections. Aurora participates in a range of volunteer and public-private initiatives to track and disrupt the cybercriminal ecosystem and was a recipient of the President’s Volunteer Service Award in 2023 for work with the U.S. government against cyber security threats.

Mike Dausin

Mike has a long-standing fascination with leveraging data to solve security problems and has spent the last 20+ years writing security and automation tools and analytics at Dell, TippingPoint, Arbor Networks, and Alert Logic. Now as Data Analysis Manager at SpyCloud, he leads the Security Data Analytics team and is responsible for taming the chaos of raw breach data.

Jakob S.

Jakob is a trained software engineer and a recent newcomer to the cybersecurity realm. He works as a Junior Security Data Analyst on the SpyCloud Labs parsing team.

Yashar H.

Yashar is a GIAC Certified Forensic Analyst (GCFA) and a former SOC/Incident Response analyst who dabbles in security research and reverse engineering in his free time. At SpyCloud, he works as a Staff Security Data Analyst, focusing primarily on processing breach data for the SpyCloud Cybercrime Analytics Engine.

Daniel

Daniel is hyper-focused on developing new methods to automate the collections process and acquire more data from criminal communities. He is a Senior Security Researcher at SpyCloud Labs.

Paul S.

Paul S. is from the UK and is a biochemist with a PhD in medical research. He decided to leave the life of medical research behind to become a sysadmin for the Crown. It was there he found a love of taking apart phishing campaigns and thwarting bad actors. Paul now hunts phish for a living as our latest Staff Security Researcher.

Keegan Keplinger

Keegan has degrees in physics, neuroscience, and mathematics and holds a President's Volunteer Service Award for cybersecurity. Raised a commercial fisherman out of Kodiak, Alaska, Keegan joined the cybersecurity community in 2017, as part of eSentire's Threat Intelligence team where he participated in detection engineering, tool building and the collection, analysis, and dissemination of threat intelligence. Keegan studies the linguistics and humanities of Slavic and Germanic cultures as part of a broader interest in Proto-Indo-European studies. At SpyCloud, Keegan focuses on tool-development, methodology, and theory around collection and promotes a disease-based view of criminology.

Andy Culler

Andy is a seasoned security engineer passionate about automation. He started his career as an analyst and tool developer at Dell SecureWorks before moving on to help build security engineering and automation programs at Box and Slack. As a Principal Security Research Engineer at SpyCloud, Andy is excited to leverage his more than 15 years of industry experience to tackle new challenges in the world of security research.

Zoe Neale

Zoe began her professional career in June 2024 after graduating from The University of Texas at Austin, interning in cybersecurity with a focus on DevOps. Now a Security Data Analyst at SpyCloud, she leverages her background in mathematics, computer science, and data science to analyze and parse security data, with a strong interest in machine learning.

Aaron Coffey

Forged at industry leaders like Google and Box, Aaron crafts elegant solutions to accelerate threat intelligence and disrupt cybercriminal operations. As a Senior Security Research Engineer at SpyCloud, he brings over a decade of expertise across IT, Incident Response, Security Automation, and Detection Engineering. Outside the world of threat research, Aaron swaps code for a camera, capturing landscapes instead of compromises.

Meet the research team

The fuel behind our efforts is a talented team of analysts and researchers relentlessly focused on connecting the dots as threat actors pivot and change.

Trevor Hilligoss

Trevor served nine years in the U.S. Army and has an extensive background in federal law enforcement, tracking threat actors for both the DoD and FBI. He is a member of the Joint Ransomware Task Force and serves in an advisory capacity for multiple cybersecurity-focused non-profits. He has spoken at numerous US and international cyber conferences, holds multiple federal and industry certifications in the field of cybersecurity, and is a recipient of the President's Volunteer Service Award for volunteer service aimed at countering cyber threats. Trevor is the Vice President of SpyCloud Labs

Wallis Romzek, PhD

Dr. Wallis Romzek is an applied mathematician who has spent the last decade leveraging Big Data and machine learning to tackle problems in the information and cybersecurity spaces. Most recently, her work has focused on tracking and characterizing cybercrime and its potential victims for SpyCloud and a number of government organizations. She is SpyCloud’s Principal Data Scientist.

James

James is a self taught reverse engineer with published analyses featured by ZDNet, ThreatPost, BleepingComputer and other publications. They have experience reversing popular mailstealers/malspam families like Emotet, IcedID, and were a recipient of the the President's Volunteer Services Award in 2023 for public reversing work done on these families. They are currently tracking all things infostealer at SpyCloud.

Kyla Cardona

Kyla is a U.S. military veteran from the Air Force, Marines, and Army, holds a BS in Computer Information Systems and multiple cybersecurity certifications including Security+, CEH, CySA+, and Splunk. Specializing in Terrorism and Homeland Security certifications coupled with extensive Chinese OSINT training, she possesses a strong sense and understanding of geopolitical cyber threats in China’s digital landscape. Kyla is a Staff Security Researcher at SpyCloud, with a focus on cyber threats in China and other cybercrimes occurring within deep/dark web illicit communities.

Joe Roosen

Joe spent 20 years in various system administration, consulting and design roles in information technology but eventually shifted his focus to security and thwarting cybercrime. What started as a volunteer passion project in 2017 with the Cryptolaemus group fighting Emotet has now turned into a full-fledged information security career. Joe works as the Security Research Manager at SpyCloud Labs now leading his team to collect all of the data breaches and leaks possible. "Gotta catch them all!"

Aurora Johnson

Aurora is an information security researcher and cybersecurity policy expert who worked as a Senior Analyst for CISA before joining SpyCloud as Responsible Disclosure Coordinator. She manages the program to alert organizations when SpyCloud finds their sensitive breached, leaked, or exposed data through its collections. Aurora participates in a range of volunteer and public-private initiatives to track and disrupt the cybercriminal ecosystem and was a recipient of the President’s Volunteer Service Award in 2023 for work with the U.S. government against cyber security threats.

Mike Dausin

Mike has a long-standing fascination with leveraging data to solve security problems and has spent the last 20+ years writing security and automation tools and analytics at Dell, TippingPoint, Arbor Networks, and Alert Logic. Now as Data Analysis Manager at SpyCloud, he leads the Security Data Analytics team and is responsible for taming the chaos of raw breach data.

Yashar H.

Yashar is a GIAC Certified Forensic Analyst (GCFA) and a former SOC/Incident Response analyst who dabbles in security research and reverse engineering in his free time. At SpyCloud, he works as a Staff Security Data Analyst, focusing primarily on processing breach data for the SpyCloud Cybercrime Analytics Engine.

Daniel

Daniel is hyper-focused on developing new methods to automate the collections process and acquire more data from criminal communities. He is a Senior Security Researcher at SpyCloud Labs.

Jakob S.

Jakob is a trained software engineer and a recent newcomer to the cybersecurity realm. He works as a Junior Security Data Analyst on the SpyCloud Labs parsing team.

Paul S.

Paul S. is from the UK and is a biochemist with a PhD in medical research. He decided to leave the life of medical research behind to become a sysadmin for the Crown. It was there he found a love of taking apart phishing campaigns and thwarting bad actors. Paul now hunts phish for a living as our latest Staff Security Researcher.

Keegan Keplinger

Keegan has degrees in physics, neuroscience, and mathematics and holds a President's Volunteer Service Award for cybersecurity. Raised a commercial fisherman out of Kodiak, Alaska, Keegan joined the cybersecurity community in 2017, as part of eSentire's Threat Intelligence team where he participated in detection engineering, tool building and the collection, analysis, and dissemination of threat intelligence. Keegan studies the linguistics and humanities of Slavic and Germanic cultures as part of a broader interest in Proto-Indo-European studies. At SpyCloud, Keegan focuses on tool-development, methodology, and theory around collection and promotes a disease-based view of criminology.

Andy Culler

Andy is a seasoned security engineer passionate about automation. He started his career as an analyst and tool developer at Dell SecureWorks before moving on to help build security engineering and automation programs at Box and Slack. As a Principal Security Research Engineer at SpyCloud, Andy is excited to leverage his more than 15 years of industry experience to tackle new challenges in the world of security research.

Zoe Neale

Zoe began her professional career in June 2024 after graduating from The University of Texas at Austin, interning in cybersecurity with a focus on DevOps. Now a Security Data Analyst at SpyCloud, she leverages her background in mathematics, computer science, and data science to analyze and parse security data, with a strong interest in machine learning.

Aaron Coffey

Forged at industry leaders like Google and Box, Aaron crafts elegant solutions to accelerate threat intelligence and disrupt cybercriminal operations. As a Senior Security Research Engineer at SpyCloud, he brings over a decade of expertise across IT, Incident Response, Security Automation, and Detection Engineering. Outside the world of threat research, Aaron swaps code for a camera, capturing landscapes instead of compromises.

Driven by SpyCloud's identity intelligence

The purpose of SpyCloud Labs is to relentlessly analyze the active tactics we’re seeing among cybercriminals and look ahead in the evolution of these practices. We use advanced analytics to illuminate exposures relating to employee and customer credentials, cookies, PII, and other stolen assets so you can protect your organization.

0 B+

Recaptured Assets

0 B+

Assets Ingested Monthly

0 K+

Breaches

0 +

Malware Families

0 +

Phish Kits

Get the latest research

Sign up to receive regular updates from SpyCloud, including new cybercrime research, product updates, and security resources.

About SpyCloud's Responsible Disclosure Program

SpyCloud Labs coordinates SpyCloud’s Responsible Disclosure (RD) program. We regularly and proactively engage with victimized organizations to make sure they have access to the data that was allegedly stolen from them, giving them an opportunity to remediate potential user or employee exposures due to the release of the information.

NEW: SpyCloud Investigations with AI Insights. Get finished intel in seconds

Got it!
X