
Cybercrime Security Research
SpyCloud Labs is SpyCloud’s focused cybercrime research group dedicated to uncovering and analyzing the most intricate patterns from the criminal underground. We nerd out on all things breach, malware, phishing, and threat actor-related – and are hellbent on making the internet a safer place for all and making bad guys sad. This is a space for our experts to share our latest research findings as well as best practices and solutions for organizations to better their defenses.
Latest security research
Dig in with us as we analyze digital underground collections, reverse-engineer malware, and identify threat actor patterns.

Big News: Our Data is Going from “Once a Day” to “All Day, Every Day”
SpyCloud’s continuous delivery model processes breach data in 2 hours, malware in 1 hour – giving cybersecurity teams the speed to detect and remediate threats before attackers weaponize stolen data.

July Cybercrime Update: The Latest Takedowns, Tycoon 2FA & the Tea Leak
From the XSS forum takedown to the Tea app data leak & Tycoon 2FA attacks, our July cybercrime update breaks down the biggest threats and news.

Trapped by the Tycoon: An Analysis of 150K Credentials Phished by Tycoon 2FA
SpyCloud analyzed 150K stolen credentials from Tycoon 2FA phishing attacks. See what the data reveals about targeted victims.
Webinars and videos
Tune in to hear new and interesting research insights from our experts, first-hand.

Preparing for the Inevitable: Strengthening Incident Response in a Rapidly Evolving Threat Landscape
This live webcast will cover how to unite IT, identity, and security teams to strengthen incident response, reduce risk, and build cyber resilience before the next attack strikes.

Phish Happens: Reeling in the Real Risk of Phished Identity Exposures
In this webinar we’ll unpack the latest phishing tactics and show how recaptured phished data lets you protect vulnerable users and block follow-on attacks.

Minding the Malware Gap – Identity Threat Protection Beyond The Endpoint
This webinar explores the latest malware trends uncovered by our SpyCloud Labs team, and how these insights help security teams enable proactive measures to secure corporate access.
SpyCloud Labs in the news
Insights and research from the team making headlines.
Meet the research team
The fuel behind our efforts is a talented team of analysts and researchers relentlessly focused on connecting the dots as threat actors pivot and change.
Trevor Hilligoss
Trevor served nine years in the U.S. Army and has an extensive background in federal law enforcement, tracking threat actors for both the DoD and FBI. He serves in an advisory capacity for multiple cybersecurity-focused non-profits and has spoken at numerous US and international cyber conferences, holds multiple federal and industry certifications in the field of cybersecurity, and is a recipient of the President's Volunteer Service Award for volunteer service aimed at countering cyber threats. Trevor is the Head of Security Research and Senior Vice President of SpyCloud Labs.
Wallis Romzek, PhD
Dr. Wallis Romzek is an applied mathematician who has spent the last decade leveraging Big Data and machine learning to tackle problems in the information and cybersecurity spaces. Most recently, her work has focused on tracking and characterizing cybercrime and its potential victims for SpyCloud and a number of government organizations. She is SpyCloud’s Principal Data Scientist.
Kyla Cardona
Kyla is a U.S. military veteran of the Air Force, Marines, and Army, and holds a BS in Computer Information Systems and multiple cybersecurity certifications including Security+, CEH, CySA+, and Splunk. Specializing in Terrorism and Homeland Security certifications coupled with extensive Chinese OSINT training, she possesses a strong sense and understanding of geopolitical cyber threats in China’s digital landscape. Kyla is a Staff Security Researcher at SpyCloud, with a focus on cyber threats in China and other cybercrimes occurring within deep/dark web illicit communities.
Joe Roosen
Joe spent 20 years in various system administration, consulting and design roles in information technology but eventually shifted his focus to security and thwarting cybercrime. What started as a volunteer passion project in 2017 with the Cryptolaemus group fighting Emotet has now turned into a full-fledged information security career. Joe works as the Security Research Manager at SpyCloud Labs, now leading his team to collect all of the data breaches and leaks possible. "Gotta catch them all!"
Aurora Johnson
Aurora is an information security researcher and cybersecurity policy expert who worked as a Senior Analyst for CISA before joining SpyCloud as Responsible Disclosure Coordinator. She manages the program to alert organizations when SpyCloud finds their sensitive breached, leaked, or exposed data through its collections. Aurora participates in a range of volunteer and public-private initiatives to track and disrupt the cybercriminal ecosystem and was a recipient of the President’s Volunteer Service Award in 2023 for work with the U.S. government against cyber security threats.
Mike Dausin
Mike has a long-standing fascination with leveraging data to solve security problems and has spent the last 20+ years writing security and automation tools and analytics at Dell, TippingPoint, Arbor Networks, and Alert Logic. Now as Data Analysis Manager at SpyCloud, he leads the Security Data Analytics team and is responsible for taming the chaos of raw breach data.
Jakob S.
Jakob is a trained software engineer and a recent newcomer to the cybersecurity realm. He works as a Junior Security Data Analyst on the SpyCloud Labs parsing team.
James
James is a self-taught reverse engineer with published analyses featured by ZDNet, ThreatPost, BleepingComputer and other publications. They have experience reversing popular mailstealers/malspam families like Emotet and IcedID, and were a recipient of the President's Volunteer Service Award in 2023 for public reversing work done on these families. They are currently tracking all things infostealer at SpyCloud.
Yashar H.
Yashar is a GIAC Certified Forensic Analyst (GCFA) and a former SOC/Incident Response analyst who dabbles in security research and reverse engineering in his free time. At SpyCloud, he works as a Staff Security Data Analyst, focusing primarily on processing breach data for the SpyCloud Cybercrime Analytics Engine.
Daniel
Daniel is hyper-focused on developing new methods to automate the collections process and acquire more data from criminal communities. He is a Senior Security Researcher at SpyCloud Labs.
Paul S.
Paul S. is from the UK and is a biochemist with a PhD in medical research. He decided to leave the life of medical research behind to become a sysadmin for the Crown. It was there he found a love of taking apart phishing campaigns and thwarting bad actors. Paul now hunts phish for a living as a Staff Security Researcher.
Andy Culler
Andy is a seasoned security engineer passionate about automation. He started his career as an analyst and tool developer at Dell SecureWorks before moving on to help build security engineering and automation programs at Box and Slack. As a Principal Security Research Engineer at SpyCloud, Andy is excited to leverage his more than 15 years of industry experience to tackle new challenges in the world of security research.
Keegan Keplinger
Keegan has degrees in physics, neuroscience, and mathematics and holds a President's Volunteer Service Award for cybersecurity. Raised a commercial fisherman out of Kodiak, Alaska, Keegan joined the cybersecurity community in 2017, as part of eSentire's Threat Intelligence team where he participated in detection engineering, tool building and the collection, analysis, and dissemination of threat intelligence. Keegan studies the linguistics and humanities of Slavic and Germanic cultures as part of a broader interest in Proto-Indo-European studies. At SpyCloud, Keegan focuses on tool-development, methodology, and theory around collection and promotes a disease-based view of criminology.
Zoe Neale
Zoe began her professional career in June 2024 after graduating from The University of Texas at Austin, interning in cybersecurity with a focus on DevOps. Now a Security Data Analyst at SpyCloud, she leverages her background in mathematics, computer science, and data science to analyze and parse security data, with a strong interest in machine learning.
Aaron Coffey
Forged at industry leaders like Google and Box, Aaron crafts elegant solutions to accelerate threat intelligence and disrupt cybercriminal operations. As a Senior Security Research Engineer at SpyCloud, he brings over a decade of expertise across IT, Incident Response, Security Automation, and Detection Engineering. Outside the world of threat research, Aaron swaps code for a camera, capturing landscapes instead of compromises.
Driven by SpyCloud's identity intelligence
The purpose of SpyCloud Labs is to relentlessly analyze the active tactics we’re seeing among cybercriminals and look ahead in the evolution of these practices. We use advanced analytics to illuminate exposures relating to employee and customer credentials, cookies, PII, and other stolen assets so you can protect your organization.
Recaptured Assets
Assets Ingested Monthly
Breaches
Malware Families
Phish Kits
About SpyCloud's Responsible Disclosure Program
SpyCloud Labs coordinates SpyCloud’s Responsible Disclosure (RD) program. We regularly and proactively engage with victimized organizations to make sure they have access to the data that was allegedly stolen from them, giving them an opportunity to remediate potential user or employee exposures due to the release of the information.