Capstone: Anatomy of a Multi-Stage Attack
A full investigation spanning email compromise, social engineering, wire fraud, and crypto laundering, showing how fraud domains interconnect
By Benjamin, Fraud Attacks
Cross-module fraud cases are attacks that span more than one knowledge domain: an attacker who phishes credentials, then runs social engineering, then triggers a wire transfer, then launders the proceeds across multiple rails. This capstone walks through one such attack in detail so you can see how each module of the curriculum applies to a single chain of events.
The Email, the Wire, and the Blockchain
On a Thursday afternoon, a manufacturing company called Thornfield Industries lost $1.7 million. The attack started with a compromised email account. It progressed through social engineering. It culminated in a wire transfer. And the money disappeared into a cryptocurrency laundering chain that spanned four countries.
No single module in this learning path covers the whole story. That's the point. Real fraud investigations cross domain boundaries. An analyst who understands email security but not money movement will miss the wire fraud. An analyst who understands payment systems but not crypto will lose the trail when funds hit the blockchain. An analyst who understands blockchain but not social engineering won't recognize how the initial compromise happened.
This capstone walks through an attack that touches every major domain you've studied: email security, social engineering, payment systems, and crypto fraud. It's the final exam, and the question is: can you follow the entire chain?
This story is fictional, but the patterns are real.
Phase 1: The Compromise (Email Security)
How did the attacker get in?
The attack began six weeks before the wire transfer, with a phishing email.
Thornfield's CEO, Marcus Webb, received an email that appeared to come from a board member. The subject line referenced an upcoming board meeting. The email contained a link to what looked like a shared Google document. When Marcus clicked the link, it took him to a convincing login page that captured his Google Workspace credentials.
The phishing email was sent from a lookalike domain the attacker controlled, and that domain had valid SPF, DKIM, and DMARC records of its own, so the message passed every automated authentication check. The link led to a credential-harvesting page on another attacker-controlled host. (Recall from Email Authentication that authentication verifies that a message really came from the domain it claims, not that the domain is trustworthy. A perfectly configured malicious domain passes every check.)
Marcus entered his credentials and saw a "document not found" error. He assumed the board member had removed the file and moved on with his day. From a defender's view this is the first link in an account takeover chain: harvested credentials, no second factor, no behavioral signal triggered.
What the Attacker Did Next
With Marcus's credentials, the attacker logged into his Google Workspace account. But they didn't send fraudulent emails immediately. Instead, they spent four weeks doing reconnaissance:
- Created an email forwarding rule that silently copied all of Marcus's inbound email to an external address
- Read every thread about ongoing vendor relationships, contracts, and payments
- Studied Marcus's writing style: his greeting patterns, his sign-off, his level of formality
- Identified that Thornfield was in the middle of a facility renovation with a contractor named Ridgeline Construction, with a $1.7 million payment due in mid-October
The attacker now knew the amount, the vendor, the timing, and the person who would authorize the payment. They had everything they needed.
(This reconnaissance phase mirrors what you learned in Wire Transfer & ACH Fraud. BEC attackers don't rush. They study the target's processes and wait for the right moment.)
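The forwarding rule in the list above is the one artifact of this phase that a defender can detect mechanically: a rule that copies a mailbox to an address outside the organization, created at an odd hour, is a classic account-takeover tell. The detector below is an added example for this capstone, not part of the curriculum's own material. It runs over a handful of constructed audit events; the field names (`action`, `destination`, `keep_copy`, `ts`) are an assumed, simplified schema rather than the real Google Workspace admin-audit export, and the business-hours window is an assumption for the sample.

```python
from dataclasses import dataclass, field

# Assumptions for the sample: the org's mail domain, and a business-hours window
# in UTC (roughly 8am-7pm US Eastern). Both would be config in a real deployment.
ORG_DOMAINS = {"thornfield.example"}
BUSINESS_HOURS_UTC = (12, 23)

# Constructed audit events with an assumed, simplified schema (not the real
# Google Workspace export format).
SAMPLE_EVENTS = [
    # the attacker's rule: external destination, created at 2am UTC
    {"ts": "2024-09-03T02:14:09Z", "actor": "marcus.webb@thornfield.example",
     "action": "create_forwarding_rule",
     "destination": "mw.backup@mail-archive.example", "keep_copy": True},
    # benign: forward to an internal shared mailbox during the day
    {"ts": "2024-09-03T14:30:00Z", "actor": "diana.reeves@thornfield.example",
     "action": "create_forwarding_rule",
     "destination": "ap-team@thornfield.example", "keep_copy": True},
    # a filter with no forwarding destination is ignored by this detector
    {"ts": "2024-09-04T15:00:00Z", "actor": "marcus.webb@thornfield.example",
     "action": "create_filter", "destination": None, "keep_copy": True},
    # external forward that also deletes the original from the mailbox
    {"ts": "2024-09-05T16:05:00Z", "actor": "paul.ng@thornfield.example",
     "action": "create_forwarding_rule",
     "destination": "paul.ng.1987@webmail.example", "keep_copy": False},
]


@dataclass
class Finding:
    actor: str
    destination: str
    severity: str
    reasons: list = field(default_factory=list)


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()


def is_internal(domain, org_domains):
    # exact match or subdomain of an org domain counts as internal
    return any(domain == d or domain.endswith("." + d) for d in org_domains)


def flag_external_forwarding(events, org_domains=ORG_DOMAINS):
    """Return one Finding per forwarding rule whose destination is outside the org."""
    findings = []
    for ev in events:
        if ev.get("action") != "create_forwarding_rule" or not ev.get("destination"):
            continue
        dest_domain = domain_of(ev["destination"])
        if is_internal(dest_domain, org_domains):
            continue
        reasons = [f"forwards to external domain {dest_domain}"]
        severity = "medium"
        if not ev.get("keep_copy", True):
            # the mailbox owner never sees the message: attacker controls the thread
            reasons.append("original deleted: mailbox owner never sees the message")
            severity = "high"
        hour = int(ev["ts"][11:13])
        if not BUSINESS_HOURS_UTC[0] <= hour < BUSINESS_HOURS_UTC[1]:
            reasons.append(f"created at {hour:02d}:xx UTC, outside business hours")
            severity = "high"
        findings.append(Finding(ev["actor"], ev["destination"], severity, reasons))
    return findings


if __name__ == "__main__":
    for f in flag_external_forwarding(SAMPLE_EVENTS):
        print(f.severity.upper(), f.actor, "->", f.destination, "|", "; ".join(f.reasons))
```

The point of routing these findings to the finance team as well as to IT is made later in the case: a forwarding rule on the CEO's mailbox is an early warning that any payment instruction "from" the CEO in the following weeks needs out-of-band confirmation.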
Phase 2: The Social Engineering
Building the Pretext
Three days before Thornfield's payment to Ridgeline Construction was due, the attacker sent an email from Marcus's actual email account (not spoofed, actually sent from his compromised account) to Thornfield's controller, Diana Reeves.
Diana - Quick heads up, I just spoke with Tom at Ridgeline. They've switched banks and have new wire instructions for the renovation payment. Tom is going to send updated wiring details to you directly today. Please use those for the $1.7M payment. Thanks, Marcus
The email was perfect. It came from Marcus's real account. It referenced a real vendor, a real project, and a real amount. It matched Marcus's writing style because the attacker had studied it for weeks.
The Follow-Up
Twenty minutes later, Diana received an email from tom.briggs@ridgeline-const.com. Ridgeline's actual domain was ridgelineconstruction.com. The attacker had registered the lookalike domain the week before.
The email from "Tom" included updated wire instructions: a new bank, a new account number, and a new beneficiary name. The email was professional, referenced the renovation project by name, and included an invoice with Ridgeline's logo.
Diana had two pieces of confirming information: the CEO's heads-up and the vendor's "updated" instructions. From her perspective, this was a routine banking change.
Which social engineering principles did the attack use?
The attack used multiple social engineering techniques you studied in the Social Engineering module:
Authority. The initial email came from the CEO. Diana's instinct was to comply with a directive from the top.
Consistency. The CEO's email and "Tom's" follow-up agreed with each other, so each appeared to corroborate the other. Two sources telling the same story felt like independent validation, even though both came from the same attacker.
Social proof and insider detail. The vendor's email carried specific project details that only a legitimate party should have known. The attacker had lifted them from the forwarded email threads, but to Diana they read as proof that the sender was who they claimed to be.
Time pressure. The payment was due in three days. There was natural urgency to get the banking change processed before the deadline.
Phase 3: The Wire Transfer (Money Movement)
The $1.7 Million Payment
Diana processed the wire on Thursday morning. She followed Thornfield's standard procedure: CEO authorization via email (which she had), vendor invoice (which she had), and dual approval from the CFO (who signed off based on the CEO's email).
The wire was sent at 10:22 AM to a bank account in Miami. The money arrived by 10:31 AM.
At 3:15 PM, the real Tom Briggs from Ridgeline Construction called Thornfield's accounting department to ask about the status of their payment. The real Ridgeline hadn't changed banks. They'd never sent updated wire instructions.
Diana's blood went cold. She called the bank immediately.
The Recovery Attempt
As you learned in Payment Systems 101, wire transfers are final. There's no chargeback mechanism. Recovery depends entirely on speed: if the receiving bank can freeze the funds before they're moved, there's a chance.
Thornfield's bank sent a recall request to the receiving bank in Miami. The response came within three hours: only $140,000 remained in the account. The rest had already been moved.
The receiving account had been opened three weeks earlier using a stolen identity. It was a single-use account, set up specifically for this attack, of the kind that stronger know-your-customer checks are designed to stop at onboarding.
Phase 4: The Crypto Laundering Trail
Following the Money
The $1.56 million that left the Miami account didn't go to another bank. It went to five cryptocurrency exchanges via ACH transfers initiated within hours of the wire's arrival.
| Transfer | Amount | Destination | What Happened Next |
|---|---|---|---|
| 1 | $420,000 | Exchange A (US-based) | Converted to USDT on Tron, sent to external wallet |
| 2 | $380,000 | Exchange B (US-based) | Converted to BTC, withdrawn |
| 3 | $310,000 | Exchange C (offshore) | Converted to ETH, bridged to Tron |
| 4 | $280,000 | Exchange D (US-based) | Converted to USDT on Tron, sent to external wallet |
| 5 | $170,000 | Exchange E (offshore) | Converted to BTC, mixed via CoinJoin |
The conversion from fiat to crypto happened within 24 hours of the original wire. Once on the blockchain, the funds moved through a laundering chain designed to break the trail.
The Blockchain Analysis
The case team (Thornfield's bank, the FBI's field office, and a blockchain analytics vendor) used on-chain analysis tools to trace the funds. Here's what they found:
Transfers 1 and 4 (USDT on Tron): The funds were sent to a series of Tron addresses and eventually deposited at an unregistered OTC desk in Southeast Asia. The OTC desk didn't perform adequate KYC. The trail went cold at the cash-out point.
Transfer 2 (BTC): The Bitcoin was run through a CoinJoin mixing transaction, splitting into dozens of equal-sized outputs sent to fresh addresses. Mixing exists to break the deterministic link between inputs and outputs: after a well-executed CoinJoin, any single output can only be attributed to an input probabilistically, and the confidence of that attribution falls with every additional round. However, one output was eventually deposited at a regulated exchange that cooperated with law enforcement. The account was linked to a known money mule recruited through a fake job listing.
Transfer 3 (ETH bridged to Tron): This was a chain-hopping pattern. ETH was bridged from Ethereum to Tron using a cross-chain bridge, then swapped for USDT on a Tron DEX. The analytics vendor tracked it through the bridge by correlating lock and mint events, but the trail was lost after the DEX swap.
Transfer 5 (BTC mixed): The mixing was thorough enough that individual outputs couldn't be traced with confidence. The funds were effectively laundered.
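The description of Transfers 2 and 5 rests on one structural heuristic that analytics tools apply to every Bitcoin transaction: many inputs from distinct addresses feeding many outputs of exactly the same value. The snippet below, added here as an illustration and not taken from the curriculum or from any analytics vendor's product, applies that heuristic to constructed transactions (values in satoshis, addresses made up) and shows why "couldn't be traced with confidence" is a number, not a feeling: with 12 equal outputs, a single hop leaves a 1-in-12 chance of picking the right one, and two hops multiply. A batch withdrawal with equal outputs but a single input is deliberately not flagged, since that is an exchange payout, not a mix.

```python
from collections import Counter
from functools import reduce

# Constructed CoinJoin: twelve participants each mix 0.1 BTC (10,000,000 sats)
# and take their change back. Addresses and amounts are made up for the example.
COINJOIN_TX = {
    "txid": "constructed-coinjoin",
    "inputs": [{"addr": f"bc1q_in_{i:02d}", "value": 10_000_000 + (i + 1) * 137_000}
               for i in range(12)],
    "outputs": [{"addr": f"bc1q_mix_{i:02d}", "value": 10_000_000} for i in range(12)]
               + [{"addr": f"bc1q_chg_{i:02d}", "value": (i + 1) * 137_000 - 2_500}
                  for i in range(12)],
}

# Constructed ordinary payment: one input, a payment and a change output.
SIMPLE_TX = {
    "txid": "constructed-payment",
    "inputs": [{"addr": "bc1q_alice", "value": 50_000_000}],
    "outputs": [{"addr": "bc1q_bob", "value": 30_000_000},
                {"addr": "bc1q_alice_change", "value": 19_990_000}],
}

# Constructed exchange batch withdrawal: equal outputs but a single input, so it
# must not be mistaken for a mix.
BATCH_TX = {
    "txid": "constructed-batch",
    "inputs": [{"addr": "bc1q_exchange_hot", "value": 250_100_000}],
    "outputs": [{"addr": f"bc1q_cust_{i}", "value": 50_000_000} for i in range(5)],
}


def coinjoin_signature(tx, min_participants=3):
    """Flag the equal-output, many-input structure typical of a CoinJoin.

    Returns the most common output value, how many outputs share it, and the
    anonymity set an analyst faces when following one mixed output.
    """
    counts = Counter(o["value"] for o in tx["outputs"])
    denomination, n_equal = counts.most_common(1)[0]
    distinct_inputs = len({i["addr"] for i in tx["inputs"]})
    # every participant contributes at least one input, so a real mix has at
    # least as many distinct inputs as equal outputs
    is_coinjoin = n_equal >= min_participants and distinct_inputs >= n_equal
    return {
        "txid": tx["txid"],
        "is_coinjoin": is_coinjoin,
        "denomination_sats": denomination if is_coinjoin else None,
        "equal_outputs": n_equal if is_coinjoin else 0,
        "anonymity_set": n_equal if is_coinjoin else 1,
    }


def trace_confidence(anonymity_sets):
    """Probability that one chosen output descends from a chosen input after a
    chain of mixes, given the anonymity set of each hop (uniform-choice model)."""
    return reduce(lambda p, k: p / k, anonymity_sets, 1.0)


if __name__ == "__main__":
    for tx in (COINJOIN_TX, SIMPLE_TX, BATCH_TX):
        print(coinjoin_signature(tx))
    hops = [coinjoin_signature(COINJOIN_TX)["anonymity_set"], 8]
    print(f"confidence after two mixes: {trace_confidence(hops):.4f}")
```

The uniform-choice model is the floor, not the ceiling: timing, amount and address-reuse correlations let an analyst do better than 1/N in practice, which is exactly how the mule deposit from Transfer 2 was recovered.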
What was recovered?
| Amount | Status |
|---|---|
| $140,000 | Frozen in Miami bank account |
| $42,000 | Frozen at Exchange B (mule account identified) |
| $1,518,000 | Lost to crypto laundering |
Total recovered: $182,000 out of $1.7 million. Thornfield absorbed a $1.518 million loss.
The Investigation Map
Here's how the attack connects across every domain you've studied:
[Email Security]
Phishing email → credential capture → account compromise
↓
[Social Engineering]
4 weeks of reconnaissance → authority + consistency + urgency
↓
[Money Movement]
CEO impersonation → controller processes $1.7M wire → immediate movement
↓
[Crypto Fraud]
Fiat → 5 exchanges → BTC/ETH/USDT → mixing + chain hopping + OTC cash-out
↓
[Investigation]
Email headers + bank records + blockchain analysis → partial recovery
Every phase of the attack exploited specific knowledge from a specific domain. And every phase of the investigation required skills from multiple domains.
Where could the investigation have gone differently?
If Thornfield Had DMARC Enforcement
The initial phishing email came from a lookalike domain. DMARC wouldn't have caught it (the lookalike domain had its own valid DMARC). But if the attacker had tried to spoof Thornfield's own domain to target Marcus, DMARC at p=reject would have blocked it.
The real gap: domain monitoring. ridgeline-const.com impersonated Thornfield's vendor, not Thornfield itself, so a watchlist would have needed to cover the domains of key payees as well as Thornfield's own. Had Thornfield (or Ridgeline) been tracking newly registered domains that resemble those names, ridgeline-const.com might have been flagged in the week between its registration and its use.
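Lookalike monitoring of the kind described above is mostly string comparison against a watchlist. The scanner below is an added example written for this capstone (it is not the curriculum's code and not any commercial monitoring product) and it generalizes beyond the one abbreviation trick used here: it also catches digit-for-letter homoglyphs and domains that embed the legitimate label with an extra token. The watchlist, the list of "newly registered" domains, the homoglyph table and the thresholds are all assumptions for the sample; a real feed would come from a certificate-transparency or zone-file monitor.

```python
# Assumed watchlist: the organization's own domain plus the domains of key payees.
WATCHLIST = {"thornfield.com", "ridgelineconstruction.com"}

# Constructed sample of "newly registered" domains to scan.
NEW_REGISTRATIONS = [
    "ridgeline-const.com",       # abbreviation of the vendor's label (the case)
    "thornfie1d.com",            # digit-for-letter homoglyph
    "ridgelineconstructi0n.com", # homoglyph on the vendor
    "thornfield-payments.com",   # legitimate label plus a plausible extra token
    "ridgewood-homes.com",       # unrelated, must not be flagged
    "thornfield.com",            # the real domain, must not be flagged
]

# Common typosquat substitutions. Multi-character swaps come first so that
# "rn" -> "m" is applied before single characters.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("cl", "d"),
              ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def registrable_label(domain):
    """'www.Ridgeline-Const.com.' -> 'ridgeline-const'.
    Assumption: single-label public suffixes only (.com, .net); .co.uk is not handled."""
    parts = domain.strip().lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def normalize(label):
    """Strip separators and fold homoglyphs so visually similar labels compare equal."""
    label = label.replace("-", "").replace("_", "")
    for bad, good in HOMOGLYPHS:
        label = label.replace(bad, good)
    return label


def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def common_prefix_len(a, b):
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def lookalike_reasons(candidate, legit, max_edits=2, min_prefix=8):
    """Why `candidate` resembles `legit`; empty list means no resemblance found."""
    cand_raw, legit_raw = registrable_label(candidate), registrable_label(legit)
    if cand_raw == legit_raw:
        return []                       # same registrable domain, not a lookalike
    c, l = normalize(cand_raw), normalize(legit_raw)
    d = levenshtein(c, l)
    if d == 0:
        return ["identical after homoglyph/hyphen normalization"]
    reasons = []
    if d <= max_edits:
        reasons.append(f"within {d} edit(s) of legitimate label")
    prefix = common_prefix_len(c, l)
    if prefix >= min_prefix and l.startswith(c):
        reasons.append(f"truncated/abbreviated form of legitimate label ({prefix} shared chars)")
    if l in c:
        reasons.append("embeds legitimate label with extra tokens")
    return reasons


def scan_registrations(new_domains, watchlist=WATCHLIST):
    """Map each suspicious new domain to the watchlist entries it resembles."""
    hits = {}
    for cand in new_domains:
        for legit in sorted(watchlist):
            reasons = lookalike_reasons(cand, legit)
            if reasons:
                hits.setdefault(cand, []).append((legit, reasons))
    return hits


if __name__ == "__main__":
    for domain, matches in scan_registrations(NEW_REGISTRATIONS).items():
        for legit, reasons in matches:
            print(f"{domain} ~ {legit}: {'; '.join(reasons)}")
```

Note that pure edit distance would have missed the case's domain: ridgeline-const is seven edits from ridgelineconstruction. The prefix rule is what catches abbreviations, which is why a monitor needs more than one heuristic.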
If Diana Had Used Out-of-Band Verification
One phone call to Marcus's known phone number would have revealed that he never sent the email about Ridgeline's banking change. One phone call to Ridgeline would have confirmed they hadn't changed banks. The entire $1.7 million loss hinged on Diana trusting email as a verification channel.
If Exchanges and Law Enforcement Had Coordinated Faster
Three of the five exchanges were US-based and subject to BSA/AML requirements, but a suspicious activity report filed after the fact freezes nothing. By the time law enforcement contacted them, the crypto had already been withdrawn. Faster communication between banks, exchanges, and law enforcement could have frozen more funds while they were still in custodial accounts.
If Thornfield Had a New Payee Hold
A 24-hour hold on wires to new beneficiaries would have delayed the payment long enough for Ridgeline to call about their missing payment before the money left.
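The three process controls in this section (out-of-band verification, a banking-change check against the vendor master, and a new-payee cooling-off period) can be written down as a single release decision rather than left to a controller's judgment under deadline pressure. The policy check below is an added example for this capstone, not Thornfield's or the curriculum's procedure; the record layouts, thresholds and the 24-hour window are assumptions, and the `oob_verified` flag is meant to be set only after a call to the phone number already on file, never to a number supplied in the request.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class VendorRecord:
    legal_name: str
    routing: str
    account: str
    phone_on_file: str                 # verified at onboarding, never taken from an email
    bank_details_changed_at: datetime  # when the current bank details were set


@dataclass(frozen=True)
class WireRequest:
    vendor: str
    beneficiary_name: str
    routing: str
    account: str
    amount: int                 # whole dollars
    authorized_via: frozenset   # channels the approval arrived on, e.g. {"email"}
    instructions_via: str       # where the bank details came from: "vendor_master" or "email"
    oob_verified: bool          # confirmed by phone to VendorRecord.phone_on_file?


def record_banking_change(vendor, routing, account, now):
    """Update a vendor's bank details and start the cooling-off clock."""
    return replace(vendor, routing=routing, account=account, bank_details_changed_at=now)


def evaluate_wire(req, vendor_master, now, cooling_off=timedelta(hours=24),
                  oob_threshold=25_000):
    """Return ("RELEASE", []) or ("HOLD", [reasons]) for a wire request."""
    reasons = []
    vendor = vendor_master.get(req.vendor)
    if vendor is None:
        reasons.append("vendor not in master file")
    else:
        if (req.routing, req.account) != (vendor.routing, vendor.account):
            reasons.append("beneficiary bank details differ from vendor master")
        if req.beneficiary_name != vendor.legal_name:
            reasons.append("beneficiary name differs from vendor legal name")
        age = now - vendor.bank_details_changed_at
        if age < cooling_off:
            reasons.append(f"bank details changed {age} ago, inside {cooling_off} cooling-off")
    if req.instructions_via == "email" and not req.oob_verified:
        reasons.append("wire instructions arrived by email and were not confirmed out of band")
    if req.amount >= oob_threshold and not req.oob_verified:
        reasons.append(f"amount >= {oob_threshold} requires out-of-band confirmation")
    if req.authorized_via <= {"email"}:
        reasons.append("authorization exists only in email; confirm by phone or signed workflow")
    return ("RELEASE" if not reasons else "HOLD"), reasons


# Constructed vendor master and requests modelled on the case (numbers are fake).
NOW = datetime(2024, 10, 17, 10, 0, tzinfo=timezone.utc)
VENDOR_MASTER = {
    "Ridgeline Construction": VendorRecord(
        legal_name="Ridgeline Construction LLC", routing="011000015", account="448812093",
        phone_on_file="+1-555-0100", bank_details_changed_at=NOW - timedelta(days=400)),
}
FRAUD_REQUEST = WireRequest(
    vendor="Ridgeline Construction", beneficiary_name="RC Holdings Group",
    routing="067014822", account="990017341", amount=1_700_000,
    authorized_via=frozenset({"email"}), instructions_via="email", oob_verified=False)
LEGIT_REQUEST = WireRequest(
    vendor="Ridgeline Construction", beneficiary_name="Ridgeline Construction LLC",
    routing="011000015", account="448812093", amount=1_700_000,
    authorized_via=frozenset({"email", "approval_system"}), instructions_via="vendor_master",
    oob_verified=True)


if __name__ == "__main__":
    for label, req in (("fraudulent", FRAUD_REQUEST), ("legitimate", LEGIT_REQUEST)):
        decision, reasons = evaluate_wire(req, VENDOR_MASTER, NOW)
        print(label, decision, *("  - " + r for r in reasons), sep="\n")
```

The cooling-off path matters even when the change is genuine: if Diana had updated the vendor master with the "new" details on Tuesday and the policy held the wire for 24 hours, the real Tom Briggs would have called before the money left.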
What does this case teach us?
Fraud Is a Chain, Not an Event
The Thornfield attack wasn't a phishing attack, or a social engineering attack, or a wire fraud, or a crypto laundering operation. It was all four, executed in sequence. Breaking any single link would have prevented the loss.
This is why siloed thinking fails. An email security team that catches the phishing but doesn't flag the account compromise to the finance team leaves the door open. A finance team with wire controls but no email monitoring can't see the setup. An investigator who traces the wire but can't follow the crypto trail stops at the first receiving account, where less than a tenth of the loss was still sitting.
Speed Is the Common Thread
Every phase of the attack was time-sensitive, and every phase of the investigation was a race:
- The attacker moved money out of the Miami account within hours
- Crypto conversion happened within 24 hours
- Mixing and chain-hopping happened within 48 hours
- By the time law enforcement engaged, most of the money was gone
The organizations and investigators who acted fastest preserved the most value. The $140,000 frozen in Miami was frozen because Diana called the bank within hours. The $42,000 frozen at Exchange B was frozen because the FBI's IC3 team moved quickly.
Defense Is Layered
No single control would have prevented this attack with certainty. But layered defenses create multiple chances to catch it:
| Layer | Control | What It Would Have Caught |
|---|---|---|
| Identity | Phishing-resistant MFA for executives | Credential theft |
| Email | Alerts on new forwarding rules to external addresses | Attacker's reconnaissance |
| Process | Out-of-band verification for wires | Fraudulent wire request |
| Process | New payee and banking-change cooling-off period | Urgency-driven execution |
| Finance | Vendor banking change verified against the phone number on file | Fake wire instructions |
| Crypto | Faster exchange-law enforcement coordination | Funds before cash-out |
Any one of these controls, properly implemented, would have stopped or reduced the loss.
Key Takeaways
- Real fraud investigations cross domain boundaries. The Thornfield attack spanned email security, social engineering, payment systems, and crypto laundering. Analysts who only understand one domain will miss parts of the chain.
- Breaking any link prevents the loss. Phishing-resistant MFA would have stopped the initial compromise. Out-of-band verification would have stopped the wire. Either control alone would have saved $1.7 million.
- Speed determines recovery. In wire fraud and crypto laundering, the window for intervention closes in hours, not days. Every organizational process that adds delay reduces the chance of recovery.
- Attackers invest weeks of preparation for one moment of execution. The attacker spent four weeks reading emails and building context for a single wire transfer. Detection during the reconnaissance phase is the best outcome.
- Layered defenses multiply your chances. No single control is perfect. But email monitoring, process controls, financial safeguards, and rapid incident response together create a defense that's difficult to penetrate completely.
Key Terms
| Term | Definition |
|---|---|
| Business email compromise (BEC) | An attack where criminals compromise or impersonate business email accounts to authorize fraudulent transactions |
| Lookalike domain | A domain registered to closely resemble a legitimate domain (e.g., ridgeline-const.com vs ridgelineconstruction.com) |
| Out-of-band verification | Confirming a request through a separate communication channel (e.g., phone call) rather than the channel the request arrived on |
| Chain hopping | Moving cryptocurrency across different blockchains to complicate tracking |
| OTC desk | Over-the-counter desk that facilitates direct crypto-to-fiat conversion, sometimes without adequate identity verification |
| Recall request | A sending bank's request to a receiving bank to return wire funds (not guaranteed to succeed) |
Continue learning
- Fraud Basics · Fraud 101: What Is Fraud? · Absolute basics for someone who has never looked at fraud: what is fraud, how is it different from other crimes, and why does it matter
- Fraud Basics · Common Fraud Types Every Analyst Should Know · The most frequent fraud types you will encounter as a fraud analyst: identity theft, payment fraud, account takeover, and business fraud
- Fraud Basics · SQL Crash Course for Fraud Analysts · Essential SQL skills for investigating fraud cases: learn to query transaction data, analyze patterns, and gather evidence
- More from Money Movement & Transaction Fraud · Payment Systems 101: How Money Really Moves · Essential foundation for understanding how ACH, wire transfers, card payments, and digital payments actually work, and why criminals target them
- More from Account Takeover · ATO Fundamentals · Essential foundation every fraud professional needs to know about account takeover attacks
- More from Social Engineering · Social Engineering Fundamentals · The psychology of manipulation and how attackers exploit human trust