
Good vs Evil: A Holiday Cybercrime Story from the Front Lines


It was December 23rd. Most people were winding down for the holidays. I was not.

My phone rang, and on the other end was a client who had just received the kind of call no business ever wants to get. MasterCard had discovered over seven million card numbers for sale on the dark web. Samples had been purchased. They all traced back to this client.

No fraud had been reported yet, but it was only a matter of time.

The client’s first reaction was disbelief.

"We are too small for this to be real. We have antivirus and firewalls. It must be our fax line or the online store."

I have heard some version of that sentence in almost every breach I have ever worked.

That evening, my team of four packed up and headed out. It was Christmas Eve. I opted to drive. There is something surreal about cruising through holiday lights, knowing your destination is not family dinner but the front line of a digital war.


First Impressions

Our first job on any case is to get the lay of the land. We walked the environment, peeking into server rooms, checking the point-of-sale systems, and collecting anything with a hard drive.

When you are on-site in the first hours of an investigation, everything is evidence until proven otherwise. Laptops, desktops, servers—if it spins or stores, it comes with us.

We imaged drives. We captured memory. We took pictures and notes of everything. Meanwhile, the client floated theories: maybe a web order system, maybe the fax line. Anything but their point-of-sale systems.

Sometime that night, I got a call from Brian Krebs. He already knew about the case. News travels fast in the world of cybercrime.


The Investigation Picks Up

By the time we reached the second location, we were running on caffeine and adrenaline. My team split up across stores and began digging in.

Then came the moment we knew we had something real. Memory analysis of a captured system revealed a RAM scraper. That is the kind of malware that silently steals card data as it is processed.

On the disks, we found additional indicators of compromise. Base64 strings decoded into live card data. Registry artifacts tied to Carbanak / FIN7, a well-known financial threat actor.
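The two findings above, card data recovered from a memory capture and Base64 strings on disk that decode to live card numbers, are both found the same way: carve a byte buffer for candidate encodings, decode them, and keep only digit runs that pass the Luhn check. The scanner below is an added example for readers, not the author's or the team's tooling, and everything in it is assumed: the sample buffer is constructed inline from well-known payment-industry test card numbers, the track-data heuristic (a `^` or `=` separator next to the PAN) is a simplification, and the output masks every PAN so the tool does not itself re-expose card data.

```python
import base64
import binascii
import re

# Runs of base64 alphabet long enough to hold at least a 13-digit PAN,
# optionally followed by padding. Shorter runs are mostly noise.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{20,}={0,2}")
# 13-19 consecutive digits that are not part of a longer digit run.
PAN_RUN = re.compile(rb"(?<!\d)\d{13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first 6 and last 4 digits so findings can be reported safely."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def decoded_base64_runs(blob: bytes):
    """Yield (offset, decoded bytes) for every run that decodes as valid base64."""
    for m in B64_RUN.finditer(blob):
        core = m.group(0).rstrip(b"=")
        core += b"=" * (-len(core) % 4)  # re-pad so unpadded or truncated runs still decode
        try:
            yield m.start(), base64.b64decode(core, validate=True)
        except binascii.Error:
            continue  # alphabet-looking text that is not really base64 (hex hashes, identifiers)


def pans_in(data: bytes):
    """Yield (offset, pan) for every Luhn-valid digit run in data."""
    for m in PAN_RUN.finditer(data):
        pan = m.group(0).decode("ascii")
        if luhn_ok(pan):
            yield m.start(), pan


def find_card_data(blob: bytes) -> list:
    """Scan a carved file or memory dump for PANs, base64-encoded and in the clear."""
    hits = []
    for offset, decoded in decoded_base64_runs(blob):
        for _, pan in pans_in(decoded):
            hits.append({
                "source": "base64",
                "offset": offset,
                "pan_masked": mask_pan(pan),
                # heuristic: track 1 uses '^' field separators, track 2 uses '='
                "track_like": b"^" in decoded or b"=" in decoded,
            })
    for offset, pan in pans_in(blob):
        hits.append({"source": "plain", "offset": offset,
                     "pan_masked": mask_pan(pan), "track_like": False})
    return hits


# Constructed sample buffer (assumption): industry test card numbers only.
_TRACK1 = b"%B4111111111111111^DOE/JOHN^25121011000000000000?"
SAMPLE_BLOB = (
    b"svc started ok\n"
    + b"cfg=" + base64.b64encode(_TRACK1) + b"\n"                     # encoded track 1
    + b"id=" + base64.b64encode(b"5555555555554444=2512") + b"\n"    # encoded track-2-like
    + b"tmp=" + base64.b64encode(b"1234567890123456") + b"\n"        # 16 digits, fails Luhn
    + b"hash=0123456789abcdef0123456789abcdef\n"                      # hex, decodes to junk
    + b"debug: 4012888888881881 ok\n"                                 # cleartext PAN
)

if __name__ == "__main__":
    for hit in find_card_data(SAMPLE_BLOB):
        print(hit)
```

On a real image the input would be a carved file or the raw memory dump, read in chunks, and the masked hits go straight into the evidence log with their offsets. The Luhn filter is what keeps a scan of hundreds of images tractable: without it every long digit run (timestamps, expiry fields, counters) is a false positive.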

We now had a breach. The evidence was undeniable.


Convincing the Client

The hardest part was not the forensics. It was getting the client to accept the reality.

"We only process fifteen million transactions a year. There is no way they got seven million cards from us."

Denial is natural, but it can slow down response if you let it. My role was part investigator, part counselor. I praised what they had done well, gently corrected the myths, and guided them toward action.

In incident response, technical skill will get you far. But trust and communication are what make an investigation successful.


Expanding the Scope

Over the next days, the scope of the breach became clear.

  • Nearly 1,000 point-of-sale systems across 150+ stores were compromised.
  • We collected and analyzed over 350 system images.
  • Malware had been active for months, silently exfiltrating card data.

We built a full timeline. We knew exactly how the attackers got in, how they moved, and how they stole data. The picture was grim, but complete.

One surprise was the third location the client had not originally disclosed. Nearly 50 additional systems came into evidence. In incident response, there is always a twist.


Containment and Resolution

Because we moved quickly, malware was contained in just five days. No consumer fraud was reported. By the time we delivered the final report, the client had already implemented major improvements in their security posture.

The engagement did not end with a report. It turned into a partnership. We continued working with them to harden their systems, improve monitoring, and prepare for the next time the bad guys came knocking.


Lessons From the Front Line

This case reinforced lessons that I carry into every engagement:

  • Overconfidence is dangerous. Even capable teams get blindsided.
  • Timing matters. Rapid detection and disciplined forensics are the difference between survival and disaster.
  • Trust is part of the job. Clients need guidance and reassurance as much as they need technical answers.
  • Every detail counts. Ignoring the small things is how attackers win.

And maybe one more lesson: if your DFIR team shows up on Christmas Eve, make sure there is coffee.


Closing Thoughts

Incident response is as much about people as it is about technology. It is about helping businesses through some of their darkest hours and leaving them stronger than before.

Sun Tzu said it best:

"If you know the enemy and know yourself, you need not fear the result of a hundred battles."

I live for the puzzle, the chase, and the satisfaction of helping a client come out the other side intact. Cases like Ebenezer are why I do this work.


Tags: cybersecurity, incident response, digital forensics, case study