Infrastructure intelligence for fraud investigators

See the fraud before you see the loss.

Scams start outside financial institutions. EverydaySecurity turns scammer infrastructure, tactics, techniques, and procedures into connected fraud intelligence so investigators can act before money moves.

See the analyst workflow → Talk to us
FraudContext · ONENCO/AngelVanguard operation 20 nodes · 17 techniques
Attacker
Victim
Infrastructure
2022-12-21
Re-registered expired domain onenco.com acquired via GoDaddy from innocent prior owner T1583.001
2025-07-06
Created self-signed certificate All fields set to 'angel' for AngelVanguard C2 domain T1608.003
2026-03-04
Migrated DNS to Cloudflare Hides origin servers — marks active campaign start T1584.006
2026-03-07
Compiled malware R8 obfuscation, WebView wrapper. Rebranded from AngelVanguard T1660 · T1406
2026-05-17–20
Published iOS app trinity 3 apps in 3 days — Alcancex, Onexnco, Arcmkts. Team Z56PFHR7PL T1660
2026-05-18
Initiated human recruitment Jessica DMs victims with referral code 63532325 T1534
2026-05-20
Posted Vince Lambardi typo Static quote database confirmed — not LLM generation
2026-05-28
Asked direct question Bot ignored it — zero response capability confirmed
2026-06-01
Repeated identical typo Definitive proof of static list, not LLM generation
2026-06-01+
Registered accounts Via Jessica's referral link — email, phone, password harvested T1589
2026-06-02+
Contacted C2 server HTTP GET to angelVanguard.y7ujdsahgk.top · retrieved phishing URL T1071.001
Installed malware APK sideloaded or iOS app installed — camera/storage granted T1476
2026-06-02+
Harvested credentials & IDs WebView JS captured seed phrases, camera photographed gov IDs T1409 · T1417
2026-06-02+
Exfiltrated stolen data Credentials, wallet seeds, ID photos sent via HTTP POST to C2 T1646
2026-06-05
Completed malware analysis APK reversed, C2 mapped, Alibaba CDN IPs extracted
2026-06-08
Discovered iOS app trinity 3 apps linked via shared email in binaries — same developer
scroll to explore · 20 verified events
The visibility gap

Scams start long before fraud analysts can see them

Scams begin in external channels — texts, fake websites, social apps — that financial institutions have no visibility into. By the time a claim or dispute is filed, the damage is done.

Infrastructure builds
Fake domains, wallets, phone numbers, and scripts are deployed
Scam begins
Consumer receives phishing text, fake site link, or social scam
Money moves
Transaction completes — the first moment most institutions see anything
Claim filed
Fraud team investigates, weeks after the scam started
FraudContext

The investigation platform for fraud teams

FraudContext maps scam signals, collects related indicators, and turns scattered external data into intelligence fraud analysts can actually act upon. EverydaySecurity's sensor network collects signals and verifies them before they reach the platform.

  • Connect scam messages, domains, wallets, and victim reports into an investigation workbench
  • Identify fraud campaigns before they show up as transaction alerts or customer disputes
  • Start testing it — get on our waitlist
  • Generate executive-ready reports
Request a design partner conversation →
ONENCO/AngelVanguard · cryptocurrency · fraud · phishing
● 20 verified 29 edges · 17 techniques Open in FraudContext →
FraudContext graph view — ONENCO AngelVanguard fraud operation showing attacker nodes, victim, and infrastructure

“Customers get scammed, and we’re on the hook. We have excellent visibility inside the bank but can’t see what’s going on outside.”

VP, top 15 US financial institution  ·  paraphrased to protect identity
Ready to see what's targeting your customers?

Start a conversation. No commitment required to explore whether this fits your team's workflow.

Start a design partner conversation →
About
The team

Built by people who have done this before

The founding team has spent the last decade building and scaling intelligence products inside the institutions that define the security category.

Nick Goodman
Founder

Nick is a cybersecurity veteran with deep roots in threat intelligence and AI-driven security, having spent years at the forefront of the industry — first as VP of Engineering at RiskIQ, and then leading Microsoft Security Copilot from its founding through to launch. With over two decades of experience building and scaling engineering teams, Nick has a rare combination of hands-on technical depth and product leadership that few in the security space can match. Now, as the founder of EverydaySecurity, he's channeling that expertise into building security solutions that are as powerful as they are accessible.

Get in touch

Let's talk about what you're seeing

Whether you're a fraud analyst curious about FraudContext, a potential design partner, or an investor evaluating the fraud intelligence market — we want to hear from you.

info@everydaysecurity.ai
Follow EverydaySecurity on LinkedIn
Send us a message →