Cipher Cortex LLC
External Intelligence &
Digital Investigations
Cipher Cortex helps organizations investigate and reduce external digital risk — including fraud, impersonation, executive exposure, suspicious remote workers, and adversary infrastructure.
When external threats touch your people, brand, infrastructure, or hiring pipeline, generic alerts are not enough. Cipher Cortex provides focused intelligence and investigation services designed to answer specific questions and support practical decisions.
Executive Exposure
Identify public exposure, doxxing risk, exposed personal information, impersonation surface, and risks affecting executives or public-facing leaders.
Request an Exposure Assessment →
Scam & Impersonation Investigations
Investigate fake personas, fraudulent domains, phishing infrastructure, crypto-enabled scams, and suspicious online activity.
Start an Investigation Sprint →
Remote Worker Diligence
Assess suspicious contractors, technical applicants, vendors, and remote workers for identity, persona, and risk indicators.
Review a Suspicious Contractor →
Threat Research Retainers
Monitor threats to your people, brand, industry, events, and digital footprint with recurring intelligence support.
Discuss a Retainer →
Government & Mission Support
Provide collection, research, analysis, and reporting support for government-adjacent and mission-driven teams.
Request Mission Support →
Who we serve
Intercept Cell
Published investigations — full detail, TLP:CLEAR.
Cipher Cortex publishes original threat research through Intercept Cell — independent from client engagements. Named dispatches, scam casework, defanged IOCs, and infrastructure mapping you can verify.
State-linked ops · Mar 2026
Behind the Firewall: Handala origin server exposed
Bypassed DDoS-Guard via a misconfigured www subdomain, mapped the origin WordPress API, predecessor domains, and operational timeline back to December 2023.
Read dispatch →
State-linked ops · Mar 2026
The Boy With His Back Turned: Handala / Void Manticore
Attribution of Handala to MOIS operational cluster Void Manticore — operators, tooling, wiper safety checks, and OPSEC failures including Bangkok airport footage mislabeled as Tel Aviv.
Read dispatch →
Hooked Scams · Apr 2026
coin-front.io — pig-butchering funnel mapped end-to-end
Documented X DM persona → fake trading platform → deposit pressure. Victim guidance, investigator readout, and kit infrastructure tied to prowebsitesamples.com.
Read case →
DPRK fraud · Mar 2026
The Workers Who Aren't There: DPRK IT fraud infrastructure
Mapped front-company domains, shared hosting, and Contagious Interview malware delivery — the same tradecraft Cipher Cortex tracks in DPRK diligence engagements.
Read dispatch →
Malware · Mar 2026
Forked and Burned: live stealer operators via GitHub
Systematic fork scanning found operators with live Telegram bots and Discord webhooks still receiving stolen credentials — including a Go binary committed nine days prior.
Read dispatch →
Adversary infrastructure · Feb 2026
140 Beacons: exposed Cobalt Strike across the open internet
Extracted malleable C2 profiles from 140 live servers, clustered operators by watermark, and mapped domain fronting through Baidu CDN and Cloudflare.
Read dispatch →
How engagements work
Scope the risk
Define the person, organization, asset, event, or threat question that needs investigation.
Collect and enrich
Gather and pivot from relevant open-source, commercial, and client-provided data where appropriate.
Analyze and document
Assess confidence, relevance, and business impact with evidence-backed findings.
Deliver decisions, not noise
Provide clear reporting, prioritized recommendations, and practical next steps.
Need clarity on an external threat?
Bring us the suspicious persona, exposed executive, scam infrastructure, contractor concern, or threat scenario. We will help determine what is knowable, what matters, and what to do next.
Contact Cipher Cortex