Major Update

FOR589: Cybercrime Investigations

  • In Person (5 days)
  • Online
30 CPEs

Today’s dynamic cybercrime ecosystem continuously lowers the barriers for novice criminals to collaborate with more sophisticated actors. FOR589: Cybercrime Investigations offers a comprehensive exploration of the cybercrime underground, detailing a broad spectrum of tactics and techniques used by cybercriminals to target organizations. This course includes over twenty hands-on labs and a final capstone exercise, equipping analysts with the skills necessary to enhance their organization's defenses, proactively gather critical intelligence, trace cryptocurrency proceeds linked to crime, and generate actionable insights.

What You Will Learn

There are ways to stay ahead of cybercrime and extend your perimeter. It starts with knowing the vast landscape you are up against and applying investigative methodologies to uncover and disrupt criminal operations.

Cybercrime investigations are essential for organizations aiming to detect, respond to, and attribute malicious activity, as well as for law enforcement and government agencies working to identify, arrest, and prosecute cybercriminals. FOR589: Cybercrime Investigations provides a deep dive into the global cybercrime underground, revealing the tactics and techniques threat actors use to exploit systems and monetize attacks. This course blends investigative tradecraft with modern cybersecurity practices to enhance operations. Whether you're part of a corporate security team, a government investigator, or simply looking to build your skills in tracking and understanding organized cybercrime and threats to your organization, this course will elevate your capabilities.

FOR589: Cybercrime Investigations will teach you how to map infrastructure, analyze threat actor capabilities, and identify victims, while working toward attribution of real-world criminal activity. Students will explore criminal underground forums, trace cryptocurrency transactions, and dissect laundering schemes used by cybercriminals. The course emphasizes safe online investigative practices, including creating sock puppets, engaging with threat actors, and infiltrating underground communities. Through hands-on labs and real-world case studies, participants will investigate cyber threats, collect and analyze digital evidence, and uncover the scope, scale, and impact of cybercriminal campaigns—aligning all findings with strategic intelligence priorities.

FOR589 Cybercrime Investigations Course Topics:

  • Online investigative fundamentals and applying traditional cyber frameworks to cybercrime
  • Navigate underground communities and understand the criminal ecosystem
  • Conduct covert online investigations to gain placement and access for case development
  • Using platforms to pivot, track, and monitor targets in support of investigations
  • Structuring digital evidence collection in line with intelligence requirements and legal standards
  • Managing cybercrime research at the strategic, operational, and tactical levels
  • Attribution of people, money, and infrastructure using investigative methodologies
  • Leveraging the Diamond Model and MITRE ATT&CK for investigative analysis
  • Supporting incident response using external datasets that reach beyond the network perimeter
  • Mapping adversarial relationships and identifying criminal targeting patterns
  • Understanding pseudonymity and anonymity in the context of operational security
  • Conducting social engineering operations to elicit key information from cybercriminals
  • Tracing cryptocurrency transactions to connect payments to illicit entities
  • Uncovering money laundering techniques involving mixers and cross-chain activity

What Is Cybercrime Investigations And Why Is It Important?

Cybercrime investigations help organizations anticipate, prevent, and mitigate future cyber threats while aiding law enforcement in investigating and prosecuting cybercriminals. Cybercrime investigations are key to helping organizations to:

  • Proactively identify and address looming threats before attacks occur
  • Make informed decisions about resource allocation based on real-time threat information
  • Support law enforcement with evidence and insights to aid investigations

Business Takeaways

  • Bridge knowledge gaps in cybercrime and crypto crime across your investigative teams
  • Strengthen fraud investigations, incident response, and Cyber Threat Intelligence (CTI) capabilities with cybercrime expertise
  • Identify and mitigate emerging cybercrime threats by investigating actors before attacks escalate
  • Build proactive detection and alerting mechanisms based on criminal behavior
  • Investigate initial access, malware deployment, and affiliate partnerships in the underground
  • Prioritize investigative leads based on underground trends and threat actor movement
  • Apply structured frameworks to track criminal operations from start to finish
  • Attribute threat actors with greater confidence through infrastructure and cryptocurrency analysis
  • Supplement vendor intel with independent investigative findings tailored to your organization
  • Deliver timely, relevant case insights that inform strategic decision-making and response

Skills Learned

FOR589 will prepare you to:

  • Adapt traditional investigative methods to the cyber domain and uncover risks specific to your organization
  • Investigate dark web marketplaces, forums, and threat actor communications
  • Separate actionable leads from background noise to drive informed, evidence-based decisions
  • Translate investigative goals into structured collection and case development plans
  • Build and manage covert personas to safely access underground communities and collect evidence
  • Trace cryptocurrency transactions to uncover threat actors, affiliates, and laundering
  • Vet sources and communities for credibility and access to support investigative objectives

What You Will Receive

  • A custom virtual machine preloaded with investigation tools for use during and after class
  • Demo access to Authentic8 Silo for safe dark web and surface web investigations
  • Demo access to Chainalysis Reactor, enabling hands-on cryptocurrency tracing and blockchain analysis
  • Demo access to Maltego, allowing you to visualize relationships between threat actors, infrastructure, and digital footprints using link analysis

What Comes Next?

The FOR589 course is part of the Digital Forensics, Malware Analysis, & Threat Intelligence Learning Path, designed to impart the specialized investigative skills you will need to perform forensics, threat intelligence, and malware analysis.

Other courses that are part of this Focus Area and Learning Path include:

Syllabus (30 CPEs)

  • Overview

    Cybercrime intelligence is the foundation for any successful investigation or threat mitigation strategy. In high-risk environments where attribution errors and OPSEC missteps can have real-world consequences, analysts must apply structured, defensible methodologies. This section introduces the intelligence lifecycle in the context of cybercrime operations—covering requirement setting, collection planning, digital tradecraft, and operational security. Students will learn how to profile threats, manage digital personas, and conduct safe, targeted intelligence collection from underground sources. The goal: turn fragmented data into actionable intelligence to support investigations, disruption efforts, and strategic decisions.

    Exercises
    • Configure your investigative VM and test OPSEC tooling
    • Use breached data and password pivoting to track actors
    • Safely create and maintain long-term sock puppet accounts
    • Perform visual link analysis with Maltego and digital dossiers
    • Create and secure a cryptocurrency wallet for underground use
    Topics
    • Intelligence Fundamentals & Structured Analysis
    • Collection Planning & Cybercrime Requirements
    • Cyberattack Profiling using industry frameworks
    • Operational Security: Defense-in-Depth Modeling
    • Persona Development & Sock Puppet Management
    • Tools for Attribution: Password Pivots, Wallet Analysis, and Forums
  • Overview

    Cryptocurrencies may appear anonymous, but their pseudonymous nature creates opportunities for exposure. This section trains students to uncover and trace illicit financial activity using blockchain analytics and attribution techniques. From clustering wallets to decoding laundering schemes, students will follow the money through mixers, CoinJoins, peel chains, and more. You’ll also examine how cybercriminals cash out, the impact of sanctions, and how off-chain artifacts like KYC records and OSINT enrich attribution. This section equips analysts with investigative tradecraft for mapping threat actor finances, supporting legal action, and recovering stolen assets.

    Exercises
    • Explore the Bitcoin Genesis Block and foundational transaction models (UTXO)
    • Analyze high-profile Twitter crypto scams using heuristics and wallet fingerprinting
    • Profile bulletproof hosting providers by tracing their cryptocurrency activity
    • Follow laundering techniques from the Bitfinex hack using advanced blockchain analysis
    • Track the Colonial Pipeline ransomware payment and investigate the DarkSide affiliate
    Topics
    • Fundamentals of blockchain and cryptocurrency tracing
    • UTXO and account-based models (Bitcoin, Ethereum)
    • Wallet clustering, change analysis, and transaction heuristics
    • Tracing obfuscation methods: mixers, CoinJoins, chain hopping, peel chains
    • Attribution using OSINT, KYC, sanctions data, and wallet fingerprinting
    • Analysis of laundering tactics in real-world ransomware and cybercrime campaigns
    • Blockchain FININT: Turning transaction data into strategic and tactical intelligence
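    As an added worked example (not course material from SANS or the FOR589 authors), the following Python script implements three of the tracing heuristics listed above over a constructed set of hypothetical UTXO-model transactions: common-input-ownership clustering (addresses co-spent as inputs of one transaction are assigned to one entity), a round-amount change heuristic (in a two-output transaction, the output whose amount is not a multiple of 0.01 BTC is treated as change belonging to the spender), and peel-chain following (from a starting address, repeatedly take the largest output as the actor's remainder while the smaller "peeled" outputs go to counterparties). All addresses, txids and amounts are fabricated for illustration.

```python
"""Added example: UTXO clustering, change detection and peel-chain following.

Not SANS/FOR589 code. Transactions, addresses and amounts below are
constructed and hypothetical; real tracing runs these heuristics over
indexed blockchain data.
"""
from collections import defaultdict
from dataclasses import dataclass

SATS = 100_000_000  # satoshis per BTC


@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: tuple   # addresses whose UTXOs this transaction spends
    outputs: tuple  # (address, amount_btc) pairs


# Constructed sample ledger (fake txids/addresses).
# tx1/tx2: one actor co-spends A1+A2, then A3+A4; A3 and A5 are change.
# tx3..tx6: a peel chain from B1 paying 1.0 BTC to M1, M2, M3 and
#           sweeping the remainder to an exchange deposit address EXCH1.
TXS = (
    Tx("tx1", ("A1", "A2"), (("B1", 5.0), ("A3", 0.3721))),
    Tx("tx2", ("A3", "A4"), (("C1", 0.1), ("A5", 0.2613))),
    Tx("tx3", ("B1",), (("M1", 1.0), ("B2", 3.9872))),
    Tx("tx4", ("B2",), (("M2", 1.0), ("B3", 2.9745))),
    Tx("tx5", ("B3",), (("M3", 1.0), ("B4", 1.9618))),
    Tx("tx6", ("B4",), (("EXCH1", 1.9495),)),
)


def is_round(amount_btc):
    """Payments tend to be round (multiples of 0.01 BTC); change rarely is."""
    return round(amount_btc * SATS) % (SATS // 100) == 0


class UnionFind:
    """Disjoint sets over addresses; each set is one inferred entity."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)


def cluster_addresses(txs):
    """Return {cluster_id: frozenset(addresses)} using two heuristics:
    common-input ownership and the round-amount change heuristic."""
    uf = UnionFind()
    for tx in txs:
        for addr in tx.inputs + tuple(a for a, _ in tx.outputs):
            uf.find(addr)  # register every address, even singletons
        spender = tx.inputs[0]
        for addr in tx.inputs[1:]:
            uf.union(spender, addr)  # co-spent inputs -> same owner
        if len(tx.outputs) == 2:
            non_round = [a for a, amt in tx.outputs if not is_round(amt)]
            if len(non_round) == 1:   # exactly one odd amount -> change
                uf.union(spender, non_round[0])
    groups = defaultdict(set)
    for addr in list(uf.parent):
        groups[uf.find(addr)].add(addr)
    return {min(m): frozenset(m) for m in groups.values()}


def cluster_of(addr, clusters):
    for members in clusters.values():
        if addr in members:
            return members
    return frozenset({addr})


def follow_peel_chain(start, txs, max_hops=25):
    """Walk forward from `start`, always following the largest output as the
    actor's remainder. Returns (remainder path, peeled-off outputs)."""
    spent_by = {}
    for tx in txs:
        for addr in tx.inputs:
            spent_by[addr] = tx  # assumes each address is spent once
    path, peeled, cur = [start], [], start
    while cur in spent_by and len(path) <= max_hops:
        outs = sorted(spent_by[cur].outputs, key=lambda o: o[1], reverse=True)
        remainder, *peels = outs   # largest output assumed to be the remainder
        peeled.extend(peels)
        path.append(remainder[0])
        cur = remainder[0]
    return path, peeled


if __name__ == "__main__":
    clusters = cluster_addresses(TXS)
    print("entity owning A1:", sorted(cluster_of("A1", clusters)))
    path, peeled = follow_peel_chain("B1", TXS)
    print("peel chain:", " -> ".join(path))
    print("peeled to counterparties:", peeled)
```

    Both ownership heuristics are assumptions that a competent launderer breaks deliberately: common-input ownership is wrong for CoinJoin transactions (many independent spenders in one transaction), and the round-amount rule is only one of several change heuristics (others use address freshness, script type, or later co-spending). Treat clusters as leads to corroborate with off-chain evidence such as KYC records, not as attribution on their own.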
  • Overview

    The cybercrime underground is a vast, dynamic, and evolving ecosystem of illicit services, marketplaces, and threat actors. In this section, students will learn how to safely navigate and investigate cybercriminal communities across surface, deep, and dark web environments. You'll uncover how forums, leak sites, messaging platforms, and infrastructure tie together into a functional underground economy—and how adversaries interact to buy, sell, and monetize access, data, and capabilities. Students will learn to identify key players, map infrastructure, profile behaviors, and trace victims across ransomware campaigns, infostealer logs, and data leaks. These investigations form the bedrock of effective cybercrime disruption and attribution.

    Exercises
    • Identify and enumerate cybercrime forums, marketplaces, and leak sites
    • Investigate and pivot off adversary infrastructure using OSINT tools
    • Profile an underground actor by building a digital dossier from forum activity
    • Map capabilities and malware services using ATT&CK and open-source intelligence
    • Investigate ransomware campaigns, victims, and exposure through real-world cases
    Topics
    • Profiling forums, marketplaces, ransomware leak sites, and messaging apps
    • Understanding the roles of initial access brokers, ransomware affiliates, malware developers, and cybercrime forum members
    • Investigating cybercrime infrastructure using profiling techniques
    • Identifying victims across markets, extortion sites, and infostealer logs
    • Mapping capabilities using frameworks like MITRE ATT&CK and the Diamond Model
    • Uncovering identifiers (usernames, passwords, emails, wallets) and behavioral patterns
    • Profiling malware, phishing, and exploit services offered in the underground
    • Investigating and mapping ransomware victimology and campaign activity
    • Understanding adversary tradecraft, criminal ecosystems, and infrastructure reuse
  • Overview

    Investigating the cybercrime underground requires more than passive observation—it demands placement, access, and trust. In this section, students will learn how to infiltrate gated criminal communities, build credible personas, and collect human intelligence (HUMINT) directly from threat actors. You’ll explore both manual and automated approaches to collecting data, from eliciting adversaries through social engineering to scraping dark web content at scale. Students will also learn to assess source credibility, analyze cybercrime infrastructure in Kibana, and map intelligence to countermeasures—equipping them to shift from insight to disruption with precision and confidence.

    Exercises
    • Create and operationalize a sock puppet persona to access closed forums
    • Map forum access requirements and identify influential threat actors
    • Build and deploy a Tor-based scraper; analyze data in Kibana dashboards
    • Profile cybercriminals using structured targeting frameworks
    • Apply HUMINT tradecraft to elicit adversary insights and assess credibility
    Topics
    • Persona creation and maintaining access in cybercriminal communities
    • Navigating underground forums, marketplaces, and encrypted chats
    • HUMINT collection: spotting, assessing, targeting, and profiling sources
    • Social engineering and elicitation tradecraft in cybercrime investigations
    • Automating dark web data collection using scrapers and evasion tactics
    • Visualizing and analyzing cybercrime trends in Kibana
    • Attribution and disruption strategies for threat actors and infrastructure
  • Overview

    The final day of FOR589 is a capstone challenge that focuses on launching an investigation. Students engage in a fun and meaningful exercise that brings together various components of the entire course. The capstone will reinforce the principles taught via a simulated scenario that enables students to practice implementing their newly learned skills.

Prerequisites

FOR589: Cybercrime Investigations is a course focused on navigating, discovering, detecting, and disrupting threats from the cybercrime economy. While introductory content is provided, familiarity with intelligence, dark web access, web data collection, cryptocurrency tracing, or digital forensics and incident response is beneficial. First-time SANS students will be successful in this course, as its technical demands are on par with other beginner SANS courses.

Students may benefit from having taken one of the SANS courses listed below, or equivalent training. However, while these courses are helpful, they are not required.

Laptop Requirements

Important! Bring your own system configured according to these instructions.

A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will not be able to fully participate in hands-on exercises in your course. Therefore, please arrive with a system meeting all the specified requirements.

Back up your system before class. Better yet, use a system without any sensitive/critical data. SANS is not responsible for your system or data.

MANDATORY FOR589 SYSTEM HARDWARE REQUIREMENTS
  • CPU: a 64-bit Intel i5/i7 (4th generation or newer) or equivalent x64 processor running at 2.0 GHz or faster is mandatory for this class. (Important - Please Read: a 64-bit system processor is mandatory.)
  • CRITICAL NOTE: Apple Silicon devices (starting with M1 processors) cannot perform the necessary virtualization and therefore cannot in any way be used for this course.
  • It is critical that your CPU and operating system support 64-bit so that our 64-bit guest virtual machine will run on your laptop.
  • BIOS settings must be set to enable virtualization technology, such as "Intel-VT."
  • Be certain that you can access your BIOS if it is password-protected in case changes are necessary. Test it!
  • 16 gigabytes (GB) of RAM or higher is mandatory for this class. (Important - Please Read: 16 GB of RAM is the minimum; more is better.)
  • At least one open and working USB 3.0 Type-A port is required. (A Type-C to Type-A adapter may be necessary for newer laptops.) (Note: Some endpoint protection software prevents the use of USB devices, so test your system with a commercial USB drive before class to ensure that you can load the course data.)
  • 150 GB of free space on your system hard drive is critical to host the VMs we distribute.
  • Local administrator access is absolutely required. Do not let your IT team tell you otherwise. If your company will not permit this access for the duration of the course, then you should make arrangements to bring a different laptop.
  • Wireless 802.11 capability
MANDATORY FOR589 HOST CONFIGURATION AND SOFTWARE REQUIREMENTS
  • Your host operating system must be the latest version of Windows 10, Windows 11, or macOS 10.15.x or newer.
  • Fully update your host operating system prior to the class to ensure you have the right drivers and patches installed.
  • Linux hosts are not supported in the classroom due to their numerous variations. If you choose to use Linux as your host, you are solely responsible for configuring it to work with the course materials and/or VMs, including installing the drivers and patches needed to use the latest USB 3.0 devices.
  • Those who use a Linux host must also be able to access ExFAT partitions using the appropriate kernel or FUSE modules.
  • You should ensure that antivirus or endpoint protection software is disabled, fully removed, or that you have the administrative privileges to do so. Many of our courses require full administrative access to the operating system and these products can prevent you from completing the labs.
  • Any filtering of egress traffic may prevent you from accomplishing the labs in your course. Firewalls should be disabled, or you must have the administrative privileges to disable them.
PLEASE INSTALL THE FOLLOWING SOFTWARE PRIOR TO CLASS:
  1. Download and install VMware Workstation Pro 17+ (for Windows hosts) or VMware Fusion Pro 13+ (for macOS hosts) prior to class beginning. Workstation Pro and Fusion Pro are now available free for personal use from the VMware website. Licensed commercial subscriptions to these products can also be used.
  2. On Windows hosts, VMware products might not coexist with the Hyper-V hypervisor. For the best experience, ensure VMware can boot a virtual machine. This may require disabling Hyper-V. Instructions for disabling Hyper-V, Device Guard, and Credential Guard are contained in the setup documentation that accompanies your course materials.
  3. Microsoft Office (any version) or OpenOffice installed on your host. Note that you can download Office Trial Software online (free for 30 days).
  4. Download and install 7-Zip (for Windows hosts) or Keka (for macOS). These may be included in your SANS courseware .ISO files.

Your course media is delivered via download from the SANS "Course Material Downloads" page in your SANS account. The media files for the class can be large, some in the 40 to 50 GB range. You need to allow plenty of time for the download to complete. Internet connections and speeds vary greatly and depend on many different factors, so it is not possible to estimate how long it will take to download your materials. Please start your course media downloads as soon as you get the link. You will need your course media immediately on the first day of class. Waiting until the night before the class starts to begin your download has a high probability of failure.

SANS has begun providing printed materials in PDF form. Additionally, certain classes are using an electronic workbook in addition to PDFs. The number of classes using eWorkbooks will grow quickly. Considering this, we have found that a second monitor and/or a tablet device can be useful to keep the class materials visible while the instructor is presenting or while you are working on lab exercises.

If you have additional questions about the laptop specifications, please contact customer service.

Author Statement

"Cybercrime isn’t just a threat—it’s the threat redefining the modern battlefield for security professionals. In FOR589: Cybercrime Investigations, we train defenders to get left of boom—to investigate, infiltrate, and dismantle criminal networks before they strike. As financially motivated attacks surge, so does the need for those who can uncover the actors, follow the money, and build intelligence that leads to action. This course teaches students to trace illicit activity across forums, blockchains, and underground economies—equipping them with the knowledge and foresight to outsmart attackers and stop threats before they happen. FOR589 is where intelligence meets action—break the criminal cycle and reduce the blast radius."

- Sean O'Connor

"More organizations need to realize that cybercrime is the number one threat to their organization's IT operations. Illicit fortunes amassed by organized cybercrime groups have led to an emboldened underground economy that currently revolves around ransomware. This is because ransomware attacks persist as one of the most profitable and destructive methods of monetizing access to any type of network. The Colonial Pipeline ransomware incident in 2021 was the most disruptive cyberattack on U.S. critical infrastructure to date, which showcased that unabated cybercrime directly leads to real-world catastrophes. It is thus more important than ever to understand the core drivers behind this threat. SANS FOR589 will arm students with the knowledge to investigate sources of cybercrime, track cybercriminals financially, infiltrate underground communities, and, ultimately, disrupt the adversaries."

- Will Thomas

"Cybercriminals frequently penetrate networks with the primary goal of financial gain. Unfortunately, many organizations leave their sensitive data and intellectual property vulnerable to theft and exploitation, which leaves them with few options when they fall victim to a ransomware attack. They will often pay these ransoms, fueling the financial capabilities of these adversaries and escalating the threat of subsequent breaches. In FOR589, we equip students with the skills to delve into the depths of the cybercrime underworld. This exploration is key to comprehending the motives and proficiencies of cyber adversaries, which is essential for bolstering an organization's defenses and mitigating the likelihood of future security incidents, hopefully breaking this vicious cycle. In FOR589 we will teach students how to safely explore this criminal ecosystem and also provide practical training for tracing cryptocurrency transactions, offering even more intelligence by monitoring financial flows across blockchains."

- Conan Beach
