
Sleuthcon 2025 Trip Report: Key Takeaways From the Industry’s Premier Cyber-Crime Conference

Front-row notes on ransomware franchising, residential-proxy abuse, and the crypto money-trail analytics reshaping modern threat hunting

I spent two days in Arlington, VA, glued to a ballroom chair. At most conferences these days, I spend most of my time in the halls, seeing friends, but Sleuthcon is built for practitioners hunting the hunters. Every session drilled into the mechanics of e-crime, mapping real campaigns, and showing receipts from the field. Below is my trip report (grab coffee).

Why Sleuthcon matters

  • Mission-first programming. Where mainstream security events skew toward generalist and sexy, Sleuthcon’s North Star is pursuit: attribution, dismantling, and prosecution. Plenty of the talks ended with a law-enforcement knock or seized server rack.

  • Zero vendor fluff. The “expo” floor was basically a coffee urn, some cool swag, and a few very on-brand vendors we’re all fans of, like DomainTools. Content dominated.

  • Unusually concentrated expertise. Speakers ranged from Mandiant intel leads to independent malware reversers and the UK NCA’s investigators. That breadth created cross-disciplinary pivots, from legal workflow to blockchain forensics, in a single track room.

The result: wall-to-wall signal.

Five stand-out sessions - and why they slapped

These presentations rewired my threat-hunting brain. They weren’t just good; they expanded how I think about adversary psychology, monetisation, and incident response.

1. “How Does The Com Work?” - Allison Nixon & Ben Coon

This is what I walked in most excited to watch. Allison is the GOAT and has helped me out a ton during my run-ins with threat actors at my day job and in my personal life.

She peeled back the mythos around the Com, showing it’s less a criminal cartel and more a fame-farm for Gen-Z keyboard vandals. She mapped Telegram brag posts to real-world arrests: every bust tanked the chatter volume, proving notoriety collapses when consequences feel personal.

“We’ve worked a non-zero number of murders” was a chilling phrase they said when outlining the things The Com does.

Just a few weeks before the talk, they worked a case where a school was being swatted. The target was a student there; while the actors were on the phone swatting the school, they were also on the phone with the target’s underage girlfriend, successfully convincing her to self-harm.

The takeaway is strategic: if the motive is status, name-and-shame plus speedy indictments beat endless takedown whack-a-mole. They outlined the funnel within this crew, from casual fans and observers in Discords down to the most infamous few who actually perpetrate most of the crime, and highlighted how arresting the most prolific of the bunch actually works.

2. “Crazy, Stupid, Ransomware” - Kristina Savelesky & Simeon Kakpovi

Simeon and Kristina from Microsoft’s threat-hunting team killed it. They hunt ransomware for a living, and we got to see what they look through and how they think about it all. CrazyHunter is the group they walked through here.

Photo: me @ Sleuthcon.

CrazyHunter’s single-region targeting and politically charged leaks look a lot like nation-state sabotage wearing an e-crime mask. Simeon overlaid KC7 gameplay telemetry to illustrate how rookie analysts can still catch bespoke tradecraft if they have the right data pivots. Proof that good tooling, combined with curiosity, beats a 2 a.m. pager plus fatigue. I left determined to bake KC7-style “boss fights” into my own training so junior hunters can spot strategic oddballs, not just spray-and-pray lockers. (sleuthcon.com)

3. Lightning talk: “Victims Beware—Threat Actors Are Monitoring Your Communications Strategy” - Allie Bohan

Every incident responder knows the press release dance; Bohan showed the adversary is dancing right beside you. She walked through ransom chats where crooks quoted real-time media statements to jack up demands, or to taunt the comms team.

Moral: your crisis-comms timeline is now an attacker intel feed. The fix isn’t silence, it’s staggered transparency: release only what can’t be weaponised, and assume every Slack post will be screenshotted in the next negotiation email. She broke down threat actors threatening an executive’s entire family and sending them flowers with condolences for their soon-to-be-dead relatives in order to get them to the negotiating table.

4. “RADIANT SPIDER Unveiled” - Eric Loui

We spend so much airtime on Russian ransomware that Chinese e-crime often feels invisible; Loui brought it into focus. RADIANT SPIDER’s Golang loader rewrites its config in memory, dodging every hash-based IOC list in existence. Even wilder: their end-game is quiet formjacking on high-traffic e-commerce sites, siphoning card data for years. The message that landed for me: don’t let headlines set your threat model; let telemetry do it.

5. “Ransomware to Riches – Operation Destabilise” - Sal Melki

Melki, fresh off the UK NCA task-force, narrated a real-world follow-the-money saga that started with a single crypto payment and unravelled a multi-billion-dollar laundering empire. The slide that stuck: a Sankey diagram showing 70 % of high-value ransoms funnelling through five nested OTC brokers. Cut those arteries and you don’t just stop one gang, you raise the cost of doing crime for the entire ecosystem. For defenders, it’s a nudge to partner with fin-crime investigators.

Emerging macro-themes

  1. Crimeware is franchising. Multiple speakers showed “operators” outsourcing initial access and customer support, effectively acting as overlay brands atop commodity loaders and brokers.

  2. Tradecraft is de-centralising. Residential proxies, blockchain tumblers, and public paste services replace central C2 choke points. The perimeter to seize is now people, not hardware.

  3. OSINT cuts both ways. Researchers live-stream indicators; attackers treat them as QA dashboards. Expect a shift toward gated intel sharing or delayed release cycles.

  4. Money flow is intel gold. From Bitcoin chain-hops to gift-card cash-outs, follow the funds. Cryptocurrency tracing tools starred in at least four talks. This is a skill I’d like to level up soon: the ability to crawl and reverse-engineer blockchains.

  5. AI hype meets attacker ROI. Only one session (the SEO spambot) leaned on LLMs, but hallway chatter agrees: criminals use AI for scale, not exotic exploits. Think content generation, not zero-days.

KC7: Gamified threat hunting training

One other highlight for me was getting a crash course in KC7 (https://kc7cyber.com/) - a free, gamified training for people to learn how to threat hunt. The Microsoft team that built it showcased how they used it to teach 10-year-olds to hunt ransomware indicators. But they also said some of their own staff members couldn’t complete the later modules without help.

“If you can complete the later modules, hit us up for a job interview because we’ll hire you”

KC7 is a nonprofit gamified SOC simulator where players pivot through Kusto-style logs to solve intrusions.

Lobbycon

Everyone there was in the same sort of role, which led to just an amazing Lobbycon experience. Being part of a couple hundred people laser-focused on cybercrime and threat hunting was just amazing.

Personal takeaways

  1. Sit front row more often. I learned so much.

  2. Bring back “intel for defenders” at my own events. Threat-hunting communities crave agile intel. They value the steak over the sizzle. Sleuthcon’s model (single-track, hard-hitting, community-priced) is a model I’d like to emulate and see emulated.

  3. Double down on money-flow analysis. It seems like a skill we’ll need a lot more of, with high returns in cybercrime hunting.

  4. Community is king. I mean, I’m not surprised, but it just felt like the infosec community I fell in love with 20 years ago.

Sleuthcon 2025 reminded me why I got into security: chasing adversaries is equal parts science and passion. When an entire agenda is laser-focused on catching bad guys, you don’t burn out, you level up. I left Arlington with a notebook full, a Slack channel full of new collaborators, and zero regret.

If your day job involves anything like incident response, threat intel, or DFIR, bookmark next year’s dates. I’ll be back in the front row.

References

  • Sleuthcon official agenda (sleuthcon.com)

  • Lily Hay Newman, “Cybercriminals Are Hiding Malicious Web Traffic in Plain Sight,” WIRED, June 6 2025 (wired.com)

  • “The Com operations spurred by internet notoriety,” SC Media, June 10 2025 (scworld.com)

  • “KC7: A Free Online Cybersecurity Game,” YouTube, published March 2025 (youtube.com)