Daylila

Cybersecurity · Wednesday, 17 June 2026

01 · Briefing · what happened

The FBI says crypto scammers now send couriers to your door for cash


Banks got better at blocking transfers to crypto fraud, so scammers switched to in-person cash pickups — a move that puts the money even further out of reach.

Key takeaways

  • The FBI says crypto scammers now send couriers to collect cash in person, because banks got better at blocking the bank transfers they used to rely on.
  • Cash plus crypto erases the safety net: once a courier takes the money, there is no transfer to reverse and no bank to claw it back — US investment-fraud losses hit $8.6 billion last year.
  • No real investment platform asks you to hand cash to a stranger or pay "fees" to withdraw your own money — that demand is the scam.

The FBI has warned that cryptocurrency investment scammers are now sending couriers to pick up cash in person from their victims [27]. The reason is telling: banks have gotten better at spotting and freezing suspicious transfers to crypto schemes, so the fraudsters changed tactics to slip past those checks [27].

How the cash-courier trick works

The scam starts the way these usually do. A stranger reaches out on social media or by text, often posing as an investment expert, sometimes building a romantic relationship first [27]. They steer the victim into a fake crypto-trading platform that shows fake profits.

When it’s time to move real money, the scammers skip the bank entirely. They tell the victim that “in-person cash pickups are required” to keep investing — or to release flagged funds [27]. The victim withdraws cash from their own account. A courier arrives, proves they’re with the scammer by reading out a pre-agreed dollar-bill serial number or password, and takes the money [27]. The victim’s fake account then shows a bigger balance. When they try to cash out, the scammer demands more — fake taxes, fake penalties — and another courier comes [27].

The numbers are large. The FBI logged nearly 73,000 investment-fraud cases last year, tied to more than $8.6 billion in losses — the costliest cybercrime category it tracks [27]. In the UK, investment fraud was the biggest slice of authorised-payment fraud, at £221.5m ($297m), up 40% in a year [27].

The FBI’s advice is plain: never agree to meet a courier or hand cash to a stranger, treat unsolicited contact from “investment experts” as suspicious, and check independently before sending money anywhere [27]. No real exchange asks you to pay a courier in cash.

A quiet credential thief aimed at banks

Separately, researchers at security firm Fortra flagged a phishing campaign delivering malware they call Phantom Stealer, aimed at banks and other high-value targets [2]. Its job is to quietly copy browser passwords, session cookies, and financial details [2].

What makes it hard to catch: it runs entirely in memory rather than saving a file to disk, which sidesteps the scanners that look for known bad files [2]. The malware is rented to criminals as a subscription, priced from $70 to $240, and sends stolen data out through four channels at once for resilience [2]. The takeaway for ordinary people is the same boring one that keeps working: a password stolen from one site becomes a key to every place you reused it. Turn on a second login check where you can.

A claimed hack of a drug giant

A cyber-extortion group calling itself FulcrumSec claimed it stole more than a terabyte of data from Novo Nordisk, the maker of Ozempic, and demanded $25 million [11]. The company refused, so the group says it is now exploring selling the data [11]. Treat the details as a claim, not confirmed fact — Reuters could not verify the data, and Novo Nordisk has only said it had a “cybersecurity incident” on June 11 involving some personal data [11][8].

The pattern is worth seeing even when the claim is unproven: extortion groups increasingly skip encrypting files and just steal data, then threaten to publish or sell it [11]. That shifts the leverage — and means a “we paid nothing” stance from the victim doesn’t undo the theft.

02 · Lesson · why it matters

Why a scam gets more dangerous every time the defenders win

When the bank learns to catch the fraud, the fraud moves to the one path the bank can't see — and that path is also the one with no way back.

The defenders got good, so the scam moved

For years, the crypto investment scam had a weak point its own makers didn’t choose. To get paid, the scammer needed the victim to wire money — and that wire ran through a bank. Banks have spent years building software that flags exactly this: a retiree suddenly sending thousands to a crypto exchange they’ve never used. So the bank would pause it, call the customer, ask if they were sure. A lot of money got stopped at that gate.

The FBI’s new warning is about what happened next. The scammers didn’t give up. They cut the bank out. Now they tell the victim to withdraw cash and hand it to a courier who shows up at the door, reads back a pre-agreed serial number from a dollar bill, and walks away with the money. No transfer. No flag. No call from the bank.

This is the first thing to see clearly. The bank’s defense worked. It worked so well that it changed the attacker’s behaviour. And the new behaviour is worse.

Pressure doesn’t kill a scam — it reshapes it

It’s tempting to read “banks block transfers” as a win and stop there. But a scam isn’t a single move you can block. It’s a business with a goal — get the money out, irreversibly — and many routes to that goal. Close one route and the operators don’t shut down. They walk to the next one.

The dangerous part is that the routes aren’t equally bad. A bank transfer is slow, logged, and reversible for a window. Cash is none of those. Crypto, once it lands in the scammer’s wallet, is none of those either. So when the defenders shut the most-defended door, the money doesn’t stop flowing — it flows through the door with the fewest protections on it. The system didn’t get safer. It got pushed toward its most exposed edge.

The safety net is made of friction

Here is the quiet thing the courier trick reveals: most of what protects your money isn’t a vault. It’s friction. A bank transfer can be paused because a human and a computer sit between you and the recipient. A chargeback exists because a card network keeps a record and can run it backward. Even the delay before a wire settles is protection — it buys time for someone to notice and stop it.

Cash handed to a stranger has zero friction. Crypto sent to a wallet has zero friction. The scammer’s whole evolution is a march toward zero friction, because friction is the only thing that ever clawed money back. When the FBI says “never hand cash to a courier,” it isn’t really about couriers. It’s about not stepping off the part of the system that can still say no on your behalf.

Who ends up holding the loss

Notice where the cost lands at each stage. When the bank blocks a transfer, the bank carries the work and the victim keeps their money. When the scam shifts to cash, the bank is out of the loop — and the entire loss lands on one person, usually the one who could least afford to lose it. Last year that was nearly 73,000 cases in the US and $8.6 billion in losses, the costliest category of cybercrime the FBI tracks. In the UK the same fraud was up 40 percent in a year.

The defenses got better and the losses got more concentrated at the same time. That isn’t a contradiction. The institutions hardened themselves, so the damage flowed to the place with the softest defenses — a single human at their kitchen table, told they’d lose their savings if they didn’t act now.

You are closer to this than it feels

It’s easy to file this under “things that happen to other people.” The victims in the FBI’s data aren’t careless. They were approached by someone patient, often warm, sometimes posing as a partner, who spent weeks building trust before the first dollar moved. The scam is engineered to make a normal person feel like the cautious one — “the platform flagged your account, you need to clear it.” By the time the courier knocks, the victim believes they’re protecting their own money, not losing it.

And the structure that makes them vulnerable is the same structure that protects the rest of us: the more the visible front doors get locked, the more value pools behind the few unguarded paths — irreversible cash, irreversible crypto, a person acting alone with no institution watching. You don’t have to be foolish to stand on that edge. You just have to be the one place the pressure found its way to.

The lesson isn’t “be smarter than the scammers.” It’s that safety is mostly the slow, dull machinery that lets a transaction be undone — and the moment someone urges you off that machinery and toward something fast and final, the urgency itself is the warning. The reversible path feels slower because it’s the one still watching your back.

03 · Lab · your turn

The Way Back

Rehearse choosing a payment path under pressure and feel which ones can still be undone — and which are final.

04 · Hope · carry this

The scammers had to invent the courier trick precisely because the banks' defenses got good enough to stop the easy way. Every clumsier move they're forced into is a sign the people protecting your money are gaining ground.
