The email claimed to be from the "U.S. Treasury Department, Office of Cross-Border Financial Supervision Affairs." No such office exists. The unit name was fabricated wholesale, designed to sound authoritative enough that a recipient unfamiliar with Treasury organizational structure would not immediately know to verify it.
What was real: the Bitcoin and Ethereum wallet addresses where the attacker wanted money sent.
A Fabricated Government Authority and a Constructed Chain of Fees
The email was addressed to a retail sales and service director at a US community bank. The sender was a first-contact Gmail account with no prior relationship to the recipient organization. The content followed the advance-fee fraud playbook with specificity.
The "OCBFO" told the recipient they were entitled to receive a large overseas fund transfer that had been frozen pending administrative clearance. To release the funds, the recipient was required to pay a 5% handling fee. After that: a 5% transaction fee of $5,925.15. Then an 8% verification fee of $9,480.24. Then an 8% "refundable deposit" of $11,292.90.
Each fee was framed as the final, non-negotiable administrative requirement. Each was larger than the last. The escalation pattern is a defining feature of advance-fee fraud: once a victim has paid once, the sunk-cost pressure to continue paying is significantly higher than the pressure to walk away.
The email included 29 JPEG attachments, all scanned clean. They were screenshots of fabricated transaction records, on-chain "proof" designed to make the fund-release narrative feel verifiable. The social engineering props were the attachments; the financial weapon was the wallet addresses in the body.
Crypto Wallets as Attacker Infrastructure
The attacker provided three cryptocurrency addresses for payment:
- BTC: bc1q... (bech32 native SegWit format)
- BTC: 1HB1s3... (legacy P2PKH format)
- ETH: 0xAB0371659A90b319C0812646Df8E94de87115C51
Unlike a domain registration that can be suspended or a bank account that can be frozen upon fraud report, blockchain wallet addresses are persistent and pseudonymous. The attacker can collect across multiple victims using the same address. There is no intermediary to contact for a chargeback. Funds sent to these addresses are effectively unrecoverable.
This is the attacker infrastructure in this case. Not a domain, not a server, not an IP: three wallet addresses where the fraud terminates. The IRONSCALES Adaptive AI platform flagged this case with 86% confidence and labeled it "Credential Theft" and "VIP Recipient." The detection was driven by the combination of a first-time Gmail sender targeting a financial services executive with a long-form impersonation payload referencing cryptocurrency disbursement.
The Anti-Forensic Instruction That Confirms Intent
Buried in the email body was an explicit instruction: "Please do not send screenshots." This single line is the clearest indicator of malicious intent in the entire message. A legitimate government agency requesting cooperation with a financial process does not instruct recipients to conceal the communication.
The instruction is an isolation tactic. Advance-fee and pig-butchering fraud both rely on the victim not consulting external verification before making the next payment. A fraud investigator, bank compliance officer, or security professional who sees the email will recognize the pattern immediately. The "no screenshots" instruction is designed to prevent that consultation.
The FBI IC3 2024 report documented over $2.9 billion in BEC-adjacent fraud losses, with cryptocurrency-based advance-fee schemes among the categories with the lowest recovery rate. Crypto transfers settle in minutes and cannot be reversed.
Why a Gmail Sender Targeted a Bank Employee Successfully Enough to Warrant Analysis
The case reached IRONSCALES through a detection and review workflow rather than a human report, which means the target did not immediately recognize the email as fraudulent. That is consistent with the attack design.
The email was long, formal, and bureaucratic in tone. Government impersonation phishing relies on the authority gap: most recipients have limited familiarity with Treasury organizational structure, so a unit name like "OCBFO" does not trigger immediate disbelief. The use of specific dollar amounts (not round numbers) makes the fees feel calculated rather than invented. The JPEG attachments add material weight to the "documentation" claim.
The Verizon 2026 Data Breach Investigations Report notes that 62% of breaches involve the human element. Advance-fee fraud is almost entirely a human-element attack: there is no malware to detect, no malicious URL to sandbox, no domain to blocklist. The entire attack surface is social.
IRONSCALES phishing protection covers this attack class through behavioral detection on first-contact senders combined with content classification models trained on impersonation and advance-fee fraud patterns. The NIST phishing definition notes phishing encompasses both technical and social engineering vectors; this case is entirely the latter.
What Security Teams Should Flag in Finance-Adjacent Inboxes
Executive and finance-role mailboxes should be configured with a higher scrutiny threshold for first-contact external senders. An email from a Gmail account with no prior relationship to the organization, claiming to represent a government authority and referencing cryptocurrency payments, is a clear advance-fee fraud attempt regardless of how formal the body text is.
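The signals this article calls out (a first-contact freemail sender, a government-authority name, cryptocurrency payment addresses, escalating fee language, and the "do not send screenshots" instruction) can be checked mechanically before a message reaches a finance-role inbox. The following is an added illustration, not IRONSCALES code: it scans a constructed sample modelled on the email above and returns the signals it finds. The sender address, the two BTC addresses and the three-signal threshold are assumptions; the ETH address is the one quoted in the article.

```python
import re

# Constructed sample modelled on the email described in the article (not the real message).
SAMPLE_EMAIL = {
    "from": "unknown.sender.demo@gmail.com",  # constructed first-contact freemail sender
    "subject": "Final Administrative Clearance for Frozen Cross-Border Funds",
    "body": (
        "U.S. Treasury Department, Office of Cross-Border Financial Supervision Affairs (OCBFO).\n"
        "An 8% verification fee of $9,480.24 is required before release.\n"
        "Pay to BTC bc1qdemzaddressfrtest000000000000000000000 or\n"  # constructed bech32 address
        "BTC 1DemoAddrConstructedForTest9XYZ or\n"                   # constructed legacy address
        "ETH 0xAB0371659A90b319C0812646Df8E94de87115C51.\n"          # address quoted in the article
        "Please do not send screenshots of this correspondence.\n"
    ),
}

# Address shapes only: bech32 (bc1...), legacy base58 (1... or 3...), and 0x-prefixed 40-hex ETH.
BTC_BECH32 = re.compile(r"\bbc1[02-9ac-hj-np-z]{25,59}\b")
BTC_LEGACY = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")
ETH_ADDR = re.compile(r"\b0x[0-9a-fA-F]{40}\b")
FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}
AUTHORITY_TERMS = ("treasury", "department of", "office of", "federal")
FEE_LANGUAGE = re.compile(r"(handling|transaction|verification|processing) fee|refundable deposit", re.I)
ISOLATION_INSTRUCTION = re.compile(r"do not (send|forward|share) (screenshots?|this)", re.I)


def score_email(msg, known_contacts, threshold=3):
    """Return the advance-fee signals present in msg and whether they cross the flag threshold."""
    findings = []
    sender = msg["from"].lower()
    # First-contact check: sender is unknown to the organisation AND uses a freemail domain.
    if sender not in known_contacts and sender.rsplit("@", 1)[-1] in FREEMAIL_DOMAINS:
        findings.append("first-contact freemail sender")
    text = msg["subject"] + "\n" + msg["body"]
    if any(term in text.lower() for term in AUTHORITY_TERMS):
        findings.append("government authority impersonation")
    wallets = BTC_BECH32.findall(text) + BTC_LEGACY.findall(text) + ETH_ADDR.findall(text)
    if wallets:
        findings.append("cryptocurrency payment address in body")
    if FEE_LANGUAGE.search(text):
        findings.append("advance-fee language")
    if ISOLATION_INSTRUCTION.search(text):
        findings.append("isolation instruction (do not send screenshots)")
    return {"flag": len(findings) >= threshold, "findings": findings, "wallets": wallets}


if __name__ == "__main__":
    print(score_email(SAMPLE_EMAIL, known_contacts=set()))
```

The regexes match address shape only, so the extracted wallets are leads for an analyst to compare against a blocklist, not proof that the address is valid.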
IRONSCALES account takeover and VIP recipient protection includes detection logic specifically calibrated for high-value targets. The "VIP Recipient" flag on this incident reflects that calibration.
The IBM Cost of a Data Breach 2024 report documents social engineering as the second most common initial access vector. Advance-fee fraud that succeeds at the first payment stage rarely stops there.
The Wallets and Sender Address to Flag
| Type | Indicator | Context |
|---|---|---|
| Sender | edgardoaep956@gmail[.]com | Attacker sender (first-contact, no prior relationship) |
| BTC wallet | bc1q... (bech32) | Attacker payment address |
| BTC wallet | 1HB1s3... (legacy) | Attacker payment address |
| ETH wallet | 0xAB0371659A90b319C0812646Df8E94de87115C51 | Attacker payment address |
| Fake authority | "Office of Cross-Border Financial Supervision Affairs (OCBFO)" | Fabricated U.S. Treasury unit |
---
Sources: FBI IC3 2024 Report | Verizon DBIR 2026 | IBM Cost of a Data Breach 2024 | MITRE ATT&CK T1566 | NIST Phishing