
Fabricated Treasury Office, Real Crypto Wallets: Inside a Multi-Fee Bitcoin and Ethereum Advance-Fee Scam

Written by Audian Paxson | May 21, 2025 11:00:00 AM
TL;DR

A financial services professional at a US community bank received a long-form email from a Gmail account impersonating a fabricated unit called the Office of Cross-Border Financial Supervision Affairs, a name that does not correspond to any real U.S. Treasury bureau. The attack followed an advance-fee fraud script: a fabricated overseas fund release requiring a series of escalating payments (handling fee, transaction fee, verification fee, refundable deposit) to be sent to attacker-controlled Bitcoin and Ethereum wallet addresses. The wallets are the concrete attacker artifacts. Each fee demanded was larger than the last, and the email explicitly instructed the target not to send screenshots, a classic anti-forensic instruction designed to prevent the victim from seeking outside verification.

Severity: High | Impersonation | Advance-Fee Fraud | Cryptocurrency Fraud | MITRE: T1566 | MITRE: T1598

The email claimed to be from the "U.S. Treasury Department, Office of Cross-Border Financial Supervision Affairs." No such office exists. The unit name was fabricated wholesale, designed to sound authoritative enough that a recipient unfamiliar with Treasury organizational structure would not immediately know to verify it.

What was real: the Bitcoin and Ethereum wallet addresses where the attacker wanted money sent.

A Fabricated Government Authority and a Constructed Chain of Fees

The email was addressed to a retail sales and service director at a US community bank. The sender was a first-contact Gmail account with no prior relationship to the recipient organization. The content followed the advance-fee fraud playbook with specificity.

The "OCBFO" told the recipient they were entitled to receive a large overseas fund transfer that had been frozen pending administrative clearance. To release the funds, the recipient was required to pay a 5% handling fee. After that: a 5% transaction fee of $5,925.15. Then an 8% verification fee of $9,480.24. Then an 8% "refundable deposit" of $11,292.90.

Each fee was framed as the final, non-negotiable administrative requirement. Each was larger than the last. The escalation pattern is a defining feature of advance-fee fraud: once a victim has paid once, the sunk-cost pressure to continue paying is significantly higher than the pressure to walk away.

The email included 29 JPEG attachments, all scanned clean. They were screenshots of fabricated transaction records, on-chain "proof" designed to make the fund-release narrative feel verifiable. The social engineering props were the attachments; the financial weapon was the wallet addresses in the body.

Crypto Wallets as Attacker Infrastructure

The attacker provided three cryptocurrency addresses for payment:

  • BTC: bc1q... (bech32 native SegWit format)
  • BTC: 1HB1s3... (legacy P2PKH format)
  • ETH: 0xAB0371659A90b319C0812646Df8E94de87115C51

Unlike a domain registration that can be suspended or a bank account that can be frozen upon fraud report, blockchain wallet addresses are persistent and pseudonymous. The attacker can collect across multiple victims using the same address. There is no intermediary to contact for a chargeback. Funds sent to these addresses are effectively unrecoverable.

This is the attacker infrastructure in this case. Not a domain, not a server, not an IP: three wallet addresses where the fraud terminates. The IRONSCALES Adaptive AI platform flagged this case with 86% confidence and labeled it "Credential Theft" and "VIP Recipient." The detection was driven by the combination of a first-time Gmail sender targeting a financial services executive with a long-form impersonation payload referencing cryptocurrency disbursement.


The Anti-Forensic Instruction That Confirms Intent

Buried in the email body was an explicit instruction: "Please do not send screenshots." This single line is the clearest indicator of malicious intent in the entire message. A legitimate government agency requesting cooperation with a financial process does not instruct recipients to conceal the communication.

The instruction is an isolation tactic. Advance-fee and pig-butchering fraud both rely on the victim not consulting external verification before making the next payment. A fraud investigator, bank compliance officer, or security professional who sees the email will recognize the pattern immediately. The "no screenshots" instruction is designed to prevent that consultation.

The FBI IC3 2024 report documented over $2.9 billion in BEC-adjacent fraud losses, with cryptocurrency-based advance-fee schemes among the categories with the lowest recovery rate. Crypto transfers settle in minutes and cannot be reversed.

Why a Gmail Sender Targeted a Bank Employee Successfully Enough to Warrant Analysis

The case reached IRONSCALES through a detection and review workflow rather than a human report, which means the target did not immediately recognize the email as fraudulent. That is consistent with the attack design.

The email was long, formal, and bureaucratic in tone. Government impersonation phishing relies on the authority gap: most recipients have limited familiarity with Treasury organizational structure, so a unit name like "OCBFO" does not trigger immediate disbelief. The use of specific dollar amounts (not round numbers) makes the fees feel calculated rather than invented. The JPEG attachments add material weight to the "documentation" claim.

The Verizon 2026 Data Breach Investigations Report notes that 62% of breaches involve the human element. Advance-fee fraud is almost entirely a human-element attack: there is no malware to detect, no malicious URL to sandbox, no domain to blocklist. The entire attack surface is social.

IRONSCALES phishing protection covers this attack class through behavioral detection on first-contact senders combined with content classification models trained on impersonation and advance-fee fraud patterns. The NIST phishing definition notes phishing encompasses both technical and social engineering vectors; this case is entirely the latter.

What Security Teams Should Flag in Finance-Adjacent Inboxes

Executive and finance-role mailboxes should be configured with a higher scrutiny threshold for first-contact external senders. An email from a Gmail account with no prior relationship to the organization, claiming to represent a government authority and referencing cryptocurrency payments, is a clear advance-fee fraud attempt regardless of how formal the body text is.
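The flag criteria above, together with the wallet-address formats described under "Crypto Wallets as Attacker Infrastructure", can be expressed as a small triage rule. The following is an added example written for this post, not IRONSCALES code: the thresholds, the free-webmail list, the phrase lists and the sample message are this example's own constructions, and the BTC address and sender in the sample are placeholders (only the ETH address is the one quoted in the post).

```python
import re

# Patterns for the three wallet formats in the case: bech32 native SegWit (bc1q...),
# legacy Base58 P2PKH/P2SH (1.../3...), and Ethereum (0x + 40 hex chars).
BTC_BECH32 = re.compile(r"\bbc1q[02-9ac-hj-np-z]{38,58}\b")
BTC_LEGACY = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")
ETH_ADDR = re.compile(r"\b0x[0-9a-fA-F]{40}\b")
FEE_RE = re.compile(r"(?:handling|transaction|verification|processing) fee|refundable deposit", re.I)
MONEY_RE = re.compile(r"\$([0-9][0-9,]*(?:\.[0-9]+)?)")
FREE_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}  # example list
AUTHORITY_WORDS = ("treasury", "department of", "office of", "federal", "ministry")
ISOLATION_PHRASES = ("do not send screenshots", "do not share this", "keep this confidential")

def extract_wallets(body):
    """Return every BTC/ETH payment address in the body: the attacker's real infrastructure."""
    return BTC_BECH32.findall(body) + BTC_LEGACY.findall(body) + ETH_ADDR.findall(body)

def score_email(sender, body, known_senders, vip_recipient=False):
    """Score one message against the advance-fee pattern; returns (score, reasons)."""
    reasons, text = [], body.lower()
    domain = sender.rsplit("@", 1)[-1].lower()
    if sender.lower() not in known_senders and domain in FREE_WEBMAIL:
        reasons.append("first-contact sender on free webmail")
    if any(w in text for w in AUTHORITY_WORDS):
        reasons.append("claims government authority")
    wallets = extract_wallets(body)
    if wallets:
        reasons.append(f"{len(wallets)} crypto payment address(es)")
    if any(p in text for p in ISOLATION_PHRASES):
        reasons.append("isolation / anti-forensic instruction")
    amounts = [float(m.replace(",", "")) for m in MONEY_RE.findall(body)]
    # Escalation check: at least two named fees whose dollar amounts only ever grow.
    if len(FEE_RE.findall(body)) >= 2 and len(amounts) >= 2 and amounts == sorted(amounts):
        reasons.append("escalating multi-fee chain")
    return len(reasons) + (1 if vip_recipient else 0), reasons

def verdict(score):
    """Map a score to a triage action; thresholds are this example's own, not a product setting."""
    return "quarantine" if score >= 4 else "review" if score >= 2 else "deliver"

# Constructed sample mirroring the case (placeholder sender and BTC address).
SAMPLE_SENDER = "sender-placeholder@gmail.com"
SAMPLE_BODY = """U.S. Treasury Department, Office of Cross-Border Financial Supervision Affairs.
Your frozen overseas funds require a 5% handling fee, then a transaction fee of $5,925.15,
a verification fee of $9,480.24 and a refundable deposit of $11,292.90.
Pay to BTC bc1qqpzry9x8gf2tvdw0s3jn54khce6mua7lqpzry9x8gf
or ETH 0xAB0371659A90b319C0812646Df8E94de87115C51. Please do not send screenshots."""

if __name__ == "__main__":
    s, why = score_email(SAMPLE_SENDER, SAMPLE_BODY, known_senders=set(), vip_recipient=True)
    print(verdict(s), s, why)
```

The rule is deliberately content-only: it needs no URL, attachment or domain reputation, which is the point the post makes about this attack class.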

IRONSCALES account takeover and VIP recipient protection includes detection logic specifically calibrated for high-value targets. The "VIP Recipient" flag on this incident reflects that calibration.

The IBM Cost of a Data Breach 2024 report documents social engineering as the second most common initial access vector. Advance-fee fraud that succeeds at the first payment stage rarely stops there.

The Wallets and Sender Address to Flag

Type | Indicator | Context
Email | edgardoaep956@gmail[.]com | Attacker sender (first-contact, no prior relationship)
BTC wallet | bc1q... (bech32) | Attacker payment address
BTC wallet | 1HB1s3... (legacy) | Attacker payment address
ETH wallet | 0xAB0371659A90b319C0812646Df8E94de87115C51 | Attacker payment address
Fake authority | "Office of Cross-Border Financial Supervision Affairs (OCBFO)" | Fabricated U.S. Treasury unit

---

Sources: FBI IC3 2024 Report | Verizon DBIR 2026 | IBM Cost of a Data Breach 2024 | MITRE ATT&CK T1566 | NIST Phishing

Email Attack of the Day is a daily series from IRONSCALES spotlighting real phishing attacks caught by Adaptive AI and our community of 35,000+ security professionals. Each post breaks down a real attack: what it looked like, why it worked, and what to do about it.
