Notoriously reluctant: continuing conversations with FBI and private sector defenders about disrupting cybercriminals through collaboration

Friday 16 October 11:00 - 12:00, Small Talks room    

Sara Eberle (Sara Eberle Consulting) & DeLynn Bettencourt Hammell (FBI)

This presentation marks the third instalment in an ongoing series at Virus Bulletin, continuing conversations that Sara Eberle began with FBI Special Agent Doug Domin at VB2023 and Special Agent Mike Bordini at VB2024 as part of the Threat Intelligence Practitioners' Summit (TIPS).

This year, we welcome DeLynn "Dee" Bettencourt Hammell, the FBI's Assistant Law Enforcement Attaché at the U.S. Embassy in Lisbon covering cyber for Portugal, Spain, Andorra, and Gibraltar, and Sara Eberle, a cybersecurity communications expert who'll equip attendees with skills for engaging law enforcement, industry partners, and the press. Ahead of the talk, Eberle will interview top cybersecurity journalists on how practitioners can better leverage media to amplify disruption efforts.

The central theme: how trust-based collaboration between the FBI, international law enforcement, and the private sector is reshaping cybercrime disruption. The talk opens where VB2024 left off – with the still-unanswered question of who "Solymr," the primary administrator of Warzone RAT, actually is. What the investigation has yielded thus far is accountability at the customer level. Matthew Akande deployed Warzone RAT to target Massachusetts tax preparation firms, using the malware to harvest client PII and file fraudulent tax returns. Arrested at Heathrow in October 2024 and extradited in March 2025, he was sentenced to eight years in federal prison.

Hammell will address the evolution of FBI Cyber's operational model, including her coordination of Portugal and Spain's participation in Operation Leak, the multinational takedown of LeakBase with Europol and 14 countries.

Additional examples include the FBI's work countering Salt Typhoon, plus evidence from Ontinue, Cyber Threat Alliance, and others in cybersecurity, including the FBI-Sophos case, Pacific Rim, which led to indicting Guan Tianfeng.

 

Sara-Eberle.jpg

Sara Eberle

Sara Eberle is a cybersecurity and cybercrime communications strategist. She brings deep familiarity with the threat landscape, including vulnerabilities across first- and third-party ecosystems, ransomware, phishing and identity theft, dark web activity, and the evolving tactics, techniques, and procedures (TTPs) used by both cybercriminal groups and nation-state adversaries. She also tracks the role of cryptocurrency in cybercrime and the emergence of AI-driven cyberattacks and defences.  

Sara was Sophos’ Vice President of Global Communications from 2016 to 2025, and she is now a consultant for international cybersecurity service providers. She has worked with law enforcement and government partners including the FBI, CISA and the UK’s National Cyber Security Centre, and supports Secure by Design principles. She also served for eight years on the Cyber Threat Alliance (CTA) communications committee and regularly contributes to global cybersecurity dialogues. This includes presenting alongside FBI cyber agents at the CTA’s TIPS at Virus Bulletin conferences in London (2023) and Dublin (2024) on coordinated cybercrime takedowns through public-private collaboration.  

Sara believes the cybersecurity industry has a stronger chance of disrupting the adversaries when private and public sector experts join forces to piece together the criminal activities they’ve individually uncovered. And, with new AI capabilities and a vast number of unpatched systems already vulnerable to attack (way before Mythos!), far deeper practices of sharing threat intelligence are now essential. 

 
 

DeLynn "Dee" Bettencourt Hammell

DeLynn "Dee" Bettencourt Hammell serves as the FBI's Cyber Law Enforcement Attaché at the U.S. Embassy in Lisbon, where she works closely with partners in Portugal, Spain, Andorra and Gibraltar to coordinate international cyber operations and cross‑border information sharing. Throughout her FBI career of more than 16 years, she led and contributed to major collaborative efforts, including multi-national takedowns, cross-border disruption campaigns, and joint investigations with foreign law enforcement and intelligence services.

Dee brings a strong technical foundation and a long track record of building partnerships across the cyber community. Prior to her current role based in South Europe she served as Unit Chief in the FBI's Cyber Division, a supervisory special agent at FBI's Washington Field Office, and a technical lead on high-profile intrusion investigations, including a major Silicon Valley data breach. As a former Silicon Valley Digital Signal Processing engineer, she frequently works at the intersection of technical investigation and inter-agency collaboration.

Back to VB2026 Programme page

Back to VB2026 conference page

Register your interest for VB2026

Other VB2026 papers

Threat intelligence-driven clustering: identifying a new cyber-mercenary intrusion set

VB2026 presentation: Threat intelligence-driven clustering: identifying a new cyber-mercenary intrusion set, Maher Yamout and Fatih Şensoy

From hotel account compromise to guest payment fraud: the reservation hijack attack chain

VB2026 presentation: From hotel account compromise to guest payment fraud: the reservation hijack attack chain, Martin Chlumecký and Luis Corrons

Hunting LANDFALL: from overlooked images to state-linked mobile spyware

VB2026 presentation: Hunting LANDFALL: from overlooked images to state-linked mobile spyware, Itay Cohen

Gorbag: Orcs at the border

VB2026 presentation: Gorbag: Orcs at the border, Damien Schaeffer

Defeating indirect branching obfuscations in malware with Hex-Rays Decompiler

VB2026 presentation: Defeating indirect branching obfuscations in malware with Hex-Rays Decompiler, Georgy Kucherin

Discerning the invisible: a heuristic engine for behavioural inference in nation-state covert networks

VB2026 presentation: Discerning the invisible: a heuristic engine for behavioural inference in nation-state covert networks, Madeline Sedgwick

Kimwolf’s claws loom over 1.8 million firewalled Android devices worldwide

VB2026 presentation: Kimwolf’s claws loom over 1.8 million firewalled Android devices worldwide, Alex Turing

Paying the TOLL: how REF3927 turned 571 IIS servers into an SEO fraud network

VB2026 presentation: Paying the TOLL: how REF3927 turned 571 IIS servers into an SEO fraud network, Salim Bitam and Jia Yu Chan

Leveraging Landlock telemetry for Linux detection engineering

VB2026 presentation: Leveraging Landlock telemetry for Linux detection engineering, Guillaume Couchard and Erwan Chevalier

Targeting the elderly: from spoofing to persistence

VB2026 presentation: Targeting the elderly: from spoofing to persistence, Axelle Apvrille

The invisible warzone: competing botnets fighting over your smart TV

VB2026 presentation: The invisible warzone: competing botnets fighting over your smart TV, Asher Davila, Chris Navarrete & Doel Santos

Mac&Cheese: cooking up the Digit Stealer recipe

VB2026 presentation: Mac&Cheese: cooking up the Digit Stealer recipe, Kseniia Yamburh & Joan Garcia

How real-world malware disables EDR systems

VB2026 presentation: How real-world malware disables EDR systems, Holger Unterbrink

Newsjacking the world: tracking three months of uncovered APT operations disguised as global headlines

VB2026 presentation: Newsjacking the world: tracking three months of uncovered APT operations disguised as global headlines, Darrel Virtusio & Subhajeet Singha

Polling is the vulnerability: a case for event-driven cloud detection

VB2026 paper: Polling is the vulnerability: a case for event-driven cloud detection, Santiago Abastante

The edge is the enemy: hunting Chinese router relay networks

VB2025 presentation: The edge is the enemy: hunting Chinese router relay networks, Ryan Sherstobitoff

Unravelling Lumma Stealer’s protection stack: pushing static deobfuscation to its practical limit

VB2026 presentation: Unraveling Lumma Stealer’s protection stack: pushing static deobfuscation to its practical limit, Yuki Umemura

AI in malware: evolution and predicting the future of AI-driven attacks

VB2026 presentation: AI in malware: evolution and predicting the future of AI-driven attacks, Eli Smadja

The cyber saga: deconstructing the DPRK’s global synthetic IT workforce ecosystem

VB2026 presentation: The cyber saga: deconstructing the DPRK’s global synthetic IT workforce ecosystem, Anastasia Tikhonova

Tracing the bloodline of LLM-driven polymorphic malware: do GHOSTs leave footprints?

VB2026 presentation: Tracing the bloodline of LLM-driven polymorphic malware: do GHOSTs leave footprints? Chanbin Jeon, SeungBeom Lim & SuhMahn Hur

How LOLRMM, LOLDrivers and CertGraveyard map the attacker's favourite kill chain

VB2026 presentation: How LOLRMM, LOLDrivers and CertGraveyard map the attacker's favourite kill chain, Jose Enrique Hernandez & Nasreddine Bencherchali

Agent detection and response: safety on a token budget

VB2026 presentation: Agent detection and response: safety on a token budget, Václav Belák, Jakub Křoustek & Tomáš Ďuriš

Malwaremorphosis - breaking down a global multi-layer malvertising operation

VB2026 presentation: Malwaremorphosis - breaking down a global multi-layer malvertising operation, Ionuț Baltariu

I will find you and I will flag you: hunting malicious packages at scale

VB2026 presentation: I will find you and I will flag you: hunting malicious packages at scale, Christophe Tafani-Dereeper

Otter encyclopaedia: deep analysis of Otter family

VB2026 presentation: Otter encyclopaedia: deep analysis of Otter family, Rintaro Koike, Yuta Sawabe & Masaya Motoda

Break the silence: tracking Silent Lynx through exposed infrastructure

VB2026 presentation: Break the silence: tracking Silent Lynx through exposed infrastructure, Julian Ferdinand Vögele & Chi-en (Ashley) Shen

Operation FalseProof: PoC that bites back

VB2026 presentation: Operation FalseProof: PoC that bites back, Jiho Kim & Minyeop Choi

Transparency wars: exposing hidden biases in testing

VB2026 presentation: Transparency wars: exposing hidden biases in testing, Righard Zwienenberg & Luis Corrons

Snap, trigger, steal: SnappyClient and the art of trigger-based intrusions

VB2026 presentation: Snap, trigger, steal: SnappyClient and the art of trigger-based intrusions, Muhammed Irfan V A, Avinash Kumar & Nirmal Singh

Reverse engineering a multi-stage implant targeted Vietnamese organizations

VB2026 presentation: Reverse engineering a multi-stage implant targeted Vietnamese organizations, Minh Anh Luong

When malware talks back: real-time interaction with a threat actor during the analysis of Kiss Loader

VB2026 presentation: When malware talks back: real-time interaction with a threat actor during the analysis of Kiss Loader, Marvin Castillo & Arvin Jay Bandong

Free games, costly consequences: unravelling PiviGames’ hidden treasure malware

VB2026 presentation: Free games, costly consequences: unravelling PiviGames’ hidden treasure malware, John Rey Dador

Khmer Shadow: uncovering a targeted cyber espionage campaign against Cambodian military intelligence

VB2026 presentation: Khmer Shadow: uncovering a targeted cyber espionage campaign against Cambodian military intelligence, Subhajeet Singha

Practical ransomware detection on macOS (via math, not AI)

VB2026 presentation: Practical ransomware detection on macOS (via math, not AI), Patrick Wardle

From exclusive to widespread: the shifting exploitation dynamics of (zero-day) vulnerabilities before and after their (public) disclosure

VB2026 presentation: From exclusive to widespread: the shifting exploitation dynamics of (zero-day) vulnerabilities before and after their (public) disclosure, Kerstin Zettl-Schabath & Kritika Roy

The other side of the front: hunting Paper Werewolf's operations against Russia

VB2026 presentation: The other side of the front: hunting Paper Werewolf's operations against Russia, Nicole Fishbein

Meet ARES - an agentic reverse engineer that decrypts sophisticated ransomware encrypted files

VB2026 presentation: Meet ARES - an agentic reverse engineer that decrypts sophisticated ransomware encrypted files, Raviv Rachmiel

Disrupting the threat actor mythos: data-based insights into targeting, tooling, and the limits of AI in cybercrime

VB2026 presentation: Disrupting the threat actor mythos: data-based insights into targeting, tooling, and the limits of AI in cybercrime, Selena Larson & Daniel Blackford

Deadline as bait: a comparative analysis of tax-themed smishing campaigns targeting Spain and Portugal

VB2026 presentation: Deadline as bait: a comparative analysis of tax-themed smishing campaigns targeting Spain and Portugal, Natasha Márquez & Ghyorka Kpee

When wipers leave backups: an analysis of ArgonWiper’s encryption workflow

VB2026 presentation: When wipers leave backups: an analysis of ArgonWiper’s encryption workflow, Hyuna Lee & Hyoje Jo

Notoriously reluctant: continuing conversations with FBI and private sector defenders about disrupting cybercriminals through collaboration

VB2026 presentation: Notoriously reluctant: continuing conversations with FBI and private sector defenders about disrupting cybercriminals through collaboration, Sara Eberle & DeLynn Bettencourt Hammell

From dead malware to living adversaries: AI-powered digital twins for adaptive APT modelling

VB2026 presentation: From dead malware to living adversaries: AI-powered digital twins for adaptive APT modelling, Alexander Adamov & Anders Carlsson

The silent threat in your enterprise: SAP security

VB2026 presentation: The silent threat in your enterprise: SAP security, Anita Cwynar

BEAST: binary emulation and analysis simulation technology for advanced malware analysis and anti-forensic countermeasures

VB2026 presentation: BEAST: binary emulation and analysis simulation technology for advanced malware analysis and anti-forensic countermeasures, Bramwell Brizendine, Alexander Wood, Jared Sheldon & William Lochte

Spec-driven malware: turning markdown into threats

VB2026 presentation: Spec-driven malware: turning markdown into threats, Sven Rath

The invisible candidate: tracking the evolution of 'Un-tracked' GRITCASPIAN

VB2026 presentation: The invisible candidate: tracking the evolution of 'Un-tracked' GRITCASPIAN, Asli Koksal

DPRK-aligned threat operations: tradecraft, tooling, and detection patterns

VB2026 presentation: DPRK-aligned threat operations: tradecraft, tooling, and detection patterns, Wonkyeom Kim

Workshop: Collaborative attack modelling across CTI, Red Team, and SOC (MITRE)

VB2026 workshop: Collaborative attack modelling across CTI, Red Team, and SOC (MITRE)

TIPS: The next chapter

VB2026 TIPS presentation: The next chapter, Jiri Sejtko

TIPS: Collaboration in action: turning shared threat intelligence into coordinated defence

VB2026 TIPS presentation: Collaboration in action: turning shared threat intelligence into coordinated defence, Tuna Dabak

TIPS: From signal to shield: rapid collaboration to defend critical infrastructure during crisis

VB2026 TIPS presentation: From signal to shield: rapid collaboration to defend critical infrastructure during crisis, Madeline Sedgwick

TIPS: Harmonizing AI agents and human analysts in CTI - are CTI agents friends or rivals to junior analysts?

VB2026 TIPS presentation: Harmonizing AI agents and human analysts in CTI - are CTI agents friends or rivals to junior analysts? Takahiro Kakumaru

TIPS: Stairway to resilience: cybersecurity in good times, bad times, and everything between

VB2026 TIPS presentation: Stairway to resilience: cybersecurity in good times, bad times, and everything between Selena Larson, Jeannette Jarvis, Kathi Whitbey, Jeanette Miller Osborne

TIPS: Defending (against) the human layer: IoB in the real world

VB2026 TIPS presentation: Defending (against) the human layer: IoB in the real world Righard Zwienenberg, Kathi Whitbey, Samir Mody & Mienke

TIPS: STIX in action: proposed industry collaboration on sharing DigSig metadata

VB2026 TIPS presentation: STIX in action: proposed industry collaboration on sharing DigSig metadata, Samir Mody

TIPS: Ghosts in the chat: tracking GhostPairing from trusted message to linked-device takeover 

VB2026 TIPS presentation: Ghosts in the chat: tracking GhostPairing from trusted message to linked-device takeover, Michal Salat

TIPS: The art of fighting back

VB2026 TIPS presentation: The art of fighting back, Gabor Szappanos

TIPS: Wartime intelligence collection and collaboration

VB2026 TIPS presentation: Wartime intelligence collection and collaboration, Sergey Shykevich

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.