We work on the parts of security that matter to financial infrastructure.
Curated vulnerability research, incident response, and detection engineering for banks, payment processors, and the institutions that clear and settle their transactions. We are deliberately small and deliberately deep.
Three things, done seriously

01 / 03 Threat intelligence
We track adversaries that target payment, settlement, and treasury infrastructure. Output is curated, sourced, and timestamped, not branded reports. Subscribers receive new findings the same day they are validated, with confidence levels stated in IC analytic terms.

02 / 03 Incident response
On retainer or on call. We work the technical containment and the regulatory clock in parallel, because a breach inside a regulated institution is two crises that share a phone line. Every engagement ships a forensic timeline, a remediation roadmap, and a written briefing that survives auditor scrutiny.

03 / 03 Security engineering
Detections, controls, and architecture review for the systems your customers rely on. We build to your stack rather than ours: SIEM rules in your SIEM, IaC patches in your repository, runbooks in your wiki. The work outlasts the engagement.
Joint advisory: shell-company exploitation in third-party payment processing
We are issuing this joint advisory together with five sector partners to draw attention to a sustained pattern of shell-company onboarding through third-party payment processors. The pattern moves between jurisdictions on a weekly cycle, exploits inconsistencies in beneficial-ownership data, and is currently observed against small- and mid-sized payment processors in particular.
Author: IMF Practice · Length: 872 words · Reading: 4 min · Version: v1.0
Long-form output
Adversarial attacks against machine-learning systems in financial services
Financial institutions are deploying ML systems into the parts of their stack that matter most: fraud detection, anti-money-laundering screening, credit decisioning, transaction monitoring, and customer-service LLMs. These systems carry an attack surface that traditional cyber-security controls do not address. This paper defines six adversarial attack classes specific to financial-sector ML, maps them to malicious-actor goals, and proposes a starting threat model for the institutions we work with.
2,486 words · 11 min
RESEARCH · 2026-04-22 · Could your choice of payment-fraud telemetry be harming your detection?
Most fraud-detection programmes report on the wrong things. Volume-of-alerts and mean-time-to-resolution measure the work that the platform produces, not the work that catches an attacker. This paper looks at four metrics we routinely see harming fraud detection in the institutions we work with, and proposes four replacements.
1,518 words · 7 min
RESPONSE GUIDE · 2026-04-15 · What to do if your business has just wired money to a fraudster
A short, prioritised checklist of the actions that materially affect whether the funds can be recovered. The first sixty minutes matter most; by the end of the working day the realistic recovery probability is meaningfully lower. Read this once before you need it.
1,233 words · 6 min
What we are tracking
- CVE-2024-6387 · 2024-07-01 · HIGH
  Signal handler race in OpenSSH sshd allows pre-auth RCE on glibc Linux
  A signal handler race condition in sshd, dubbed regreSSHion, permits unauthenticated remote code execution as root on glibc-based Linux. The flaw is a regression of CVE-2006-5051. Exploitation is non-trivial but demonstrated.
  CVSS 8.1 · Affected: OpenSSH 8.5p1 through 9.7p1 (inclusive) on glibc-based Linux
- CVE-2024-30255 · 2024-04-03 · MEDIUM
  Envoy HTTP/2 CONTINUATION frame flood causes CPU exhaustion DoS
  Envoy's HTTP/2 codec processes CONTINUATION frames without effective rate limiting. A remote unauthenticated client can stream CONTINUATION frames indefinitely, exhausting CPU on the target. Part of the wider 2024 HTTP/2 CONTINUATION flood disclosure class.
  CVSS 5.9 · Affected: Envoy < 1.26.8
- CVE-2024-3094 · 2024-03-29 · CRITICAL
  Backdoor in xz-utils 5.6.0–5.6.1 (liblzma) compromises sshd
  xz-utils 5.6.0 and 5.6.1 ship a deliberate backdoor that compromises sshd via the libsystemd → liblzma load path. An attacker holding the actor's private key gains pre-authentication RCE as root.
  CVSS 10.0 · Affected: xz-utils 5.6.0
Notes from the practice
Detection engineering against low-and-slow operations
When the dwell time is measured in months rather than minutes, the detection problem stops being about signatures and becomes about baselines. Notes from a year of working financial-sector telemetry.
By IMF Research
EDITORIAL · 2026-03-15 · On disclosure timelines: when ninety days is too long, when it is too short
The default coordinated-disclosure window of ninety days exists for reasons that are sometimes load-bearing and sometimes vestigial. A practitioner's view from inside financial-sector vulnerability work.
By IMF Research
A small practice, working only on the parts of security that matter to financial infrastructure.
International Money Flow is a research and engagement practice for banks, payment processors, and the institutions that clear and settle their transactions. We do not run a SOC, sell a platform, or authoritatively pronounce on the threat landscape. We track public vulnerabilities that affect the systems our clients run, work incidents when those clients have them, and write detection and architecture work that survives the engagement.
About the practice