Cybersecurity for High Net Worth Individuals: What the Criminal Underground Reveals About Your Real Risk

Written By: Ryan Morrison


If you recently had a transaction announced publicly — a company sale, a PE exit, an executive appointment — your name is now searchable, and your wealth is attached to it. The question a lot of people in that position ask is whether that visibility creates real risk, and if so, what to do about it. Cybersecurity for high net worth individuals starts with understanding how the criminal ecosystem actually works, not with buying another tool or signing up for another monitoring service.

Jason Passwaters spent nearly 12 years in the Marine Corps in counterintelligence and human intelligence before moving into network forensics work supporting FBI cyber agents. He co-founded Intel 471 in 2014 — a threat intelligence company focused on tracking financially motivated cybercriminals from inside their own ecosystem — bootstrapped it to $20M+ in ARR, and took a Thoma Bravo private equity investment in 2021. He has tracked individual threat actors across decades, presented attribution findings at Black Hat, and has, on occasion, read the private chat logs of the people who are trying to take your money. His perspective reframes the question.

TL;DR

  • The criminal underground is a structured, reputation-based marketplace — not a chaotic anonymous network. Threat actors specialize, build brands, and use escrow services to transact.

  • Most financially motivated cybercrime is opportunistic. You become a specific target once your wealth is visible, not simply because of your wealth level.

  • The most commonly exploited personal security failure is credential reuse. A password manager and two-factor authentication on every account eliminate the most common attack vector.

  • Effective cyber defense has an internal side (what's happening in your systems) and an external side (what attack opportunities do bad actors see when they look at you). Most individuals only do the internal half.

  • Nation-state actors participate in the same underground marketplace as criminal groups — buying access from initial access brokers rather than running entirely separate operations.

  • Intel 471 reached $20M+ ARR with zero outside capital in seven years by refusing to expand beyond what its founders knew better than anyone else in the market.

  • AI is lowering the barrier of entry for attackers and making simultaneous large-scale incidents more realistic, which is what Passwaters says keeps him up at night.

 
 

The criminal underground is not a dark web — it is a marketplace

The cybercriminal underground operates as a structured, reputation-based marketplace with specialized vendors, escrow services, and customer support — not a chaotic anonymous network.

"Dark web" is a term Passwaters does not use. He finds it imprecise. "It's not dark, it's not deep, it's very finite and very organized," he says. What he is describing is a network of forums and chat rooms where threat actors with established brands sell specialized products and services to other criminals. Some of them have maintained the same brand identity for over a decade. Passwaters was publicly tracking one infrastructure provider at Black Hat in 2016, and that person was arrested only recently.

What initial access brokers are and why they matter

The ecosystem is built on specialization. One category of threat actor — initial access brokers — focuses on a single job: compromise an organization and sell that access to someone else. They do not necessarily carry out the downstream attack. They find a way in, package it, and sell it to whoever has the money. That buyer might be a ransomware group, a fraud operation, or, as Passwaters explains, a state-level actor looking for a target of opportunity at a fraction of the cost of running their own intrusion operation.

Other specialists in the marketplace include malware-as-a-service providers, infrastructure operators who supply the backend and frontend systems used to conduct attacks, coding services, and sellers of stolen credential databases. The ecosystem supports all of these simultaneously, and they work together on a deal-by-deal basis.

How reputation and brand operate inside an illicit marketplace

Because there is no rule of law to enforce contracts, reputation is the operating currency. "Reputation is huge and you can quickly mess your reputation up and your brand and that will impact your business," Passwaters says. At the organized end of the market — the groups running the most impactful and most lucrative operations — reputation functions as a genuine moat.

The marketplace has also developed its own dispute resolution. There are actual escrow services where a threat actor can put several hundred thousand dollars in escrow pending the completion of a transaction. If the deal goes sideways, there is a formal arbitration process — not contractual in any legal sense, but structured enough to function. Passwaters describes it with some dry admiration: "If you take away the morality aspect of it, a lot of people in business would be fairly impressed with the scalability that some of these folks have achieved."

Cryptocurrency has accelerated all of this. In the earlier period Passwaters describes — roughly 2008 to 2013 — stolen money moved through human mules sent to the US on J1 visas, then wired out through Western Union. The Donetsk crew he tracked over that period stole $120 million in roughly 18 months from small and medium businesses in the US and UK using that infrastructure. Virtual currency changed the economics and the speed entirely.

For context on the scale of the problem: the FBI's Internet Crime Complaint Center reported $16.6 billion in losses to internet crime in 2024 alone, and nearly three-quarters of family offices in North America experienced a cyberattack in the past year, according to a 2025 report by RBC and Campden Wealth.

 


 

How cybercriminals actually decide who to target

Most financially motivated cybercrime is opportunistic, but once your wealth becomes publicly visible — through a transaction announcement, executive role, or media mention — you move onto a specific radar.

This is the framing that matters for most Long Angle members. The criminal ecosystem is doing things at scale. It is not manually researching individuals. But the scale is precisely the mechanism: compromised credential databases are hoovered up automatically, and anyone whose name is attached to a high-value account will show up in those results.

The difference between being an opportunity and being a target

"Everybody's an opportunity," Passwaters says. The distinction is between mass-scale opportunistic crime — which affects everyone — and targeted operations that begin once you become known to the ecosystem. "I would say somebody that has, you know, 10 million bucks in their account or has large portfolios that they're having managed — once that becomes knowledge to the bad guys, then you're now right on their radar."

The visibility triggers matter. A public company CEO cannot hide that fact and faces a different risk profile than a private individual with similar wealth. For the latter — someone who just had a PE exit announced or whose name appeared in deal press — the relevant action is an audit of what is now searchable: what connects your name, your wealth, your location, and your family.

Passwaters points to the UnitedHealthcare CEO case as an illustration of how dramatically digital footprint risk can escalate when public visibility and wealth intersect. The lesson is not that every HNW individual faces that level of exposure — it is that the mechanism is the same, and managing a digital footprint after a liquidity event is a different task than managing it before one.

Family is also part of this equation. "You're kind of an extension of your network's public presence," Passwaters says. Social media profiles of family members can connect dots that the primary individual has been careful to obscure.

The internal-vs-external threat framework

Effective cyber defense requires both understanding what is happening inside your systems and monitoring what attack opportunities threat actors see when they look at you from the outside.

Passwaters organizes the cybersecurity landscape along a simple internal-external axis. The internal side is what most people are familiar with: the CrowdStrikes and Palo Altos of the world, doing endpoint protection and internal visibility. That side gets most of the attention and most of the budget.

The external side is what his company is built on. It asks a different question: when the bad guys look at me, what opportunities do they see? That might be compromised credentials from a prior breach that are now circulating in the marketplace. It might be a third-party vendor whose systems are already compromised and whose access to your organization represents an unlocked door. It might be a specific malware strain that has been used against organizations in your sector and that you could check for proactively, rather than waiting to be hit.

Why most people are only doing half the job

For individuals and most small organizations, the external side is essentially unaddressed. The assumption is that strong internal hygiene is sufficient. Passwaters' career is built on the evidence that it is not — that the underlying world of threat actors, compromised credentials, and specialist services exists whether or not any individual organization is monitoring it.

The practical translation for an HNW individual is not that they need a full threat intelligence program. It is that they should think about what exposure they present to an outside observer: what accounts exist, what credentials are attached to them, what public information connects those accounts to real assets, and where the weakest links in their network of advisors and service providers might be.

 


The practical hygiene that actually matters

A password manager, two-factor authentication on every account, and friction on high-value asset movement are the changes that move a person from soft target to hard target.

Passwaters is direct about this. The single most common and most exploited failure he sees when talking to people is credential reuse. "You can always just ask them, say, hey, are you using the same password for all of your accounts? And they're like, yes." The pattern is usually some combination of a child's name and a birthday. That credential, once compromised in any breach anywhere, gives an attacker a pivot point into every other account.

Why credential reuse is the most exploited personal security failure

The mechanism is straightforward. Bad actors are constantly collecting compromised credential databases from breaches across the internet. They run those credentials against every high-value target they can identify. If your email and password from a retail breach from five years ago are the same email and password you use for your brokerage account, that is a trivial escalation.

A password manager solves this entirely. Every account gets a unique, complex password that exists nowhere else. The cognitive cost goes to zero because you are not managing the passwords yourself. Passwaters uses one. He also uses two-factor authentication on everything, and he operates on the assumption that his data is already out there to some degree.

"I just operate as if all my stuff is out there to some extent," he says. The posture is not alarm — it is footprint management. Know what exists, reduce the impact of what cannot be controlled, and make sure the things that matter have real protection.
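To make the reuse mechanism concrete, the following added example (not from the article or from Intel 471) audits a password-manager CSV export for exact and near-duplicate passwords and ranks each account by how exposed it is if any sibling account is breached. The column names, the `totp` and `high_value` flags, and the sample rows are assumptions constructed for illustration; real exports differ by product.

```python
import csv
import hashlib
import hmac
import io
import os
import re
from collections import defaultdict

# Constructed sample export; every value is made up. The "totp" and
# "high_value" columns are assumed annotations, not a real product's format.
SAMPLE_EXPORT = """name,username,password,totp,high_value
RetailShop,alex@example.com,Emma0412,no,no
Brokerage,alex@example.com,Emma0412,no,yes
AirlineMiles,alex@example.com,emma0412!,yes,no
PrimaryEmail,alex@example.com,Emma2012,yes,yes
Bank,alex@example.com,t9#Vq2!mLx0zR7pd,yes,yes
"""

def _fingerprint(key, text):
    # Keyed hash so groupings and the report never contain plaintext passwords.
    return hmac.new(key, text.encode(), hashlib.sha256).hexdigest()

def _stem(password):
    # Lowercase and drop trailing digits/symbols, so "Emma0412" and
    # "emma0412!" collapse to "emma". Very short stems fall back to the
    # whole password to avoid grouping unrelated entries.
    stem = re.sub(r"[^a-z]+$", "", password.lower())
    return stem if len(stem) >= 4 else password.lower()

def audit(export_csv):
    key = os.urandom(32)  # per-run key: fingerprints are useless outside this run
    rows = list(csv.DictReader(io.StringIO(export_csv)))
    exact, variant = defaultdict(set), defaultdict(set)
    for r in rows:
        exact[_fingerprint(key, r["password"])].add(r["name"])
        variant[_fingerprint(key, _stem(r["password"]))].add(r["name"])
    report = {}
    for r in rows:
        same = exact[_fingerprint(key, r["password"])] - {r["name"]}
        near = variant[_fingerprint(key, _stem(r["password"]))] - same - {r["name"]}
        high_value, totp = r["high_value"] == "yes", r["totp"] == "yes"
        if same and high_value and not totp:
            risk = "critical"  # a breach of any sibling account opens this one
        elif same or (high_value and not totp):
            risk = "high"
        elif near:
            risk = "medium"    # variant of a password used elsewhere
        else:
            risk = "ok"
        report[r["name"]] = {"risk": risk,
                             "shares_password_with": sorted(same),
                             "similar_to": sorted(near)}
    return report

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_EXPORT).items():
        print(f"{name:13} {finding['risk']:9} same={finding['shares_password_with']} "
              f"similar={finding['similar_to']}")
```

In the constructed data the brokerage account is the critical finding: it shares a password with a retail login and has no second factor, which is the escalation path described above.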

Adding friction to asset movement

On the question of brokerage accounts specifically, Passwaters endorses the approach directly: "If you can make yourself a hard target, they'll move to a softer target." Adding transfer friction to high-value accounts — so that moving money requires deliberate additional steps rather than just a logged-in session — reduces the damage ceiling even if credentials are compromised. Virtual credit cards with specific spending limits serve a similar function for everyday purchases.

The logic throughout is the same: the criminal ecosystem is largely opportunistic. Raising the cost of attacking you by even a modest amount moves most attackers to easier targets.

State actors, nation-state threats, and where they fit

Nation-state cyber actors typically participate in the same underground marketplace as financially motivated criminals — buying access through initial access brokers — rather than running entirely parallel operations.

The popular framing of nation-state threats as a separate category with entirely distinct infrastructure is an oversimplification. Passwaters explains that state-level actors operate in the underground marketplace alongside criminal groups, co-opting them in several ways. Some buy access directly from initial access brokers — getting a compromised foothold inside a target organization for, as Passwaters puts it, "pennies on the dollar on what it would cost to do a full scale op." Some moonlight: a state-level actor doing their official work who also uses the underground marketplace to make money on the side. And some corruption operates in a more direct, physical sense — state actors shaking down or leveraging criminal groups through face-to-face relationships.

SolarWinds is the clearest illustration. One of the most consequential nation-state cyber incidents on record originated in the underground marketplace — an Eastern European criminal selling access to state-level buyers. The criminal infrastructure and the geopolitical threat shared the same pipeline.

For organizations and individuals, the practical implication is that the distinction between "financially motivated threat" and "nation-state threat" is less clean than it looks. The same ecosystem, the same tools, and often the same initial entry points serve both. The financial cybercrime operations that Passwaters has spent his career tracking are the same infrastructure that state actors tap into when targets of opportunity become available.

Why bootstrapping discipline translated well to PE

Intel 471 reached $20M+ in ARR with zero outside capital in seven years by refusing to expand beyond what its founders knew better than anyone else in the market.

Passwaters and his co-founder Mark Arena built Intel 471 starting in 2014, coming out of practitioner backgrounds rather than business ones. "We weren't business folk guys when we started the company. We just thought we could do something." They specialized from the beginning in the human intelligence mission — engaging directly with cyber criminals to produce intelligence — and everything automated in the platform was built to support that core function.

The bootstrapping was partly by design and partly by constraint. "We couldn't afford to take risks because we had bills to pay." But it produced a discipline that translated unusually well into the PE environment. Their lawyer, now their general counsel, told them at the time that he never saw founders who did not have credit card debt. That lack of external obligation meant every dollar went back into making the core product better rather than into adjacent bets.


When they ran their process in 2021, they had seven options — a few strategic buyers and several PE firms. The strategics were running 20 to 25 percent below PE on valuation, and more importantly, they represented an endpoint rather than a new phase. The PE route offered what Passwaters describes as "a second bite of the apple" — a reset of the clock, room to do acquisitions, and the ability to scale the company to a substantially larger outcome.

Thoma Bravo won the process over a hands-off alternative for a reason that is worth noting: "They would also allow us to realize our full potential, both individually, but also, most importantly, as a company." The choice was not just about valuation or autonomy — it was about which partner was most likely to make the next phase work.

The current phase is disciplined in the same way the bootstrapping phase was. "Now is not the phase that we're going to be a $250 million company overnight. That will be the next phase of the company as we continue the journey. This phase is getting it to 60, 70 million." The go-to-market is focused on Western Europe and the United States. No geographic expansion for its own sake. No adjacent product categories until the core is mature.

Frequently Asked Questions

Are high net worth individuals specifically targeted by hackers?

You become a specific target once your wealth is visible through a public transaction, executive role, or media mention — not simply because of your wealth level. Before that threshold, most financially motivated cybercrime is opportunistic and scaled. Once your name is attached to a known pool of assets, you move onto a specific radar and the nature of the risk changes.

What is the single most important cybersecurity habit for wealthy individuals?

Using a password manager with unique, complex passwords for every account eliminates the credential reuse that Passwaters identifies as the most commonly exploited personal security failure. A compromised credential from one breach should not give an attacker access to any other account. Two-factor authentication on every account is the required complement to this.

Is cyber insurance worth it for high net worth individuals?

Passwaters does not carry personal cyber insurance himself, though he notes it is worth evaluating for high-profile individuals with meaningful liability exposure. He is more focused on reducing the probability and impact of a breach through hygiene and footprint management than on insuring against one after it occurs. Both approaches can coexist.

How does the criminal underground actually work?

It functions as a structured marketplace with specialized vendors, branded reputations, escrow services, and customer support — organized around financially motivated crime, not ideology or state direction. Threat actors build brands over years. They specialize. They transact with each other using escrow, and disputes go through informal arbitration. Cryptocurrency has replaced the money mule networks that preceded it and enabled significantly faster and more scalable operations.

What is an initial access broker?

An initial access broker is a specialist who compromises an organization and sells that access to other threat actors rather than exploiting it directly. They sell to whoever has the money — ransomware groups, fraud operations, or state-level actors looking for a target at low cost. Understanding that access is a traded commodity in the underground helps explain why a breach at one organization often has origins that predate the visible attack by weeks or months.

How should I think about my digital footprint after a liquidity event?

After a public transaction, conduct a deliberate audit of what is now searchable about you — deal press releases, executive announcements, LinkedIn updates, family social media profiles — and assess what information connects your name to your wealth and your location. The goal is not to disappear from the internet. It is to understand what an outside observer can now piece together and to reduce the most obvious connective tissue before it becomes useful to someone with bad intentions.

What does AI change about the cybercrime threat?

AI lowers the barrier of entry for attackers, enables faster and more scalable operations, and makes the scenario of multiple simultaneous large-scale incidents more realistic. "What keeps me up at night is probably, with AI, making things easier, faster, lowering the barrier of entry — seeing a Colonial Pipelines or a SolarWinds type incident, but seeing many of them at the same time." The criminal ecosystem has always adopted available tools aggressively. AI is no different.

Final Thoughts

The picture Passwaters describes is not designed to be alarming — it is designed to be accurate. The criminal ecosystem is organized, scalable, and accelerating. The people running it are professionals who have built brands, managed reputations, and developed supply chains that would be recognizable to anyone who has run a business. AI is making their operations faster and cheaper.

The response to that, for someone with $10M–$25M in net worth, is not to disappear from the internet or to treat every digital interaction as a threat. It is to take the basics seriously before a problem develops: a password manager, two-factor authentication, an honest audit of what is publicly searchable about you, and friction on the accounts where the real damage would happen. Passwaters is one of the most informed people in the world on this subject. His personal approach is not elaborate. It is disciplined.

The people who manage this well are the ones who made those adjustments before they needed to.


