Over the two-year, Target’s Cyber Threat Intelligence (CTI) team tracked a sophisticated scam campaign by a threat actor dubbed “Monti.” Monti registered over 164 domains impersonating Target to execute crypto-based remote job scams. Using phishing, smishing, and paid ads on Facebook, Instagram, and TikTok, Monti impersonated Target recruiters to lure job seekers. Victims were pushed to fake “training platforms,” prompted to submit fraudulent product reviews, and pressured to deposit Bitcoin under the promise of $8,000/month earnings. This talk will walk attendees through Monti’s full kill chain—from domain registration patterns to Bitcoin wallet attribution—and show how Target’s CTI team leveraged OSINT, HUMINT, and cross-industry collaboration with RH-ISAC partners and NCFTA to disrupt the operation. We’ll share detection tips, brand-protection tactics, and lessons learned on mitigating reputational harm when threat actors leverage a trusted household name.
