Unit 221B has raised $5 million in a seed round to expand its work breaking up and tracking the youth-led cyber crews responsible for some of the most brazen attacks on major companies. The money is going to eWitness, the New Jersey-based security firm’s invite-only threat intelligence platform which investigators and Fortune 500 teams rely upon to catch offenders, preserve evidence and assist in arrests and civil recovery.
A fast-changing threat: “advanced persistent teenagers”
While legions of nation-state hackers still target governments and corporations, there has been a new breed of English-speaking teenage hacker, raised on internet forum discussions and YouTube tutorials, that does most damage today. These groups, often coordinating over encrypted chats and social media platforms, mix social engineering with SIM swapping and credential theft to break into cloud accounts and internal tools — and they know how to cash in on their access.
Recent breaches illustrate the stakes. The MGM Resorts intrusion, which multiple security companies have tied to social engineering-heavy tactics, cost the company roughly $100 million in impact and remediation, according to public filings. Also, the theft of data from Snowflake customer environments — monitored by incident responders such as Mandiant — showed how stolen credentials and poor identity hygiene can cut through blue-chip brands, with data affiliated to companies including Ticketmaster and Santander surfacing on criminal markets.
The pattern isn’t isolated. The FBI’s Internet Crime Complaint Center tallied more than $12 billion in reported cybercrime losses found in its latest annual report, while the 2024 Verizon Data Breach Investigations Report identified ransomware and sheer data extortion as factors in about a third of breaches it investigates. Both U.S. agencies, like CISA, and the U.K.’s National Cyber Security Centre have for some time been warning that help desk social engineering, as well as identity provider abuse, are two of these groups’ main enablers.
Inside eWitness: evidence-first threat intelligence
Unit 221B’s eWitness platform consolidates intelligence from vetted sources — law enforcement partners, journalists and security researchers — and correlates it with signals collected from closed forums, leak channels and blockchain transactions. The intention is twofold: speed up the attribution process, while retaining court-worthy evidence including chain-of-custody artifacts, legal holds and immutable logs which back up criminal prosecution and civil actions.
Enterprises utilize the platform to monitor brand mentions, credential exposures and targeting trends in specific industries, while researchers correlate infrastructure reuse across cases and map operators behind handles, wallets and devices. The tooling has led to arrests and the recovery of fraudsters’ proceeds and judgments against bad actors — areas where casework can break down over lack of cohesive data and jurisdiction hurdles, Unit 221B says.
New capital, focused expansion for Unit 221B’s eWitness
“We’re focused on today’s financially motivated crews and the groups chasing them,” said Chen-Contino, an executive at Unit 221B, saying that priorities include generating leads more quickly, standardizing evidence processing and improving coverage of new communication channels these crews use. It also plans to formalize relationships with national CERTs (Computer Emergency Response Teams) and cybercrime units in order to facilitate referrals.
Why timing counts for defenders and prosecutors
Teen-led crews take advantage of organizational weak spots — password resets through help desks, lazy adoption of multi-factor authentication, and inattention to monitoring use of admin tools — far faster than the traditional casework response can act. CISA and the FBI have also recommended mitigation such as phishing-resistant MFA, stringent identity proofing for account recovery, and SIM-swap-resistant carrier controls — but many victims still learn of their compromise only after receiving extortion notes or having their data leaked.
By focusing on attribution that holds up in court, Unit 221B is betting it can compress the timeline from intrusion to disruption. That means linking social engineering transcripts with on-chain payments, correlating device fingerprints between incidents and tracking handoffs among affiliates — critical details that make or break prosecutions and civil recovery actions.
What to watch next for eWitness and cyber defense
Key indicators for impact will be swift, coordinated takedowns and quicker arrests, as well as measurable reduction in dwell time resulting from social engineering-based breaches. On the enterprise side, take-up by high-risk industries like hospitality and retail as well as financial services and SaaS will prove whether eWitness can move defenders from reactive triage to proactive disruption.
The risks are well known: privacy and oversight in the collection of data, the importance of tight access controls and adversaries who quickly migrate to new channels. But with losses mounting and young offenders upping their game, the combination of investigator-class evidence and operational intelligence that Unit 221B is churning out comes at a brink-like moment for cyber defense.
