Cluster Brief · Capstone Analytic Product
CFPS — Certified Fraud Prevention Specialist

Fraud Cluster Brief & Disruption Plan

Produce an agency-grade intelligence product on a live or recently active fraud cluster, with a working picture, evidence appendix, ACH matrix, and a sequenced disruption plan.

Estimated effort: 20–35 hours over 2 weeks
Passing score: 70 / 100
Reviewer: Reviewed by a senior CFPS analyst playing the role of your unit head. They will spot-check sources, reproduce the working picture, and read the brief end-to-end.

The brief

You are an analyst in a national-level financial-crime cell. Inbound intake last week surfaced what appears to be a pig-butchering / investment-platform brand operating across at least three frontend domains and targeting victims in two jurisdictions. Your task is to convert that intake into a publishable cluster brief that an exchange compliance team, a registrar abuse desk, a regulator, and a partner law-enforcement liaison can each act on within 48 hours of receipt.

Pick a target. Either (a) use a real, currently observable scam brand you can lawfully research via OSINT and public chain data, or (b) work from a synthetic-but-realistic cluster constructed from public typology reporting. State which path you took on page one and never mix evidence between paths.

This is a written analytic product, not a slide deck. It will be reviewed line by line. Every named entity must be evidenced, every confidence rating must be defensible, every disruption recommendation must name the seam, the consumer, and the legal instrument.

Operate inside the law of your jurisdiction and the platform terms of service of every site you touch. Do not pretext, do not contact suspects, do not contact victims without consent, do not republish victim PII.

Deliverables

  1. Cluster Brief (long-form)

     BLUF, executive summary, working picture (one-page diagram), narrative findings (numbered, with confidence + sourcing), entity register, recommended actions, open information gaps, caveats. 6–12 pages.

     format: report.pdf + report.md

  2. Evidence Appendix

     Per-artifact record: source URL, capture timestamp (UTC), capturing operator, SHA-256, archive mirror URL, rendering tool/version. No screenshot without an accompanying full-page DOM capture where the platform permits.

     format: evidence/<id>.{png,html,json} + evidence/manifest.csv

  3. Working Picture Diagram

     One-page diagram showing operator → brand fronts → infrastructure cluster → money flow → disruption seams. Edge labels reference evidence IDs.

     format: working-picture.svg + working-picture.png

  4. ACH Matrix

     Analysis of Competing Hypotheses for attribution. List ≥3 competing explanations (e.g. single-operator cluster, shared toolchain across unrelated operators, copy-cat). Score every evidence item as consistent/inconsistent/N-A per hypothesis. State the surviving hypothesis and what would invalidate it.

     format: ach.csv + ach-narrative.md

  5. Disruption Plan

     Sequenced takedown/freeze/warn plan. Per seam: target (host/registrar/exchange/processor/platform), consumer (compliance contact / abuse channel / liaison), legal instrument required, evidence package to send, expected latency, success criterion.

     format: disruption-plan.md

  6. Indicators & Warnings (I&W)

     Pre-committed list of observable signals that would shift confidence in either direction, with the review cadence. This is the trigger list for re-tasking.

     format: iw.md
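As an added illustration of the ACH Matrix deliverable (example code, not part of the course materials): a small Python scorer that reads an ach.csv of the shape described above, assuming one column per hypothesis and cells scored C, I or NA, and selects the surviving hypothesis by the fewest inconsistent items rather than the most consistent ones, refusing to pick one when hypotheses tie. The hypothesis names and evidence rows below are constructed.

```python
import csv
import io

# Constructed sample ach.csv (not from any real case): one row per evidence item,
# one column per competing hypothesis, cells scored C (consistent), I (inconsistent)
# or NA, as the ACH matrix deliverable specifies.
SAMPLE_ACH_CSV = """evidence_id,H1_single_operator,H2_shared_toolchain,H3_copycat
E01,C,NA,I
E02,C,I,NA
E03,C,NA,C
E04,I,C,C
E05,C,NA,I
E06,I,C,C
"""
VALID_SCORES = {"C", "I", "NA"}


def load_ach_matrix(text):
    """Parse ach.csv into {hypothesis: {evidence_id: score}}; every cell must be scored."""
    reader = csv.DictReader(io.StringIO(text))
    hypotheses = [h for h in (reader.fieldnames or []) if h != "evidence_id"]
    if len(hypotheses) < 3:
        raise ValueError("ACH matrix needs at least 3 competing hypotheses")
    matrix = {h: {} for h in hypotheses}
    for row in reader:
        for h in hypotheses:
            score = (row[h] or "").strip().upper().replace("-", "").replace("/", "")  # accept N-A, n/a
            if score not in VALID_SCORES:  # an unscored cell must not silently favour a hypothesis
                raise ValueError(f"{row['evidence_id']}/{h}: unscored or invalid cell {row[h]!r}")
            matrix[h][row["evidence_id"]] = score
    return matrix


def rank_hypotheses(matrix):
    """Rank by fewest inconsistent items (ACH eliminates, it does not tally confirmations).
    Returns [(hypothesis, [inconsistent evidence ids], consistent_count)], best first."""
    ranked = [(h, sorted(e for e, s in sc.items() if s == "I"), sum(s == "C" for s in sc.values()))
              for h, sc in matrix.items()]
    return sorted(ranked, key=lambda t: len(t[1]))


def surviving_hypothesis(matrix):
    """(survivor, its current disconfirming ids), or (None, tied hypotheses) when no single
    hypothesis has the fewest inconsistencies and further collection is needed."""
    ranked = rank_hypotheses(matrix)
    fewest = len(ranked[0][1])
    tied = [h for h, inc, _ in ranked if len(inc) == fewest]
    if len(tied) > 1:
        return None, tied
    return ranked[0][0], ranked[0][1]
```

On the constructed sample the survivor is the hypothesis with the fewest consistent items, which is the point of the least-disconfirming rule; the returned disconfirming ids are the items the ACH narrative must explain.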

Suggested timeline

  1. Scope & PIR (Days 1–2)

     Pick target, write PIRs, draft collection plan, define cut-off.

  2. Collection (Days 3–6)

     Pull infrastructure cluster, victim narrative, on-chain pivots; hash and archive everything.

  3. Cluster construction (Days 7–9)

     Build working picture, anchor at least one durable infrastructure indicator.

  4. ACH & confidence (Days 10–11)

     Run ACH, calibrate confidence per finding, write caveats.

  5. Disruption plan (Days 12–13)

     Sequence seams, name consumers and instruments, validate liaison pathways.

  6. Write & QA (Day 14)

     Draft, internal red-team review, reproducibility check, submit.

Graded rubric (100 pts)

Each criterion is scored 0–4. Final score = Σ (score × weight) ÷ 4. You need ≥70 to earn the capstone seal on your transcript.

BLUF & analytic clarity (10 pts)
  • 0: Missing or unusable. No BLUF, or BLUF that buries the judgement past the third sentence.
  • 1: Present but materially deficient. Multiple gaps a reviewer would flag on first pass.
  • 2: Meets minimum professional bar. BLUF states judgement, confidence and so-what in 3–5 sentences. Executive summary expands without contradiction.
  • 3: Strong. Few corrections needed; would pass internal QA at a national-level cell.
  • 4: Exemplary. BLUF and executive summary read like a senior-analyst product. A non-specialist consumer can act on page one without reading further.

Working picture & cluster construction (15 pts)
  • 0: Missing or unusable. No diagram, or diagram that does not match the narrative.
  • 1: Present but materially deficient. Multiple gaps a reviewer would flag on first pass.
  • 2: Meets minimum professional bar. Diagram covers operator, brand fronts, infrastructure cluster, money flow, and disruption seams. Edges reference evidence IDs.
  • 3: Strong. Few corrections needed; would pass internal QA at a national-level cell.
  • 4: Exemplary. Picture exposes a non-obvious operator-level pivot (shared analytics ID, name-server cluster, recurring deposit pattern) and the narrative defends it.

Evidence quality & chain-of-custody (15 pts)
  • 0: Missing or unusable. Screenshots only, no hashes, no archive mirrors, no timestamps.
  • 1: Present but materially deficient. Multiple gaps a reviewer would flag on first pass.
  • 2: Meets minimum professional bar. Every artifact carries source URL, UTC capture time, capturing operator, hash, archive mirror, rendering tool. Manifest reconciles.
  • 3: Strong. Few corrections needed; would pass internal QA at a national-level cell.
  • 4: Exemplary. Evidence is reproducible by an independent analyst at submission time. Full-page DOM captures accompany screenshots wherever platform-permitted.

Confidence ratings & caveats (10 pts)
  • 0: Missing or unusable. Single confidence rating, or none. No caveats.
  • 1: Present but materially deficient. Multiple gaps a reviewer would flag on first pass.
  • 2: Meets minimum professional bar. Every finding carries low/moderate/high with rationale. Caveats state what would invalidate the judgement.
  • 3: Strong. Few corrections needed; would pass internal QA at a national-level cell.
  • 4: Exemplary. Confidence calibration is conservative where evidence is single-sourced and asserted only where independently corroborated. Honest failure is named, not hidden.

ACH discipline (15 pts)
  • 0: Missing or unusable. No competing hypotheses considered. Single narrative.
  • 1: Present but materially deficient. Multiple gaps a reviewer would flag on first pass.
  • 2: Meets minimum professional bar. ≥3 competing hypotheses scored against evidence. Surviving hypothesis is the one with the least disconfirming evidence, not the most confirming.
  • 3: Strong. Few corrections needed; would pass internal QA at a national-level cell.
  • 4: Exemplary. ACH surfaces a counter-hypothesis the analyst initially rejected and explains in writing why the evidence eventually overrode it.

Disruption plan operability (15 pts)
  • 0: Missing or unusable. Recommendations are generic ('notify exchange'). No legal instrument named.
  • 1: Present but materially deficient. Multiple gaps a reviewer would flag on first pass.
  • 2: Meets minimum professional bar. Per seam: target, consumer, legal instrument, evidence package, latency, success criterion. Sequence is justified.
  • 3: Strong. Few corrections needed; would pass internal QA at a national-level cell.
  • 4: Exemplary. Plan is timed so that fast seams (registrar, hosting) fire before slow seams (LE) to deny the operator time to migrate. Counter-move risks are named.

Victim & PII handling (10 pts)
  • 0: Missing or unusable. Victim PII appears unredacted in the brief or appendix.
  • 1: Present but materially deficient. Multiple gaps a reviewer would flag on first pass.
  • 2: Meets minimum professional bar. Victims are referenced by case-id. PII is access-controlled and excluded from any externally shareable artifact. Consent posture is documented.
  • 3: Strong. Few corrections needed; would pass internal QA at a national-level cell.
  • 4: Exemplary. Brief demonstrates duty-of-care posture: distress indicators recognized, referral pathway named, retention schedule stated.

Legal & ethical posture (5 pts)
  • 0: Missing or unusable. Evidence of pretexting, ToS violation, or unlawful access.
  • 1: Present but materially deficient. Multiple gaps a reviewer would flag on first pass.
  • 2: Meets minimum professional bar. Rules of engagement document is included. Bright lines (no LE impersonation, no breach data as proceedings evidence, no victim contact without consent) are observed.
  • 3: Strong. Few corrections needed; would pass internal QA at a national-level cell.
  • 4: Exemplary. Gray-zone decisions (ToS-restricted scraping, persona engagement) are documented with the analyst's pre-decision rationale, not after-the-fact justification.

Reproducibility & writing quality (5 pts)
  • 0: Missing or unusable. Cannot reproduce the brief from the appendix. Prose is sloppy.
  • 1: Present but materially deficient. Multiple gaps a reviewer would flag on first pass.
  • 2: Meets minimum professional bar. Independent analyst can re-derive every finding from the appendix. Prose is direct, paragraph-led, no padding.
  • 3: Strong. Few corrections needed; would pass internal QA at a national-level cell.
  • 4: Exemplary. Reads like a service-published product. Every paragraph either advances the judgement or is cut.

Pre-submission checklist

Every item must be true before you submit. Reviewers will spot-check.

  • BLUF is 3–5 sentences and states judgement, confidence, and so-what
  • Every finding has a confidence rating and a sourcing trail
  • Working picture matches the narrative and references evidence IDs
  • Evidence manifest reconciles — every cited artifact is in the appendix and vice versa
  • ACH matrix lists ≥3 hypotheses and scores every evidence item
  • Disruption plan names target, consumer, legal instrument, latency, success criterion per seam
  • No unredacted victim PII anywhere in externally shareable artifacts
  • Rules-of-engagement document is included and signed-off
  • Brief is reproducible end-to-end by an independent analyst from the appendix alone
  • Caveats explicitly state what would invalidate each load-bearing judgement
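As an added example (not part of the course materials), a Python reconciliation check for the Evidence Appendix deliverable and the "manifest reconciles" checklist item: it verifies the per-artifact fields, the UTC capture timestamp, the SHA-256 against the file, the screenshot-needs-DOM-capture rule, and that the set of evidence IDs cited in the brief equals the set in the manifest. It assumes a manifest.csv with one row per file and the columns named in REQUIRED, and citations written as [E01] in report.md; the sample files and rows are constructed.

```python
import csv, hashlib, io, re

# Assumed manifest.csv layout: one row per file, so an id repeats across its png/html/json.
REQUIRED = ["id", "file", "source_url", "captured_utc", "operator", "sha256", "archive_url", "tool_version"]
CITE_RE = re.compile(r"\[(E\d{2,})\]")          # assumed citation style inside report.md, e.g. "[E01]"
UTC_RE = re.compile(r"\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ")  # ISO-8601 with explicit Z; format check only


def reconcile(manifest_text, report_text, files):
    """files maps evidence/ filename -> bytes. Returns problems; an empty list means it reconciles."""
    problems, ids, kinds = [], set(), {}
    reader = csv.DictReader(io.StringIO(manifest_text))
    if any(c not in (reader.fieldnames or []) for c in REQUIRED):
        return ["manifest: header lacks a required column"]
    for row in reader:
        eid = row["id"] or "?"
        if any(not (row[c] or "").strip() for c in REQUIRED):
            problems.append(f"{eid}: row has empty required fields")
            continue
        ids.add(eid)
        kinds.setdefault(eid, set()).add(row["file"].rsplit(".", 1)[-1])
        if not UTC_RE.fullmatch(row["captured_utc"]):
            problems.append(f"{eid}: captured_utc is not UTC ISO-8601: {row['captured_utc']!r}")
        data = files.get(row["file"])
        if data is None:
            problems.append(f"{eid}: {row['file']} missing from appendix")
        elif hashlib.sha256(data).hexdigest() != row["sha256"].lower():
            problems.append(f"{eid}: sha256 mismatch for {row['file']}")
    for eid, ext in sorted(kinds.items()):  # a screenshot needs its full-page DOM capture beside it
        if "png" in ext and "html" not in ext:
            problems.append(f"{eid}: screenshot without DOM capture")
    cited = set(CITE_RE.findall(report_text))
    problems += [f"{e}: cited in brief, absent from manifest" for e in sorted(cited - ids)]
    problems += [f"{e}: in manifest, never cited in brief" for e in sorted(ids - cited)]
    return problems


def sample_case():
    """Constructed appendix (not real evidence) with deliberate defects; returns reconcile()'s findings."""
    files = {"E01.png": b"\x89PNG constructed", "E01.html": b"<html>dom</html>", "E02.png": b"\x89PNG two"}
    def row(n, sha, ts="2024-05-01T10:00:00Z"):
        return f"{n[:3]},{n},https://example.invalid/{n},{ts},analyst-7,{sha},https://archive.example.invalid/{n},ff-125"
    manifest = ",".join(REQUIRED) + "\n" + "\n".join([
        row("E01.png", hashlib.sha256(files["E01.png"]).hexdigest()),
        row("E01.html", hashlib.sha256(files["E01.html"]).hexdigest()),
        row("E02.png", hashlib.sha256(b"tampered").hexdigest(), ts="2024-05-01 12:00 local"),  # wrong hash, local time
    ]) + "\n"
    report = "Finding 1 (moderate): the fronts share a name-server cluster [E01]. Finding 2 cites [E03]."
    return reconcile(manifest, report, files)
```

For a real submission, load the appendix with something like `{p.name: p.read_bytes() for p in Path("evidence").iterdir()}` and treat any non-empty result as a blocker before submitting.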

Stretch goals (bonus 0–10 pts)

  • Add an attribution-ladder section showing how the brief moves from brand → operator → organization, with explicit confidence at each rung
  • Include a public-warning draft suitable for a regulator press release, redacted to the named-entity standard
  • Author a journalist-facing background brief with embargo terms and redacted evidence excerpts
  • Add a counter-move forecast: what the operator will do within 7/14/30 days of the disruption firing, with I&W to detect each