RiskX interview video featuring Colin Mahony and Mastercard's Aditi Sawhney

At RiskX Singapore 2026, Recorded Future CEO Colin Mahony and Mastercard's Aditi Sawhney discussed why payment fraud has become an ecosystem problem that spans cyber and financial crime. The fraudulent transaction is the visible end of a chain that began weeks or months earlier, with harvested credentials, registered lookalike domains, and infected merchant sites. This post looks at how connecting cyber and fraud signals lets defenders intervene before monetization, and how Recorded Future’s Payment Fraud solution maps to each stage of that chain.
https://www.youtube.com/watch?v=NTqcdZrx0ic

Every fraud investigator knows the pattern: the fraudulent charge is the first thing anyone notices and the last thing the attacker actually does. Before it posts, malicious infrastructure has been stood up, credentials have been harvested, payment data sold, and mule accounts lined up to move the money.

So the transaction is not the attack. It is the receipt. That was the premise Recorded Future CEO Colin Mahony and Mastercard's Aditi Sawhney kept returning to at RiskX Singapore 2026, in a conversation produced by Miss Cyber Penny with Jane Lo on the convergence of cyber and financial crime.

Sawhney put the shift plainly. Mastercard has spent years securing the transaction, and realized it had to go much broader, because fraud is now an ecosystem problem where cyber, identity, and payments come together and the fraudulent transaction is only the final outcome.

Mastercard secures the transaction. The attack happens everywhere else.

The reason fraud thrives across that ecosystem is partly organizational. The cyber team sees phishing infrastructure, credential dumps, and dark web activity. The fraud team sees suspicious transactions, common points-of-purchase, and chargeback patterns. Each works from its own view of an attack that was built to cross both.

Sawhney noted that customers feel the importance of cyber and fraud fusion, but the teams still sit in silos, and even when they want to collaborate they do not yet share a common language. The work, on both the Mastercard and Recorded Future sides, is connecting the dots between threat intelligence and network data so the two views become one.

There is a maturity gap underneath this too. Fraud teams have scored transactions for decades, but using external intelligence to get ahead of an attack, rather than react to it, is newer ground for them than for most cyber teams. The constraint is the upstream signal and the tooling to act on it, not the skill of the team.

Two of the examples they gave.

Mahony described one attack from start to finish. A criminal stands up a website that looks like a real merchant, convinces people to enter their card details, and collects the data. Recorded Future can find and help take down the fraudulent domain, and identify the merchant account behind it so that account can be shut down as well. That is intelligence working across domains, cyber and fraud in one motion, so the response is coordinated across the business rather than a single transaction blocked in isolation.

This is one of the signals Recorded Future Payment Fraud collects at the very start of the chain. It continuously analyzes newly registered merchant domains for known indicators of purchase scams and links each one back to the merchant account behind it, so fraud teams can act before customers ever transact. For teams that also run Digital Risk Protection, that same domain can be investigated further and submitted for takedown, turning a detection into a disruption.

Sawhney's example came one step later. By bringing intelligence on cards being tested on the dark web together with network data, issuers can spot a compromised card and act before a fraudulent transaction posts. She called this incremental in the truest sense: it catches things traditional fraud models miss, and it catches them earlier in the chain.

Card testing is one of the latest, and therefore highest-intent, signals that preempt the fraudulent transaction. Payment Fraud continuously monitors the dark web checker services and tester merchants criminals use to validate stolen cards. This enables fraud prevention teams to tighten controls on customer cards transacting with these tester merchants to confirm activity before cash out.

Signals that look unrelated until you connect them.

Mahony's broader point was about correlation. Events that seem unrelated turn out to be tightly connected once you trace how the chain works, and the moment you recognize a signature you have seen before, it tells you where to look next.

That is the job of the Intelligence Graph®: it maps how entities connect, so one recognized signal surfaces the others linked to it. The value does not end at prevention either. The same signals also speed up investigations after the fact, pointing analysts to the bulletproof hosting and dark web malware behind an attack.

AI lowered the price of an attack.

Mahony was blunt about the economics: attackers are unregulated, they adopt new tools freely, and it no longer takes much money to launch an attack. AI lets them study a target's psychology and personalize believable scams at scale.

The same acceleration shows up in the tooling attackers use to compromise merchant sites, and it flows straight into payments. Recorded Future's 2025 Payment Fraud Intelligence Report found that ready-made e-skimmer kits and malware-as-a-service offerings lowered the barrier to entry for digital skimming, the malicious code injected into a checkout page to steal card data as customers enter it. More than 10,500 of these Magecart infections were active over the year, likely compromising more than 23 million online transactions.

Payment Fraud monitors legitimate merchant sites daily for these infections and records how long each exposure window stays open. For teams using Cyber Operations, that fraud signal can be the start of a cyber investigation: automated threat hunting against the infected infrastructure and deeper malware analysis in Sandbox.

Defending at this pace means using AI on the defensive side as well. Mahony described automating the work analysts used to do by hand, matching signatures, deploying hunts into security controls, and surfacing exactly what was found in a customer's environment so they can act. He shared a telling detail: some customers who had no interest in autonomous threat hunting came back six months after launch saying they simply need it.

He also framed speed as the new baseline. Recorded Future is learning from how quickly Mastercard has to clear or decline a transaction, because security operations are heading toward that same standard, with AI triaging the noise so analysts are not reviewing every alert by hand.

What success looks like.

Both were careful about how to measure this. Nobody is eliminating fraud, Sawhney said; the goal is to help customers recover and perform better. Success is fraud prevented, but it is also precision: fewer false positives, the right transactions allowed through, and customers able to keep spending while protection runs in the background.

Mahony made the same point from the security side. Success is speeding business up and earning trust, and fitting intelligence into the controls and systems a team already uses rather than becoming another bottleneck.

Both also pushed on who gets protected. The institutions that can operationalize this intelligence today are mostly large banks with mature, proactive fraud teams, yet smaller businesses, newer payment channels, and more exposed communities need it just as much. Sawhney made the case for growth that is inclusive, and noted that channels differ in the protection they carry: card rails come with dispute and chargeback frameworks that newer, faster rails often do not, and those gaps get exploited.

Fraud is borderless, and so is the defense.

Fraud does not respect regions, Mahony said, and neither does prevention. When an attack surfaces in one part of the world, it lands in the Intelligence Graph® and every Recorded Future user can see what happened and prepare for the same pattern in a different market or industry.

Sawhney detailed what coordinated defense looks like in practice. Recorded Future brings threat intelligence to law enforcement and governments, and Mastercard helped found the Global Anti-Scam Alliance, where it holds the chairmanship and has set up chapters across regions to bring technology companies, telecoms, and governments together.

Twelve months from now.

Asked what they hoped to see in a year, both answered in terms of getting ahead. Mahony wants autonomous threat operations to be the norm, the way the once-skeptical customers now treat them. Sawhney wants the connection between cyber, identity, and fraud to be stronger, and proven out in more markets.

The transaction was always the last step. The work now is reclaiming the chain that comes before it.

See it in action.

See how Recorded Future Payment Fraud helps fraud teams act on pre-monetization signals, from scam and Magecart merchant detection to dark web card monitoring and checker activity: request a demo.