Welcome to the Future of Threat Intelligence podcast, where we explore the transformative shift from reactive detection to proactive threat management. Join us as we engage with top cybersecurity leaders and practitioners, uncovering strategies that empower organizations to anticipate and neutralize threats before they strike. Each episode is packed with actionable insights, helping you stay ahead of the curve and prepare for the trends and technologies shaping the future.
Team Cymru's Threat Researchers on Operation Endgame Intelligence
Future of Threat Intelligence
27 minutes
3 months ago
Team Cymru's threat researchers have spent years developing an almost psychological understanding of cybercriminals, tracking their behavioral patterns alongside technical infrastructure to predict where attacks will emerge before they happen. Josh and Abigail share with David how their multi-year tracking of Russian cybercrime groups enabled critical contributions to Operation Endgame. Their work demonstrates how sustained intelligence gathering creates opportunities for law enforcement victories that reactive security cannot achieve.
Drawing from Josh's eight years at Team Cymru and background in law enforcement national security investigations, and Abigail's specialization in Russian cybercrime tracking, they reveal how NetFlow telemetry provides unprecedented visibility into criminal operations. Their approach goes far beyond traditional indicator-based threat intelligence, focusing instead on understanding the human patterns that drive criminal infrastructure deployment and management.
Topics discussed:
The evolution of Team Cymru's threat research mission from ad hoc investigations to formalized self-tasking teams.
How NetFlow telemetry enables upstream infrastructure mapping that reveals criminal backend systems invisible to traditional security tools.
The behavioral analysis techniques that distinguish between different criminal operators based on work schedules, personal browsing habits, and infrastructure access patterns.
Why collaboration between private sector researchers and law enforcement requires transparency and trust-building rather than hoarding intelligence behind restrictive sharing classifications.
How Operation Endgame demonstrated the effectiveness of combining multiple organizational perspectives on the same threats, with each contributor providing unique visibility into different attack components.
The difficulty of measuring success in threat research when outcomes depend on external decision-makers and sensitive operations may never publicly acknowledge private sector contributions.
Why financially motivated threat actors are shifting from mass spray-and-pray campaigns to more targeted, higher-payout operations.
How click-fix attacks exploit human psychology by convincing victims to execute malicious commands themselves.
The dual-edged impact of AI on cybercrime, lowering barriers to entry for malicious actors while simultaneously enabling more sophisticated social engineering and automation capabilities.
Why security awareness training must evolve beyond identifying typos and obvious phishing indicators to address AI-generated content and sophisticated impersonation techniques.
Key Takeaways:
Build long-term tracking capabilities that focus on understanding threat actor behavior patterns rather than chasing individual indicators or campaigns.
Implement NetFlow telemetry analysis to identify upstream infrastructure connections that reveal criminal backend systems before they're deployed operationally.
Develop collaborative relationships with law enforcement and private sector partners based on transparency and shared mission objectives.
Create threat research teams with self-tasking authority to focus on societally important threats rather than customer-driven priorities that may miss critical criminal activity.
Establish behavioral profiling techniques that distinguish between different criminal operators based on work patterns, personal interests, and infrastructure access methods.
Invest in sustained intelligence gathering capabilities that track threat actors across multiple campaigns and infrastructure changes over extended periods.
Prepare for the increasing sophistication of click-fix attacks by educating users about command execution risks and implementing controls that detect suspicious copy-paste activities.
Develop AI-aware security awareness training that addresses deepfake voice calls, sophisticated impersonation techniques, and realistic-looking malicious websites.
Build m
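The two techniques the episode keeps returning to, pivoting upstream from a known command-and-control address through flow telemetry and profiling the hours at which an operator administers it, can be shown on a handful of records. The example below is added here for illustration; it is not Team Cymru's tooling or data. The flow records, addresses (all from the reserved documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24) and timestamps are constructed, and the "noise" and "admin" port sets are assumptions an analyst would tune to their own telemetry.

```python
"""Upstream pivot and operator hour-of-day profile over NetFlow-style records.

Added example with constructed data; not Team Cymru's code or telemetry.
"""
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed flow records: (start time UTC, src, sport, dst, dport, proto, bytes).
# 203.0.113.10 plays the known C2 (documentation range, not a real actor).
FLOWS = [
    # victims beaconing in to the C2 on 443
    ("2024-03-04T09:12:00Z", "198.51.100.21", 51234, "203.0.113.10", 443, "tcp", 1200),
    ("2024-03-04T09:15:00Z", "198.51.100.37", 50002, "203.0.113.10", 443, "tcp", 900),
    ("2024-03-04T10:01:00Z", "198.51.100.52", 49211, "203.0.113.10", 443, "tcp", 1100),
    # the C2 itself reaching *upstream* to a backend panel and a second host
    ("2024-03-04T09:13:00Z", "203.0.113.10", 40001, "192.0.2.77", 8443, "tcp", 52000),
    ("2024-03-04T10:02:00Z", "203.0.113.10", 40002, "192.0.2.77", 8443, "tcp", 48000),
    ("2024-03-04T11:30:00Z", "203.0.113.10", 40003, "192.0.2.90", 22, "tcp", 6000),
    # routine noise from the C2: NTP and DNS, present on almost any host
    ("2024-03-04T09:00:00Z", "203.0.113.10", 123, "192.0.2.1", 123, "udp", 76),
    ("2024-03-04T09:00:05Z", "203.0.113.10", 55000, "192.0.2.53", 53, "udp", 90),
    # an operator administering the C2 over SSH on several days
    ("2024-03-04T07:05:00Z", "192.0.2.200", 53011, "203.0.113.10", 22, "tcp", 30000),
    ("2024-03-05T06:40:00Z", "192.0.2.200", 53012, "203.0.113.10", 22, "tcp", 25000),
    ("2024-03-06T07:20:00Z", "192.0.2.200", 53013, "203.0.113.10", 22, "tcp", 28000),
    ("2024-03-07T14:10:00Z", "192.0.2.200", 53014, "203.0.113.10", 22, "tcp", 4000),
]

NOISE_PORTS = {53, 123}      # assumed: services nearly every host talks to
ADMIN_PORTS = (22, 3389)     # assumed: ports an operator uses to manage a box


def parse_flow(rec):
    """Turn one constructed tuple into a dict with an aware UTC timestamp."""
    ts, src, sport, dst, dport, proto, nbytes = rec
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "src": src, "sport": sport, "dst": dst, "dport": dport,
        "proto": proto, "bytes": nbytes,
    }


def upstream_peers(records, seed, noise_ports=NOISE_PORTS):
    """Hosts the seed *initiates* connections to.

    Victims connect in to a C2; the C2 connects out to its backend, so the
    outbound direction is the pivot. Returns (dst, dport, flows, bytes)
    sorted by flow count then bytes, with ubiquitous service ports dropped.
    """
    agg = defaultdict(lambda: [0, 0])  # (dst, dport) -> [flow count, bytes]
    for f in map(parse_flow, records):
        if f["src"] != seed or f["dport"] in noise_ports:
            continue
        agg[(f["dst"], f["dport"])][0] += 1
        agg[(f["dst"], f["dport"])][1] += f["bytes"]
    return sorted(
        ((dst, dport, n, b) for (dst, dport), (n, b) in agg.items()),
        key=lambda r: (-r[2], -r[3]),
    )


def admin_sources(records, seed, admin_ports=ADMIN_PORTS):
    """Sources that log in to the seed on administrative ports: candidate operators."""
    c = Counter()
    for f in map(parse_flow, records):
        if f["dst"] == seed and f["dport"] in admin_ports:
            c[f["src"]] += 1
    return c


def hour_profile(records, seed, operator, utc_offset_hours):
    """Hour-of-day histogram of one operator's sessions to the seed, shifted
    into a candidate local timezone. A profile that clusters into working
    hours under one offset and not another is the kind of behavioural
    evidence the episode describes."""
    c = Counter()
    for f in map(parse_flow, records):
        if f["src"] == operator and f["dst"] == seed:
            c[(f["ts"].hour + utc_offset_hours) % 24] += 1
    return c


if __name__ == "__main__":
    seed = "203.0.113.10"
    print("upstream of", seed, "->", upstream_peers(FLOWS, seed))
    for operator, n in admin_sources(FLOWS, seed).items():
        print(operator, "admin sessions:", n)
        for offset in (0, 3):
            print("  hours at UTC%+d:" % offset, dict(hour_profile(FLOWS, seed, operator, offset)))
```

The pivot deliberately ignores who connects *to* the C2 (the victim population) and looks only at what the C2 reaches out to; in real telemetry the candidate list is long, so ranking by flow count and volume after dropping ubiquitous ports is what surfaces a backend panel. The hour profile is only meaningful over weeks of sessions, and a single operator's habits are one signal among many, not an attribution on their own.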