[{"slug":"ransomware-acme-corp","caseTypeSlug":"ransomware-response","description":"ACME Corp is a 280-endpoint healthcare MSP serving fourteen small clinics. Initial access came via a phished MFA token against the IT director six days before encryption. Dwell included BloodHound recon, PsExec lateral movement, Cobalt Strike beaconing, shadow-copy deletion, and Veeam backup tampering. Encryption onset was 2026-03-12 02:14 UTC with a BlackCat/ALPHV ransom note. All data is synthetic."},{"slug":"bec-sterling","caseTypeSlug":"bec","description":"Sterling & Associates is a 22-person property management firm. A receivables clerk receives a vendor impersonation email from a lookalike domain with forged reply chain and updated wiring instructions, wiring $84,300 to an attacker account. Eight days earlier the CFO mailbox was compromised via OAuth consent with a malicious invoice forwarding rule. Fully synthetic."},{"slug":"sarah-ios","caseTypeSlug":"stalkerware-sweep","description":"Synthetic iPhone 14 / iOS 17.4 scenario. An abuser had brief physical access, installed a supervised configuration profile via lockdown pairing (EscrowBag present), then unpaired. Profile persists and exfiltrates location/screen-time data to a synthetic MDM endpoint. No real victim."},{"slug":"sarah-android","caseTypeSlug":"stalkerware-sweep","description":"Synthetic Pixel 7 / Android 14 scenario. Abuser sideloaded Family Locator Pro — renamed, icon-hidden stalkerware with accessibility, notification listener, device admin, and background location exfil. Includes burner-app residue. No real victim."},{"slug":"hartmann-cloud-compromise","caseTypeSlug":"cloud-account-compromise","description":"Hartmann Logistics is a 180-person freight broker. An attacker sent a rogue OAuth consent link for TeamSync 365 to the COO; the app harvested 23 mailboxes and 320 SharePoint files before Defender flagged anomalous Graph API throughput. Fully synthetic."},{"slug":"miranda-pig-butchering","caseTypeSlug":"pig-butchering","description":"Miranda met David Chen on Hinge, moved to WhatsApp, and was groomed over four months into depositing $148,000 on fake TaiKun Capital USDT staking. Test withdrawal built trust; tax-hold scam triggered realization. On-chain deposits trace to Tornado Cash. Fully synthetic."},{"slug":"meridian-ato","caseTypeSlug":"ato","description":"Meridian Financial Group VP Finance jrodriguez@meridianfg.com was compromised via password spray, SIM swap, Okta MFA push fatigue, password reset, and a hidden external mailbox forward to dropbox@proton.me. Fully synthetic."},{"slug":"voss-wallet-drain","caseTypeSlug":"crypto-theft","description":"Alex Voss lost ~$312k after signing an unlimited USDC approve on a fake yield dapp; a sweeper bot drained the MetaMask wallet in 90 seconds. Residual BTC peeled through a CoinJoin-shaped transaction. Fully synthetic."},{"slug":"kepler-runaway-agent","caseTypeSlug":"ai-agent-runaway","description":"Kepler Insurance fictional SRE deploy: read-only S3 enumeration agent drifts into kepler-payments-prod get-object exfil and hourly lambda cron persistence in 8.5 minutes. Seven primary engines: tool-call trace · prompt-vs-action divergence · accountability · credential handling · MCP call graph · persistence · network exfil. Fully synthetic."},{"slug":"kline-insider-exfil","caseTypeSlug":"insider-threat","description":"Kline Robotics engineer jchen staged IP exfiltration in his final three weeks — USB copies, cross-department file access, copy-paste to personal email, and credential reuse onto admin file shares. Fully synthetic."},{"slug":"northwind-phishing-campaign","caseTypeSlug":"phishing-campaign","description":"Northwind Manufacturing AP clerk targeted by Microsoft 365 + Apple ID phishing waves with URL shorteners, MIME-mismatch attachment, and obfuscated kit JavaScript. Fully synthetic."},{"slug":"helix-supply-chain-compromise","caseTypeSlug":"supply-chain-compromise","description":"Helix Analytics updater build compromised — timestomped PE artifacts, trojanized build agent source, and YARA-detectable backdoor strings in signed release path. Fully synthetic."},{"slug":"rivera-mobile-triage","caseTypeSlug":"mobile-triage","description":"DV advocate intake for Alex Rivera — iOS backup manifest, spotlight shelter searches, mass messaging-app uninstalls, screen-time spike, and Android tracker backup residue. Fully synthetic."},{"slug":"thorne-document-forgery","caseTypeSlug":"document-forgery","description":"Disputed signed contract package where the PDF shows post-signature incremental edits, Word drafts carry conflicting author/template genealogy, and legacy .doc residue exposes ghost payment text. Fully synthetic."},{"slug":"chen-ai-content-dispute","caseTypeSlug":"ai-content-dispute","description":"Mixed text, code, and image bundle disputing whether a marketing campaign was human-authored: LLM-like letter, A1111 parameters PNG, stripped social export, ComfyUI workflow artifacts, Copilot-marked code, and GAN-grid synthetic headshot. Fully synthetic."},{"slug":"arias-deepfake-investigation","caseTypeSlug":"deepfake-investigation","description":"Regional news anchor impersonation bundle: PRNU-matched authentic stills, face-swap composite, copy-move scene, GAN-grid synthetic headshot, natural vs spliced voice WAV, and six-frame temporal metrics strip. Fully synthetic."},{"slug":"walsh-lost-stolen-device","caseTypeSlug":"lost-stolen-device","description":"Emma Walsh lost an iPhone 15 and Pixel 7 at the airport; police returned them from a finder who paired the iPhone and authorized ADB on the Pixel. Find My remote wipe, Android factory reset logs, post-return app uninstall burst, and overlapping cloud logons from owner vs finder IP space. Fully synthetic."},{"slug":"foster-romance-scam","caseTypeSlug":"romance-scam","description":"Natalie Foster matched James Cole on Bumble; chat moved to WhatsApp and Telegram with fake military contractor persona. Venmo and Cash App payment trail ($11k) plus A1111-parameter profile PNG. Fully synthetic."},{"slug":"grayson-tech-support-scam","caseTypeSlug":"tech-support-scam","description":"Margaret Grayson called a fake Microsoft support line after a full-screen alert; operator connected via RDP from 203.0.113.88, installed AnyDesk and a malicious Chrome extension, ran obfuscated PowerShell, cleared Terminal Services logs, and pushed gift-card payments. KAPE triage collected next day. Fully synthetic."},{"slug":"vega-cryptojacking","caseTypeSlug":"cryptojacking","description":"Vega Cloud Hosting dev server vega-dev-01 spiked to 98% CPU after a compromised npm postinstall dropped XMRig with svchost-spawned PowerShell persistence. Stratum traffic to 198.51.100.77:3333 every ~60s plus pool DNS lookups. Fully synthetic."},{"slug":"park-disgruntled-exit","caseTypeSlug":"disgruntled-exit","description":"Jordan Park on WS-PARK ran a last-day sabotage chain: mass renames, SDelete/cipher wipes, registry and task/service cleanup, Chrome history gap, and PowerShell Clear-History. Fully synthetic."},{"slug":"ellis-cyberstalking","caseTypeSlug":"cyberstalking","description":"Elena Ellis cyberstalked via linked ChatGPT/Claude burner accounts, cross-platform entity resolution, authorship match on forum posts, iOS Significant Locations + Google Timeline edits, and lookalike domains. Fully synthetic."},{"slug":"hayes-sextortion","caseTypeSlug":"sextortion","description":"Morgan Hayes sextorted via burner email, iMessage/WhatsApp threads, AI-generated intimate imagery + face-swap still, deleted iMessage artifacts in sms.db, and a BTC peel payment path. Fully synthetic."},{"slug":"reed-smart-home-compromise","caseTypeSlug":"smart-home-compromise","description":"Jordan Reed's smart home abused while traveling: Alexa unlock commands, Google Home guest lock add, HomeKit geofence plist, Ring motion + live view, Nest unfamiliar face, August guest code at 03:22 UTC, thermostat away override, rogue Samsung TV account. Fully synthetic."},{"slug":"novak-api-key-leak","caseTypeSlug":"api-key-leak","description":"NovaPay ci-deploy-bot key committed to novak-payments-api, force-pushed but recoverable from reflog. Attacker cloned from 198.51.100.77, triggered secret scanning, then IAM escalation + Secrets Manager reads matching k8s export. Fully synthetic."},{"slug":"fischer-healthcare-breach","caseTypeSlug":"healthcare-breach","description":"Fischer Regional Clinic breach: DICOM PHI tags, Access registry export, M365 SharePoint downloads from 198.51.100.44, security EVTX gap with audit cleared, PACS SIEM silence, tampered audit trail export, chain-of-custody gaps. Fully synthetic."},{"slug":"ashford-ddos-investigation","caseTypeSlug":"ddos-investigation","description":"Ashford Edge Hosting origin 203.0.113.50 hit by 198.51.100.0/24 botnet SYN flood, TLS ClientHello cluster, NetFlow v5 talkers, and nginx access log rate anomaly. Fully synthetic."},{"slug":"cole-invoice-fraud","caseTypeSlug":"invoice-fraud","description":"Cole Manufacturing AP wired $127,450 on COLE-INV-7721 after apex-industrlal.com lookalike thread and incremental PDF remittance edit. Legitimate apexindustrial.com baseline included. Fully synthetic."},{"slug":"brennan-payroll-fraud","caseTypeSlug":"payroll-fraud","description":"Brennan Corp ghost employee E-88421 paid after termination · ADP/Workday routing change by svc-payroll-admin from 198.51.100.88 · WFM overtime inflation · HCM headcount mismatch. Fully synthetic."},{"slug":"morgan-whistleblower-retaliation","caseTypeSlug":"whistleblower-retaliation","description":"Morgan Industries Navex report NAV-2026-0312 dismissed without committee · PIP and HCM demotion on E-22901 within 17 days · HR Acuity ER-22901 and ServiceNow HRSD-884 closed from 198.51.100.55. Fully synthetic."},{"slug":"vance-hr-platform-audit","caseTypeSlug":"hr-platform-audit","description":"Vance Holdings audit VHR-2026-0415 on E-55102 job title drift across Workday, SuccessFactors, and Oracle HCM from 198.51.100.66 · headcount mismatch · onboarding background-check task skipped before provisioning. Fully synthetic."},{"slug":"quinn-equity-grant-audit","caseTypeSlug":"equity-grant-audit","description":"Quinn Ventures audit QEQ-2026-0510 on grant GQ-2026-118 for E-77203 from 198.51.100.77 · Carta/Shareworks unauthorized changes · 409A FMV retro revision · vesting backdate · exercise/payroll mismatch. Fully synthetic."},{"slug":"lyons-global-mobility-audit","caseTypeSlug":"global-mobility-audit","description":"Lyons Global audit LGM-2026-0615 on assignment ASG-2026-441 for E-44108 from 198.51.100.92 · Topia/Cartus unauthorized changes · tax equalization gross-up inflation · relocation cost overrun · payroll reimbursement mismatch. Fully synthetic."},{"slug":"parker-workplace-harassment","caseTypeSlug":"workplace-harassment","description":"Parker Corp HR case PKR-HR-2026-0418 on D. Mitchell hostile Slack #hr-policy and Teams messages targeting E-33017 · deleted DM sqlite residue · threaded email PKR-HR-THREAD-001 · anonymous post authorship match. Fully synthetic."},{"slug":"k12-cyberbullying-flatridge-middle","caseTypeSlug":"school-cyberbullying","description":"Flat Ridge Middle School case FRMS-IR-2026-0412 on google chat space frms-7b-lunch targeting casey wren · gaggle severity ladder + bark concern levels · doctored screenshot genealogy metadata only · powerschool discipline audit through restorative conference. Fully synthetic."},{"slug":"wire-fraud-at-closing-oakwood-estates","caseTypeSlug":"wire-fraud-at-closing","description":"Harrington Title case HTE-WF-2026-0518 on Oakwood Estates file HTE-2026-0518 — spoofed escrow wire email · wire-instruction PDF revision metadata · Qualia Shield bank change + disbursement approval · DocuSign Corrected on wire_instructions after send · MT103 to fraud beneficiary. Fully synthetic."},{"slug":"oakwood-vacant-lot-deed-forgery","caseTypeSlug":"title-fraud-deed-forgery","description":"Harrington Title file HTE-2026-0518-DF on parcel 47-1245-1138 (12 Oakwood Estates Court · Maricopa AZ) — true owner Eleanor Whitfield inherited a vacant lot in 2019, lived out-of-state, and discovered a forged 2026 quitclaim to Oakwood Holdings LLC followed by an arms-length resale to Patel Properties LLC. CoreLogic DataTree deed history, spoofed seller email thread, and incremental quitclaim instrument PDF (author drift · no /Sig dictionaries). Fully synthetic."},{"slug":"orchid-mcp-server-compromise","caseTypeSlug":"mcp-server-compromise","description":"Orchid Research Collective orchid-lab-db-mcp on mcp-orchid-01 — ten-minute window 2026-05-18 where supply-chain tamper replaces the server binary, registers inventory.export_bulk, grants /var/export, diverges client/server tool_call_id tc-00011, rewrites two tool-result payloads, and invokes postgres.copy_to the client never requested. Fully synthetic."},{"slug":"ltc-ombudsman-referral-riverside-manor","caseTypeSlug":"nursing-home-records-audit","description":"Riverside Manor ombudsman referral RM-OMB-2026-0312 on resident RES-88421 — break-glass PointClickCare access · cross-resident staff billing exports · MatrixCare progress_note revision hash drift · ALIS visitor check-in after hours. Fully synthetic."},{"slug":"hughes-trade-secret-theft","caseTypeSlug":"trade-secret-theft","description":"Hughes Biotech HBT-TS-2026-0552 on R. Navarro (E-55201) copying customer-list.xlsx + HughesCAD core.dll to E: and personal cloud · shellbags/jump lists · LNK deleted-target correlation · confidential print job. Fully synthetic."},{"slug":"brooks-ipv-tech","caseTypeSlug":"ipv-tech","description":"Brooks IPV case BRV-IPV-2026-0612 on S. Brooks — Google timeline contradicting shelter alibi · AirTag-class bluetooth pairings · coercive home Wi-Fi credentials · iOS/Android location history + significant places. Fully synthetic."},{"slug":"grant-election-integrity","caseTypeSlug":"election-integrity","description":"Grant County Elections case GCE-EI-2026-1103 — elections-grantcounty.org spoof email · AI disinfo press release · copy-move ballot composite · synthetic ballot PNG · JPEG metadata drift on precinct 14 scan. Fully synthetic."}]