ATO vs crypto theft
victim reports account compromise. case A is ATO: credential stuffing, SIM swap, mailbox rules, and identity-provider session anomalies. case B is crypto theft: approve-for-all tx, sweeper bot, or malicious dapp in browser history. the wrong call sends you to okta-log-analyzer when you need ethereum-tx-decoder, or has you resetting passwords while the on-chain approval has already moved the funds.
primary tools · side by side
ordered entry points from the case-type taxonomy. highlighted rows appear in both case types' editorial tool lists.
account takeover (ATO)
credential stuffing → SIM swap → password reset chain → exfil. evidence lives in identity-provider logs, mailbox rules, and session artifacts.
- 01 · okta log analyzer: okta system log json · timeline · suspicious · mfa fatigue · tor/proxy · users · ips · policy · csv export · runs locally
- 02 · o365 audit log parser: unified audit log json · timeline · suspicious · users · ips · mailbox · inbox rules · csv export · runs locally
- 03 · office365 audit log analyzer: drop m365 unified audit log json or csv · flag inbox forward rules · mailbox forwarding · bulk downloads · global admin role adds · high-scope consent · audit log disabled · runs locally
- 04 · microsoft 365 unified audit log analyzer: drop m365 unified audit log csv or json export · parse all audit events across exchange, sharepoint, teams, onedrive and azure ad · surface suspicious operations, privilege changes and data access events · reconstruct user activity timeline · runs locally
- 05 · mail rule parser: drop Outlook rules.dat or Thunderbird msgFilterRules.dat · rule names, conditions, actions · flag suspicious forward/redirect · CSV export · runs locally
- 06 · password spray & brute force detector: drop security evtx csv · analyze authentication failure patterns · detect low-and-slow password spray · high-speed brute force · credential stuffing patterns · flag attacker ips · runs locally
- 07 · credential artifact scanner: drop a memory dump · scan for plaintext credentials · NTLM hashes · OAuth tokens · API keys · session cookies · Base64 secrets · export CSV · runs locally
- 08 · sim swap artifact forensic detector: detect evidence of SIM swapping across devices, carriers, or subscriber records · runs locally
crypto theft / wallet drain
approve-for-all phishing, sweeper bots, malicious dapps, drained hot wallets. evidence is a tx graph + the malicious contract bytecode + browser history.
- 01 · ethereum transaction decoder: paste raw ethereum transaction hex · rlp decode · from, to, value, gas · erc20 calldata · runs locally
- 02 · bitcoin transaction decoder: paste raw transaction hex · decode inputs, outputs, scripts · fees · locktime · segwit · p2pkh, p2sh, p2wpkh · runs locally
- 03 · crypto tx graph: paste json, csv, or btc hex · directed graph · hub, peel, fan patterns · ascii viz · stats · csv/json export · runs locally
- 04 · crypto transaction graph: drop tx list csv · build adjacency · node/edge counts · export nodes and edges csv · runs locally
- 05 · smart contract bytecode analyzer: paste evm hex · disassemble push/pop · flag delegatecall, selfdestruct · opcode table · runs locally
- 06 · cryptocurrency mixer and tumbler detector: drop bitcoin transaction csv · apply statistical analysis to detect mixing service patterns · equal output detection · timing patterns · coinjoin identification · peel chain vs mixed funds · estimate mixing confidence · runs locally
- 07 · bitcoin address clustering: paste or drop csv · extract btc addresses · common-input heuristic clustering · cluster table · export csv · runs locally
- 08 · private key format detector: paste or drop a key file · identify WIF · hex · PEM · PKCS8 · BIP32 xprv/xpub · Ethereum keystore · validate format only · never derives · runs locally
editorial overlap
disambiguation signals derived from case-type descriptions and common practitioner confusion points.
lean toward ATO if you see…
- password spray, SIM swap, or MFA bypass in Okta/Entra logs before downstream wallet activity
- mailbox rule planting or session takeover from new geo/device on email identity
- compromise centered on login telemetry — not standalone malicious contract interaction in browser history
lean toward crypto theft if you see…
- approve-for-all or unlimited token approval in a single on-chain transaction
- sweeper bot or malicious smart-contract bytecode linked from browser/extension history
- wallet drain via phishing signature or dapp — IdP logs clean or secondary to chain event