proof index
36 synthetic reference investigations — each page documents what the engines prove, links to downloadable fixture packs, and lets you build a case binder locally without uploading evidence. verified by npm run check:flagship.
flagship proofs (5)
M2 reference investigations — custom case-binder renderers, published goldens, and full proof narratives.
- ransomware-acme-corp — reference investigation
ACME Corp is a 280-endpoint healthcare MSP serving fourteen small clinics. Initial access came via a phished MFA token against the IT director six days before encryption. Dwell included BloodHound recon, PsExec lateral movement, Cobalt Strike beaconing, shadow-copy deletion, and Veeam backup tampering. Encryption onset was 2026-03-12 02:14 UTC with a BlackCat/ALPHV ransom note. All data is synthetic.
case type: ransomware response · fixture: ransomware-acme-corp
- bec-sterling — reference investigation
Sterling & Associates is a 22-person property management firm. A receivables clerk receives a vendor impersonation email from a lookalike domain with forged reply chain and updated wiring instructions, wiring $84,300 to an attacker account. Eight days earlier the CFO mailbox was compromised via OAuth consent with a malicious invoice forwarding rule. Fully synthetic.
case type: business email compromise (BEC) · fixture: bec-sterling
- sarah-mobile-stalkerware — iOS stalkerware proof
Synthetic iPhone 14 / iOS 17.4 stalkerware-sweep scenario: covert lockdown pairing, supervised configuration profile abuse, and MDM endpoint exfiltration. Fully synthetic.
case type: stalkerware sweep (mobile) · fixture: sarah-ios
- hartmann-cloud-compromise — M365 OAuth consent abuse
Hartmann Logistics is a 180-person freight broker. An attacker sent a rogue OAuth consent link for TeamSync 365 to the COO; the app harvested 23 mailboxes and 320 SharePoint files before Defender flagged anomalous Graph API throughput. Fully synthetic.
case type: cloud account compromise (M365 / Workspace) · fixture: hartmann-cloud-compromise
- miranda-pig-butchering — long-con investment scam
Miranda met David Chen on Hinge, moved to WhatsApp, and was groomed over four months into depositing $148,000 on fake TaiKun Capital USDT staking. Test withdrawal built trust; tax-hold scam triggered realization. On-chain deposits trace to Tornado Cash. Fully synthetic.
case type: pig butchering / long-con investment scam · fixture: miranda-pig-butchering
scenario proofs (31)
one proof page per fixture scenario — methodology article + synthetic pack + npm run check:flagship goldens. sorted alphabetically by case type.
- meridian-ato — credential spray + SIM swap takeover
Meridian Financial Group VP Finance jrodriguez@meridianfg.com was compromised via password spray, SIM swap, Okta MFA push fatigue, password reset, and a hidden external mailbox forward to dropbox@proton.me. Fully synthetic.
case type: account takeover (ATO) · fixture: meridian-ato
- chen-ai-content-dispute — campaign AI authorship dispute
Mixed text, code, and image bundle disputing whether a marketing campaign was human-authored: LLM-like letter, A1111 parameters PNG, stripped social export, ComfyUI workflow artifacts, Copilot-marked code, and GAN-grid synthetic headshot. Fully synthetic.
case type: AI-generated content dispute · fixture: chen-ai-content-dispute
- novak-api-key-leak — git leak → cloud abuse chain
NovaPay ci-deploy-bot key committed to novak-payments-api, force-pushed but recoverable from reflog. Attacker cloned from 198.51.100.77, triggered secret scanning, then IAM escalation + Secrets Manager reads matching k8s export. Fully synthetic.
case type: API key leak / repo compromise · fixture: novak-api-key-leak
- voss-wallet-drain — approve-for-all drainer + sweeper
Alex Voss lost ~$312k after signing an unlimited USDC approve on a fake yield dapp; a sweeper bot drained the MetaMask wallet in 90 seconds. Residual BTC peeled through a CoinJoin-shaped transaction. Fully synthetic.
case type: crypto theft / wallet drain · fixture: voss-wallet-drain
- vega-cryptojacking — dev server XMRig miner
Vega Cloud Hosting dev server vega-dev-01 spiked to 98% CPU after a compromised npm postinstall dropped XMRig with svchost-spawned PowerShell persistence. Stratum traffic to 198.51.100.77:3333 every ~60s plus pool DNS lookups. Fully synthetic.
case type: cryptojacking · fixture: vega-cryptojacking
- ellis-cyberstalking — multi-platform harassment and doxing
The Elena Ellis cyberstalking case: linked ChatGPT/Claude burner accounts, cross-platform entity resolution, authorship match on forum posts, iOS Significant Locations + Google Timeline edits, and lookalike domains. Fully synthetic.
case type: cyberstalking · fixture: ellis-cyberstalking
- ashford-ddos-investigation — edge SYN flood + access log burst
Ashford Edge Hosting origin 203.0.113.50 hit by 198.51.100.0/24 botnet SYN flood, TLS ClientHello cluster, NetFlow v5 talkers, and nginx access log rate anomaly. Fully synthetic.
case type: DDoS investigation · fixture: ashford-ddos-investigation
- arias-deepfake-investigation — anchor impersonation deepfake
Regional news anchor impersonation bundle: PRNU-matched authentic stills, face-swap composite, copy-move scene, GAN-grid synthetic headshot, natural vs spliced voice WAV, and six-frame temporal metrics strip. Fully synthetic.
case type: deepfake investigation (video / audio / image) · fixture: arias-deepfake-investigation
- park-disgruntled-exit — last-day endpoint sabotage
Jordan Park on WS-PARK ran a last-day sabotage chain: mass renames, SDelete/cipher wipes, registry and task/service cleanup, Chrome history gap, and PowerShell Clear-History. Fully synthetic.
case type: disgruntled employee exit · fixture: park-disgruntled-exit
- thorne-document-forgery — contract authenticity dispute
Disputed signed contract package where the PDF shows post-signature incremental edits, Word drafts carry conflicting author/template genealogy, and legacy .doc residue exposes ghost payment text. Fully synthetic.
case type: document forgery / disputed authenticity · fixture: thorne-document-forgery
- grant-election-integrity — election-night spoof + ballot tampering trail
Grant County Elections case GCE-EI-2026-1103 — elections-grantcounty.org spoof email · AI disinfo press release · copy-move ballot composite · synthetic ballot PNG · JPEG metadata drift on precinct 14 scan. Fully synthetic.
case type: election integrity investigation · fixture: grant-election-integrity
- quinn-equity-grant-audit — unauthorized grant + 409A manipulation cluster
Quinn Ventures audit QEQ-2026-0510 on grant GQ-2026-118 for E-77203 from 198.51.100.77 · Carta/Shareworks unauthorized changes · 409A FMV retro revision · vesting backdate · exercise/payroll mismatch. Fully synthetic.
case type: equity grant / cap table investigation · fixture: quinn-equity-grant-audit
- lyons-global-mobility-audit — unauthorized assignment + tax abuse cluster
Lyons Global audit LGM-2026-0615 on assignment ASG-2026-441 for E-44108 from 198.51.100.92 · Topia/Cartus unauthorized changes · tax equalization gross-up inflation · relocation cost overrun · payroll reimbursement mismatch. Fully synthetic.
case type: global mobility / relocation audit · fixture: lyons-global-mobility-audit
- fischer-healthcare-breach — PHI exfil + audit gap cluster
Fischer Regional Clinic breach: DICOM PHI tags, Access registry export, M365 SharePoint downloads from 198.51.100.44, security EVTX gap with audit cleared, PACS SIEM silence, tampered audit trail export, chain-of-custody gaps. Fully synthetic.
case type: healthcare data breach · fixture: fischer-healthcare-breach
- vance-hr-platform-audit — unauthorized HCM job changes + onboarding skip
Vance Holdings audit VHR-2026-0415 on E-55102 job title drift across Workday, SuccessFactors, and Oracle HCM from 198.51.100.66 · headcount mismatch · onboarding background-check task skipped before provisioning. Fully synthetic.
case type: HR platform audit / HCM integrity · fixture: vance-hr-platform-audit
- kline-insider-exfil — departing engineer IP theft
Kline Robotics engineer jchen staged IP exfiltration in his final three weeks — USB copies, cross-department file access, copy-paste to personal email, and credential reuse onto admin file shares. Fully synthetic.
case type: insider threat / data exfiltration · fixture: kline-insider-exfil
- brooks-ipv-tech — partner tracking / coercive tech trail
Brooks IPV case BRV-IPV-2026-0612 on S. Brooks — Google Timeline contradicting shelter alibi · AirTag-class Bluetooth pairings · coercive home Wi-Fi credentials · iOS/Android location history + significant places. Fully synthetic.
case type: intimate partner violence — tech trail · fixture: brooks-ipv-tech
- cole-invoice-fraud — vendor lookalike + tampered invoice PDF
Cole Manufacturing AP wired $127,450 on COLE-INV-7721 after apex-industrlal.com lookalike thread and incremental PDF remittance edit. Legitimate apexindustrial.com baseline included. Fully synthetic.
case type: invoice fraud / vendor account change · fixture: cole-invoice-fraud
- walsh-lost-stolen-device — post-recovery device triage
Emma Walsh lost an iPhone 15 and Pixel 7 at the airport; police returned them from a finder who paired the iPhone and authorized ADB on the Pixel. Find My remote wipe, Android factory reset logs, post-return app uninstall burst, and overlapping cloud logons from owner vs finder IP space. Fully synthetic.
case type: lost or stolen device · fixture: walsh-lost-stolen-device
- rivera-mobile-triage — consent-based phone triage
DV advocate intake for Alex Rivera — iOS backup manifest, spotlight shelter searches, mass messaging-app uninstalls, screen-time spike, and Android tracker backup residue. Fully synthetic.
case type: mobile device triage (consent-based) · fixture: rivera-mobile-triage
- brennan-payroll-fraud — ghost employee + routing swap cluster
Brennan Corp ghost employee E-88421 paid after termination · ADP/Workday routing change by svc-payroll-admin from 198.51.100.88 · WFM overtime inflation · HCM headcount mismatch. Fully synthetic.
case type: payroll fraud / ghost employee · fixture: brennan-payroll-fraud
- northwind-phishing-campaign — two-wave credential lure
Northwind Manufacturing AP clerk targeted by Microsoft 365 + Apple ID phishing waves with URL shorteners, MIME-mismatch attachment, and obfuscated kit JavaScript. Fully synthetic.
case type: phishing campaign investigation · fixture: northwind-phishing-campaign
- foster-romance-scam — Bumble-to-payment grooming
Natalie Foster matched James Cole on Bumble; chat moved to WhatsApp and Telegram with fake military contractor persona. Venmo and Cash App payment trail ($11k) plus A1111-parameter profile PNG. Fully synthetic.
case type: romance scam · fixture: foster-romance-scam
- hayes-sextortion — email + mobile threat + BTC demand
Morgan Hayes was sextorted via a burner email and iMessage/WhatsApp threads using AI-generated intimate imagery and a face-swap still; artifacts include deleted iMessage records in sms.db and a BTC peel payment path. Fully synthetic.
case type: sextortion · fixture: hayes-sextortion
- reed-smart-home-compromise — multi-vendor IoT intrusion cluster
Jordan Reed's smart home was abused while Reed was traveling: Alexa unlock commands, Google Home guest lock add, HomeKit geofence plist, Ring motion + live view, Nest unfamiliar face, August guest code at 03:22 UTC, thermostat away override, and a rogue Samsung TV account. Fully synthetic.
case type: smart home compromise · fixture: reed-smart-home-compromise
- sarah-android — sideloaded accessibility-abuse stalkerware
Synthetic Pixel 7 / Android 14 scenario. Abuser sideloaded Family Locator Pro — renamed, icon-hidden stalkerware with accessibility, notification listener, device admin, and background location exfil. Includes burner-app residue. No real victim.
case type: stalkerware sweep (mobile) · fixture: sarah-android
- helix-supply-chain-compromise — CI build pipeline poison
Helix Analytics updater build compromised — timestomped PE artifacts, trojanized build agent source, and YARA-detectable backdoor strings in signed release path. Fully synthetic.
case type: supply chain compromise · fixture: helix-supply-chain-compromise
- grayson-tech-support-scam — fake Microsoft pop-up remote access
Margaret Grayson called a fake Microsoft support line after a full-screen alert; operator connected via RDP from 203.0.113.88, installed AnyDesk and a malicious Chrome extension, ran obfuscated PowerShell, cleared Terminal Services logs, and pushed gift-card payments. KAPE triage collected next day. Fully synthetic.
case type: tech support scam · fixture: grayson-tech-support-scam
- hughes-trade-secret-theft — USB/CAD exfil before competitor exit
Hughes Biotech HBT-TS-2026-0552 on R. Navarro (E-55201) copying customer-list.xlsx + HughesCAD core.dll to E: and personal cloud · shellbags/jump lists · LNK deleted-target correlation · confidential print job. Fully synthetic.
case type: trade secret / IP theft · fixture: hughes-trade-secret-theft
- morgan-whistleblower-retaliation — ethics dismissal + retaliation cluster
Morgan Industries Navex report NAV-2026-0312 dismissed without committee · PIP and HCM demotion on E-22901 within 17 days · HR Acuity ER-22901 and ServiceNow HRSD-884 closed from 198.51.100.55. Fully synthetic.
case type: whistleblower / retaliation investigation · fixture: morgan-whistleblower-retaliation
- parker-workplace-harassment — Slack/Teams/email harassment cluster
Parker Corp HR case PKR-HR-2026-0418 on D. Mitchell hostile Slack #hr-policy and Teams messages targeting E-33017 · deleted DM sqlite residue · threaded email PKR-HR-THREAD-001 · anonymous post authorship match. Fully synthetic.
case type: workplace harassment / hostile workplace · fixture: parker-workplace-harassment