what happened? pick one.
what happened to you? pick one. this page is for crisis arrival — no hero, no tool tour, no warmup. choose the closest match below. each tile links to a methodology guide and the tools to run locally on exports you already have. no upload. no account. close the tab when you're done. fatcousin is not emergency services, counsel, or a managed IR firm — it is a local triage workbench you can verify in devtools.
business email compromise (BEC)
if someone spoofed a vendor email or redirected a wire payment, methodology →
pig butchering / long-con investment scam
if weeks of chat grooming led to a fake crypto exchange and a drained wallet, methodology →
ransomware response
if files are encrypted and there is a ransom note, methodology →
stalkerware sweep (mobile)
if you think someone is watching your phone, methodology →
intimate partner violence — tech trail
if your partner tracks you through shared accounts or location history, methodology →
election integrity investigation
if election messaging or ballot artifacts look tampered, methodology →
account takeover (ATO)
if someone took over an account with password resets and unfamiliar logins, methodology →
crypto theft / wallet drain
if your wallet was drained or you signed a malicious contract, methodology →
insider threat / data exfiltration
if a departing employee may have copied data or abused access, methodology →
phishing campaign investigation
if you need to scope a phishing wave across an organization, methodology →
supply chain compromise
if a package, build, or signed update may be poisoned, methodology →
cloud account compromise (M365 / Workspace)
if a tenant was hit through OAuth abuse, mailbox rules, or admin takeover, methodology →
mobile device triage (consent-based)
if you need a consent-based scan of a phone for the basics, methodology →
workplace harassment / hostile workplace
if you need to preserve slack, teams, or email harassment evidence, methodology →
trade secret / IP theft
if an exiting employee may have taken source, customers, or CAD files, methodology →
document forgery / disputed authenticity
if a PDF, docx, or signature chain looks forged or edited, methodology →
AI-generated content dispute
if you need to dispute whether text, image, or code is AI-generated, methodology →
deepfake investigation (video / audio / image)
if video, audio, or image identity impersonation is in dispute, methodology →
romance scam
if a dating-app relationship turned into money requests, methodology →
tech support scam
if a pop-up led to remote access and gift-card or wire demands, methodology →
cryptojacking
if a machine is mining crypto without authorization, methodology →
lost or stolen device
if a lost phone came back and you need to know what happened on it, methodology →
disgruntled employee exit
if a last-day endpoint shows deletions, USB attach, or sabotage, methodology →
cyberstalking
if harassment spans social accounts, impersonation, and location leaks, methodology →
sextortion
if someone threatens to publish intimate images for payment, methodology →
minor online coercion · youth safety
if a child or teen was coerced into sending images and a payment demand followed, and you need to preserve chat logs locally before reporting, methodology →
creator safety · stalker & NCII
if a client or follower escalated from booking-platform contact to real-world surveillance or off-platform threats and you need a private timeline, methodology →
online doxxing (post-event triage)
if your PII was published and you need post-exposure triage, methodology →
smart home compromise
if a camera, lock, or voice assistant was accessed without consent, methodology →
API key leak / repo compromise
if a leaked repo credential led to cloud abuse or cost spikes, methodology →
healthcare data breach
if PHI exposure or EHR audit gaps need scoping, methodology →
medical device tamper / clinical IoT
if a pump, monitor, or ventilator log shows wrong dose or suppressed alarms, methodology →
DDoS investigation
if you need to scope a volumetric or application-layer attack after the fact, methodology →
invoice fraud / vendor account change
if a paid invoice or vendor bank-detail change looks fraudulent, methodology →
payroll fraud / ghost employee
if direct deposit, ghost employees, or payroll adjustments look wrong, methodology →
whistleblower / retaliation investigation
if an ethics report was followed by termination or adverse action, methodology →
HR platform audit / HCM integrity
if Workday, SuccessFactors, or Oracle HCM audit exports show drift, methodology →
equity grant / cap table investigation
if cap-table or vesting records show unauthorized grant changes, methodology →
global mobility / relocation audit
if relocation or assignment costs look inflated or tampered, methodology →
labor trafficking investigation
if recruiter contracts, wage ledgers, or movement logs suggest debt bondage or forced labor and you need to preserve evidence locally before a referral, methodology →
gig worker payout fraud
if platform payouts, tips, or driver accounts were redirected, methodology →
livestream impersonation / creator takeover
if a creator channel was taken over or impersonated on stream, methodology →
journalist source protection
if journalist or source comms may have been compromised around a sensitive story, methodology →
AI agent runaway action
if an autonomous agent took actions outside its prompt scope, methodology →
LLM prompt injection
if adversarial input — user prompt, RAG chunk, MCP tool result, or uploaded doc — bent an LLM into ignoring its system prompt, methodology →
MCP server compromise
if an MCP server's credentials leaked or its tool definitions were tampered with from the server side, methodology →
report this fraud
if you were scammed and need to file ic3 · ftc · cfpb · or state ag reports but the forms feel impossible, methodology →
school cyberbullying · K–12 IR
if district IT or counsel needs to correlate student monitor alerts with SIS discipline after a harassment disclosure, methodology →
wire fraud at closing · title escrow
if a homebuyer wired earnest money or closing funds to a fraud account and you have escrow email plus title-software exports, methodology →
title fraud · deed forgery
if county record grantee or deed instrument metadata does not match the sale file parties, methodology →
nursing home records audit · LTC exploitation
if a nursing home resident's bank accounts, POA, or caregiver device exports suggest financial exploitation and you need a local records audit binder, methodology →
maritime AIS · sanctions / dark vessel
if insurance or sanctions casework needs marinetraffic · spire · vesselfinder AIS exports correlated for dark vessels, track gaps, or ship-to-ship transfer, case type →