Blog: Shameless Self Promotion

Our capabilities. A story about what we can achieve

Joe Blogs 27 May 2025

Introduction

Over the years we have been fortunate to have been called upon to help with some challenging investigations. iPhone prize scams, ransomware attacks that weren’t, aiding the Steele Dossier case, and even a fraudulent €14 million transfer.

Here we’ve picked out the most interesting ones, showing what our DFIR team can do, and continues to do, day in, day out…

Claydon’s fraud

An elderly person from a village near our HQ was targeted by fraudsters posing as their bank’s fraud team. They contacted us when something felt “off” about their questions.

Our investigation revealed a detail only their bank’s fraud team could have known: the transaction number from a prior support call. This pointed to an insider leak. With our help, they challenged the bank, which refunded their entire savings.

BBC Rip Off Britain

We assisted a victim featured on the BBC’s One Show whose phone had been compromised. Using mobile forensics, we identified a malicious APK disguised as a photo editor. It captured keystrokes and screenshots, recording credentials as the victim logged into their bank. Our report led to a full refund and aired on national television, raising public awareness of mobile malware.

Panama Papers / Port of Antwerp

Working with the investigative journalists behind the Panama Papers, we uncovered a smuggling operation using compromised port workers and automated systems at the Port of Antwerp. Our maritime expertise helped reveal how traffickers flagged containers for “random” inspection diversion. Our findings contributed to multiple arrests and systemic changes in European port security.

The Steele Dossier

During our forensic investigation for Orbis Business Intelligence, we analysed a set of encrypted laptops linked to the Steele Dossier. Among the deleted partitions, we recovered fragments of draft intelligence memos and encrypted comms between multiple intermediaries. Our evidence now forms part of the public record in the related legal proceedings.

€14 Million Theft – Madrid to Hong Kong

An employee at a multinational firm in Madrid was manipulated over WhatsApp by an Organised Crime Group (OCG) posing as senior executives. Over four days, they orchestrated a €14 million transfer to Hong Kong. We were deployed to Madrid, where we forensically imaged the employee’s devices. Our analysis proved they’d been socially engineered using deepfake voice calls and spoofed emails, exonerating the staff member and aiding in Interpol’s ongoing investigation.

Azerbaijan’s Arabian Ghost – The annual climate change conference that nearly didn’t happen

The hacker group “Arabian Ghost” claimed responsibility for cyberattacks targeting several Azerbaijani government websites and telecommunication sites (Critical National Infrastructure). PTP were flown in and worked over 3 weeks straight. These attacks were successfully neutralised without any disruptions to government information systems.

The University Prize Scam

A student thought they’d won an iPhone 13. In reality, they were handed a pre-compromised device by an attacker posing as university staff. After a suspicious call claiming to “verify banking details”, the victim lost a five-figure sum. Our investigation revealed spyware with call-forwarding and banking credential capture, likely installed via custom firmware on the device.

Fleet Management – BEC Investigation

A phishing email led to a Business Email Compromise (BEC) at a vehicle leasing firm. We traced the attack to a fake Microsoft login page which harvested credentials. Our telemetry showed over 500 outbound spam messages attempted within one minute. Defender halted the spread, and we rebuilt their Azure policies with Conditional Access and OAuth protection to prevent recurrence.

The Billing System Breach

A pair of aviation systems in the Caribbean went down simultaneously. The client suspected their vendor. Our network analysis showed outbound traffic to DigitalOcean IPs, and forensic artefacts proved a backdoor had been installed via a custom DLL update. This likely came from a compromised developer pipeline. We advised regulatory reporting and application rebuilding.

Apache Server C2 to Russia

An on-prem Apache server was quietly beaconing out to a C2 server in Russia. Hidden in a deprecated file sharing service, we found a web shell disguised as a PDF generator. This server had evaded detection due to a WAF misconfiguration. We helped transition to CloudFlare, patch legacy systems, and perform a full compromise assessment.

Project Winter – Lynx Ransomware

An extortion threat hit a large financial automation firm. The attackers presented proof pack material including screenshots and internal emails. We traced the entry to an outdated Ivanti VPN, correlated DNS to malware domains (like iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com), and observed 7zip activity linked to data staging. Our rapid response contained the threat, isolated infected servers, and confirmed that no critical data had been leaked — despite ominous warnings from the attackers.

The Forgotten Laptop – HR Leak

An ex-employee’s account was left active for five months after termination. During that time, they remotely accessed the company’s Google Workspace from an AWS-hosted IP, quietly exfiltrating over 2,800 sensitive HR documents. We pinpointed the activity window using Google audit logs and recovered evidence from a long-forgotten company laptop that was finally returned three weeks after we were engaged. HR processes were rebuilt from scratch post-incident.

The Curious Case of DT11349 – Malware Masquerade

A graphic designer’s desktop was behaving oddly. We discovered code.exe sitting in C:\Windows\Tasks, a location requiring admin rights. The binary was masquerading as Visual Studio Code but had been used to tunnel traffic at 4 a.m. on a public holiday. Our timeline analysis showed log wiping, lateral movement, and persistence attempts via scheduled tasks. This was no ordinary infection — we believe it was a foothold by a red team gone rogue, or worse, a nation-state actor testing persistence techniques.

Midnight at the Data Centre – HR’s Laptop Strikes Back

We traced a suspicious connection from an HR staff laptop at 3 a.m., linking to multiple internal assets including the Active Directory controller. The user claimed to have been asleep. Forensics showed the system powered down at 16:52 and came back online during the window — a physical intrusion? Later, analysis uncovered signs of time stomping and spoofed hostnames. We recommended badge system and CCTV correlation. The client’s internal security team had missed the connection.

The Exchange Whisperer

A critical Exchange server was found to be leaking Outlook Web Access data via IIS logs. We confirmed the attacker was using legitimate accounts at odd hours, scripting keep-alive requests and mimicking admin behaviour. A custom 7z archive operation was spotted during our CrowdStrike review, staging a full dump of internal mailboxes. We named the attacker internally “The Whisperer” for their quiet, methodical behaviour. The client quietly rearchitected their mail infrastructure.

The Ransomware That Never Was

We isolated a server after it began compressing huge volumes of internal records using 7za.exe. All signs pointed to ransomware staging — except for one anomaly: no encryption ever took place. Our review revealed this was a panicked junior sysadmin, archiving data for a hardware swap using tools he’d downloaded without approval. Ironically, the containment response delayed the actual migration project by three weeks — but the team gained priceless incident response practice.

Phone, Malware, Action – Prize winner Setup

In a case eerily reminiscent of a “prize scam”, a second victim reported receiving a phone “won” through a social media competition. We imaged the iPhone and discovered an off-market configuration profile that silently installed a remote MDM profile. This granted the attacker root certificate access and complete visibility. Our report was passed to the NCSC. We suspect the devices were distributed via a Telegram-based fraud group running in Eastern Europe.

Ghost in the VPN

Multiple remote desktop sessions were traced back to what we thought were legitimate users. A deeper dive revealed VPN sessions initiated from residential IPs that had never been used before. Logs were missing for a 20-day period — later discovered to be linked to exploitation of a zero-day in a VPN vendor’s client software. We helped the client rotate all access credentials and implement a certificate-based mutual auth system. The compromise might otherwise have persisted for months undetected.

The £1 Million That Wasn’t – Spoofed Invoice Recovery

A UK supplier to a maritime transport firm narrowly avoided a £1 million loss after receiving what looked like a routine invoice from their regular subcontractor. We were brought in just in time. Our analysis showed the attacker had sat in the firm’s mailbox for weeks, watching and learning invoice formats, tone, and email threads. Thanks to a forensic header analysis and timestamp mismatches, we built a case that stopped the transaction hours before release. The bank credited our report as critical to the freeze order.

The Phantom Developer – Silent Saboteur

Two custom applications for the Jamaican civil aviation authority failed simultaneously. Wireshark logs showed outbound traffic to DigitalOcean — a red flag. Our investigation revealed a DLL sideloaded into the billing software by a third-party developer. It wasn’t malware — it was surveillance. The intent was to keep a backdoor open while their contract negotiations dragged on. We advised termination and rolled out behavioural monitoring across all client apps.

Operation Piece Fifteen – The Code in the Tasks Folder

We were called in after NCSC flagged suspicious activity on a workstation in a government organisation. We found code.exe running from C:\Windows\Tasks — a location that normally requires admin access. It was masquerading as Visual Studio Code but turned out to be a custom-built tunnelling utility. RDP sessions, log clearing, lateral movement to an Exchange server, and DNS beacons to fake update domains like iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com painted a picture of a well-planned breach. The attacker cleared their tracks so effectively that we suspect they had blue team experience.

The Ghost Employee – Google Drive Heist

A terminated employee’s account was left active for five months due to HR and IT misalignment. During this time, over 2,800 sensitive internal files were accessed via AWS-hosted infrastructure from the US. We reconstructed timelines using Google Workspace logs and built an evidentiary chain showing repeated credential use long after the employee’s departure. No malware, no backdoors — just good old-fashioned failure of internal process and a very quiet data thief.
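The two leaver cases above (“The Forgotten Laptop” and this one) both came down to reconstructing an activity window from Google Workspace audit logs: when did the old account act after the last working day, from where, and touching how many files. The script below is an added example of that reconstruction, written for this page rather than taken from the original post or from any PTP tooling. The event shape approximates what the Admin SDK Reports API returns for Drive audit records (actor.email, ipAddress, id.time, events[].parameters); the leaver list, the corporate egress range and every event are constructed for the example.

```python
"""Reconstruct the post-termination access window for a leaver's account from
Google Workspace Drive audit events. The record shape approximates the Admin SDK
Reports API (actor.email, ipAddress, id.time, events[]); the leaver list, the
egress range and every event below are constructed for this example."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed inputs: HR leaver list (email -> last working day) and the office egress range.
LEAVERS = {"m.doe@example-corp.com": "2024-11-30"}
CORPORATE_EGRESS = [ipaddress.ip_network("198.51.100.0/24")]


def _drive_event(time, actor, ip, action, title):
    """Build one constructed Drive audit record in the Reports API layout."""
    return {"id": {"time": time}, "actor": {"email": actor}, "ipAddress": ip,
            "events": [{"name": action, "parameters": [{"name": "doc_title", "value": title}]}]}


# Constructed sample: one pre-departure view, three post-departure downloads from a
# non-corporate address, and one unrelated download by a current employee.
CONSTRUCTED_EVENTS = [
    _drive_event("2024-11-28T10:02:11.000Z", "m.doe@example-corp.com", "198.51.100.20", "view", "Q4 headcount.xlsx"),
    _drive_event("2025-01-15T02:14:09.000Z", "m.doe@example-corp.com", "203.0.113.45", "download", "Salary bands 2025.xlsx"),
    _drive_event("2025-01-15T02:14:31.000Z", "m.doe@example-corp.com", "203.0.113.45", "download", "Disciplinary - redacted.pdf"),
    _drive_event("2025-02-03T23:58:47.000Z", "m.doe@example-corp.com", "203.0.113.46", "download", "Exit interviews.docx"),
    _drive_event("2025-01-15T09:30:00.000Z", "k.lee@example-corp.com", "198.51.100.21", "download", "Onboarding checklist.docx"),
]


def _parse_time(ts):
    # Reports API timestamps are UTC with a trailing Z.
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def _is_corporate(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_EGRESS)


def find_post_termination_access(events, leavers=LEAVERS):
    """Per leaver: first/last activity after the last working day, distinct files
    touched, and source IPs, with non-corporate addresses listed separately."""
    # Cutoff is midnight after the last working day, so same-day activity is still expected.
    cutoffs = {email: datetime.strptime(day, "%Y-%m-%d").replace(tzinfo=timezone.utc) + timedelta(days=1)
               for email, day in leavers.items()}
    windows = defaultdict(lambda: {"first": None, "last": None, "files": set(), "ips": set()})
    for ev in events:
        actor = ev["actor"]["email"]
        if actor not in cutoffs:
            continue
        when = _parse_time(ev["id"]["time"])
        if when < cutoffs[actor]:
            continue
        w = windows[actor]
        w["first"] = when if w["first"] is None or when < w["first"] else w["first"]
        w["last"] = when if w["last"] is None or when > w["last"] else w["last"]
        w["ips"].add(ev["ipAddress"])
        for sub in ev["events"]:
            for p in sub.get("parameters", []):
                if p["name"] == "doc_title":
                    w["files"].add(p["value"])
    report = {}
    for actor, w in windows.items():
        report[actor] = {
            "first": w["first"].isoformat(),
            "last": w["last"].isoformat(),
            "days_active_after_leaving": (w["last"] - cutoffs[actor]).days,
            "file_count": len(w["files"]),
            "ips": sorted(w["ips"]),
            "external_ips": sorted(ip for ip in w["ips"] if not _is_corporate(ip)),
        }
    return report


if __name__ == "__main__":
    for actor, summary in find_post_termination_access(CONSTRUCTED_EVENTS).items():
        print(actor, summary)
```

On the constructed data the report shows the leaver active for 64 days after the cutoff, touching three files from two addresses outside the corporate range. Against real exports the same function works unchanged; the only inputs to swap are the leaver list from HR and the egress ranges from the network team, which is exactly the HR/IT join that was missing in both incidents.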

The Disappearing Logs and Extortion Threats

A major financial services provider was warned of a potential data breach by the police. The attackers — believed to be the Lynx ransomware group — supplied screenshots and audio recordings of internal systems as part of a proof pack. When we were brought in, key VPN logs were missing. Our analysis revealed exploitation of an unpatched Ivanti Connect Secure appliance weeks earlier. The attackers had wiped logs and exfiltrated proof before triggering extortion. The client narrowly avoided a full-scale ransomware attack thanks to early detection and hard containment.

The Phisher Who Phoned It In – University Email Compromise

A university staff member clicked a link claiming to contain a “secure document.” It redirected to a fake Microsoft login. Hours later, Microsoft Defender blocked the account as it attempted to send 500 phishing emails. We followed the trail through Microsoft 365 logs and found a forwarding rule routing emails to an obscure Gmail address. MFA hadn’t been enforced for the user, despite holding Global Admin privileges. A lesson in assumptions — and why you don’t wait for licensing to enforce security basics.
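Both BEC write-ups on this page (the fleet management case and this university one) hinge on the same two Microsoft 365 signals: a mailbox rule quietly forwarding mail to an outside address, and a burst of hundreds of outbound messages within a minute. The script below is an added example of hunting for both in exported audit data; it is not code from the original post or from PTP. The record layout approximates the Unified Audit Log (Operation, UserId, ClientIP, a Parameters list of Name/Value pairs), the tenant domain is assumed, and every event is constructed for the example.

```python
"""Hunt for two Business Email Compromise signals in Microsoft 365 audit data:
mailbox rules forwarding to external domains, and outbound send bursts.
The record shape approximates a Unified Audit Log export; every event below is
constructed for this example, not taken from a real tenant."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed tenant domains; anything else counts as external.
INTERNAL_DOMAINS = {"example-university.ac.uk"}
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress"}
HIDING_PARAMS = {"DeleteMessage", "MarkAsRead", "MoveToFolder"}  # options used to hide the rule's effect


def _rule_event(time, user, ip, operation, params):
    """Build one constructed rule-change record with a UAL-style Parameters list."""
    return {"CreationTime": time, "Operation": operation, "UserId": user, "ClientIP": ip,
            "Parameters": [{"Name": k, "Value": v} for k, v in params.items()]}


def _send_events(user, ip, start, count, gap):
    """Build `count` constructed Send records spaced `gap` apart."""
    return [{"CreationTime": (start + i * gap).isoformat(), "Operation": "Send",
             "UserId": user, "ClientIP": ip} for i in range(count)]


CONSTRUCTED_EVENTS = [
    # A rule named "." forwarding to Gmail and deleting the original: the classic BEC pattern.
    _rule_event("2025-05-12T09:14:03", "j.smith@example-university.ac.uk", "203.0.113.7", "New-InboxRule",
                {"Name": ".", "ForwardTo": "smtp:invoices.archive.2025@gmail.com", "DeleteMessage": "True"}),
    # A benign rule forwarding to an internal shared mailbox.
    _rule_event("2025-05-12T09:15:10", "a.jones@example-university.ac.uk", "198.51.100.2", "New-InboxRule",
                {"Name": "Team mail", "ForwardTo": "smtp:shared@example-university.ac.uk"}),
]
# 500 sends inside 50 seconds from the compromised account; 5 sends an hour apart from a normal one.
CONSTRUCTED_EVENTS += _send_events("j.smith@example-university.ac.uk", "203.0.113.7",
                                   datetime(2025, 5, 12, 11, 0, 0), 500, timedelta(milliseconds=100))
CONSTRUCTED_EVENTS += _send_events("a.jones@example-university.ac.uk", "198.51.100.2",
                                   datetime(2025, 5, 12, 11, 0, 0), 5, timedelta(hours=1))


def _recipient_domain(value):
    """Pull the domain out of values like 'smtp:x@y.com' or 'Name [SMTP:x@y.com]'."""
    m = re.search(r"[\w.+-]+@([\w.-]+)", value)
    return m.group(1).lower() if m else None


def find_external_forwarding_rules(events, internal_domains=INTERNAL_DOMAINS):
    """Flag rule or mailbox changes that forward to a domain outside the tenant."""
    findings = []
    for ev in events:
        if ev["Operation"] not in {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}:
            continue
        params = {p["Name"]: p["Value"] for p in ev.get("Parameters", [])}
        external = []
        for name in sorted(FORWARD_PARAMS):
            if name in params:
                domain = _recipient_domain(params[name])
                if domain and domain not in internal_domains:
                    external.append(params[name])
        if not external:
            continue
        hiding = sorted(p for p in HIDING_PARAMS if p in params)
        findings.append({"user": ev["UserId"], "time": ev["CreationTime"], "ip": ev["ClientIP"],
                         "rule_name": params.get("Name"), "forward_to": external, "hiding": hiding,
                         "severity": "high" if hiding else "medium"})
    return findings


def find_send_bursts(events, threshold=100, window=timedelta(minutes=1)):
    """Sliding window over each user's Send events; report the densest window if it reaches threshold."""
    per_user = defaultdict(list)
    for ev in events:
        if ev["Operation"] == "Send":
            per_user[ev["UserId"]].append(datetime.fromisoformat(ev["CreationTime"]))
    bursts = []
    for user, times in per_user.items():
        times.sort()
        best, best_start, start = 0, None, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 > best:
                best, best_start = end - start + 1, times[start]
        if best >= threshold:
            bursts.append({"user": user, "count": best, "window_start": best_start.isoformat()})
    return bursts


if __name__ == "__main__":
    for f in find_external_forwarding_rules(CONSTRUCTED_EVENTS):
        print("forwarding rule:", f)
    for b in find_send_bursts(CONSTRUCTED_EVENTS):
        print("send burst:", b)
```

The forwarding check rates a rule higher when it also deletes or marks the message read, because that is what lets the rule survive unnoticed in the victim's mailbox. The burst check is deliberately per user rather than tenant-wide, so that one hijacked account stands out against normal bulk senders.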

The Mislabelled Device – Forensics on the Wrong Host

We were analysing an HR laptop suspected of being used in a breach. All indicators pointed to it — except when we dug into system logs, we found it had been powered off at the time of the attack. No matching user account, no RDP sessions, no registry changes. It turns out a hostname mapping error in the SIEM had misidentified the device. The real attacker was on a system three doors down, which we isolated just in time. SIEM misconfiguration can be just as dangerous as no SIEM at all.

The Billing Trojan

A custom billing platform for an airspace regulator went dark on the same day a related personnel licensing system failed. Our forensic imaging showed both servers were communicating with the same external IPs, hosted on DigitalOcean — a telltale sign. Both apps had been developed by the same contractor, who had inserted call-home functionality disguised as DLL updates. The motive? Intellectual property protection — or so they claimed. We reported it as unauthorised remote access and helped the client rebuild from clean codebases.

The Archiver – False Alarm, Real Lessons

A server flagged by CrowdStrike for ransomware-like activity turned out to be compressing files using 7za.exe — but not maliciously. It was a sysadmin archiving logs ahead of a planned migration, unaware his actions mimicked ransomware staging tactics. The incident highlighted a need for internal comms protocols during infrastructure changes. We turned the investigation into a tabletop exercise and used it to improve internal documentation, asset labelling, and EDR alert tuning.

The HR Honeypot – A Curious 3AM Link

One of the strangest incidents began with an RDP session from an HR machine at 3:00 a.m. The user denied knowledge, and logs showed the device powered off before and after. We theorised a sleep/wake attack via PXE boot or Wake-on-LAN misuse. Further inspection revealed the device had once been cloned by IT for imaging tests and had retained an old certificate chain. The real host was long decommissioned, but its digital ghost continued haunting the network — until we purged the orphaned asset completely.