F1CRITICAL
SMTP Backdoor on noreply@backcheckgroup.com
Coordinated setup of a persistent SMTP relay bypassing owner control over client notifications.
- ›May 7: QR code verification + 2-Step Verification (recovery 03007419191)
- ›May 11: App password created — 'SMTP of Backcheck Portal'
- ›May 12: 'Suspicious activity found' alert triggered
F2CRITICAL
Account Sabotage — Kashif Wali (May 10–11, 2026)
Account disabled/re-enabled, password changed, 20 recovery emails purged, 2FA removed, Takeout exported.
- ›26 Vikash voice notes on May 9 (anomalous volume)
- ›Discussions of 'suspicious' setups, RDP access, server config
- ›App-password screenshots captured May 11
F3WARNING
Shadow Operations — x24.io / xcluesiv.com
Parallel infrastructure actively maintained outside BCG controls; news content automation pipeline.
- ›x24.io threat-intel dashboard active
- ›xcluesiv.com, cognitive24.com, backgroundcheck.email registered
- ›GNews → WordPress importer (pakalertpress.com)
F4WARNING
Portal Access Resistance
Systematic denial of SSH, WHM/cPanel, DB, and FTP access to BCG owner.
- ›39 voice notes mention portal access
- ›58 images document permission denials
- ›FTP credentials siloed under Vikash
F5CRITICAL
Evidence Tampering
Systematic deletion observed: 20 recovery emails purged, 2FA removed, passwords rotated, 1,417 messages from deleted users.
- ›Deleted-user message clusters in QC / Ops / Not-Initiated groups
- ›Record deletion refusal templated by insiders
F6WARNING
Scam Data Cache (18 GB)
'Scam Data.rar' on Vikash desktop containing SDN lists, cross-check & wiki data (Nov 10, 2025).
- ›Potential sanctioned-entity cross-referencing
F7CRITICAL
Drive Exfiltration Cluster — Hamza & Yousuf
1,643 external-share events on owner-class spreadsheets traced to two insider accounts operating from Pakistan residential IPs; one confirmed outbound email transmission to a personal Gmail.
- ›Ameer Hamza: 1,547 View/Edit events on externally-shared Drive items (1,516 from 110.93.244.209)
- ›Yousuf Khan: 96 events incl. 'Stationary Stock Log - 2025.xlsx' emailed as attachment to noorbcg1@gmail.com
- ›100% activity from PK-SD (Sindh) — not from corporate OVH or on-prem egress
- ›Failed license-removal log: containment blocked for finance@, hassan@, hassan.s@, zeeshan@
F8WARNING
Shadow Tenant Endpoint Inventory (xcluesiv.com)
28 user-owned endpoints — Windows, macOS, iOS — synced to xcluesiv.com identities (danish, vikash, f3t, info), confirming a parallel device fleet outside BCG MDM.
- ›14 devices under danish@xcluesiv.com, 7 under vikash@xcluesiv.com
- ›F3T CFX (f3t@xcluesiv.com): 6 endpoints across Mac/Windows actively syncing through Jun 14, 2026
- ›iOS handsets (iPhone12,5 / iPhone13,4) tied to vikash/danish — mobile evidence vector
F9WARNING
Expanded Entity Network — 181 Actors
Master entity registry resolves 81 persons and 100 organizations referenced across external-sharing and financial-flow evidence, including 31 vendors and 36 recipient parties.
- ›Primary suspects re-confirmed: Imran Haroon, Vikash Harjeewan, Yousuf Khan, Zubair, Dilawar Khan
- ›External IT vendor Horizon Technologies (ali@horizontech.biz) granted full BCG admin access
- ›Cross-referenced into Drive share events — see Exfiltration page