// BCG / FORENSIC OPS / FINDINGS
SECURE LINK● 256-bit

Key Findings

Consolidated conclusions from SMTP, account-sabotage, shadow-ops, and access-control analyses.

F1CRITICAL

SMTP Backdoor on noreply@backcheckgroup.com

Coordinated setup of a persistent SMTP relay bypassing owner control over client notifications.

  • May 7: QR code verification + 2-Step Verification (recovery 03007419191)
  • May 11: App password created — 'SMTP of Backcheck Portal'
  • May 12: 'Suspicious activity found' alert triggered
F2CRITICAL

Account Sabotage — Kashif Wali (May 10–11, 2026)

Account disabled/re-enabled, password changed, 20 recovery emails purged, 2FA removed, Takeout exported.

  • 26 Vikash voice notes on May 9 (anomalous volume)
  • Discussions of 'suspicious' setups, RDP access, server config
  • App-password screenshots captured May 11
F3WARNING

Shadow Operations — x24.io / xcluesiv.com

Parallel infrastructure actively maintained outside BCG controls; news content automation pipeline.

  • x24.io threat-intel dashboard active
  • xcluesiv.com, cognitive24.com, backgroundcheck.email registered
  • GNews → WordPress importer (pakalertpress.com)
F4WARNING

Portal Access Resistance

Systematic denial of SSH, WHM/cPanel, DB, and FTP access to BCG owner.

  • 39 voice notes mention portal access
  • 58 images document permission denials
  • FTP credentials siloed under Vikash
F5CRITICAL

Evidence Tampering

Systematic deletion observed: 20 recovery emails purged, 2FA removed, passwords rotated, 1,417 messages from deleted users.

  • Deleted-user message clusters in QC / Ops / Not-Initiated groups
  • Record deletion refusal templated by insiders
F6WARNING

Scam Data Cache (18 GB)

'Scam Data.rar' on Vikash desktop containing SDN lists, cross-check & wiki data (Nov 10, 2025).

  • Potential sanctioned-entity cross-referencing
F7CRITICAL

Drive Exfiltration Cluster — Hamza & Yousuf

1,643 external-share events on owner-class spreadsheets traced to two insider accounts operating from Pakistan residential IPs; one confirmed outbound email transmission to a personal Gmail.

  • Ameer Hamza: 1,547 View/Edit events on externally-shared Drive items (1,516 from 110.93.244.209)
  • Yousuf Khan: 96 events incl. 'Stationary Stock Log - 2025.xlsx' emailed as attachment to noorbcg1@gmail.com
  • 100% activity from PK-SD (Sindh) — not from corporate OVH or on-prem egress
  • Failed license-removal log: containment blocked for finance@, hassan@, hassan.s@, zeeshan@
F8WARNING

Shadow Tenant Endpoint Inventory (xcluesiv.com)

28 user-owned endpoints — Windows, macOS, iOS — synced to xcluesiv.com identities (danish, vikash, f3t, info), confirming a parallel device fleet outside BCG MDM.

  • 14 devices under danish@xcluesiv.com, 7 under vikash@xcluesiv.com
  • F3T CFX (f3t@xcluesiv.com): 6 endpoints across Mac/Windows actively syncing through Jun 14, 2026
  • iOS handsets (iPhone12,5 / iPhone13,4) tied to vikash/danish — mobile evidence vector
F9WARNING

Expanded Entity Network — 181 Actors

Master entity registry resolves 81 persons and 100 organizations referenced across external-sharing and financial-flow evidence, including 31 vendors and 36 recipient parties.

  • Primary suspects re-confirmed: Imran Haroon, Vikash Harjeewan, Yousuf Khan, Zubair, Dilawar Khan
  • External IT vendor Horizon Technologies (ali@horizontech.biz) granted full BCG admin access
  • Cross-referenced into Drive share events — see Exfiltration page

Recommended actions

IMMEDIATE
  • Revoke app passwords for noreply@
  • Reset all BCG account passwords
  • Re-enable 2FA on critical accounts
  • Audit FTP / SSH access logs
INVESTIGATION
  • Obtain noreply@ Google Takeout
  • Analyse SMTP relay logs
  • Cross-reference SDN data with clients
  • Investigate x24.io operations
LEGAL
  • Preserve evidence & chain-of-custody
  • Document sabotage timeline
  • Assess breach-notification duties
  • Review IT staff contracts