azcomputerguru/claudetools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

report(kittle): fraud PREVENTED - City stopped payment, Foam Factory confirmed mule

Browse Source 
Per Kittle bookkeeper (2026-06-09): City of Tucson stopped the payment before any funds reached
the attacker (no completed loss; attempted $130k+). Kittle confirms no Foam Factory relationship,
confirming both receiving accounts are mules. Also: Ken un-restricted from sending (Outbox/Drafts
verified empty first); Lori was never restricted.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
Mike Swanson
2026-06-09 09:15:07 -07:00
parent 42135ed557
commit 4c580fe485
1 changed files with 3 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
clients/kittle/reports/2026-06-09-ic3-bec-fraud-report.md
View File

@@ -41,7 +41,7 @@
**Attacker contact phone on the fraudulent form:** (659) 221-9243 **Attacker contact phone on the fraudulent form:** (659) 221-9243
**Loss status:** Redirect ATTEMPTED. Detected by ACG before confirmation of any completed transfer. Kittle is verifying with the City of Tucson and their bank whether any change was processed. Actual completed loss: to be confirmed (likely prevented if caught in time); attempted/exposed amount as above. **Loss status — PREVENTED (no completed loss).** Confirmed 2026-06-09 by Kittle's bookkeeper (Darline Cabrera), after speaking with the City of Tucson: **the City stopped the payment before any funds were transferred to the attacker.** No completed financial loss occurred. Attempted / exposed amount: **$130,000+** (as above). Kittle also confirmed it has **no business relationship with Foam Factory Incorporated**, confirming both receiving accounts are attacker-controlled mule accounts. The fraudulent accounts should still be reported and frozen, and the perpetrator pursued (this complaint documents an attempted wire/ACH fraud).
## 3. SUBJECT (PERPETRATOR) INFORMATION ## 3. SUBJECT (PERPETRATOR) INFORMATION
@@ -86,7 +86,8 @@ Separately/concurrently, the attacker harvested contacts (18:3618:53 UTC) and
## 7. ACTIONS TAKEN BY ACG / VICTIM ## 7. ACTIONS TAKEN BY ACG / VICTIM
- Compromised accounts' sessions revoked; passwords reset (Ken's password changed in person 2026-06-09). - Compromised accounts' sessions revoked; passwords reset (Ken's password changed in person 2026-06-09).
- Malicious inbox rules removed; mailbox forwarding, transport rules, and delegate access re-verified clean (2026-06-09). - Malicious inbox rules removed; mailbox forwarding, transport rules, and delegate access re-verified clean (2026-06-09).
- Kittle contacting City of Tucson AP (by phone) to halt/verify the ACH change and confirm the June 9 EFT routes to Kittle's verified account; Kittle contacting their bank. - Kittle contacted the City of Tucson; **the City stopped the fraudulent payment** before any funds were transferred (confirmed 2026-06-09). Kittle confirmed no relationship with Foam Factory Incorporated.
- Ken's account was auto-restricted from sending by outbound-spam protection during the phishing blast; ACG verified nothing malicious was queued (Outbox/Drafts empty) and **removed the restriction (sending restored 2026-06-09).**
- Client advised to file this IC3 complaint and notify Truist / First State Bank / JPMorgan Chase fraud departments to freeze the receiving accounts. - Client advised to file this IC3 complaint and notify Truist / First State Bank / JPMorgan Chase fraud departments to freeze the receiving accounts.
--- ---