diff --git a/clients/kittle/reports/2026-06-09-ic3-bec-fraud-report.md b/clients/kittle/reports/2026-06-09-ic3-bec-fraud-report.md new file mode 100644 index 0000000..7778544 --- /dev/null +++ b/clients/kittle/reports/2026-06-09-ic3-bec-fraud-report.md 
@@ -0,0 +1,92 @@ +# FBI IC3 Complaint Package — BEC / ACH Payment-Redirection Fraud + +> Prepared by Arizona Computer Guru (ACG) for Kittle Design & Construction LLC +> Incident date: 2026-06-08 to 2026-06-09 (UTC) · Package date: 2026-06-09 +> Submit at: https://www.ic3.gov · Complaint type: Business Email Compromise (BEC) / EAC — Wire/ACH fraud + +--- + +## 1. VICTIM INFORMATION + +**Primary victim (compromised business):** +- Kittle Design & Construction LLC — Tucson, Arizona +- Domain / M365 tenant: kittlearizona.com (tenant ID 3d073ebe-806a-4a5e-9035-3c7c4a264fc0) +- EIN on the fraudulent form: 86-0942406 (purported Kittle EIN — verify; attacker likely copied the real EIN) +- Point of contact: Ken Schagel (owner), ken@kittlearizona.com, cell 520-310-1525 +- Compromised mailboxes: Ken@kittlearizona.com (entry point, Global Admin), Accounting@kittlearizona.com (finance — accessed via Ken's delegate rights) + +**Intended payer targeted by the fraud:** +- City of Tucson, Business Services Department (BSD) — Accounts Payable +- Finance contact in the fraud thread: Randi Arnett, Finance Manager (Randi.Arnett@tucsonaz.gov); AP: HCDAccountsPayable-Finance@tucsonaz.gov +- Other City staff CC'd by the attacker: Monica Barcenas, Angelica Favela, Alexa Johnson, Katharine Mitchell; Buyer: Casey Adams (Casey.Adams@tucsonaz.gov) + +**Reporting party / IT provider:** Arizona Computer Guru (Managed Service Provider). Contact: Mike Swanson. + +## 2. FINANCIAL TRANSACTION INFORMATION + +**Nature:** Attacker submitted a fraudulent ACH/EFT banking-change ("BSD ACH Application", "Change" box) to the City of Tucson, impersonating Kittle's bookkeeper, to redirect Kittle's incoming City payments to attacker-controlled accounts. + +**Targeted / exposed payments (City of Tucson → Kittle, EFT):** +- Invoice #31400 — KDC Job #5700.25B, "COT Knights Inn — Fire Suppression" (PO-007291); City indicated EFT processing **2026-06-09**. Approx. 
amount referenced in thread: ~$8,818.00 (confirm with City). +- Invoice #31468 — Job #5654.25, "MMC Generator Upgrade" — **$123,776.75**. +- NOTE: an approved ACH banking change would redirect ALL future City-of-Tucson payments to Kittle, so exposure is not limited to a single invoice. + +**Fraudulent receiving (mule) accounts:** +| # | Bank | Routing/ABA | Account # | Name on account | Source | +|---|---|---|---|---|---| +| 1 (submitted to City) | **Truist Bank** | **053201607** | **1410020505238** | "Kittle Design & Construction" | BSD ACH Application form attached to the attacker's 2026-06-08 email | +| 2 (second form in mailbox) | First State Bank (Eastpoint, MI) | 072410165 | 62100616 | FOAM FACTORY INCORPORATED | ACH-FoamFactory.pdf found in Ken's mailbox | +| 2b | JPMorgan Chase Bank, N.A. (New York, NY) | 021000021 (wire) / 072000326 (ACH); SWIFT CHASUS33 | 2906183268 | FOAM FACTORY INCORPORATED | same form | + +**Attacker contact phone on the fraudulent form:** (659) 221-9243 + +**Loss status:** Redirect ATTEMPTED. Detected by ACG before confirmation of any completed transfer. Kittle is verifying with the City of Tucson and their bank whether any change was processed. Actual completed loss: to be confirmed (likely prevented if caught in time); attempted/exposed amount as above. + +## 3. SUBJECT (PERPETRATOR) INFORMATION + +**IP addresses used:** +| IP | Use | Geolocation | ASN | +|---|---|---|---| +| 64.44.131.168 | OWA access to Ken + Accounting mailboxes; sent the fraudulent ACH emails; deleted evidence | Chicago, IL | AS20278 Nexeon Technologies (VPN/hosting) | +| 40.126.41.96 | Contact harvesting via python-httpx | Microsoft Azure | Microsoft Corp | +| 45.134.224.220 | Bulk phishing send (1,000 emails) | Kansas City, MO | AS147049 PacketHub S.A. 
(hosting) | + +**Impersonation infrastructure:** +- `Accounting.kittlearizona@gmx.com` — GMX free account impersonating Kittle's Accounting dept (inserted into the City invoice thread starting 2026-06-05) +- `tucsonoz.com` — lookalike domain of the City's `tucsonaz.gov` (e.g. randi.arnett@tucsonoz.com) +- Attacker tooling: python-httpx/0.28.1 using an OAuth token for the Microsoft Desktop app (`d3590ed6-52b3-4102-aeff-aad2292ab01c`) + +## 4. INCIDENT NARRATIVE + +On 2026-06-08, an external attacker compromised the Microsoft 365 account of Ken Schagel (owner / Global Administrator) of Kittle Design & Construction LLC, accessing it via Outlook on the Web from IP 64.44.131.168 beginning 13:24 UTC. Ken's account held standing FullAccess (delegate) permission to the company's Accounting (finance) mailbox (a legitimate permission Ken granted himself on 2026-05-15, ~3 weeks before the incident). The attacker used that delegate access to enter the Accounting mailbox. + +From the Accounting mailbox, the attacker — impersonating Kittle's bookkeeper ("Darline Cabrera") — submitted a fraudulent ACH/EFT banking-change form to the City of Tucson's Accounts Payable, attempting to redirect Kittle's incoming City payments (including Invoice #31400, EFT scheduled 2026-06-09) to a Truist Bank account they controlled. The attacker had pre-positioned by inserting a GMX lookalike address (Accounting.kittlearizona@gmx.com) into the legitimate Kittle↔City invoice thread as early as 2026-06-05. The attacker hard-deleted the EFT and invoice emails from both Ken's and Accounting's mailboxes to conceal the activity (recovered by ACG from the audit-log dumpster). + +Separately/concurrently, the attacker harvested contacts (18:36–18:53 UTC) and sent ~1,000 phishing emails ("Ken Schagel shared a file with you") from 45.134.224.220 between 21:14–21:26 UTC (747 delivered). ACG detected the incident ~21:30 UTC and performed containment/remediation. 
The payment-redirection fraud was identified by ACG on 2026-06-09 via mailbox-audit and message-trace analysis. + +## 5. TIMELINE (UTC) +- 2026-06-05 ~11:52 — Attacker (via Accounting.kittlearizona@gmx.com) inserts into the Kittle↔City invoice thread. +- 2026-06-08 13:24 — First attacker OWA login to Ken's account (64.44.131.168). +- 2026-06-08 14:51–21:09 — Attacker accesses Accounting mailbox as delegate (21 access events); reads Inbox\Customers, Assured Partners, Employees, Sent, Deleted. +- 2026-06-08 15:52 / 16:45 / 18:52 / 20:29 — Attacker sends "EFT UPDATE" / ACH-change emails on behalf of Accounting@ to Randi Arnett (City of Tucson); hard-deletes the thread after each. +- 2026-06-08 18:36–18:53 — Contact harvest (python-httpx, 40.126.41.96). +- 2026-06-08 21:14–21:26 — 1,000-recipient phishing blast (45.134.224.220). +- 2026-06-08 ~21:30 — ACG detects, begins containment. +- 2026-06-09 — ACG identifies the ACH payment-redirection fraud; password resets; client notified; this package prepared. + +## 6. EVIDENCE INVENTORY (preserved by ACG) +- `Downloads/kittle-bec-attachments/FRAUD_BSD_ACH_APPLICATION.pdf` — the fraudulent ACH change form submitted to the City (shows Truist 053201607 / 1410020505238). +- `Downloads/kittle-bec-attachments/Ken_ACH-FoamFactory.pdf` — second ACH form (Foam Factory Inc accounts). +- Recovered email thread (EFT UPDATE / ACH, Accounting@ ↔ Randi Arnett) — recovered from the M365 Recoverable Items dumpster via Graph (the attacker hard-deleted the originals). +- Microsoft 365 Unified Audit Log: MailItemsAccessed (delegate, IP 64.44.131.168), SendOnBehalf, SoftDelete/HardDelete events for Accounting@ and Ken@ — exportable on request. +- Message trace confirming delivery of the fraud emails and the original recalled message. +- Prior incident report: `clients/kittle/reports/2026-06-08-breach-check.md` (full BEC remediation, phishing campaign, inbox rules). + +## 7. 
ACTIONS TAKEN BY ACG / VICTIM +- Compromised accounts' sessions revoked; passwords reset (Ken's password changed in person 2026-06-09). +- Malicious inbox rules removed; mailbox forwarding, transport rules, and delegate access re-verified clean (2026-06-09). +- Kittle contacting City of Tucson AP (by phone) to halt/verify the ACH change and confirm the June 9 EFT routes to Kittle's verified account; Kittle contacting their bank. +- Client advised to file this IC3 complaint and notify Truist / First State Bank / JPMorgan Chase fraud departments to freeze the receiving accounts. + +--- +*Package compiled from M365 unified audit log, message trace, and recovered mailbox evidence. Dollar amounts to be confirmed with the City of Tucson. ACG can provide raw audit-log exports and the recovered emails/attachments on request.*
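Review bot: the timeline in section 5 dates the first attacker action (the GMX address inserted into the Kittle↔City invoice thread) to 2026-06-05 ~11:52, three days before the first OWA login to Ken's mailbox on 2026-06-08 13:24, yet the narrative in section 4 presents the 2026-06-08 OWA login as the initial compromise; the package should state how the attacker had the invoice thread before that login (for example an earlier unlogged access, a compromise on the City side, or a forwarded message) or explicitly mark the initial access vector as undetermined, since IC3 and the City will read 2026-06-08 as the start of the intrusion. Related, the "Loss status" line in section 2 says the redirect was "likely prevented if caught in time" while the EFT for Invoice #31400 and ACG's identification of the fraud both fall on 2026-06-09; record the City AP confirmation (processed / halted, with who confirmed and when) under section 7 before the complaint is submitted rather than leaving the outcome as "to be confirmed". Minor: the mule-account table labels the Foam Factory rows "2 (second form in mailbox)" and "2b" but the first row "1 (submitted to City)"; use one labelling scheme (1, 2a, 2b) so the rows cross-reference cleanly from the evidence inventory.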