← queueFIN-2026-0716opened 2026-07-16T08:45:00Z // ACTIVE

Account takeover & biometric exfiltration cluster

critical
98Fusion score
CURRENT RISK SCORE:98 / 100
CASE TARGET:USER_042

Incident Storyboard (Fused Narrative)

08:45:00 AMstep-1
EXPAND TELEMETRY +

At 08:45:00 AM, USER_042 suffered 3 consecutive failed login attempts from untrusted IP 192.168.1.100 using unregistered device profile DEV_UNKNOWN_999.

08:45:45 AMstep-2
EXPAND TELEMETRY +

At 08:45:45 AM, a password reset request was approved for USER_042 from the same untrusted IP 192.168.1.100.

08:47:00 AMstep-3
EXPAND TELEMETRY +

At 08:47:00 AM, an MFA bypass was approved using a replayed device identifier, allowing full system entry from the attacker endpoint.

08:47:30 AMstep-4
EXPAND TELEMETRY +

Ten seconds after logging in, a maximum-limit transfer of $9,950.0 was executed targeting ACCT_OFFSHORE_001. The transaction was flagged and set to PENDING_REVIEW.

09:15:00 AMstep-5
EXPAND TELEMETRY +

Starting at 09:15:00 AM, the database DB_BIOMETRICS_PROD exfiltrated 5.8 GB of encrypted biometric facial templates to exfiltration receiver 203.0.113.42.

Ingestion Architecture Flow

REALTIME AGENT AGGREGATION
Syslog
Netflow
Auditd
Hawkes Fusion
Entity Graph
Risk Timeline

Unified Entity Graph (Shared Screen)

USER_042192.168.1.100DEV_UNKNOWN_999ACCT_OFFSHORE_001DB_BIOMETRICS_PROD203.0.113.42
User ID
IP Address
MAC / Registry
High-Value Account
Failed Auth Pulse

Predictive Timeline (Smart Warning System)

INGESTED SIGNAL TRAIL (PAST)T-MINUTES
HAWKES PROCESS RISK PROBABILITYIMMINENT FRAUD
Past (Ingested)
NOW
Future (Hawkes Predictive)
94%Fraud Prob
TIME WINDOW LEFT:1m 20s