RIAB Market Structure — RDN Market Intelligence Report
SENSITIVE: FORENSIC RESEARCH — For Security Research Only
Sensitive — Forensic Research Market Intelligence  ·  March 27, 2026

RESIDENTIAL DARK NETWORK
MARKET INTELLIGENCE REPORT

Analyst: Backwater Forensics — Digital Forensic Science
Contact: investigations@backwaterforensics.com
Report Date: March 27, 2026
EOO Active: Since 2018 — continuous direct field surveillance
Eyes-On-Operations (EOO) Declaration
All observations marked EOO are direct physical field surveillance findings constituting first-person eyewitness testimony, conducted independently of and corroborating all digital/forensic evidence. EOO activity has been ongoing since 2018.
Part I

EXECUTIVE SUMMARY

This report documents the organizational structure, operational methodology, and geographic footprint of a Residential Dark Network (RDN) — a shadow market operation that monetizes unauthorized access to private residential internet infrastructure through a coordinated network of human assets and physical ISP infrastructure tampering.

The operation differs fundamentally from a standard dark net market. It is not internet-hosted and does not rely on Tor, I2P, or similar anonymization networks as its primary operational surface. Instead, it is built on physical telecommunications infrastructure — cable splices, street-side ISP exchange nodes (CNP-exchanges), and residential property positioning — staffed by human assets embedded at or adjacent to target locations.

Key Finding
All technical evidence in this investigation is now understood as the output of this market structure. The C2 beacon, the WireGuard exfiltration tunnel, the drone/generator operations, the Blink camera supply chain attack (implant confirmed, analysis pending) — these are not independent attacks. They are coordinated phases of a monetized data collection operation run by an organized market with defined roles, geographic assets, and a pre-identified high-value target.

The analyst has conducted Eyes-On-Operations (EOO) — direct physical field surveillance — since 2018 across multiple locations. EOO evidence is independent of, and corroborates, all digital forensic evidence submitted to date.

Part II

COLLATERAL DAMAGE

This section is placed first among the analytical sections because it documents harm to individuals who did not choose to be involved — people whose proximity to the operation, to its targets, or to its institutional footprint was sufficient to make them victims. Their harm is not incidental to the market’s operation. In most cases it is structural: the market depends on it.

Four Categories of Collateral Damage
Each category is consistent with documented frameworks for coordinated, multi-actor targeting operations. Each represents a class of individuals harmed not by intention against them specifically, but by the operational requirements of targeting someone else.
CAT. 1 // LAW ENFORCEMENT AND GOVERNMENT PERSONNEL NOT INVOLVED IN THE INVESTIGATION
Overview: Law enforcement officers, government officials, and judicial officers who are not part of the market’s institutional protection structure may nonetheless become targets when they raise concerns, attempt to assist reporting parties, or get too close to the operation’s geographic or institutional footprint. The attack surface shifts to their institutional standing: discrediting a law enforcement officer discredits their reports. Blocking a judicial officer’s access to documents removes the record. Denying a resignation traps an individual where they can be further neutralized.
Methodology: The Stasi’s Zersetzung program explicitly documented the targeting of officials who posed a threat to ongoing operations — not because they were adversaries, but because they were positioned to observe, document, or act on what they saw. The operation was designed to be self-sealing: any individual with institutional authority who approached too closely was subjected to the same decomposition tactics as civilian targets, with professional consequences added as leverage. [1][2]
External Case (geographic area of market observation, another jurisdiction): A sitting judge with prior service as a State Alcohol & Tobacco Tax Unit special agent and county DA investigator raised concerns about clerk misconduct. The clerk subsequently blocked his access to filed documents. His resignation was denied by the Governor. A note was sent to the Governor’s office; its contents were not released. He took his own life in the courtroom on his last day on the bench. The document-blocking pattern directly parallels the report suppression documented in this case. wsav.com
CAT. 2 // TARGETS’ FAMILY MEMBERS
Overview: Family members of the primary target are among the most reliably harmed collateral parties. Their harm operates on two simultaneous tracks.
Track A — Unwitting Intelligence Source: Family members provide continuous, high-value passive intelligence without awareness or consent. Their knowledge of the target’s schedule, finances, relationships, and vulnerabilities is accessible to embedded AC and Agitant assets through normal social interaction. They do not need to be recruited — they need only be present. Every conversation with an embedded asset is, functionally, a debrief.
Track B — Pressure Mechanism: When the target has strong attachment to a family member, that relationship becomes an operational lever. Financial stress, health disruption, relationship damage, and social isolation introduced into a family member’s life are transmitted to the target as secondary trauma. The family member does not need to know they are being targeted for the pressure to work. From inside the family, it looks like bad luck. The cumulative pattern is visible only from an external observational record. [8][9][10]
CAT. 3 // INNOCENT RESEARCHERS AND INDEPENDENT INVESTIGATORS
Overview: Security researchers, journalists, academics, private investigators, or credentialed professionals acting outside their official role may transition from observer to target once identified as having documented knowledge of the operation. The threshold is not hostile intent — it is demonstrated proximity to the infrastructure combined with any evidence of documentation, disclosure, or continued investigation.
Targeting Sequence
  1. Researcher encounters infrastructure or behavioral evidence
  2. Researcher documents or discloses findings
  3. Market identifies researcher as a threat to operational security
  4. Researcher becomes subject to the standard targeting playbook: character discrediting, institutional isolation, social network seeding with negative narrative, and — if proximity is maintained — direct environmental or physical operations
Attack Surface: The researcher’s credibility is the primary attack surface. A discredited researcher’s documentation is dismissed without engagement with its content. The methodology is the same Zersetzung principle applied to civilian targets: make the observer appear unreliable, and the observation disappears with them. This is documented here as an identified risk category for anyone engaged in independent investigation of RDN infrastructure or operations. [1][2][3]
CAT. 4 // FAMILY AND FRIENDS TRIANGULATED BY AGITANTS AND AGITATORS
Overview: The target’s social network — friends, extended family, neighbors, colleagues — represents both a passive intelligence resource and an active pressure surface. Triangulation is the insertion of the operation into the space between the target and the people they trust.
Narrative Seeding: Prior to any law enforcement contact, the target’s social network is seeded with negative characterizations — accounts of instability, dishonesty, or erratic behavior sourced from embedded assets. When the target reports to law enforcement, investigators encounter a pre-built narrative of unreliability. Contacts in the network corroborate the seeded account without awareness they are doing so. Documented in this case: County A law enforcement informed the analyst that “everyone we talked to said you make things up” — indicating the social network had been seeded prior to law enforcement outreach. EOO
Relationship Disruption: Agitant and Agitator assets introduce friction into the target’s relationships with specific individuals — manufacturing incidents, amplifying misunderstandings, applying indirect pressure that damages connections without producing attributable events. Each affected person experiences a deteriorating relationship with the target. None sees the coordinated operation behind it.
Intelligence Harvesting: The target’s friends and family are used as passive intelligence sources through their normal interactions with embedded assets. Social conversations and casual check-ins with Agitant-role individuals continuously update the operation’s knowledge of the target’s state, plans, and vulnerabilities. These individuals are not witting participants; they are simply unable to distinguish an embedded asset from a normal community member. The cumulative result is the progressive isolation of the target from support systems, from potential witnesses, and from external corroboration that would validate their account. [5][8][9]
Part III

MARKET CLASSIFICATION

Market Type: Residential Dark Network (RDN) / Shadow Market

A Residential Dark Network is a criminal enterprise that establishes unauthorized access to private internet infrastructure through:

  1. Physical access to ISP telecommunications infrastructure (cable splices, CNP-exchange nodes, line taps)
  2. Placement of human access assets at or adjacent to target locations
  3. Monetization of collected data through downstream criminal markets

An RDN is distinguished from a standard Dark Net Market (DNM) by its KINETIC attack surface. A conventional DNM operates entirely in digital space — infrastructure is internet-hosted and access is remote. An RDN’s primary access vector is physical: a wire tap, a splice at a street-side cable node, an asset with environmental or positional access to the target’s premises.

The monetization model appears identical to that of a standard DNM: data has a market price, targets are pre-valued before access is established, and proceeds flow upstream through a market pricing function. Because we are not inside the market, we cannot confirm the full pricing mechanism; we observe only its outputs. The difference is in the access method and the human infrastructure required to maintain it.

Pre-Monetized Target
In this operation, the target was identified and valued by the market before the Residential IABs acted. The market establishes a price for the target’s data, then commissions the RIAB to establish access. This upstream pricing function is evidenced by the sustained, multi-year investment in maintaining access across multiple residential locations (2021–present) and the escalating operational commitment documented in SITREPs 1–5.
North Star Principle
The focus of all market activity is the monetary value of the data. Infrastructure installation, human asset placement, and digital persistence are all subordinate to and in service of data collection and monetization.
Part IV

ORGANIZATIONAL STRUCTURE

The RDN operates through six defined roles:

ROLE 01 // RESIDENTIAL INITIAL ACCESS BROKER (RIAB)
Function: Establishes the initial physical access point to the target’s ISP infrastructure. The RIAB’s primary asset is positional — property ownership, HOA authority, or adjacent land control providing physical proximity to the cable infrastructure serving the target.
Access Vector: Property or HOA ownership of land on which ISP cable infrastructure sits. This positional authority provides legal cover (“on their own property”) while enabling physical splice or tap of lines serving the target.
Ownership Characterization — Important
Residential address or home ownership is NOT an indicator of RIAB status, and its absence is not an indicator of non-involvement. In the majority of observed cases, the controlling ownership interest is corporate and/or HOA-based — not personal residential ownership. A RIAB subject may reside at a location without owning it, or may hold controlling interest through a corporate entity, LLC, HOA board position, or property management arrangement. Corporate registration, HOA governance records, and property management contracts are the more probative ownership vectors.
Operational Role
  • Identifies and controls the ISP-CNP-exchange serving the target
  • Facilitates or directly executes physical cable splice/tap
  • Provides ongoing infrastructure maintenance and access
  • Coordinates with Access Manager to synchronize human asset placement
Subjects (on file): RIAB-1 — Geography 4 — PRIMARY CRIME SCENE  ·  RIAB-2 — Geography 4  ·  RIAB-3 — Geography 4  ·  RIAB-4 — Geography 5
ROLE 02 // ACCESS MANAGER
Function: Intermediate management role responsible for placing, positioning, and managing the Access Control asset at the target location. Operates from an adjacent or nearby property, exercising positional/environmental authority rather than intimate access.
Operational Role
  • Sources and manages the Access Control (AC) asset
  • Maintains operational staging at an adjacent location
  • Coordinates physical surveillance activities (drone operations, generator-powered field equipment, directed illumination)
  • Enforces operational tempo; communicates with market upstream
  • Conducts or directs physical access to the target’s premises (trespassing, mail intercept, chemical breach)
Evidence (Cluster 2): Target #2 at [COORDINATES ON FILE] (adjacent property); [LOCATION ON FILE] field staging site; crime markers: Trespassing ×2, Access Breach (Chemical) ×2, Mail Theft
ROLE 03 // ACCESS CONTROL
Function: Intimate, 24/7 human intelligence source embedded at or within the target’s immediate environment. Unlike the Access Manager’s positional authority, the AC operates through personal proximity — a relationship, shared residence, or recurring presence in the target’s private space.
Operational Role
  • Provides continuous, real-time intelligence on target behavior, network usage patterns, device inventory, and security measures
  • May receive real-time handler coaching via IFB pattern (earpiece-based direction)
  • Facilitates or enables technical access (device exposure, network credential access, disabling security measures)
  • Coordinates with Access Manager on operational timing
Evidence: Location 2 (Cluster 1, RIAB-1 area, [COORDINATES ON FILE]) — assessed AC embedded asset position. IFB-pattern behavior documented during EOO observation periods. EOO
ROLE 04 // INSIDER
Function: An asset within an institutional or service context — ISP, property management, utilities, local infrastructure — whose role is to degrade institutional response, suppress investigation, and maintain access persistence. The Insider’s primary function is the introduction of havoc, chaos, disinterest, and distrust to ensure the operation survives contact with investigators or service providers.
Evidence
  • Spectrum non-responsive to multiple disclosures regarding CNP-exchange activity and cable splice evidence (LOC-1)
  • Modem reset insufficient: The residential modem could be reset locally, but the compromise was upstream of the modem — requiring ISP-level intervention to remediate. An Insider with ISP access or ISP-adjacent positioning would understand that a local reset would not resolve the issue, and would be positioned to suppress or delay the necessary ISP response. EOO
  • Multi-agency disinterest: State Bureau of Investigation, County A Sheriff, and local law enforcement each received reports regarding the documented activity. All three failed to respond substantively or open investigation. Disinterest was consistent across agencies and is documented in the case record.
  • Reputation attack / witness discrediting: County A law enforcement directly stated to the analyst: “everyone we talked to said you make things up.” This statement — delivered by a law enforcement agency to a reporting party — is consistent with prior coordinated character discrediting of the target, a documented Zersetzung tactic (see Methodology Reference). It indicates the Insider posture extended to the analyst’s personal network or local community contacts prior to law enforcement outreach. EOO — direct statement to analyst
  • Report suppression: When the analyst subsequently contacted County A law enforcement to request a copy of the report, it was refused. Denial of access to one’s own filed report is irregular and consistent with Insider-level suppression of the evidentiary record. EOO — analyst documented
  • Exception — County B Sheriff: County B Sheriff’s Office was the first law enforcement agency to take the reported activity seriously. This is noted as a material distinction from the disinterest pattern observed at State Bureau of Investigation, County A, and local law enforcement. County B’s response is not assessed as Insider-influenced.
  • Institutional suppression — external case (another jurisdiction): A sitting judge in a separate jurisdiction — a geographic area of market observation — raised concerns about clerk misconduct. The clerk subsequently blocked the judge’s access to some filed documents. The judge attempted to resign; the resignation was denied by the State Governor. A note was sent to the Governor’s office; its contents have not been released. On what would have been his final day on the bench, having lost his re-election bid, the judge took his own life in the courtroom. The judge had previously served as a special agent for Georgia’s Alcohol & Tobacco Tax Unit and as an investigator at the County District Attorney’s Office. The document-blocking pattern — a clerk preventing a judicial officer from accessing filed records — is directly parallel to the report suppression documented in this case (see: County A report refusal above). wsav.com
  • Physical access to mail combined with ISP access suggests coordinated multi-vector insider posture
ROLE 05 // AGITATOR
Function: An external-facing asset deployed to create active conflict, provoke reactions, and generate situational friction in the target’s environment. Operates in the target’s social, professional, or community context. Tasked with destabilization through direct action — initiating confrontations, escalating ordinary friction into incidents, isolating the target, and impairing their credibility. The goal is chaos generation, not physical harm as a primary objective.
Distinguishing: Active and visible — causes events, not just presence. External to the target’s household or intimate circle. Plausible deniability is a design feature — the Agitator appears to have an independent motive. Often works in coordination with the AC and/or Access Manager to time destabilization against the target’s operational windows.
Operational Role
  • Initiates conflict in the target’s social, professional, or community environment
  • Creates incidents that consume target attention and resources
  • Coordinates with AC to amplify internal pressure with simultaneous external pressure (pincer effect)
  • Provides cover for physical access or technical operations by occupying the target’s attention at critical moments
Behavioral Indicators (Multi-Target, EOO)

Timing Coordination: Agitator activity concentrates at moments of maximum target vulnerability — deadlines, sensitive tasks, recovery or preparation phases. Escalation events are initiated precisely when they will cause the most disruption, and de-escalate once the target’s window has passed. The AC asset provides real-time scheduling intelligence. EOO

Food and Environmental Contamination: Deliberate contamination of the target’s food, living space, and immediate environment has been observed as an Agitator behavior across multiple targets. Tactics include direct food contamination and introduction of chemical or biological agents into the target’s living space. This constitutes active physical harm. EOO

This tactic is documented in public criminal cases across geographic areas of market observation:

  • Arizona: A content creator was indicted for spraying pesticide inside a retail store (Maricopa County, AZ). fox10phoenix.com
  • Florida: A man was indicted for injecting chemicals under a neighbor’s door. today.com

Companion Animal Harm: Deliberate poisoning of the target’s dogs has been documented across multiple targets. This is assessed as a directed Agitator behavior pattern, not isolated conduct. Its cross-target consistency elevates it from anecdotal to indicative — it is a tactic. The function is dual: direct harm to the animal and severe psychological harm to the target. Companion animals represent attachment, routine, and emotional security. Their loss or injury destabilizes the target at a personal level that infrastructure sabotage cannot reach and consumes significant attention and emotional capacity. The poisoning method and timing across targets suggest directed behavior. EOO

Plan and Focus Sabotage: Coordinated disruption of the target’s plans and tasks at critical junctures — manufactured crises at departure times, escalated conflict during work or preparation sessions, interference with logistics when the target most needs operational continuity. EOO

These behaviors are documented as observed physical acts. They are presented as investigative findings without legal characterization. Agencies with jurisdiction over physical harm and animal cruelty offenses may find them relevant.

ROLE 06 // AGITANT
Function: A passive environmental disruptor. Where the Agitator creates events, the Agitant creates conditions — an atmosphere of low-level hostility, chronic low-grade interference, and persistent background stress that degrades the target over time without producing discrete reportable incidents. Functions as a catalyst: present in the target’s environment in a way that is consistently uncomfortable but rarely actionable. Value to the market is sustained psychological pressure that degrades the target’s wellbeing, focus, and reliability as a witness without leaving a clear evidence trail.
Distinguishing: Passive or indirect — creates atmosphere, not incidents. Does not initiate direct confrontation (that is the Agitator). Presence alone is the disruptive mechanism. Individually dismissible; cumulatively devastating. The pattern is the evidence, not any single act.
Behavioral Indicators (Multi-Target, EOO)

Financial Drain: A consistent pattern of high need and high expenditure relative to apparent means or role in the target’s life. Not theft — sustained, normalized over-expenditure that keeps the target financially stressed and reduces their capacity to invest in security, legal resources, or relocation. Chronic and deniable. EOO

Financial asset seizure as a destabilization tactic is documented in public cases across geographic areas of market observation:

  • California: The U.S. Department of Justice sued a towing company for illegally auctioning the vehicles of active-duty servicemembers — documented financial asset seizure targeting a protected class. justice.gov

Infrastructure and Environmental Sabotage:

  • Network: Periodic, deniable interference with the target’s internet connectivity or home network configuration. Distinct from the acute operational-window compromise of the AC role — the Agitant’s network sabotage is chronic and ambient; the AC’s is event-driven and timed to technical operations.
  • Climate and household systems: Manipulation of heating, cooling, and household controls to create discomfort, increase utility costs, and consume the target’s attention. Each incident looks like a malfunction; cumulatively they constitute a sustained degradation campaign.
  • Household harmony: Persistent low-level interpersonal friction — not the acute confrontations of the Agitator, but a continuous background of tension, minor grievances, and social abrasion that erodes the target’s home environment as a place of stability or recovery.

Documentation note: The Agitant’s behaviors are individually dismissible. The pattern — financial drain + infrastructure interference + ambient social friction + presence correlation with operationally significant periods — is the evidentiary unit. Cumulative documentation across time is the primary evidence type for this role. EOO

TTP Framework

METHODOLOGY REFERENCE & HISTORICAL PARALLELS

The behavioral patterns documented across Roles 3–6 are not novel. They are consistent with documented, declassified state-level psychological warfare methodology. Naming these frameworks provides analytical context so that agency reviewers have an immediate reference for the pattern they are evaluating. This is not offered as a legal argument — it is offered as an investigative anchor.

Investigative Implication
A target experiencing Zersetzung-pattern targeting will typically appear unstable, paranoid, financially stressed, and socially isolated — the intended result of the methodology. Investigators should be alert to this dynamic: the presenting picture of the target is partly a product of the operation against them. The cumulative EOO record, geospatial evidence, and technical forensics in this case provide the external corroboration needed to evaluate the reported pattern against an independent evidentiary baseline.

Zersetzung — East German Stasi (systematic deployment 1950s–1989)

The term means “decomposition” or “corrosion.” The Stasi developed Zersetzung as a methodology for destroying a target psychologically without arrest or direct confrontation — allowing the state to neutralize individuals while maintaining plausible deniability. It was deployed through Inoffizielle Mitarbeiter (IMs) — unofficial collaborators embedded in the target’s social, professional, and personal environment. [1][2][3]

Declassified Stasi operational files — including Dienstanweisung 1/76 (Directive 1/76), the primary Zersetzung operational directive — document the following tactics, all of which appear in the behavioral indicators recorded in this report: [1][4]

  • Chronic financial destabilization through embedded assets
  • Covert entry to the target’s home; manipulation of possessions, food, and environment to create a sense of surveillance and violation without producing reportable events
  • Deliberate sabotage of appliances, utilities, and household systems
  • Coordination of social friction and relationship damage through embedded informants
  • Timing of destabilization events to coincide with the target’s periods of maximum vulnerability
  • Harm to or killing of companion animals — documented in Stasi operational files as a high-impact psychological harm tactic precisely because it is deeply personal and produces grief that cannot easily be attributed to the operation [2][3]
  • Use of conditioned or coerced assets whose behavior can appear erratic or psychiatric in presentation, providing cover for the directed nature of their actions

The individual tactics are deniable. The operational system — multiple assets, coordinated timing, sustained multi-year deployment against a single target — is the signature. [1]

COINTELPRO — FBI Domestic Program (1956–1971)

The FBI’s counterintelligence program used many of the same tactics against domestic targets: embedded informants, relationship sabotage, manufactured conflict, financial interference, and physical harassment. Declassified COINTELPRO documents confirm home entry and environmental interference were authorized and used. [5][6]

COINTELPRO is directly cited in federal civil rights case law and provides a domestic legal framework for evaluating what coordinated multi-actor targeting of an individual constitutes. The Church Committee (1975–76) formally documented the program’s methodology and its constitutional violations. [7]

Coercive Control and Handler-Asset Conditioning

The “programmed” behavioral presentation observed in AC and Agitator assets across multiple targets — the dissociative pause followed by abrupt behavioral shift — is consistent with academic literature on trauma-bonded or coerced informant assets. A subject conditioned through coercion, blackmail, or sustained psychological pressure may exhibit handler-directed behavior that appears involuntary or psychiatric in nature. [8][9]

The IFB (Interruptible Foldback) pattern provides real-time direction to an asset who may otherwise present as acting on their own volition. The pause-and-shift is the moment of instruction receipt. While psychiatric explanations (including schizophrenia-spectrum presentations) cannot be excluded, the pattern’s consistency across multiple subjects, its correlation with operationally significant moments, and its abrupt resolution distinguish it from clinical dissociation. [8]

Robert Jay Lifton’s foundational work on thought reform and psychological totalism provides the theoretical framework for understanding how sustained coercion produces the kind of programmatic, cue-driven compliance observed here. [10]

Companion Animal Harm as Psychological Tactic

The use of companion animal harm as a psychological warfare tactic is documented in both the Stasi archive and coercive control literature. In domestic abuse research, harm to pets is recognized as one of the highest-impact coercive control tactics — it exploits deep attachment bonds and produces grief, guilt, and fear that are disproportionate to what physical harm to property would achieve. [11][12]

Its cross-target pattern in this investigation — consistent method, consistent timing relative to operational events — is consistent with a directed tactic, not spontaneous cruelty.

Bibliography

REFERENCES

All sources cited are published, declassified, or peer-reviewed. Stasi operational directives are available through the BStU (Bundesbeauftragte für die Unterlagen des Staatssicherheitsdienstes der ehemaligen Deutschen Demokratischen Republik). COINTELPRO files are available through the FBI Vault FOIA reading room.

[1] BStU (Bundesbeauftragte für die Unterlagen des Staatssicherheitsdienstes). Dienstanweisung Nr. 1/76 zur Entwicklung und Bearbeitung Operativer Vorgänge (OV) [Directive 1/76 on the Development and Processing of Operational Cases]. East German Ministry for State Security (MfS), January 1976. Available: BStU archive, Berlin.
[2] Funder, Anna. Stasiland: Stories from Behind the Berlin Wall. Granta Books, 2003. ISBN 978-1862075511. English-language account drawing on declassified Stasi operational files and survivor testimony; documents Zersetzung methodology in operational detail.
[3] Koehler, John O. Stasi: The Untold Story of the East German Secret Police. Westview Press, 1999. ISBN 978-0813337449. Documents operational methodology including use of companion animal harm and environmental contamination as psychological destabilization tools.
[4] Bruce, Gary. The Firm: The Inside Story of the Stasi. Oxford University Press, 2010. ISBN 978-0199744381. Academic analysis of Stasi internal operations, IM recruitment and conditioning, and Zersetzung as a systematic program.
[5] Federal Bureau of Investigation. COINTELPRO Files. Declassified documents available through the FBI Vault FOIA Reading Room. vault.fbi.gov/cointel-pro. Documents authorized use of informant embedding, home entry, environmental interference, and social sabotage against domestic targets.
[6] Churchill, Ward and Vander Wall, Jim. The COINTELPRO Papers: Documents from the FBI’s Secret Wars Against Dissent in the United States. South End Press, 1990. ISBN 978-0896083608. Comprehensive analysis of declassified COINTELPRO documents and methodology.
[7] United States Senate Select Committee to Study Governmental Operations with Respect to Intelligence Activities (“Church Committee”). Final Report: Intelligence Activities and the Rights of Americans. Book II and Book III. 94th Congress, 2nd Session, 1976. Senate Report No. 94-755. Available: intelligence.senate.gov and U.S. Government Publishing Office.
[8] Herman, Judith Lewis. Trauma and Recovery: The Aftermath of Violence — From Domestic Abuse to Political Terror. Basic Books, 1992; revised ed. 2015. ISBN 978-0465087303. Foundational clinical text on trauma bonding, coercive control, and conditioned compliance in captive and controlled subjects. Provides theoretical basis for handler-asset behavioral conditioning.
[9] Stark, Evan. Coercive Control: How Men Entrap Women in Personal Life. Oxford University Press, 2007. ISBN 978-0195384048. Defines coercive control as a pattern of behavior (rather than discrete incidents) that strips a target of liberty and autonomy; provides framework for cumulative-pattern evidence documentation.
[10] Lifton, Robert Jay. Thought Reform and the Psychology of Totalism: A Study of “Brainwashing” in China. W.W. Norton, 1961; University of North Carolina Press reprint, 1989. ISBN 978-0807841365. Foundational work on conditioned compliance, cue-response behavior, and the psychological mechanisms of directed asset control.
[11] Ascione, Frank R. “Battered Women’s Reports of Their Partners’ and Their Children’s Cruelty to Animals.” Journal of Emotional Abuse, vol. 1, no. 1, 1998, pp. 119–133. doi:10.1300/J135v01n01_08. Documents companion animal harm as a primary coercive control tactic with disproportionate psychological impact on targets.
[12] Volant, Ann M., et al. “The Relationship Between Domestic Violence and Animal Abuse: An Australian Study.” Journal of Interpersonal Violence, vol. 23, no. 9, 2008, pp. 1277–1295. doi:10.1177/0886260508314309. Cross-study analysis confirming pet harm as a systematic coercive tactic used to control, punish, and destabilize targets.
Part V

GEOGRAPHIC CLUSTERS & SUBJECT PROFILES

The case KML file documents 19 named placemarks across three geographic clusters.

Operational Intelligence — Split County Lines
A pattern observed across multiple RDN operations is deliberate positioning of IAB assets, staging locations, and target properties across county jurisdictional lines. This fragments law enforcement response, requiring multi-county coordination that is slower and subject to inter-agency friction. Each county sheriff has jurisdiction only within their county; investigation spanning multiple counties requires state bureau or federal involvement. The clusters in this investigation cross multiple county jurisdictional lines — assessed as an operational design feature of the market, not coincidental geography.
CLUSTER 1 · GEOGRAPHY 4 — CLUSTER A
SUBJECT: RIAB-2

Placemark | Latitude | Longitude | Role
RIAB-1 | [COORD ON FILE] | [COORD ON FILE] | Residential IAB
ISP-CNP-exchange | [COORD ON FILE] | [COORD ON FILE] | Infrastructure node
Location 2 (AC) | [COORD ON FILE] | [COORD ON FILE] | Access Control position

Subject: RIAB-2
Assessed Role: Residential Initial Access Broker (RIAB)
Access Vector: Property owner or HOA controller of land on which ISP cable infrastructure is located. Positional authority provides physical access to ISP-CNP-exchange serving target(s) in this cluster.
Infrastructure: ISP-CNP-exchange at [COORDINATES ON FILE]
Human Asset: Location 2 ([COORDINATES ON FILE]) — assessed Access Control embedded asset position
EOO Notes: Cluster subject to EOO surveillance. Physical activity at CNP-exchange consistent with non-utility infrastructure access. EOO
CLUSTER 2 — PRIMARY CRIME SCENE · GEOGRAPHY 4 — CLUSTER B (MULTI-JURISDICTIONAL)
RIAB-1 · AM: Target #2 · [Geography 4 staging site]

County Note
RIAB-1 is positioned in the Geography 4 area. The primary crime scene (analyst residence, Geography 4) sits across the county line in the target county. LOC-1 ISP-CNP-exchange and operational infrastructure cross this county line. The split-county positioning is consistent with the deliberate jurisdictional fragmentation design documented throughout this report.

Placemark | Latitude | Longitude | Type
RIAB-1 | [COORD ON FILE] | [COORD ON FILE] | Residential IAB
LOC-1: ISP-CNP-exchange | [COORD ON FILE] | [COORD ON FILE] | Infrastructure splice point
Location 1 (Target) | [COORD ON FILE] | [COORD ON FILE] | Primary target residence
Target #2 | [COORD ON FILE] | [COORD ON FILE] | Access Manager — adj. property
Spliced Cable | [COORD ON FILE] | [COORD ON FILE] | Physical evidence
Unauthorized Access ×2 | [COORD ON FILE] | [COORD ON FILE] | Crime marker
Access Breach (Chemical) ×2 | [COORD ON FILE] | [COORD ON FILE] | Crime marker
Mail Theft | [COORD ON FILE] | [COORD ON FILE] | Crime marker
Trespassing ×2 | [COORD ON FILE] | [COORD ON FILE] | Crime marker

Location 1: [LOCATION ON FILE — AVAILABLE TO AUTHORIZED RECIPIENTS]
Role in Market: Primary target location — current analyst residence
Attack History: C2 beacon (UDP 7788) active; WireGuard exfiltration tunnel; Blink camera compromise; router compromise; cross-location persistence documented Nov 2021–present

Subject: RIAB-1
Assessed Role: Residential Initial Access Broker (RIAB)
Access Vector: Property owner or HOA controller of land on which ISP cable infrastructure is located near Location 1. Positional authority enables physical access to LOC-1: ISP-CNP-exchange.
Infrastructure: LOC-1: ISP-CNP-exchange ([COORDINATES ON FILE]). Spliced Cable documented at same node. Physical splice witnessed and documented. EOO

Subject: Target #2 — Access Manager
Assessed Role: Access Manager — adjacent property, Cluster 2
Coordinates: [COORDINATES ON FILE]
Access Pattern: Positional/environmental authority. Not intimate access. Adjacent property provides physical proximity to Location 1 without requiring personal relationship.
Associated Crimes: Trespassing ×2, Access Breach (Chemical) ×2, Mail Theft at Location 1

[LOCATION ON FILE] — Access Manager Staging Site
Assessed Role: Access Manager field staging site — Cluster 2
Location: [LOCATION ON FILE]. Directly adjacent to and behind [LOCATION ON FILE] (Location 1).
Feb 18–19, 2026: Directed bright lights from rear property through back door and into yard of Location 1, concurrent with Blink camera compromise (feed replacement with static 5-frame capture). Consistent with illumination for nighttime equipment staging or physical surveillance under cover of darkness. EOO
Feb 20–21, 2026: Drones visually observed operating in airspace between Location 1 and the rear property (Geography 4). Generator audible from the rear-property direction — consistent with powering independent field equipment (known OpSec: avoids utility records as detection vector). EOO
Concurrent Network: ~100,000 packets exfiltrated to Atlanta, GA and Texas server clusters via WireGuard tunnel during this operational window (PCAP-documented).
Prior EOO History: Subjects at the adjacent rear property, previously documented as a site of suspected infrastructure activity. Prior EOO disclosures documented subjects physically accessing infrastructure components consistent with tapping or intercepting internet/telecommunications lines serving Location 1. EOO
CLUSTER 3 · GEOGRAPHY 4 — CLUSTER C
SUBJECT: RIAB-3
Cluster Status: Identified — Profile Pending
RIAB-3 is assessed as the IAB asset operating within the target county — the county in which the primary target residence is located. A RIAB operating within the target county would hold the most direct positional authority over the cable infrastructure serving the target’s address. This cluster is identified based on jurisdictional analysis and EOO observation. Detailed subject profile and coordinates are to be supplemented as additional documentation is formalized. Its inclusion here reflects the split-county operational structure documented throughout this report.
CLUSTER 4 · GEOGRAPHY 5 — RURAL SOUTHEAST CLUSTER
RIAB-4 · FIELD INSTALLATION SITES: GEOGRAPHY 5

Placemark | Latitude | Longitude | Status
Geography 5 Site A | [COORD ON FILE] | [COORD ON FILE] | Witnessed installation
Installation (Aug 2025) | [COORD ON FILE] | [COORD ON FILE] | EOO — direct observation
Geography 5 Site B (Suspected) | [COORD ON FILE] | [COORD ON FILE] | Suspected additional node

[LOCATION ON FILE — AVAILABLE TO AUTHORIZED RECIPIENTS]
Assessed Role: Field installation site — RDN infrastructure expansion or additional target access node
Event: Installation of equipment witnessed by analyst, August 2025. EOO — This constitutes the first formal disclosure of Geography 5 activity to any law enforcement agency.
Cross-Reference: RDN Incident Report: Geography 5 (March 2026) — companion document, first disclosure

Geography 5 (Geography 5 county) — Suspected Exploit Installation (GA Location #5)
Status: Suspected — assessed as active exploit installation site based on EOO observation and geographic proximity to GA Location #4 documented installation
Coordinates: [COORDINATES ON FILE]
Assessment: Possible additional field installation or related infrastructure node in Geography 5 area. Not yet confirmed by additional independent evidence beyond EOO-informed assessment.
[*] FOOTNOTE — EXPLOIT GENERATION: The most recent exploit installation documented in this case is assessed as highly invasive in its capability and access profile. It is the 4th generation of exploit infrastructure directly observed by the analyst across the course of this investigation. This generational characterization reflects the analyst’s direct longitudinal observation and is not asserted as a global baseline — the total number of generations deployed across all targets or geographies is unknown and may differ significantly.
Part VI

EYES-ON-OPERATIONS (EOO) FIELD NARRATIVE

EOO Definition
Eyes-On-Operations (EOO) is the analyst’s continuous program of direct physical field surveillance of this operation and its participants, conducted independently of and prior to all digital forensic evidence collection. EOO activity constitutes first-person eyewitness testimony and is legally distinct from, though corroborative of, digital evidence. EOO active since 2018.

2018–2021: Initial EOO Activity

The analyst first observed activity consistent with an organized physical surveillance and infrastructure tampering operation in 2018. This predates the formal digital forensic investigation by several years and represents independent establishment of the operational pattern before technical evidence collection began. EOO observations during this period documented behavior patterns, actor presence, and physical access activity at locations associated with this case.

Location 1 / Prior Locations (Nov 2021 — Present)

EOO has been conducted at each residential location occupied by the analyst since November 2021. The cross-location persistence of the same attack infrastructure (ASUS router, MAC 3c:7c:3f:56:2f:d8; port 7788 C2 beacon) was first established through EOO observation before being confirmed through technical analysis.

  • Location 2 (June 2022–Nov 2023): EOO documentation of infrastructure tampering; dashcam footage obtained during active surveillance; physical activity consistent with cable access/installation documented. The analyst was evicted from this location — assessed as market-coordinated action to disrupt EOO and reestablish access control.
  • Location 3 / Current (Jan 2026–Present, [LOCATION ON FILE]): EOO active throughout the SITREP 1–5 window. The rear property (Geography 4) is under EOO observation. Drone operations, generator staging, and directed illumination were all EOO-observed and cross-confirmed with PCAP data showing concurrent network exfiltration.

LOC-1: ISP-CNP-Exchange (Cluster 2)

Physical cable splice at the streetside CNP-exchange node serving Location 1 was directly observed and documented under EOO. Splice evidence is geospatially documented in the case KML file. EOO

Geography 5 / Geography 5 county Installation (August 2025)

Equipment installation at [LOCATION ON FILE], Geography 5 was directly witnessed by the analyst in August 2025. This is EOO evidence of active market infrastructure expansion or maintenance. No prior disclosure to any law enforcement agency had been made regarding this site. This report constitutes the first such disclosure. EOO

RIAB-1 and RIAB-2 (EOO)

Both RIAB subjects have been observed by the analyst in proximity to their assessed access infrastructure under EOO. Observations are consistent with their assessed roles as property/HOA controlling-interest holders facilitating physical ISP infrastructure access. EOO observations of both subjects predate and are independent of the KML geospatial evidence. EOO

The IFB Pattern

During EOO, the analyst observed behavioral patterns in individuals assessed as Access Control assets consistent with real-time handler coaching via IFB (Interruptible Foldback) — earpiece-based direction that allows a handler to coach an embedded asset in real time without visible two-way communication. This is a known technique in both intelligence and organized crime contexts. The pattern has been documented across multiple locations and multiple individuals. EOO

Part VII

MARKET OPERATION: END-TO-END FLOW

The following describes the assessed operational sequence of this RDN. All steps are represented by evidence already in the agency record or documented herein.

1. TARGET PRICING

The market identifies and prices the target. The target’s data value is assessed and a market commission is established. This pricing function is upstream of all physical access activity.

Evidence: Sustained multi-year investment in maintaining access across multiple locations is inconsistent with opportunistic crime. Consistent recommitment of resources after each disruption (factory reset, router replacement, relocation) confirms a pre-monetized target with ongoing market value.
2. RIAB ACTIVATION

The market tasks a RIAB (RIAB-1 or RIAB-2) to establish physical ISP access. The RIAB’s property or HOA position provides physical access to the CNP-exchange serving the target. A cable splice or tap is installed.

Evidence: LOC-1: ISP-CNP-exchange; Spliced Cable marker (case KML); ISP-CNP-exchange Cluster 1 (RIAB-1); EOO direct observation of splice at LOC-1; Spectrum non-responsive to disclosure.
3. ACCESS MANAGER PLACEMENT

The Access Manager establishes a physical staging position adjacent to the target’s residence. This provides surveillance capability, operational coordination, and physical access to the target’s premises.

Evidence: Target #2 (adjacent property, Cluster 2); [LOCATION ON FILE] as field staging site; crime markers (Trespassing ×2, Access Breach Chemical ×2, Mail Theft) at Location 1.
4. ACCESS CONTROL PLACEMENT

The Access Control asset is placed in the target’s intimate environment. The AC provides real-time intelligence on target behavior, network use, device inventory, and countermeasures. Handler coaching via IFB pattern facilitates AC coordination.

Evidence: Location 2 (Cluster 1, assessed AC position); IFB pattern observed during EOO.
5. TECHNICAL EXPLOITATION

With physical infrastructure access and human intelligence assets in place, technical exploitation begins. The router is compromised via CVE-2021-45039 or a related ASUS cfg_server vulnerability. The C2 beacon activates on UDP port 7788.

Evidence: Beacon capture (Jan 2–5, 2026); initial technical disclosures on file; PCAP corpus on file.
6. INSIDER SUPPRESSION

The Insider asset degrades institutional response — ISP non-responsiveness, suppression of normal escalation channels. The goal is the introduction of delay, distrust, and chaos sufficient to allow the operation to continue.

Evidence: Spectrum non-responsive to multiple disclosures regarding CNP-exchange activity; ISP modem reset available only to ISP/attacker.
7. DATA COLLECTION AND EXFILTRATION

Active exfiltration occurs. A WireGuard tunnel is established to the C2 at 23.234.108.3:10607. Drones are deployed from the Geography 4 rear property concurrent with digital exfiltration.

Blink Camera — Supply Chain Attack / Implant Confirmed
The Blink camera system is assessed as a supply chain attack. An implant has been confirmed present; full forensic analysis is ongoing. Prior behavioral indicators (frame timing violations in Photo Capture compilations; static 5-frame feed substitution; live-view download activity not initiated by the homeowner) are now assessed as consistent with a firmware or hardware-level implant rather than application-layer credential compromise alone.

Significance: A supply chain attack means the device was compromised before or at delivery — prior to deployment on the target’s property. Standard factory reset and credential rotation do not remediate. The implant constitutes a persistent, hardware-anchored surveillance capability independent of the target’s network credentials or cloud account. Supply chain attack surface extends to manufacturer, distributor, fulfillment, or last-mile delivery.

Status: ANALYSIS PENDING. Evidence preserved. Supplemental report forthcoming.

Evidence: SITREPs 4–5; EXFIL-2-22-26.pcapng; WireGuard capture; Blink camera feed substitution (Feb 18–21, 2026); Blink implant (confirmed, analysis pending); ~100,000 packet exfiltration Feb 20–21, 2026; 1.03 GB exfiltration Feb 27–28, 2026; 12 attacker IPs exposed (NOCLOAK, SITREP 5).

Part IX

EVIDENCE AVAILABLE

Digital / Network Forensics

  • Beacon captures: UDP 7788, adaptive payload, 60-second interval, cross-location persistent (Jan 2–present; prior sessions 2022–2023)
  • WireGuard exfiltration PCAPs: EXFIL-2-22-26.pcapng and related captures; C2 23.234.108.3:10607; bidirectional confirmed
  • Full PCAP corpus indexed (Mar 19, 2026)
  • 12 attacker IPs exposed via NOCLOAK event (SITREP 5)
  • Blink camera — SUPPLY CHAIN ATTACK (analysis pending): Implant confirmed present. Prior indicators (frame timing violations; static feed substitution; live-view download not initiated by homeowner) consistent with firmware/hardware-level implant. Device compromised before or at delivery. Factory reset and credential rotation do not remediate. Supplemental report forthcoming.
  • Router forensics: ASUS RT-AX82U, MAC 3c:7c:3f:56:2f:d8, factory-reset defeat confirmed, cross-location persistence chain
  • Steganographic payload decode (Feb 2, 2026)
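
A defender's check for the beacon pattern listed above (one UDP port, fixed interval), as an added example that is not part of the original report or its tooling: it groups flow records by destination and flags flows whose inter-arrival gaps are nearly constant. The record layout, thresholds and sample addresses (RFC 5737 documentation ranges) are assumptions made for the example; the sample data is constructed.

```python
from collections import defaultdict
from statistics import median


def find_beacons(records, min_events=6, max_jitter=0.05):
    """Flag flows whose packets arrive at a near-constant interval.

    records: iterable of (epoch_seconds, src, dst, proto, dst_port).
    Jitter is the median absolute deviation of the inter-arrival gaps divided
    by the median gap, so one dropped or delayed packet does not hide a beacon.
    """
    by_flow = defaultdict(list)
    for ts, src, dst, proto, dport in records:
        by_flow[(src, dst, proto, dport)].append(ts)

    hits = []
    for flow, times in by_flow.items():
        if len(times) < min_events:
            continue  # too few samples to call anything periodic
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        period = median(gaps)
        if period <= 0:
            continue  # duplicate timestamps only; nothing to measure
        jitter = median(abs(g - period) for g in gaps) / period
        if jitter <= max_jitter:
            hits.append({"flow": flow, "events": len(times),
                         "period_s": round(period, 1),
                         "jitter": round(jitter, 4)})
    return sorted(hits, key=lambda h: h["jitter"])


def sample_records():
    """Constructed flow records, not data from the report's PCAP corpus."""
    base = 1_700_000_000.0
    recs = []
    # One UDP datagram to port 7788 about every 60 s; the datagram due at
    # roughly 180 s is missing, as happens with capture loss.
    for off in (0.0, 60.2, 119.9, 240.0, 299.8, 360.3, 420.0, 480.1):
        recs.append((base + off, "192.0.2.10", "198.51.100.7", "udp", 7788))
    # DNS lookups from the same host at irregular, user-driven times.
    for off in (3.0, 4.1, 95.0, 97.5, 310.0, 311.2, 400.0):
        recs.append((base + off, "192.0.2.10", "203.0.113.53", "udp", 53))
    # Regular but short flow: below min_events, so it is not reported.
    for off in (10.0, 70.0, 130.0):
        recs.append((base + off, "192.0.2.11", "198.51.100.9", "tcp", 443))
    return recs


if __name__ == "__main__":
    for hit in find_beacons(sample_records()):
        print(hit)
```

A low jitter score only shows periodicity; NTP, telemetry and keep-alives score the same way, so each hit still needs its destination and payload reviewed.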

Geospatial

  • Case KML file: 19 named placemarks, 3 geographic clusters
  • LOC-1: ISP-CNP-exchange with Spliced Cable co-location
  • All subject and crime-marker coordinates preserved (see Part V)

Eyes-On-Operations (EOO) / Eyewitness

  • Physical infrastructure tampering observed at multiple locations (2018–present) EOO
  • LOC-1 splice: direct observation, geospatially documented EOO
  • Geography 5 / Geography 5 county installation: August 2025 EOO
  • Geography 4 rear-property operations: Feb 18–21, 2026 (drones, generator, directed illumination) EOO
  • RIAB-1 and RIAB-2 observed in proximity to assessed access infrastructure EOO
  • IFB-pattern behavior documented across multiple individuals and locations EOO

Physical

  • Dashcam footage: infrastructure tampering, prior location (2022–23)
  • Photographic documentation: prior location infrastructure (2021)
  • Blink camera still captures: Feb 18–19, 2026 (3 dated image files)

Supporting Evidence Corpus

  • SITREPs 1–5 (Jan 3 – Feb 28, 2026 incident timeline)
  • Beacon payload corpus and ZIP (SHA-256: c4fffe1af3f9939a3b942f9a1970997d8df4c2bc7fb3edc38707ed8ced04e7ac)
Part X

DECLARATION OF EVIDENCE INTEGRITY AND METHODOLOGY

Backwater Forensics — Digital Forensic Science (Champlain College) — hereby attests to the following regarding the evidence referenced in this report:

  1. COLLECTION: All digital evidence was collected using accepted forensic methodologies, including write-blocked acquisition where applicable and packet capture using Wireshark and equivalent tools under controlled conditions.
  2. PRESERVATION: Evidence has been preserved in its original form. All PCAP files and digital artifacts are stored locally on encrypted media. No cloud services have been used for evidence storage or transmission.
  3. INTEGRITY: Hash values (SHA-256) have been computed and retained for all primary evidence files. Hash records are maintained separately from evidence to enable independent verification.
  4. PRESENTATION: Evidence is presented as collected, without alteration, enhancement, or modification. Analysis and interpretation are clearly distinguished from raw evidence.
  5. CHAIN OF CUSTODY: All evidence referenced herein has been under the continuous custody and control of the analyst from the point of collection to the point of disclosure. Any transfers to law enforcement agencies have been documented with receipt.
  6. EOO ATTESTATION: All Eyes-On-Operations (EOO) observations documented herein are direct, first-person eyewitness accounts by the analyst. EOO findings are presented as factual observation of what was seen, not as conclusions regarding meaning or significance.

This document presents investigative findings for agency evaluation. No legal conclusions are offered herein. All role attributions and organizational assessments represent investigative characterization based on observed evidence and are not findings of fact or determinations of guilt. The analyst is not acting as an agent of any law enforcement agency.

Signed: Backwater Forensics · Date: March 27, 2026

KML Evidence Integrity Note
The original geospatial evidence file is preserved unmodified. Subject names as labeled in that file have been anonymized in all derived reporting documents. The KML itself is not altered — doing so would compromise chain of custody and evidence admissibility. Any agency requiring the original named KML should request it directly from the analyst with chain-of-custody documentation.
