4th of July 2025 - Surveillance continues

Automated reconnaissance sweep using BrowserAutomationStudio bots from two Meta data center IPs.
Running on Windows virtual machines with Chrome spoofing and VPN rotation.

Purpose:
Post-exposure visibility test. Attempted to re-enter site undetected via automation.

Outcome:
Flagged.  Logged. Attribution: High probability linked to same actor group behind June surveillance.

Below: Overview of attempts at observation

Cyberstalking Campaign: Security Analysis Report

 

Executive Summary

Between June 27-30, 2025, this website was subjected to a sophisticated cyberstalking campaign involving 30 separate surveillance sessions conducted by known threat actors. The operation demonstrates professional-grade technical capabilities, significant financial resources, and systematic intelligence gathering that can only be described as organized harassment.

This campaign represents a direct escalation from November 2024 attacks where the same perpetrators successfully compromised over 20 accounts and attempted cryptocurrency theft. During those attacks, one exchange captured an unmasked IP address from Hemmoor, Germany, establishing the geographic connection to "Dom," the technical accomplice assisting my abuser in these cyberstalking activities.

 

Four-Day Surveillance Campaign Analysis

 

June 27, 2025: Initial Panic Response 6 Sessions across 12 Hours

The surveillance campaign began with coordinated attacks from multiple international datacenters. Sessions originated from Amazon AWS (Oregon), Google Cloud (Iowa), Level3 (Central US), and Scaleway (Paris). The attackers deployed sophisticated automation tools including Puppeteer Stealth, HeadlessChrome, WebDriver, and Selenium - all enterprise-grade browser automation frameworks typically used by security professionals or malicious actors.

Two sessions executed just 4 seconds apart from the same Amazon AWS IP address demonstrate coordinated scripted attacks rather than human browsing. The use of premium cloud infrastructure across multiple providers indicates significant financial resources and some technical sophistication.

 

June 28, 2025: Defense Testing 3 Sessions across 12 Hours

 

A more measured approach suggesting the attackers were testing detection capabilities and refining their methods. Sessions showed returning visitor fingerprints and infrastructure reuse, proving coordinated rather than random attacks. The deployment included VPN-masked mobile device simulation and virtual machine usage for forensic protection.

 

June 29, 2025: Full-Scale Assault 15 Sessions across 18.5 Hours

 

The most intensive surveillance day, spanning multiple continents with an estimated daily cost of $200-400 in cloud infrastructure. Infrastructure usage included Google Cloud (Belgium, Iowa), Amazon AWS (Oregon), HostRoyale Technologies, M247 Europe (Denmark), Scaleway (Paris), and Level3 backbone networks.

Multiple visitor fingerprints returned across different IP addresses and countries, proving persistent identity management across infrastructure changes - hallmark behavior of professional surveillance operations. The sustained intensity and resource commitment indicate this is far beyond casual monitoring.

 

June 30, 2025: Strategic Surveillance 6 Sessions across 12 Hours

 

The campaign evolved to include systematic content archival and geographic expansion. Critical developments included the first Middle Eastern deployment from Saudi Arabia using advanced browser spoofing, direct connection from Germany (Hetzner Online, Falkenstein region - near the previously identified Hemmoor location), and most significantly, deployment of professional data collection tools.

The Dataprovider.com spider deployment represents a major escalation - systematic archival of entire website content indicating preparation for legal action or evidence gathering.

 

Technical Analysis

Automation Tools Deployed:

• HeadlessChrome: 11 total sessions (server-side browser automation)
• Selenium: 6 sessions (classic web automation framework)
• WebDriver: 5 sessions (W3C standard automation protocol)
• PuppeteerStealth: 4 sessions (detection evasion specialist)
• Mobile device simulation: 4 sessions (iOS/Android spoofing)

Infrastructure Investment: Premium cloud services across 8+ countries and 4 continents including Google Cloud Platform, Amazon AWS, Hetzner Online, Scaleway, M247 Europe, HostRoyale Technologies, and OVH. The geographic distribution and infrastructure costs indicate substantial financial resources dedicated to this surveillance operation.

Operational Security Practices:

• VPN rotation across multiple countries
• Browser fingerprint manipulation (anomaly scores >0.90 in multiple sessions)
• Virtual machine deployment for forensic protection
• Persistent visitor identity management across infrastructure changes

The German Connection

The November 2024 attacks established the hackers connection to Hemmoor, Germany through unmasked cryptocurrency exchange access. The June 30th deployment from Hetzner Online in Falkenstein, Germany (approximately 100km from Hemmoor) without VPN masking suggests confidence in local jurisdiction and reinforces the geographic attribution to the same technical operator.

The progression from account compromise attempts to professional website surveillance demonstrates escalating cyberstalking behavior by the same threat actors. 

 

Legal and Psychological Assessment

 

Evidence of Systematic Harassment: The persistent visitor fingerprints returning across multiple days and countries prove this is coordinated stalking by identified actors rather than random traffic. The sustained resource commitment ($800-1600 estimated total infrastructure costs) and systematic content archival indicate preparation for legal action or continued harassment. The continued operation will supply ample evidence of cyber harassment and stalking behavior.

 

Psychological Warfare Indicators: The campaign demonstrates classic narcissistic abuse escalation patterns including control obsession (monitoring every published word), resource commitment (extensive financial investment in surveillance), international reach demonstration, and persistent psychological pressure through constant monitoring.

 

Strategic Intent: The deployment of content archival tools and systematic documentation suggests preparation for legal warfare, content suppression efforts, or evidence gathering for defamation claims. The escalation from monitoring to systematic archival represents a critical threat escalation. However, as everything I say on this website is backed up by 100% evidence the intent of the stalkers will fail. 

 

Conclusion

This four-day cyberstalking campaign represents professional-grade surveillance conducted by technically competent  actors with  financial resources. The connection to previously identified actors  through geographic and technical indicators, combined with the systematic nature of the surveillance, constitutes compelling evidence of organized cyberstalking.

The campaign's evolution from panic-driven monitoring to strategic intelligence gathering and content archival indicates the perpetrators view this website as an existential threat requiring sustained surveillance and potential legal countermeasures. The level of resource commitment and technical sophistication employed only makes economic sense if the potential consequences of the documented abuse could fundamentally impact the perpetrator's life circumstances. In other words, the people carrying out this obsessive monitoring and archiving are showing that they have a need to fear the truth from coming out. If you have done nothing wrong you need fear nothing. 

This surveillance campaign constitutes clear evidence of cyberstalking and may itself provide grounds for legal action against the identified threat actors. Investigation is ongoing. 

 

July 1st Surveillance Report: Continued Monitoring Campaign

The July 1st data shows sustained surveillance activity using familiar patterns and infrastructure, indicating the monitoring campaign continues unabated.

Session Analysis:

Returning Visitor Activity:

• Visitor GEnE1KIhHE0ZS00ni9Me continues multi-day monitoring (active since June 29)
• 3 sessions from Google Cloud Belgium across 2 different IP addresses
• Suspect score of 33 - the highest recorded for this visitor
• HeadlessChrome automation with VPN masking and virtual machine deployment

Saudi Arabia Infrastructure:

• Visitor eWa7ydDFyLXiVg0BIHdS conducted 3 sessions within 1 minute (11:42-11:43 UTC)
• Same Riyadh datacenter infrastructure (95.177.180.85) as June 30th
• HeadlessChrome masquerading as iOS Safari 10.0
• High browser tampering scores (0.9628) indicating sophisticated fingerprint manipulation

California Operations:

• New visitor using Leaseweb infrastructure (Santa Clara, California)
• VPN-masked mobile device simulation with timezone mismatch indicators
• High tampering score (0.9713) suggesting advanced evasion techniques

Technical Patterns:

Infrastructure Consistency:

• Continued use of premium cloud providers (Google Cloud, Leaseweb)
• Same geographic regions as previous surveillance (Belgium, Saudi Arabia, California)
• Advanced automation tools (HeadlessChrome) across all sessions

Operational Behavior:

• Multiple rapid sessions from Saudi Arabia suggests systematic content checking
• Returning visitor fingerprints indicate coordinated identity management
• Developer tools active in most sessions indicating technical monitoring capabilities

Surveillance Timeline:

• 08:41 UTC: California (Leaseweb)
• 11:42-11:43 UTC: Saudi Arabia (3 rapid sessions)
• 14:47-15:17 UTC: Belgium (Google Cloud, multiple IPs)

Pattern Assessment:

The July 1st activity demonstrates:

• Sustained monitoring commitment with continued resource investment
• Geographic diversification across three continents
• Technical sophistication with advanced evasion techniques
• Compulsive checking behavior evident in rapid successive sessions

Operational Continuity:

The surveillance campaign shows no signs of reduction despite:

• Previous documentation of their monitoring activities
• Potential legal processes involving evidence collection
• Public exposure of their surveillance patterns

The consistent visitor fingerprints and infrastructure choices indicate this is organized, persistent monitoring rather than casual or coincidental website visits.

Conclusion:

July 1st represents day five of documented surveillance activity, showing sustained commitment to monitoring this website through professional-grade infrastructure and automation tools. The patterns remain consistent with previous days, indicating an ongoing systematic surveillance operation