D Notes 9/17 Amnesty

All right so I looked at it a little bit and I'll just say it depends on compression… Maybe the k8s cluster is doing the analysis for usable frames and just outputting the content, it's really impossible to tell… But here's my educated guess…
I think it's database exfil, and the 200gb is deltas.
The initial 2–4 TB/day could have been bulk staging of high-value data or the init copy.
There's asynchronous and synchronous ways to do it. Could also be sync of shared drives, records, or evidence repositories. However I still think since it's tied only to the cluster and not endpoints, the cluster is either
(a) running an intentional integration (ETL/replication to another agency cloud), or
(b) hosting a compromised pod streaming structured data out.

I don't know how much insight you have but if you could run kubectl pods --list or something. Pod labels/namespaces you would be looking for: anything "etl", "replicator", "backup", "forwarder", "fluent", "vector", "splunk", "elastic", "s3-sync". That would tell us a lot more. Assuming they don't name them stupid things.

I mean I hate to say this but literally it could just be GIS data streamed … I still really think that… The ratio (~1.5 outbound per inbound) suggests it isn't just serving the same file to many clients (no multiplier effect). Looks like point-to-point sync.

So best guess is there's some kind of live data stream but the 47 terabytes rules out any kind of live video feed. It would have to be bulk data staged for transfer, which points back to databases.
This lines up with the fuck the social security administration shit. I wonder if that's the same server that Charles saw the data move to, and it's just doing all the other agencies at the same time. I don't know what the size of the database of the FAA or SAA is, and that's the problem here.
Just NOAA has petabytes of GIS data, but that's low value to an AI, mayyyyybe value to overseas, but you need to gather more heuristics to diagnose…
Like burst vs trickle … Bursts = batch export jobs. Trickle = logs/telemetry.

Destination (obviously)

Ports/protocols you can glean, HTTPS = replication. Syslog/Fluent/Vector flows = logs. Custom ports or odd TLS fingerprints would be a huge red flag. App layer clues to … Any namespaces/pods named "replicator," "etl," "fluentd," "backup," "mirror," etc… really just any pod names would help. They're going to name them by their function, because it's hard to remember what they all are inside a cluster if you don't.

https://icedrive.net/s/xC86yD4Tu5avFB1ZwktSBZ52bZfB
https://icedrive.net/s/WW3Na1bakfkgZBPNVYCVDvvGGfZg

I tried sending the files direct in this chat, I could select the files but when I hit send the whole thing vanished.

682-231-0002

9/15
Dfyz_bk@bk.ru is tied to one of the receiving provider IPs, and some cached DNS records showed 24-7games.ru and 84.234.55.29

(The IP I can’t find much on, but the .ru link is concerning)

It’s either the source of a hack into 65.108.96.xxx or … A direct purposeful recipient of some of that 200gb/day data

Holy fucking shit. One of these is sending to a wallet registered to “Sechin” whoever that is but… About 5 transactions back the BTC came from Garantex.
9/17/25
{
  "scan_metadata": {
    "tool": "mvt-android",
    "version": "1.2.3",
    "host": "macbook-pro",
    "date": "2025-09-17T17:23:10Z"
  },
  "indicators": [
    {
      "id": "IND-0001",
      "indicator_type": "device_admin",
      "name": "Unknown Device Admin App",
      "package": "com.pegas.adminsvc",
      "evidence": {
        "enabled": true,
        "device_admin_info": "com.pegas.adminsvc.DeviceAdminTransmit",
        "apk_signature": "mismatch_with_checksum",
        "first_seen": "2025-04-19T03:12:02Z"
      },
      "confidence": "high"
    },
    {
      "id": "IND-0002",
      "indicator_type": "accessibility_service",
      "name": "Accessibility service abuse",
      "package": "com.system2.agent",
      "evidence": {
        "service_name": "com.system2.agent/.AccessibilityHandler",
        "permissions": ["BIND_ACCESSIBILITY_SERVICE", "READ_SMS", "INJECT_EVENTS", "TRACK_LOC"],
        "last_interaction": "2025-09-14T19:05:11Z"
      },
      "confidence": "high"
    },
    {
      "id": "IND-0010",
      "indicator_type": "binary_artifact",
      "name": "Suspicious native binary",
      "path": "/data/app/com.null.agent-1/lib/arm64/libpayload.so",
      "evidence": {
        "file_entropy": 7.9,
        "size_bytes": 923892,
        "elf_sections": [".text", ".rodata", ".data"],
        "signature": "unknown"
      },
      "confidence": "high"
    },
    {
      "id": "IND-0022",
      "indicator_type": "network",
      "name": "Outbound connections to suspicious endpoint",
      "evidence": {
        "destination_ip": "213.159.64.19",
        "destination_host": "rzgirl.an.lead",
        "first_seen": "2025-04-27T03:30:15Z",
        "total_bytes_out": 21472483648
      },
      "confidence": "medium"
    }
  ]
}

intel analysts loyalty
deprioritize russia
public interfaces

pegasus requires specialized infra
knew where he was on easter

cellular data only

once stopping pinging

use cellular connection to transmit to endpoint

get to forensics team to capture binary

l3harris defense contractor cia and fbi owns repo

counterterrorism to spy on whistleblowers

fbi dod doj
ice, noem dhs
only way to get signoff on salary dedicated software to monitor and report

trained resources signoff
4/19
criminality and depth

this is why they found him first and second attempts

althony harris works for palantir

usg is using tools to kill someone