Tactics
Methods used by the actors targeting the case subject. Each entry names a pattern, defines it, traces where it appeared in the storm, and cross-references the underlying tradecraft on plausibledenial.org where applicable. Where techniques names what the case subject does, tactics names what is done against the case subject.
This is editorial scaffolding, not how-to material. The point is naming what is done — so the same pattern, when it appears under a different cover story, can be recognized again. Entries are grouped by domain. Groups will be added, renamed, or split as the vocabulary fills out.
Technical
Operations against the target's accounts, devices, communications, and networks. Phishing, account compromise, scanning, and the wireless / RF surface.
-
Attachment phishing
An unsolicited SMS containing an attached file (PDF, image, document) designed to deliver malware, harvest credentials, or compromise the recipient's device when opened. Distinct from hop seeding (no metadata edge needed) and from phantom account (no account is being maintained) — the payload is the point.
also known as bad attacher, smishing with payload, SMS-borne malware, PDF smishing
-
Hop seeding
The deliberate injection of a target's phone number into someone else's contact graph — typically via an unsolicited "wrong number" text designed to elicit any reply at all — for the purpose of pulling the target into a contact-chaining query.
also known as graph injection, metadata seeding, metadata fabrication, pretextual contact (umbrella)
-
Proximity wireless exploitation
Attacks against a target's WiFi and Bluetooth devices from within radio range — no network credentials needed. Exploits the long, continuing CVE history in consumer wireless protocols (WPA2/WPA3, Bluetooth Classic and LE, vendor chipset firmware) plus the protocol-level weaknesses (evil-twin, deauth) that work even on unpatched-defended networks. Range is measured in meters, not network hops.
also known as close-access radio attack, WiFi-adjacent attack, over-the-air exploitation, same-building threat
-
Push bombing
Repeatedly triggering a system-level approval prompt on a target's trusted device — for Apple accounts, the "Reset Password" dialog — in the hope that the target eventually taps Approve by reflex, accident, or fatigue. The attacker needs no password; they need one mistaken tap.
also known as MFA fatigue, prompt bombing, MFA bombing, push fatigue, Apple ID reset attack (the Apple-specific variant)
-
Web property scanning
Automated and semi-automated reconnaissance against a target's web properties — typically triggered by Certificate Transparency log monitoring within minutes of a new domain's first TLS certificate — looking for exposed credentials, configuration files, secret tokens, and backup archives before the operator has finished hardening. Includes both Nuclei-class burst scans from bulletproof-hosting clusters and slower curated curl/LLM-assisted recon passes.
also known as fresh-deploy scanning, CT-log scraping, credential reconnaissance, Nuclei-class probing, secrets-wordlist sweep
-
WiFi sensing
Passive surveillance technique that extracts presence, motion, gait, and respiration data from the radio reflections of ambient WiFi signals — including, critically, the target's own router. Dramatically more accurate when the target operates a WiFi radio inside the environment being observed, because the observer no longer needs to penetrate walls with their own signal.
also known as CSI sensing, WiFi-based human sensing, through-wall WiFi imaging, RF imaging, device-free sensing
Identity
Acting as the target — using the target's identity, voice, signature, accounts, or documents — to interact with third parties as if the target had.
-
Impersonation
Acting as the target (using the target's identity, name, voice, image, accounts, signature, or documents) to interact with third parties in ways the target did not authorize. The third parties take the actions as the target's; the target finds out later or not at all. Distinct from acting as someone else (a "support agent," a fake institution) against the target — this is the flipped direction: the operator is the target, to outsiders. Modern voice cloning, signature lifting, and account compromise have moved this from rare-and-skilled to routine and cheap.
also known as identity theft (the financial-fraud subset), voice cloning, signature forgery, speaking-as, identity hijack, identity capture
-
Outbound impersonation
Someone other than the account holder sends messages out of the account holder's own communication channel — iMessage, email, social-media DM — making the recipient believe the account holder sent them. Distinct from phantom account (which uses the holder's number on a third-party service) — this is the holder's own account, used against the holder.
also known as account compromise (outbound), speaking-as, channel takeover, identity hijack, linked-device exploitation
-
Phantom account
An account opened on a third-party commercial service using a target's phone number as the contact identifier. The target receives verification codes, transactional SMS, and notifications, but does not own the account and cannot access it.
also known as phantom registration, ghost account, customer impersonation, number-as-identifier injection
Reputational
Operations against how the target is perceived. Manufactured narratives, recirculated stories, and person-to-person channels — the material that travels through the people around the target.
-
Circular reporting
A single unverified claim from one source, passed laterally between agencies, databases, or observers, accumulates the appearance of corroboration with each handoff. By the time the claim reaches a decision-maker it looks like four independent confirmations; in reality it is the original single source echoing through the system. The downstream-pipeline companion to citizen-informant deployment — that tactic gets reports into the system; this one makes them look corroborated once they're in.
also known as corroboration laundering, information laundering, source-collision masking, single-source corroboration, lateral-sharing inflation, echo-chamber intelligence, Curveball-pattern reporting
-
Citizen-informant deployment
Co-opted civilian observers — neighbors, fellow customers, store clerks, security guards — recruited or activated through community-policing channels to monitor, report on, follow, and sometimes harass a target across all the necessary errands a person cannot avoid: grocery, bank, pharmacy, medical, gas station, post office. Every participant has plausible cover as a concerned citizen; the aggregate is a distributed surveillance and pressure layer. No clean counter exists.
also known as community policing (when weaponized), gangstalking (the TI-community term), citizen-informant network, distributed civilian surveillance, SAR-lateralization (Suspicious Activity Reporting, extended), watch-list lateralization, Stasi-style informant network (historical analogue)
-
Reputation smear
The sustained operation of building and circulating a false negative narrative about the target (gossip, posts, anonymous tips to institutions, planted articles, social-media campaigns, calls to employers and family) to degrade the target's standing with the specific people and institutions whose opinion of the target matters. The long-game variant builds a poisoned Googleable footprint so that anyone searching the target's name finds the smear first. The short-game variant routes specific information to specific recipients at the moment a decision is being made.
also known as whisper campaign, character assassination, poison-pill narrative, planted-narrative campaign, DARVO (the inversion variant where the actor casts the target as the actor), flying-monkey campaign (covert-relational register)
Legal
Operations conducted through legal and institutional process. Litigation as weapon, manufactured evidence aimed at institutional decisions, captured fiduciary authority.
-
Family court squeeze play
Using family court process (custody motions, contempt filings, ex parte orders, repeated re-litigation of settled questions) against a target as the actual operation, not because there is a real grievance the court is being asked to resolve. The three outputs it is built for: drain the target's finances, keep them in sustained emotional crisis, and build an on-paper record that can later be characterized as "litigious" or "unstable." The case is the means. The costs the case imposes are the end.
also known as litigation abuse, post-separation litigation abuse, family court warfare, vexatious litigation against an individual, lawfare via custody
-
Frame job
The deliberate manufacturing of evidence (placed items, fabricated communications, recruited witnesses, staged scenes, manufactured paper trails) designed to be discovered and to look like the target did something the target did not, in order to trigger a specific adverse institutional response: arrest, prosecution, firing, license revocation, custody loss, restraining order, involuntary commitment, social exile. The frame is the procedural cousin of the smear: where the smear aims at degraded standing, the frame aims at a decision a specific institution will make about the target on the basis of the manufactured material.
also known as frame-up, set-up, fit-up (British register), evidence fabrication, manufactured evidence, false-flag attribution, SWATing (the violent law-enforcement-deployment variant)
-
Power of attorney capture
Obtaining a power of attorney over a target by fraud (forgery, undue influence, signature during a moment the target was not in a position to consent meaningfully) or by soft-coercion (talking the target into a "just in case" instrument the target did not actually need) and then using it to act on the target's finances, medical decisions, contracts, property, and correspondence. The acquired instrument does the work that direct compulsion could not. Banks, hospitals, attorneys, and courts generally honor a facially-valid POA on its face, so the burden of un-doing it falls on the target.
also known as POA abuse, fraudulent power of attorney, coerced power of attorney, undue-influence POA, soft-coerced POA, pre-positioned power of attorney, standby POA used as leverage
Presence
Operations conducted in the target's physical environment. In-person actors, staged scenes, neighborhood-and-street-level pressure.
-
Street theater
Staged public performances near the target — audible statements, visible objects, color cues, "overheard" conversations — designed to plant specific content in the target's mind under the cover of public-space ambient noise. Each individual instance has a perfectly innocent explanation; the aggregate is the message.
also known as street theatre, noise campaign, sensitization staging, coordinated coincidence, the bump-into, ambient harassment
-
Vehicle interference
Manipulation of the target's vehicle (direct sabotage, subtle tampering, tracking-device placement, repair-shop interference) and of the target's broader ability to move (rideshare routed past staged sites, transit connections engineered to fail, travel infrastructure flagging the target at gates). The target's own mobility envelope, the part of their life that depends on getting from A to B, becomes the operating surface. Some events are dangerous on their face. Most are deniable, ambiguous, and cumulative: each one absorbable as bad luck, the pattern unmistakable across enough of them.
also known as vehicle tampering, mobility interference, transportation interference, automotive sabotage (the dangerous-on-its-face variant), vehicular gangstalking (the popular but low-discipline term)