Tactics

Methods used by the actors targeting the case subject. Each entry names a pattern, defines it, traces where it appeared in the storm, and cross-references the underlying tradecraft on plausibledenial.org where applicable. Where techniques names what the case subject does, tactics names what is done against the case subject.

This is editorial scaffolding, not how-to material. The point is naming what is done — so the same pattern, when it appears under a different cover story, can be recognized again. Entries are grouped by domain. Groups will be added, renamed, or split as the vocabulary fills out.

Technical

Operations against the target's accounts, devices, communications, and networks. Phishing, account compromise, scanning, and the wireless / RF surface.

  • Attachment phishing

    An unsolicited SMS containing an attached file (PDF, image, document) designed to deliver malware, harvest credentials, or compromise the recipient's device when opened. Distinct from hop seeding (no metadata edge needed) and from phantom account (no account is being maintained) — the payload is the point.

    also known as bad attacher, smishing with payload, SMS-borne malware, PDF smishing

  • Hop seeding

    The deliberate injection of a target's phone number into someone else's contact graph — typically via an unsolicited "wrong number" text designed to elicit any reply at all — for the purpose of pulling the target into a contact-chaining query.

    also known as graph injection, metadata seeding, metadata fabrication, pretextual contact (umbrella)

  • Proximity wireless exploitation

    Attacks against a target's WiFi and Bluetooth devices from within radio range — no network credentials needed. Exploits the long, continuing CVE history in consumer wireless protocols (WPA2/WPA3, Bluetooth Classic and LE, vendor chipset firmware) plus the protocol-level weaknesses (evil-twin, deauth) that work even on unpatched-defended networks. Range is measured in meters, not network hops.

    also known as close-access radio attack, WiFi-adjacent attack, over-the-air exploitation, same-building threat

  • Push bombing

    Repeatedly triggering a system-level approval prompt on a target's trusted device — for Apple accounts, the "Reset Password" dialog — in the hope that the target eventually taps Approve by reflex, accident, or fatigue. The attacker needs no password; they need one mistaken tap.

    also known as MFA fatigue, prompt bombing, MFA bombing, push fatigue, Apple ID reset attack (the Apple-specific variant)

  • Web property scanning

    Automated and semi-automated reconnaissance against a target's web properties — typically triggered by Certificate Transparency log monitoring within minutes of a new domain's first TLS certificate — looking for exposed credentials, configuration files, secret tokens, and backup archives before the operator has finished hardening. Includes both Nuclei-class burst scans from bulletproof-hosting clusters and slower curated curl/LLM-assisted recon passes.

    also known as fresh-deploy scanning, CT-log scraping, credential reconnaissance, Nuclei-class probing, secrets-wordlist sweep

  • WiFi sensing

    Passive surveillance technique that extracts presence, motion, gait, and respiration data from the radio reflections of ambient WiFi signals — including, critically, the target's own router. Dramatically more accurate when the target operates a WiFi radio inside the environment being observed, because the observer no longer needs to penetrate walls with their own signal.

    also known as CSI sensing, WiFi-based human sensing, through-wall WiFi imaging, RF imaging, device-free sensing

Identity

Acting as the target — using the target's identity, voice, signature, accounts, or documents — to interact with third parties as if the target had.

  • Impersonation

    Acting as the target (using the target's identity, name, voice, image, accounts, signature, or documents) to interact with third parties in ways the target did not authorize. The third parties take the actions as the target's; the target finds out later or not at all. Distinct from acting as someone else (a "support agent," a fake institution) against the target — this is the flipped direction: the operator is the target, to outsiders. Modern voice cloning, signature lifting, and account compromise have moved this from rare-and-skilled to routine and cheap.

    also known as identity theft (the financial-fraud subset), voice cloning, signature forgery, speaking-as, identity hijack, identity capture

  • Outbound impersonation

    Someone other than the account holder sends messages out of the account holder's own communication channel — iMessage, email, social-media DM — making the recipient believe the account holder sent them. Distinct from phantom account (which uses the holder's number on a third-party service) — this is the holder's own account, used against the holder.

    also known as account compromise (outbound), speaking-as, channel takeover, identity hijack, linked-device exploitation

  • Phantom account

    An account opened on a third-party commercial service using a target's phone number as the contact identifier. The target receives verification codes, transactional SMS, and notifications, but does not own the account and cannot access it.

    also known as phantom registration, ghost account, customer impersonation, number-as-identifier injection

Reputational

Operations against how the target is perceived. Manufactured narratives, recirculated stories, and person-to-person channels — the material that travels through the people around the target.

  • Circular reporting

    A single unverified claim from one source, passed laterally between agencies, databases, or observers, accumulates the appearance of corroboration with each handoff. By the time the claim reaches a decision-maker it looks like four independent confirmations; in reality it is the original single source echoing through the system. The downstream-pipeline companion to citizen-informant deployment — that tactic gets reports into the system; this one makes them look corroborated once they're in.

    also known as corroboration laundering, information laundering, source-collision masking, single-source corroboration, lateral-sharing inflation, echo-chamber intelligence, Curveball-pattern reporting

  • Citizen-informant deployment

    Co-opted civilian observers — neighbors, fellow customers, store clerks, security guards — recruited or activated through community-policing channels to monitor, report on, follow, and sometimes harass a target across all the necessary errands a person cannot avoid: grocery, bank, pharmacy, medical, gas station, post office. Every participant has plausible cover as a concerned citizen; the aggregate is a distributed surveillance and pressure layer. No clean counter exists.

    also known as community policing (when weaponized), gangstalking (the TI-community term), citizen-informant network, distributed civilian surveillance, SAR-lateralization (Suspicious Activity Reporting, extended), watch-list lateralization, Stasi-style informant network (historical analogue)

  • Reputation smear

    The sustained operation of building and circulating a false negative narrative about the target (gossip, posts, anonymous tips to institutions, planted articles, social-media campaigns, calls to employers and family) to degrade the target's standing with the specific people and institutions whose opinion of the target matters. The long-game variant builds a poisoned Googleable footprint so that anyone searching the target's name finds the smear first. The short-game variant routes specific information to specific recipients at the moment a decision is being made.

    also known as whisper campaign, character assassination, poison-pill narrative, planted-narrative campaign, DARVO (the inversion variant where the actor casts the target as the actor), flying-monkey campaign (covert-relational register)

Presence

Operations conducted in the target's physical environment. In-person actors, staged scenes, neighborhood-and-street-level pressure.

  • Street theater

    Staged public performances near the target — audible statements, visible objects, color cues, "overheard" conversations — designed to plant specific content in the target's mind under the cover of public-space ambient noise. Each individual instance has a perfectly innocent explanation; the aggregate is the message.

    also known as street theatre, noise campaign, sensitization staging, coordinated coincidence, the bump-into, ambient harassment

  • Vehicle interference

    Manipulation of the target's vehicle (direct sabotage, subtle tampering, tracking-device placement, repair-shop interference) and of the target's broader ability to move (rideshare routed past staged sites, transit connections engineered to fail, travel infrastructure flagging the target at gates). The target's own mobility envelope, the part of their life that depends on getting from A to B, becomes the operating surface. Some events are dangerous on their face. Most are deniable, ambiguous, and cumulative: each one absorbable as bad luck, the pattern unmistakable across enough of them.

    also known as vehicle tampering, mobility interference, transportation interference, automotive sabotage (the dangerous-on-its-face variant), vehicular gangstalking (the popular but low-discipline term)