We get calls for direct "new client" or "subcontracted" cybersecurity consulting about four times a year. We have had some very interesting cases over the years, involving political figures, wealthy individuals, opponents in court cases, co-workers, and plain spite. Often the victim knows the attacker, or the person who paid an attacker, or even the team that was hired to do the work. When the attacker is known, our first question is always: can you make peace with them? The answer is always no, but we have to ask, because it is the shortest way to a resolution.
One time the victim said no and I asked why. He said it was because the very wealthy person who had paid a service to make his life miserable had died and could no longer call off the attack. Another interesting case involved a client who was sure people were getting into her house. She wanted hidden cameras, so we ordered a set and went on-site to install them. The client and our engineer were struggling to open one device to locate the memory card inside. They decided to leave it on the entryway table while they went to get food, and on their return the device was sitting on that same table, disassembled for them. Another client found an attic window removed and left at the bottom of the stairs.
What They Can Do Digitally
So outside of things being moved and physical security, what kind of drama can they really cause digitally? That is a great and entertaining question. I have had clients report that their car was breached and every time it rained the windows would roll down on their own. Another client reported that her GPS kept redirecting her to locations other than her destination. One client could not keep a digital footprint anywhere on the web for more than a day. Every time she started an account at Facebook, Etsy, any email service, a new credit card, even simply browsing the internet, she would be compromised within a single day. We cleaned up computers, tablets, and phones, inserted business-class firewalls, changed antivirus and software packages, but they kept coming. Eventually, playing whack-a-mole long enough either closed enough entry points or the funding ran out.
The Law Firm Email Interception
Attackers can make life difficult in a great number of ways. In one case I was called in by a new client and noticed that the law firm's email server was outdated and insecure. We made the decision to lock down the service, and shortly after doing so realized that someone had been intercepting emails between the law firm and a prominent client with active cases. The attacker had been changing instructions to counsel, comments from the client, even instructions to the court, all in favor of the opposing party. They would intercept an email, make changes, and then deliver it to its original intended recipient.
After the firm's email server was no longer accessible, the attacker bought a domain name almost identical to the law firm's. The difference: in place of LAW it had two V's and read lavv.com, an almost imperceptible deception unless you are looking for it. They were able to keep affecting the firm's client for a time because her free public email account was compromised. For the end client, I added an email filtering service that forwarded to a new mail server with an account I set up; that filtering service was the only host able to contact her server directly. I gave her my laptop, freshly rebuilt. The only thing on it was one paid email account with every i dotted and every t crossed. Her password was 256 characters long, had never been typed on her network, and she did not have a copy of it. All available server security settings were updated and steps taken. Even her home network was freshly locked down and all other network devices removed.
From the time of the first email to a friend, it took under two hours for them to get into her account and then the laptop. They wouldn't even let her have a cell phone. What could they do to a cell phone, you ask? Anything and everything. A modern cell phone is a powerful computer without antivirus or strong security. Sure, it keeps kids out, but not nation-state actors or people with access to that level of software.
I went so far as to buy two burner phones, one for her accountant and one for her, telling her never to use that phone for anything or anyone else. These were flip phones, definitely not smartphones. Each phone had the other's number saved in it and worked flawlessly. When I delivered the phones to the client with instructions, I left for a short time. When I returned, the client told me that she had texted a friend. I dropped my head in disgust, grabbed both phones, and threw them in a trash can. Shortly after, when my business was complete, I left. The client called me from a landline a little later to say that within 20 minutes of the trash can incident, both phones had started calling and texting each other without any action on her part. The attackers had a list of all her associates and had hacked them all. Any contact from her to anyone on her list would immediately alert the bad actor that she had a new open door, and they were determined to close it. That type of isolation would drive most people in today's connected world quite insane. This was one of the sad stories where the attacker won the day. The cases were dropped so she could move on with her life in peace.
What These Cases Teach Us
When nation-state-level hacking can be taught in ordinary US universities with no oversight, when vendors leak tooling from three-letter agencies to hacker communities, and when foreign organizations will do the dirty work for hire, the world is a very digitally insecure place. These stories are ones of targeted persistence, where the goal is not just data theft but psychological and operational exhaustion. There is not always a clear winner.
What options do we have to fight back? We have to move past software alone and into operational security (OpSec) and hardware-rooted trust. In plain English: business-class firewalls, complex passwords, encrypted email servers, and MFA (multi-factor authentication) on every site that offers it, from social media to email and banking. Not MFA by text message, but with a YubiKey or similar hardware authenticator, and specifically its FIDO2/WebAuthn login: a code sent by SMS or generated by an app can be typed into a lookalike site and relayed to the real one, while a WebAuthn credential is bound to the real domain and will not answer a fake one. An attacked person needs to review their entire digital life. Phones become phones only. Text messaging likely goes away as a service you rely on. Every open door is shut: not bricked up so that you lose access too, just closed to everyone who is not you. You need to make sure that you, the real you, are the only person who can sign in.
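Why the hardware key has to be a FIDO2/WebAuthn login, shown in code. The following Python is an added illustration, not code from the original post or from Metro North: it models the three parties in a WebAuthn sign-in (the security key, the browser, and the site's server) and runs a genuine login and two lavv.com-style phishing attempts against them. smithlaw.com and smithlavv.com are constructed stand-ins for the firm and the lookalike, and an HMAC keyed with a per-credential secret stands in for the key's real public-key signature so the example runs with the standard library alone; the checks themselves (credentials scoped to an RP ID inside the key, the browser refusing to let a page use another site's RP ID, and the server verifying challenge, origin and rpIdHash before the signature) are the ones the real protocol makes.

```python
import hashlib
import hmac
import json
import secrets


class Authenticator:
    """Stand-in for a FIDO2 key. Every credential is scoped to the RP ID it was created for."""
    def __init__(self):
        self._creds = {}  # credential_id -> (rp_id, secret)

    def make_credential(self, rp_id):
        cred_id, secret = secrets.token_hex(8), secrets.token_bytes(32)
        self._creds[cred_id] = (rp_id, secret)  # 'secret' stands in for the private key
        return cred_id, secret                  # and is handed to the RP in place of a public key

    def get_assertion(self, rp_id, client_data):
        # The key signs only with a credential that was created for exactly this RP ID.
        for cred_id, (stored_rp, secret) in self._creds.items():
            if stored_rp == rp_id:
                auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01\x00\x00\x00\x00"
                signed = auth_data + hashlib.sha256(client_data).digest()
                return cred_id, auth_data, hmac.new(secret, signed, hashlib.sha256).digest()
        raise LookupError("no credential for RP ID %r on this key" % rp_id)


class Browser:
    """The user agent: a page may only use an RP ID that is its own host or a parent domain."""
    def __init__(self, origin):
        self.origin = origin

    def get(self, key, requested_rp_id, challenge):
        host = self.origin.split("://", 1)[1]
        if host != requested_rp_id and not host.endswith("." + requested_rp_id):
            raise PermissionError("%s may not request RP ID %s" % (self.origin, requested_rp_id))
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                                  "origin": self.origin}, sort_keys=True).encode()
        cred_id, auth_data, sig = key.get_assertion(requested_rp_id, client_data)
        return cred_id, client_data, auth_data, sig


class RelyingParty:
    """The site's server: issues challenges and checks challenge, origin, rpIdHash and signature."""
    def __init__(self, rp_id, origin):
        self.rp_id, self.origin = rp_id, origin
        self._public, self._pending = {}, set()

    def register(self, cred_id, secret):
        self._public[cred_id] = secret

    def new_challenge(self):
        challenge = secrets.token_hex(16)
        self._pending.add(challenge)
        return challenge

    def verify(self, cred_id, client_data, auth_data, sig):
        data = json.loads(client_data)
        if data.get("challenge") not in self._pending:
            return "unknown or replayed challenge"
        if data.get("origin") != self.origin:
            return "origin mismatch: %s" % data.get("origin")
        if auth_data[:32] != hashlib.sha256(self.rp_id.encode()).digest():
            return "rpIdHash mismatch"
        secret = self._public.get(cred_id)
        if secret is None:
            return "unknown credential"
        expected = hmac.new(secret, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return "bad signature"
        self._pending.discard(data["challenge"])  # one challenge, one login
        return "ok"


def login(rp, browser, key, requested_rp_id=None):
    """One login attempt from a browser on some origin; returns the server's verdict."""
    challenge = rp.new_challenge()
    try:
        assertion = browser.get(key, requested_rp_id or rp.rp_id, challenge)
    except (PermissionError, LookupError) as err:
        return "refused client-side: %s" % err
    return rp.verify(*assertion)


def scenario():
    """Genuine login, a relayed phish, and a forged assertion against one constructed RP."""
    key = Authenticator()
    firm = RelyingParty("smithlaw.com", "https://smithlaw.com")
    firm.register(*key.make_credential(firm.rp_id))
    results = {"genuine": login(firm, Browser("https://smithlaw.com"), key)}
    # A lookalike site relays the firm's real challenge to a victim browsing smithlavv.com;
    # the browser will not let that page request the firm's RP ID, so the key never signs.
    results["phish_relay"] = login(firm, Browser("https://smithlavv.com"), key)
    # The lookalike registers its own credential on the key and forwards that assertion:
    # signed, but for the wrong origin and wrong rpIdHash, so the server rejects it.
    key.make_credential("smithlavv.com")
    results["phish_forged"] = login(firm, Browser("https://smithlavv.com"), key, "smithlavv.com")
    return results


if __name__ == "__main__":
    for name, verdict in scenario().items():
        print("%-13s %s" % (name, verdict))
```

The relayed attempt fails before the key ever signs, and the forged one fails on the server's origin check. A six-digit SMS or app code carries no origin at all, which is exactly why a lookalike page can forward it to the real site unchanged.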
A business needs a $1,000 firewall and hardware keys; the average person does not. The average person does need complex, unique passwords, MFA on everything possible, and an understanding of the basics of security. Don't click links in emails you don't expect. Don't click links in text messages from a stranger. Never open attachments in texts or emails that you were not expecting.
For crypto investors, open a new email account and never use it for anything but crypto. Consider a provider such as ProtonMail or CounterMail. Move all your exchange and wallet accounts over to this new, web-only address. Never check crypto or banking from your phone. Ever. Never save passwords on your phone, not in encrypted apps, contacts, notes, or pictures. They are not safe.
With the advent of AI voice cloning, agreeing on "duress codes" with family members is a fantastic idea. An AI calls your family, says you are hurt and need money, and sounds just like you. Your family asks: what's the code word? After arguing that "I forgot" or "we never finalized that" and trying to push forward, the caller simply hangs up and moves on to the next victim. Or the opposite scenario: a husband calls his wife and says "We just won the lottery! Quit your job today." The wife asks: what's the code word? The husband replies: Fluffy! It's freakin' Fluffy! And the wife quickly calls the office to let them know there will be a change in staffing.
There are phones and hardened configurations that stop most exploits. Email can be secured. Solutions can be sized to your level of need, not want. If you are experiencing a suspected breach, call us today at (914) 417-8249.
At Metro North, we take the Bite out of IT.
High-Risk OpSec Checklist: The "Ghost" Protocol
This checklist is designed for individuals facing Targeted Persistence — where the attacker is not a random hacker but a motivated entity with a specific goal and a significant budget. In these scenarios, technology is often the secondary battlefield; the primary battlefield is Operational Security (OpSec).
Phase 1: Physical & Environmental Sanity
If your physical space is compromised, digital security is an illusion.
- Sweep for Physical Access: Change all physical locks to high-security cylinders (e.g., Medeco or Abloy) that resist bumping and picking, and assume every key that was ever copied is in the attacker's hands.
- Tamper-Evident Hardware: Apply tamper-evident seals (holographic or void-pattern tape) across the case screws and ports of your laptops, routers, and desktop PCs. Photograph each seal at high resolution and keep the photos somewhere other than the sealed device; if a seal's pattern or serial changes, treat the device as compromised.
- The "Faraday" Habit: When not in active use, put every mobile device in a Faraday bag. This cuts off all RF (cellular, Wi-Fi, Bluetooth, GPS), so the device can neither be located nor reached remotely while bagged. Test the bag by calling the phone inside it, and remember that anything the device queued while bagged is sent the moment it comes out.
- Secure the Entry Point: If you suspect entry, install standalone, non-networked cameras that record locally (to an SD card, or to a hidden, bolted-down DVR). A camera with no network connection gives an attacker who already owns your network nothing to reach.
Phase 2: Digital Identity & Access
Move from "Strong Passwords" to "Hardware-Rooted Trust."
- Kill the Homograph Risk (lavv.com): Buy two YubiKeys (one is the backup; register both everywhere) and make them your only 2FA method for email, banking, and social media, using FIDO2/WebAuthn (security-key or passkey login) rather than the key's one-time-code mode. A WebAuthn credential is bound to the domain it was registered on, and the browser will not present it to a spoofed domain such as lavv.com, so a phishing page cannot complete a login even if you typed your password into it.
- Eliminate SMS 2FA: Remove your phone number as a recovery and 2FA method on every account, and ask your carrier for a port-out and SIM-change PIN. SIM swapping (talking the carrier into moving your number) and SS7 signalling abuse both let an attacker receive your codes without ever touching your phone.
- DNS Filtering: Use a service like NextDNS or Cloudflare Gateway at the router level, and block outbound DNS to any other resolver so it cannot be bypassed. Explicitly block newly registered domains (less than 30 days old), which is where most spoofed domains live; a lookalike registered months in advance will slip through, so treat the block as a filter, not proof.
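The lavv.com domain from the law firm case, and the two items above, come down to spotting a sender domain that is visually close to a trusted one. The following Python is an added example, not part of Metro North's checklist: it reduces each domain to a "skeleton" by folding confusable sequences (vv to w, rn to m, digits to the letters they imitate, and a short table of Cyrillic and Greek look-alikes, with punycode labels decoded first), then compares the skeleton to an allowlist of trusted domains, falling back to an edit-distance check for one-character typos. smithlaw.com and the sample sender list are constructed for the example, and the confusable table is deliberately short; the Unicode Consortium's confusables data is the production source.

```python
import unicodedata

# Multi-character and single-character sequences an attacker can register in a
# plain ASCII domain that read as something else. Longer sequences go first so
# "vv" becomes "w" before any single-character rule runs.
ASCII_CONFUSABLES = [
    ("vv", "w"), ("rn", "m"), ("cl", "d"), ("0", "o"), ("1", "l"),
    ("3", "e"), ("5", "s"), ("7", "t"),
]
# A short table of Cyrillic and Greek look-alikes used in IDN homograph domains.
# Deliberately incomplete: the Unicode confusables data file is the full source.
UNICODE_CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0455": "s", "\u0458": "j",
    "\u04cf": "l", "\u03bf": "o", "\u0261": "g",
}


def skeleton(domain):
    """Reduce a domain to a skeleton so that visually similar domains compare equal."""
    labels = []
    for label in domain.lower().rstrip(".").split("."):
        if label.startswith("xn--"):  # punycode: decode so we compare glyphs, not codes
            try:
                label = label.encode("ascii").decode("idna")
            except ValueError:
                pass  # an undecodable label stays as-is and simply will not match
        labels.append(label)
    text = unicodedata.normalize("NFKC", ".".join(labels))
    text = "".join(UNICODE_CONFUSABLES.get(ch, ch) for ch in text)
    for seq, replacement in ASCII_CONFUSABLES:
        text = text.replace(seq, replacement)
    return text


def edit_distance(a, b):
    """Levenshtein distance, for catching one-character typos the skeleton misses."""
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        current = [i]
        for j, cb in enumerate(b, 1):
            current.append(min(previous[j] + 1, current[j - 1] + 1, previous[j - 1] + (ca != cb)))
        previous = current
    return previous[-1]


def classify_sender(address, trusted_domains, max_distance=1):
    """Return (verdict, trusted_domain): verdict is 'trusted', 'lookalike' or 'unrelated'."""
    domain = address.rsplit("@", 1)[-1].lower().rstrip(".")
    trusted = {t.lower(): t for t in trusted_domains}
    if domain in trusted:
        return "trusted", trusted[domain]
    by_skeleton = {skeleton(t): t for t in trusted_domains}
    sk = skeleton(domain)
    if sk in by_skeleton:
        return "lookalike", by_skeleton[sk]
    for trusted_sk, original in by_skeleton.items():
        # Threshold 1 is noisy for very short names (law.com vs lax.com): review, don't auto-block.
        if edit_distance(sk, trusted_sk) <= max_distance:
            return "lookalike", original
    return "unrelated", None


# Constructed data: the firm's real domain and a mix of genuine and suspicious senders.
TRUSTED = ["smithlaw.com"]
SAMPLE_SENDERS = [
    "partner@smithlaw.com",        # genuine
    "partner@smithlavv.com",       # the lavv trick: two v's for a w
    "partner@srnithlaw.com",       # rn for m
    "partner@sm1thlaw.com",        # digit 1 for i, caught by the edit-distance fallback
    "partner@\u0455mithlaw.com",   # Cyrillic dze (U+0455) for s
    "friend@gmail.com",            # unrelated
]


def triage(senders=SAMPLE_SENDERS, trusted=TRUSTED):
    """Classify every sender; a gateway rule would quarantine anything marked 'lookalike'."""
    return [(s,) + classify_sender(s, trusted) for s in senders]


if __name__ == "__main__":
    for address, verdict, match in triage():
        print("%-10s %-28s %s" % (verdict, address, match or ""))
```

Run as a mail-gateway or client rule, a triage like this flags the firm's lookalike the first time it appears, which is the "looking for it" the lavv.com trick relies on nobody doing. Apply the edit-distance fallback to the registrable name and review its hits by hand rather than blocking on them.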
Phase 3: Communication & The Social Graph
This is where the burner phone client failed. You must break the link between your new devices and your old contacts.
- Enable Lockdown Mode: If using an iPhone, turn on Lockdown Mode. It blocks most message attachment types and link previews, disables just-in-time JavaScript compilation in Safari, and refuses calls and invitations from people you have never contacted, which removes the attack surface most zero-click exploit chains have relied on.
- Out-of-Band Authentication: Never act on an email or text instruction regarding money, legal matters, or passwords. Establish a code word with your inner circle (lawyer, accountant, spouse) that must be spoken in person, or on a call you place to a number you already had, never on a call that comes in, before any action is taken.
- The Burner Rule: If you use a burner phone, it must be bought with cash. It must never connect to your home Wi-Fi. It must never contact anyone on your old contact list, by SMS or by voice. If it is a smartphone, use it only for Signal or encrypted voice to other clean devices; if it is a flip phone, it exists for the one or two clean numbers it was bought for and nothing else.
Phase 4: Network & Hardware Hygiene
- Egress Filtering (The Allowlist Strategy): Configure your firewall to drop all outgoing traffic by default and log every new connection it sees. Allow only the specific destinations your computer needs (e.g., your law firm's mail server on its mail ports, your DNS filter's resolver, the operating system's update service). This stops malware from calling home to its command-and-control server, and the log shows you when something on the machine is trying to.
- Dedicated Work Machine: Use a clean laptop, ideally running Tails (which forgets everything at shutdown and routes through Tor) or Qubes OS (which isolates each task in its own VM), used only for the sensitive matter at hand. Never check personal Facebook, Etsy, or news on this machine.
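To see what the egress allowlist in Phase 4 is actually catching, the following Python is an added example, not part of the checklist: it reads kernel log lines of the kind a netfilter log rule writes for each new outbound connection on the dedicated machine, reports every destination and port the allowlist does not cover, and then looks for the steady-interval repeats that mark malware calling home. The IP addresses, the allowlist, and the log lines are constructed for the example, and the nftables rule named in the comment (`ct state new log prefix "EGRESS " counter` in the output chain) is the assumed source of the lines.

```python
import re
from collections import Counter, defaultdict

# What the dedicated laptop may reach, as (destination IP, protocol, port). Constructed.
ALLOWLIST = {
    ("203.0.113.10", "TCP", 993),  # the firm's mail server, IMAPS
    ("203.0.113.10", "TCP", 587),  # the firm's mail server, SMTP submission
    ("192.0.2.53", "UDP", 53),     # the DNS filter's resolver; no other port 53 traffic
    ("192.0.2.53", "TCP", 853),    # DNS over TLS to the same resolver
}

# Constructed kernel log lines in the netfilter log format, as an nftables rule such as
#   ct state new log prefix "EGRESS " counter
# in the output chain would write before the default-drop policy applies.
SAMPLE_LOG = """\
Mar  3 09:12:01 worklaptop kernel: EGRESS IN= OUT=wlan0 SRC=10.0.0.5 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=51234 DPT=993 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 09:12:01 worklaptop kernel: EGRESS IN= OUT=wlan0 SRC=10.0.0.5 DST=192.0.2.53 LEN=73 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=UDP SPT=40001 DPT=53 LEN=53
Mar  3 09:12:03 worklaptop kernel: EGRESS IN= OUT=wlan0 SRC=10.0.0.5 DST=8.8.8.8 LEN=73 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=UDP SPT=40002 DPT=53 LEN=53
Mar  3 09:12:05 worklaptop kernel: EGRESS IN= OUT=wlan0 SRC=10.0.0.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=TCP SPT=51240 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 09:12:35 worklaptop kernel: EGRESS IN= OUT=wlan0 SRC=10.0.0.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5 DF PROTO=TCP SPT=51241 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 09:13:05 worklaptop kernel: EGRESS IN= OUT=wlan0 SRC=10.0.0.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=6 DF PROTO=TCP SPT=51242 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 09:13:10 worklaptop kernel: EGRESS IN= OUT=wlan0 SRC=10.0.0.5 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=7 DF PROTO=TCP SPT=51243 DPT=587 WINDOW=64240 RES=0x00 SYN URGP=0
"""

LINE_RE = re.compile(
    r"^\w{3} +\d+ (?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d) .*?EGRESS .*?\bDST=(?P<dst>[\d.]+) "
    r".*?\bPROTO=(?P<proto>\w+) .*?\bDPT=(?P<dport>\d+)"
)


def parse(log_text):
    """Yield (seconds_of_day, dst, proto, dport) for each EGRESS line; skip anything else."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            seconds = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
            yield seconds, m["dst"], m["proto"], int(m["dport"])


def audit(log_text, allowlist=ALLOWLIST):
    """Count connection attempts per (dst, proto, dport) that the allowlist does not cover."""
    return Counter((dst, proto, dport) for _, dst, proto, dport in parse(log_text)
                   if (dst, proto, dport) not in allowlist)


def periodic(log_text, allowlist=ALLOWLIST, tolerance=2):
    """Among the disallowed destinations, find ones hit at a steady interval: the beacon pattern."""
    stamps = defaultdict(list)
    for seconds, dst, proto, dport in parse(log_text):
        if (dst, proto, dport) not in allowlist:
            stamps[(dst, proto, dport)].append(seconds)
    found = {}
    for key, times in stamps.items():
        gaps = [b - a for a, b in zip(times, times[1:])]
        if len(gaps) >= 2 and max(gaps) - min(gaps) <= tolerance:
            found[key] = round(sum(gaps) / len(gaps))
    return found


if __name__ == "__main__":
    for (dst, proto, dport), n in audit(SAMPLE_LOG).most_common():
        print("%-16s %s/%-5d %d attempt(s)" % (dst, proto, dport, n))
    for (dst, proto, dport), gap in periodic(SAMPLE_LOG).items():
        print("beacon: %s %s/%d every ~%ds" % (dst, proto, dport, gap))
```

On the sample, the single lookup to 8.8.8.8 is a program trying to bypass the DNS filter, and the three connections to 198.51.100.7 thirty seconds apart are the calling-home pattern the default-drop policy exists to stop; both would be silently blocked, and the log is what turns "blocked" into "noticed".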
