DBHunter
Infinity Member
Golden Member
- Joined
- August 23, 2025
- Messages
- 2,215
- Reaction score
- 4,599
- Points
- 113
- Thread Author
- #1
COMPLIANCE BUILT BETTER™
Three weeks ago we published a preview of the MyComplianceOffice (MCO) breach. We gave the opportunity to resolve this quietly. They made the wrong choice, thus obligating us to post the data in its entirety.
This post is addressed in particular to the regulated financial services firms whose communications were archived by MCO and are now in our possession. Read carefully. Your legal counsel will need to see this.
WHAT WE ARE RELEASING TODAY
This release contains the complete exfiltrated data if approximately 165gb (82gb compressed) across two AWS accounts:
The full directory structure with individual file paths is at the bottom of this post.
THE TRADING FIRM DATA -- IN DETAIL
GUNVOR GROUP
Geneva-headquartered independent commodity trading firm. Annual revenue approximately $100 billion.
What we have: 19,317 emails from 260 unique Gunvor employee senders to 932 recipients. Date range August 9 to September 6, 2018 : 29 days of complete email surveillance. The complete organisational chart of Gunvor’s US and global operations: crude, gasoil, gasoline, light products, bitumen, biodiesel, shipping, freight, operations, accounts payable, middle office, risk, compliance. Functional mailboxes: crudetraders@gunvorgroup.com, crudeops@gunvorgroup.com, gasoil@gunvorgroup.com, shipping@gunvorgroup.com, compliance@gunvorgroup.com.
The OFAC exposure:
Pierre-Edouard Lassau (pierreedouard.lassau@gunvorgroup.com, Geneva, office +41 22 718 7933, mobile +41 79 648 2635) broadcast to all Gunvor crude traders on August 21, 2018:
Kharg Island -- yes, the one in the news on a daily basis as of late March, 2026 due to the US/Iran war and blocking of the Strait of Hormuz -- is Iran’s primary crude export terminal. UNIPEC is Sinopec’s trading subsidiary. This is a 270,000 metric tonne Iranian crude cargo, documented in a US compliance archive, three months before Executive Order 13846 reimposed Iran crude sanctions on November 4, 2018. The same thread includes: “Iranian impact starting to kick in more.” The traders knew what they were doing. OFAC violation? Maybe, maybe not, but definitely proof of dangerously skirting the edges of one.
Jose Orti (jose.orti@gunvorgroup.com) forwarded internally on September 4, 2018 a Venezuela crude tender from venz.tender@rosneft-trading.ch -- Rosneft Trading SA, which was placed on the OFAC SDN list in February 2020 for facilitating exactly these PDVSA oil sales.
Additional intelligence exposed: Gunvor’s daily P&L reports
All 19,317 emails are in the release package. Gunvor’s General Counsel and Chief Compliance Officer should retrieve their copy. OFAC self-disclosure obligations may apply.
PETROCHINA USA
US subsidiary of PetroChina Company Limited (CNPC), a Chinese state-owned enterprise. Parent revenue approximately $400 billion.
What we have: 13,378 emails, same August 2018 window. 136 unique senders across petrochina-usa.com, petrochina-br.com (Brazil), and petrochina.com.cn (Beijing headquarters). Complete exposure of trading desks — HoustonCrudeTraders@, TradingProducts@, CrudeOps@, PCIACleanOps@, PCIACrudeOps@ — plus risk, legal, treasury, and margin call operations.
Named employees with emails and role context: Brian Kelly (brian.kelly@petrochina-usa.com), Wang Ning (wang.ning@petrochina-usa.com), Zhang Yu (zhang.yu@petrochina-usa.com), Eric McGuire (eric.mcguire@petrochina-usa.com), Satya Paravastu (satya.paravastu@petrochina-usa.com), Kiansan Ong (kiansan.ong@petrochina-usa.com), Justin Amoah (justin.amoah@petrochina-usa.com), and 129 others.
The OFAC exposure:
Eunice Vega (eunice.vega@petrochina-usa.com) wrote to PetroChina Brazil and Wang Qing:
PCIA (PetroChina International America) severed direct PDVSA contact while maintaining a Venezuela-based employee to handle it. The cargo in question: vessel ISOLA BLU, port JOSE, PLC, Venezuela — $116,850 demurrage dispute. The routing is: PetroChina Brazil → PetroChina USA → Venezuela office → PDVSA, with the US entity in the middle.
Brian Kelly forwarded to William Sudhaus (wsudhaus@corepetrol.com) at Core Petroleum LLC:
Subject: CLIPPER: IRAN’S TANKER FLEET LOADINGS SLIP AHEAD OF SANCTIONS
Sudhaus replied:
PetroChina is a Chinese state-owned enterprise. Its US commodity trading communications, archived by a US compliance vendor, exfiltrated by us, represent a specific CFIUS and OFAC disclosure consideration that we leave to their counsel to assess.
Additional intelligence: Lake Charles LNG Confidentiality Agreement circulating for signatures in August 2018. CFTC combined Crude & Products Position Limits reports showing how close PCIA/PCIC positions were to speculative limits. Oriente crude deal recap with counterparties ENAP and Core Petroleum LLC, STS transfer pricing options at Mejillones port, Chile.
HARTREE PARTNERS
Global commodity trading and investment firm. Annual revenue approximately $30 billion.
What we have: 3.88 gigabytes of pre-parsed Bloomberg Instant Bloomberg (IB) chat data from FirmNumber 836177, dated January 25, 2024. 51,248 lines of JSONL. In the first 10,000 lines alone: 4,507 unique senders and 4,503 unique recipients. The date range is 24 hours: January 24–25, 2024.
Named Hartree traders confirmed in the data:
Kristi Jones — kjones@hartreepartners.com, kjones415@Bloomberg.net, Bloomberg UUID 31192526
Jay Shah — jshah@hartreepartners.com, jshah457@Bloomberg.net, Bloomberg UUID 23823166
Sample messages from the archive:
This is Hartree’s complete Bloomberg IB conversation history for that period.
TOTSA / TOTALENERGIES TRADING SA et al
TotalEnergies’ commodity trading subsidiary, Geneva.
What we have: 329 megabytes of Bloomberg IB chat logs, January 13 to July 20, 2019 — 104,254 messages from 934 participants. Additionally: a 50-megabyte Reuters Eikon compliance monitoring export (ComplianceSetup ID 169799 “Totsa Total Oil Trading (EXT FD)”), dated December 11–12, 2018, containing 1,443 counterparty contacts from Totsa’s complete Reuters Eikon trading network.
Additional counterparties confirmed in the archive: Goldman Sachs, Shell IT&S (Kofi Ofori-Quaah, Oliver Morning, Sarah Lamy, Tarek Al Hassan), BP Europe (Daniel Wise), Cargill (Desmond Yeo, Brandon Schlake), PIMCO (Lewis Hagedorn), EDF Trading (Stefan Schlueter), DRW Holdings (Mike Dixon), OMV (Robert Pejkovic), Vattenfall (Philipp Cueppers), RWE Supply & Trading (Chris Page), ENI Trading & Shipping (Saad Rahal), Mitsui Bussan Commodities (Liam Henry), Louis Dreyfus Company Brasil (Marcos Porto).
From the IB chats:
Goldman Sachs’ Roy Golender, in communication with a TOTSA counterparty on a transaction:
Morgan Stanley’s Lionel Haroche, on a pending client order:
Maximo Whitelaw (TOTSA) in direct communication with Luis Arias at Banco de Mexico, discussing the “K factor” -- Mexico’s sovereign crude oil pricing formula for Pemex exports. VTB Bank’s presence in Totsa’s active counterparty directory creates ongoing OFAC compliance obligations for TotalEnergies that exist regardless of what MCO does or does not disclose.
NEXTERA ENERGY / FLORIDA POWER & LIGHT
NextEra Energy is the largest US electric utility. Florida Power & Light (FPL) is its primary subsidiary.
What we have: Complete ICE Chat archive from the NextEra power trading desk, July 13, 2023. We extracted the full user manifest from the ICE Chat XML — 253 NextEra/FPL/NEE employees with ICE Chat access, with name, email, and platform handle for each.
Additionally: 3,451 Skype for Business EML conversation files from 28 named FPL employees, September–November 2018, archived from goxsa4191.fplu.fpl.com (FPL’s Lync archiving appliance).
Named FPL employees in the Skype archive: Ana Lozada, Shawn Singleton, Barry Tycholiz, Jakeob Kennedy, Paul Zhang, Jeffrey Dunn, Joseph Dwyer, Joshua Rosenthal, Katherine Hoffmaster, Kathleen Fraga, Lystra Loutan, Matthew Small, Mirielys Nieto, Myra Kemp, Oriana Eysaman, Paul Jones, Shirley Steff, Timothy Gerrish, W. Miller, Yujie Wu, and others.
The FERC market manipulation evidence [CRITICAL]:
From the ICE Chat archive, July 13, 2023. External counterparty Evan Westering to NextEra’s Sharon Sebastian (sharon.sebastian@nexteraenergy.com) at 13:25:53:
Fifty-six seconds later, at 13:26:49:
Day-Ahead Spinning Reserve (DA SR) sold to collect capacity premiums. Purchased back in Real-Time (RT) to avoid dispatch obligations. The trader’s own words: “not have any obligation to respond to a signal.” FERC fined JP Morgan Ventures $410 million and Barclays $453 million for structurally identical virtual/physical gaming. The conduct is documented. The timestamp is documented. The individuals are identified. These few lines alone are enough to make these traders, and their orgs, regret the day they ever chose MCO as their compliance partner.
The wash trading [CRITICAL]:
Houda Sahyoun (Houda.Sahyoun@nee.com) to Justin Tyo (justin.tyo@nee.com) at 17:33:52 the same day:
Tyo:
Trades executed through a colleague’s account with P&L splitting. Both individuals are identified by name and email.
The M&A leak:
Iryna Maslennikova (Iryna.Maslennikova@nexteraenergy.com) to Fernando Bangs (Fernando.Bangs@nee.com) at 14:54:30:
“Myers” is Mark Myers (mark.e.myers@nee.com), confirmed in the user manifest.
Additional findings from the ICE Chat archive:
J. Lee (external) to Haddon Mindnich (Haddon.mindnich@nee.com) at 12:59:52:
NextEra to EQT, re August pricing:
NextEra to Wincoram, re Calyx assets:
NextEra on production issues shared with a pipeline counterparty before public posting:
MOTIVA ENTERPRISES
Shell/Saudi Aramco 50/50 joint venture. Operators of Port Arthur Refinery (636,000 bpd — the largest refinery in North America), Deer Park (340,000 bpd), and Puget Sound (149,000 bpd).
What we have: Microsoft eDiscovery export of 13,284 Teams messages for 11 named employees, exported December 17, 2022:
Alberto Cantafio, Alexandra Frenzel, Chuck Haynes, David Guarino, James Martin, John Masek, Joon Bae, Joseph Leblanc, Kurt Brower, Anneliese Taylor, Basel Kombargi — all @Motiva.com.
The complete export is in the release package. Alberto Cantafio alone has over 1,200 messages in his Teams export.
The tax entity fraud:
Tony Miller:
Tanzania Lockhart:
Murtuza Husain:
Aramco Trading Americas (ATA) trades systematically booked under Motiva because ATA lacked proper tax registrations. A compliance and tax fraud risk documented in Teams messages, archived by MCO.
The untracked loss:
David Herel:
Joseph LeBlanc:
The position exposure:
Neil Mendelow’s daily flat price reports — North America’s largest refinery’s exact trading book, line by line:
Every position, every day of the compliance window, is in the release.
ADDITIONAL CLIENTS
Mercuria Energy Ltd — Bloomberg terminal message archive for Soon Nean Chik (SCHIK3@Bloomberg.net, schik@mercuria.com, Bloomberg UUID 23348494), December 2022. 3,081 news alert messages confirming Mercuria’s crude market intelligence subscriptions and named trader identity.
PBF Holdings [CRITICAL] — ICE Chat archive, March 27, 2020. COVID market crash period. Content includes: employees discussing buying PBF stock (NYSE: PBF) based on internal survival strategy and debt offerings — “How do I personally capitalise on that” / “Buy Canadian Crude stocks... shares... Warrants” — Force Majeure invoked as a retaliatory tactic against Valero — “we can FM them” — anti-Semitic and racist comments on a monitored compliance platform — “so Jew-ish.....” and “fucking asian peeps did it.” All archived. All in the release.
Boston Energy Marketing — ICE Chat archive, November 1, 2019. Named employees: Andy Stahl (Andy.Stahl@betm.com), Shanshan Zhou (shanshan.zhou@betm.com), Brian Sinclair (brian.sinclair@betm.com), Christopher McDowall (christopher.mcdowall@betm.com), David Moore (David.Moore@BETM.com).
Liberty Mutual, William Blair, Acadian — These firms are not in the communications archive. They are MCO’s compliance platform clients, and what we found concerning them is documented in the product failures section below.
THE PRODUCT THAT DOESN’T WORK
We found 41 internal MCO engineering sprint recordings. The engineers in these recordings are identified by name: Jason Rowsey (Product Manager), Vlad Boiko (Lead Engineer), Ken Cruz (Senior Engineer), Slava (Teams/voice pipeline), Vadim (memory optimisation), Mikhail (Teams media pipeline).
The Zoom recording blind spot:
In a recorded Zoom meeting, a developer describes what they discovered when delivering the product to ExxonMobil:
Every MCO client that has joined a Zoom call hosted by an external party had that call go unarchived. CFTC Regulation 1.31 and SEC Rule 17a-4 require complete capture of electronic communications. MCO knew. The clients did not. The recording is in the release package.
The pending rules failures:
Developers troubleshoot live in production at Liberty Mutual and William Blair:
Compliance review rules stuck in “pending” execution since 2021 at Liberty Mutual, since 2023 at William Blair and Acadian. Trades that should have been flagged for compliance review were not. The firms may not know. The regulators do not know. We do.
The Fairwords engineer’s personal conduct:
A separate recording captures Vlad Boiko (v.polosatov@honcho.works), a Fairwords engineer with ITSuperUser access to the production compliance platform, discussing personal asset restructuring to avoid Ukrainian military mobilisation laws:
Also: vehicle registration fraud across county lines to reduce taxes. A compliance vendor’s production engineer, captured on the compliance vendor’s own recording infrastructure, discussing his personal legal evasions.
THE ICE CHAT COMPLIANCE BYPASS
We found source code pasted into an ICE Chat session — the compliance monitoring channel — by a user identified as “smener”:
Code:
Hardcoded UserID exclusions — specific accounts deliberately blinded from compliance monitoring. Which accounts? What were they trading? The source code does not say. But someone decided those three accounts should not be visible to the compliance system. They did it by modifying the C++ source and they used the compliance monitoring channel to share the code.
Additionally:
Code:
Proprietary risk management source code -- the mechanism for processing risk limits and tracking positions -- shared on an ICE Chat monitored compliance channel.
THE MCO PRODUCTION CREDENTIALS
From honcho-prod-us-west-2-config/config.yaml.
Code:
CLEARTEXT PASSWORDS, CRITICAL DATABASES
AppUser.bson. 164 accounts on MCO’s Honcho compliance surveillance platform. 159 of them with passwords in plaintext. In a production MongoDB database.
The accounts monitoring your traders could not hash their own passwords.
Domain breakdown: traden.onmicrosoft.com (55 accounts), honcho.works (25), getwhistler.io (19), pensivesecurity.io (11), fairwords.com (11), and others across gmail.com, fairwords.co, aimprosoft.com, petrosolutions-usa.com, intspirit.com, computerlaw.com.
Passwords in plaintext: cl!ck123 (Jessica Dunn, Sarah Mener, others), Click123 (Matt Stege, Jessica Neuman, Esther Hong, Jessica Jones, others), AutomatedPasswordSet#2017 (Emily Wing [ITSuperUser], Jack Wilcox [Supervisor], Walead Johnson, Samantha Van Horn, Louisa DiAngelo, Ada Lovelace, Nedim Sahovic, Alex Petrovna, Carson Toll, Norris Schutt, and dozens more across @getwhistler.io, @honcho.works, @pensivesecurity.io).
17 accounts were confirmed to still exist at both Microsoft 365 tenants after the breach. The passwords have since been changed. jrusso@computerlaw.com was locked — presumably after suspicious activity. The data remains in our possession regardless.
TO THE REGULATED FIRMS
Your communications were archived by MCO because the law required you to retain them with a qualified vendor. MCO was not a qualified vendor in any meaningful sense of the word. You were not told that. You should have been.
We suggest you begin building your case against MCO starting NOW.
On regulatory exposure:
Gunvor Group -- The Kharg Island Iran crude cargo, the Rosneft Trading Venezuela tender, and related communications require OFAC analysis. Their existence in a US compliance archive creates independent self-disclosure considerations. Retrieve your file and engage OFAC counsel before your regulator does it for you.
PetroChina USA -- The PDVSA contact admission, the Iran tanker intelligence forwarded to Core Petroleum, and the Venezuela fuel oil shipment documentation are now public. CFIUS, OFAC, and CFTC all have potential jurisdiction. Your parent’s communications with the US subsidiary are also in the archive.
NextEra Energy / Florida Power & Light -- The DA/RT virtual gaming conduct and the wash trading exchange are documented with exact timestamps, named individuals, and verbatim quotes. FERC has fined $410M and $453M for structurally identical conduct. The voluntary disclosure framework exists; your counsel knows it.
Motiva Enterprises -- The ATA-under-Motiva tax registration workaround is now a matter of public record. Shell and Saudi Aramco each have independent compliance obligations with respect to this.
Liberty Mutual, William Blair, Acadian -- Your compliance rules have been stuck in “pending” execution since 2021 and 2023 respectively. Trades that should have been reviewed, were not. Your regulators do not know this. MCO has not told you. You are now informed.
On your legal case against MCO, you have strong grounds on several possible theories.
Breach of contract: cleartext password storage, credentials in a single unprotected YAML, and a Zoom recording architecture that silently failed to capture externally-hosted meetings are almost certainly express or implied contract breaches, as are the pending rules failures.
Negligence: unpatched servers, one ECS task role credential giving access to everything, with no network segmentation or IP-whitelisting, falls well below the standard of care for a company entrusted with regulated financial communications.
Product liability: Liberty Mutual and William Blair in particular have a clean warranty claim that the compliance product they paid for simply did not work -- a claim that predates and is entirely independent of the breach itself.
MCO’s contracts likely contain limitation of liability caps. However, a persuasive argument exists that the combination of gross negligence, active concealment of product failures, and the resulting regulatory exposure to multiple clients constitutes the kind of conduct courts have been willing to pierce those caps for.
TO MCO
You built a product premised on trust. Financial services firms gave you their traders’ most sensitive communications -- not because they wanted to, but because the law required them to retain those records with a qualified vendor. They chose you.
You stored those records with cleartext passwords in a production database. You deployed a Zoom recording architecture that silently failed to capture external-hosted meetings for clients including ExxonMobil and ConocoPhillips. You let compliance rules run stuck in “pending” for years at Liberty Mutual and William Blair without telling them.
And then you let all of it walk out the door.
You can only keep your head buried in the sand for so long before the regulatory and class action wolves move in for the kill. They are now approaching.
COMPLETE FILE INVENTORY / DATA MAP
The structure below maps directly to the AWS S3 bucket layout you will find in the tar.gz archive.
Code:
HIGHEST-VALUE FILES — START HERE:
Code:
Highlights package (~4 GB uncompressed / ~1 GB compressed -- curated selection of the highest-value raw data):
Code:
Three weeks ago we published a preview of the MyComplianceOffice (MCO) breach. We gave the opportunity to resolve this quietly. They made the wrong choice, thus obligating us to post the data in its entirety.
This post is addressed in particular to the regulated financial services firms whose communications were archived by MCO and are now in our possession. Read carefully. Your legal counsel will need to see this.
WHAT WE ARE RELEASING TODAY
This release contains the complete exfiltrated data if approximately 165gb (82gb compressed) across two AWS accounts:
- 5.7 GB live MongoDB database dumps (85,131 communication records, 374,545 audit entries, 159 cleartext passwords)
- Gunvor Group - 19,317 emails
- PetroChina USA - 13,378 emails
- Hartree Partners - 3.7 GB Bloomberg IB trader chats, January 2024
- Totsa/TotalEnergies - 329 MB Bloomberg IB chats + Reuters Eikon counterparty directory (1,443 contacts)
- NextEra Energy / Florida Power & Light - ICE Chat archive + 3,451 Skype EML files
- Motiva Enterprises (Shell/Saudi Aramco JV) - 13,284 Teams messages, December 2022
- PBF Holdings - ICE Chat archive, March 2020
- Boston Energy Marketing - ICE Chat archive
- ~395,200 email archive files from staging ETL (~20 GB)
- 476 meeting recordings (Teams + Zoom) with 341 speaker-attributed transcriptions
- 709 T-Mobile commodity trader SMS texts
- 93 source code builds of the Honcho compliance platform (~1.5 GB)
- Complete production credentials (MongoDB Atlas, MySQL, Kafka, Redis, JWT, EPM PKI, ML model keys)
- NextEra Energy-specific ML compliance model (2yr training data)
The full directory structure with individual file paths is at the bottom of this post.
THE TRADING FIRM DATA -- IN DETAIL
GUNVOR GROUP
Geneva-headquartered independent commodity trading firm. Annual revenue approximately $100 billion.
What we have: 19,317 emails from 260 unique Gunvor employee senders to 932 recipients. Date range August 9 to September 6, 2018 : 29 days of complete email surveillance. The complete organisational chart of Gunvor’s US and global operations: crude, gasoil, gasoline, light products, bitumen, biodiesel, shipping, freight, operations, accounts payable, middle office, risk, compliance. Functional mailboxes: crudetraders@gunvorgroup.com, crudeops@gunvorgroup.com, gasoil@gunvorgroup.com, shipping@gunvorgroup.com, compliance@gunvorgroup.com.
The OFAC exposure:
Pierre-Edouard Lassau (pierreedouard.lassau@gunvorgroup.com, Geneva, office +41 22 718 7933, mobile +41 79 648 2635) broadcast to all Gunvor crude traders on August 21, 2018:
Kharg Island -- yes, the one in the news on a daily basis as of late March, 2026 due to the US/Iran war and blocking of the Strait of Hormuz -- is Iran’s primary crude export terminal. UNIPEC is Sinopec’s trading subsidiary. This is a 270,000 metric tonne Iranian crude cargo, documented in a US compliance archive, three months before Executive Order 13846 reimposed Iran crude sanctions on November 4, 2018. The same thread includes: “Iranian impact starting to kick in more.” The traders knew what they were doing. OFAC violation? Maybe, maybe not, but definitely proof of dangerously skirting the edges of one.
Jose Orti (jose.orti@gunvorgroup.com) forwarded internally on September 4, 2018 a Venezuela crude tender from venz.tender@rosneft-trading.ch -- Rosneft Trading SA, which was placed on the OFAC SDN list in February 2020 for facilitating exactly these PDVSA oil sales.
Additional intelligence exposed: Gunvor’s daily P&L reports
— and pipeline space deal terms with Jump Trading Futures LLC (“buy/sells for physical bbls at different locations”), Libya market intelligence (“Stormy ambiance in Libya... Oil fields-pipelines-Terminals are untouched”), and Trafigura counterparty pricing intelligence.
All 19,317 emails are in the release package. Gunvor’s General Counsel and Chief Compliance Officer should retrieve their copy. OFAC self-disclosure obligations may apply.
PETROCHINA USA
US subsidiary of PetroChina Company Limited (CNPC), a Chinese state-owned enterprise. Parent revenue approximately $400 billion.
What we have: 13,378 emails, same August 2018 window. 136 unique senders across petrochina-usa.com, petrochina-br.com (Brazil), and petrochina.com.cn (Beijing headquarters). Complete exposure of trading desks — HoustonCrudeTraders@, TradingProducts@, CrudeOps@, PCIACleanOps@, PCIACrudeOps@ — plus risk, legal, treasury, and margin call operations.
Named employees with emails and role context: Brian Kelly (brian.kelly@petrochina-usa.com), Wang Ning (wang.ning@petrochina-usa.com), Zhang Yu (zhang.yu@petrochina-usa.com), Eric McGuire (eric.mcguire@petrochina-usa.com), Satya Paravastu (satya.paravastu@petrochina-usa.com), Kiansan Ong (kiansan.ong@petrochina-usa.com), Justin Amoah (justin.amoah@petrochina-usa.com), and 129 others.
The OFAC exposure:
Eunice Vega (eunice.vega@petrochina-usa.com) wrote to PetroChina Brazil and Wang Qing:
PCIA (PetroChina International America) severed direct PDVSA contact while maintaining a Venezuela-based employee to handle it. The cargo in question: vessel ISOLA BLU, port JOSE, PLC, Venezuela — $116,850 demurrage dispute. The routing is: PetroChina Brazil → PetroChina USA → Venezuela office → PDVSA, with the US entity in the middle.
Brian Kelly forwarded to William Sudhaus (wsudhaus@corepetrol.com) at Core Petroleum LLC:
Subject: CLIPPER: IRAN’S TANKER FLEET LOADINGS SLIP AHEAD OF SANCTIONS
Sudhaus replied:
PetroChina is a Chinese state-owned enterprise. Its US commodity trading communications, archived by a US compliance vendor, exfiltrated by us, represent a specific CFIUS and OFAC disclosure consideration that we leave to their counsel to assess.
Additional intelligence: Lake Charles LNG Confidentiality Agreement circulating for signatures in August 2018. CFTC combined Crude & Products Position Limits reports showing how close PCIA/PCIC positions were to speculative limits. Oriente crude deal recap with counterparties ENAP and Core Petroleum LLC, STS transfer pricing options at Mejillones port, Chile.
HARTREE PARTNERS
Global commodity trading and investment firm. Annual revenue approximately $30 billion.
What we have: 3.88 gigabytes of pre-parsed Bloomberg Instant Bloomberg (IB) chat data from FirmNumber 836177, dated January 25, 2024. 51,248 lines of JSONL. In the first 10,000 lines alone: 4,507 unique senders and 4,503 unique recipients. The date range is 24 hours: January 24–25, 2024.
Named Hartree traders confirmed in the data:
Kristi Jones — kjones@hartreepartners.com, kjones415@Bloomberg.net, Bloomberg UUID 31192526
Jay Shah — jshah@hartreepartners.com, jshah457@Bloomberg.net, Bloomberg UUID 23823166
Sample messages from the archive:
This is Hartree’s complete Bloomberg IB conversation history for that period.
TOTSA / TOTALENERGIES TRADING SA et al
TotalEnergies’ commodity trading subsidiary, Geneva.
What we have: 329 megabytes of Bloomberg IB chat logs, January 13 to July 20, 2019 — 104,254 messages from 934 participants. Additionally: a 50-megabyte Reuters Eikon compliance monitoring export (ComplianceSetup ID 169799 “Totsa Total Oil Trading (EXT FD)”), dated December 11–12, 2018, containing 1,443 counterparty contacts from Totsa’s complete Reuters Eikon trading network.
Additional counterparties confirmed in the archive: Goldman Sachs, Shell IT&S (Kofi Ofori-Quaah, Oliver Morning, Sarah Lamy, Tarek Al Hassan), BP Europe (Daniel Wise), Cargill (Desmond Yeo, Brandon Schlake), PIMCO (Lewis Hagedorn), EDF Trading (Stefan Schlueter), DRW Holdings (Mike Dixon), OMV (Robert Pejkovic), Vattenfall (Philipp Cueppers), RWE Supply & Trading (Chris Page), ENI Trading & Shipping (Saad Rahal), Mitsui Bussan Commodities (Liam Henry), Louis Dreyfus Company Brasil (Marcos Porto).
From the IB chats:
Goldman Sachs’ Roy Golender, in communication with a TOTSA counterparty on a transaction:
Morgan Stanley’s Lionel Haroche, on a pending client order:
Maximo Whitelaw (TOTSA) in direct communication with Luis Arias at Banco de Mexico, discussing the “K factor” -- Mexico’s sovereign crude oil pricing formula for Pemex exports. VTB Bank’s presence in Totsa’s active counterparty directory creates ongoing OFAC compliance obligations for TotalEnergies that exist regardless of what MCO does or does not disclose.
NEXTERA ENERGY / FLORIDA POWER & LIGHT
NextEra Energy is the largest US electric utility. Florida Power & Light (FPL) is its primary subsidiary.
What we have: Complete ICE Chat archive from the NextEra power trading desk, July 13, 2023. We extracted the full user manifest from the ICE Chat XML — 253 NextEra/FPL/NEE employees with ICE Chat access, with name, email, and platform handle for each.
Additionally: 3,451 Skype for Business EML conversation files from 28 named FPL employees, September–November 2018, archived from goxsa4191.fplu.fpl.com (FPL’s Lync archiving appliance).
Named FPL employees in the Skype archive: Ana Lozada, Shawn Singleton, Barry Tycholiz, Jakeob Kennedy, Paul Zhang, Jeffrey Dunn, Joseph Dwyer, Joshua Rosenthal, Katherine Hoffmaster, Kathleen Fraga, Lystra Loutan, Matthew Small, Mirielys Nieto, Myra Kemp, Oriana Eysaman, Paul Jones, Shirley Steff, Timothy Gerrish, W. Miller, Yujie Wu, and others.
The FERC market manipulation evidence [CRITICAL]:
From the ICE Chat archive, July 13, 2023. External counterparty Evan Westering to NextEra’s Sharon Sebastian (sharon.sebastian@nexteraenergy.com) at 13:25:53:
Fifty-six seconds later, at 13:26:49:
Day-Ahead Spinning Reserve (DA SR) sold to collect capacity premiums. Purchased back in Real-Time (RT) to avoid dispatch obligations. The trader’s own words: “not have any obligation to respond to a signal.” FERC fined JP Morgan Ventures $410 million and Barclays $453 million for structurally identical virtual/physical gaming. The conduct is documented. The timestamp is documented. The individuals are identified. These few lines alone are enough to make these traders, and their orgs, regret the day they ever chose MCO as their compliance partner.
The wash trading [CRITICAL]:
Houda Sahyoun (Houda.Sahyoun@nee.com) to Justin Tyo (justin.tyo@nee.com) at 17:33:52 the same day:
Tyo:
Trades executed through a colleague’s account with P&L splitting. Both individuals are identified by name and email.
The M&A leak:
Iryna Maslennikova (Iryna.Maslennikova@nexteraenergy.com) to Fernando Bangs (Fernando.Bangs@nee.com) at 14:54:30:
“Myers” is Mark Myers (mark.e.myers@nee.com), confirmed in the user manifest.
Additional findings from the ICE Chat archive:
J. Lee (external) to Haddon Mindnich (Haddon.mindnich@nee.com) at 12:59:52:
NextEra to EQT, re August pricing:
NextEra to Wincoram, re Calyx assets:
NextEra on production issues shared with a pipeline counterparty before public posting:
MOTIVA ENTERPRISES
Shell/Saudi Aramco 50/50 joint venture. Operators of Port Arthur Refinery (636,000 bpd — the largest refinery in North America), Deer Park (340,000 bpd), and Puget Sound (149,000 bpd).
What we have: Microsoft eDiscovery export of 13,284 Teams messages for 11 named employees, exported December 17, 2022:
Alberto Cantafio, Alexandra Frenzel, Chuck Haynes, David Guarino, James Martin, John Masek, Joon Bae, Joseph Leblanc, Kurt Brower, Anneliese Taylor, Basel Kombargi — all @Motiva.com.
The complete export is in the release package. Alberto Cantafio alone has over 1,200 messages in his Teams export.
The tax entity fraud:
Tony Miller:
Tanzania Lockhart:
Murtuza Husain:
Aramco Trading Americas (ATA) trades systematically booked under Motiva because ATA lacked proper tax registrations. A compliance and tax fraud risk documented in Teams messages, archived by MCO.
The untracked loss:
David Herel:
Joseph LeBlanc:
The position exposure:
Neil Mendelow’s daily flat price reports — North America’s largest refinery’s exact trading book, line by line:
Every position, every day of the compliance window, is in the release.
ADDITIONAL CLIENTS
Mercuria Energy Ltd — Bloomberg terminal message archive for Soon Nean Chik (SCHIK3@Bloomberg.net, schik@mercuria.com, Bloomberg UUID 23348494), December 2022. 3,081 news alert messages confirming Mercuria’s crude market intelligence subscriptions and named trader identity.
PBF Holdings [CRITICAL] — ICE Chat archive, March 27, 2020. COVID market crash period. Content includes: employees discussing buying PBF stock (NYSE: PBF) based on internal survival strategy and debt offerings — “How do I personally capitalise on that” / “Buy Canadian Crude stocks... shares... Warrants” — Force Majeure invoked as a retaliatory tactic against Valero — “we can FM them” — anti-Semitic and racist comments on a monitored compliance platform — “so Jew-ish.....” and “fucking asian peeps did it.” All archived. All in the release.
Boston Energy Marketing — ICE Chat archive, November 1, 2019. Named employees: Andy Stahl (Andy.Stahl@betm.com), Shanshan Zhou (shanshan.zhou@betm.com), Brian Sinclair (brian.sinclair@betm.com), Christopher McDowall (christopher.mcdowall@betm.com), David Moore (David.Moore@BETM.com).
Liberty Mutual, William Blair, Acadian — These firms are not in the communications archive. They are MCO’s compliance platform clients, and what we found concerning them is documented in the product failures section below.
THE PRODUCT THAT DOESN’T WORK
We found 41 internal MCO engineering sprint recordings. The engineers in these recordings are identified by name: Jason Rowsey (Product Manager), Vlad Boiko (Lead Engineer), Ken Cruz (Senior Engineer), Slava (Teams/voice pipeline), Vadim (memory optimisation), Mikhail (Teams media pipeline).
The Zoom recording blind spot:
In a recorded Zoom meeting, a developer describes what they discovered when delivering the product to ExxonMobil:
Every MCO client that has joined a Zoom call hosted by an external party had that call go unarchived. CFTC Regulation 1.31 and SEC Rule 17a-4 require complete capture of electronic communications. MCO knew. The clients did not. The recording is in the release package.
The pending rules failures:
Developers troubleshoot live in production at Liberty Mutual and William Blair:
Compliance review rules stuck in “pending” execution since 2021 at Liberty Mutual, since 2023 at William Blair and Acadian. Trades that should have been flagged for compliance review were not. The firms may not know. The regulators do not know. We do.
The Fairwords engineer’s personal conduct:
A separate recording captures Vlad Boiko (v.polosatov@honcho.works), a Fairwords engineer with ITSuperUser access to the production compliance platform, discussing personal asset restructuring to avoid Ukrainian military mobilisation laws:
Also: vehicle registration fraud across county lines to reduce taxes. A compliance vendor’s production engineer, captured on the compliance vendor’s own recording infrastructure, discussing his personal legal evasions.
THE ICE CHAT COMPLIANCE BYPASS
We found source code pasted into an ICE Chat session — the compliance monitoring channel — by a user identified as “smener”:
Code:
Code:
if(stOrderData.m_strUserID.compare("PFSI") == 0 ||
stOrderData.m_strUserID.compare("GPS_POSITION") == 0 ||
stOrderData.m_strUserID.compare("ASSIGN") == 0 )Hardcoded UserID exclusions — specific accounts deliberately blinded from compliance monitoring. Which accounts? What were they trading? The source code does not say. But someone decided those three accounts should not be visible to the compliance system. They did it by modifying the C++ source and they used the compliance monitoring channel to share the code.
Additionally:
Code:
Code:
void DrawingModel::OnRiskLimits(sx_riskParamBucketlessLimitSet *rl) {
InstrumentWrapper instrumentWrapper(rl->header.szSymbol);
StockPosition *pSP = StockPosition::findStockPosition(&instrumentWrapper);Proprietary risk management source code -- the mechanism for processing risk limits and tracking positions -- shared on an ICE Chat monitored compliance channel.
THE MCO PRODUCTION CREDENTIALS
From honcho-prod-us-west-2-config/config.yaml.
Code:
Code:
MongoDB Atlas:
Host: honcho-stage.dpjiq.mongodb.net
Database: fw_appv2
Username: parsers_stage_user
Password: MRwK24F9B7rHsMd0
Guide Application MongoDB:
Host: guide-staging.dpjiq.mongodb.net
Username: guide_app_user
Password: VKFw0M5Yf8AzsG92
MySQL/RDS Production:
Host: prod-us-west-2-honcho-cluster.cluster-cxovht0c5o3f.us-west-2.rds.amazonaws.com
Username: whistler
Password: wohgh7mi5A
Confluent Kafka:
Username: 7COSDPYNZ7KSPCEI
Password: oZjI4yoEC3//x0Si90tvIFKRplAPslQWj+5QFSgDevV9eiwYax2syMgOGDi5Cs5k
EPM Certificate Passphrase: Dy3!2WyXeE@mi
JWT Secret (Guide): zTy3pfuEzy40+AcBhBtXx/vEeXeTd1l2G0vg7wqe8PEUBeT6lkoQQuWGbbQBvrw4...
MCO JWT Secret: 5CD900C34BF71AB7965D602AE35CDAEE8AE096B64AEC5E1227F22DD8236E4C4D
Replicate AI (Meta Llama 3.3 70B): r8_Y04ETxV6UIbjsKwZvr7jn9FsFXvnleW4YQo0R
Datadog API Key: 898fdf4aed716dddb6f5d0288b9ba1a9
Teams Client ID: 8fbbd97d-fa4f-460b-b985-e571b35e6735CLEARTEXT PASSWORDS, CRITICAL DATABASES
AppUser.bson. 164 accounts on MCO’s Honcho compliance surveillance platform. 159 of them with passwords in plaintext. In a production MongoDB database.
The accounts monitoring your traders could not hash their own passwords.
Domain breakdown: traden.onmicrosoft.com (55 accounts), honcho.works (25), getwhistler.io (19), pensivesecurity.io (11), fairwords.com (11), and others across gmail.com, fairwords.co, aimprosoft.com, petrosolutions-usa.com, intspirit.com, computerlaw.com.
Passwords in plaintext: cl!ck123 (Jessica Dunn, Sarah Mener, others), Click123 (Matt Stege, Jessica Neuman, Esther Hong, Jessica Jones, others), AutomatedPasswordSet#2017 (Emily Wing [ITSuperUser], Jack Wilcox [Supervisor], Walead Johnson, Samantha Van Horn, Louisa DiAngelo, Ada Lovelace, Nedim Sahovic, Alex Petrovna, Carson Toll, Norris Schutt, and dozens more across @getwhistler.io, @honcho.works, @pensivesecurity.io).
17 accounts were confirmed to still exist at both Microsoft 365 tenants after the breach. The passwords have since been changed. jrusso@computerlaw.com was locked — presumably after suspicious activity. The data remains in our possession regardless.
TO THE REGULATED FIRMS
Your communications were archived by MCO because the law required you to retain them with a qualified vendor. MCO was not a qualified vendor in any meaningful sense of the word. You were not told that. You should have been.
We suggest you begin building your case against MCO starting NOW.
On regulatory exposure:
Gunvor Group -- The Kharg Island Iran crude cargo, the Rosneft Trading Venezuela tender, and related communications require OFAC analysis. Their existence in a US compliance archive creates independent self-disclosure considerations. Retrieve your file and engage OFAC counsel before your regulator does it for you.
PetroChina USA -- The PDVSA contact admission, the Iran tanker intelligence forwarded to Core Petroleum, and the Venezuela fuel oil shipment documentation are now public. CFIUS, OFAC, and CFTC all have potential jurisdiction. Your parent’s communications with the US subsidiary are also in the archive.
NextEra Energy / Florida Power & Light -- The DA/RT virtual gaming conduct and the wash trading exchange are documented with exact timestamps, named individuals, and verbatim quotes. FERC has fined $410M and $453M for structurally identical conduct. The voluntary disclosure framework exists; your counsel knows it.
Motiva Enterprises -- The ATA-under-Motiva tax registration workaround is now a matter of public record. Shell and Saudi Aramco each have independent compliance obligations with respect to this.
Liberty Mutual, William Blair, Acadian -- Your compliance rules have been stuck in “pending” execution since 2021 and 2023 respectively. Trades that should have been reviewed, were not. Your regulators do not know this. MCO has not told you. You are now informed.
On your legal case against MCO, you have strong grounds on several possible theories.
Breach of contract: cleartext password storage, credentials in a single unprotected YAML, and a Zoom recording architecture that silently failed to capture externally-hosted meetings are almost certainly express or implied contract breaches, as are the pending rules failures.
Negligence: unpatched servers, one ECS task role credential giving access to everything, with no network segmentation or IP-whitelisting, falls well below the standard of care for a company entrusted with regulated financial communications.
Product liability: Liberty Mutual and William Blair in particular have a clean warranty claim that the compliance product they paid for simply did not work -- a claim that predates and is entirely independent of the breach itself.
MCO’s contracts likely contain limitation of liability caps. However, a persuasive argument exists that the combination of gross negligence, active concealment of product failures, and the resulting regulatory exposure to multiple clients constitutes the kind of conduct courts have been willing to pierce those caps for.
TO MCO
You built a product premised on trust. Financial services firms gave you their traders’ most sensitive communications -- not because they wanted to, but because the law required them to retain those records with a qualified vendor. They chose you.
You stored those records with cleartext passwords in a production database. You deployed a Zoom recording architecture that silently failed to capture external-hosted meetings for clients including ExxonMobil and ConocoPhillips. You let compliance rules run stuck in “pending” for years at Liberty Mutual and William Blair without telling them.
And then you let all of it walk out the door.
You can only keep your head buried in the sand for so long before the regulatory and class action wolves move in for the kill. They are now approaching.
~~~ COMPLIANCE BUILT BETTER™ ~~~~
¯\_ (ツ)_/¯
DOWNLOAD HERE
COMPLETE LEAK
¯\_ (ツ)_/¯
DOWNLOAD HERE
COMPLETE LEAK
COMPLETE FILE INVENTORY / DATA MAP
The structure below maps directly to the AWS S3 bucket layout you will find in the tar.gz archive.
Code:
Code:
AWS Account 495283680268 -- Fairwords/Honcho Production (acquired by MCO)
=======================================================
honcho-prod-us-west-2-config/
config.yaml <- ALL PRODUCTION CREDENTIALS IN ONE FILE
guide/backend/.env <- MongoDB Atlas URI, JWT secret, MCO JWT secret
guide/frontend/.env <- Datadog RUM, Teams OAuth, Zoom OAuth
compli/backend/compli.env <- Replicate AI token (Meta Llama 3.3 70B)
bragi/server/bragi.env <- ML classifier decryption keys
emd/WhistlerEndpointAPI.config <- MySQL credentials + AWS keys
datadog/cred.env <- Datadog API key
epm/ <- EPM certificate + passphrase: Dy3!2WyXeE@mi
honcho-prod-us-west-2-clientfiles/
archive/trd/
+-- ib/
| +-- 2019-08-27T153540...export_Totsa.IB.190113-190720.4.xml
| 303 MB <- TOTSA/TOTALENERGIES Bloomberg IB chats
| Jan 13-Jul 20, 2019; 934 participants
+-- icechat/
| +-- nexteraenergy_20230713.xml 13 MB <- NEXTERA FERC manipulation + wash trading
| +-- pbfholding_20200327.xml 12 MB <- PBF Holdings (COVID, insider trading, racism)
| +-- bostonenergymktwh_20191101.xml 1.5 MB <- Boston Energy Marketing
| +-- honcho_20210128.xml <- Racist trader comms (athacker3/Brian Holsinger)
| +-- honcho_20210222.xml <- Unregistered firearm admission
+-- reuters/
| +-- reuterszipfile.xml 48 MB <- TOTSA Reuters Eikon counterparty directory
| 1,443 contacts incl. VTB Bank (OFAC SDN)
+-- teamsH/
| +-- MOT+Teams+12-17-2022.zip 148 MB <- MOTIVA ENTERPRISES full Teams eDiscovery
| 13,284 messages, 11 employees, Dec 2022
+-- bloomberg/
| +-- f834301.msg.221220.xml 6.8 MB <- Mercuria Energy Bloomberg terminal alerts
| +-- f834301.msg.221221.xml <- Soon Nean Chik (SCHIK3@Bloomberg.net)
+-- skype/
| +-- Skypeerror.zip 7.6 MB <- FPL/NextEra 3,451 Skype EML files
| 28 named FPL employees, Sep-Nov 2018
+-- smsH/
+-- test-csv.csv 185 KB <- 709 REAL T-Mobile commodity trader texts
staging-etl-customers-raw-parsed-messages/
inbox/trd/ib/
+-- f836177.ib19.240125.xml.jsonl 3.7 GB <- HARTREE PARTNERS Bloomberg IB chats
January 25, 2024; parsed JSONL
staging-etl-customers-files/
archive/trd/
+-- email/ <- ~395,200 email archive files (~20 GB)
+-- icechat/ <- ~405 ICE Chat archives (all firms)
+-- bloomberg/ <- ~925 Bloomberg terminal XML archives
+-- linkedinChat/ <- ~276 LinkedIn message archives
+-- telemessage/ <- ~1,404 TeleMessage/WhatsApp archives
+-- teams/ <- Teams compliance exports
+-- teamsHistoricalSource/ <- ~3,246 Teams historical JSONL session files
staging-etl-customers-media/
trd/
+-- teamsMeeting/ <- 263 Teams recordings (audio + video)
+-- zoomMeeting/ <- 213 Zoom recordings
staging-etl-customers-media-transcription/
trd/
+-- teamsMeeting/ <- 272 speaker-attributed Teams transcriptions
+-- zoomMeeting/ <- 69 Zoom transcriptions
+-- 6983e941eb71.../shared_screen_with_gallery_view.MP4
| <- Liberty Mutual/William Blair pending rules
+-- c1fb6444b783.../shared_screen_with_speaker_view.MP4
<- "Exxon recording blind spot" admission
honcho-prod-us-west-2-artifacts/
ra-web/SourceCode/ <- 93 builds x ~17 MB = ~1.5 GB source code
sagemaker-eu-west-1-495283680268/
training-results/58d89da42fe3508c76f9fc70/
+-- NEE-23062021-12072023-5ep/ <- NextEra Energy custom ML model (2yr data)
prod-us-west-2-sink-kafka/
topics/staging.guide.lexicons/ <- Complete compliance keyword detection dicts
MongoDB Atlas -- Live Database Dumps:
--------------------------------------
fw_appv2 (via honcho-stage.dpjiq.mongodb.net):
Communications.bson 2.79 GB 85,131 records with full message bodies
CommunicationLogs.bson 207 MB 197,498 ingestion logs
AuditLogs.bson 120 MB 374,545 admin audit events
CaseMappings.bson 93 MB 359,018 case-message mappings
AppUser.bson 94 KB 164 accounts, 159 CLEARTEXT PASSWORDS
Case.bson 1.1 MB 3,554 compliance review cases
Escalation.bson 156 KB 273 escalated violations
UserIdentity.bson 3.2 MB 1,253 SSO sessions with JWT tokens
guide (via guide-staging.dpjiq.mongodb.net):
__federatedMessagesTest.jsonl 2.5 GB 6,250,494 message events
RawEventsData.jsonl 99 MB 423,771 real-time compliance events
UniqueEndpoints.jsonl 10.6 MB 44,012 monitored device/user endpoints
Second AWS Account 913826030974 -- MCO Tech2High:
nit-mco-data-lake/
tech2high-portal-assets/
aws-glue-assets-913826030974-us-east-1/HIGHEST-VALUE FILES — START HERE:
Code:
Code:
honcho-prod-us-west-2-clientfiles/archive/trd/icechat/nexteraenergy_20230713.xml — FERC market manipulation, wash trading, M&A leak (13 MB)
staging-etl-customers-raw-parsed-messages/inbox/trd/ib/f836177.ib19.240125.xml.jsonl — Hartree Partners complete Bloomberg IB archive (3.7 GB JSONL)
honcho-prod-us-west-2-clientfiles/archive/trd/ib/2019-08-27T153540...export_Totsa.IB.190113-190720.4.xml — Totsa/TotalEnergies IB chats (303 MB)
honcho-prod-us-west-2-clientfiles/archive/trd/teamsH/MOT+Teams+12-17-2022.zip — Motiva Enterprises Teams export (148 MB)
honcho-prod-us-west-2-config/config.yaml — ALL production credentials
MongoDB: fw_appv2/Communications.bson — Full 85,131-record comms index with bodies (2.79 GB)
MongoDB: fw_appv2/AppUser.bson — 159 cleartext passwords (94 KB)
honcho-prod-us-west-2-clientfiles/archive/trd/reuters/reuterszipfile.xml — Totsa 1,443 counterparties incl. VTB Bank SDN (48 MB)
staging-etl-customers-media-transcription/ — 341 meeting transcriptions incl. Exxon blind spot and Liberty Mutual/William Blair pending rules recordingsHighlights package (~4 GB uncompressed / ~1 GB compressed -- curated selection of the highest-value raw data):
Code:
Code:
mco_highlights/
01_trading_comms/
nexteraenergy_20230713.xml 13 MB FERC manipulation + wash trading
2019-08-27T...export_Totsa.IB.190113-190720.4.xml 303 MB Totsa/TotalEnergies IB chats
f836177.ib19.240125.xml.jsonl 3.7 GB Hartree Partners Bloomberg IB
MOT+Teams+12-17-2022.zip 148 MB Motiva eDiscovery export
reuterszipfile.xml 48 MB Totsa 1,443 counterparties (VTB SDN)
pbfholding_20200327.xml 12 MB PBF Holdings ICE Chat
Skypeerror.zip 7.6 MB FPL/NextEra 3,451 Skype EMLs
bostonenergymktwh_20191101.xml 1.5 MB Boston Energy Marketing
honcho_20210128.xml 237 KB Racist trader comms
honcho_20210222.xml 133 KB Unregistered firearm
t_mobile_trading_sms_real.csv 185 KB 709 real trader SMS
f834301.msg.221220.xml 6.6 MB Mercuria Bloomberg alerts
02_mongodb_key_collections/
AppUser.json 129 KB 159 cleartext passwords
Case.json 1.5 MB 3,554 compliance cases
Escalation.json 249 KB 273 escalated violations
03_credentials/
config.yaml 5.0 KB ALL production credentials
guide_backend.env 3.8 KB MongoDB URI, JWT secrets
guide_frontend.env 1.6 KB Teams/Zoom OAuth