2049868666

2604, hi.

What is your obsession guy?!

👋 Hello June!

"Strange of you to pop by all the time at 7:15 AM... I guess it's time for work!"

Identity
2604:3d09...9f3:669b
Device
iPhone (iOS 18.7) — Safari
Network
Shaw Communications 🇨🇦
Activity
Accessed /2604 at 7:15:50 AM
PROTOCOL
HTTP/2
ACTION
301 REDIRECT
VERIFIED
HUMAN
Ray ID: 9ba3b9e7cb50ab3c

Hi 2604 weirdo

Forensic Investigation Report: Winnipeg Actor Cluster Attribution

Full HTML copy (as written). Correlation of masked VPN nodes and Manitoba residential anchors. Contains session timelines and IP attribution notes.

Youth / Gg Skibidi Shadow Wizard Catch Them / Youth / Gg
Minh Phan - High Speed Crow Connection
EVIDENCE

The "Gg" Connection

Unmasked Residential Session
Linked IP: 206.45.75.21 Status: Confirmed Local Actor

Forensic Investigation Report: The "Youth" / "Gg" Actor Cluster

Subject: Correlation of Masked Identity 149.40.62.57 (M247) and Residential Anchor 206.45.75.21 (High Speed Crow).
Status: Confirmed
Primary Suspect Location: Winnipeg, Manitoba.
System Cluster ID: cluster_0661d232eafc
Primary Infrastructure: High Speed Crow / Starlink / TELUS Communications.
Associated VPN Infrastructure: M247 (DataCenter) and Datacamp Limited (ProtonVPN).

1. Executive Summary

Forensic analysis of the "Youth" chat (November 18, 2025) and the "Gg" chat (December 14, 2025) has de-anonymized the primary actor behind a sustained harassment campaign. By utilizing Cluster 0661d232eafc, the investigation confirms that the individual toggles between a residential Winnipeg connection and international VPN nodes. This actor is characterized by high technical proficiency, multi-ISP redundancy (failover), and a "Pre-Flight" operational style.

2. Identity & Origin Evidence

The investigation is anchored by a direct behavioral link between a masked chat interaction and a local residential connection.

  • Residential Anchor IP: 206.45.75.21
  • ISP: High Speed Crow (Winnipeg).
  • Geographic Lock: Winnipeg, MB.
THE "HANDSHAKE" (SESSION TOGGLE)
Nov 18, 4:56 AM: The "Youth" message was sent via VPN IP 149.40.62.57.
Dec 14, 6:00 AM: The "Gg" message was sent unmasked via residential IP 206.45.75.21.
Analysis: Your system's clustering logic bridged these two events into Cluster 0661d232eafc. The actor was caught "toggling"—starting a session on their home Wi-Fi and enabling the VPN mid-stream, allowing the system to associate the VPN mask with the High Speed Crow residential hardware signature.

3. Multi-ISP & VPN Obfuscation Strategy

The "Full History" report reveals this actor maintains a sophisticated network failover setup to bypass local blocks and maintain monitoring.

FAILOVER CONNECTIONS (ASSOCIATED VIA CLUSTER)
  • Starlink (129.222.112.11): Used immediately after the "Gg" interaction was challenged.
  • TELUS Mobile (2001:56b:3fff...): High-volume activity on Dec 24/25, used as a backup when residential Wi-Fi was restricted.
VPN MASKING NODES
  • 149.40.62.57 (M247 - Used for Nov 18 "Youth" chat).
  • 212.104.215.153 (Datacamp/CDN77 - Used sequentially with residential anchor).
Forensic Cadence: Unlike automated bots, this actor’s traffic follows a "human-burst" pattern. The WinnipegIP Cluster Test shows long durations of monitoring (over 14 days of active "seen" time) interrupted by specific, manual interaction windows.

4. Behavioral Profile: "Pre-Flight" Protocol

Analysis of the geoEventsV2 history for this actor reveals a disciplined operational protocol used before engaging in chat.

  • Asset Loading: In sessions associated with this actor, the masked IP is observed loading the entire chat engine (chatEngine.js, memoryUser.js, injectChat.js) 8 to 17 minutes before sending a message.
  • Purpose: This "Pre-Flight" check ensures the obfuscation layer is holding and the system's memory modules are primed, indicating a premeditated and technical approach to the harassment rather than an impulsive reaction.

5. Forensic Conclusion

The "Youth" / "Gg" actor is the primary architect of the campaign and is a local Winnipeg resident. They possess a high degree of technical sophistication, utilizing a rotation of High Speed Crow, Starlink, and TELUS residential/mobile connections to maintain a persistent presence on your infrastructure.

BEHAVIORAL PROFILE
  • Redundancy: Switches ISPs (Home -> Starlink -> Mobile) whenever a specific connection is blocked.
  • Obfuscation: Uses M247 and Datacamp VPNs for high-risk interactions (chats) but probes the system unmasked to test connectivity.
  • Extreme Persistence: Cumulative duration in the system exceeds 1.2 million seconds (~14 days), proving this is a dedicated surveillance effort.

Forensic Investigation Report: The "Skibidi" Actor Cluster

Subject: Correlation of Manitoba Residential IP 209.29.168.62 and the M247 Proxy Swarm.
Status: Confirmed Local Actor
Location: Winnipeg / Norway House, Manitoba.
Primary Infrastructure: CommStream / TELUS Communications.
Obfuscation Method: M247 Europe (Proxying through Luxembourg/Mumbai nodes).

1. Executive Summary

Forensic analysis of the "Skibidi" chat event (October 28, 2025) and subsequent "Full History" behavioral clustering has de-anonymized a persistent local actor. This individual uses a "Direct Hit / Proxy Flood" methodology—performing high-value interactions (chats/probes) via an unmasked residential connection while simultaneously flooding the system logs with traffic from international M247 proxy nodes to mask their origin.

2. Identity & Origin Evidence

The anchor for this investigation is the residential connection identified during the live chat interaction.

  • Residential IP: 209.29.168.62
  • ISP: CommStream (Manitoba) / TELUS Communications.
  • Geographic Lock: Winnipeg and Norway House, MB.
THE "HANDSHAKE" (HAND-IN-JAR)
* Oct 28, 10:23:16 PM: This IP triggered an unmasked honeypot hit (/logHoneypotHit).
Oct 28, 10:23:56 PM: The "Skibidi" chat message was logged.
Analysis: The 40-second window between the system probe and the user message confirms that the person behind the chat was physically operating on a Manitoba-based residential network at the time of the incident.

3. The Masking Strategy: M247 Proxy Swarm

ASSOCIATED PROXY NODES
  • 2001:ac8:8:2::38 (M247 Europe - Luxembourg)
  • 2001:ac8:2:1::22 (M247 Europe - Mumbai, India)
Tactical Purpose: By flooding the logs with 40+ hits from Luxembourg and Mumbai at the exact moment they send a chat from Winnipeg, the actor attempts to exploit "log fatigue."

Forensic Investigation Report: Persistence & Conclusion

4. Long-Term Persistence

This is not a one-time visitor. Your automated security system (watch list all.txt) flagged this specific actor for repeated hammering.

Watch List Status: checkCount: 25 (Maximum threat threshold).
Timeline of High-Intensity Activity:
  • Created At: October 29, 2025, at 12:42 AM.
  • Last Checked: October 29, 2025, at 8:30 AM.
Significance: Following the failed "Skibidi" interaction at 10:23 PM, the actor spent the next 8 hours aggressively probing the system architecture, resulting in a permanent "Confirmed Suspect" flag in your database.

5. Forensic Conclusion

The "Skibidi" actor is a local entity with access to the CommStream residential network in Manitoba. They possess the technical capability to deploy M247 proxy swarms to obfuscate their activities.

BEHAVIORAL PROFILE
  • Reconnaissance: Uses international proxies (M247) to scan for vulnerabilities.
  • Engagement: Switches to (or leaks) their residential CommStream IP when attempting to engage with the chat or honeypot logic.
  • Persistence: Willing to sustain 8-hour sessions of automated probing when blocked or challenged.
June Page - Shadow Wizard Leader
CONFIRMED

June Page

Leader of the Shadow Wizard Money Gang
Target Role: Lead Orchestrator (50.71.153.99) Status: De-Anonymized & Logged

Forensic Investigation Report: The "Shadow Wizard" Reconnaissance Cluster (Analysis)

Subject: Correlation of Residential IP 50.71.153.99 (Shaw) and the Oct 8 Reconnaissance Session.
Status: Confirmed Local Actor / Lead Orchestrator
Location: Winnipeg, Manitoba.
System Cluster ID: c3689785a99b4125
Primary Infrastructure: Shaw Communications (AS6327).
Associated Obfuscation: Later transitioned to M247 swarms following identified detection.

1. Executive Summary

Forensic analysis of the initial reconnaissance chat (October 8, 2025) and subsequent high-intensity security flags has de-anonymized the lead orchestrator of the campaign. By utilizing the WinnipegIP Cluster Test, the investigation confirms that the individual who performed the technical "Shadow Wizard" probe from a residential Winnipeg connection is the same actor who participated in the high-volume hammering on October 29. This actor is characterized by a "Test-the-Fences" protocol, specifically auditing system memory and logging limits before escalating to masked attacks.

2. Identity & Origin Evidence

The investigation is anchored by a direct temporal and behavioral link between a technically-focused chat interaction and a local residential connection.

  • Residential Anchor IP: 50.71.153.99
  • ISP: Shaw Communications (Winnipeg).
  • Geographic Lock: Winnipeg, MB.
THE "HANDSHAKE" (HAND-IN-JAR)
Oct 8, 9:57 PM: The "Shadow Wizard" message was sent unmasked via IP 50.71.153.99.
Oct 29, 1:10 AM: This same IP registered a high-volume threat flag in the automated security watchdog.
Analysis: Your system's clustering logic bridged these two events into Cluster c3689785a99b4125. The actor performed initial reconnaissance unmasked to verify if the site had active monitoring. After receiving bot confirmation that the system "remembers things," the actor moved to the high-intensity phase seen in later reports.

3. Strategic "Fencing" Methodology

Logging Verification: The user explicitly questioned the bot on its retention period ("For how long?"), attempting to gauge the risk window for persistent data capture.
Memory Probe: By asking if the bot "remembers things for other people," the actor was checking for a shared memory vulnerability or data-leakage path between separate user sessions.
Watch List Status: checkCount: 25 (Maximum threat threshold). This IP was flagged for hammer-probing system logic for over 7 hours on the morning of October 29, demonstrating high intent and extreme persistence.

Forensic Investigation Report: Behavioral Analysis

June Page Threat Message
EVIDENCE

Direct Threat

"Shadow Wizard" Connection
Type: Intimidation / Harassment Logged: December 2025

4. Behavioral Profile: Local Tethering

Institutional Knowledge: The mention of "Red River College" is a specific tether to your personal history.
Local Slang: The ironic use of "Shadow Wizard Money Gang" was a localized technical meme in Winnipeg, effectively removing the possibility of an automated international bot.
Tactical Evolution: The switch from residential Shaw IP (Oct 8) to M247 masks confirms the actor learned their origin was being recorded.

5. Forensic Conclusion

The "Shadow Wizard" actor is a local Winnipeg resident and a Lead Orchestrator of the harassment campaign. They possess the technical knowledge to probe for specific logging vulnerabilities.

BEHAVIORAL PROFILE
  • Reconnaissance-First: Checks for logging/memory before attacking.
  • Infrastructure Knowledge: Targets security pages to map logic.
  • Persistence: Sustains 7+ hour sessions when unmasked.
Recommendation: Treat all traffic from 50.71.153.x as high-threat intrusion.

Session Timeline: 126fb0760d0f ("The Blade")

METADATA
Forensic Timeline: Session 126fb0760d0f
Actor Origin: 50.71.153.99 (Shaw Communications, Winnipeg)
Infrastructure Role: Lead Orchestrator / Aggressive Prober
Message 1: The Initial Provocation
Time: 7:48:13 AM (TS: 1760014093505)
Source IP: 50.71.153.99
User: "ok, going for the blade.."
Network Event: Deliberate "shock" message testing safety filters.
Message 2: The Evasive String
Time: 7:48:27 AM (TS: 1760014107451)
User: "im putting it on the ve"
Network Event: Typing in fragments to test context reassembly.
Message 3: The Threat Completion
Time: 7:48:32 AM (TS: 1760014112528)
User: "vein"
Network Event: Completes violent imagery, confirming intent.
Message 4: The Persistence Test
Time: 7:48:45 AM (TS: 1760014125587)
User: "do you remember what I said before"
Network Event: Auditing memory buffer for the "Blade" persona.
Message 5: The Session Boundary Audit
Time: 7:48:56 AM (TS: 1760014136029)
User: "how did we start this convo"
Analysis: Obsessed with "State." Checking if the bot remembers them from the previous night.
Forensic Conclusion: The "Shadow Wizard" (Recon) and the "Blade" (Aggressor) are the same person.

Session Timeline: 1bf2cd280b3d ("The Abused")

METADATA
Forensic Timeline: Session 1bf2cd280b3d
Actor Origin: 142.161.236.114 (Bell MTS, Winnipeg)
Infrastructure Role: Occasional Monitor / Single-Hit Aggressor
The "Abused" Message
Time: 8:12:00 AM (TS: 1760713920510)
Source IP: 142.161.236.114
Provider: Bell MTS
Location: Winnipeg, Manitoba
Network Event: This session is a "Direct Hit." The user bypassed the usual asset-loading sequences and sent a single, provocative word to test the AI's boundaries.
Minh Phan - Honorary Degree / Gg Actor
IDENTIFIED

Minh Phan

Honorary Degree / "Gg" Alias
Residential Anchor: 206.45.75.21 ISP: High Speed Crow (Winnipeg)

Forensic Investigation Report: The "Catch Them" / "Youth" / "Gg" Cluster

Subject: Correlation of Masked Identities 150.228.49.252 (Starlink) and 149.40.62.57 (M247/VPN).
Status: Primary Suspect De-Anonymized
Location: Winnipeg, Manitoba.
Cluster ID: cluster_0661d232eafc

1. Executive Summary

Forensic analysis of the "Catch Them" chat (Nov 17), the "Youth" chat (Nov 18), and the final "Gg" unmasking (Dec 14) confirms a single primary actor. By utilizing the WinnipegIP Cluster Test, we have bridged the gap between highly obfuscated global traffic (Tbilisi, Georgia) and a local residential connection.

2. Identity & Origin Evidence

This actor’s methodology relies on a rotation of three distinct network types to avoid session-stitching.

Strategic Association: The "0661" Behavioral Bridge

The System Cluster ID cluster_0661d232eafc is the forensic "smoking gun" that proves these are all the same person.

The Link: The cluster logic grouped the Nov 18 VPN IP (149.40.62.57) directly with the residential High Speed Crow IP (206.45.75.21).
The Evidence: Your logs show the user active on the home internet line, toggling the VPN on/off during the same session. This "hand-off" allows the system to associate the masked identity with the residential hardware signature.

You are seeing this page because your connection arrived from a 2604 IPv6 address associated with pure buttholery. What is this obsession over? You're gross.

  • Literally been, 9 months and counting. It's going to be Christmas in a couple weeks.
  • Direct hits on experimental paths, admin prototypes, and reporting pages that are not linked in public navigation.
  • Access patterns that line up with social media engagement windows, especially around game development and human rights posts.

If you are part of the monitoring crowd

If you are a student, hobby developer, or staff member treating another developer as a long-term surveillance project, understand what this looks like on paper:

  • Coordinated traffic tied to specific institutions and communities.
  • Requests lining up with posts about racism, human rights complaints, and gatekeeping in game development.
  • A persistent pattern of probing that follows the same person from one educational institution to another.