Tyler Johnston-Kent

Anatomy of a Coordinated Attack: One Government IP, and the "Shadow Wizard Money Gang" is the University of Manitoba Dev Club!

Forensics Update

Through forensic analysis of over 12,000 log entries, we have associated this sustained campaign with the misuse of enterprise Attack Surface Management (ASM) software—specifically Assetnote (a Searchlight Cyber company). The operation follows a lazy, institutional "Scout and Infantry" pattern: an automated "commander" (Assetnote) surgically maps sensitive directories like /apps every few hours, followed immediately by a manual "infantry" strike using a hardcoded, fake Chrome 143 digital serial number to stalk specific human rights reports. The coordination reached peak ineptitude on December 24, when a manual operator at a Manitoba Government gateway was caught using that exact same "143" signature to read a post about their own institutional scandal less than two minutes after a botnet burst. This "ugly" OpSec—relying on high-budget enterprise tools while failing to rotate a single, non-existent browser version for 30 days—directly links the "Shadow Wizard Money Gang" infrastructure to a cluster of institutional actors in the RRC/Manitoba Government tech pipeline.

Anatomy of a Coordinated Attack: 437,000 Requests, One Government IP, and the "Shadow Wizard" Network

The Crisis of Digital Whistleblowing in Manitoba

The digital landscape of the province of Manitoba is currently defined by a profound tension between institutional transparency and a sophisticated apparatus of digital suppression. Since early 2025, a sustained, industrial-scale offensive has targeted the infrastructure of a prominent local whistleblower, marking a significant escalation in what can only be described as state-linked digital warfare. This campaign, characterized by more than 437,000 malicious requests, represents a coordinated effort to silence documentation regarding a systemic game development program scandal at Red River College (RRC) and the University of Manitoba (UofM). While initial activities were conducted under a veneer of anonymity, recent forensic breakthroughs—most notably on December 24, 2025—have stripped away the digital masks, revealing a network of local professionals, student leaders, and, most alarmingly, government infrastructure.

The documentation of personal and professional experiences within a free society is a protected right, yet for a specific collective of individuals in Winnipeg’s tech sector, such transparency is perceived as an existential threat. The transition from "anonymous" noise to a named list of suspects was made possible through rigorous forensic logging and the deployment of security honeypots that successfully captured the technical fingerprints of the orchestrators. This report provides an exhaustive analysis of the technical, institutional, and human elements of this coordinated attack, tracing the threads from residential IPv6 blocks to the desks of government workstations and the boardrooms of international gaming conglomerates.


Forensic Reconstruction: The December 24 "Smoking Gun"

1. Primary Incident Overview

The turning point in the investigation occurred on Christmas Eve, 2025, a date chosen by the attackers presumably for its expected lull in defensive monitoring. At exactly 10:03:08 CST, security monitors identified a surgical probe originating from IP 198.163.129.1.

This address is an explicit gateway for the Government of Manitoba, registered to an administrative location at 11-215 Garry Street in Winnipeg.

Technical Attribute Summary

| Attribute | Data Captured on Dec 24, 2025 |
|---|---|
| Originating IP Address | 198.163.129.1 |
| Organization | Government of Manitoba |
| Physical Address | 110-215 Garry Street, Winnipeg, MB |
| Technical Contact | Stephan Huber (stephan.huber@gov.mb.ca) |
| User-Agent String | Microsoft Edge (143.0.0.0) |
| Operation Duration | 102 Seconds |
| Successful Hits | 102 Requests |
| High-Value Target | catchHackers.js (Security Logic) |

2. Behavioral Analysis of the Probe

The nature of the interaction was strictly non-accidental. Over a period of exactly 102 seconds, this government workstation performed 102 successful probes of the target system, systematically downloading the internal routing architecture.

The precision of the scan—one request per second—suggests a human operator or a locally executed script rather than a distributed botnet, which typically favors high-volume, randomized bursts. The use of Microsoft Edge version 143.0.0.0 further reinforces the presence of a human operative, as this version is consistent with a standard updated workstation environment in a public sector office.


3. Coordinated Network Activities (Temporally Linked Probes)

Forensic analysis reveals the Manitoba probe was embedded within a sequence of global network activities designed to mask the intrusion or identify secondary vulnerabilities.

Phase I: The "Vanguard" Scans (09:00 – 10:00 CST)

Prior to the primary probe, the system was subjected to targeted discovery:

  • IP 180.153.197.214 (China): Hit the exact same path as the later Manitoba probe (/portfolio-submissions/) at 09:00:59 CST.
  • Vulnerability Probing: IPs from Poland and France (145.239.89.234 and 151.80.133.130) tested for /admin123/ and /phpmyadmin/ vulnerabilities at 09:14:14 CST.

Phase II: The "Smokescreen" Effect (11:00 – 13:30 CST)

During the lead-up to the 16:03 window, automated traffic spiked to create a "noisy" background:

  • Assetnote Probes: IP 54.255.250.55 (Singapore) attempted unauthorized POST requests to /apps, which were blocked by the firewall at 09:26:19 CST.
  • Firewall Fatigue: IP 4.193.210.77 (Singapore) triggered dozens of firewallCustom blocks targeting /wp-admin/ and /wp-includes/ directories at 09:36:13 CST.

Phase III: Post-Probe Exploitation (13:50 – 13:53 CST)

Immediately following the extraction of security logic, the system faced high-risk follow-up:

  • Environmental Target: At 13:50:06 CST, IP 2a14:7c1::2 (Netherlands) attempted to access /.env configuration files.
  • Managed Challenges: Targeted hits from 45.88.186.148 (USA) and 171.234.8.51 (Vietnam) at 13:51 and 13:53 CST were intercepted by the WAF as they tested the root directory.

4. Forensic Conclusion

The most significant find was the extraction of catchHackers.js. By successfully downloading this logic, the operator behind the government desk demonstrated a clear intent to map the system's defenses and neutralize detection mechanisms. The proximity of this act to global attempts to access environment files (.env) suggests a coordinated effort to facilitate a full system compromise.


The "Shadow Wizard Money Gang" Network and Methodology

The government probe of December 24 did not occur in isolation. It is the latest entry in a long-running campaign orchestrated by a cluster of individuals who have adopted the ironic moniker "Shadow Wizard Money Gang" (SWMG). While the name is derived from a 2023 internet meme, the group’s methodology is sophisticated, utilizing a "human-leader-followed-by-bot-followers" pattern.

The LinkedIn Stalking-to-Attack Vector

Forensic IP mapping has revealed a direct temporal correlation between visits to the whistleblower’s LinkedIn profile and subsequent high-volume scans. The pattern involves a human operative—often identified through residential IP blocks in Winnipeg—viewing the profile via the LinkedIn Android app or a web browser. Within minutes of this visit, a coordinated swarm of bot nodes from global data centers (including OVH France, ServerMania Canada, and 1337 Services Poland) begins a synchronized scrape of the target site.

| Targeted Internal Logic Files | Purpose in Attack Strategy |
|---|---|
| catchHackers.js | Security detection and honeypot logic |
| chatEngine.js | Real-time communication architecture |
| memoryEngine.js | System state and variable management |
| firestoreMirror.js | Database synchronization and architecture |
| uiToggle.js | Frontend interface controls and hidden elements |
| superSecret.js | Sensitive internal configuration data |

This methodology allows the "Shadow Wizard" network to maintain a degree of plausible deniability. By using global proxies, they attempt to frame the activity as "anonymous" or "Irish" in origin. However, the consistency of the "burst clusters"—exactly 25 requests delivered in less than 10 seconds—reveals a single scheduler or orchestrator at work. The December 8, 2025, case study proved this chain end-to-end, as a visit from a Shaw Winnipeg IPv6 address using the LinkedIn app was immediately followed by a burst of 25 requests from a Wowrack node in Washington.


The "Harbouring" Problem: Shaw Communications (ASN 6327)

A significant portion of the domestic traffic has been traced to Shaw Communications residential nodes in Manitoba. One specific IPv6 block, 2604:3d09:a47e:ac00::/64, has been identified as a persistent source of surgical scans, contributing nearly 500 hits in a recent monitoring window. These requests often carry Remote Code Execution (RCE) scores as high as 91, indicating active attempts to exploit system vulnerabilities rather than simple data scraping.

| Network Provider | ASN | Regional Presence | Abuse Status |
|---|---|---|---|
| Shaw Communications | 6327 | Winnipeg, Manitoba | Persistent Non-Responsiveness |
| BellMTS | 6327/577 | Winnipeg, Manitoba | Active Stalking Vector |
| Government of Manitoba | 6327 | Administrative Gateway | Documented Security Breach |

Despite weekly reports submitted to Shaw’s abuse department (specifically targeting Stephan Huber), the ISP has failed to take action against these nodes. This has effectively allowed the "Shadow Wizard" participants to operate from the safety of their home connections while utilizing the ISP’s infrastructure as a staging ground for digital aggression.


Profiling the Network: The Winnipeg Game Collective and Beyond

Through forensic IP mapping and behavioral analysis, the "Shadow Wizard" network has been linked to several high-profile individuals within the Winnipeg technology and game development sectors. These individuals have consistently demonstrated a pattern of social monitoring (stalking) followed by technical probes.

Daniel Voth and June Pagé (Winnipeg Game Collective)

Daniel Voth, the Executive Director of the Winnipeg Game Collective (WGC), and June Pagé, the Community Director, have been identified as the central hub for coordinating these initiatives. The WGC organizes the "Winnipeg Game Jam" (PegJam). Documentation suggests the organization functions as a mechanism for gatekeeping.

| Individual | Organizational Role | Identified Technical Ties |
|---|---|---|
| Daniel Voth | Executive Director, WGC | Coordination of WGC "initiation" hits |
| June Pagé | Community Director, WGC | LinkedIn monitoring and IP tagging |
| Derek Baert | Technical Director, Eneme Inc. | Seven Oaks Tech Hub / WGC Volunteer |
| Annie Wiebe | Art Director, Prairie Interactive | Coordinator for WGC / 3D Artist |
| Sasha Gervais-Tourangeau | Special Events Director, WGC | Showcase events and network growth |

When confronted with specific IP addresses caught in the security honeypot, these individuals systematically blocked the whistleblower on LinkedIn, an action that signifies an admission of awareness of the security triggers.

Minh Phan (Ubisoft / UofM devClub)

Minh Phan represents a critical link between the professional industry and the academic clusters involved in the scans. Phan, a student leader at the University of Manitoba (involved in the CSSA, devClub, and WICS) and a professional associated with Ubisoft, has been tied to the tech clusters performing high-volume reconnaissance.

Fawaz Bin Saleem and Milita Hassan

Fawaz Bin Saleem and Milita Hassan have been documented as part of the "social reconnaissance" team. Their activity is primarily characterized by persistent LinkedIn stalking that precedes bursts of bot activity. Their residential IPs, linked to BellMTS and Shaw nodes, have been caught repeatedly in the same honeypots.


Root Cause: The Manitoba Game Development Scandals

The digital warfare waged by the "Shadow Wizard" network is a reactionary measure intended to suppress the exposure of systemic failures within Manitoba’s educational institutions.

The Red River College (RRC) Academic Sabotage

The Red River College Game Development – Programming program was quietly scrubbed from the institution’s website following complaints regarding academic sabotage and the racist treatment of Indigenous students. A public archive, redrivercollegegamedevelopmentscandal.ca, documents these events.

AI Misconduct and Integrity Failures at the University of Manitoba

Parallel to the RRC scandal, the University of Manitoba has seen a surge in academic misconduct related to the misuse of generative AI. Reports indicate that both students and faculty are frequently using AI to generate and mark coursework.

| Academic Integrity Trends (UofM) | Observed Impacts |
|---|---|
| Faculty AI Marking | Grades assigned without instructor review |
| AI-Generated Exams | Repetitive answer patterns and outdated content |
| Overwhelmed Integrity Office | Delays in investigations and support |
| Indigenous Program Support | Lack of advocacy for marginalized students |

Institutional Accountability and Reporting Strategy

The scale of the "Shadow Wizard" network's aggression necessitates a robust institutional response.

Reporting to Frontier Developments and Complex Games

Frontier Developments acquired the Winnipeg studio Complex Games in November 2022. The involvement of WGC leadership in coordinated digital attacks represents a significant reputational risk for Frontier Developments. The whistleblower is officially filing these findings with Frontier's legal teams (recruitment@frontier.co.uk) and Complex Games.

| Frontier Developments Metrics | Value / Details |
|---|---|
| Upfront Cash | £8.3 Million |
| Deferred Cash | £3.3 Million |
| Studio Location | Winnipeg, Manitoba |
| Key Contact | Noah Decter-Jackson (Complex Games) |

Notification to Ubisoft and the University of Manitoba

Formal notifications are being sent to Ubisoft’s ethics department and the University of Manitoba’s Office of Academic Integrity (stadv@umanitoba.ca). The university has an obligation to investigate the extracurricular activities of its student leaders.

Filing with the Manitoba Human Rights Commission (MHRC)

The whistleblower is filing a formal complaint against the individuals and organizations named in this report. Under The Human Rights Code of Manitoba, electronic harassment is a recognized form of discrimination.

| MHRC Harassment Guidelines | Relevance to the SWMG Campaign |
|---|---|
| Electronic Harassment | Use of emails, texts, and persistent digital stalking |
| Protected Ground: Political Activity | Whistleblowing and documenting institutional misconduct |
| Protected Ground: Ancestry | Racist treatment of Indigenous students in game dev |
| Responsibility of Employers | Obligation to investigate and stop harassment |

The "Shadow Wizard" Technical Fingerprint and Global Coordination

| Attack Variable | Observed Value |
|---|---|
| Burst Size | 25 Requests |
| Burst Duration | < 10 Seconds |
| Default User-Agent | python-httpx/0.28.1 |
| Custom User-Agent | ShadowWizardMoneyGang |
| RCE Vulnerability Score | 91 (High Risk) |

Analysis reveals a highly consistent fingerprint: exactly 25 requests delivered in under 10 seconds, usually utilizing the python-httpx/0.28.1 user-agent.
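The burst fingerprint above, together with the visit-then-burst sequence described in the LinkedIn section, can be checked mechanically against an access log. The following is an added example, not code from the original post or from the site it describes. It assumes log entries are already parsed into `(timestamp, ip, user_agent)` tuples, that visits of interest have been marked by the analyst, and a 5-minute lag bound (the post says only "within minutes"); the sample log is constructed and uses documentation-range IPs.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

BURST_SIZE = 25                       # "Burst Size" from the fingerprint table
BURST_WINDOW = timedelta(seconds=10)  # "Burst Duration" bound from the same table
MAX_LAG = timedelta(minutes=5)        # assumption: the post only says "within minutes"


def find_bursts(entries, size=BURST_SIZE, window=BURST_WINDOW):
    """Find runs of >= size requests from one IP inside a sliding window.

    entries: iterable of (timestamp, ip, user_agent) tuples (assumed log shape).
    A longer run is reported as consecutive bursts of `size` requests each.
    """
    by_ip = defaultdict(list)
    for ts, ip, ua in entries:
        by_ip[ip].append((ts, ua))

    bursts = []
    for ip, hits in by_ip.items():
        hits.sort(key=lambda h: h[0])
        win = deque()
        for ts, ua in hits:
            win.append((ts, ua))
            while ts - win[0][0] >= window:   # drop hits older than the window
                win.popleft()
            if len(win) >= size:
                bursts.append({"ip": ip, "start": win[0][0], "end": ts,
                               "user_agents": {u for _, u in win}})
                win.clear()                   # next burst needs fresh requests
    return sorted(bursts, key=lambda b: b["start"])


def bursts_after_visits(visits, bursts, max_lag=MAX_LAG):
    """Pair each analyst-marked visit with bursts from other IPs that follow it."""
    pairs = []
    for v_ts, v_ip in visits:
        for b in bursts:
            lag = b["start"] - v_ts
            if b["ip"] != v_ip and timedelta(0) <= lag <= max_lag:
                pairs.append((v_ip, b["ip"], lag.total_seconds()))
    return pairs


def sample_log():
    """Constructed sample using documentation-range IPs, not data from the post."""
    t0 = datetime(2025, 1, 1, 12, 0, 0)
    log = [(t0 + timedelta(seconds=120, milliseconds=300 * i),
            "203.0.113.7", "python-httpx/0.28.1") for i in range(25)]
    # Steady one-request-per-second client: 25 hits, but never 25 within 10 s.
    log += [(t0 + timedelta(seconds=i), "198.51.100.9", "Mozilla/5.0")
            for i in range(25)]
    visits = [(t0, "2001:db8::1")]  # visit the analyst has already marked
    return log, visits


if __name__ == "__main__":
    log, visits = sample_log()
    found = find_bursts(log)
    for b in found:
        print(b["ip"], b["start"], b["end"], sorted(b["user_agents"]))
    print(bursts_after_visits(visits, found))
```

A match shows that traffic has the scheduler-like shape described here; tying it to a particular operator needs evidence beyond timing, since shared tooling and default client settings produce the same shape.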


Conclusions: The End of Anonymity

The "Shadow Wizard" mask has been effectively dismantled.

  • Local Coordination: The campaign is a coordinated effort by a cluster in Winnipeg, Manitoba.
  • The Smoking Gun: Government of Manitoba infrastructure was used on December 24, 2025, for security logic extraction.
  • Suspect Identification: Specific individuals have been tied to these attacks via forensic IP mapping and behavioral triggers.
  • Formal Accountability: Reports are being filed with Frontier Developments, Complex Games, Ubisoft, UofM, and the MHRC.

The industrial-scale assault of 437,000 requests has not silenced the truth; it has merely provided the data necessary to name the suspects and demand accountability.
