Mount Royal University Accountability Archive

They silenced the story. We documented the truth.

Home About Staff Profiles Timeline Evidence Honorary Degree Hackers
Timeline graph showing a sharp spike in traffic immediately after posting to MRU Reddit, with data points from geolocation logs, Cloudflare request details, and a spoofed email form submission.

Initial Data Collection Initiative

For controlled testing, the domain and related stories were deliberately left unpromoted to establish a baseline of normal traffic activity. This ensured that any future spikes could be attributed to specific external triggers. After posting the website link to the MRU Reddit, our traffic monitoring system recorded an immediate and significant surge in activity, clearly visible in the graph above. Within hours of this spike, spoofed emails began arriving. Coincidence? Highly unlikely.

Combined evidence: spoofed email form submission + geolocation logs + Cloudflare request details

Threat Detection & Capture documents how Formant’s monitoring linked a harassment submission to live network activity. The sender spoofed an email identity, but did not spoof location—letting us associate their form post with real geolocation pings and Cloudflare request details. This ties the message to a Mount Royal University student footprint and correlates with the same time-window probes recorded in our logs.

For months, analytics quietly logged automated probes (primarily from an Ireland-based botnet). On August 7, 2025, the pattern escalated—human-driven hits and a targeted strike originating from Los Angeles appeared alongside these artifacts, all preserved here.

The Lead-Up

At 7:25 AM UTC-5, our geo-location tracker logged a direct probe from Los Angeles, California. The request hit the root path (/), confirming that a human-controlled system was conducting reconnaissance before the attack.

The Moment of Initiation

At 8:14:35 AM UTC-5, the assailant engaged — targeting a decoy analytics file (/analytics6x4Z72xq1.html). This timestamp matched a visible spike in Cloudflare’s network data, marking the start of the breach attempt.

Bypassing the Shield

At exactly 8:15 AM, Cloudflare analytics confirmed a CDN bypass — serving formant.ca directly from the origin server. This was the moment the LA threat actor revealed themselves, and the moment our systems caught them in real time.

Tracked, Logged, Preserved

Our custom bot trap systems and firestoreMirror.js logging recorded everything: IP address, geo-location, timestamp, and user agent — down to the second. This entry is now part of our active threat report archive.