Have a Break (TryHackMe)


Investigation is a TryHackMe challenge inspired by a real cargo theft incident, set in a fictional ECTA (European Cargo Threat Assessment) framework. The scenario involves a missing refrigerated truck carrying 400,000 units of KitKat product on the Italy–Poland transit corridor. Playing the role of a CZ Node investigator on Project HAVEABREAK, the challenge covers email header forensics, OSINT, and access log analysis to identify both the whistleblower who sent an anonymous tip and the insider who leaked the shipment details to the thieves. It's a blue team / DFIR-flavoured room that rewards methodical evidence analysis over technical exploitation.

Investigation

Disclaimer: This challenge is inspired by a real cargo theft that occurred in March 2026, in which a shipment of KitKat products was stolen in transit between Italy and Poland. All companies, agencies, individuals, documents, and investigative findings presented in this challenge are entirely fictional. No real employees, law enforcement personnel, or organisations are implicated. The real theft remains under investigation by the relevant authorities.

Background

On 26 March 2026, a refrigerated truck carrying over 400,000 units of KitKat product vanished somewhere between Central Italy and Poland. Nestlé confirmed the theft two days later. The vehicle has not been found.

The European Cargo Threat Assessment (ECTA) does not believe this was opportunistic. A shipment of this size, on a contracted route, does not disappear without someone helping it along.

An anonymous tip reached a journalist the following evening. ECTA obtained it under judicial authority. That is where your investigation begins.

Your Assignment

You are a CZ Node investigator on Project HAVEABREAK. Your goal is to identify the culprit behind the heist by using the following files:

Answer the questions below

Which VPN service was used to send the anonymous email from the .eml file? Mullvad

cat exhibit_a.eml | head -60
Delivered-To: redakce@novinybrno.cz
Received: by 2002:a05:640c:2247:b0:261:9202:4f12 with SMTP id h7csp418823eiw;
        Thu, 27 Mar 2026 23:14:58 +0100 (CET)
X-Received: by 2002:a05:6402:4112:b0:55d:741:a88c with SMTP id
        4fb4d7f45d1cf-55d0741a632mr880241a12.4.1774903498112;
        Thu, 27 Mar 2026 23:14:57 +0100 (CET)
ARC-Seal: i=1; a=rsa-sha256; t=1774903497; cv=none;
        d=google.com; s=arc-20240605;
        b=Rk9Lm2awqoHf4KvOmErTWtV2WuOiz17Sq3Vi4Errea90wbn/yEusD3E5BvvhhAHhqZ
         TYlzHWa4xclKw6+xFtYxEPbC64xXYj6IGrXi9jM8ROwFtl3qMIgNNOx5SGV58DhVrQgn
         oSc/KTjx/oipuN5H5DfUDSPLtzZBuppoMEEdv7k6AI9jPza3+QZ84Yi7wKtgCHMFEXTC
         kmhXaXudxzFSIFUMj4fcT8qBT4veB3/yM1UQvAt0FhBxlIclweQ4HMO5Mb6MfqDz+cFl
         toTuFR1GmBskW8raiyqlWoqXVgArArInHmEgiC3IcmOhx2wDVLUrrtQPAZErtBCGVUAx
         ZcDQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
        s=arc-20240605;
        h=content-transfer-encoding:mime-version:message-id:user-agent
         :subject:to:from:date:dkim-signature;
        bh=PQjqYwtpl/t+dOdAkHK9pPbBiFsK83HI6z5h/7TUtQ4=;
        fh=q/LR6eZLpYAtbPWURJRmSY/XBACLHwBYJTCfJKSkZ+4=;
        b=WNQxzO1MfMIMIyMQKxQGV588ueD/wMN0mm90WfQ3HTPxR3vqWe5O+rTnEu69Fg/R7Z
         +8i2m2yNeFqWpUUY1nFo5BidkWqxJ9jLEE8y21liadSyx3DynWjk6knMUDRrZJQXHEMe
         MG6PF9UpStILew+tzdrgHjPvtQaxHs9xvC+SArjKv7D1q09kjJAGiXdxiA7mNtM94/xM
         FDeVfz2rxmQdgZNOvlA4opy8p40WhgwssooH1fjl8WcMUQCIoA9mPzSU3826dHRhIOcF
         pGzMIxdqjFqqJ5I1D4Nfsg3kyWSNUktEUbWmnFR84sgISl7ZMs8rQ2G2P+1xXQU6/yer
         ZqYg==;
        dara=google.com
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20251104 header.b=nFGXUmGC;
       spf=pass (google.com: domain of notmyname2847@gmail.com designates
         209.85.220.41 as permitted sender)
         smtp.mailfrom=notmyname2847@gmail.com;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <notmyname2847@gmail.com>
Received: from mail-sor-f41.google.com (mail-sor-f41.google.com. [209.85.220.41])
        by mx.novinybrno.cz with SMTPS id
        4fb4d7f45d1cf-55d033ad114sor221136a12.8.2026.03.27.23.14.57
        for <redakce@novinybrno.cz>
        (Google Transport Security);
        Thu, 27 Mar 2026 23:14:57 +0100 (CET)
Received-SPF: pass (google.com: domain of notmyname2847@gmail.com designates
        209.85.220.41 as permitted sender) client-ip=209.85.220.41;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20251104 header.b=nFGXUmGC;
       spf=pass (google.com: domain of notmyname2847@gmail.com designates
         209.85.220.41 as permitted sender)
         smtp.mailfrom=notmyname2847@gmail.com;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20251104; t=1774903497; x=1775508297;
        h=content-transfer-encoding:mime-version:message-id:user-agent
         :subject:to:from:date:from:to:cc:subject:date:message-id:reply-to;
        bh=PQjqYwtpl/t+dOdAkHK9pPbBiFsK83HI6z5h/7TUtQ4=;
        b=nFGXUmGCjbAdHMoRvUeruvskR5JmSiEHXmCvrUpmQDz8Mk7t7gXWgTOi595nC5m9iU
         Q7xfb13gqFBfZ7ezw1zYnnDHSYU/F7i+5thptGMIjIvhmTlpFGAmB/NxyI4L5sROa/WI
         SLpyGIG/fVLqJHEKW4MpYoobWZXdb/ihPDrBP/k9xYhZLvKA7I1kgp0o+ckIQJ3kLtGm
         t+sn4Xd4pImfkRd3cbvxMbER1DTqXwn0J4tk04epZauFlzfVKL3TD4u5dBT1Vsqv1zsf
         g9pLDxEMDmZaM5id3lrXeG7cWvfcK5d7LuTkHE9NOf3SprTgmByjDdMPNms/L7k///I9
         JqdQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
FICTIONAL DOCUMENT — Created for educational/CTF purposes only. ECTA does not exist. No real law enforcement data is represented herein.

ECTA
EST. 2011
EUROPEAN CARGO THREAT ASSESSMENT
Freight Crime Intelligence Division — Cross-Border Operations
PRELIMINARY INTELLIGENCE ASSESSMENT
Case Ref: EC-2026-0847-CZ
Project: HAVEABREAK
File: OCG / FREIGHT / CZ-IT
Issued: 28 March 2026
Page: 1 of 2
SUBJECT: Organised Cargo Theft — Nestlé / KITKAT Shipment — Italy to Poland Transit Corridor
REQUESTING AUTHORITY: Polizia di Stato (Italy) — NCA Liaison / Project HAVEABREAK Node
CONTRIBUTING AGENCIES: Polizia di Stato (IT), Policie České Republiky (CZ), Policja (PL)
DISTRIBUTION: Project HAVEABREAK Nodal Officers — IT / CZ / PL only
HANDLING CODE: EXFOR — Not for public release. Not to be shared with media or third parties.
ECTA RESTRICTED — LAW ENFORCEMENT SENSITIVE
1. INCIDENT SUMMARY
On or around 26 March 2026, a refrigerated HGV operated by TransEuro Logistics s.r.o. (Brno, Czech Republic; IČO: 293 XXXXX) departed a Nestlé production facility in Central Italy carrying 413,793 units of KITKAT confectionery product, total weight approximately 12 tonnes. The consignment was destined for distribution in Poland, with an estimated transit route of 1,250–1,350 km via Austria and the Czech Republic.
The vehicle failed to complete scheduled check-ins and did not arrive at the destination distribution centre. As of 28 March 2026, both the vehicle and its entire cargo remain unaccounted for. Nestlé confirmed the theft publicly on 28 March 2026. No injuries have been reported.
2. INTELLIGENCE ASSESSMENT
Preliminary analysis indicates characteristics consistent with insider-facilitated cargo diversion rather than
opportunistic highway theft:
1. The vehicle deviated from its check-in schedule without triggering automated alerts, suggesting prior knowledge
of monitoring intervals or deliberate suppression of telematics data.
2. The shipment was part of a newly launched product range with limited external visibility, suggesting the
perpetrators had advance knowledge of the consignment contents and value.
3. TransEuro Logistics s.r.o. operates exclusively on contracted routes. The Italy–Poland corridor is handled solely
by the Brno operational office. Access to route scheduling data is restricted to logistics coordinators and route
planning personnel within that office.
These indicators suggest a moderate-to-high probability of insider involvement at the subcontractor level. This
assessment is preliminary and subject to revision pending forensic analysis.
3. INTELLIGENCE LEADS
EXHIBIT A — Electronic Communication: On 27 March 2026 at 23:14 CET, an anonymous electronic
communication was received by a journalist at Brno Regional News (redakce@novinybrno.cz). The sender claims
to be a TransEuro employee with knowledge of irregular internal system activity the night before the vehicle's
departure. The communication has been obtained by law enforcement under judicial authority.
EX-A / EC-2026-0847-CZ
Investigators are directed to conduct full header and metadata forensic analysis of Exhibit A. Any identity indicators recovered must be cross-referenced against TransEuro Logistics s.r.o. personnel records (IČO: 293 XXXXX). The company registration number is required to access the subpoenaed staff records provided in the case data package.
EXHIBIT B — Dashcam Image: During canvassing of vehicles recorded on the D1 corridor on the night of 26
March 2026, a dashcam SD card was recovered from a vehicle stopped for an unrelated traffic matter near Hulín.
One image of evidentiary value was extracted and is attached as Exhibit B.
EX-B / EC-2026-0847-CZ
The image was captured through the vehicle's windscreen and shows a service station stop consistent with the
transit corridor. A large HGV consistent with the description of the missing vehicle is visible at the truck parking
area. The dashcam unit recorded a timestamp of 26.03.2026 — 22:31 at time of capture. Investigators are directed
to identify the precise service station depicted and confirm whether the location and timestamp are consistent with
the vehicle's expected transit window. Note: the vehicle departed Central Italy on the morning of 26 March.
Investigators should factor transit time into their assessment.
4. REQUESTED ACTIONS
1. [CZ Node] Conduct full forensic analysis of Exhibit A. Identify all origin indicators including sending
infrastructure, timezone data, and client metadata. Cross-reference any recovered identity indicators against
TransEuro Logistics s.r.o. Brno office personnel — route planning staff are primary persons of interest.
2. [CZ Node] Identify the service station depicted in Exhibit B. Confirm whether the location and timestamp
(26.03.2026 — 22:31) are consistent with the vehicle's expected transit window on 26 March 2026.
3. [CZ Node] Review the subpoenaed TransEuro IT records included in the case data package. Identify any
anomalous access to route planning files in the period immediately preceding the vehicle's departure.
4. [IT Node] Obtain and preserve telematics records for the vehicle from TransEuro Logistics s.r.o. operational
systems.
5. [PL Node] Monitor unofficial resale channels for KITKAT batch series identified by Nestlé. Report any
confirmed sightings immediately.
5. BACKGROUND — PROJECT HAVEABREAK
This assessment is issued under Project HAVEABREAK, the ECTA-coordinated initiative targeting mobile
organised crime groups specialised in cargo theft across EU transit corridors. Italy and the Czech Republic are both
assessed as severe risk jurisdictions under the current threat matrix. The Italy–Austria–Czech Republic–Poland
corridor has been identified in prior assessments as a high-frequency route for both opportunistic and insider-
facilitated freight crime.
Analyst: XXXXXXXXXXXXXXXXX
Unit: Organised Property Crime — Project HAVEABREAK Analytical Cell
Date: 28 March 2026
EC-2026-0847-CZ // ECTA RESTRICTED // EXFOR
European Cargo Threat Assessment — Freight Crime Intelligence Division

cat exhibit_a.eml | grep -E "^(User-Agent|Message-ID|X-Mailer|X-Forwarded|X-Originating|X-Original|Received):"
Received: by 2002:a05:640c:2247:b0:261:9202:4f12 with SMTP id h7csp418823eiw;
Received: from mail-sor-f41.google.com (mail-sor-f41.google.com. [209.85.220.41])
Received: from [193.32.249.132] ([193.32.249.132])
User-Agent: K-9 Mail for Android
Message-ID: <A28CEF9B-4E09-5DB7-C7BB-52F6315EDD7C@gmail.com>

VPN Answer: Mullvad

The originating IP 193.32.249.132 is a Mullvad VPN exit node. That is the address the message was actually sent from before it hit Google's servers, i.e. the VPN exit rather than the sender's own connection. You can verify with:

curl https://ipinfo.io/193.32.249.132

It will return Mullvad's AS details (AS39351, owned by 31173 Services AB — Mullvad's infrastructure).

Summary of what each line tells you:

| Header | Value | Meaning |
| --- | --- | --- |
| Received: from [193.32.249.132] | Mullvad VPN exit node | Actual sending IP |
| User-Agent | K-9 Mail for Android | Email client used |
| Return-Path | notmyname2847@gmail.com | Burner Gmail account |

The sender used K-9 Mail on Android routed through Mullvad VPN — hence the Google SPF/DKIM all passing cleanly (it still went via Gmail's servers), but the originating connection came from Mullvad's infrastructure.
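
The header reading above, as an added Python example (not part of the original write-up): it unfolds the Received headers that a line-based grep truncates and returns the deepest client IP recorded by an unbroken run of relays the analyst trusts. The sample message is abridged from the exhibit; the "by smtp.gmail.com ... EXAMPLE-ID" continuation and the TRUSTED_RELAYS list are assumptions.

```python
import ipaddress
import re
from email import message_from_string

# Sample abridged from the exhibit headers shown above. The continuation of the
# last Received header ("by smtp.gmail.com ... EXAMPLE-ID") is constructed: the
# page's grep output shows only the first physical line of that folded header.
SAMPLE_EML = """\
Delivered-To: redakce@novinybrno.cz
Received: by 2002:a05:640c:2247:b0:261:9202:4f12 with SMTP id h7csp418823eiw;
        Thu, 27 Mar 2026 23:14:58 +0100 (CET)
Return-Path: <notmyname2847@gmail.com>
Received: from mail-sor-f41.google.com (mail-sor-f41.google.com. [209.85.220.41])
        by mx.novinybrno.cz with SMTPS id
        4fb4d7f45d1cf-55d033ad114sor221136a12.8.2026.03.27.23.14.57
        for <redakce@novinybrno.cz>
        (Google Transport Security);
        Thu, 27 Mar 2026 23:14:57 +0100 (CET)
Received: from [193.32.249.132] ([193.32.249.132])
        by smtp.gmail.com with ESMTPSA id EXAMPLE-ID;
        Thu, 27 Mar 2026 23:14:55 +0100 (CET)
User-Agent: K-9 Mail for Android
Message-ID: <A28CEF9B-4E09-5DB7-C7BB-52F6315EDD7C@gmail.com>
"""

# Assumption: relays whose Received lines the analyst is prepared to believe.
TRUSTED_RELAYS = ("novinybrno.cz", "gmail.com", "google.com")


def received_hops(raw):
    """Unfold every Received header; return hops ordered recipient-first."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        line = " ".join(value.split())  # undo header folding
        by = re.search(r"\bby\s+(\S+)", line)
        m = re.match(r"from\s.*?\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]", line.split(" by ")[0], re.I)
        try:
            client = ipaddress.ip_address(m.group(1)) if m else None
        except ValueError:
            client = None
        hops.append({"by": by.group(1).rstrip(";") if by else None, "client": client})
    return hops


def submission_ip(raw, trusted=TRUSTED_RELAYS):
    """Deepest public client IP recorded by an unbroken run of trusted relays."""
    # Anything below the first untrusted hop was supplied by the sender and can
    # be forged, so the walk stops there.
    found = None
    for hop in received_hops(raw):
        if hop["client"] is None:  # internal hand-off, no peer address
            continue
        host = (hop["by"] or "").lower().rstrip(".")
        if not any(host == t or host.endswith("." + t) for t in trusted):
            break
        if hop["client"].is_global:
            found = hop["client"]
    return str(found) if found else None


def client_hints(raw):
    """Headers written by the sending client rather than by a relay."""
    msg = message_from_string(raw)
    return {h: msg.get(h) for h in ("User-Agent", "X-Mailer", "Return-Path")}
```

The returned address is only where the trusted relay saw the connection come from; attributing it to a VPN provider still needs the ASN lookup shown above.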

What is the full street address of the petrol station where the missing vehicle was last seen? Kroměřížská 1281, 768 24 Hulín, Czechia

At what time did the suspicious action take place in the route planning system on March 25th, 2026?
Format: HH:MM:SS 22:14:09

cat transeuro_data/access_log.csv
date,time,employee_id,file,action
2026-03-24,07:11:03,BR-0291,ROUTE_IT_PL_Q1_2026.pdf,AUTH_FAILED
2026-03-24,08:44:12,BR-0204,ROUTE_CZ_SK_Q1_2026.pdf,VIEW
2026-03-24,08:58:03,BR-0334,ROUTE_DE_PL_Q1_2026.pdf,VIEW
2026-03-24,09:14:33,BR-0291,ROUTE_AT_HU_Q1_2026.pdf,VIEW
2026-03-24,09:51:07,BR-0291,ROUTE_IT_PL_Q1_2026.pdf,VIEW
2026-03-24,09:55:22,PR-0122,ROUTE_IT_PL_Q1_2026.pdf,VIEW
2026-03-24,10:04:17,BR-0334,ROUTE_IT_PL_Q1_2026.pdf,VIEW
2026-03-24,10:22:18,BR-0291,DRIVER_SCHEDULE_WK13.xlsx,VIEW
2026-03-24,10:32:44,PR-0114,CAPACITY_MARCH_2026.xlsx,VIEW
2026-03-24,10:48:55,PR-0122,ROUTE_CZ_SK_Q1_2026.pdf,VIEW
2026-03-24,11:05:02,BR-0204,DRIVER_SCHEDULE_WK12.xlsx,VIEW
2026-03-24,11:34:08,BR-0334,DRIVER_SCHEDULE_WK13.xlsx,VIEW
2026-03-24,13:08:55,BR-0188,INSURANCE_Q1_TEMPLATE.docx,VIEW
2026-03-24,14:08:22,BR-0188,INSURANCE_Q1_TEMPLATE.docx,EDIT
2026-03-24,14:44:11,BR-0312,DRIVER_SCHEDULE_WK13.xlsx,VIEW
2026-03-24,15:20:08,PR-0098,CAPACITY_MARCH_2026.xlsx,EDIT
2026-03-24,15:47:33,PR-0122,ROUTE_IT_PL_Q1_2026.pdf,VIEW
2026-03-24,16:05:30,BR-0204,ROUTE_DE_PL_Q1_2026.pdf,VIEW
2026-03-24,21:03:44,PR-0122,ROUTE_CZ_SK_Q1_2026.pdf,VIEW
2026-03-24,23:12:04,BR-0312,DRIVER_SCHEDULE_WK13.xlsx,EDIT
2026-03-25,08:55:19,PR-0114,CAPACITY_MARCH_2026.xlsx,VIEW
2026-03-25,09:05:41,BR-0334,ROUTE_DE_PL_Q1_2026.pdf,VIEW
2026-03-25,09:20:33,BR-0204,ROUTE_CZ_SK_Q1_2026.pdf,VIEW
2026-03-25,09:21:14,BR-0204,ROUTE_AT_HU_Q1_2026.pdf,VIEW
2026-03-25,09:44:07,BR-0291,DRIVER_SCHEDULE_WK13.xlsx,VIEW
2026-03-25,10:05:22,BR-0291,ROUTE_IT_PL_Q1_2026.pdf,VIEW
2026-03-25,10:19:08,PR-0122,ROUTE_IT_PL_Q1_2026.pdf,VIEW
2026-03-25,11:30:44,PR-0098,DRIVER_SCHEDULE_WK12.xlsx,VIEW
2026-03-25,12:02:17,BR-0334,CAPACITY_MARCH_2026.xlsx,VIEW
2026-03-25,13:17:33,BR-0188,INSURANCE_Q1_TEMPLATE.docx,EDIT
2026-03-25,14:02:18,PR-0114,CAPACITY_MARCH_2026.xlsx,EDIT
2026-03-25,14:44:55,BR-0312,DRIVER_SCHEDULE_WK13.xlsx,VIEW
2026-03-25,16:44:08,BR-0204,DRIVER_SCHEDULE_WK13.xlsx,VIEW
2026-03-25,19:55:02,PR-0122,ROUTE_IT_PL_Q1_2026.pdf,VIEW
2026-03-25,22:14:09,BR-0291,ROUTE_IT_PL_Q1_2026.pdf,EXPORT
2026-03-25,23:41:17,BR-0312,DRIVER_SCHEDULE_WK13.xlsx,EDIT
2026-03-26,08:40:22,PR-0114,CAPACITY_MARCH_2026.xlsx,VIEW
2026-03-26,09:12:33,BR-0204,ROUTE_DE_PL_Q1_2026.pdf,VIEW
2026-03-26,09:44:05,BR-0334,ROUTE_CZ_SK_Q1_2026.pdf,VIEW
2026-03-26,09:55:14,BR-0291,DRIVER_SCHEDULE_WK13.xlsx,VIEW
2026-03-26,10:30:07,BR-0188,INSURANCE_Q1_TEMPLATE.docx,VIEW
2026-03-26,11:14:22,BR-0204,ROUTE_CZ_SK_Q1_2026.pdf,VIEW
2026-03-26,20:14:38,PR-0122,ROUTE_DE_PL_Q1_2026.pdf,VIEW
2026-03-27,09:05:44,BR-0204,ROUTE_CZ_SK_Q1_2026.pdf,VIEW
2026-03-27,09:12:07,BR-0291,ROUTE_IT_PL_Q1_2026.pdf,ACCESS_DENIED
2026-03-27,09:14:33,BR-0204,ROUTE_IT_PL_Q1_2026.pdf,ACCESS_DENIED
2026-03-27,09:18:55,BR-0334,ROUTE_IT_PL_Q1_2026.pdf,ACCESS_DENIED
2026-03-27,09:22:41,PR-0122,ROUTE_IT_PL_Q1_2026.pdf,ACCESS_DENIED
2026-03-27,10:14:55,PR-0098,CAPACITY_MARCH_2026.xlsx,VIEW
2026-03-27,11:22:08,BR-0255,ROUTE_IT_PL_Q1_2026.pdf,VIEW

What is the employee ID of the person who sent the anonymous email? BR-0312

cat transeuro_data/employees.csv
employee_id,role,office,hometown,email
BR-0188,Finance & Compliance,Brno,Brno,br0188@transeuro-log.cz
BR-0204,Route Planner,Brno,Zlín,br0204@transeuro-log.cz
BR-0255,IT Systems,Brno,Brno,br0255@transeuro-log.cz
BR-0291,Route Planner,Brno,Králice nad Oslavou,br0291@transeuro-log.cz
BR-0312,Dispatch Operator,Brno,Olomouc,br0312@transeuro-log.cz
BR-0334,Route Planner,Brno,Brno,br0334@transeuro-log.cz
BR-0341,HR & Administration,Brno,Kuřim,br0341@transeuro-log.cz
OS-0047,Senior Driver,Ostrava,Ostrava,os0047@transeuro-log.cz
OS-0061,Dispatch Operator,Ostrava,Opava,os0061@transeuro-log.cz
OS-0078,Driver,Ostrava,Frýdek-Místek,os0078@transeuro-log.cz
OS-0084,Logistics Coordinator,Ostrava,Karviná,os0084@transeuro-log.cz
PR-0098,Logistics Coordinator,Prague,Plzeň,pr0098@transeuro-log.cz
PR-0114,Logistics Coordinator,Prague,Prague,pr0114@transeuro-log.cz
PR-0122,Route Planner,Prague,Kladno,pr0122@transeuro-log.cz
PR-0139,Finance & Compliance,Prague,Prague,pr0139@transeuro-log.cz

What is the employee ID of the employee responsible for leaking the shipment details? BR-0291

What is the leaker's full name? Radovan Blšťák

Searched on epieos.com.

Conclusion:

The investigation came together through three evidence streams. Email header analysis of Exhibit A identified the originating IP as a Mullvad VPN exit node, and the User-Agent revealed K-9 Mail on Android — pointing to a mobile sender trying to stay anonymous. Cross-referencing the access log with employee records identified BR-0312 (Dispatch Operator, Brno) as the whistleblower. The actual leak came from BR-0291, a Route Planner who exported ROUTE_IT_PL_Q1_2026.pdf at 22:14:09 on March 25th — the night before departure — outside of business hours, with no legitimate reason to do so. OSINT via epieos.com confirmed the full identity. The room is a solid reminder that insider threat investigations live or die on log analysis and the ability to correlate behaviour across datasets.
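
The log correlation described in the conclusion, as an added Python example (not the author's own method): it scores each access event for off-hours activity, egress actions and actions that occur only once in the log, then joins the role from the staff file. The 07:00 to 18:00 office hours and the choice of EXPORT as the egress action are assumptions; the rows are a subset of the listings above.

```python
import csv
import io
from collections import Counter
from datetime import time

# Rows copied from the access_log.csv and employees.csv listings on this page
# (a subset, to keep the example short).
ACCESS_LOG = """\
date,time,employee_id,file,action
2026-03-24,07:11:03,BR-0291,ROUTE_IT_PL_Q1_2026.pdf,AUTH_FAILED
2026-03-24,09:51:07,BR-0291,ROUTE_IT_PL_Q1_2026.pdf,VIEW
2026-03-24,10:04:17,BR-0334,ROUTE_IT_PL_Q1_2026.pdf,VIEW
2026-03-24,21:03:44,PR-0122,ROUTE_CZ_SK_Q1_2026.pdf,VIEW
2026-03-24,23:12:04,BR-0312,DRIVER_SCHEDULE_WK13.xlsx,EDIT
2026-03-25,10:05:22,BR-0291,ROUTE_IT_PL_Q1_2026.pdf,VIEW
2026-03-25,14:44:55,BR-0312,DRIVER_SCHEDULE_WK13.xlsx,VIEW
2026-03-25,19:55:02,PR-0122,ROUTE_IT_PL_Q1_2026.pdf,VIEW
2026-03-25,22:14:09,BR-0291,ROUTE_IT_PL_Q1_2026.pdf,EXPORT
2026-03-25,23:41:17,BR-0312,DRIVER_SCHEDULE_WK13.xlsx,EDIT
"""
EMPLOYEES = """\
employee_id,role,office
BR-0291,Route Planner,Brno
BR-0312,Dispatch Operator,Brno
BR-0334,Route Planner,Brno
PR-0122,Route Planner,Prague
"""

# Assumptions (the page defines neither): office hours, and which actions
# move a file out of the route planning system.
WORK_START, WORK_END = time(7, 0), time(18, 0)
EGRESS_ACTIONS = {"EXPORT"}


def triage(log_csv, staff_csv, day=None):
    """Return flagged events, highest score first, each with its reasons."""
    roles = {r["employee_id"]: r["role"] for r in csv.DictReader(io.StringIO(staff_csv))}
    rows = list(csv.DictReader(io.StringIO(log_csv)))
    action_counts = Counter(r["action"] for r in rows)
    flagged = []
    for r in rows:
        if day and r["date"] != day:
            continue
        reasons = []
        if not (WORK_START <= time.fromisoformat(r["time"]) < WORK_END):
            reasons.append("off_hours")
        if r["action"] in EGRESS_ACTIONS:
            reasons.append("egress")
        if action_counts[r["action"]] == 1:
            reasons.append("rare_action")
        if reasons:
            flagged.append({**r, "role": roles.get(r["employee_id"], "UNKNOWN"),
                            "reasons": reasons})
    # More independent reasons first; ties keep chronological order.
    return sorted(flagged, key=lambda e: (-len(e["reasons"]), e["date"], e["time"]))
```

Off-hours access alone flags several ordinary late sessions; it is the combination with an egress action that isolates a single row.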