Respond

The takeover that uncovered three months of chaos

Distinguishing sabotage from incompetence after an international acquisition

Categories of conduct identified
3
Of downtime explained
3 months
Forensic workstreams completed
4

The situation

An Australian company completed the acquisition of a foreign-based website and application with a substantial user base. Shortly after the acquisition, the new owners observed strange behaviours across the platform and made the decision to take the site offline. They engaged NDF on an emergency basis to determine what had happened and whether the issues were the result of deliberate interference or operational mismanagement.

Details in this case study have been altered to protect client confidentiality. The core facts, forensic methodology, and outcomes are accurate.

What we found

Our investigation uncovered a tangled picture. Previous staff had emailed customers directly, claiming the platform was shutting down. Poorly qualified consultants brought in before the acquisition had caused an email outage and partial website downtime that persisted for approximately three months. The situation involved a mix of poor management decisions, potential negligence, and questions around possible malicious conduct or embezzlement.

How we responded

NDF conducted a multi-stream forensic investigation covering:

  • Source code analysis to examine credit card processing connections and identify any unauthorised modifications
  • Cloud infrastructure review, analysing Docker containers deployed in AWS to establish the operational state of the platform
  • Domain and DNS investigation, tracing domain name record changes to understand how control of the platform had shifted
  • Personnel interviews to establish timelines and intent behind key decisions

Each workstream was designed to distinguish between three categories of conduct: poor management, negligence, and deliberate malicious action.

The outcome

NDF provided the acquiring company with a clear, evidence-based picture of what had occurred during and after the transition period. The investigation distinguished between actions that were incompetent, those that were negligent, and those that warranted further scrutiny as potentially malicious. This enabled the company to make informed decisions about remediation, personnel, and any legal steps required.

Lessons for similar organisations

  • Due diligence must extend to technical operations. Acquiring a digital platform means inheriting its technical decisions, staff conduct, and infrastructure state. Forensic-grade technical review should be part of any acquisition involving technology assets.
  • Separate intent from outcome. When systems fail after a transition, the cause is not always malicious. A structured forensic approach prevents costly assumptions and ensures any legal action is built on evidence.
  • Act quickly when anomalies appear. The acquirer’s decision to take the site offline and engage forensic specialists immediately preserved evidence that might otherwise have been lost.