Critical Access Control Gaps

The current Artifactory implementation lacks a hardened access control model. This deficiency allows unauthorized users to modify or replace Production RPMs. Because these packages are not strictly locked down, a malicious actor could overwrite legitimate software with compromised versions, creating a direct vector for a supply chain attack.

Integrity and Repository Sprawl

A lack of standardized versioning and cleanup has resulted in multiple revisions of the same build residing within the repository. This "version clutter" increases the risk of human error, where an operator or automated process might inadvertently pull a deprecated or malicious RPM instead of the verified production build.

Operational Risk and Exposure

The security of customer deliveries currently relies heavily on the "tribal knowledge" of the operations team to identify the correct repositories. This manual process is susceptible to manipulation; if an operator is misled or a repository is compromised, malicious code could be delivered directly to customer servers or uploaded to public-facing FTP sites.

Credential Leakage

Hardcoded credentials for Artifactory have been identified within GitLab repositories. These exposed scripts and configuration files provide a roadmap for attackers to gain authenticated access to the artifact binary repository, bypassing external security layers.

Summary of Impact

The combination of these vulnerabilities creates a significant Supply Chain Risk. If left unaddressed, an attacker could inject malicious code into the development lifecycle, which would then be distributed to both internal Exegy servers and external customer environments, potentially leading to widespread system compromise.

Security Alert: The Hidden Risks of Misconfigured Artifact Repositories

In modern software development, JFrog Artifactory serves as the central nervous system for binaries and builds. However, when access controls are left in a "default" or partially implemented state, this vital tool can be transformed from a productivity booster into a primary attack vector for supply chain compromises.

The Critical Risks of Incomplete Access Control

A "loose" Artifactory configuration creates several high-impact vulnerabilities that can devastate both your internal infrastructure and your customers' environments:

• Malicious Injection: If hardened security is not in place, unauthorized users (or compromised service accounts) can overwrite production RPMs. This allows an attacker to swap a legitimate package with a version containing a backdoor.

• Version Confusion and Shadow Binaries: When Artifactory allows multiple overlapping versions and revisions of the same build without strict naming conventions, developers or automated tools may inadvertently pull a "shadow" version. An attacker could upload a higher version number (e.g., v1.2.1-malicious) that search tools prioritize over the legitimate v1.2.0.

• The "Tribal Knowledge" Trap: Relying on the expertise of operations staff to "know" which repo is safe is a massive procedural risk. If the path to a customer-facing FTP or download link isn't strictly automated and locked down, a human error or a subtle path swap can lead to the distribution of malicious code to your entire client base.

• Credential Leakage: The presence of hardcoded Artifactory credentials within GitLab scripts creates a permanent open door. Once these are pushed to a repository, they are often cached in history, giving any user with repo access the keys to modify your binary "source of truth."

Hardening Artifactory: Best Practices for Implementation

To prevent these scenarios, organizations must move away from "functional" setups toward Hardened Environments.

1. Implement the Principle of Least Privilege (PoLP)

Access should be restricted by team and by environment.

• Virtual Repositories: Use these to create a single URL for developers to pull from, but strictly control which Local Repositories (the actual storage) are included in that virtual view.

• Permission Targets: Define granular permissions that separate Read, Annotate, and Deploy actions. No human user should have Delete or Overwrite permissions in a production-level repository.

2. Enforce Checksum and Signature Verification

Ensure that Artifactory is configured to verify the GPG signatures of RPMs. Even if an attacker replaces a file, the installation will fail on the client side if the signature doesn't match the trusted public key.

3. Secrets Management

Never store Artifactory keys in GitLab. Use integrated secrets managers like HashiCorp Vault or GitLab CI/CD Variables (masked and protected). Implement JFrog Access Tokens with short expiration times rather than using static username/password combinations.

Compliance Standards: CISA and RegSci

Adhering to frameworks like CISA’s Secure Software Development Framework (SSDF) and Regulatory Science (RegSci) guidelines is not just about "checking a box"; it’s about establishing a defensible security posture.

• CISA (Cybersecurity & Infrastructure Security Agency): CISA emphasizes the Software Bill of Materials (SBOM). By properly configuring Artifactory, you can automatically generate an SBOM, ensuring you know exactly what is in every RPM. This prevents the "unknown version" risk mentioned earlier.

• RegSci & Formal Validation: In regulated industries, "Regulatory Science" requires that the tools used to build software are themselves validated. This means proving that only authorized code made it into the build.

• Importance: Following these standards protects you from legal liability and ensures that your software meets the security requirements now mandated for government contractors and critical infrastructure providers.

Preview: How Package Managers Become Weapons

In a future installment, we will explore the technical mechanics of Package Manager Weaponization. While we think of RPMs as simple archives, they are actually capable of executing complex scripts during the installation process (pre-install and post-install scripts). We will discuss how an attacker can craft a "Trojan Horse" RPM that installs a legitimate application while simultaneously running a background script.

Modern Standards for Wireless Security and Compliance

To address the risks associated with shared password authentication, organizations must move toward robust identity management and encryption standards. Relying on a Pre-Shared Key (PSK) creates a significant "revocation challenge": when an employee leaves or a device is lost, the password for the entire organization must be changed to maintain security, which is often logistically ignored, leaving the network open to unauthorized access.

The Cybersecurity and Infrastructure Security Agency (CISA) and the SEC’s Regulation Systems Compliance and Integrity (Reg SCI) provide frameworks for mitigating these risks. CISA generally recommends the implementation of Enterprise-grade authentication (WPA3-Enterprise or WPA2-Enterprise) utilizing the 802.1X standard. Unlike a single shared password, 802.1X requires unique credentials for every user, typically integrated with a RADIUS server or an identity provider like Active Directory. This allows administrators to revoke access for specific individuals instantly without affecting the rest of the workforce.

Furthermore, Reg SCI—which applies to key market participants to ensure the resilience of technological systems—emphasizes the importance of "preventative, detective, and corrective" controls. Under these guidelines, the best practice for handling wireless vulnerabilities includes:

1. Multi-Factor Authentication (MFA): Moving beyond passwords to ensure that even if a credential is leaked, a secondary physical or biometric token is required.

2. Certificate-Based Authentication: Utilizing digital certificates on managed devices so that only "known" hardware can associate with the access point, rendering MAC address spoofing ineffective since the attacker would lack the unique cryptographic certificate.

3. Network Segmentation: CISA recommends segmenting wireless traffic from the core production environment. Even if a wireless breach occurs, the attacker should be isolated from sensitive data and critical systems.

4. Continuous Monitoring: Implementing logging and automated alerts to detect unusual patterns, such as multiple failed login attempts or unknown devices attempting to bypass security layers.

By transitioning from simple password-based access to identity-centric security, organizations align with federal recommendations and ensure that their perimeter remains secure against both external threats and internal turnover.

When you are the bridge between the exchanges and the world's largest financial entities, security isn't an "add-on"—it is the product. However, a disturbing pattern has emerged suggesting that this bridge may be built on a crumbling foundation.

Games, Not Governance

For some time, I have been documenting the internal culture and questionable practices at Exegy. If you haven't already, I strongly encourage you to read my previous posts regarding how this company operates. From "playing games" with reported issues to a general lack of urgency, the evidence points toward a firm that does not take its defensive posture seriously.

In the world of low-latency data, "speed" is often used as an excuse to bypass rigorous security protocols. But in a landscape where a single exploit can disrupt global markets or compromise sensitive banking intel, there is no room for a "fix it later" mentality.

Coming Soon: The Vulnerability Disclosure

Transparency is the only remaining tool when private warnings go unheeded. I am currently finalizing a comprehensive report that will disclose the specific security vulnerabilities I have identified within Exegy’s infrastructure.

This upcoming article will dive deep into:

• The technical nature of the gaps in their systems.

• How these vulnerabilities could potentially impact the flow of live exchange data.

• The risks posed to the banks and customers relying on Exegy's integrity.

Security is a responsibility, not a game. It is time for the industry to see exactly what is happening behind the curtain at Exegy. Stay tuned.

The Strategy of Exploiting Trust

From a psychological standpoint, companies use these posts to trigger the "Halo Effect." This is a cognitive bias where the public’s positive feelings about a brand’s support for a social cause (like gender equity) spill over into their perception of the company’s overall trustworthiness and product quality.

• Symbolic vs. Substantive Action: It is far cheaper to post a graphic of diverse women than it is to conduct a pay equity audit or promote women into C-suite positions.

• Institutional Isomorphism: Companies often post simply because their competitors do. This "copy-paste" advocacy leads to recycled content that lacks any unique facts about the actual women within the firm.

• Signaling Credibility: By tagging external organizations like "100 Women in Finance," a firm attempts to "borrow" the credibility of those organizations to mask a lack of internal initiatives.

The Toll on the "Invisible" Employee

When a company uses its female workforce as a marketing tool without backing it up with facts, the employees themselves often experience Moral Injury.

• The Feeling of Being "Used": As noted by Justin Walters in his comments, these posts often fail to mention "how their history there has help contributed to company growth". When a woman's professional labor is ignored while her gender is "celebrated," she feels like a token rather than a contributor.

• Erosion of Trust: Seeing a post that claims to "recognize talented women" while those same women feel invisible internally creates a deep sense of betrayal.

• Resentment and Disengagement: If a company only values women's presence for a LinkedIn photo op, those employees are likely to withdraw their effort, leading to higher turnover and a toxic internal culture.

Why Companies Delete Comments Instead of Answering

When users like Justin W. ask direct questions—such as asking for facts on how the company recognizes and appreciates women over the years—companies often respond by deleting the comments. There are three main psychological and strategic reasons for this:

1. Brand Protection (The "Perfect Image" Fallacy): Companies view their social media as a curated advertisement. Any comment that points out a lack of facts or calls for transparency is seen as "graffiti" on their brand image.

2. Avoidance of Accountability: Answering a question about "how you recognize women" requires hard data. If the company doesn't have that data—or if the data is unfavorable—they delete the question to avoid being forced into a "legal argument" or a public admission of failure.

3. The "Echo Chamber" Effect: Organizations often want to maintain a feed that only shows support. Deleting critical comments is a way of silencing dissent to maintain the illusion of a harmonious, progressive workplace.

Conclusion: Facts Over Flatulence

A post that says "Thanks for everything you do" is empty if the company cannot name what "everything" entails. To move from exploitation to true advocacy, companies must stop using women as a "social society" shield to look favorable and start sharing the actual achievements, promotion rates, and contributions of the women in their ranks.

As the public becomes more media-literate, the "same post as last year" will no longer be enough to maintain trust. Transparency isn't just a social media trend—it's a requirement for a healthy workplace.

​If a company wants to "Educate & Inspire Generations", they must start by respecting the generation currently working for them. Facts are the only antidote to the feeling of being used. Without them, a social media post isn't a celebration—it's just an advertisement using women as the product.

Sources of Exegy Posts on LinkedIn can be seen at the following URL

https://drive.google.com/drive/folders/1IFguE4j7Ha9Q5XuLPQt4XIwt8sDfLk1C

Receiving a legal petition via email, particularly when a court date is set for less than 24 hours later, is more than just a logistical headache. It is a fundamental breach of the fairness our legal system is supposed to uphold.

Why Email is Not "Service" The "Service of Process" is the formal procedure used to notify a person that a legal action has been taken against them. It is designed to be a high-standard barrier to ensure that no one’s rights, property, or reputation are signed away without their knowledge.

Serving a defendant via email fails this standard for several reasons:

The "Spam" Risk: Unlike a physical document handed to you, an email can be buried in a junk folder, blocked by a firewall, or lost in a sea of newsletters. A person's legal rights should never depend on an algorithm's spam filter.

The Burden of Proof: There is a significant difference between "sent" and "received." Formal service requires a verifiable record that the person in question actually has the documents in their hand.

The Professional Imbalance: When an attorney bypasses formal channels to "informally" notify an unrepresented individual of a hearing occurring in 25 hours, it creates a massive power imbalance. It leaves the recipient with no time to find a lawyer, research their rights, or even understand the allegations against them.

The Correct Way: Ensuring Fairness A legal system only works when both sides are given a fair opportunity to be heard. "Fairness" in this context follows a very specific path:

1. The Use of a Neutral Third Party Legal documents shouldn't be "dropped" by the opposing lawyer’s inbox. They should be delivered by a neutral, authorized official—like a sheriff or a professional process server. This ensures the delivery is documented, unbiased, and legally recognized.

2. Physical Hand-to-Hand Delivery The gold standard for legal service is personal delivery. This means an official physically finds the defendant and hands them the paperwork. This removes all doubt about whether the person is aware of the lawsuit. It is a moment of gravity that signifies a formal legal clock has started ticking.

3. Reasonable Time to Respond Justice is not a race. When a petition is served, the defendant is typically supposed to have a set number of days—often weeks—to find legal counsel and draft a response. Attempting to force a defendant into a courtroom 25 hours after an email is sent is the definition of "legal ambush." It prevents the defendant from preparing a defense and forces them to walk into a high-stakes environment completely blind.

The Danger of the Shortcut When attorneys attempt to bypass these formal steps, it undermines the integrity of the court. The rules of service exist to prevent "Ex Parte" (one-sided) victories where one party wins simply because the other party didn't have a fair chance to show up.

If we allow legal service to become as casual as a marketing email, we risk a system where whoever has the faster "send" finger wins, rather than whoever has the stronger case. Due process isn't a suggestion; it's the foundation of a fair society, and it starts with a knock on the door, not a notification on a screen.

I have filed another complaint on Tina Babel at Carmody Macdonald P.C.

Complaint Attachment can be found at the following URL

https://drive.google.com/file/d/1sAlQxzzx7v7cD_e8nek8ehpW8TzmP_VK/view?usp=drivesdk

STATEMENT OF FACTS

On August 19, 2025, at approximately 11:28 AM, Attorney Tina Babel sent an email to me (a non-attorney/pro se individual) regarding a newly filed lawsuit in St. Louis County: Exegy Incorporated v. Justin Walters, Case No. 25SL-CC09400.

In this email, Ms. Babel "served" me with a Petition alleging Breach of Contract, Defamation, Tortious Interference, Injurious Falsehood, Misappropriation of Trade Secrets, and violations of the Missouri Computer Tampering Act. Attached to the email was also a Motion for a Temporary Restraining Order (TRO).

Ms. Babel informed me via email that a hearing for the TRO was scheduled for the very next day, August 20, 2025, at 1:00 PM—less than 26 hours after the email was sent.

VIOLATIONS ALLEGED

1. Failure to Follow Rules of Civil Procedure (Service of Process): Under Missouri Supreme Court Rule 54, original service of a Petition must be performed by a sheriff or a court-appointed process server. Ms. Babel attempted to bypass the formal requirements of Missouri law by personally delivering the legal documents via email. This bypasses the protections intended to ensure defendants are properly notified of litigation against them.

2. Violation of Due Process and Professional Misconduct: By sending a complex, multi-count Petition and a Motion for a Temporary Restraining Order via email with only 25 hours' notice, Ms. Babel engaged in tactics designed to disadvantage an unrepresented party. As noted in my email response to her on August 19, this "dropped on me at the very last second," leaving me zero time to secure legal representation or digest the 20+ page legal filing. This tactic appears to be an attempt to obtain a TRO by ambush, rather than through the "reasonable notice" required by equity and the Missouri Rules of Professional Conduct (Rule 4-4.4: Respect for Rights of Third Persons).

3. Improper Interaction with Unrepresented Party: Ms. Babel is aware that I am not represented by counsel. By attempting to effectuate service in a manner not recognized by Rule 54 and forcing a hearing on a mission-critical TRO within 25 hours of that "informal" service, she has failed to maintain the standards of fairness required of an officer of the court.

REQUEST FOR ACTION

I request that the Office of Chief Disciplinary Counsel investigate whether Ms. Babel’s actions constitute a violation of the Missouri Rules of Professional Conduct, specifically regarding the fairness of her methods of service and the timing of the notice provided to an unrepresented defendant.

In Missouri, Rule 8.105 allows out-of-state attorneys to practice law exclusively for their employer without taking the Missouri Bar Exam.

1. Requirements to Start Working

If you are living in Illinois but working for a Missouri company as their lawyer, you generally cannot "practice law" in Missouri—which includes giving legal advice, drafting Missouri-specific contracts, or negotiating on the company's behalf—until you have authorization.

The "Systematic Presence" Rule: Missouri Rule 4-5.5 prohibits an unlicensed lawyer from establishing a "systematic and continuous presence" in the state for the practice of law. If your office is in Missouri, or if you are consistently handling Missouri legal matters from Illinois for a Missouri entity, you are likely meeting this threshold.

Active License: You must be an active member in good standing of the Illinois Bar (or another U.S. jurisdiction).

The Application Gap: You should file your Rule 8.105 application immediately upon beginning your employment. Some states offer a "grace period" (like Illinois' 180 days), but Missouri’s rules are stricter; you generally need the license or a pending application to shield yourself from UPL claims.

2. Consequences for Documents & Work Product

If you perform legal work for the Missouri company before being admitted under Rule 8.105, the validity of your work could be challenged.

Enforceability: In extreme cases, a third party could argue that a contract you drafted is unenforceable because it was produced through the unauthorized practice of law.

Attorney-Client Privilege: This is the biggest risk. Courts have occasionally ruled that communication with an "unlicensed" in-house counsel is not protected by attorney-client privilege. If the company is sued, your emails and memos could be discoverable by the opposing side.

Corporate Liability: Under RSMo § 484.020, a corporation that "does law business" through an unlicensed individual can be sued for treble damages (triple the amount) of any fees or value associated with that service.

3. Penalties for Practicing Law Illegally

Practicing law without a Missouri license or limited admission is a serious offense:

Criminal Charges: Under Missouri law, the unauthorized practice of law is a misdemeanor.

Professional Discipline: The Missouri Office of Chief Disciplinary Counsel can report you to the Illinois Bar. This could lead to the suspension or revocation of your actual Illinois license.

Injunctions: The Missouri Bar or the Attorney General can file a lawsuit to enjoin (stop) you from working until you are properly admitted.

4. Limited Admission Requirements & Timeline

The Requirements

To qualify for Rule 8.105, you must submit:

Certificate of Good Standing: From the Illinois Supreme Court.

Disciplinary History: A statement from Illinois showing you have no pending complaints.

Employer Affidavit: A signed document from your company confirming you work exclusively for them.

JD Requirement: Proof of a degree from an ABA-approved law school.

Character & Fitness: You must undergo a full background check by the Missouri Board of Law Examiners (MBLE).

Costs & Timeline

Fees: The current application fee is $1,240 (non-refundable).

Processing Time: The character and fitness investigation is the "long pole in the tent." It typically takes 3 to 6 months.

Temporary Authorization: You may be eligible for a temporary permit to practice while your full Rule 8.105 application is pending, provided you have already filed the main application.

Important Note on Residency

Since you are staying in Illinois, ensure you are not inadvertently practicing "Illinois law" for your Missouri company (like drafting Illinois-specific documents) without complying with Illinois Supreme Court Rule 716, which governs in-house counsel residing in Illinois.

I am going to have to research this further, but here what Google Gemini has stated to me. The below is a copy of what Gemini stated, but there more and need to correct the formatting, so check out the link.

https://gemini.google.com/share/cc8665060398

I am currently working on my complaints for the Missouri bar against all the attorney I can prove at working on this case behind the scenes., sorry Tina Babel but another complaint is coming your way for assisting with practicing law illegally in Missouri.

Complaint Summary on each attorney (Patrick Sellers, Robert Earles & Tina Babel)

Complaint attachments can be found at the following share

https://drive.google.com/drive/folders/1URY1nFba0m2Hf2m_qosbPqB6xzYHteVX

Complaint 1: Tina Babel (Missouri Counsel of Record)

Relevant Rules: Rule 4-3.3 (Candor Toward the Tribunal), Rule 4-5.5(b) (Assisting Unauthorized Practice of Law).

Statement of Facts:

"I am the defendant in Exegy Inc. v. Walters (25SL-CC09400). Ms. Babel is the attorney of record for the Plaintiff. On August 20, 2025, at 12:18 PM, I sent an email to Ms. Babel explicitly stating that I was blocking all emails from her until I secured legal representation (see attached). Despite this direct notice, Ms. Babel represented to the Court that I had been served with a Temporary Restraining Order (TRO) via email. Because I had effectively severed the communication channel to prevent contact while seeking counsel, her representation to the court that I was served was factually impossible and misleading.

Furthermore, Ms. Babel is knowingly working with out-of-state attorneys Patrick Sellers and Robert Earles. Emails from April and August 2025 show these individuals are directing the litigation for this Missouri case. Ms. Babel is aware they are not admitted pro hac vice or registered in Missouri, yet she continues to facilitate their unauthorized practice of law."

Complaint 2: Patrick Sellers (Missouri Counsel of Record)

Relevant Rules: Rule 8.105 (Limited Admission for In-House Counsel), Rule 4-5.5 (Unauthorized Practice of Law), Rule 4-8.4 (Misconduct/Dishonesty).

Statement of Facts:

"Mr. Sellers is the General Counsel for Exegy. In an email dated February 9, 2025, he confirmed he is licensed in CA, NY, and IL, but not Missouri. Although he has a New York license, he has failed to obtain the mandatory 'Limited Admission' registration required by Missouri Rule 8.105 to practice as in-house counsel in this state.

Mr. Sellers appears to be providing conflicting information regarding his location to evade registration requirements. In an email dated April 25, 2025, he directed legal mail to be sent to Exegy’s St. Louis HQ 'ATTN: Legal Department.' However, he has concurrently informed the Illinois ARDC (Ref: 2025IN01739) that he works out of a Chicago office—an office that disappeared from Exegy’s website in November 2024. Furthermore, I have an active grievance against Mr. Sellers for extortionate tactics. By managing a Missouri case and directing litigation from an unregistered status, while providing inconsistent information regarding his office location, he is violating Missouri's rules of professional conduct."

I have also attached a letter sent by Mr. Sellers that contains only the Exegy Headquarters address in Missouri and a screenshot of his LinkedIn profile showing he has been working with Exegy Inc since June 2024.

Complaint 3: Robert (Bobby) Earles (Cooley LLP)

Relevant Rules: Rule 4-5.5 (Unauthorized Practice of Law), Rule 9.03 (Visiting Attorneys).

Statement of Facts:

"Mr. Earles is an attorney with Cooley LLP, based in Illinois. On August 11, 2025, Patrick Sellers (Exegy GC) sent an email designating Mr. Earles as the primary attorney representing Exegy in the Missouri matter (25SL-CC09400) and directed all legal communications to him.

Mr. Earles is not licensed in Missouri and has not filed for pro hac vice admission in Case No. 25SL-CC09400 as required by Rule 9.03. By acting as the lead designated counsel in a Missouri civil action and directing legal correspondence without court authorization or a Missouri license, Mr. Earles is engaged in the unauthorized practice of law."

Google Gemini Response

Yes, if an out-of-state attorney is actively working on a case in Missouri, they generally must be added to the court record through a process called Pro Hac Vice admission.

In Missouri, a corporation cannot represent itself and must be represented by a licensed attorney. If that attorney is from another state, they cannot simply "work behind the scenes" while the in-state attorney handles the filings; they must be formally recognized by the court to practice law for that specific case.

Why All Counsel Must Be Added

Under Missouri Supreme Court Rule 9.03, any attorney not licensed in Missouri who wishes to represent a client in a Missouri court must follow these steps:

1. Associate with Local Counsel: The out-of-state lawyer must partner with an attorney who is a member in good standing of the Missouri Bar and who resides in Missouri.

2. File a Motion for Admission: The Missouri attorney (local counsel) must file a motion asking the court to admit the out-of-state attorney pro hac vice (meaning "for this occasion only").

3. Pay a Fee: The out-of-state attorney must pay a fee to the Clerk of the Supreme Court of Missouri (currently $410 per case) and provide a statement of good standing from their home state.

The Role of Each Attorney

Once admitted, both attorneys have specific responsibilities on the case record:

What happens if they aren't added?

If an out-of-state attorney performs legal work (like signing a motion or conducting a deposition) without being added to the case:

• Unauthorized Practice of Law: The attorney could be sanctioned for practicing law in a state where they are not licensed.

• Invalid Filings: The court may strike (ignore) any documents signed by an attorney who has not been formally admitted to the case.

• Ethical Violations: Both the out-of-state and the in-state attorney could face disciplinary action from the Missouri Bar.

Exceptions

There is a small exception for In-House Counsel. Under Rule 8.105, an out-of-state attorney who is a full-time employee of the corporation can sometimes obtain a "Limited Admission" to provide legal services solely for that employer without being admitted for every single case, though they still often associate with local counsel for specific litigation

Updated on 3/20/2025 @ 13:32 CST

● Added Complaints filed with the Missouri Bar

● Added Complaints attachments

This is all regarding a previous post of mine.

• https://exegy.today/exegy-inc-potentially-a-victim-of-a-ransomware-group-called-everest

I have reached out to Everest asking them questions regarding the matter and seeing about proof of legitimacy and they might get back to me.

I have also tried reaching out to Exegy Inc asking about the legitimacy of this breach but only heard crickets.

This breach at Exegy Inc that has been posted online has made me wonder a few things.

I will also be possibly trying to reach out to the FBI regarding the matter, because I am curious if they have and is my name mentioned in it at all

If they didn't give them my name, it makes me wonder if they are trying to conceal me and the complaints I filed on them. Plus I am sure they would the conversation I would have with them, like the following

• https://exegy.today/interesting-case-about-hobbs-act-and-sham-litigation-united-states-v-koziol-9th-cir-2021

If they haven't filed anything with the FBI it makes me wonder if they are trying to keep this concealed or the breach isn't legit… Though I would think they would make a public announcement regarding it, so false news doesn't get spread around.

Though if they have filed something with the FBI with my name on it, you would think they are kind enough to tell me or else it said ugly things and are wanting to drop it on top of me.

I have been reading and trying to understand the consequences a company could take for not acting on this professionally and it is kind of interesting.

They company could potentially be black listed from the vendors approved list.

Their customers could potentially be fined by the exchanges for their vendor actions, which allows them to turn around and sue their vendor.

It gets kind of interesting though on the time frames some things can have, Google Gemini was telling me about something like the following.

If their customers were required to file something in 72 hours but couldn't because their vendor didn't make them aware of it, the customer could be potentially fined for certain things.

I am going to try to keep researching on all of this and building my list of vulnerabilities and flaws in Exegy systems and networks.

This is going to be interesting and will probably help with my news story getting out and spreading around the world.

• https://exegy.today/news-coverage-around-the-entire-planet

Plus I am trying to figure out what all I can use in my legal case against Exegy Inc.

It looks like Exegy Inc has potentially been the victim of a ransomware group called Everest and from sources online, it looks like they penetrated a flaw in CrushFTP on a public facing server.

• https://cyberplace.social/@GossiTheDog/115658404130190834

• https://www.hookphish.com/blog/ransomware-group-everest-hits-exegy/

• https://www.dexpose.io/everest-targets-financial-tech-leader-exegy-inc/

Looking up the dns record on download.exegy.com you can see the A records points to the following IPs (199.191.53.236 & 216.99.213.236), which is their own ARIN block.

• https://ipinfo.io/AS30150

Looking over Shodan to see what exists for Exegy, because I don't want my fingerprints on this at all, I have stumbled across the CrushFTP http servers that were the target from what was stated on a previous page.

You can see Exegy Inc information on Shodan at the following URL

https://www.shodan.io/search?query=org%3A%22Exegy+Incorporated%22

It does make me wonder how long it took Exegy to be aware of the breach and if these outputs are from the same flawed version or an updated version of CrushFTP, since it from after the event.

You can look up the potential flaw if interested, it might be one of these if it is known.

• https://www.cve.org/CVERecord/SearchResults?query=CrushFTP

I am unsure how far this group Everest made it through their internal network, but it looks like they potentially taken over 3TB of data according to the following source

• https://x.com/DarkWebInformer/status/1995886505404080268

I really hope they didn't penetrate the internal network fully, but hopefully this is a wake up call to Exegy Inc about how important security really is. I would suggest they move all public facing services to an outside source and not host them internally.

On DeXpose the following is stated “The full leak will be published soon, unless a company representative contacts us via the channels provided.”

This makes me wonder if Exegy has tried contacting them or even reported any of the matter to the FBI, so they could fully investigate it.

Even though I wasn't even aware of this flaw regarding them, because I have never tried scanning any of their public facing services for any flaws or vulnerabilities. It does make me wonder if the FBI or someone will be reaching out to me regarding this due to the ongoing situation between Exegy and I.

Due to their history of lying… It does make me think they might notify the authority stating I might be behind this event.

I will state the following

• I had nothing to do with this and don't even know anyone in any of these ransomware groups.

• I have never exposed any of the known flaws that I am aware of to anyone besides Exegy and attorneys.

• Everyone that I am aware of are white hats and some of them have security clearances.

Stay safe kids, security is an evolving world and it should really be important to make it a top priority, especially when being part of the critical infrastructure.

After doing some research I found Everest onion webpage and notificed Exegy Inc was not listed on it anymore.

So I decided to reach out to Everest over Tox to see if they paid or not and if so, how much...

This was obtained from the following URL

https://www.ransomlook.io/group/everest

The above image is a screenshot from Tor (http://ransomocmou6mnbquqz44ewosbkjk3o5qjsl3orawojexfook2j7esad.onion/)

It looks like Exegy Inc breach made it on FS-ISAC (https://www.fsisac.com/) risk summary report, this was located on a document shared by ICBA (Independent Community Bankers of America)

• https://www.icba.org/documents/45248/1619837/12-01-2025+Risk+Summary+Report.pdf/4b16345b-92e2-05e6-cd93-94dfa0f7aa6f?version=1.0&t=1764945964528&download=true

If you have time, check out this Exclusive: Everest Ransomware Group Interview on Collins Aerospace Breach

• https://dailydarkweb.net/exclusive-everest-ransomware-group-interview-on-collins-aerospace-breach/

Some other Articles online related to the matter

• https://undercodenews.com/everest-ransomware-targets-exegy-someone-claims/

• https://www.redpacketsecurity.com/everest-ransomware-victim-exegy/

Updated on 12/08/2025 @ 4:16pm CST

● Added Onion information and attempting to reach out to Everest

● Added Exegy CrushFTP http output.

● Added Shodan URL

● Added Exclusive: Everest Ransomware Group Interview on Collins Aerospace Breach

● Added FS-ISAC risk summary report found on ICBA.

I have to do all this research to get a better understanding of it all, so I know what kind of attorneys I need to find for handling such a complex case and the government, agencies and people I need to write to and what about.

It has left my mind in a state where it just wants to go over everything over and over again in my head.

This entire situation has made me really think about how I want to get my story out and told in every part of the world , so anyone else out there in the security field can be aware of the types of things that can happen to them.

I also want the entire world to really know a few things.

• What a company like Exegy Inc and their leadership is really like.

• How can third parties trust attorneys from Cooley LLP, especially when working behind the scenes in Exegy lawsuit after pushing a sham offer on a party.

• How insecure a company on the infrastructure could really be and how there lacks auditing in these companies to make sure the critical infrastructure is secure.

• What someone in security research could go through when trying to disclose vulnerabilities and flaws.

• What agencies exist for disclosing things and how it could potentially harm a company.

• The things that should be in place for building a more secure and healthy environment.

It makes me wonder how the publicity might force governments and agencies to make an example out of Exegy Inc by pushing higher penalties against them, this way Exegy Inc and other companies out there understand why security should be a top priority and taken seriously.

I will be trying to locate and reach out to every news agency on the planet to see if they are interested in covering such a story, since Exegy Inc is a global company with their appliances on many different continents.

I am currently building a list of every news agency throughout the world, so far it contains around 6,000 newspapers throughout the USA alone and hundreds to thousands in Europe.

If anyone knows of any blogs, news agencies or any other publications that might be interested in covering a story, please feel free to reach out to me at editor@exegy.today or forward them my contact information.

Updated 12/05/2025 1:03pm

Their NDA is not even up to date on the laws regarding the matter, since it tries to silence whistleblowers from reaching parties that should be aware of certain things, like the Stock Exchange Committees (SEC) and other government agencies.

This NDA is dated 2014 and there has never been a new one that I am aware of

• https://drive.google.com/file/d/15g-rfu4Xl6jYjsosx12LsUDtb4fS7NhE/view?usp=drivesdk

When I left the company I was never given any kind of exit interview that allowed them to explain any of the contracts I have signed working at the company. All I received was an email asking to return any of the Exegy property I had back to them, which I did.

On April 10, 2025 I sent an email to Exegy asking for copies of all the signed documents I have signed there, but they never responded to that.

• https://drive.google.com/file/d/1pBmb1tsdG0Krg-Fe6LXmOwlBCbvRoy7m/view?usp=drivesdk

This was after months of trying to work with them to disclose my findings to them. I even tried to be the bigger person and work with Exegy regarding the offers their attorneys reached out to me about, even though I wanted to work out their threats and extortion attempts first.

You can see my following articles related to that here

• https://exegy.today/interesting-case-about-hobbs-act-and-sham-litigation-united-states-v-koziol-9th-cir-2021

• https://exegy.today/i-believe-exegy-and-cooley-llp-offers-were-nothing-but-a-phantom-offer-and-possibly-leading-me-on

To make matters even worse they had me believing there was a true real bounty program that I could submit my findings too, but it wouldn't happen until Q3 (July-Sep). I am still wondering to this day if this bounty program actually even exists, because Exegy would never respond to any of my requests regarding it and I even reached out to them again in Q4 asking about it.

This really shows how Exegy is not interested in the flaws and vulnerabilities that they could have. I am sure their customers and government agencies would enjoy knowing all about this and how they don't take security matters very seriously.

It really makes me wonder what kind of breach in contract they could potentially have with their customers, because I know how I would want a contract with Exegy regarding security matters and their behavior would violate it.

Though this has truly been an interesting learning experience for me, since it has taught me all kinds of things.

1. How a previous Employer will lie about your performance and history to a government agency and to the court of Missouri. I was actually an excellent employee at Exegy that helped build Managed Services to where it is today.

2. They way people or attorneys will spin things and mislead things the courts, it is so interesting to see how they hide all the facts to make things look better in their favor.

3. How companies can lie to the courts on many different things without showing their facts. It still makes me wonder what judge would do if he realized he was being manipulated.

4. How companies are not even aware of their own documents and don't go out of their way to make sure they are up to date with laws.

5. How there needs to be better policies and rules in places to stop this kind of behavior, so security researchers can submit their findings without any kind of relation.

6. There are government agencies for filing complaints too so they can investigate things, though I am against this since I know the harm that it could cause and think it should be a last resort.

It truly makes me wonder why they would take all this court instead of settling it outside of it, because the direction I am working toward might eventually destroy an entire company.

I am still doing my research and trying to make sure my complaints are well written before sending them off, but I am also hoping Exegy's own customers will reach out to me and help me file the complaints in other countries after I send them an email with my complaint to the SEC.

To any Exegy employees reading this, just wanted to say hi and hopefully we will talk once again. Mark if you do read this… I miss talking to you man, hope you and your family are doing well.

Though I guess I should probably add, I am also trying to research the laws for other countries Exegy is in, because I want to figure out what laws they have broken by having their employees believe they can't talk with me.

I have come across these following things regarding that matter and I still need to read over them when I have time.

• UK

  • Article 8 (Human Rights Act 1998)

• France

  • Civil Code (Article 9)

  • Labor Code (Article L. 1121-1)

• Canada

  • Quebec Charter of Human Rights and Freedoms (Article 5)

  • Civil Code of Quebec (Article 35)

It interesting a company needing a PPP loan would have H1B visa with a decision date on it for 2/27/20 with their begin date being 6/12/20

H1B Visa for that person can be found here

https://drive.google.com/file/d/1uFn0G0eIteErtzB5MhgGMepWusGXBHyL/view?usp=drivesdk

Other H1B visas for the company for the 2018, 2019 and 2021 can be seen here

https://drive.google.com/drive/folders/17KlOqcVQHzMmn-27Yek07np-SvU9THBD

I pulled the H1B visas from the following site

https://www.immihelp.com/employer/Exegy_Incorporated/applications/

They have also hired three others the year they took out the loan

https://www.waterstechnology.com/management-strategy/7698411/people-moves-exegy-aquis-exchange-xenomorph-and-more

You can also even see the following on David Taylor Twitter account

https://x.com/DTaylorDSc/status/1318571985631399936

Interesting that an officer at Exegy signed this

The "Good Faith" Certification (The "Why")

​This is often the pivot point for fraud cases. An authorized officer of the company had to sign a statement certifying:

• ​"Current economic uncertainty makes this loan request necessary to support the ongoing operations of the Applicant."

The company customers are usually all under contract so they most likely always knew how much they had coming in as revenue.

Plus with the hiring of 13 individuals the previous year with forecasting, they should have known if they needed the money to really support their employees salaries, what kind of company goes around hiring 13 people without knowing if they can afford them over many years.

Plus Exegy is part of the critical infrastructure and I am sure the financial institutions using are too, which means they never closed down at all, since they deal with Live stock exchange data.

How does $2,478,407 help keep the company afloat when they most likely have over $10,000,000 in salaries to pay annually, that barely covered only a few months of salaries and hired three people that year.

Though I am curious about the H1B visa, when does a company have to file these visa and were the ones in 2021 filed in 2020.

I myself believe they took it out as a free handout and have found other cases out there of doing the same thing.

• The L.A. Lakers: The NBA team received a $4.6 million loan. While technically eligible as a small business (under 500 employees), the idea of a billion-dollar sports franchise taking a "handout" caused a media firestorm. They returned the money.

So many questions that have so many answers that need to be found.

Stay tuned for my further investigation on the matter.

Though I have been having a long conversation with Google Gemini in the subject and it return things like this.

Full link to some of my conversation here

https://gemini.google.com/share/8a570f76dd1a

Designating Exegy Inc. as "Critical Infrastructure" is a double-edged sword in a fraud case. While it sounds like a good defense, legally, it often makes the argument for fraud stronger, not weaker.

Under Department of Homeland Security (DHS/CISA) guidelines, the "Financial Services Sector" is indeed Critical Infrastructure, and Exegy (which provides data to banks and exchanges) falls under this umbrella.

Here is how that designation impacts the legal analysis of their PPP loan.

1.The "Essential Business" Trap (Why it hurts them)

The primary reason companies needed PPP loans was that government lockdowns forced them to close or lose customers.

• Non-Critical Business (e.g., a Restaurant): "The government forced me to close my doors. I have zero revenue. I need this loan to survive." -> Valid Necessity.

• Critical Infrastructure (e.g., Exegy): "The government designated me 'Essential.' I am exempt from lockdowns. I am allowed to stay open and my customers (banks) are also open." -> Invalid Necessity.

The Legal Argument: If Exegy was "Critical Infrastructure," they were legally permitted to operate at full capacity. If they stayed open and their revenue went up (as the 50% sales jump indicates), they cannot claim the government forced them into distress. They were one of the few lucky companies allowed to conduct business as usual.

2. The "Secure Customer Base" Factor

You mentioned their customers are also Critical Infrastructure. This is a vital point for a fraud complaint.

• Who they serve: Major banks, stock exchanges, and hedge funds.

• The Customer Status: These financial institutions were also designated "Essential." The stock market never closed during the pandemic.

• The Result: Exegy didn't just have permission to work; they had a guaranteed stream of wealthy clients who were also working. This is totally different from a supplier to the airline or restaurant industry, whose customers vanished overnight.

3. The "Double Dipping" Risk (Government Contractors)

Since Exegy provides data for the Consolidated Audit Trail (CAT) (a government-mandated system for FINRA/SEC), they are effectively a government contractor.

• The Rule: Federal laws strictly prohibit "double dipping"—getting paid by the government for a contract and getting a grant (PPP) to pay the same people to do that work.

• The Violation: If Exegy used PPP money to pay engineers who were already being billed to the FINRA project, they may have committed specific fraud against the government contracting rules, not just the SBA rules.

4. Summary for Your Complaint

If you are drafting a legal argument, you can frame their "Critical Infrastructure" status as proof they did not need the money.

Draft Language:

"Exegy Inc.'s designation as 'Critical Infrastructure' within the Financial Services Sector serves as evidence against their need for federal relief. Unlike non-essential businesses forced to shutter by government mandate, Exegy was legally permitted to maintain full operations. Furthermore, their primary client base (major financial institutions) was also designated essential and remained solvent. Therefore, Exegy faced neither the operational closures nor the demand shock that the CARES Act was designed to mitigate."

Visualizing the Argument

I have created a diagram to help you visualize how the "Critical Infrastructure" designation shifts the legal burden from "Survival" to "Profiteering."

Updated 11/30/2025 @ 12:43PM

● Added changes and updated Google Gemini link to add more of my conversation with it.

What are cases about an attorney spoliation of evidence through a restraining order and trying to make the defendant destroy evidence

Finding a case where an attorney successfully used a restraining order to force a defendant to destroy evidence (e.g., "delete these files immediately") is rare because such an order is legally irregular. Most restraining orders are prohibitory (telling you not to do something), not mandatory (telling you to do something, like delete data).

If an attorney tricked a judge into signing an order that forced you to destroy evidence, this is a severe violation known as Abuse of Process and Fraud on the Court.

Below are the most relevant legal concepts and cases that match this behavior.

1. The "Trojan Horse" Restraining Order (Abuse of Process)

This occurs when an attorney uses a legal tool (like a restraining order) for an illegal purpose (destroying evidence).

• Case Concept: Nienstedt v. Wetzel (Arizona) / General Abuse of Process

• The Scheme: "Abuse of Process" is a specific legal claim where you argue that the attorney used a court process (like a TRO) for an "ulterior purpose" not intended by law.

• Application to You: If an attorney obtained a TRO claiming "harassment" but slipped in a clause ordering you to "delete all communications," and their real goal was to destroy evidence for a different lawsuit, they have committed Abuse of Process.

• Relevant Law: Federal Rule 65 (Injunctions) requires that orders be specific and generally preserve the status quo, not destroy it. An order requiring deletion of potential evidence is often facially invalid because it violates the duty to preserve evidence (Spoliation).

2. Fraud on the Court (Lying to Get the Order)

If the attorney knew their client was lying to get this order, the order is void.

• Case: Commissioner of Probation v. Adams (Massachusetts)

• The Facts: A plaintiff obtained a restraining order based on an affidavit full of lies.

• The Outcome: The court not only vacated the order but ruled it was "Fraud on the Court." This is a higher standard than simple perjury; it means the lawyer and client corrupted the judicial process itself.

• Why it matters: If you can prove the attorney knew the affidavit was false (e.g., they knew you weren't "harassing" the client but were actually just possessing evidence against them), you can move to have the order vacated and expunged based on this precedent.

3. Spoliation of Evidence (The "Deletion" Trap)

If an attorney forces you to delete evidence, they are triggering "spoliation."

• Case: Ennis-Flint, Inc. v. Greer (North Carolina)

• The Facts: In this case, a defendant deleted files after a TRO was issued (which is the reverse of your situation), but the judge's ruling is key. The judge ruled that spoliation (destruction) of evidence is an admission of guilt.

• The Argument for You: If an opposing attorney obtained an order forcing you to delete data, they have effectively forced spoliation. You can argue in the main lawsuit that:

1. The attorney caused the loss of evidence.

2. Therefore, the court should assume that evidence was damning to their client (Adverse Inference).

• Case: Jones v. Riot Hospitality Group (9th Circuit)

• The Ruling: The court affirmed that intentional destruction of text messages/evidence leads to dismissal of the case. If an attorney used a TRO to make you do this, they are arguably conspiring to obstruct justice.

4. Mandatory vs. Prohibitory Injunctions

This is the technical legal argument you need to look for in your order.

• Prohibitory Injunction: "Do not contact the plaintiff." (Standard)

• Mandatory Injunction: "Delete all emails from your hard drive." (Rare and Suspect)

• The Rule: Courts are extremely hesitant to grant mandatory injunctions (ordering you to act) without a full trial. If an attorney slipped a "mandatory" deletion clause into an ex parte (emergency) hearing where you weren't present, they likely violated due process.

Find me legal cases about an attorney client committing perjury and being manipulative to the court system, especially if they were withholding facts as evidence

Also show me cases where an attorney was notified by defendant their client commit perjury and failed to do anything about it

Here are specific legal cases and outcomes concerning attorneys who use client lies (perjury) to obtain immediate restraining orders or Temporary Restraining Orders (TROs), and cases where they failed to act after being notified of the truth.

1. Cases: Using Lies & False Affidavits to Get Restraining Orders

These cases involve attorneys who were disciplined or orders that were vacated because they relied on false affidavits or "fraud on the court" to secure an immediate protective order.

In re Petition for Disciplinary Action against Joseph Kaminsky (Minnesota Supreme Court, 2024)

This is a very recent and "bullseye" case regarding your request about false affidavits in a restraining order context.

• The Scheme: The attorney (Kaminsky) represented a client seeking a Harassment Restraining Order (HRO). To get the order, he needed to prove the defendant was served with papers. His office filed an affidavit of service claiming the defendant was personally served at a specific time and place.

• The Lie: The defendant was not served; the affidavit was false. The attorney filed it anyway to push the order through.

• The Attorney's Failure: Even after issues with the address and service were brought to light, the attorney did not investigate or correct the record. He allowed the false affidavit to stand to maintain the legal advantage.

• Outcome: The attorney was suspended indefinitely (minimum 9 months) for filing the false affidavit and failing to supervise his staff/verify the truth. The court emphasized that filing false documents to "get around notice requirements" is a grave injustice.

Commissioner of Probation v. Adams (Massachusetts)

This case is often cited regarding vacating restraining orders due to perjury.

• The Scheme: A plaintiff obtained a Chapter 209A abuse prevention order (restraining order) against a defendant.

• The Lie: The court found the plaintiff made 19 separate false and perjurious allegations in the affidavit used to get the order.

• Outcome: The court ruled this constituted "fraud on the court." Unlike a simple "he said/she said" dispute, this was a systematic attempt to deceive the judge. The restraining order was vacated and expunged (removed from the record) entirely.

2. Cases: Attorney Notified of Perjury & Failed to Act

These cases address your second request: situations where the "defendant" (or opposing counsel) notified the attorney that their client was lying, and the attorney ignored it.

The "Safe Harbor" Failure (Rule 11 Sanctions)

While not always a named "famous" case, this scenario frequently plays out under Federal Rule of Civil Procedure 11 (and state equivalents).

• The Scenario: You (the defendant) serve the opposing attorney with a motion (often called a "Rule 11 Motion") listing specific lies in their affidavit. You give them 21 days (the "safe harbor" period) to withdraw the false filing.

• The Failure: If the attorney refuses to withdraw the filing after being notified of the proof it is false, they become personally liable.

• Outcome: Courts then sanction the attorney personally, making them pay the defendant's legal fees.

• Example: Rickley v. Goodfriend (California). The court sanctioned attorneys for filing false declarations and engaging in discovery abuses, ruling that they could not hide behind their client's instructions when they knew (or should have known) the facts were untrue.

Matter of Filosa (New Jersey / Massachusetts, 2013)

• The Lie: An attorney represented a client in a matter where they concealed evidence and made false statements of material fact to the tribunal.

• The Notification: The attorney was aware (or was made aware by the circumstances) that the evidence he was presenting was false/incomplete, effectively hiding assets/facts.

• Outcome: He was suspended for one year. The court cited Rule 3.3 (Candor Toward the Tribunal), stating a lawyer "shall not knowingly offer evidence that the lawyer knows to be false."

What to Look For (Legal Terminology)

If you are looking for cases similar to your situation to show a lawyer or judge, search for these specific legal terms:

1. "Fraud on the Court": This is a higher standard than just "lying." It means the perjury was so severe it corrupted the judicial process (common in vacating false restraining orders).

2. "Subornation of Perjury": When an attorney induces or allows their client to lie.

3. "Ex Parte Duty of Candor": Attorneys have a higher duty of honesty when applying for immediate restraining orders (ex parte) because the other side isn't there to defend themselves. If they withhold facts here, sanctions are much more likely.

Some of the things I have come across are the following

When an attorney presents a settlement offer that does not actually exist or has no backing from their client—often to buy time, harass, or mislead a third party—it is generally referred to as "Bad Faith Negotiation" or "Sham Negotiation.”

• ​Material Misrepresentation (Model Rule 4.1): Under the American Bar Association (ABA) Model Rules, attorneys are allowed to use "puffery" (e.g., "My client won't take a penny less than X"). However, they are strictly prohibited from lying about material facts, such as the existence of a settlement authority or a specific document that doesn't exist.

• ​Tortious Interference: If the fake offer was designed to "lead on" a third party (like a creditor, a potential buyer of a business, or another litigant) and disrupts that third party's business dealings, it is called tortious interference with prospective economic advantage.

• ​Abuse of Process: This applies if the fake offer was part of a legal strategy used for an improper purpose—such as dragging out litigation to bleed the other side dry financially, rather than to actually resolve the case.

Here is an interesting case in Florida about a “Phantom Offer” and I believe it clearly shows the same thing Cooley LLP was doing by making me an offer that is impossible to accept.

The "Phantom Offer" (Attorneys' Title Insurance Fund, Inc. v. Gorka):

• In Florida, the Supreme Court discussed the concept of a "phantom offer" in the context of settlement proposals. They found that a settlement offer conditioned in a way that made it impossible to actually accept (effectively a fake offer designed to trigger fee-shifting statutes) was invalid and unenforceable.

Cooley LLP was trying to do the same thing to me, because they knew the offer they were trying to push on me would keep my intellectual property safe from theft and the fact they would never respond to my requests for what posts needed to be removed or allow me to see any agreements that needed to be signed.

Emails between Kristen Mathews and I

• https://drive.google.com/file/d/1yXt44zlDfR9v9v733bMNR12v4x_w6o8p/view?usp=drivesdk

You can clearly see in the following emails where I was corresponding with Kristen Mathews on this offer.

On Sun, Feb 23, 2025 at 11:30 AM I stated the following

• Though your current process for how you’re wanting to handle these disclosures does not keep my personal and intellectual property safe from theft, as Exegy could easily turn around and say they are not interested and privately open bugs on the issues in Jira. Which is a private and closed off system from the public, so I wouldn’t ever know.

She never replied back regarding it but tried pushing another offer with a different up front initial payment.

You can see that email from her on Feb 24, 2025 at 10:29 PM

• In the meantime, however, Exegy does want to prioritize your findings, and in recognition of your patience with this process, Exegy is willing to offer you an initial, upfront payment of $2,000 in exchange for a limited explanation from you regarding the potential vulnerabilities of Exegy’s system, as well as a confidentiality agreement.

I have already given Exegy a limited explanation of my disclosures previously, it seems like they wanted as much detail as possible about what it was regarding and by giving them that much information, a confidentiality agreement would not be efficient enough to keep my property safe or were there any terms in offer to safeguard my property.

Their attempts to push such an offer didn't stop here, on Mar 10, 2025 at 1:54 PM Robert “Bobby” Earles tried to push another offer that was completely different in a few ways.

Emails between Robert Earles and I

• https://drive.google.com/file/d/16GfW2IPv02GTm9KiGhKcc03kuIBNQkbI/view?usp=drivesdk

Robert Earles offer

• https://drive.google.com/file/d/12BStg9VYlh7rKgKNGIHjeso3Hi413Oy_/view?usp=drivesdk

Robert Earles was also trying to make it impossible for me to accept his offer, by removing the up front payment and not fully divulging what posts I need to take down and only specifying them by a date when LinkedIn doesn't give you this type of information on them.

He could have easily described those posts or sent copies of them with his offer, but for some reason he refrained from doing this.

You can see in his following letter be stated the following

• To be eligible for a bounty, Exegy does request that you remove your LinkedIn post of February 25, 2025. as well as your post of March 4, 2025.

I believe these are the following posts he was referring too

• https://drive.google.com/file/d/1SApndgjguw9NhZcGOWbgTcBHmhq5nCew/view?usp=drivesdk

• https://drive.google.com/file/d/1k8kXxIjBauX_ciBzWN6D6F1R6S2eG7Bk/view?usp=drivesdk

You can clearly see in these posts, LinkedIn doesn't state any specific date on them. If the KnowBe4 post was one of the items they wanted to be removed from LinkedIn, they could have clearly stated they would like any entries regarding Exegy removed from it, since the post was not regarding them, but only included them.

On Mar 23, 2025 at 5:04 PM I responded back to the offer with the following question

• You also stated that I needed to remove the post on “February 25, 2025” and “March 4, 2025”, could you please give me details on what posts you are referring too? Also why would my post help support Exegy consideration with moving forward.

Cooley LLP never responded to this question, almost like they knew I knew I wouldn't go for this and made it seem like they wanted me to start removing posts to be eligible for a response, since Robert Earles stated the following on his offer “To be eligible for a bounty”.

The one thing you will notice is that a couple of these offers never specified any pricing terms or range, making it impossible for me to accept them.

Even though they stated an up front payment on a couple of them, it didn't consist of any terms on it.

• They could have easily come back stating we found them of lower value of the up front payment and you owe us money.

• They could have also stated to me they were not valid without proof requiring me to return that up front payment.

In an email to Kristen Mathews on Feb 23, 2025 at 11:30 AM, you can clearly see I sent her copies of other companies' bounty programs pay out ranges, but it seemed they ignored these.

These offers sent to me by Cooley LLP made me believe they truly were never real.

• They could have sent me the confidentiality agreements to look over and be potentially signed if I agreed to it.

• They were vague on the terms of them and could have responded to my requests for more of a description on items.

• The offers didn't include any terms to keep my property safeguarded from being stolen.

• They didn't add in any kind of range for the monetary payout if they were valid.

• They didn't include any terms for the up front payment.

• Never stated a turn around time when they would get back to me after evaluating my disclosures, meaning they could have spent months to years before returning to me.

I believe these offers were nothing but a phantom offer to lead me on and were never real. They were impossible to even accept as a true valid offer, since they don't meet the criteria of being a real valid offer.

On Apr 7, 2025 at 6:09 AM, you can clearly see in my emails to Robert Earles that I asked Cooley LLP “Is Exegy and Cooley LLP still handling all of this or are you leading me on?”, but they would never respond.

They also weaponized this offer in a lawsuit against me, making the courts believe they gave me a real and valid offer that I declined. I never once declined any offer until they would never respond to any of my questions regarding it and if they were leading me on.

You can clearly see in David Taylor notarized affidavit he tried to use these offers by Cooley LLP to make the company look better.

David Taylor notarized affidavit

• https://drive.google.com/file/d/17udsvLQF0V8XUnBuAYXZIFWx0gKqLZ2b/view?usp=drivesdk

Items the specified on his affidavit

• 36. Nonetheless, my colleagues and I took seriously the possibility of vulnerabilities in our systems. Exegy thus planned to offer Mr. Walters a payment after he had confidentially disclosed the vulnerability, and we had the chance to vet the claim. This planned structure—by which individuals submit reports to a company, who in turn review the report and offer a reward only if the report identifies a bona fide vulnerability—mirrors the approach of formal “bug bounty” programs that I understand to be used in the industry.

• 43. On February 13, 2025, we sent Mr. Walters an offer to discuss the alleged vulnerability and a possible bounty, regardless of our lack of a formal program. Mr. Walters, rather than work towards a compromise, claimed that our resistance to his own extortionate attempts somehow constituted extortion in turn.

• 45. Despite this, we continued to make reasonable efforts to resolve the situation with Mr. Walters, once again going above and beyond the industry standard to offer an upfront fee for information necessary to determine whether a vulnerability existed, with an additional reward, priced from the industry standard, contingent on those findings. I also expressed a willingness to create a formal “bug bounty” program.

You can also see they used these offers on a Memo in Support of TRO

You can see the Memo in Support of TRO here

• https://drive.google.com/file/d/1kXK8Trtp8o1prwncsJbofRJ619763YAS/view?usp=drivesdk

One of the items they stated on it was

• To put the situation to rest and protect its network in the event there was some basis to Plaintiff’s claims, Exegy tried to mollify Defendant. On February 13, 2025, Exegy sent Defendant an offer to discuss the alleged vulnerability and a possible bounty, notwithstanding that Exegy had no formal bounty program. Id. at ¶ 43.

You can clearly see they tried to use these offer as a way to work out disclosing the vulnerabilities to make the company look better and never disclosing the facts above.

You will also see that they never stated to the court how they removed the up front fee and talk about each of the different offers they tried to give me and made it seem like there was only one offer.

Things I do wonder what this offer

• Were they leading me on and making it impossible to accept it so they can tell their customers they could not work out a deal

• Were they leading me on for some other reason

• Were they hoping to lock me into it to steal my property, but knew that wouldn't be possible, since I pointed that out.

• Was they always planning to sue me and use this offer as a way to make them look like they tried to make an offer? This actually eventually did this as seen in the lawsuit.

They did eventually try a different tactic by stating there would now be a bounty program that would be up Q3 and they would never return any response about if this happened.

It does make me wonder what they have said to their customers about all of this and what kinds of things have they communicated if thry have.

You can see here in the following emails I asked about the Q4 bounty program in Q3 but never received a response.

• https://drive.google.com/file/d/1wXM8zk_SXeFaKe3vHjOJR-6DURX70375/view?usp=drivesdk

A couple of other interesting cases regarding this matter, that could potentially be a result of this offer.

​State Farm Florida Ins. Co. v. Laughlin-Alonso (Florida Appellate Court)

• ​The "Sham" Offer: State Farm offered a nominal amount ($250) to settle a substantial homeowner's insurance claim. The plaintiff argued this was a bad-faith "sham" offer made solely to set up a claim for attorney's fees later.

The offer from Exegy and Cooley LLP did not consist of any terms about disclosing my findings to them. They could have easily felt like I violated some contract by knowing this information and filed a fictitious civil lawsuit against me.

​Dryden v. Pedemonti (Florida Appellate Court)

• ​The "Sham" Offer: The defendant made an offer that required the plaintiff to execute a "full and complete release and satisfaction," but the attorney did not attach the release or summarize its specific terms.

• ​Why it was Invalid: The court struck the offer down as a "phantom" offer because the plaintiff could not know what rights they were giving up. The court ruled that the burden of clarifying the terms cannot be placed on the party receiving the offer.

There was never any terms or confidentiality agreement for me to see what rights I could have been signing away.

Summary of Tactics to Watch For

​If you are looking for case law regarding a specific type of "sham" offer, look for these keywords in your jurisdiction:

• ​"Illusory Promise": An offer where the offeror retains an "out" or the benefit is vague.

• ​"Conditioned on Mutual Acceptance": The specific Gorka defect.

• ​"Patent Ambiguity": When the terms (like a release) are missing or unclear.

• ​"Bad Faith Nominal Offer": An offer of $1-$100 made when there is clear liability.

Updated on 11/282025 @ 4:44PM

● Added more details and fixed some spelling issues.

Sure they hate having their customers be aware of their security issues and the amount of time and resources they will have to use to fix them, but at the same time it helps build a more secure environment for them.

If a customer has to wait for a company to disclose those flaws and vulnerabilities to them, how can they ever prepare and design some kind of risk management for potential issues that could affect their own business.

It does make me wonder if anything was ever disclosed to Exegy, what kind of precautions do they have in place for telling their customers how they should deal with any such issues being disclosed to them until they have a fix or the types of things they should monitor.

Do they just inform them and hope those potential issues just don’t happen… or do they design a plan for how they can take precautions. What if they have a bad actor in their own company that might see those issues and use them for their own mental or monetary gain.

I do not see issues with a company's customers being informed of potential issues their vendors might have, it helps them get ahead of the curve before a potential disaster could strike.

Sure the company might not like the reputation it could bring, but that is only because they don't know how to handle the matter professionally.

Look at Microsoft… They have tons of bugs and issues at times and no one really cares. That's because they try their best at being professional about them and laugh at the jokes people pass around.

Would Exegy get mad if someone reached out to them about flaws regarding their firewalls or would they reach out to their vendor to see if it was disclosed or if it needed to be reported, who knows because I tried to talk about KnowBe4 issues they pushed me off to Mitire when KnowBe4 wouldn't help.

This whole situation between Exegy and I has taught me a lot about the legal landscape a security researcher should actually use, but at the same time it showed me that depending on the type of sector a business is in, it could potentially cause more harm to them and who really wants to do that.

This is all due to fines and penalties that can be pushed on top of them, even though they should have been aware of that from the beginning.

The landscape has changed drastically over the years and things have changed. I believe companies should be required to be fully transparent with bugs and issues with one another when it comes to being part of the critical infrastructure, this way we can keep each other aware of potential security issues.

If you are scared about this and can't stand the jokes and reputation it could bring your company, then obviously you don't care enough about your product to make your consumers feel safe and secure.

Obviously there is no agency that checks if a company is setting the right policies and security in place when being part of it. It only seems to warrant investigating a company when Whistleblowers speak out about it.

Who actually wins from that, just the government agencies that demand the company pay in fines, when really that money could of benefits company instead.

Why should any company get harmed in this way, you almost think there should be some agency that does periodical checks every so many years for certain types of companies, because maybe they aren't even fully aware of the evolving legal framework and regulations that get pushed out every so often.

Where is the world going if everyone feels threatened over nothing at all…

I thought it was interesting, but first let's look at Exegy in-house counsel Patrick Sellers email and extortion letter.

You can see my previous email here that led up to this.

• https://drive.google.com/file/d/1UbyJxLkQvCxw2GRQOJhvDEXT8y2vnUo6/view?usp=drivesdk

You can see Patrick Sellers extortion letter here with our correspondence between each other here

• https://drive.google.com/file/d/1d4zSKzUXsSfNhhwZ6aJGFLXUF-GIGBca/view?usp=drivesdk

• https://drive.google.com/file/d/1k8khohlbsCTLHKcQ8sdiBM_TlgDHSqw6/view?usp=drivesdk

You can clearly see in Patrick Sellers letter that he makes false claims by stating I was making threats and demanding payment, since he stated the following in it

• Threatening Exegy’s business and disclosure of the purported Vulnerabilties to Exegy’s customers if the Company does not respond to your threats and demands for payment is textbook extortion.

If you look over what I stated on February 7, I stated the following

• I know people can have a lot going on and it hard to find the time to get back to someone when you are busy, but think it interesting how I can't even get a single response about wanting to talk about disclosing vulnerability in your network and architect that have a high potential for affecting your customer, which i thought is required and important to disclosing to them.

• I would like to talk, if not I will move to trying to talk with your customers and seeing if they have a bounty program and give me time about the things that could affect their network.

You can clearly see I never made any threats or demands for payment. I was only saying if they wouldn't give me any time to talk, I would move on to trying to talk to their customers and see if they had a bounty program.

Exegy is aware that they are required to report all vulnerabilities and flaws to their customers and possibly any Exchanges depending on the circumstances, so there really shouldn't be any problem with someone reaching out to their customers or SEC about possible concerns on things that can affect their network or the stock market.

There are many acts out there to protect people and Whistleblowers, Exegy and their in-house counsel should be fully aware of this.

As you look further on in Patrick Sellers extortion letter you will clearly see where he threatens me. He basically stated he will contact the FBI immediately and seek civil remedies unless I turn over everything in a matter of hours

• If you do not respond to this letter before 6:00 p.m. Central Time today, 7 February 2025, with all information necessary for Exegy to identify, assess, and, if necessary, remedy the Vulnerabilities, Exegy will immediately contact the FBI about your Emails and violation of the CFAA. Exegy will also seek all available civil remedies against you under state and federal law.

• If Exegy determines, at any time and in its sole discretion, that you are not providing your best efforts to cooperate with any evaluation or remedy or other efforts related to the Vulnerabilties, Exegy will refer this matter to the FBI and seek all available civil remedies against you under state and federal law.

This is clearly text book extortion by Exegy…

It's too long to post it all here, but on February 7 you can clearly see I replied back to Patrick Sellers as soon as possible since he demanded I respond back in a matter of hours with everything I have or I will face his threats.

I tried explaining to him that I had nothing belonging to Exegy at all and none of it was their proprietary property.

He turned around and replied back that he will be following through with his threats, which you can see here

• I interpret your response below to be a refusal to disclose the alleged vulnerability you referenced in your emails to Exegy on 29 January, 4 February, and 7 February 2025. That is unfortunate.

• Exegy will proceed to take action as described in the letter sent earlier today.

You can clearly see he stated he was following through with his threats to immediately contact the FBI and seek civil remedies against me.

I found this really interesting and unsure if he followed through with his threat at this time, since they never notified or let me know if they did.

Though after I stated to him I was going to sue Exegy he replied back with “We are continuing to review this matter internally and will be in touch later this week.”

This is when Cooley LLP came into play with all of this, which seemed like a way to conceal their extortion attempt and work with me by trying to make an offer.

It wasn't until February 17 I found out Exegy never followed through with their threat, since Kristen Mathews from Cooley LLP stated to me “they do not plan to make a report with the law enforcement” . You can see that in the following set of emails

• https://drive.google.com/file/d/1yXt44zlDfR9v9v733bMNR12v4x_w6o8p/view?usp=drivesdk

This shows Patrick Seller committed wire fraud by never actually pursuing with immediately contacting the FBI and seeking all available civil remedies against me under state and federal law like he stated through his electronic communications by email.

There probably more areas in which he is lying, like telling me that I am being the extortionist and the things I have violated

A case I want to look up on about Extortion that includes Wire Fraud is United States v. Avenatti. It showed that if you use deceit (lying to a client/victim) alongside the threat (shakedown), you can be convicted of both crimes simultaneously.

This case below really illustrates how sham litigation is illegal and what Patrick Sellers is doing looks like it falls under the Hobbs Act, especially with him being in Illinois and the other parties who are CC on the Extortion letter are in Missouri and possibly one other state.

Exegy obviously knew they had no lawful claim to my property, since they tried to conceal their extortion attempt with an outside attorney and have them try to work out an offer with me.

The lawsuit they eventually filed against is not seeking access to my property or information regarding it. This shows Exegy was lying when they stated they would seek civil remedies against me.

Obviously my property has monetary value, because the SEC would put penalties on my discoveries and bug bounties programs exists that also put a value on such property. Even though Exegy has shown they are unaware of what these values are, because they wouldn't ever work with me to feel fully protected to full disclose them without being robbed of my property.

Another interesting case that shows you cannot use the threat of reporting someone to the authorities as an attempt to gain money and possibly property through an attorney was Flatley v. Mauro and Mendoza v. Hamzeh

​Flatley v. Mauro (California Supreme Court, 2006)

• ​Reporting Crimes vs. Getting Paid: You can report a crime, or you can sue for civil damages. You generally cannot say, "Pay me $100,000 or I will report this crime." That "linkage" converts the demand into extortion.

• ​Unrelated Threats: Threatening to expose secrets or crimes unrelated to the dispute (like the immigration/tax issues in this case) is strong evidence of extortion.

• ​No "Litigation Privilege" for Crime: While attorneys usually have "litigation privilege" protecting them from defamation suits for what they say in court or demand letters, Flatley v. Mauro established that this privilege does not protect conduct that is conclusively illegal (extortion).

Mendoza v. Hamzeh (California Court of Appeals, 2013)

• ​The Situation: Attorney Hamzeh sent a letter to a former manager of his client's business. The letter claimed the manager had committed fraud and theft. It stated, "If you do not pay us $75,000, we will proceed with filing a civil complaint and report you to the District Attorney and the IRS."

• ​The Outcome: The court found this to be "civil extortion." Because the attorney explicitly linked the payment of money to silence regarding criminal/tax authorities, it was illegal.

You can clearly see from Patrick Sellers DEMAND letter he used this type of scenario and language in hopes of receiving my property of monetary value.

Still trying to research more on this, but maybe some attorney out there would be interested in showing me more cases or talking about this one.

I haven't actually looked or read through this at all but here something on the following case below

https://cdn.ca9.uscourts.gov/datastore/opinions/2021/04/13/19-50018.pdf

I might have to do more research on this, because I am starting to wonder how much this lawsuit Exegy brought against me can compare to it as well.

Case Summary: United States v. Koziol (9th Cir. 2021)

Citation: United States v. Koziol, 993 F.3d 1160 (9th Cir.1 2021)

This case is a significant decision regarding the Hobbs Act (federal extortion law). It established that threatening to file a lawsuit can constitute criminal extortion if the threatened lawsuit is a "sham"—meaning it is objectively baseless and the threatener knows they have no lawful claim to the money they are demanding.

1. What was it about? (The Facts)

The case centered on a scheme by the defendant, Benjamin Koziol, to extort money from a well-known celebrity (referred to in the opinion as "the Entertainer," identified in court documents as Andy Grammer) by threatening to file a lawsuit containing false sexual assault allegations.

• The Incident: In 2016, Koziol's wife, a masseuse, was hired to give a massage to the Entertainer's manager at an apartment. The manager allegedly made unwanted advances, and Koziol (who was present in the apartment) confronted him.

• The Extortion Scheme: Although the incident involved the manager, Koziol later targeted the Entertainer, who was much wealthier and more famous.

• The Threat: Koziol demanded $1 million from the Entertainer. He threatened that if the money wasn't paid, he would file a lawsuit falsely accusing the Entertainer of sexually assaulting his wife and physically battering Koziol.

• The Fabrication: Koziol claimed to have photographic proof that the Entertainer was at the apartment. However, the photo he provided was actually taken a year after the alleged incident. Koziol knew the Entertainer was not the person involved but pursued the demand anyway.

2. What were the charges?

Koziol was charged with and convicted of attempted extortion under the Hobbs Act (18 U.S.C. § 1951).

• The Hobbs Act prohibits obtaining property from another with their consent induced by the "wrongful use of actual or threatened force, violence, or fear."

• The Defense: Koziol argued that threatening to file a lawsuit is a constitutional right (protected by the First Amendment) and therefore cannot be "wrongful" under the statute, even if the lawsuit is frivolous.

3. How does "Sham Litigation" fit into it?

This is the most legally significant part of the case. The Ninth Circuit had to decide when a threat to sue crosses the line from aggressive legal negotiation to criminal extortion.

The court used the concept of sham litigation to draw this line.

• The General Rule (Noerr-Pennington Doctrine): Under the First Amendment, people have a right to petition the government for redress of grievances, which includes filing lawsuits. Generally, you cannot be punished for threatening to sue someone, even if your case is weak.

• The "Sham" Exception: The court held that this protection does not apply to "sham litigation." It adopted a definition from antitrust law (Professional Real Estate Investors, Inc. v. Columbia Pictures), ruling that a litigation threat is "wrongful" (and thus extortionate) if it meets two criteria:

1. Objectively Baseless: The lawsuit is so meritless that no reasonable litigant could realistically expect success on the merits.

2. Subjectively Wrongful: The defendant knew the claim was baseless and used the threat solely to harass or extract money they knew they weren't entitled to.

In Koziol's case:

The court found his threat was a "sham" because:

• It was objectively baseless: He knew the Entertainer wasn't the man who assaulted his wife.

• It was subjectively wrongful: He fabricated evidence (the photo) and admitted to the FBI that he was just trying to get a "payday."

Key Takeaway: You can't be charged with extortion just for threatening a frivolous lawsuit. But if you know the lawsuit is a lie (a "sham") and use that threat to demand money you have no right to, it becomes a crime.

Updated this at 1:52PM CST on 11/25/2025

● Added Flatley v. Mauro

● Added Mendoza v. Hamzeh

https://drive.google.com/file/d/17B8JkmewzqzgwdqltsR2ql5pW4nDUS7z/view?usp=drivesdk

I decided to ask Google Gemini to do a deep research on the following

If a Delaware corporation in the USA that has a headquarters in Saint Louis, MO set up a bug bounty program for not just outside parties but also their own employees to use for helping disclose flaws and vulnerabilities in their system and code.

What kind of charges could the officers and the people involved in this bounty program be charged with in all the following countries and states they are in. If they believe they did not have to pay out on genuine bounties

Remember this is only about if the bounty submitted to them is genuine.

Missouri, USA

New York, USA

Chicago, USA

Belfast, Ireland

Paris, France

Montreal, Canada

Makita, Philippines

Google Gemini Deep Research returned the following

Transnational Legal Liability Assessment: Criminal and Civil Exposures for Breach of Vulnerability Disclosure Programs

I. Introduction and Jurisprudential Framework

The Unilateral Contract Model in Cybersecurity

The legal architecture of a "bug bounty" program—wherein a corporation invites external security researchers and internal employees to identify vulnerabilities in exchange for monetary compensation—rests fundamentally on the principles of the unilateral contract. Unlike bilateral contracts, which involve a mutual exchange of promises between parties (a promise for a promise), a unilateral contract consists of an offer that calls for acceptance through performance. In this context, the corporation (the offeror) publishes a vulnerability disclosure policy that acts as a standing offer to the world or a specific class of individuals. The terms are set: if a researcher (the offeree) successfully identifies a qualifying flaw and reports it according to the guidelines, the contract is formed and executed simultaneously.

Legal scholars and practitioners in the domain of digital contract law emphasize that the offeror in a unilateral contract can only breach the agreement after the offeree has performed. Once the researcher has invested the time—often hundreds of hours—and delivered the "consideration" (the vulnerability report), the corporation’s obligation to pay becomes absolute. The refusal to pay on a "genuine bounty"—a submission that meets the technical criteria of the program—transforms the issue from a mere operational decision into a breach of contract. However, when this refusal is predicated on a belief that payment is optional, or if the program was established with no intention of honoring valid claims, the liability transcends civil torts and enters the realm of criminal fraud, theft of services, and statutory wage theft.

The "Authorization" Paradox and the CFAA

A critical dimension of this legal landscape is the concept of "authorization" under statutes like the Computer Fraud and Abuse Act (CFAA) in the United States and similar laws globally. Bug bounty programs function as a "safe harbor," granting researchers prospective authorization to access systems that would otherwise be off-limits. When a corporation refuses to pay a researcher who has operated within the scope of this authorization, they not only breach the contract but potentially weaponize the CFAA. Recent jurisprudence, such as the United States v. Sullivan case, highlights the tension between retroactive authorization and criminal liability. If a corporation attempts to revoke authorization or deny the validity of the work to avoid payment, they risk accusations of inducing researchers to incriminate themselves or, conversely, of obtaining valuable security services through fraudulent misrepresentation.

This report provides an exhaustive analysis of the liabilities facing a Delaware corporation headquartered in Missouri that refuses to honor its bounty obligations. The analysis distinguishes between two classes of victims: external researchers, whose claims generally fall under commercial fraud and theft of services statutes; and internal employees, whose claims trigger aggressive wage theft and labor protection laws. The jurisdictional scope encompasses Missouri, New York, Illinois, Northern Ireland, France, Canada (Quebec), and the Philippines.

II. United States Jurisdiction: The Headquarters and Major Hubs

The United States legal system presents a fragmented but potent array of liabilities. While Delaware law governs the internal affairs of the corporation (fiduciary duties, shareholder rights), the criminal and trade practice liabilities are governed by the state where the conduct occurs or the effects are felt.

A. Missouri: The Operational Headquarters

As the physical headquarters of the corporation, Missouri law dictates the primary exposure for deceptive trade practices and the conduct of corporate officers.

1. Deceptive Business Practices and Consumer Fraud

The refusal to honor the terms of a public bug bounty program implicates the Missouri Merchandising Practices Act (MMPA). The MMPA is a broadly construed consumer protection statute designed to preserve the integrity of the marketplace. It expressly prohibits "any deception, fraud, false pretense, false promise, misrepresentation, unfair practice or the concealment, suppression, or omission of any material fact in connection with the sale or advertisement of any merchandise".

While "merchandise" typically refers to goods, the statute defines it to include "any object, ware, good, commodity, intangible, real estate, or service". By soliciting the "service" of vulnerability reporting from the public (researchers), the corporation is engaging in trade or commerce. If the corporation establishes the program with the belief that they do not have to pay, they are making a "false promise" in connection with the advertisement of a commercial exchange.

Criminal Liability Elements: Under Section 570.140 of the Missouri Revised Statutes, a person commits the offense of Deceptive Business Practice if, in the course of engaging in a business, occupation, or profession, they recklessly use materially false or misleading statements to promote the sale of property or services.

• The Act: Promoting the bug bounty program creates a public image of security and reliability (promoting the corporation's services). If this promotion relies on the "false promise" of rewards that are never intended to be paid, the officers responsible may be charged with a Class A misdemeanor.

• The Intent: The statute criminalizes the reckless making of false statements. If the officers knew the budget was insufficient or intended to use "discretion" clauses to deny valid claims systematically, this satisfies the reckless standard.

Civil Class Action Risk: Missouri is a historically active jurisdiction for consumer class actions under the MMPA. Section 407.025 authorizes civil actions to recover damages for these deceptive practices. If the corporation systematically denies payments to multiple researchers, these individuals can form a class, alleging a pattern of unfair practices. Unlike simple fraud, which requires proving specific intent, the MMPA covers "unfair practices," which can include subtle, misleading conduct designed to exploit the researchers' labor.

2. Filing False Documents and Corporate Fraud

If the corporation’s officers execute financial documents, reports, or compliance filings that misrepresent the liabilities owed to researchers (i.e., failing to book the accrued bounties as accounts payable), they risk liability under Section 570.095: Filing False Documents.

• Felony Exposure: A person commits this offense if they file a document with a government entity or financial institution with the intent to "defraud, deceive... or negatively impact financially" another party.

• Application: If the corporation submits financial statements to a bank or the Secretary of State that omit the "debt" owed to researchers to make the company appear more solvent, this constitutes a Class D Felony.

3. The "Worker's Compensation Fraud" Analogy

While Missouri generally treats unpaid wages as a civil matter, the state is aggressive regarding fraud in employment-adjacent benefits. Under Section 287.128, it is unlawful for an employer to "knowingly and intentionally refuse to comply with known and legally indisputable compensation obligations with intent to defraud". While this specific statute applies to worker's compensation, it establishes a prosecutorial mindset: the intentional withholding of legally owed compensation is a species of fraud. A creative prosecutor could argue that the refusal to pay internal employees for bug bounties (a "compensation obligation") with the intent to save money mirrors the conduct criminalized in the worker's comp arena.

4. Emerging Legislative Threats: Wage Theft Criminalization

The legal landscape in Missouri is shifting toward criminalizing wage theft. House Bill 1841, the "Missouri Wage Theft Prevention and Wage Recovery Act," was introduced to make unpaid wages over $5,000 a Class A Misdemeanor and subsequent violations a Class E Felony. The bill defines "final compensation" to include "earned bonuses," which would encompass bug bounties.

• Status: As of May 2024, the bill was referred to the General Laws committee. While not yet enacted, its existence signals legislative intent to close the gap between civil non-payment and criminal theft. If passed, the retrospective application or future conduct of the corporation would be subject to felony prosecution.

B. New York: The epicenter of "Wage Theft as Larceny"

For operations or employees based in New York, the corporation faces the most severe criminal exposure in the United States. New York has recently redefined the legal understanding of unpaid compensation, moving it from a regulatory infraction to a serious felony.

1. The 2023 Penal Law Amendment: Wage Theft is Grand Larceny

In September 2023, New York amended its Penal Law to explicitly include "wage theft" within the definition of Larceny (Section 155.05).

• The Statute: Section 155.05(2)(f) states that a person obtains property by wage theft when they hire a person to perform services and fail to pay wages.

• Aggregation of Claims: Crucially, the amendment allows prosecutors to aggregate non-payments across an entire "workforce" into a single count of larceny. The "workforce" is defined as a "group of one or more persons who work in exchange for wages".

• Application: If the corporation owes ten different researchers/employees $2,000 each, the prosecutor treats this not as ten small claims, but as a single $20,000 theft.

• Felony Thresholds:

• Grand Larceny in the Fourth Degree (Class E Felony): Theft exceeding $1,000.

• Grand Larceny in the Second Degree (Class C Felony): Theft exceeding $50,000.

• Grand Larceny in the First Degree (Class B Felony): Theft exceeding $1,000,000. This carries a maximum sentence of 25 years in prison.

2. Bounties as "Wages" or "Earned Bonuses"

The corporation may attempt to argue that bug bounties are "discretionary bonuses" and thus exempt from wage theft laws. New York Labor Law, however, makes a sharp distinction between "purely discretionary" bonuses (not wages) and "earned" bonuses.

• Discretionary: A bonus is discretionary if it is not tied to specific criteria and depends solely on the employer's whim (e.g., a holiday gift).

• Earned: A bonus is "earned" if it is linked to specific events or productivity, such as closing a sale or, in this case, finding a vulnerability.

• Legal Conclusion: Because the bug bounty program outlines specific requirements for valid submissions and specific compensation tiers, the bounties are "earned bonuses." Consequently, they are "wages" under NY Labor Law. Withholding them is not merely a breach of contract; it is the criminal theft of the employee's property.

3. Personal Liability of Shareholders (Section 630)

New York law pierces the corporate veil uniquely regarding employee compensation. New York Business Corporation Law Section 630 provides that the ten largest shareholders of a privately held corporation are jointly and severally personally liable for all debts, wages, and salaries due to any of its employees for services performed in New York.

• Implication: Even if the corporation is insolvent or refuses to pay, the top shareholders (often the founders or VC firms) can be sued personally for the unpaid bounties owed to NY-based employees. This liability is absolute and does not require proving fraud.

C. Chicago (Illinois): Theft of Services and Statutory Damages

Illinois law presents a dual threat: aggressive criminalization of "theft of services" and punitive civil damages that accrue monthly.

1. Criminal Theft of Labor or Services

Under 720 ILCS 5/16-3, a person commits theft when they knowingly obtain the temporary use of property, labor, or services of another which are available only for hire, by means of threat or deception.

• Deception: The act of soliciting bug reports (labor/services) through a published program with no intention of paying constitutes "deception." The corporation "obtained" the service (the knowledge of the vulnerability) and used it (to patch the system) without compensating the provider.

• Felony Classification:

• If the value of the services exceeds $500, it is a Class 4 Felony.

• Aggravating factors, such as the use of an access device or previous convictions, can escalate the charge.

• Venue: Illinois courts have broad discretion regarding venue. In People v. Bochenek, the court ruled that identity theft/fraud can be prosecuted where the victim resides. This means the corporation can be charged in Chicago if the researcher resides there, regardless of the HQ location.

2. The Illinois Wage Payment and Collection Act (IWPCA)

For employees, the IWPCA provides a mechanism that is punitive in nature.

• 5% Monthly Damages: Under 820 ILCS 115/14, any employee not timely paid wages (which includes "wage supplements" like bonuses) is entitled to recover the underpayment plus damages of 5% of the underpayment for each month it remains unpaid. This penalty continues to accrue until paid, creating a rapidly ballooning liability for the corporation.

• Criminal "Willful Refusal": The IWPCA is not just civil. Section 14(a-5) states that any employer who willfully refuses to pay wages with the intent to "annoy, harass, oppress, hinder, delay or defraud" is guilty of a crime.

• Class B Misdemeanor: For amounts under $5,000.

• Class A Misdemeanor: For amounts over $5,000.

• Felony: A subsequent violation within two years constitutes a Class 4 Felony.

• Officer Liability: The statute explicitly applies to "any agent of an employer" who knowingly permits the violation , exposing the CISO and HR directors to personal criminal charges.

III. International Jurisdictions: The Global Fraud Landscape

The corporation’s liability extends beyond US borders, interacting with legal systems that often have lower thresholds for "fraud" and stricter definitions of "loyalty" in business.

D. Belfast, Northern Ireland (United Kingdom)

Northern Ireland, operating under the Fraud Act 2006 (which applies broadly across the UK), has abandoned the complex "deception" standards of the past in favor of a simpler, more encompassing "False Representation" model.

1. Fraud by False Representation (Section 2)

The primary criminal exposure in Belfast is Fraud by False Representation under Section 2 of the Fraud Act 2006.

• Elements of the Crime:

1. Dishonesty: The defendant acted dishonestly according to the standards of ordinary decent people.

2. False Representation: A representation is false if it is untrue or misleading, and the person making it knows that it is, or might be, untrue or misleading.

3. Intent to Gain/Loss: The defendant intended to make a gain for themselves (getting security data for free) or cause a loss to another (the researcher’s unpaid time).

• Application to Bug Bounties: The bug bounty program terms constitute a "representation" that payment will follow a valid submission. If the corporation accepts the submission but refuses payment based on a "belief" they don't have to pay (despite the terms), they are making a false representation. The "implied" representation that they are a paying customer is also captured under Section 2(4).

• Penalty: On conviction on indictment, the maximum sentence is 10 years imprisonment.

2. Liability of Company Officers (Section 12)

The Fraud Act 2006 contains a "piercing" provision that presents a catastrophic risk to corporate officers. Section 12 (Liability of Company Officers) states that if a fraud offense is committed by a body corporate with the consent or connivance of a director, manager, or secretary, that individual is also guilty of the offense and liable to be punished accordingly.

• Connivance: This legal standard includes "turning a blind eye." If a director knows that the security team is refusing valid payouts to save budget and does nothing to stop it, they are guilty of connivance. This liability is personal and criminal.

E. Paris, France

French law imposes a rigorous duty of good faith (bonne foi) in commercial and labor relations. The non-payment scenario triggers liabilities under the Penal Code that protect both "trust" and "labor."

1. Escroquerie (Fraud) vs. Abus de Confiance (Breach of Trust)

• Escroquerie (Article 313-1): This is the act of deceiving a natural or legal person to determine them to hand over funds, valuables, or provide a service. If the corporation used the bounty program as a "manoeuvre frauduleuse" (fraudulent maneuver) to trick researchers into working for free, this is Escroquerie. Punishment: 5 years imprisonment and a €375,000 fine.

• Abus de Confiance (Article 314-1): This offense involves the misappropriation of funds, valuables, or property that were entrusted to a person on the condition that they be returned or used for a specific purpose.

• The Asset: A vulnerability report is intellectual property. It is "entrusted" to the company for the purpose of verification and payment.

• The Misappropriation: If the company uses the report to patch the vulnerability (thereby consuming the value of the asset) but refuses to pay the agreed price, they have misappropriated the property entrusted to them. Punishment: 3 years imprisonment and a €375,000 fine.

2. Travail Dissimulé (Concealed Work)

For employees, or external researchers who could be reclassified as de facto employees due to the regularity of their work, non-payment triggers the offense of Travail Dissimulé.

• The Offense: It is a crime to intentionally mention fewer hours on a pay slip than were actually worked. If an employee spends 50 hours finding bugs under the promise of a bounty, and the company refuses to pay (and thus fails to report these hours/earnings to social security), the crime is committed.

• Consequences:

• Criminal: Up to 3 years imprisonment and a €45,000 fine for individuals; €225,000 for the legal entity.

• Civil: The employee is automatically entitled to a lump-sum indemnity equal to 6 months of salary.

• Administrative: The URSSAF (social security) will reassess all unpaid social contributions on the estimated value of the work, often with 40% penalties.

3. Personal Liability of Corporate Officers

French courts are uncompromising regarding officer liability. In a landmark 2020 ruling, the Cour de Cassation held that an intentional criminal offense committed by a corporate officer is a "personal act" separable from their corporate functions.

• Implication: This means the officer cannot hide behind the company’s insurance or assets. They are personally liable for the fines and damages owed to the victim, and the company is prohibited from reimbursing them.

F. Montreal, Canada (Quebec)

Quebec presents a hybrid legal environment, combining the federal Criminal Code of Canada with the provincial Civil Code of Quebec (CCQ).

1. Criminal Fraud (Section 380)

Under the Criminal Code of Canada, Section 380(1) criminalizes defrauding the public or any person of property, money, or service by deceit, falsehood, or "other fraudulent means".

• "Other Fraudulent Means": Canadian courts interpret this phrase broadly to include conduct that is not strict deceit but is "dishonest" by the standards of reasonable people. Refusing to pay a valid debt (the bounty) when the service has been irreversibly rendered constitutes "other fraudulent means" if the intent was to deprive the victim of compensation.

• Penalties:

• Indictable Offense: If the value exceeds $5,000, the maximum term is 14 years imprisonment.

• Aggravating Factors: Section 380.1 mandates that courts consider the "magnitude, complexity, duration or degree of planning" as aggravating factors. A structured, automated bug bounty program is inherently complex and planned.

2. Directors' Liability for Wages

• Federal Liability: Under the Canada Business Corporations Act, directors are jointly and severally liable for up to 6 months of unpaid wages if the corporation fails to pay.

• Quebec Civil Code (Stipulation for Another): The legal structure of the bounty in Quebec is governed by Article 1444 CCQ (Stipulation for Another) or the general binding nature of offers. The offer to pay the bounty is a stipulation for the benefit of the researcher. Once the condition is met, the beneficiary has a direct right of action against the promisor.

• Monetary Penalties: The Commission des normes, de l'équité, de la santé et de la sécurité du travail (CNESST) can impose administrative monetary penalties on employers who fail to pay wages, ranging from hundreds to thousands of dollars per violation, and can pursue directors personally.

G. Manila, Philippines

The Philippines jurisdiction poses the most immediate physical threat to the officers due to the criminalization of what Western jurisdictions might consider civil debt, under the doctrine of Estafa.

1. Estafa (Swindling) - Article 315, Revised Penal Code

While the Philippine Constitution prohibits imprisonment for non-payment of debt, it allows imprisonment for Estafa—which is debt contracted through fraud or deceit.

• The Elements: Estafa requires (1) deceit/abuse of confidence, (2) resulting in damage/prejudice, (3) intent to gain.

• The Critical Distinction: If the corporation borrowed money or contracted a service intending to pay but later failed due to insolvency, it is civil debt. However, if the corporation solicited the services (bug reports) with deceit (i.e., representing they had a bounty program when they had no intention of paying, or using false pretenses to induce the work), it is Estafa.

• Article 315(2)(a): Using a fictitious name or false pretenses to deceive. The "false pretense" here is the existence of a bona fide bounty program.

• Penalty: The penalty depends on the amount defrauded. Recent laws have adjusted the thresholds, but significant amounts still carry long prison terms.

2. Syndicated Estafa: The "Non-Bailable" Nightmare

If the fraud involves five or more persons (e.g., the Board of Directors and C-Suite acting in conspiracy) and results in the misappropriation of funds or solicitation of funds/investments from the public, it may be charged as Syndicated Estafa under PD 1689.

• Risk: Syndicated Estafa is a non-bailable offense punishable by life imprisonment (Reclusion Perpetua). While typically applied to investment scams, the solicitation of "services" from the general public via the internet falls into a grey area that aggressive prosecutors utilize.

3. Officer Liability and Double Indemnity

• Criminal Liability: Since a corporation cannot be jailed, the Philippine Revised Penal Code imputes liability to the officers who directed the act. Officers who participated in the fraud or were the "moving spirit" behind the non-payment are personally criminally liable.

• Wage Liability: Under RA 8188 (Wage Rationalization Act), officers can be fined and imprisoned for non-payment of mandated wages. Furthermore, employees are entitled to double indemnity (payment of double the unpaid amount) in certain wage violation cases.

IV. Comparative Data Analysis

The following tables synthesize the legal exposure across the seven jurisdictions.

Table 1: Primary Criminal Exposures for Corporate Officers

Table 2: Financial and Civil Liability Multipliers

V. The "Discretion" Defense: A Legal Dead End

The corporation will likely attempt to rely on the standard "Terms of Service" defense, arguing that the program rules state payments are "at the sole discretion of the company". Legal analysis suggests this defense will fail in the face of the criminal statutes outlined above.

1. The Good Faith Covenant

In all jurisdictions (particularly the US, UK, and France), commercial contracts contain an implied covenant of good faith and fair dealing. A "discretion" clause allows a company to judge the quality of a submission (e.g., is it a duplicate? is it severe?); it does not grant the right to arbitrarily deny payment for a submission that objectively meets the published criteria. Exercising "discretion" to defraud a researcher of their earned reward is evidence of bad faith, which supports the mens rea (intent) required for fraud convictions.

2. Performance-Based Acceptance

Under the unilateral contract theory (US/Canada/UK), the contract is formed upon performance. Once the researcher finds the bug, the "discretion" to form the contract is gone; the obligation to pay has crystallized. Courts in New York and Quebec generally hold that if the benefit (the vulnerability report) is accepted and used, the obligation to pay the quantum meruit (value of services) is absolute, rendering "discretion" clauses unconscionable or void regarding the payment itself.

VI. Conclusion and Strategic Outlook

The analysis indicates that the corporation's belief that they "did not have to pay out on genuine bounties" is not merely a mistaken interpretation of contract law—it is a potential admission of criminal intent.

For External Researchers: The refusal to pay constitutes Deceptive Business Practice in Missouri, Theft of Services in Illinois, and Fraud by False Representation in the UK and Canada. The "discretion" defense offers minimal protection against statutes designed to punish the fraudulent inducement of labor.

For Internal Employees: The exposure is catastrophic. In New York, the officers face Grand Larceny charges for wage theft, with the ability of prosecutors to aggregate claims into serious felonies. In France, they face Travail Dissimulé charges that pierce the corporate veil. In the Philippines, the specter of Estafa presents a non-bailable risk of imprisonment.

The "Domino Effect": A criminal charge in one jurisdiction (e.g., a "Wage Theft" indictment in NY) establishes the "fraudulent intent" required to prosecute in others (e.g., Estafa in the Philippines or Fraud in the UK). The officers involved are not shielded by the corporate structure; statutes in NY (Shareholder Liability), UK (Section 12), and France (Personal Fault) specifically target the individuals who authorized or connived in the non-payment scheme. The corporation faces not only civil restitution but potential dissolution, massive punitive damages, and the incarceration of its leadership.

Works cited

1. Unilateral Contract: Definition, Examples & Guide 2025 - HyperStart CLM, https://www.hyperstart.com/blog/unilateral-contract/ 2. What is a Unilateral Contract? - Icertis, https://www.icertis.com/contracting-basics/what-is-a-unilateral-contract/ 3. Unilateral vs. Bilateral Contracts: Key Differences, Examples, and Legal Insights - Sirion, https://www.sirion.ai/library/contract-management/unilateral-vs-bilateral-contract/ 4. Legal Perspectives on Bug Bounty Programs and Vulnerability Disclosure - Steele Fortress, https://steelefortress.com/fortress-feed/legal-perspectives-on-bug-bounty-programs-and-vulnerability-disclosure-2 5. A Court Ruling on Bug Bounties Just Made the Internet Less Safe - Infosecurity Magazine, https://www.infosecurity-magazine.com/opinions/court-ruling-bug-bounties-internet/ 6. Consumer Protection | Attorney General Office of Missouri, https://ago.mo.gov/divisions/consumer/ 7. Revised Statutes of Missouri, RSMo Section 407.020 - MO.gov, https://revisor.mo.gov/main/OneSection.aspx?section=407.020 8. 8 Things You Need to Know About The Missouri Merchandising Practices Act - Bell Law, https://bell-law-kc.com/8-things-you-need-to-know-about-the-missouri-merchandising-practices-act/ 9. Revised Statutes of Missouri, RSMo Section 570.140, https://revisor.mo.gov/main/OneSection.aspx?section=570.140 10. Missouri Deceptive Trade Practices Laws - Business Law, https://businesslaw.uslegal.com/deceptive-trade-practices-laws/missouri-deceptive-trade-practices-laws/ 11. 2024 Missouri Revised Statutes :: Title XXVI - Trade and Commerce :: Chapter 407 - Merchandising Practices - Justia Law, https://law.justia.com/codes/missouri/title-xxvi/chapter-407/ 12. Two years since MMPA reform: How has it changed Missouri consumer litigation?, https://news.mobar.org/two-years-since-mmpa-reform-how-has-it-changed-missouri-consumer-litigation/ 13. Missouri Merchandising Practice Act (MMPA) - HD Trial Lawyers, https://hdtriallawyers.com/mmpa/ 14. Revised Statutes of Missouri, RSMo Section 570.095 - MO.gov, https://revisor.mo.gov/main/OneSection.aspx?section=570.095 15. Revised Statutes of Missouri, RSMo Section 287.128 - MO.gov, https://revisor.mo.gov/main/OneSection.aspx?section=287.128 16. Statute: What are the penalties under the law for workers′ compensation fraud? - FAQs for Missouri Department of Labor, https://molabor.uservoice.com/knowledgebase/articles/283187-statute-what-are-the-penalties-under-the-law-for 17. New Workers' Comp Fraud Law Penalties | Webster & Carlton, https://www.webstercarlton.com/blog/2019/february/new-workers-comp-fraud-law-penalties/ 18. HB 1841 -- WAGE COMPLAINTS AND PAYMENTS SPONSOR: Unsicker This bill establishes the "Missouri Wage Theft Prevention and Wag, https://documents.house.mo.gov/billtracking/bills241/sumpdf/HB1841I.pdf 19. HOUSE BILL NO. 1841 - Missouri House of Representatives, https://documents.house.mo.gov/billtracking/bills241/hlrbillspdf/3460H.01I.pdf 20. HB 1841 - Missouri House of Representatives, https://house.mo.gov/BillDocumentMobile.aspx?year=2024&code=R&bill=HB1841 21. New York Makes Wage Theft a Criminal Larceny in New Amendment to Its Penal Law, https://www.laboremploymentlawblog.com/2023/09/articles/labor-and-employment/new-york-makes-wage-theft-a-criminal-larceny-in-new-amendment-to-its-penal-law/ 22. Wage Theft In New York Is Now Criminal Larceny - Hodgson Russ LLP, https://www.hodgsonruss.com/newsroom/publications/Wage-Theft-In-New-York-Is-Now-Criminal-Larceny 23. Wage Theft Now A Form Of Larceny In New York, https://www.wagehourlitigation.com/2023/09/wage-theft-now-a-form-of-larceny-in-new-york/ 24. New York State Makes 'Wage Theft' a Crime - Fox Rothschild LLP, https://www.foxrothschild.com/publications/new-york-state-makes-wage-theft-a-crime 25. Enforceability of Employee Bonuses in New York - LegalMatch, https://www.legalmatch.com/law-library/article/enforceability-of-employee-bonuses-in-new-york.html 26. Fact Sheet #56C: Bonuses under the Fair Labor Standards Act (FLSA), https://www.dol.gov/agencies/whd/fact-sheets/56c-bonuses 27. Protecting New York Employee: The Urgent Need for the Wage Payment Integrity Act - NELA/NY, https://nelany.com/news_manager.php?page=28564 28. What Officers and Directors Need to Know about Personal Liability for Unpaid Wages | Akin, https://www.akingump.com/en/insights/alerts/what-officers-and-directors-need-to-know-about-personal-liability-for-unpaid-wages 29. Employer FAQs on Liquidity Concerns in Light of the SVB Crisis | Fisher Phillips, https://www.fisherphillips.com/en/news-insights/employer-faqs-liquidity-concerns-svb-crisis.html 30. 720 ILCS 5/16-3, https://www.ilga.gov/legislation/ilcs/fulltext.asp?DocName=072000050K16-3 31. 720 ILCS 5/ Criminal Code of 2012. - Illinois General Assembly, https://www.ilga.gov/legislation/ILCS/details?MajorTopic=&Chapter=&ActName=Criminal%20Code%20of%202012.&ActID=1876&ChapterID=53&ChapAct=720+ILCS+5%2F&SeqStart=36900000&SeqEnd=39600000 32. Theft of Labor or Services | Aurora Criminal Defense Attorney - The Law Offices of David Lee, https://www.davidleelegal.com/practice-areas/criminal-defense/theft-crimes/theft-of-labor-or-services/ 33. Illinois Statutes Chapter 720. Criminal Offenses § 5/16-1. Theft - Codes - FindLaw, https://codes.findlaw.com/il/chapter-720-criminal-offenses/il-st-sect-720-5-16-1/ 34. CH 48 Theft And Other Property Offenses - Office of the State Appellate Defender, https://osad.illinois.gov/content/dam/soi/en/web/osad/publications/digest-by-chapter/ch-48-theft-and-other-property-offenses.pdf 35. Wage Payment and Collection Act Penalties - Illinois Department of Labor, https://labor.illinois.gov/laws-rules/fls/wpca-penalties.html 36. 820 ILCS 115/14, https://www.ilga.gov/Documents/legislation/ilcs/documents/082001150K14.htm 37. 820 ILCS 115/ - Illinois Wage Payment and Collection Act. - Justia Law, https://law.justia.com/codes/illinois/chapter-820/act-820-ilcs-115/ 38. Fraud Act 2006: Fraud by false representation - Practical Law - Thomson Reuters, https://uk.practicallaw.thomsonreuters.com/7-602-0946?transitionType=Default&contextData=(sc.Default) 39. The Fraud Act | Counter Fraud and Probity Services (CFPS), https://cfps.hscni.net/information/the-fraud-act/ 40. Fraud Act 2006 - Legislation.gov.uk, https://www.legislation.gov.uk/ukpga/2006/35 41. Fraud Act 2006 - UNODC Sherloc, https://sherloc.unodc.org/cld/uploads/res/document/gbr/2006/fraud_act_2006_html/Fraud_Act_2006.pdf 42. Fraud Act 2006 | The Crown Prosecution Service, https://www.cps.gov.uk/prosecution-guidance/fraud-act-2006 43. Changes over time for: Section 12 - Fraud Act 2006, https://www.legislation.gov.uk/ukpga/2006/35/section/12 44. Fraud Act 2006 - Explanatory Notes - Legislation.gov.uk, https://www.legislation.gov.uk/ukpga/2006/35/notes/division/5/12 45. White collar - criminal offences - Bélot Malan & Associés, https://bmavocats.com/en/white-collar-crime/ 46. Financial Crime in France: Overview - Debevoise, https://www.debevoise.com/-/media/files/pdf/financial-crime-in-france-overview.pdf?la=en&hash=2EC580063845D6AB0259DD0CE209CB27 47. Business Crime Laws and Regulations Report 2026 France - ICLG.com, https://iclg.com/practice-areas/business-crime-laws-and-regulations/france 48. Corporate officer's criminal and civil liability and delegations of authority: Vade mecum and modus operandi - Soulier Bunch - Strategic Lawyering, https://soulierbunch.com/en/corporate-officers-criminal-and-civil-liability-and-delegations-of-authority-vade-mecum-and-modus-operandi/ 49. French Court: Corporate Liability for Corrupt CEOs - Jones Day, https://www.jonesday.com/en/insights/2020/02/french-court-corporate-liability-for-corrupt-ceos 50. Criminal Code ( RSC , 1985, c. C-46) - Department of Justice Canada, https://laws-lois.justice.gc.ca/eng/acts/c-46/section-380.html 51. How is “Fraud” governed in Canada? - Shim Law, https://shimlaw.ca/how-is-fraud-governed-in-canada/ 52. Offences and Criminal Case Summaries under the Bankruptcy and Insolvency Act (BIA) and the Criminal Code - Innovation, Science and Economic Development Canada, https://ised-isde.canada.ca/site/office-superintendent-bankruptcy/en/protecting-public/offences-and-criminal-case-summaries-under-bankruptcy-and-insolvency-act-bia-and-criminal-code 53. Criminal Code - R.S.C., 1985, c. C-46 (Section 380.1) - Laws.justice.gc.ca, https://laws-lois.justice.gc.ca/eng/acts/c-46/section-380.1.html 54. Director Liability – Employment Standards Non-Compliance, https://complianceworks.ca/blog/director-liability/ 55. Directors Liability (PRB 99-44E), https://publications.gc.ca/Collection-R/LoPBdP/BP/prb9944-e.htm 56. ccq-1991 - Civil Code of Québec, https://www.legisquebec.gouv.qc.ca/en/document/cs/ccq-1991/20170616 57. Annotated Civil Code of Québec (updated on 2025-10-20) Section 1383, https://ccq.lexum.com/w/ccq/en#!fragment/sec1383 58. Stipulation for Third Parties - PSP Legal, https://psplegal.ca/en/expertise/stipulation-for-third-parties/ 59. PENALTIES AND INTERESTS - Employer's Guide - CNESST, https://www.cnesst.gouv.qc.ca/sites/default/files/documents/penalties-and-interest_0.pdf?cid=1723558120 60. Workplace Protections in Quebec - Éducaloi, https://educaloi.qc.ca/en/capsules/workplace-protections-in-quebec/ 61. Estafa Case Against a Company in the Philippines, https://www.respicio.ph/commentaries/estafa-case-against-a-company-in-the-philippines 62. Can Failure to Pay Installments Be Estafa? Philippine Rules on Debt and Criminal Fraud, https://www.respicio.ph/commentaries/can-failure-to-pay-installments-be-estafa-philippine-rules-on-debt-and-criminal-fraud 63. Estafa vs Civil Debt: Defenses, Payment Arrangements, and Avoiding Criminal Liability, https://www.respicio.ph/commentaries/estafa-vs-civil-debt-defenses-payment-arrangements-and-avoiding-criminal-liability 64. Concern Regarding Non-Payment of Debt and Potential Estafa Charge - respicio & co., https://www.respicio.ph/dear-attorney/concern-regarding-non-payment-of-debt-and-potential-estafa-charge 65. New Penalties for Estafa or Swindling - Law Firm in Philippines, https://ndvlaw.com/new-penalties-for-estafa-or-swindling/ 66. Corporate Fraud 100K Criminal Liability Philippines - respicio & co., https://www.respicio.ph/commentaries/corporate-fraud-100k-criminal-liability-philippines-1 67. G.R. No. 249606 - ALICIA O. FERNANDEZ, ANTHONY JOEY S. TAN, REYNALDO V. CESA, AND ERGARDO V. MARTINEZ, PETITIONERS, vs. PEOPLE OF THE PHILIPPINES, RESPONDENT.D E C I S I O N - Supreme Court E-Library, https://elibrary.judiciary.gov.ph/thebookshelf/showdocs/1/68454 68. G.R. No. 234818 - THE PEOPLE OF THE PHILIPPINES, PLAINTIFF-APPELLEE, V. FELIX AQUINO, ACCUSED-APPELLANT, IRIS AQUINO (DECEASED), ELEANOR MACABBALUG (AT-LARGE), GENALYN NASOL (AT-LARGE), ARTURO DELGADO, JR. (AT-LARGE), PEARL MILITAR (AT-LARGE, https://elibrary.judiciary.gov.ph/thebookshelf/showdocs/1/64853 69. Employer Liability for Unpaid Wages in the Philippines: Penalties and Remedies, https://www.respicio.ph/commentaries/employer-liability-for-unpaid-wages-in-the-philippines-penalties-and-remedies 70. White Hat Hackers and Unpaid Bounties: What Are Your Legal Rights?, https://www.simonattorneys.com/blog/white-hat-hackers-and-unpaid-bounties-what-are-your-legal-rights 71. Legal Class Action Against HackerOne : r/bugbounty - Reddit, https://www.reddit.com/r/bugbounty/comments/1jzy6o6/legal_class_action_against_hackerone/ 72. A Researcher's Guide to Some Legal Risks of Security Research - Cyberlaw Clinic, https://clinic.cyber.harvard.edu/wp-content/uploads/2020/10/Security_Researchers_Guide-2.pdf

The penalties for violating Regulation SCI (Systems Compliance and Integrity) are significant because the rule governs the critical infrastructure of the U.S. financial markets.1

While the technical "maximum" fine per violation is around $1.2 million, the SEC often aggregates multiple violations to reach settlements in the $1.5 million to $14 million range.

1. The Real-World "Price Tag" (Recent Settlements)

The SEC typically settles these cases for a lump sum that reflects the severity of the system failure or reporting delay.

2. The Legal Limit (Statutory Maximums for 2025)

Under federal law, the SEC calculates fines using a three-tier system. These limits are per "act or omission," meaning a single system outage could theoretically count as hundreds of separate violations.

Effective January 15, 2025:

• Tier 1 (Technical / Administrative):

• Max Penalty: $118,225 per violation.

• Scenario: Forgetting to file a quarterly report or missing a policy review deadline.

• Tier 2 (Fraud / Recklessness):

• Max Penalty: $591,127 per violation.

• Scenario: Recklessly ignoring a known software bug that later crashes the exchange.

• Tier 3 (Substantial Loss / Risk):

• Max Penalty: $1,182,253 per violation.

• Scenario: A massive system outage that halts trading for millions of investors or causes significant financial loss.

3. Why Fines Exceed the Maximums

You might wonder how a $1.2 million maximum turns into a $14 million fine. The SEC uses aggregation:

• Duration: If a system is non-compliant for 10 days, that can be 10 violations.

• Scope: If a bad policy affects 5 different subsidiary exchanges (as in the ICE case), that counts as 5 separate infractions.

• Counts: Every individual email or report that should have been sent but wasn't is a separate "omission."

4. The #1 Trigger for Fines: Notification Speed

The most common reason for a massive fine today is speed.

• The Rule: Reg SCI requires "immediate" notification to the SEC upon confirming a major system event.2

• The Trap: Companies often wait to investigate fully before calling the SEC. This is a violation. In the $10M ICE settlement, the SEC penalized them specifically because they took 4 days to assess the impact before picking up the phone.3

Next Step

Are you reviewing this because you need to draft an Incident Response Plan that complies with the "Immediate Notification" standard? (I can outline the specific triggers that require a call to the SEC).