@hrefna I think that the "state actor" assumption is the safer one. Here's why: if it was an extremely persistent and clever kid, then this might be the only instance of this kind of attack. But if it is a well-funded group, state or not, this might be a technique that has been used elsewhere, perhaps successfully, and this is the only one that has been caught. So: look for other instances of the same or a similar attack. There were multiple very clever steps here: were they used elsewhere?