OpenSocial Feed — LotusCare Incident (Simulation)

Fictional posts for simulation • Offline environment • All “.onion” links route to local simulation pages

Profiles & Handles

fictional

Actors often compartmentalise identities. In this simulation, partial similarities are intentional for teaching linkage hypotheses.

LotusLeaker Updates@lotusleaker_updates

Account type: threat actor surface

Surface-web pressure account; claims affiliation with leak operation.

🔎 track🧾 preserve⚠️ assess credibility

LL-PressDesk@LL_pressdesk

Account type: threat actor alt

Backup account; posts mirrors when primary flagged.

🔎 track🧾 preserve⚠️ assess credibility

CityWire Tech@citywire_tech

Account type: journalist

Local tech reporter amplifying unverified claims.

🔎 track🧾 preserve⚠️ assess credibility

BlueTeam Briefs@blueteam_briefs

Account type: cyber researcher

Security researcher urging caution and verification.

🔎 track🧾 preserve⚠️ assess credibility

CareWorks Union Rep@careworks_rep

Account type: community member

Community perspective; concerns about clients.

🔎 track🧾 preserve⚠️ assess credibility

OutageWatch@outagewatch

Account type: misinfo

Account posting recycled breach screenshots and inaccurate numbers.

🔎 track🧾 preserve⚠️ assess credibility

LotusCare Support@LotusCare_Support_Official Unverified / Spoof

Created: 2 days ago • Followers: 38

“Official customer response team.”

🔎 track🧾 preserve⚠️ assess credibility

Analyst prompt

thinking

Consider the handle “@LL_pressdesk”. Is it plausible the same actor runs the leak site persona? List 3 indicators you would look for (timing, language, reuse, wallets, etc.).