A chronological record of unauthorized computer access, data theft, and digital stalking
This timeline documents a focused window of provable incidents. The pattern of unauthorized access and coercive control extends across 3+ years of documented communications.
The wellandsepticlife@gmail.com account was created from Nashville, TN using a Starlink IPv6 address.
First text message between James Butler and the suspect. Over the next 3.6 years, 65,987 messages would be exchanged.
Someone used James's business Google account to translate the suspect's biographical text from English to Russian. The translation appeared 82 times in activity logs.
Translation: "Hi All! My name is [REDACTED]... I spent nearly eighteen years of my life in the small city of Sevastopol on the Crimean Peninsula..."
James searched "how to check and see if I have a delegate for my gmail" — he was already suspicious months before the main attacks began.
The suspect explicitly admits she uses self-harm threats to get James's attention.
10:56 PM: "I had only you. But i barely can get your attention. Only when i almost want to kill myself. I am so close to that"
The suspect creates "zbooks" and "zbooks2" in Zoho CRM and saves a Flow automation — late night activity that would later prove significant.
James discovers the suspect secretly applied to MB Haynes, a direct competitor, while still employed.
"I just learned who you are and how you really operate. You and I are done. I never NEVER in a million years figured you would stab me in the back like you just did."
This message — sent by the suspect nine minutes before the first unauthorized system access — is the thesis statement of the entire case. A direct declaration of retaliatory intent.
Nine minutes after the threat, the suspect logs into Zoho CRM from her iPhone. She has been fired. She is no longer authorized.
Device: iPhone 15 Pro Max, iOS 26.1. Zoho CRM mobile app. Weaverville, NC.
Over four days, the suspect logs into Zoho CRM seven times from locations across North Carolina, Georgia, and Tennessee.
Locations: Weaverville NC, Athens GA, Ft Oglethorpe GA, Monterey TN. Jan 14 login occurred 9 minutes after office manager deactivated her account.
The suspect requests login credentials to company systems, framing it as wanting to "help."
Jan 16: "I need the password for my work email to be able to log in to Podium." Jan 17: "For me to be able to help i need log in to my work email."
While James slept, someone using an iPhone browsed Google Help pages about password management, passkeys, and credential management. James uses Samsung, not iPhone.
Device identifier "genie-eng:is_iph_nd4c" (automatic iPhone flag) in Google API calls. Pages: "Manage passkeys in Chrome — iPhone & iPad", "Google Password Manager PIN — iPhone & iPad". Samsung Smart Switch used at 2:26 AM.
Someone watched 25 Russian-language music videos on James's YouTube between 1:56 and 3:06 AM. James does not speak Russian. The suspect is from Sevastopol, Crimea.
Titles include: "Прости за любовь" (Forgive for Love), "Ты мой" (You're Mine), "Закричу на весь мир" (I'll Scream to the Whole World), "Черная кошка" (Black Cat). Chrome Remote Desktop also accessed at 3:04 AM.
Final unauthorized login to the company's financial system. Traced to Gatlinburg, TN. iPhone 16 Pro Max.
The suspect logs into her former company email — dormant for 102 days — and immediately begins changing security settings to lock the owner out.
10:44 — Changed recovery phone. 10:44 — Changed recovery email. 10:45 — Changed recovery email AGAIN. 10:46 — Tried to sign out owner's devices — BLOCKED by Google. 10:46 — Tried again — BLOCKED AGAIN. Google flagged 4 actions as suspicious. IP: 2600:1004:b34a:c59d:9c62:3c02:1563:798f
Same day as the takeover attempt. Google Takeout downloads ALL account data — emails, photos, contacts, documents, location history. Preparation for data theft.
Someone searched "locate my device" and visited Google's Find Your Phone page while James was sleeping. Physical surveillance.
Two drafts found in the business Gmail containing Chrome Remote Desktop setup commands — an OAuth code for persistent remote access and a download URL for the Linux installer.
Draft 1: Chrome Remote Desktop start-host command with OAuth code. Draft 2: Linux .deb installer URL. Matches "chrome remote desktop" searches at 1:47 AM, 2:13 AM, 2:27 AM, 3:04 AM across multiple dates.
GOROD — a Russian app for topping up Moscow metro Troika cards — accessed on James's account. There is no reason for an American in Weaverville, NC to use a Moscow transit app.
Someone searched for a Claude Code OAuth refresh token from James's business account. James confirmed he did NOT do this. The token matched one stored on his USB drive.
The exact token was found on James's DNR drive. This means the attacker had access to USB drive contents and searched for them online.
Yandex Go — Russia's Uber equivalent — accessed on James's account at 1:51 AM.
A Gmail draft containing Zoho Cliq bot code was found in James's personal email. Last day of the attack wave. The attacker was using his Gmail as a development scratchpad.
Zoho Deluge scripting language. Cliq chatbot handler with message response and context handling. 38 days after the suspect was fired.
A second unauthorized iPhone found on James's personal Google account with 12 days of access.
First sign-in: February 28. Last active: March 5, 3:08 PM. Different device ID from the first iPhone.
Video files renamed in James's Google Drive. The unauthorized iPhone had signed in 2 days prior.
Underscore removed from filenames: _20250106_C0020.MP4 → 20250106_C0020.MP4. Google Drive Trash was empty.
An iCloud Keychain passkey was created on James's Google account. This digital key allows login without the password AND without two-factor authentication.
Created: March 3, 9:12:15 PM. Last used: March 7, 3:56 PM, iPhone in Weaverville. James uses Samsung Galaxy — not iPhone or iCloud. This was the master key.
Another unauthorized iPhone actively signed in, last active 2 hours before discovery while James slept.
T-Bank (Tinkoff) sent a personalized marketing email to James's Gmail addressed to "Джеймс" (James in Russian). Someone registered his email with a Russian bank.
Subject: "Переводите деньги за рубеж без комиссии" (Transfer money abroad without commission). Offers transfers to former Soviet states. The suspect is Russian.
Four Tapo verification codes sent to James's Gmail between 2:41 AM and 4:26 AM. The last three within four minutes — frantic, repeated attempts. James was asleep.
The attacker could read verification codes via Gmail access through the iCloud Keychain passkey. Home cameras were also disabled during the February attack wave.
A bulk export of all personal Google data requested while James slept. Emails, photos, contacts, documents, location history.
Two unauthorized iPhones found on James's ChatGPT account from Nashville, TN. James was in Weaverville, NC.
iPhone 1 (iOS 18.7): March 9, 1:41 PM, Nashville. iPhone 2 (iOS 26.3): February 22, 11:10 PM, Nashville.
A Zoho connector added to James's ChatGPT, giving AI-powered access to all customer records and financial data.
Connector ID: connector_fd0f007550a242459d6dd1f923668769. Codex CLI also connected. Discovered 58 minutes after connection.
A second database copy was found with 65,987 messages removed — targeting one specific conversation. Deletion rates by keyword: kill 100%, threat 100%, hate 100%, password 100%, access 99%.
Original: 152,885 messages (142MB). Wiped: 86,898 messages (138MB). Only 2 messages survived from a 65,989-message conversation. This is surgical evidence destruction — consciousness of guilt.
Analysis of the full message archive reveals sustained psychological abuse exploiting James's TBI, military background, and business ownership.
16+ suicide threats as emotional leverage. 658+ verbally abusive messages. 812+ threats. 801+ password/access requests. 2,416+ financial abuse messages. 250+ controlling messages. Pattern: Evan Stark coercive control model + DARVO.
Every piece of evidence referenced in this timeline has been preserved with SHA-256 cryptographic hashing. SHA-256 generates a unique digital fingerprint for each file. Any modification — even changing a single character — produces a completely different hash, making tampering mathematically detectable. All hashes are recorded in a separate, tamper-evident changelog.