The Easter weekend gate logs included: coordinated AWS-masked sweeps across multiple pages in rapid sequence, Tencent-class activity at higher than normal frequency, new adversary IP ranges not previously seen in the deployment, and synchronized timing patterns across different actor classes.
Coordinated multi-actor activity is not the signature of automated vulnerability scanning — that produces single-actor probes with consistent tool fingerprints. Multi-actor coordination suggests a directed operation, where different adversary classes have been tasked with specific objectives by a coordinating authority.
The timing correlation with the position 4.5 desktop average is the key evidence. The best-ranking week in the deployment triggered the most intensive external investigation. This is the pattern of due diligence — a potential acquirer or investor seeing a performance metric that triggers a verification event: "is this real, and can we understand how it works?"
A competitive attack would not require multiple actor classes with different methodologies in a coordinated 48-hour window. Competitors can monitor rankings directly. A due diligence investigation needs to understand the architecture — hence the forensic sweep across page types, the simultaneous targeting of different content areas, and the involvement of enterprise-level infrastructure.
Every adversary class that swept the site during the Easter event received mirror maze content. The real architecture was not exposed. The forensic sweep produced data about a phantom site — plausible-looking pages with no real structural intelligence.
The persistence of surveillance activity after Easter — Zayo continued daily position tracking, Tencent continued regular polling — suggests the due diligence did not produce the architectural understanding the investigators were looking for. They can see the outputs. They cannot see the engine.