OAKMOREL Forensic Intelligence // ask@oakmorel.com
ACCESS LEVEL select · your · version
◉ STANDARD VERSION // ○ METHODOLOGY VERSION ACTIVE MODE: STANDARD

These case studies exist in two versions. The standard version is written as narrative — what we found, how we found it, what the numbers showed. The methodology version is written for attorneys and forensic reviewers — evidentiary structure, classification framework, chain of custody language. Same key as Services.

OM-LEG-2026-7X9K-CIPHER-VERIFIED
CASE STUDIES anonymized · numbers published · clients protected

Four engagements. Two service lines. Every client identity protected. Every number verified and published. Out of respect for clients whose cases involve ongoing renegotiation or potential proceedings, we protect identities. What we publish are the numbers. The numbers don't need names.

The simulated cases are marked clearly. They are built from real engagement structures and real methodology — illustrating how the pipeline performs on case types we handle. Nothing in them is invented. The patterns are real. The names and industries are illustrative.

◈ METHODOLOGY VERSION ACTIVE

The following case records are summarized for forensic review purposes. Each engagement was executed using OakMorel's document intelligence pipeline — computer vision extraction, field-level confidence scoring, human verification on all flagged items, and a final record structured to meet evidentiary standards in renegotiation, mediation, arbitration, and litigation. All findings are traceable to source documents. All source documents are retained on file. Client identities are protected under NDA unless explicitly released.

01 The Substitution Pattern Procurement Forensics 02 The Bot Network Platform Integrity 03 The Algorithmic Overcharge Procurement · Simulated 04 The Perfect Profile Network Platform Integrity · Simulated
CASE 01 — THE SUBSTITUTION PATTERN procurement forensics
Procurement Forensics 153 Substitution Patterns 14 Job Sites Client Protected · NDA

A regional contractor operating across fourteen active job sites commissioned an audit after noticing that costs were running consistently higher than quoted. The feeling was there before the proof was. They knew something was wrong. They couldn't point to it individually — the invoices were too long, the job pace too fast, the line items too numerous to verify one by one. That is exactly the condition the morel requires to survive.

We pulled every quote and every invoice on file across all fourteen jobs — seven active, seven expired — and ran them through the extraction pipeline. Three findings came back immediately. First: quote coverage. Of 1,274 invoiced line items, 954 had no corresponding quoted price. The supplier had been setting prices unilaterally on 74.9% of everything they delivered. Second: direct overcharges. 39 items that did have a quoted price were billed above the agreed amount — a combined $492.24 in documented overcharges on items where the client had every right to hold the supplier accountable. Third — and this is the morel — the substitution pattern.

◈ METHODOLOGY VERSION ACTIVE
◈ EXTRACTION METHODOLOGY
Document corpus: quotes and invoices across 14 job sites, 7 active and 7 expired. Pipeline processed 1,274 invoiced line items against all available quoted items. Comparison ran on three axes: SKU matching (exact and fuzzy, flagging divergence above defined threshold); description similarity scoring (semantic comparison, 94–99% similarity range across substitution findings); and price ratio calculation (unit price comparison across all matched and unmatched pairs). All extractions were validated against source documents. Human verification applied to all low-confidence fields before inclusion in the record. Classification framework: direct overcharge, substitution pattern, scope drift, unquoted spend.
74.9%
Scope drift — line items with no agreed price
153
Substitution patterns detected across all 14 sites
29.23×
Highest per-unit price ratio in the dataset
$125,869
Total unquoted spend — no reference price existed
◆ The Morel
The description on the invoice was nearly identical to the quote — 99% similarity in most cases. The SKU was different. The grade was higher. The price was not proportionally higher. It was 6×, 13×, 29× higher. On commodity fittings ordered in volume, on every active job, simultaneously.

The substitution pattern was the core finding. Items quoted at Schedule 40 PVC — a standard grade — arrived invoiced as Schedule 80 PVC, a pressure-rated grade requiring a different SKU and carrying a dramatically different price point. The description on the invoice read almost word-for-word identical to the quote. A human reviewer scanning the invoice would see the same product. The pipeline saw a different SKU, a different grade, and a price multiplier that in one documented case reached 29.23× the quoted price — $0.87 quoted, $25.31 billed, on a line item ordered ten units at a time.

What made this finding structurally significant was the consistency. The same substitution logic appeared across eight of the fourteen job sites. Different jobs, different delivery dates, different project managers on site — same pattern. That is not a fulfillment error. A fulfillment error appears in one job, gets corrected, and disappears. A pattern that replicates across eight sites and 153 instances is either a system or a policy. The distinction matters enormously in what comes next.

◈ SUBSTITUTION CLASSIFICATION DETAIL
153 substitution patterns classified by type: grade substitution only (Sch 40 → Sch 80, same size), size substitution only (same grade, one or two size increments), and compound substitution (grade up plus size up simultaneously). Compound substitutions produced the highest price ratios — the 29.23× finding at item #133 involved both a grade change and a multi-step size increment. Description similarity scoring ran semantic comparison across quoted and invoiced text fields. Similarity range across all 153 findings: 94–99%. At 99% similarity, the invoiced description is for practical purposes identical to the quoted description in plain language — the only distinguishing signal is the SKU and the price. Every finding is sourced to the specific quote document and specific invoice document from which the comparison was drawn. Source document links retained on file.
⚑ 01
Single line item — 46 units — $518.10 uplift. Sch 40 PVC 45° Elbow, 2 in., quoted at $2.27. Invoiced as Sch 80 PVC 45° Elbow, 2 in., billed at $13.53. Description similarity: 99%. 46 units ordered. Nobody checked individually — each one was a few dollars. Except they weren't.
⚑ 02
Highest per-unit ratio in the dataset — 29.23×. $0.87 quoted. $25.31 billed. Grade up and size up simultaneously. Description similarity: 94%. The three-character difference between the quoted description and the invoiced description carried a 29-fold price multiplier on ten units.
⚑ 03
Compound substitution — grade up plus size up — at 10.85× to 16.41×. Multiple findings at a single job site where both the grade and the size stepped up simultaneously. $1.73 quoted, $28.41 billed on one finding. $1.24 quoted, $13.41 billed on another. 99% description similarity in both cases.
⚑ 04
Pattern present on expired quote jobs. The substitution logic did not stop running when quotes expired. Findings were detected across both active and expired job files — meaning the supplier continued applying the same pricing behavior regardless of whether any reference price agreement was in force.
◈ CASE STATUS
Client identity protected under NDA. Supplier identity withheld pending engagement resolution. The forensic record has been delivered. All 153 substitution patterns are documented with source quotes and source invoices on file. The complete price index — every line item across all 14 jobs — has been transferred to the client for use in renegotiation. What happens next belongs to the client.
Primary sources · All 14 jobs · Full record delivered Commission an Audit →
CASE 02 — THE BOT NETWORK platform integrity forensics
Platform Integrity 14 Entities Profiled 37 Violations Documented 4 Businesses Affected

A bar and grill in Southern California was struck by a coordinated wave of 1-star reviews on a major review platform following a social media incident on a high-visibility public event night. Fourteen reviewing accounts posted within 48 hours. The reviews shared template language, sentence structure, and in several cases the same rare vocabulary — distributed across accounts that had no prior relationship to the business and in some cases no geographic proximity to it.

We built a forensic analysis pipeline from the ground up — entity profiling, linguistic fingerprinting, behavioral timeline analysis, engagement anomaly detection, and cross-business network mapping. What we found was not a mob. What we found was infrastructure.

◈ METHODOLOGY VERSION ACTIVE
◈ ANALYTICAL FRAMEWORK
For each of the 14 identified entities, a structured forensic profile was constructed capturing all measurable account signals: creation date, dormancy periods, review count, friend count, photo count, profile completeness, geographic location, and review history patterns. Eight template phrase categories were tracked across all review text. Sentence-level analysis measured word count, sentence count, average sentence length, and punctuation density. Specificity scoring measured the presence or absence of verifiable detail — named dishes, named staff, specific incidents, temporal markers. Engagement spike analysis compared reaction counts per review against lifetime account baseline. Geographic impossibility mapping cross-referenced reviewer location against business location for all 14 entities and extended to the three collateral businesses.
14
Entities profiled — full forensic analysis
37
Guideline violations documented across entities
15mo
Sleeper account dormancy before activation
4
Businesses affected across 3 states
◆ The Morel
One account had been dormant for five years. It activated once — fifteen months before the attack — posted a single review using a specific word. That same word appeared in the attack wave fifteen months later, across multiple accounts, across multiple businesses. That is not a coincidence. That is a fingerprint.

The linguistic fingerprint was the central finding. The word "ambiance" — formal, specific, atypical for the venue type — appeared across multiple attack reviews on the primary business on the attack date, across a collateral business attacked the following day, and in a review posted fifteen months earlier by a dormant account that had been inactive since its creation in 2019. That account posted once, went silent, and the template word it planted appeared in the coordinated attack over a year later.

One reviewer wrote explicitly that he had heard about the incident — not witnessed it. His review was based on secondhand information, which the platform's own guidelines explicitly prohibit. But the specific word that would have triggered automated content moderation was corrupted — a single character changed — leaving the admission readable to a human reviewer while potentially evading keyword-based detection. That is not a clumsy typo. That is an engineered countermeasure.

The platform detected the coordinated attack in real time. Their own unusual activity alert system flagged three of the four affected businesses and suspended new comments. The attack reviews were left standing on all four. The affected businesses' star ratings remained damaged. Several subsequently purchased platform advertising to recover their visibility. The platform collected that revenue.

◈ EVIDENTIARY STRUCTURE
Each of the 14 entity profiles is structured as a standalone evidentiary document: account provenance, behavioral timeline from creation through attack date, full review corpus, linguistic signature analysis, violation classifications by guideline rule, engagement anomaly data, and removal confidence rating. The sleeper account record documents dormancy period (October 2019 – November 2024), single activation event, template vocabulary match to February 2026 attack reviews, and cross-business vocabulary correlation. The platform's own Unusual Activity Alert issuance is documented as third-party confirmation of coordinated inauthentic activity. The self-incriminating review — containing an explicit admission of secondhand knowledge — is documented with the specific character-level corruption flagged as a potential automated detection evasion technique. Legal exposure analysis references Demetriades v. Yelp (2014), Multiversal Enterprises v. Yelp (2022), and the Texas AG proceeding (2023) as directly relevant precedent. All are public record.
◆ 01
The sleeper account. Created 2019. Dormant five years. Activated November 2024 — fifteen months before the attack. Posted one review. Used the word "ambiance." Went silent. The same word appeared in the coordinated attack wave across multiple accounts and across a separate business attacked the following day.
◆ 02
The self-incriminating review. One reviewer stated he had "head something about" the incident — a corrupted version of "heard something about." The corruption lands on the single word that proves secondhand knowledge — the exact signal that triggers removal under the platform's own published guidelines. The rest of the sentence is coherent. The error is surgical.
◆ 03
The hybrid signal. One account presented nine years of platform history, 87 reviews, 82 photos. Specific voice. Named dishes. Personal anecdotes. By every behavioral metric available to the platform's detection systems — a legitimate reviewer. On the attack date she posted 33 words with no photo, no specific detail, no visit context — and used the word "ambiance," which does not appear anywhere else in nine years of her review history.
◆ 04
Cross-state network — four businesses, three states. The same attacking accounts appeared across a bar in Southern California, a coffee shop in the same region, a lash studio in Washington state, and a yoga studio in Florida — all following separate social media trigger events. In one case an account in California attacked a business in Washington over 1,100 miles away using a social media video as the basis for the review, not a visit.
◈ CASE STATUS
Primary client identity protected. All four affected businesses anonymized. The forensic record has been delivered and is structured for platform dispute submission, civil filing, or referral. The matter has been presented to counsel. Proceedings, if any, are protected. We make no representations about legal outcomes — we built the record. What happens next belongs to those with the authority to act on it.
Full entity profiles · Source documentation retained · Legal-ready record Report a Platform Attack →
CASE 03 — THE ALGORITHMIC OVERCHARGE procurement · simulated · illustrative
◈ SIMULATED ENGAGEMENT — Built from real methodology · Patterns are real · Names and industry are illustrative
Healthcare Supply Procurement Forensics Multi-Jurisdiction Ongoing · Protected

A healthcare practice group operating across multiple locations had a supply relationship spanning three years with a single distributor. The relationship looked clean on the surface. Invoices arrived on time. Products arrived as described. The pricing felt slightly elevated but the practice manager attributed it to post-pandemic supply chain adjustments and didn't pursue it. The feeling was there. The instrument wasn't.

When we ran the extraction pipeline across three years of invoices and quotes, the scope drift came back at 68% — nearly seven out of every ten invoiced items had no agreed reference price. Standard for the industry, the distributor would later argue. What was not standard was what we found inside the matched items — the 32% of line items where a quoted price did exist.

The substitution pattern in this engagement was different from Case 01. It wasn't grade upgrades on commodity fittings. It was consumable instruments — items quoted as generic and invoiced as name-brand equivalents — carrying the same catalog description, the same SKU prefix, a different suffix, and a price differential that ran consistently between 4× and 11× the quoted amount. Across three years. Across every location. With a consistency that no manual error could produce.

◈ METHODOLOGY VERSION ACTIVE
◈ EXTRACTION AND CLASSIFICATION
Three-year document corpus processed across all locations. SKU suffix analysis identified a systematic naming convention divergence between quoted and invoiced items — same prefix, different suffix, corresponding to a generic-to-name-brand substitution in the distributor's own catalog. Price ratio calculation across all matched suffix-divergent pairs produced a consistent multiplier range of 4.1× to 11.3×. The consistency of the multiplier range across three years and multiple locations is the primary evidentiary signal — random error does not produce consistent multiplier ranges. The finding is classified as a systematic substitution pattern of algorithmic origin — meaning the substitution logic is embedded in the distributor's order fulfillment or pricing system, not the result of individual purchasing decisions.
68%
Scope drift across 3-year document corpus
11.3×
Highest per-unit ratio — generic quoted, name-brand billed
3 yrs
Pattern duration — consistent multiplier range throughout
Multi
Jurisdictions implicated — distributor operates nationally
◆ The Morel
Nobody at the distributor flagged it. Nobody at the practice flagged it. The pattern was running in the system — quietly, consistently, for three years — and nobody on either side of the transaction knew it was there. That is what an algorithmic substitution looks like when it is left alone long enough.

The finding that changed the scope of this engagement was not the substitution pattern itself. It was the multiplier consistency. Random fulfillment errors produce random price differentials. What we documented was a price multiplier that held within a narrow range — 4× to 11× — across three years, across every practice location, across every category of consumable affected. That kind of consistency does not come from human decisions. It comes from a pricing rule.

A pricing rule embedded in the distributor's order management system — mapping generic SKUs to name-brand equivalents at a fixed markup ratio on fulfillment — would produce exactly the pattern we documented. The distributor's own fulfillment staff would have no visibility into it. The billing department would see correct invoices by their own system's standard. The practice would receive the name-brand product and pay the name-brand price, having agreed only to the generic price. The delta would be invisible unless someone held every invoice against every quote simultaneously across the full three-year history.

When the forensic record was delivered to counsel, the scope of the analysis expanded. The distributor operates across multiple states. The pricing configuration, if embedded at the system level, would apply uniformly to any client purchasing the same SKU categories under the same contract structure. The findings were shared with counsel. The matter expanded beyond a single client engagement and now involves multiple jurisdictions. The case is protected. We say no more.

◈ MULTI-JURISDICTION SCOPE NOTE
Upon delivery of the forensic record, retaining counsel identified that the pricing configuration documented — if present at the system level of the distributor's order management infrastructure — would produce identical substitution patterns for any client purchasing equivalent SKU categories under equivalent contract terms. The distributor operates across multiple states. The forensic record was structured from document one to be reproducible and independently verifiable — a second analyst following the same process against the same document set arrives at the same findings. The matter has expanded beyond a single client engagement. Active proceedings, if any, are protected under engagement agreement. No further detail is available.
⚑ 01
SKU suffix divergence — systematic, not random. Quoted items carried a generic SKU suffix. Invoiced items carried a name-brand suffix in the same distributor catalog. The suffix divergence was consistent across all affected SKU categories — not a random fulfillment substitution but a systematic remapping at the order level.
⚑ 02
Multiplier consistency across three years. The price differential between generic-quoted and name-brand-billed items held within a consistent range for the full duration of the engagement. Year one, year two, year three — the multiplier did not drift. Algorithmic pricing rules produce consistent multipliers. Human error does not.
⚑ 03
Scope replication across all locations. Every practice location produced the same pattern against the same SKU categories. Same multiplier range. Same suffix divergence. No location was clean. The pattern was not site-specific — it was relationship-wide.
◈ CASE STATUS — PROTECTED
Client identity and distributor identity withheld. The forensic record has been delivered. The matter has expanded in scope and involves multiple jurisdictions. Active proceedings, if any, are protected under engagement agreement. The forensic record was structured from document one with evidentiary standards in mind. No further detail is available at this time.
Simulated · Real methodology · Real pattern structure Commission an Audit →
CASE 04 — THE PERFECT PROFILE NETWORK platform integrity · simulated · illustrative
◈ SIMULATED ENGAGEMENT — Built from real methodology · Patterns are real · Names and industry are illustrative
Platform Integrity Multi-Platform Competitive Link Established Ongoing · Protected

A local business went viral on social media following an ambiguous incident that generated divided public opinion. Within 72 hours, coordinated 1-star reviews appeared simultaneously on two major review platforms. This engagement was different from Case 02 in one critical way: the attacking accounts were not obvious.

The accounts that hit this client had years of platform history. They had profile photos. They had friends. They reviewed restaurants, coffee shops, service businesses — specific places, specific dishes, specific experiences. Their writing was warm, personal, and consistent across years of activity. By every signal available to a platform's automated detection systems, these were real people. The platform did not flag the attack. No unusual activity alert was issued. The reviews stayed up and the star ratings dropped on both platforms simultaneously.

We built the entity profiles anyway. And inside the review history of several of the attacking accounts — buried in years of otherwise authentic-looking activity — we found 5-star reviews of the client's direct competitor. Posted months before the attack. By the same accounts. That is the morel.

◈ METHODOLOGY VERSION ACTIVE
◈ ENTITY PROFILING — SOPHISTICATED ACCOUNT SIGNALS
Standard entity profiling metrics were applied to all attacking accounts — dormancy analysis, specificity scoring, engagement anomaly detection, geographic mapping. The initial profile pass did not produce strong removal confidence signals — accounts presented as established and legitimate. A secondary review history analysis was conducted — examining the full historical review corpus for each entity across both platforms to identify any prior relationship to the affected business or its competitive environment. This analysis identified a cluster of attacking accounts that had previously reviewed the client's direct competitor with 5-star ratings, posted 3–8 months prior to the attack. Cross-platform correlation confirmed that the same accounts appeared in both the Google and Yelp attack waves. The competitor connection constitutes a documented evidentiary link between the coordinated attack and a specific competitive beneficiary.
2
Platforms hit simultaneously — coordinated cross-platform attack
Years
Average history of attacking accounts — not new, not thin
5★
Competitor reviews found in attacker history — documented link
0
Platform alerts issued — sophisticated accounts evaded detection
◆ The Morel
The accounts looked real. Perfect profiles. Years of history. The platforms detected nothing. But inside the history of the accounts that attacked this business were 5-star reviews of its direct competitor — posted months before the attack. The network wasn't just coordinated. It was pointed.

The sophistication of this network forces a question that Case 02 only raised as hypothesis. An account with three years of authentic-looking platform history — food photos, named dishes, consistent voice — is not built overnight for a single attack. It is either a real person who was socially activated and directed to attack, or it is a synthetic account trained on real reviewer behavior and maintained over time specifically to survive authenticity detection when deployed.

In either scenario the competitive link changes the nature of what the record documents. A mob attack triggered by a viral event is damaging but legally ambiguous. A coordinated attack by accounts that demonstrably reviewed the victim's competitor immediately prior to the attack is something different — it establishes a chain of interest that points toward a specific beneficiary. We documented the chain. We do not name the beneficiary. That determination belongs to counsel.

The cross-platform coordination was also significant. When an attack hits one platform, a platform-specific explanation is plausible. When the same accounts hit two platforms simultaneously, following the same trigger event, using consistent template language across both — the explanation narrows considerably. The forensic record was structured to document both platform records simultaneously, with the cross-platform account correlation mapped and sourced.

◈ COMPETITIVE LINK — EVIDENTIARY NOTE
The competitor review finding constitutes a documented connection between a subset of attacking accounts and a specific competitive beneficiary. This connection is established through publicly available platform data — the review history is on-record and verifiable independently. The forensic record documents the connection without asserting causation or legal conclusion. The documented facts are: (1) several attacking accounts reviewed the client's direct competitor with 5-star ratings prior to the attack; (2) the same accounts participated in coordinated attack activity across two platforms following a social media trigger event; (3) no platform alert was issued on either platform despite simultaneous multi-account 1-star activity. The inference available from these documented facts — and the legal theory, if any, that follows from them — belongs to retaining counsel. We built the record. We make no legal claims.
◆ 01
Perfect profile accounts — years of authentic-looking history. The attacking accounts in this engagement were not thin, new, or obviously inauthentic. They had years of platform activity, consistent voice, specific reviews. Standard bot detection signals were absent. The attack evaded both platforms' automated systems entirely.
◆ 02
Competitor reviews — documented in attacker history. Secondary review history analysis identified that several attacking accounts had reviewed the client's direct competitor with 5-star ratings in the months prior to the attack. The reviews were positive, specific, and consistent in tone with the accounts' general history — which is itself a signal of synthetic account sophistication.
◆ 03
Simultaneous cross-platform coordination. The attack appeared on both platforms within the same window following the social media trigger event. Cross-platform account correlation confirmed overlapping entities across both attack waves. No alert was issued by either platform. The coordinated timing and account overlap are documented and sourced.
◆ 04
ML-trained synthetic account hypothesis — documented signal. The behavioral consistency of the sophisticated accounts — across years of history, food photos, personal anecdotes — is consistent with synthetic accounts trained on real reviewer data to pass authenticity detection. This hypothesis cannot be confirmed from public data alone. It requires discovery — source code, account creation metadata, behavioral telemetry. The signal is documented. The determination belongs to whoever can compel that discovery.
◈ CASE STATUS — PROTECTED
Client identity protected. Competitor identity withheld. The forensic record has been delivered and is structured for platform dispute, civil filing, or referral. The matter has been presented to counsel. Proceedings, if any, are protected. The record exists. What happens next belongs to those with the authority to act on it.
Simulated · Real methodology · Real pattern structure Report a Platform Attack →
YOUR CASE first conversation is free

Every case above started the same way. A feeling. Something that didn't add up. A number that felt wrong, a relationship that felt off, an attack that felt coordinated but couldn't be proved. The feeling was right in every case. Just not always in the way the client expected.

If you have something — tell us. First conversation is free. We'll tell you honestly whether there's a morel worth finding.

◈ METHODOLOGY VERSION ACTIVE

Initial case assessment at no charge. We review the document set, assess whether volume and format support a forensic record of evidentiary value, and advise accordingly. Engagements we cannot execute to standard are engagements we decline. Every engagement that proceeds operates under NDA from document one.

► Start The Conversation → Services & Methodology
OakMorel
OPEN FOR INTAKE
Email
ask@oakmorel.com
Phone
Email preferred — call available on request
Response
Within 24 hours
First Assessment
Free
► Commission Engagement
Every case has a morel. The pattern hiding inside the pattern. Tell us what you have — we'll tell you honestly whether it's there.
► GET STARTED →
↑↓ Scroll ENTER Select ESC Exit
The client is usually right — just not in the way they expect.