How I Caught the Payroll Hacker

My client was a major company with offices in every major city in the world. They have tens of thousands of employees system-wide and we had implemented a new electronic time-card system for their staff. We had time-card servers in all the major cities and attached modern badging and fingerprint recognition systems for punching in/out.

The hacker was an employee at one of the major locations. He had some type of arrangement with other employees that he would log in and edit their time card records, giving them more hours, even though they weren’t at work at those times. They would share their extra pay with him. It was causing excessive payroll in that area and we knew something was wrong. But what and how?

I wrote a system script that ran and routinely looked for signs of hacking / unauthorized access. It searched for a number of things that would alert me if anything unusual was happening. One of the things it looked for was someone changing the time by more than two hours. It was my thought that this guy was setting the clock back, pushing a punch-in, then changing the clock and pushing a punch-out somehow. Turns out that’s what he was doing.
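The check described above, a clock change of more than two hours, can be sketched as follows. This is an added example, not the author's script: the log line format, the account names and the function names are assumptions, and it goes one step beyond the article by also marking punches recorded while the clock is still offset from real time.

```python
import re
from datetime import datetime, timedelta

THRESHOLD = timedelta(hours=2)  # the article's rule: clock moved by more than two hours

# Constructed sample log; the line format is an assumption, not the real system's.
SAMPLE_LOG = """\
2024-03-04T07:58:12 PUNCH emp=2210 dir=IN
2024-03-04T12:00:00 CLOCK_SET old=2024-03-04T12:00:00 new=2024-03-04T12:00:03 user=ntp
2024-03-04T22:10:05 CLOCK_SET old=2024-03-04T22:10:05 new=2024-03-04T08:00:00 user=tc_admin
2024-03-04T08:00:20 PUNCH emp=1042 dir=IN
2024-03-04T08:00:41 CLOCK_SET old=2024-03-04T08:00:41 new=2024-03-04T17:00:00 user=tc_admin
2024-03-04T17:00:15 PUNCH emp=1042 dir=OUT
2024-03-04T17:00:30 CLOCK_SET old=2024-03-04T17:00:30 new=2024-03-04T22:11:00 user=tc_admin
2024-03-04T22:30:00 PUNCH emp=3377 dir=OUT
"""

LINE = re.compile(r"^(\S+) (CLOCK_SET|PUNCH) (.*)$")

def parse(line):
    """Split one log line into (event kind, dict of key=value fields)."""
    m = LINE.match(line.strip())
    if not m:
        return None
    return m.group(2), dict(kv.split("=", 1) for kv in m.group(3).split())

def find_clock_tampering(log_text):
    """Return (alerts, suspect_punches) for clock jumps larger than THRESHOLD."""
    alerts, suspects = [], []
    drift = timedelta(0)  # running offset of the server clock from real time
    for line in log_text.splitlines():
        parsed = parse(line)
        if parsed is None:
            continue
        kind, f = parsed
        if kind == "CLOCK_SET":
            delta = datetime.fromisoformat(f["new"]) - datetime.fromisoformat(f["old"])
            if abs(delta) > THRESHOLD:
                alerts.append((f["user"], f["old"], f["new"]))
            drift += delta  # small NTP corrections accumulate but stay under THRESHOLD
        elif abs(drift) > THRESHOLD:
            # Punch stamped while the clock was hours away from real time.
            suspects.append((f["emp"], f["dir"]))
    return alerts, suspects

if __name__ == "__main__":
    for item in zip(("ALERT", "SUSPECT"), find_clock_tampering(SAMPLE_LOG)):
        print(item)
```

Tracking the cumulative offset rather than single jumps means a punch made between the backward set and the corrective forward set is tied to the tampering even though its own timestamp looks like an ordinary working hour.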

Once we were alerted to this, we were able to detect the exact time of day he was doing this and notified the FBI. The FBI tracked him down through the local telecom services to determine where he was located and found his exact address. He was arrested and prosecuted. I don’t think the company took action against the participating employees, but they did catch the guy actually committing the cyber-crime and he did go to jail. Tens of thousands of dollars were lost due to him. This was my biggest success in catching a hacker.