CloudAtlas fired senior engineer Ravi Nair on May 6, 2025. On May 9, production deployment scripts were deleted and a server note appeared saying, "Maybe revoke accounts faster." Login records show access through Nair's old SSH key from a VPN endpoint he had used before. Nair says CloudAtlas invited former engineers to report security gaps under a bug-bounty policy and that he only tested whether his key still worked. Prosecutors charge unauthorized access and damage under the Computer Fraud and Abuse Act.
SSH and VPN access logs
Logs show Nair's old SSH key authenticated at 1:12 AM through VPN endpoint 185.73.44.19, an endpoint associated with his personal VPN account in prior HR reimbursement records. Defense says commercial VPN endpoints are shared. Trial use: Ties access to Nair's credentials and a familiar VPN endpoint, while shared commercial infrastructure leaves attribution open to attack. Foundation: A custodian, author, recipient, or investigator should authenticate when it was made, how it was preserved, and how it connects to the disputed event. Cross-examination focus: Attribution Dispute; FRE 702.
Deleted deployment scripts and recovery report
CloudAtlas SRE report shows three deployment scripts deleted and restored from backup after 9 hours of outage risk. No customer data was accessed. CloudAtlas claims $34,000 in response labor. Trial use: Shows actual production-system modification and response costs, but absence of data access limits damage severity. Foundation: A custodian, author, recipient, or investigator should authenticate when it was made, how it was preserved, and how it connects to the disputed event. Cross-examination focus: Damage Calculation.
Server note left after access
A text file named revoke-your-keys.txt stated: "Maybe revoke accounts faster." Prosecutors call it a taunt; Nair says it was a security warning consistent with responsible disclosure. Trial use: Supports intent by framing the file as a taunt, while Nair can characterize it as a security-warning disclosure. Foundation: A custodian, author, recipient, or investigator should authenticate when it was made, how it was preserved, and how it connects to the disputed event. Cross-examination focus: Ambiguity.
Bug-bounty policy page
The policy invites "security researchers" to report vulnerabilities, excludes destructive testing, and says production data must not be modified. It does not expressly exclude former employees. Trial use: Gives the defense an authorization theory, but policy limits on destructive testing and production changes undercut it. Foundation: A custodian, author, recipient, or investigator should authenticate when it was made, how it was preserved, and how it connects to the disputed event. Cross-examination focus: Contract Interpretation.
Laptop forensic image
Forensics found no CloudAtlas files on Nair's laptop but did find a terminal history command testing ssh cloudatlas-prod on May 9. Nair says he did not delete anything and the history proves only a login test. Trial use: Provides forensic context for attempted access, while no stolen files and limited history evidence weaken proof of deletion. Foundation: A custodian, author, recipient, or investigator should authenticate when it was made, how it was preserved, and how it connects to the disputed event. Cross-examination focus: Completeness; Authentication.
Priya Menon (CloudAtlas SRE manager)
Manager responsible for production deployment infrastructure
Nair was terminated and had no permission to access production. The deleted scripts created serious deployment risk. The note was not a report; it was left after damage was done.
Ravi Nair (defendant)
Former CloudAtlas senior engineer
I tested whether my key still worked under their security reporting policy. I did not delete scripts. The note was a warning because they had left former employee keys active. Shared VPN logs cannot prove I performed destructive actions.
Special Agent Marcus Reed (FBI cyber squad)
Cybercrime agent who analyzed access logs
The timing, SSH key, VPN endpoint history, and terminal command all point to Nair. The bug-bounty policy prohibited modifying production systems, and scripts were deleted.
Computer Intrusion After Termination — Federal