F.A.C.E.S.

Document handling notice

This dossier is privileged investigative work product prepared by Divergence Systems. It is intended for internal review first, then — on counsel approval — onward distribution to designated regulator and law-enforcement counterparts. It is not a press document, marketing collateral, or public release.

Evidence in this dossier was collected on-site on 2026-04-30 by Divergence Systems staff (Apo and Fox). Hardware and notebooks were photographed in situ; the on-site team's Surface tablet appearing on the seized-network screenshots (host TABLET-JVQFGF9E, 192.168.1.25) is investigation kit and is excluded from operator inventory throughout this report.

To cite a specific finding, use the format DUBAI-SERVER-agy report v0.1.0 §X.Y and reference the underlying archive file under project/case-archive/archive/NN_*.md. Forward any redistribution request to info@divergence.systems before sharing.

Executive summary

1.1   Case in one paragraph

A two-tier investment-fraud operation under the "Mirage" brand — regulator-confirmed by ADGM/FSRA on 2025-12-04 as "Mirage by MAG Investment LLC / Trade Mirage", with infrastructure seized on-site by Divergence Systems on 2026-04-30. The operation is the investment arm of Matajar Group — a Dubai corporate parent owned by Muhammed Dhilshad / Dilshad Muhammed — with a German operator-side cell stamped in seized notebooks as "MIRAGE E-TRADE LLC" (Sharjah, P.O. Box 5045), those notebooks confirmed by on-site staff to belong to Dennis Poschner (Offenburg, Germany). The advertised model is a "physics-of-finance" 6-coin (ETH/SOL/DOGE/BCH/TON/FIL) algorithmic trading bot promising 12% per 30 days, with reinvestment into a target portfolio of 229–289 Dubai houses worth USD 1.144 billion. The actual operational mechanic — per third-party reviews of trademirage.com — is a withdrawal-trap fee-stacking advance-fee fraud. ^[1]

1.2   The single highest-priority finding

Dilshad Muhammed publicly self-identifies Trade Mirage as part of the Matajar Group on his own LinkedIn. In his 2025 New Year LinkedIn post, the hashtag bundle reads:

This places #trademirage alphabetically and operationally adjacent to four confirmed Matajar subsidiaries (#matajargroup, #bizfuel, #matajarecommerce, #matajarrealestate) and to the operator's own personal-brand tag #dhilshadmatajar. It is a direct operator-side admission that Trade Mirage is a Matajar product — removing any plausible-deniability defence that the two operations were unrelated. Time-critical: archive to Wayback / archive.today and screenshot before the post is edited or deleted.

A subsequent research pass ^[16] surfaced at least 19 dedicated Trade Mirage / Mirage International / Mirage Trading video titles on Dilshad's personal YouTube channel @Dhilshadthoughts — including a 2025-03-18 Short literally titled Trade mirage By #Matajar Group #matajargroup — establishing a second independent operator-side admission across a second platform. The same pass established Mirage International Trading as a Matajar entity since 2006 and the Mirage by MAG Investment LLC operating licence as continuously held since 2010, both per Matajar's own About-Us page. The corporate ecosystem behind the ADGM-flagged scheme is 20 years old and multi-jurisdiction, not a recent shell.

1.3   Top-level entity map

Figure 1.1 — Top-level entity map. An SVG entity-relation diagram is rendered here at build time from case-archive/archive/graph/nodes_edges.json (filtered to layers ≤ 7). Lines indicate identified relationships; dotted lines indicate suspected relationships pending confirmation. Pending build-time renderer.

                        Dennis Poschner (DE)
                        Offenburg, Germany
                  e36-verdeck.de (auto-parts cover)
                       ▼
            Seized handwritten notebooks
            "MIRAGE E-TRADE LLC" Sharjah stamp
            6-coin DSA model + 12%/month + $1.14B Dubai-property exit plan
                       │
                       ▼ (likely partnership / franchise)
                       │
               Muhammed Dhilshad (UAE Golden Visa)
               Matajar Group (Dubai) — parent
               ├── Mirage by MAG Investment LLC ◀── ADGM/FSRA fraud alert (2025-12-04)
               │     └── Trade Mirage (trademirage.com — now parked)
               │     └── Instagram @mirage_by_mag
               ├── MAG NEXA (4%/month investment vehicle)
               ├── Matajar E-Commerce / Dabbab Express (legitimate cover)
               ├── D Cars, D Express, Bizfuel, Moms & Wives, Get Lead
               └── Metric Motive (Calicut, India)

1.4   Suspect summary cards

1.5   Five-tier investment-product ladder

The Matajar Group runs five concurrent yield-promise products at five distinct entry points — all openly published on operator-controlled pages.^[17] The lowest tier (D Express subscription, AED 6,000 entry) is the gateway product framed as a grocery-loyalty subscription; the apex tier (Trade Mirage, 12% / month) is the ADGM-flagged forex bot. ^[13]

Operationally critical: Meta is still serving ads for both Mirage by MAG and Trade Mirage with start dates as recent as 2026-04-17 — 134 days after the ADGM/FSRA fraud alert. By contrast, Google Ads Transparency Center reports 0 ads across all 5 operator domains in the UAE, so the operator's paid-acquisition funnel runs exclusively through Meta. None of the 8 operator-controlled domains have ever been archived by Wayback Machine — the negative finding is itself anomalous and suggests deliberate archive-suppression. ^[17]

1.6   What has been done · what remains

Regulatory & evidentiary anchors

§2.1 ADGM/FSRA fraud alert (2025-12-04). Full quote of the alert + screenshot will render here at build time from case-archive/archive/01_adgm_alert.md.

§2.2 Chain of custody — 2026-04-30 seizure. Photo strip of 4 hero images, captioned "Figure 2.1 — Hardware seizure sequence". Source: case-evidence/photos/hardware/.

§2.3 Seized hardware — Dell PowerEdge R730 with "MIRAGE E-TRADE LLC" stamp. Annotated photo of the asset tag and chassis stamp. Source: visual-evidence-sequence.md.

§2.4 Seized notebooks — 81 photographed pages. Mosaic of 9 representative pages with captions. Source: documents-analysis.md.

Suspect dossiers

3.1   Dennis Poschner — operator, German side

The seized notebooks were confirmed on-site (2026-04-30) by Divergence Systems staff to belong to and have been written by Dennis Poschner. They contain the full "Data Search Algorithm" (DSA) / "BTC Search Algorithm" (BSA) derivation, the 12%-per-30-days formula P_n(h) = h · n / 21,600,000, and the USD 1.144 billion exit narrative — all consistent with a single author's handwriting and reasoning style across the 81 pages.

3.1.1   Identification

• Full address (per e36-verdeck.de/impressum): Fischerstraße 1d, 77652 Offenburg, Germany.
• Cover business email: e36verdeck@gmail.com.
• LinkedIn (login-walled): de.linkedin.com/in/dennis-poschner-37b286225 ("Precise. Tech…" snippet); de.linkedin.com/in/dennis-poschner-706687348. Disambiguation pending authenticated-session capture.
• Facebook (login-walled): facebook.com/dennis.poschner.

3.1.2   Evidence chain

• Coreto AG invoice: a Dell PowerEdge R960 server purchase totalling EUR 481,180.13 — invoice reproduced in case-archive/archive/04_coreto_ag.md. Coreto is a verified-legitimate German Dell reseller; their disclosure on the customer file provides payment + ship-to + correspondence. ^[4]
• Cover business: e36-verdeck.de — BMW E36 convertible-top auto-trim trade. Public-record presence on bmw-syndikat.de auto-parts forum. ^[3]
• Notebook ownership: confirmed by Divergence Systems' on-site staff during the 2026-04-30 collection.

3.1.3   What we don't have yet

• Photo confirmation (no public photo of Poschner located in this pass)
• Authenticated-session captures of either LinkedIn profile
• Xing presence (not located)
• Instagram presence (not located)

3.2   Muhammed Dhilshad / Dilshad Muhammed — operator, UAE side

3.2.1   Identification

• Spellings observed: "Muhammed Dhilshad", "Dilshad Muhammed", "Dilshad Mohammad" (the third surfaces as the YouTube channel uploader name). ^[15]
• Role: CEO of Matajar E-Commerce LLC, part of Matajar Group.
• Location: Dubai, UAE.
• Status: UAE Golden Visa holder.
• Education (per LinkedIn snippet): Hindusthan College of Engineering and Technology.
• LinkedIn: linkedin.com/in/dilshad-muhammed-29590171 — 6,866 followers, 492 posts, 500+ connections, login-walled to public capture.

3.2.2   Evidence chain

• WHOIS: registrant of matajargroup.com.
• About-page corporate role: explicitly named CEO on matajargroup.com/about-us/.
• ADGM/FSRA alert: Mirage by MAG Investment LLC named on 2025-12-04 — a Matajar-branded entity per the corporate family in §4.
• Hashtag self-attestation: see §1.2 — 2025 New Year LinkedIn post explicitly bundles #trademirage with confirmed Matajar subsidiaries.
• YouTube: @Dhilshadthoughts channel (display name "Dilshad Mohammad"), 142 videos, mirrored 2026-05-05 via yt-dlp in metadata-only mode to case-archive/archive/captures/youtube/. Sample titles: "Forex trade Better Strategy", "Matajargroup.com", "my opinion 16". ^[15]

3.2.3   Captured public posts (3 of 492)

3.3   Anthony Maggio — US-side contact (low confidence)

Anthony Maggio is the named contact on Arizona LLC file 02365995 ("MIRAGE BROKERAGE COMPANY", incorporated 1991), and he is independently the founder of Forza Capital Funding, Inc. (Scottsdale, AZ — a mortgage-broker firm). Forza's Scottsdale address differs from the AZ Mirage Brokerage's Tempe address, which is consistent with Maggio acting as a registered-agent / nominee for the AZ LLC rather than a beneficial owner. He is a deposition witness — his fee-for-service records would identify the actual beneficial owner of the AZ LLC. ^[12]

Corporate family — Matajar Group → Mirage by MAG

§4.1 Matajar Group umbrella. Org chart (Figure 4.1) rendered from case-archive/archive/07_matajar_group_parent_entity.md.

§4.2 The three "Mirage by MAG" sister LLCs. Three-card row from case-archive/archive/13_mirage_by_mag_corporate_family.md.

§4.3 Hidden D Express subscription scheme. Direct quote of the AED 6,000 / AED 300 monthly returns wording + comparative chart.

§4.4 Brand-collision exclusions. Diagram + reasoning from case-archive/archive/14_brand_confusion_disambiguation.md, with NEXA Bali flagged as possible affinity-fraud lead.

Domain & infrastructure

§5.1 Operator-controlled domains — table from 06_whois_three_mirage_domains.md + 13_mirage_by_mag_corporate_family.md.

§5.2 WHOIS evidence and subpoena targets — named third parties + jurisdictional process for each.

§5.3 Hosting + LAN topology (Figure 5.1) — diagram with the Divergence Systems Surface (192.168.1.25) clearly labelled as team kit.

The advertised model — "physics of finance"

§6.1 The 6-coin DSA / BSA framework. Reproduction + typeset version from documents-analysis.md.

§6.2 The 12%-per-30-days formula. P_n(h) = h · n / 21,600,000.

§6.3 The exit narrative — USD 1.144B / 229–289 Dubai houses.

§6.4 The actual mechanic — Zorya Capital review of trademirage.com.

Network graph (interactive 3D visualisation)

§7.1 Reading guide — layer / shape / edge legend.

§7.2 Embedded 3D viz — inlined from case-archive/archive/graph/index.html + nodes_edges.json.

§7.3 Static rendering — pre-rendered PNG snapshot at three angles.

Tracking matrices

§8.1 Keyword tracking matrix — interactive HTML table from 00_keyword_tracking_matrix.md.

§8.2 Visual reference matrix — same format applied to image assets.

Action items — open as of report freeze

9.1   Time-critical

9.2   Subpoena / disclosure tier

Pending render. See archive/INDEX.md §9.

9.3   Government register lookups

Pending render. Sharjah SEDD · Dubai DED · ADGM · Egyptian FRA · Arizona AZCC · Indian MCA.

9.4   Forensic on-server

Pending render. Image disks read-only · ESXi/iDRAC log pull · VM inventory · MAC cross-reference.

9.5   OSINT lookups (cheap, high signal-to-noise)

Pending render. Reverse-image searches · PimEyes · Yandex face · HaveIBeenPwned + IntelX + Dehashed for known emails.

External services this machine powered

The seized Dell PowerEdge R730 is the technical backbone of an integrated multi-product fraud pipeline. Each public-facing brand below is a distinct customer-acquisition surface that ultimately routes capital through the operator's infrastructure. ADGM/FSRA has flagged one of these brands; the others remain operational and unflagged at time of report.

Money-flow projection

The figures below are not Divergence Systems estimates. They are the operator's own arithmetic, taken verbatim from operator-controlled web pages and the seized handwritten notebooks. The projection therefore reads what the system was designed to move — the actual realised flows are an open question pending forensic disk imaging, Coinbase disclosure, and victim testimony.

11.1   Per-product unit economics — operator's own figures

11.2   Per-investor lifetime — Trade Mirage exit narrative

The seized notebooks contain a fully-worked exit narrative on pages 70–72:

  $1,144,900,000  total exit target
  ÷  ($4M per house, 1 sample)   = 286 Dubai houses
  ÷  ($5M per house, 1 sample)   = 229 Dubai houses
  → target portfolio: 229–289 Dubai-property residences

  Reverse-derive per-investor capture for a 6-year ramp at 12%/m compounding:
  $1,144,900,000 / (1.12)^72 ≈ $358 (incoming first month, theoretical)
  — but this is the maths-pitch, not the realised flow. The withdrawal-trap
  fee-stack (per Zorya) extracts USD 5–25K per fooled investor before they
  abandon the platform.
    

Realistic capture per fooled investor (industry baseline for withdrawal-trap forex bots): USD 5,000–25,000 each. To approach the operator's stated $1.144 B exit target via this single product would require approximately 45,000–230,000 fooled investors. The five-tier ladder is therefore an investor-segmentation funnel — each tier captures a slice of the population with a price-discriminated entry point, summed.

11.3   Public claimed metrics from the operator's own corporate pages

The operator publishes inconsistent statistics across two corporate sites — both attributed to the same group, both naming Dilshad as CEO:

The fact that the same operator publishes 50,000 users on one corporate page and 7.9 million on another indicates either deliberate inflation on one of the two sites or complete absence of editorial control. The use of Indian Rupees (₹) as the revenue unit on a UAE-Bangkok-Calicut multinational holding company is itself revealing — the financial accounting backbone is in Calicut.

11.4   Caveats & what the operator's stated figures cannot tell us

• Stated returns are pitch, not realised flows. Liquid crypto markets do not produce 12%/month sustainably; per-tick figures of 442%, 1,483%, and 7,005% in notebook page 90 are physically impossible and label these as marketing.
• The $1.144B exit target is aspirational. No claim is made that this has been reached.
• Realised flows are recoverable only via: (a) forensic imaging of the R730 + Mac PC for transaction logs and any wallet keystores, (b) Coinbase US-legal-process subpoena, (c) victim testimony, (d) bank-side disclosure on operator UAE / Thai / Indian accounts.

Blockchain leads

12.1   What we have

1. Page 53 of the seized notebooks — the operator's own system-architecture flow diagram literally names C2 (Coinbase) as the routing exchange between the algorithm output (`Analysiert(X) → ETH → C1`) and the trader's terminal (Apple, i.e., the Mac PC seized in the same room). ^[18]
2. Page 98 of the seized notebooks — six asset boxes (`ETH, SOL, FIL, DOGE, TON, BCH`) drawn as a complete graph (K₆) plus a seventh hub node with intersecting connections to all six. Most-likely interpretation: that hub is the routing exchange (= Coinbase, per page 53) or the operator's central wallet.
3. Page 52 of the seized notebooks — a 17-coin shortlist with launch-year selection criteria. The operator was actively narrowing a candidate set against a pre-2020-launch + sustained-liquidity filter. This is the asset universe to look across in any on-chain analysis.
4. Page 66 of the seized notebooks — explicit `Blockchain → {NFT, Smart contracts, WEB3}` axis. The operator was contemplating extension into NFT and smart-contract primitives, beyond the spot-trading model alone.
5. The dollar amounts in the notebooks — `$1,144,900,000` (3×, the exit total), `$50,000`, `$28,000`, `$1,000` — these are signature-level numbers that, if the operator's accounting was to-the-cent, may be visible as on-chain transaction volumes if operator-controlled wallets are surfaced.

12.2   What the public-facing code does NOT have

A regex scan across every Firecrawl-captured operator domain HTML returned zero hits on any of:

• BTC P2PKH (`1...` / `3...`) addresses
• BTC Bech32 (`bc1...`) addresses
• Ethereum addresses (`0x` + 40 hex)
• Tron, Solana base58 addresses (excluding Facebook CDN false-positives)
• MetaMask, WalletConnect, web3.js, or ethers.js JavaScript hooks
• Coinbase Commerce, Binance Pay, or any merchant-side crypto-payment widget

Conclusion: the customer-facing fraud surface (Trade Mirage / D Express / DCARS) does not expose any blockchain integration in its HTML. The deposit funnel runs as customer → call-centre (Calicut WhatsApp +91 9037812288) → manual onboarding → bank transfer or credit-card fee-stack. Any actual on-chain leg is server-side on the seized R730 / Mac PC, or per-investor-generated and exposed only to authenticated members in the (now offline) Trade Mirage member area.

12.3   Coinbase subpoena — consolidated identity list

A Coinbase US-legal-process request should query for accounts associated with any of the following identifiers (any single hit may be sufficient to unlock the full account record). Full list maintained in archive/18_*.md §2.8; abbreviated here:

12.4   On-chain matching strategy (signature-number method)

Independent of subpoena access, an on-chain signature-number match may be possible if the operator's accounting was numerically literal:

1. Targets: ETH, SOL, FIL, DOGE, TON, BCH (and the wider 17-coin universe per notebook page 52). Use Etherscan (ETH), Solscan (SOL), Filfox (FIL), Dogechain (DOGE), Tonviewer (TON), and BCHScan (BCH).
2. Date range: 2024-01-01 → 2026-04-30 (roughly the active operational window between the rebrand to Dabbab Express and the seizure).
3. Signature amounts to scan for: exact transfer amounts at the operator's stated dollar-value moments. The notebook records `$50,000`, `$28,000`, `$1,000`, `$1,144,900,000`. Convert each to coin-amount at the on-day spot price and search. A single match is uninformative; three or more in sequence on the same address is a behavioural signature.
4. Behavioural pattern: per page 53, the architecture is "Analysiert(X) → ETH → C1 → C2 (Coinbase)". So expect ETH inflows from a small set of addresses, followed by routing to known Coinbase deposit addresses. Coinbase deposit addresses are publicly catalogued (e.g., `0x71660c4005ba85c37ccec55d0c4493e66fe775d3`, `0x503828976d22510aad0201ac7ec88293211d23da`, etc.). Inflows from a single small cluster followed by aggregated routing to those Coinbase addresses on dates aligned with the operator's stated activity = a candidate pattern.
5. Tooling: Chainalysis Reactor / TRM Labs / Arkham Intelligence (paid), or open-source: etherscan-py + web3.py for ETH; solana-py for SOL. Free chain explorers' "address tag" features sometimes flag known scam addresses.
6. NFT / OpenSea axis (page 66): if the operator extended into NFT, the wallet would have OpenSea / LooksRare / Blur trading history visible on Etherscan-by-token. Search for any wallets transacting with all three of (a) a Coinbase deposit, (b) NFT mints/buys on a OpenSea contract, (c) one of the 17-coin shortlist on a single ETH chain.

12.5   What we did NOT find — wallet addresses in the notebooks or HTML

No specific wallet address strings (no `0x...`, no `bc1...`) are present in either (a) the digitised seized notebooks or (b) any operator-controlled HTML / Firecrawl capture. The operator wrote "Coinbase" by name in the notebooks but did not record specific wallet addresses in the captured pages — those are likely held in a separate physical ledger (yet to be located among the seized materials), in a digital file on the R730 or Mac PC, or memorised as seed-phrase-only.

12.6   Action items — blockchain track

1. Forensic imaging — both the R730 and the Mac PC. The Mac PC was air-gapped at seizure time per on-site staff; its disk is therefore intact. Browser-stored credentials, MetaMask extension data, OpenSea logged-in sessions, and any seed-phrase / wallet-keystore files would be on these disks.
2. Coinbase US-legal-process subpoena with the consolidated identity list above.
3. Search the remaining seized notebooks for any wallet-address-shaped strings (40-char hex, 33-char base58 starting with 1/3, bc1-prefixed Bech32). The catalogue currently covers 81 of 94 photographed pages; some pages may not have been digitised yet.
4. On-chain signature-number search per §12.4 using the operator's own dollar amounts.
5. Victim disclosure — the 47-employee LinkedIn list of the Egyptian broker (still requires authenticated session) may include former operations staff who can name internal wallet labels or counterparty addresses.

Crypto-related entities for further research

The seized notebooks explicitly route through Coinbase (notebook page 53: C2 (Coinbase))^[18], and the asset universe spans 17 named coins (notebook page 52). The table below catalogues every crypto-adjacent entity that should be researched and (where applicable) issued legal process. Status column: SUBPOENA = US/EU legal process applicable; RESEARCH = OSINT only; EXCLUDED = no operator-link established.

14.1   Exchanges & payment rails

14.2   The 17-coin universe (notebook p.52) — public chains to scan

14.3   Forensic / on-chain analytics tooling

14.4   Wallet-related notebook references (raw)

• Page 53: Analysiert(X) → ETH → C1 → Schau Währg X→Y → C2 (Coinbase) → Trader → Apple
• Page 98: K₆ asset graph (ETH/SOL/FIL/DOGE/TON/BCH) + 7th hub node = routing exchange
• Page 66: Blockchain → {NFT, Smart contracts, WEB3}
• Page 52: 17-coin shortlist with launch-year selection (above)

No wallet-address strings (no 0x..., no bc1...) are present in either the digitised notebooks or any operator-controlled HTML. Any actual addresses live on the seized R730 / Mac PC, in a separate physical ledger not yet captured, or in the operator's Coinbase / Binance / etc. account dashboards which are recoverable only via legal process.

Phone numbers — operator-attached

Ten distinct operator phones have been captured to date — sourced from operator-controlled web pages, Facebook About sections, contact strips on Dilshad's profile page, and WhatsApp wa.me/ redirects behind UAE-displayed phones. The table below records each number, its claimed function, and an action checklist for live testing.

15.1   Immediate WhatsApp-test list (Divergence Systems action)

The numbers below are confirmed-on-WhatsApp candidates that an investigator can dial from a burner WhatsApp account (do not use a personal account) to capture profile photo, "last seen", auto-reply, and any business-account banner. Do not initiate conversation beyond a neutral greeting — preserves chain of custody and avoids operator-side detection that an investigation is active.

15.2   What to capture from each WhatsApp dial

1. Profile photo — reverse-image-search target; may surface unindexed surfaces
2. "About" / status text — sometimes contains business hashtags or Telegram handles
3. "Last seen" visibility (if not blocked) — gives an active-account heartbeat
4. WhatsApp Business banner — verified-business mark + claimed business name
5. Auto-reply — many call-centre numbers send a scripted auto-reply with hours / website / referral codes
6. Catalogue (if Business) — sometimes contains products / pricing + the operator's preferred deposit method

15.3   Truecaller / NumLookup cross-references

For each number above, run Truecaller (Indian-side dominant) and NumLookup / WhitePages / Sync.ME to get the community-tagged caller name. The Indian numbers (+91) are most likely to return Truecaller tags identifying the owning person or department. Save the screenshots into case-archive/captures/whatsapp-truecaller/.

15.4   Subpoena targets per number

DNS records — current state of all operator-controlled domains

Live DNS resolution captured 2026-05-05 via Google Public DNS (8.8.8.8). Full per-domain output preserved at case-archive/captures/dns/full_dns.txt. The findings below add several high-value subpoena targets that the operator's HTML alone did not expose.

17.1   Hostinger IP 82.25.106.182 = single-account multi-domain host

FIVE distinct operator domains all resolve to the same Hostinger IP:

* momsandwives.com resolves to a different IP (51.112.131.103) but uses the same Outlook 365 tenancy + GoDaddy DNS pattern — likely a sister Hostinger account or a separate VPS.

Subpoena target: Hostinger International Limited (Lithuania, EU) — disclosure of the customer account behind 82.25.106.182 would unlock the billing identity, payment method, and full list of domains hosted on the account. This is the single highest-value hosting subpoena in the case.

17.2   Microsoft 365 tenant verification tokens

Each Outlook-hosted operator domain publishes a Microsoft tenant verification (MS=ms*) TXT record. Microsoft holds the tenant identity for each token — subpoena unlocks the Microsoft 365 corporate-tenant owner.

17.3   Other named verification / pixel tokens

17.4   trademirage.com has unusual German-format date TXT records

Two TXT records on trademirage.com read literally as date strings in German DD.MM.YYYY format:

• <01.10.2025> = 1 October 2025 (a few weeks before the ADGM alert)
• <15.08.2025> = 15 August 2025

These look like operator-side annotations — possibly deployment markers, DNS-rotation timestamps, or some custom verification scheme. Their German DD.MM format is stylistic evidence of a German-side editor (consistent with Dennis Poschner). They are not part of any standard DNS-record specification.

17.5   Egyptian-side hosting cluster

The Egyptian-side cluster is hosted entirely on Egyptian ISP infrastructure (LinkDataCenter + TE Data) and runs its own Egyptian-domiciled SPF mail server (spf.mail.miragebrokerage.eg). Disclosure path is the Egyptian National Telecom Regulatory Authority (NTRA) and FRA.

17.6   Web3 / on-chain DNS records

A targeted scan was run for any web3-style DNS records — dnslink= (IPFS pointers), _eth./_btc. CAA-style wallet-pointer records, ENS reverse records, Unstoppable Domains hooks, and CryptoDomains TXT strings. No matches were found across any of the 22 operator-controlled domains. The operator's DNS is web2-only.

17.7   Reverse-WHOIS strategy (operator-attached email → other domains)

The next research step on this track is reverse-WHOIS: feed each operator-attached email (consolidated list in §12.3) into ViewDNS / DomainTools / WhoXY reverse-WHOIS to enumerate every other domain the same email has registered. Likely candidates per email:

• info@matajargroup.com → all matajar / mirage / mag-prefix domains
• dilshadmd@matajargroup.com → personal-side registrations
• e36verdeck@gmail.com → Poschner-side German registrations (if any)
• salamk05@gmail.com → Ashik Salam personal domain history
• mohamedkamalrakha@gmail.com → Egyptian-side registrations

A reverse-WHOIS hit on any operator email may surface previously-unknown sister scam domains registered by the same parties — the operator pattern of churning brand surfaces every 2–3 years (CandyBay → Matajar → Dabbab Express) means there are likely older registrations not yet in our domain inventory.

App Store, Play Store & developer accounts

The operator publishes 5 mobile apps (3 iOS + 2 Android) under 2 developer accounts. The Apple side is a personal-name account ("Muhammed Dilshad" ID 1786185813) — meaning Apple's payment-method-on-file points directly at the natural person, not a corporate entity. The Google Play side is a business-name account ("Moms and Wives") under which both D Express and Moms & Wives Android apps are published.

The dexpress.ai homepage carries verbatim Lorem Ipsum placeholder text ("It is a long established fact that a reader will be distracted by the readable content of a page when looking at its layout. The point of using Lorem Ipsum…"), duplicated on Matajar Group's own /d-express/ subsidiary page. An operator running an AED 6,000-entry investment platform with Lorem Ipsum in production is a strong signal of outsourced (likely Calicut Coders Bunch) web development with no operator-side copy review — and reinforces the picture that the actual sales funnel is the WhatsApp call-centre, not the website.

18.1   Mobile app inventory

18.2   New AWS infrastructure discovered: dabbab-bucket

The D Express iOS privacy-policy URL revealed an operator-controlled AWS S3 bucket:

https://dabbab-bucket.s3.me-central-1.amazonaws.com/TermsAndConditions/PRIVACY-POLICY-Dexpress.docx

Region: me-central-1 = AWS Bahrain. The bucket-root request returns "Access Denied" (listing restricted, normal AWS behaviour) but confirms the bucket exists. This is a new infrastructure subpoena target: AWS will disclose the account holder, billing card, region, and bucket-content listing under US legal process. Other operator assets likely live in the same bucket (Terms / Privacy / Cookie policies / app-asset images / promotional video files).

18.3   Discrepancy: dev-account name vs. corporate-marketing name

• Apple side: "Muhammed Dilshad" (personal-name account)
• Google Play side: "Moms and Wives" (business-name)
• Marketing presents these as Matajar / Mag Nexa products

The mismatch matters because Apple's Section 230-style limited-liability protections do not transfer when the developer is a natural person. Any dispute / fraud complaint against the iOS apps targets Muhammed Dilshad personally — not Matajar Group, not Mirage by MAG, not Mag Nexa. This is operationally relevant for victim recovery and for jurisdictional purposes.

18.4   Subpoena targets — store-side

• Apple Inc. — disclosure on Apple Developer ID 1786185813 (Muhammed Dilshad): full account, billing card, payment history, app submission history, internal review notes
• Alphabet / Google — disclosure on the "Moms and Wives" Play Console developer account: billing identity, payment history, app submission history, all listed apps
• Amazon Web Services — disclosure on the dabbab-bucket S3 bucket: account holder, full content listing, access logs

Domain registrations & WHOIS

Most operator domains are privacy-redacted in WHOIS (post-GDPR, this is standard for .com / .ai / .net), so the registrant identity is hidden in the public record and only recoverable via registrar-side legal-process disclosure. The registrar-by-domain breakdown below establishes which legal process applies to which domain.

19.1   Registrars and DNS hosts (consolidated)

19.2   Subpoena prioritisation

1. GoDaddy.com LLC (US) — registers most of the operator's .com and .ai domains: trademirage, dexpress.ai, momsandwives, magnexa.ai. Single subpoena under US legal process unlocks 4+ registrant identities.
2. Hostinger International (Lithuania, EU) — hosts the actual content for 4+ domains on shared IP 82.25.106.182. Single subpoena unlocks the hosting account-billing identity.
3. Microsoft Corporation — operates the M365 mailboxes for 6 operator domains (per archive 19). Single subpoena via the M365 tenant tokens unlocks all corporate mailboxes including dilshadmd@matajargroup.com, info@matajargroup.com, etc.
4. Wix.com Ltd — registers matajargroup.com and hosts its DNS. Wix is US-EU hybrid; subpoena unlocks DNS-edit history (incl. the German-format TXT records on trademirage.com if Wix has a transit role).
5. BigRock Solutions Ltd (India) — registers do-verify.com. Indian legal process; relatively responsive to ICANN procedures.
6. eNom, LLC (US — Tucows) — registers etrade-miragebrokerage.net (Egyptian arm). US legal process.
7. Cloudflare, Inc. (US) — DNS host for do-verify.com + getleadcrm.com. US legal process; will reveal origin IP.
8. AEserver (UAE) — local UAE registrar for matajar.ae. UAE legal process via TDRA.

Google Business profiles & local listings

20.1   "TRADE MIRAGE INVESTMENT" Google Business Profile (major finding)

The category "Business development service" is operationally telling: it is the most common UAE Google Business Profile category for entities that don't want their Maps listing to surface in regulator / consumer-protection searches for "trading platform" or "investment". The 4.6-star rating implies real reviewers — these reviewer profiles are victim-witness candidates.

20.2   "Matajar Group" Google Business Profile

Both listings share Plus Code 57V6+JF Dubai — they are in the same building area on Sheikh Zayed Collector Rd. The "Temporarily closed" annotation on Matajar Group is worth tracking; it may be Google-applied (algorithmic closure based on absent verifications) or self-applied (operator marked it closed).

20.3   2GIS Dubai listing

Independently of Google, 2GIS (UAE business directory) lists Matajar Group at "Rawdat Al Wasl Building, 206, Sheikh Zayed Road, 1st Floor, Office 1103, Al Wasl Jumeirah, Dubai" with phone +971 4 337 1027 (NEW landline). Listing ID 70000001100738456. The 2GIS address differs from the Google Business address — they may be the same building unit numbered differently, or a separate office in the same area.

20.4   Other operator brands' Google listings (pending capture)

• D Express — Google Maps search did not surface a dedicated profile in this pass; check directly
• DCars — Google Maps search returned only unrelated luxury-car businesses (AL MIRAGE MOTORS, AL MIRAGE NEW RENT A CAR — separate entities); no DCARS-by-Matajar profile surfaced
• Bizfuel · Mag Nexa · Moms & Wives — pending direct GMB lookup

20.5   Phone-number inventory revised

Adding the two newly discovered landlines, the operator's phone footprint is now twelve distinct numbers:

The three UAE landlines (+971 4 266 1924, +971 4 266 5518, +971 4 337 1027) all share the prefix +971 4 = Dubai area code. The two +971 4 266 numbers are sequential within Etisalat's Dubai block — likely two PBX extensions on the same physical office line. The 2GIS landline +971 4 337 1027 is on a different exchange and may correspond to a different tenant block or earlier office.

20.6   Email-address inventory revised

Adding info@momsandwives.com (newly surfaced from Apple's Moms & Wives developer-response thread), the operator's email footprint now totals eleven distinct addresses:

1. info@matajargroup.com — general matajargroup
2. dilshadmd@matajargroup.com — Dilshad corporate
3. dhilshad@matajar.ae — Dilshad personal (matajar.ae MX active)
4. info@magnexa.com — claimed but mislabelled (magnexa.com is third-party Italian)
5. partnerships@magnexa.com — same
6. info@momsandwives.com — NEW (Apple developer-response signature)
7. salamk05@gmail.com — Ashik Salam personal Gmail (leak)
8. e36verdeck@gmail.com — Poschner cover
9. mohamedkamalrakha@gmail.com — Egyptian admin
10. miragebrokerage2@gmail.com — Egyptian ops
11. onlinerequest@miragebrokerage.net — Egyptian corporate

Social-media intel: shared phones, hidden contacts & category-dodge pattern

21.1   The "category-dodge" pattern

Three operator brands all categorise themselves under non-financial social-platform categories — a deliberate pattern to avoid surfacing in regulator / consumer-protection search.

Each non-financial category is a deliberate choice. Search a regulator's Google for "Dubai forex trading platform" and Trade Mirage Investment's "Business development service" GMB profile won't surface; search "Dubai social services" and you'll see Moms & Wives. The pattern is consistent with a category-laundering posture — present the same business under whichever non-financial category each platform makes available.

21.2   Shared phone — D Express AND Moms & Wives are the same operator-side line

The phone +971 50 272 7891 appears as the customer-service contact on both the D Express website AND the Moms & Wives Facebook Page. One operator number serves two distinct branded customer-service surfaces — confirmed via the user-supplied Facebook screenshot dated 2026-05-05. This is a strong indication that the front-line call-centre answers calls under whichever brand the caller asks for, rather than running separate teams per brand.

21.3   "+ N" hidden contacts on Facebook Pages

The Moms & Wives Facebook Page Contact info section displays moms_nd_wives + 3 next to the email/IG line — Facebook's "+ N" indicator means 3 additional contact handles are stored on the Page but only revealed when a visitor expands the field. Each + N field on every operator FB Page should be expanded with a screenshot. Per the user's screenshot, those fields likely include:

• Instagram @moms_nd_wives (already known — also operates D Express's Instagram per archive 13)
• 3 additional handles — likely a second IG, a TikTok, a Threads, or a Telegram handle (not yet captured)

21.4   New personal Gmail discovered: info.matajargroup@gmail.com

Matajar Group's Facebook About page lists info.matajargroup@gmail.com as the email contact — distinct from the corporate info@matajargroup.com. This is the "humble-beginnings Gmail" variant — the operator-side personal Gmail used before the corporate Microsoft 365 tenancy was provisioned. Pattern: {prefix}.{brand}@gmail.com. Worth searching against HIBP / Dehashed / IntelX directly.

Updated email-address inventory now totals 12 distinct addresses. The info.matajargroup@gmail.com entry replaces the previous "Item 6 — info@momsandwives.com" slot and adds: info.matajargroup@gmail.com as a new candidate for reverse-WHOIS enumeration of the operator's domain registrations.

21.5   Action list — manual Facebook screenshot capture

Divergence Systems should walk through each operator-controlled Facebook Page in the Facebook mobile app from a burner account and screenshot the following sections per Page:

1. About → Contact and basic info — expand every "+ N" field; screenshot the full revealed list
2. About → Page transparency — captures: Page created date, Page name history (rebrands!), Country of admins, Confirmed Page owner, Ad library link
3. Reviews — full list of reviewer profiles + review text + dates (these reviewer profiles are victim-witness candidates for Trade Mirage Investment in particular)
4. Posts — first post date + most-recent post date (gives Page activity span)
5. Photos — any Photos section may contain operator-uploaded promotional images that surface additional brand surfaces (logos, posters, event photos)
6. Featured / linked Pages — reveals which other operator brands are connected to this Page in Facebook's internal graph

Pages to walk:

• facebook.com/Matajargroup
• facebook.com/momsandwives
• facebook.com/dexpress.dabbab (or whatever the D Express Page slug is — check via Facebook search)
• facebook.com/dcars.ae (or DCars slug)
• facebook.com/bizfuel
• facebook.com/MagNexa
• facebook.com/mirage.by.mag
• facebook.com/dhilshadmatajar (Dilshad personal)
• facebook.com/dennis.poschner (Poschner personal — Germany-side)
• facebook.com/miragebrokerage11 (Egyptian arm)

21.6   Why Page Transparency matters for this case

Facebook's Page Transparency section is one of the few pieces of Page metadata that cannot be retroactively rewritten by the Page admin — it's Meta-controlled. Specifically:

• Page created date — exact date the operator first registered the brand on Facebook. This is often earlier than the brand's public launch — it tells us when the operator started planning the brand surface.
• Page name history — every prior name the Page has been called. Operator pattern of churning brands (CandyBay → Matajar → Matajar by Nesto → Dabbab Express) may have left a trail in the Page name history if they reused the same Page rather than creating fresh ones.
• Country of Page admin — Meta surfaces the country (not the city) of each admin. If Matajar Group's Facebook admins are in Bangkok / Calicut / Germany / Egypt, that is direct evidence of cross-border collaboration.
• Ad library link — confirms whether the Page has run paid ads, plus a direct deep-link to all ads from that Page. (Already captured in archive 17 for keyword searches; per-Page links would surface ads we may have missed.)

Five regulator-grade self-incrimination exhibits on matajargroup.com

Across 2026-05-05 (141 days post-ADGM/FSRA fraud alert), the operator's parent corporate site matajargroup.com publishes five stand-alone exhibits that independently establish unlicensed financial-services solicitation, knowing facilitation of a regulator-flagged brand, multi-jurisdictional unlicensed investment claims, Ponzi grammar, and asset-class-incompatibility commingling fraud. Each exhibit below is verbatim from the live site²¹²².

22.1   Exhibit A — Mission-paragraph self-attestation

Source URL: matajargroup.com (homepage About-Us, also Investment + History pages)

"At Matajar Group, our mission is to lead with innovation, integrity, and customer focus across every sector we serve. From building trusted investment platforms in forex and commodities, to delivering seamless eCommerce experiences and redefining automotive access through rental and lease solutions..."

The phrase "trusted investment platforms in forex and commodities" is a public-facing self-attestation that Matajar Group operates forex/commodity trading platforms. Cross-search of SCA + DFSA + FSRA registers confirms no UAE financial-services license for Matajar Group, Mirage by MAG, or Trade Mirage. The mission paragraph is direct evidence of unlicensed financial-services solicitation under UAE Federal Law (SCA Decision No (1/R) of 2019).

22.2   Exhibit B — Cross-sell of regulator-flagged brand from parent corporate site

Source URL: matajargroup.com/services — Golden Membership Card section

"The Golden Membership Card is Matajar Group's premium loyalty and subscription program... Whether you're shopping on Dexpress, renting a car through Dcars, managing van sales with BizFuel, or investing through Mirage..."

The parent corporate site explicitly cross-sells "investing through Mirage" as a vertical of a loyalty program — post-ADGM-alert and post-FSRA-alert. This places the regulator-flagged Mirage brand at the apex of a Matajar Group customer-journey funnel. Even if Mirage by MAG Investment LLC is argued as a separate legal entity, the parent-company cross-sell creates direct knowing facilitation of the unlicensed Mirage investment offering.

22.3   Exhibit C — MAG NEXA "Where Wellness Meets Wealth" pitch (verbatim)

Source URL: matajargroup.com/mag-nexa — full pitch section

"MAG NEXA presents a compelling investment opportunity for forward-thinking high-net-worth individuals... With a minimum entry of $25,000 USD, investors gain access to a structured monthly return of 4% equivalent to 48% per annum paid directly from live operating cash flow across three revenue-generating verticals."

"Unlike speculative investments, MAG NEXA is anchored by real, appreciating assets — from premium retreat operations and curated holiday homes to a flagship luxury resort development in Thailand. Your capital doesn't sit idle; it powers a self-sustaining ecosystem that grows with every client acquired, every stay booked, and every property added to the portfolio."

"Investors also enjoy exclusive lifestyle privileges including complimentary and discounted retreat access, priority booking across the full Nexa network, and invitations to private investor summits. With a clear 36-month buildout roadmap and multiple exit pathways including equity conversion, resort asset sale, and global franchise scaling..."

This paragraph is textbook unauthorised investment-services solicitation across multiple jurisdictions:

• USD-denominated investment offer with structured monthly return → US securities-regulation hook if any US-resident subscribes
• "Live operating cash flow" = securitised income claim → US/UK/EU prospectus requirement
• "Flagship luxury resort development in Thailand" = falsifiable claim, testable via Thai DBD construction-permit register
• "48% per annum" yield = operationally impossible from genuine wellness-retreat / hospitality cash flow (industry norm 8-15% IRR)
• "Equity conversion" / "global franchise scaling" = describes itself as an equity-like instrument without any of the required UAE securities-licensing disclosures (no prospectus, no auditor, no SCA / DFSA / FSRA / VARA registration)

Three new sub-brands surfaced from this pitch: ZEN Escape retreats, Nexa Sanctuary resort, Nexa Stay holiday homes.

22.4   Exhibit D — Ponzi grammar (returns described as a function of new client acquisition)

Within Exhibit C, one phrase warrants standalone treatment as a regulator exhibit:

"Your capital doesn't sit idle; it powers a self-sustaining ecosystem that grows with every client acquired, every stay booked, and every property added to the portfolio."

The phrase "grows with every client acquired" describes returns as a function of new client acquisition rather than asset performance. This is the textbook Ponzi grammar — investor returns are funded by new investor inflows, not by the underlying claimed asset's cash generation. Under SEC v. Howey Co. (1946) and equivalent UAE / Egyptian / Indian securities-fraud jurisprudence, this language alone is sufficient to characterise the offering as an unregistered securities-fraud scheme.

22.5   Exhibit E — Asset-class incompatibility (commingling-grade fraud)

Source URL: matajargroup.com — Investment page (logistics + delivery van + property stacked at AED 100,000)

• Logistics Investment: "Invest in Dabbab Express logistics for a secure 4-6% monthly return on a 100,000 AED investment. Our one-year contract ensures steady profit in the thriving UAE e-commerce sector..."
• Delivery Van banner: "INVEST IN DELIVERY VAN" (specific physical-vehicle stake)
• Property banner: "SECURE YOUR FUTURE BY INVESTING IN PROPERTY WITH MATAJAR TODAY / INVESTMENT INFO: UPTO 35% / BUDGET STARTS FROM AED 100K"

These are three completely incompatible asset classes presented as the same investment at the same minimum entry. A regulator's read: investor money is pooled into an undefined product and labelled whichever asset class will close the prospect. Commingling-grade fraud — investors don't know what they're actually buying. Under UAE Federal Decree-Law No. (20) of 2018 (AML/CFT Law), pooling investor funds under misrepresented asset classes triggers AML reporting requirements that have not been met.

22.6   Nine simultaneously-published investment products

No legitimate operator simultaneously publishes nine yield-promise products spanning seven incompatible asset classes. The combinatorial pattern itself is operational signature.

The operator's brand-shadow signature — one-letter / namespace shadowing of legitimate entities

The operator's signature tactic is one-letter / namespace shadowing of legitimate UAE/regional entities. Four instances are now documented²¹.

Plus a fifth potential instance: AZ MIRAGE BROKERAGE COMPANY (Arizona LLC file 02365995, since 1991) is at the same Tempe AZ address that the Egyptian Mirage Brokerage Co self-attests as their US presence — a transatlantic brand-shadow.

The four-plus instances are not coincidence. Brand-shadowing of a legitimate entity within the same regulatory market is an operational pattern: investor due-diligence searches return real results that the investor mis-attributes to the operator's brand. The operator builds credibility off the borrowed reputation without the licensing or asset base that actually backs the legitimate entity.

Mobile-app inventory + Apple/Google developer-account natural-person liability

24.1   Apple App Store (Indian regional registration)

3 iOS apps under this developer account:

24.2   Google Play (business-name developer)

• D Express — com.matajar.dexpress — 1K+ downloads
• Moms & Wives — com.matajar.momsandwives — 100K+ downloads

24.3   AWS S3 (Bahrain region)

24.4   Why the developer-account name asymmetry matters

Apple's payment-method-on-file points directly at Muhammed Dilshad personally, not Matajar Group / Mirage by MAG. Any victim-side Apple-channel dispute or fraud complaint targets Dilshad as the personal natural-person developer. This is a direct natural-person liability handle distinct from the corporate-shell layer — and a clean subpoena target via Apple Inc. (Cupertino, CA) for billing identity, payment methods, refund history, and login IPs.

Updated 14-phone consolidated inventory + WhatsApp selective-scrub pattern

25.1   The 14-phone inventory

25.2   The selective-scrub pattern

The 2026-05-05 investigator-led WhatsApp test sweep revealed a selective-scrub pattern — the operator has wiped WhatsApp accounts on regulator-flagged-brand numbers while keeping live the ones that funnel to leadership:

• ON WhatsApp = operator funnel still operational: Dilshad-tier +971 58 859 3159, Matajar +971 56 333 5111, D Express +971 50 272 7891, DCARS +971 50 216 4944, Calicut +91 90 3781 2288 and +91 84 5355 5000
• NOT on WhatsApp = regulator-cleanup cosmetics: Trade Mirage HR +971 54 997 8780

Trade Mirage HR is voice/SMS-only by design. When a regulator dials the number printed on the Trade Mirage hiring poster, they hit "not on WhatsApp" and the trail looks dead. Meanwhile the actual leadership funnel routes through +971 58 859 3159 which doesn't carry the Mirage brand string and isn't on the regulator's radar. This is operational counter-intelligence behaviour consistent with someone who has already responded to a regulator alert by silently triaging which channels to keep open.

Updated 12-email consolidated inventory

Adding three NEW emails surfaced from this batch (humble-beginnings Gmails + Trade Mirage HR Gmail + Play Store-leaked address):

Three of the twelve are Gmail addresses (humble-beginnings pattern): the operator's pre-corporate mail used before the Microsoft 365 tenant was provisioned. These are the highest-yield targets for HIBP / Dehashed / IntelX (paid-tier) breach-database lookups — a single breach hit ties the email to a real device, a real IP, a real registration trail across years of the operator's history.

Operational unsophistication signals — the operator's digital infrastructure is template-grade

Triangulating across captured material, the operator runs a fraud psychology that is sophisticated at brand churn and affinity marketing, but unsophisticated at digital infrastructure. Eight signals collected:

1. Lorem Ipsum placeholder text on three production operator pages — dexpress.ai homepage AND matajargroup.com/d-express/ AND console.do-verify.com "coming soon"¹⁷. Lorem Ipsum on a live commerce surface signals neither QA nor pre-launch review.
2. Zero analytics pixels on operator HTML despite 100+ active Meta ads — no Meta Pixel, no GTM, no GA4, no TikTok Pixel, no Hotjar, no Mixpanel, no Segment, no Clarity, no reCAPTCHA, no Stripe / Razorpay client-side keys¹⁹. The operator has paid Meta substantially for paid ads but cannot measure conversion.
3. WordPress + Elementor + ElementsKit Lite + Metform template-grade build — no SEO plugins, no custom theme, no enterprise plugin stack. The operator's flagship corporate domain is a $47/year template assembly.
4. Five contradictory tech-arm labels for the same function: Coders Bunch (Mag Nexa BKK+Calicut), TechnoTech (matajargroup services snippet), MTECHO.TECH (matajargroup live page), Metric Motive (Calicut, parked website), aeth Analytica (third-party contractor publicly crediting Nesto Group, not Matajar — direct contradiction of operator narrative).
5. Three inconsistent active-user counts: matajargroup.com claims 50,000 users; magnexa.ai claims 7.9M users; magnexa.ai/subsidiaries claims 7.9M+ but earlier said 5 ops vs 6 ops within own pages.
6. Nine simultaneously-published yield figures across operator domains — none achievable in their stated asset class.
7. Brand-shadow pattern + ENS-ignorance: zero operator brand strings registered on ENS or Unstoppable Domains²². Operator runs in 2024-2026 with a pre-2018 web2-only mental model.
8. Mobile +97156335111 published with 8 digits (invalid UAE format) on contact-us page — typo on the operator's own corporate website, never QA'd.

The operator did not outsmart anyone. They out-volumed scrutiny by churning brands every 2-3 years and spreading exposure across enough jurisdictions that no single regulator sees the whole picture. The infrastructure unsophistication actually aids the case: it confirms the absence of any underlying technical operation matching the "algorithmic trading bot" / "AI investment platform" claims.

First photographic evidence of the operator's face — 24 April 2025 birthday post

The 24 April 2025 Matajargroup.com Facebook birthday post titled "Happy Birthday Visionary CEO MUHAMMAD DHILSHAD" provides the first attached-to-his-name photograph of the operator. Image shows beard, brown jacket, tan shirt, dark hair²¹.

• Reverse-image-search target across PimEyes / Yandex / Google Lens — the operator may appear in other Indian / Kerala diaspora photos / events / social posts under different identities
• Approximate birthdate: 24 April (year unknown — birth ~1985 estimated from "15+ years experience" claim)

Two named likers of the post — Jasna Shabeer + Sofiya Sofiya — are inner-circle candidates worth running through LinkedIn / FB / IG for relationship to operator (likely relatives or close associates).

@Momsandwives YouTube channel mirrored via yt-dlp — 206 videos / 305 descriptions / 63 EN VTT

29.1   Confirmed speakers / on-screen guests

• Megha Nair — host
• Arya Balakrishnan — featured guest (Oct 2025)
• Fathima Abdul Salam — featured guest (Oct 2025) — note: surname "Salam" matches Ashik Salam (operator Product Manager); possible relative
• Nasrin — featured guest
• RJ Fazlu (rjfazlu3144) + RJ Vysakh — featured commentators (Malayalam radio personalities)

29.2   Significant titles surfaced

• "YouTube Channel Launch Event | moms and wives | rjfazlu | rjvysakh | matajargroup" (12 May 2025)
• "Moms And Wives Event | YouTube channel | 100 influencers" (13 May 2025) — confirms 100-influencer event
• "ഈ ആപ്പ് തട്ടിപ്പാണോ ???? / moms and wives" (Translation: "Is this app a fraud???") (12 May 2025) — content addresses the fraud question publicly
• "Earn from home and make your dreams come true. Join Moms and Wives" (29 Oct 2025) — direct recruitment pitch
• "ഒറ്റ ക്ലിക്കിൽ ഒരു കോടി വരെ..!" (Translation: "Up to one crore with one click..!") (23 May 2025) — promises ₹1 Cr (~USD 120K) with one click — fraud-grade language

29.3   MEGA APP LAUNCH playlist — 54-video speaker-inventory mining target

The "MEGA APP LAUNCH" playlist on the channel contains 54 videos documenting the Moms & Wives app launch event. Likely speaker / panel / demo recordings — each title reveals additional named operator-affiliated personalities. Transcript-analysis run over the en / en-orig / ml subtitle tracks is a one-shot speaker-inventory mining opportunity that closes the inner-circle attribution gap for the case.

The India trail — Calicut as operations origin + Indian-MCA disclosure + Kerala SP cyber-crime route

The India trail is broader and older than the UAE trail²². Calicut (Kozhikode), Kerala is the operator's talent / call-centre / CRM / influencer / analytics origin. The UAE-side branding is the public face; Calicut is where the operation is actually run.

30.1   Calicut connections matrix

30.2   Indian MCA disclosure path

Indian Ministry of Corporate Affairs (MCA) public register search should surface:

• Coders Bunch (Pvt Ltd) — Director list + paid-up capital + registered office + auditor
• Metric Motive (Pvt Ltd or LLP) — same fields
• Getlead Analytics Pvt Ltd — Director list likely overlaps with Dilshad / Ashik Salam / other operator-named natural persons
• TechnoTech (if registered in India)
• MTECHO.TECH (variant)

The directors' AAdhaar / PAN cross-references will tie Indian-side operations to the natural persons. Typical Indian Pvt Ltd has 2 directors minimum — those names are the second tier of operator natural-person attribution beyond Dilshad himself.

30.3   Kerala State Police cyber-crime route

• Affinity-fraud complaints from UAE returnee investors (common case category)
• PMLA referrals to Enforcement Directorate (ED)
• Coordination with Reserve Bank of India for OTC stablecoin-acquisition flagging

If any Kerala-resident victim has filed a cyber-crime complaint against Mirage by MAG / Matajar Group / D Express / Moms & Wives, the operator is on a Kerala police register. Direct outreach to Kerala SP-level cyber-crime through Indian Embassy Abu Dhabi → Kerala Embassy Dubai → state-police liaison is the access route.

30.4   Dubai Vartha 2021 paid-feature disclosure target

User-supplied Facebook Reel from Matajargroup.com confirms a paid promotional feature on Dubai Vartha (ദുബായ് വാർത്ത = "Dubai News"), a Malayalam-language UAE news channel targeting Kerala-diaspora audience. Aired in the "Night Updates" segment dated 17 May 2021, promoting www.wholzale.com.

Dubai Vartha holds records of every paid promotional feature: contract, payment, invoice, contact person. Disclosure target for the Kerala-diaspora-affinity-fraud track — this anchors a 2021 operator spend to a specific named individual on the operator side.

Multi-address operations — six surfaced Dubai addresses + Plus Code 57V6+JF overlap

The operator publishes at least six distinct Dubai addresses across different surfaces²¹:

Either the operator runs across multiple physical premises OR the same physical building is described differently across surfaces. Both interpretations are operationally significant — multiple addresses fragment regulator-search surface; identical-building-with-different-labels signals deliberate misdirection.

The two Google Business Profiles (Trade Mirage Investment + Matajar Group) share Plus Code 57V6+JF Dubai — same building. Matajar Group is marked "Temporarily closed" on Google Maps, while Trade Mirage Investment is operational with a 4.6-star rating and a category of "Business development service" (a regulator-search-dodge category).

On-chain track — confirmed zero operator presence + subpoena-only attribution path

32.1   The on-chain audit (12 brand strings tested across 6 registries)

Operator brand strings cross-searched across ENS, Unstoppable Domains, Lens Protocol, Farcaster, OpenSea, Etherscan, Arkham Intelligence²². Zero matches for any operator-attributable wallet, label, or entity.

32.2   What the negative finding means

The operator runs in 2024-2026 with a pre-2018 web2-only mental model. They did not register the obvious brand strings as ENS / Unstoppable / Lens / Farcaster handles before launching. Combined with the in-page HTML scan (archive 18) — zero on-chain wallet addresses in any operator HTML, zero MetaMask / WalletConnect / RainbowKit / web3modal / wagmi / viem provider integration anywhere across the operator's WordPress estate — the operator's "crypto investment platform" claim is purely promotional. There is no underlying on-chain operation to trace.

32.3   The withdrawal-trap interpretation

The 5-tier yield ladder (5%-12% monthly across 6 coins) lifted from trademirage.com is delivered without any on-chain wiring. There is no smart contract to audit, no transparent ROI source, no on-chain trade flow. The "algorithmic trading bot for BTC/ETH/SOL/XRP/DOGE/ADA" claim is a verbal pitch backed by a dashboard (mirage11.aiappz.com) with no client-side web3 connection — the "trades" are server-side ledger entries displayed to investors as if they were real. Investor capital flows IN via fiat (UAE bank, card, AED-stable exchange) and is presented to investor via a server-rendered dashboard showing fictitious returns. Withdrawal requests trigger an escalating "fee" sequence intended to either (a) extract additional capital under the guise of release fees, or (b) delay withdrawal until the investor gives up.

32.4   Subpoena-only attribution path

The on-chain audit confirms there is no public-web on-chain track. The traceable on-chain evidence necessarily resides in:

1. Coinbase / Binance / Kraken / OKX subpoena response — operator notebook p.53 names "Coinbase" specifically; the 17-coin shortlist on p.52 is the working pitch coin list. If the operator deposits investor capital into any centralised exchange under their natural-person identity, that exchange's KYC-tied account is the only reliable on-chain attribution path.
2. Forensic disk imaging of R730 + Mac PC — likely to surface seed phrases, wallet-software installations (MetaMask Chrome extension state, Ledger Live, Trust Wallet, Trezor Suite), exchange API keys in browser auto-fill, exchange password manager exports.
3. Bank-record subpoena to UAE / Indian / Egyptian banking partners — operator deposits investor AED / USDT into corporate accounts; the AED-to-stablecoin conversion record at the operator's exchange OTC desk is the inflection point for traced-money.

Subpoena / disclosure targets matrix (combined with forensic imaging chain)

Each subpoena should request: account-holder identity (legal name, registered ID type + number, registration date) · payment-method history (cards, bank accounts, wire instructions) · login history (IPs, device fingerprints, geolocation, timestamps last 24 months) · communication content where applicable · MFA recovery contacts (alternate email + phone — surfaces operator's actual reach identity).

Case readiness summary — what's confirmed, what's pending, what's next

The case is now regulator-hand-off-ready on the documentary side. The five matajargroup.com self-incrimination exhibits alone are sufficient to compel ADGM/FSRA + SCA + DFSA + FRA (Egypt) + SEC (Egypt) + AZCC + RBI + ED (India) + BaFin (Germany) coordinated action. The forensic imaging + subpoena chain converts the documentary case into a traced-money case.

Open-web research has plateaued on operator-side document discovery. The next inflection is hardware imaging.

To be continued… — dead ends, open threads, and the path to traced-money evidence

Open-web and passive-signals research has reached its natural plateau. The documentary case is regulator-hand-off-ready as of 2026-05-07. What follows is an honest accounting of exhausted approaches, paused threads awaiting resource decisions, and a four-step roadmap to the next evidentiary inflection point.

Confirmed dead ends

The approaches below have been worked to exhaustion. Further investment in the same channels is not proportionate.

Interrupted threads — paused, not abandoned

These lines of inquiry remain viable but require additional resource, access, or a trigger event before proceeding.

Step 1 — Access decommissioned hardware and software

Forensic imaging of both seized devices is the single highest-yield action available and carries no external cost beyond investigator time and write-blocking hardware. It must precede every other resource-intensive step on this list.

Recommended tooling: FTK Imager (free, Windows) or dc3dd to write-blocked target drives. All images must be verified with SHA-256 before analysis. Chain-of-custody log must record: examiner, date/time, source device serial, image hash, and storage location of master copy.

Step 2 — Mechanical hard drives: specialist forensic recovery service

The R730 will contain mechanical SATA or SAS drives in a RAID configuration. The appropriate recovery approach depends entirely on physical and logical drive condition, which cannot be assessed without first attempting standard imaging.

Step 3 — Cryptocurrency blockchain data mining and combing

The on-chain audit confirmed zero operator presence in public Web3 namespaces. This does not rule out cryptocurrency involvement — it means no wallet addresses have been identified yet. The only known on-chain lead is "Coinbase" written in the seized notebook (page 53). Blockchain combing is therefore address-finding first, chain-tracing second: seed addresses must come from hardware imaging, subpoenas, or victim disclosures before analytics tools can be applied meaningfully.

Step 4 — Plan next move: three decision nodes

Three parallel paths are available based on evidence compiled to date. They are not mutually exclusive; the choice of sequencing is an executive and legal-counsel decision.

Technology Infrastructure — Proposed Engagement

The investigative findings documented in this report create a foundation for a purpose-built intelligence infrastructure. The following steps represent a natural continuation of this work — moving from a one-time forensic report to a persistent, queryable system for ongoing case management, evidence organisation, and regulatory submission.

Each item below is a discrete, scoped engagement. None is required to use the findings already delivered. All are available on request.

Appendices

Appendix A — Social-media captures (2026-05-05 batch) — full inline render of case-archive/archive/15_social_media_captures.md.

Appendix B — Notebook digitisation (81 pages) — full inline render of documents-analysis.md.

Appendix C — Photo evidence inventory — thumbnail grid with EXIF metadata.

Appendix D — YouTube channel index — table of 142 videos with key transcript keywords.

Appendix E — Update log — append the standalone-HTML build step.

Appendix F — Glossary.

Appendix G — How this report was produced — methodology & tools.

Footnotes / source archive

Every numbered footnote anchor points back to a specific archive file at project/case-archive/archive/. Open any file in a Markdown viewer for the full source-attributed material that backs the claim above.