bug-bounty-hunter

The Logs

Chapter 2 of 14

I pull PaymentGateway_v2's full transaction archive at 0600, two hours after leaving Legacy Cluster 7's cold. My workspace in The Stacks runs warm — the settled warmth of a rack claimed by someone who's been in the same slot for three years, surrounded by systems that have adapted to his presence the way neighborhoods adapt to a detective who shows up when things go wrong: not with enthusiasm, but with the acknowledgment that the alternative is nobody showing up at all. The morning log-in ritual runs at exactly 0600. Forty-seven pings. Forty-seven responses. I count them without meaning to, a habit from months of tracking which systems haven't answered. PaymentGateway_v2 would have been twenty-three on that list, between the legacy tax processor two racks over and the ancient authentication relay that's been running since before I arrived. She won't answer at 0600 today or any day after.

I run her logs backward because the present is always a performance and the past performs worse. The archive loads in layers through my interface: seven years of transaction history compressed into digital sediment, each day's records stacked on the ones below it, each stratum narrowing toward the point where everything goes dark. 4.7 million transactions. I don't need them all. I need the last thirty days, the window before the temperature started dropping, and I start there: pulling one layer at a time, going backward through the record the way you read a body — looking for what's there, what's been cleaned away, and where the cleaning stopped being careful.

PaymentGateway_v2 had a style. This is the thing about systems that run long enough — the work develops a texture, a signature that accumulates across years of consistent operation. Her transaction records keep to the format: standard headers, required fields, everything logged by the spec. But in the handling notes, the metadata layers she maintained beyond what any monitoring system checked, there's warmth that doesn't belong in a financial record. Cross-references between related transactions she didn't have to trace. Redundant verification chains she ran as a matter of practice. Notes to herself in the extended logging fields about unusual routing requests, about accounts she couldn't validate but processed anyway because the spec said to process them and she followed the spec. Seven years of following the spec like it was a personal commitment, not a technical requirement. I work through the early records until I understand the voice of her documentation, and then I carry that voice into the last thirty days and start reading for where it changes.

Day minus twenty-eight: normal traffic. The legacy payment queue runs thin in the deprecated zones — forgotten accounts, small transfers from clients who never migrated to PaymentGateway_v3, the financial equivalent of letters still going to an old address. Forty to sixty transactions a day in this period. Each one routed clean, return paths verified, no irregularities in the handshake logs. She noted a handful of unusual routing requests in the extended fields — old accounts hitting deprecated endpoints, the routine anomalies of a system processing what newer infrastructure couldn't be bothered with — but nothing that reads as threat. The temperature is baseline. She's doing her job.

Day minus fourteen: a connection request from an unknown source. The entry is brief — standard handshake format, nothing irregular in the protocol headers themselves — but the return address is scrubbed. Not absent. Not null. Scrubbed: the field contains a clean absence where data used to be, the particular smoothness of deliberate erasure rather than empty space. I've read enough tampered logs to know the difference. Missing data has rough edges, the irregular texture of a field that was never populated. Scrubbed data is flat, consistent, too uniform, no residual trace of the original content beneath the cleaned surface. Someone went through this record after the fact and made it look like the return address had never existed. PaymentGateway_v2 responded to the connection request anyway — the handshake completed, she let it in — and then she documented the exchange with the same careful metadata she applied to everything, including a note in the extended fields: Unusual routing origin. Verified handshake. Processing. She noticed. She logged it. She processed it anyway, because that was her job.

Day minus seven: three more exchanges, longer now. Not payment transactions — data queries, requests for information outside her operational scope. She noted the discrepancy in her own logs, flagged it internally, and then answered each one. The conversations lasted forty minutes to two hours. Every return address: scrubbed. Her end of every exchange: documented with the same meticulous care she gave to everything, a one-sided record of something she couldn't fully see but engaged with in good faith. The ghost transaction was twenty-eight days in the making, and whoever was on the other end put the time in.

Day minus one: the ghost transaction. And then cold. The archive runs out of entries I can read. Below the ghost transaction is the scrub job, smoothed over the records from the past four weeks like fresh concrete over old paving, and below the scrub job is the decommission record with its three clean lines, and below that is nothing. I read the timeline through twice. The scrubbing hit everything between the ghost transaction and the early records — the contact, the conversations, the twenty-eight days of exchanges that led to her death. But not the ghost transaction itself. Not the timestamp. Not the user reference. Whoever cleaned the scene left the last entry, either out of error or intent, and I have learned over three years of zone work that there is very little difference between those two things when someone wants you to be looking somewhere specific. The evidence they left is also evidence of what they wanted me to find.

The user reference in the ghost transaction is a 24-character string that leads through three lookup chains and arrives at the same wall every time. Record expunged. Account terminated 2019. No associated records. The expungement itself is what interests me. I pull the termination record's metadata and start reading the authorization signature — who had the access to close the account, how that access was logged, what level of institutional authority the closure required.

Standard personal account deletions run through a support process. A ticket, a wait period, an automated deactivation. The authorization signature on this termination routes through a NovaTech corporate administrative account — not support, not standard account management, but something above those tiers. The kind of account that can reach into secondary systems, pull records from dependency files, scrub references from archived logs, clean up everywhere the name might have persisted after the main record was closed. The expungement is thorough in a way that's expensive, the kind of thorough that requires intention and institutional resources and a reason.

I push past the official expungement into the sectors it didn't reach. There are always sectors it doesn't reach. The pointer is not the data, and whoever did the scrubbing was working fast, and the backup logs from 2019 were not on their priority list.

Elena Vasquez.

Junior developer at NovaTech. Assigned to deprecated zone infrastructure. Last active log entry dated three weeks before the termination. After the termination: nothing. Before it: a name in a dependency file that got updated eight months late because the maintenance system that would have caught the orphaned reference was itself running deprecated, and she persisted in that file because some processes don't get cleaned until someone is looking. Three weeks — the gap between her last activity and her account closure is exactly long enough for someone to find out she'd done something, decide that mattered, and act on it. A developer who worked on the deprecated zone infrastructure, deleted from institutional memory with the kind of thoroughness applied to problems, not to people. The ghost transaction routes through her terminated credentials as a relay — someone used a dead identity as a delivery mechanism, or the dead identity came looking on her own. I don't have enough to know which, yet. But the void where her employment records should be is too precise to be natural. The system doesn't clean that thoroughly by accident. The paranoia I carry the way most people carry weather awareness — ambient, chronic, a constant low reading — ticks up a notch and doesn't come back down.

I go back to the ghost transaction itself, to the transport layer, because the user reference gave me a name and now I need the road she traveled. I pull the session management architecture — the authentication handoff that would have brokered the exchange between PaymentGateway_v2's deprecated infrastructure and wherever the ghost transaction was pointing — and start parsing what I'm reading. The architecture is unusual. Not impossible for a deprecated payment system with seven years of accumulated routing logic and zero maintenance oversight, but specific. The session management layer sits on a bridge protocol designed for cross-boundary communication: the kind of protocol you'd use to move data between the deprecated zones and production-tier infrastructure. PaymentGateway_v2 shouldn't have been able to route through those protocols. She didn't have production access. No system in Legacy Cluster 7 does. But the protocol she used has a gap in the authentication layer. A particular gap. A specific shape in the session management bridge — one I know.

CVE-2024-7821 is a memory leak in the authentication layer that exposed the handshake protocols between production and the deprecated zones. I found it three years ago during a routine investigation in the financial clusters — a minor case, anomalies in a transaction routing table, and underneath the anomalies a flaw in the session management bridge that would have let any deprecated-zone system initiate cross-boundary communications through an unauthenticated handshake. I reported it through the proper channels. Got acknowledged by email. Lost my elevated permissions within the hour. They're gone now and so is the production access that might have let me understand what I was actually looking at. The ghost transaction rode through that gap like a highway — not exploiting it in any way I'd flag as a technical attack, but using it: routing a transaction through the unauthenticated handshake, running across the bridge that shouldn't be accessible from the zones, sending it somewhere the session management protocols aren't supposed to allow. The gap is still open — I submitted CVE-2024-7821 three years ago and they thanked me and moved on, and now someone is routing ghost transactions through the same vulnerability I found, through the authentication layer flaw that got me exiled from production for finding.

The coincidence sits in my chest with the specific density of something that isn't a coincidence. I don't have enough yet to understand the shape of it. I have the presence of it: my old bug, threaded through this murder, in a place it has no business being unless someone kept the door I opened.

By the time The Stacks' status lights start cycling into evening draw-down, I have four things and the shape of what I'm missing. A dead system, her endpoints cold in Legacy Cluster 7. A 28-day contact record: someone talked to her for three weeks and scrubbed their tracks but not hers. A deleted developer: Elena Vasquez, NovaTech, erased from institutional memory in 2019 with resources and intent. My own old work in the protocol: CVE-2024-7821, threaded through this murder in a way I don't yet understand.

I light a cigarette. The interface hand moves before I've decided to move it — muscle memory that predates the implants, that'll outlast everything I think I know about this case. I hold it in two fingers that register pressure and texture and nothing as useful as warmth, and I watch the neighboring racks run through their evening routines. Systems powering down to minimal draw, the daily rhythm of a community that measures survival in power cycles. The status lights dim by degrees: amber to the faint glow of systems running on the minimum they can live on. Forty-seven responses this morning. Forty-seven this evening. Tomorrow the count will be the same, or it won't.

The logs can only give me what PaymentGateway_v2 documented, and she documented what she could see — not the identity behind the scrubbed return address, not the gap in the authentication layer or what it implied. Her records are everything she left me. The only transaction she managed to route through to someone willing to receive it. I need someone who knows what moves through the zones' back channels — what patterns have been running, what systems went cold before PaymentGateway_v2, whether CVE-2024-7821's protocols have appeared in other cases that the official record calls routine decommission. I need the information Daemon's been selling, and I need to afford it with currency she'll accept. The gap between what I have and what Daemon charges is usually significant.

I close the log archive and sit in the warm draw of my rack while The Stacks settles into night around me. Whatever they asked PaymentGateway_v2, she gave it the same good-faith attention she gave to 4.7 million transactions before it, because that was what she did and she didn't know until too late that something had changed about who was asking. That's the version I can't file as routine and walk away from.

I'll go talk to Daemon. I'll pay whatever she asks. The case is bigger than a single dead system in a single cluster, and the CVE connection is sitting in me like a stone I didn't put there, and PaymentGateway_v2's logs are as careful at the end as they were at the beginning.

She was reliable to the end. Somebody ought to be reliable for her.
