InfoDesk reports IDT Solutions AS to the police - alleges insurance fraud

By Tobias Tobiassen, Nettsak | Published 22.06.2025

Update after publication

After Nettsak published this story, both Fremtind and Crawford have withdrawn their recourse claim. Going forward, we will remove information from the article that is no longer relevant.

Crawford nevertheless maintains its account of the course of events, despite the fact that this does not match the available logs and documentation.

InfoDesk has indicated that it will analyse the case anew, and it is expected that the police reports may be withdrawn, since the recourse claim has now been dropped and there is therefore no financial loss - beyond the working hours required to produce a correct basis for decisions at the insurance companies.

At the same time, the case raises questions about the sense of justice in situations where serious financial claims are not assessed thoroughly before they reach the public, and where press coverage is ultimately required to obtain fair treatment.

SANDEFJORD (Nettsak) - Small, specialised IT communities rely on insurance and the legal system to protect them against unreasonable claims. After two and a half years in the spotlight, the Sandefjord-based company InfoDesk AS is experiencing exactly the opposite: A recourse claim of NOK 430,514 from Fremtind Forsikring, built on what general manager Håkon Berntsen calls "a fictitious history".

The attack no one can agree on

During the night of 3 April 2023, the WooCommerce online store idtsports.com is infected. A pirated backup extension is installed, WordFence is deactivated, and visitors are sent to spam domains. The logs show a login from IP addresses in Cebu City, the Philippines - under the account [email protected], created the day before by Morten Iversbakken (Sales & Marketing Manager at IDT Solutions AS).

Ten days later, InfoDesk hands over a report to the anonymous web designer behind the site. The report points to Kloner AS as the source. IDT Solutions bypasses its suppliers, activates the cyber insurance and hires Truesec for full forensics.

The information above comes from documents submitted by InfoDesk AS.

"We never hosted idtsports.com, we only developed features for idt.no on a completely different server. But the recourse claim points only at us," says Berntsen in an interview with Nettsak.

A bill - and a new online store

The Truesec invoice alone comes to NOK 305,484. The rest is hours and modules for Magento - a completely new platform that Kloner AS had already started weeks before the attack. Everything is included in the recourse claim.

Who has been reported - and for what

"A pattern over several years" - Berntsen is interviewed

Tobiassen, Nettsak: Why the police?

Berntsen: "Because the puzzle shows intent: first a dispute over unpaid invoices to the web designer, then an attack that legitimises a new platform, then a recourse claim that shifts the bill to us. Between these moves, IDT Solutions AS has used BAHR lawyers in an attempt to silence our technical case studies, and sent a phishing PDF to the web designer to steal her login."

Tobiassen: What do you say to the claim about the failure to update Elementor Pro?

Berntsen: "The Truesec report mentions it, but our logs show no exploit traffic against Elementor endpoints. They do, however, show an admin upload of a pirated backup plugin from the Philippines the same minute that WordFence is switched off. That is a known modus for nulled malware."

Tobiassen: The case started as recourse against the web designer - now everything points at you?

Berntsen: "We helped her with documentation; that is our culture. Since then, all the arrows have shifted to us, while the core facts remain: We had no operating agreement, no server access before we assisted TrueSec, and no roles in the Magento project."

Notified everyone - the email that documents the claim

Today InfoDesk sent a copy of its latest reply letter to Crawford, Truesec, Kloner and IDT Solutions. The email demands:

• The full report from Truesec with all attachments.
• An explanation of why the admin account [email protected] is created before Kloner formally comes on board.
• A comment on the fact that Magento hours are invoiced as "clean-up".
• A statement of principle from Crawford/Fremtind on placing societal risk on subcontractors.

The phishing attempt - the straw that broke the camel's back

A few days before the recourse letter arrived in June 2025, the web designer received an email from the IDT domain: "You have a new assigned document". The PDF concealed a fake Outlook page and was flagged as malware by both InfoDesk and the US company Intruig Inc.

"Using your own company email for phishing suggests either desperation or an attempt to compromise evidence," says Berntsen.

Small suppliers, large corporations

InfoDesk states that it has spent 40+ hours and estimates total additional costs at over NOK 500,000. The company delivers solutions for the public sector and industries with strict security - with no history of breaches.

"When recourse tools are used like this, it sets a precedent that scares small companies away from taking on demanding projects," says Berntsen.

Crawford responds to Nettsak that the apportionment of blame is "still being assessed" and that the Truesec report is decisive. Fremtind has until 1 July 2025 to make a decision.

The numbers that don't add up

Report from TrueSec kept secret

In an email from TrueSec in response to a demand for access, TrueSec refuses to share the report, citing that they do not share the report with anyone other than their clients.

• This casts doubt on whether there even exists a report that points to InfoDesk as the responsible party, says Håkon Berntsen. This is a central piece of evidence on which the entire recourse claim is built, and when it is withheld, that says a lot about the report.

The recourse claim

InfoDesk AS has shared the recourse claim and its reply in full and consents to us sharing this.

Håkon Berntsen states:

The recourse claim appears groundless and poorly documented, with several factual errors and assertions with no basis in reality. Firstly, the claim is based on incorrect dates; among other things, it is alleged that IDT Solutions discovered the attack on 05.03.2023, a month before the actual attack took place. Furthermore, it is claimed that the breach was reported to the Norwegian Data Protection Authority on 13.04.2023, while the Authority's own logs show that the report was received on 22.05.2023.

InfoDesk's investigations have been set aside without any genuine assessment. It is claimed that InfoDesk tried to win IDT back as a customer from Kloner AS, despite the fact that no such customer relationship has ever existed. This testifies to a lack of insight into the case and a lack of access to the actual documentation by whoever drew up the claim. The review of the recourse claim reveals a number of similar inaccuracies and speculations that cannot be substantiated with documented facts.

It is also crucial to point out that the relevant vulnerability in Elementor Pro first became known through a blog post on 28.03.2023, while the infection took place on 03.04.2023. Within established industry standards for operation and maintenance, fixed update intervals of between 7 and 14 days are normally applied. In its claim, Fremtind assumes a significantly shorter interval than what may have been agreed between IDT and the main supplier, and at the same time brings a claim against InfoDesk, which was only a subcontractor for the hosting and development of idt.no - not idtsports.com. This is a conflation of roles and responsibilities that cannot be accepted.

In summary, the recourse claim is marked by serious factual errors, inadequate documentation and unreasonable allocations of responsibility. It is therefore not tenable as it now stands.

Further reading on the case

https://nettsak.no/idt-solutions-forsikringssvindel-infodesk-cyberangrep/

Editorial note

Nettsak publishes in accordance with Article 100 of the Norwegian Constitution and Article 10 of the ECHR. All those reported have been notified of publication and offered the right to simultaneous rebuttal (Ethical Code of Practice for the Press 4.14). The web designer is referred to anonymously at her own request.
The information is taken from submitted police reports and associated case documents. Publication has been carried out following editorial assessment and complies with press ethics rules (Ethical Code of Practice for the Press) and the Personal Data Act's exemption for journalistic activity. The information is considered to be of significant public interest.