By Tobias Tobiassen, Nettsak | Published 22.06.2025
Update after publication
After Nettsak published this case, both Fremtind and Crawford have withdrawn their recourse claims. Going forward, we will remove information from the article that is no longer relevant.
Crawford nevertheless maintains his account of the course of events, despite the fact that this does not correspond with available logs and documentation.
InfoDesk has announced that they will analyze the case again, and it is expected that the police reports may be withdrawn, as the recourse claim has now been waived and there is thus no financial loss - beyond the work hours required to produce correct decision-making bases for the insurance companies.
At the same time, the case raises questions about the sense of justice in situations where serious financial claims are not thoroughly assessed before they reach the public, and where press coverage is ultimately required for fair treatment.
SANDEFJORD(Nettsak) - Small, specialized IT environments rely on insurance and the legal system to protect them from unreasonable claims. After two and a half years in the spotlight, the Sandefjord-based company is experiencing InfoDesk AS the exact opposite: A recourse claim of kr 430 514 from Fremtind Insurance, built on the daily manager Håkon Berntsen calls "a fictional history".
The attack no one can agree on
Night to April 3, 2023 becomes the WooCommerce online store idtsports.com Infected. A pirated backup extension is installed, WordFence is disabled, and visitors are sent to spam domains. The logs show logins from IP addresses in Cebu City, Philippines - under the account rune@kloner.no, created the day before by Morten Iversbakken (Sales & Marketing Manager at IDT Solutions AS).
Ten days later, InfoDesk submits a report to the anonymous web designers behind the page. The report points to Cloner AS As a source. IDT Solutions skips its suppliers, activates its cyber insurance and hires Truesec to full forensics.
The information above comes from documents submitted by InfoDesk AS.
"We never hosted idtsports.com, we only developed features for idt.no on a completely different server. But the recourse claim points only on us," says Berntsen in an interview with Nettsak.
A bill - and a new online store
The Truesec invoice alone reads kr 305,484. The rest are hours and modules for Magento - a brand new platform Cloner AS had already started weeks before the attack. Everything is included in the recourse claim.
Incorrect information to Insurance, bill placed on third party
Svein Iversbakken (general manager)
Participation § 15, cf. §§ 376, 221
Overall decisions and confirmations
Morten Iversbakken (Sales & Mkt.)
§ 376, § 221
Created admin user linked to infection
Cloner AS
Section 2-1 of the Damages Act (negligent damage), possibly aiding and abetting section 351 of the Damages Act.
Development tracks before, during and after the attack
"A pattern over several years" - Berntsen is interviewed
Tobiassen, Nettsak: Why the police?
Berntsen: "Because the puzzle shows intent: first a dispute over unpaid invoices to the web designer, then an attack that legitimizes new platform, then a recourse claim that shifts the bill to us. In between battles, IDT Solutions AS has used BAHR lawyers in an attempt to gag our technical case studies, and sent a phishing PDF to the web designer to steal her login."
Tobiassen: What do you think about the claim that Elementor Pro has not been updated?
Berntsen: "The Truesec report mentions it, but our logs don't show any exploit traffic to Elementor endpoints. However, they do show admin-upload of pirated backup plugin from the Philippines the minute WordFence shuts down. This is a known mode for nulled-malware."
Tobiassen: The case started as a recourse against the web designer - now everything points to you?
Berntsen: "We helped her with documentation; that's our culture. Since then, all the arrows have moved to us, but the core facts remain: We had no operating agreement, no server access before assisting TrueSec and no role in the Magento project."
Notified everyone - the email documenting claims
Today, InfoDesk sent a copy of its latest response letter to Crawford, Truesec, Cloners and IDT Solutions. The email requires:
Full report from Truesec with all attachments.
Explanation of why the admin account rune@kloner.no is created before Clones formally come in.
Comment on Magento hours being billed as "cleanup".
Fundamental assessment from Crawford/Fremtind about placing social risk on subcontractors.
The phishing attempt - the straw that broke the camel's back
A few days before the recourse letter arrived in June 2025, the web designer received an email from the IDT domain: "You have a new assigned document". The PDF hid a fake Outlook page and was flagged as malware by both InfoDesk and US Intruig Inc.
"Using your own company email for phishing suggests either desperation or an attempt to compromise evidence," says Berntsen.
Small suppliers, large corporations
InfoDesk states that it has used 40+ hours and estimates total additional costs at over kr 500 000. The company delivers solutions for the public sector and industries with strict security - with no history of breaches.
"When recourse tools are used like this, it creates a precedent that scares small companies away from taking on demanding projects," says Berntsen.
Crawford replies to Nettsak that the apportionment of blame is "still being assessed" and that the Truesec report is controlling. Fremtind has a deadline July 1, 2025 to make decisions.
The numbers that don't rhyme
Parameter
Normal WordPress cleanup
The recourse figures
Time spent
4-8 t
112.5 t (Truesec)
Costs
6,000-10,000 SEK
430 514 kr
Report from TrueSec is kept secret
In an email from TrueSec in response to a request for access, TrueSec refuses to share the report, stating that they do not share the report with anyone other than their clients.
- "This casts doubt on whether there is even a report pointing to InfoDesk as the responsible party," says Håkon Berntsen. "This is a key piece of evidence on which the entire recourse claim is based, and when this is withheld, it says a lot about the report.
Recourse claim
InfoDesk AS has shared the recourse claim and its defense in its entirety and agrees that we share this.
Håkon Berntsen says:
The recourse claim appears unfounded and inadequately documented, with several factual errors and assertions that have no basis in reality. First of all, the claim is based on incorrect dates; among other things, it is claimed that IDT Solutions discovered the attack on 05.03.2023, one month before the actual attack took place. Furthermore, it is claimed that discrepancies were reported to the Norwegian Data Protection Authority on April 13, 2023, while the Data Protection Authority's own logs show that the notification was received on May 22, 2023.
InfoDesk's investigations have been disregarded without any real assessment. It is alleged that InfoDesk attempted to regain IDT as a customer from Kloner AS, despite the fact that no such customer relationship has ever existed. This demonstrates a lack of insight into the case and a lack of access to real documentation from the person who prepared the claim. The review of the recourse claim reveals a number of similar inaccuracies and speculations that cannot be substantiated with documented facts.
It is also crucial to clarify that the relevant vulnerability in Elementor Pro first became known through a blog post on 28.03.2023, while the infection took place on 03.04.2023. Within established industry standards for operation and maintenance, fixed update intervals of between 7 and 14 days are normally used. Fremtind's claim is based on a significantly shorter interval than what may have been agreed between IDT and the main supplier, and at the same time claims against InfoDesk, which was only a subcontractor for the hosting and development of idt.no - not idtsports.com. This is a confusion of roles and responsibilities that cannot be accepted.
In summary, the recourse claim is characterized by serious factual errors, inadequate documentation and unreasonable allocations of responsibility. It is therefore not sustainable in its current form.
Nettsak publishes in accordance with the Norwegian Constitution § 100 and ECHR art.10. All respondents have been notified of the publication and have been offered the opportunity to respond at the same time (VVP 4.14). The web designer is referred to anonymously at his own request. The information is taken from submitted police reports and associated case documents. The publication is based on an editorial assessment and follows the rules of press ethics (VVP) and the Personal Data Act's exceptions for journalistic activities. The information is considered to be of significant public interest.
English 
Norsk bokmål