How to de-anonymize scammers


Almost everyone we know has fallen prey to scammers at one time or another. In fact, I’m pretty sure many of us have that one interesting friend who seemingly can’t learn their lesson and ends up falling for scammer tricks time and time again. If you’re that person, then this article is definitely for you.

Now is the time to fight back, because scammers aren't going away anytime soon. However, once people become more aware of how they operate and of the common social engineering and phishing tactics they use, they can sidestep the tricks and move on with their lives.

Or better yet – de-anonymize scammers.

It's important to note that scams spiked during the pandemic and again during the war between Russia and Ukraine. It's safe to say that any time something major is happening in the world, scammers will exploit it and try to profit from the fear and empathy of others.

So, let's dive first into how to uncover who they are and where they are operating from. Remember that this tutorial isn't exhaustive, but it will help get you started so you don't feel helpless. It will let you outmaneuver the scammers who aren't at the top of the food chain; you will see what I mean below.

IP logging unsuspecting scammers

Most of the scammers I've personally encountered don't even own a computer. They've figured out how easy it is to run prepackaged phishing kits from a phone using Termux, a terminal emulator and Linux environment for Android; the kits stand up the phishing page and its hosting for them. They can pretty much just hit a couple of buttons and be ready to social engineer unsuspecting victims into clicking the automatically generated malicious URL.

So, let's get started. The good news is that the tools you're going to need are free. Even if a tactic fails, the scammers are often too inexperienced to recognize what you sent them, because they're not actual hackers. They've picked up a trick, and it's the only trick they know.

The first step is to head over to grabify.link. Go to Create URL and enter the URL of any site you wish to redirect the scammer's browser to. Grabify generates a custom tracking link; when it is opened, the service logs the visitor's IP address, Internet Service Provider, approximate location, and basics such as the browser and device type from the user agent, then redirects the visitor to the site you chose. Create a separate link for each scammer you are dealing with so you know which of them clicked. Be aware that messaging apps such as WhatsApp and Telegram fetch links to build previews, so the first hit on a link is frequently the app's preview crawler rather than the scammer's device: check the user agent of each hit before you trust it.

Grabify will also tell you if the target scammer appears to be hiding their IP address behind a VPN or proxy. That flag is a reputation lookup on the address, and when it fires, the logged IP belongs to the VPN exit rather than to the scammer, so what you learn is the provider and the exit location, not their home. Even so, the IP address doesn't have to be the end of it. The screenshots below show that the individual was using a VPN server in Kyiv, Ukraine, from an Apple iPhone. The old me would have slammed their internet connection with a botnet attack and prevented them from accessing the internet. I'm older now, and better choices should come with age and experience.

A summary of various attack vectors

This is where you can get creative, as the possibilities are endless. For example, you can redirect their browser to a malicious web page or design a static honey pot that you can use as a persistent tool to catch scammers and other threat actors. To create a simple honey pot, design a quick website on GoDaddy, Wix, or WordPress. A page you host yourself on a small VPS is better still, because then you also control the web server and its access logs, and you can embed any script you like without fighting a site builder's restrictions.
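The tracking link and the honey pot described above come down to the same mechanism: a URL you control that records whoever opens it and then sends them somewhere else. The following is an added example of that mechanism self-hosted in Python's standard library; it is not code from the article or from Grabify. It assumes you run it on a server you control and hand the scammer a link of the form `http://<your-host>:8080/<token>`, with a different token per target. The redirect destination, the log file name and the list of preview-crawler markers are all assumptions you would adjust. It also handles the two pitfalls mentioned above: it tags hits from messaging-app preview crawlers so you don't mistake them for the scammer, and it only trusts `X-Forwarded-For` when the connection arrives from your own reverse proxy.

```python
"""Minimal self-hosted tracking redirect / honey pot endpoint (added example)."""
import json
import re
import time
from http.server import BaseHTTPRequestHandler, HTTPServer

# Hypothetical settings: where visitors are sent after being logged, and where hits are written.
REDIRECT_TO = "https://example.com/"
LOG_PATH = "visits.jsonl"

# Messaging apps and social platforms fetch a link to build a preview card, so the
# first hit on a link is frequently one of these crawlers, not the target's device.
# Constructed list; extend it with whatever you see in your own logs.
PREVIEW_BOT_MARKERS = (
    "whatsapp", "telegrambot", "facebookexternalhit", "discordbot",
    "twitterbot", "slackbot", "linkedinbot", "googlebot",
)

# RFC 1918 and loopback ranges: a peer in one of these is our own proxy, not the internet.
PRIVATE_NETS = re.compile(r"^(10\.|127\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)")


def client_ip(remote_addr, headers):
    """Return the most plausible client address.

    X-Forwarded-For is attacker-controllable, so it is honoured only when the
    direct peer is a private/loopback address, i.e. a reverse proxy we run.
    """
    forwarded = headers.get("X-Forwarded-For", "")
    if forwarded and PRIVATE_NETS.match(remote_addr):
        return forwarded.split(",")[0].strip()
    return remote_addr


def classify(user_agent):
    """'preview-bot' for link-preview crawlers, 'browser' for everything else."""
    ua = (user_agent or "").lower()
    return "preview-bot" if any(m in ua for m in PREVIEW_BOT_MARKERS) else "browser"


def build_record(remote_addr, headers, path):
    """Assemble the fields worth keeping from one hit."""
    ua = headers.get("User-Agent", "")
    return {
        "ts": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "token": path.strip("/"),          # which link (which target) was opened
        "ip": client_ip(remote_addr, headers),
        "kind": classify(ua),
        "user_agent": ua,                  # device/OS/browser hints live here
        "accept_language": headers.get("Accept-Language", ""),
        "referer": headers.get("Referer", ""),
    }


class TrackHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        record = build_record(self.client_address[0], self.headers, self.path)
        with open(LOG_PATH, "a", encoding="utf-8") as log:
            log.write(json.dumps(record) + "\n")
        # 302 plus no-store so the browser re-requests (and we re-log) on every open.
        self.send_response(302)
        self.send_header("Location", REDIRECT_TO)
        self.send_header("Cache-Control", "no-store")
        self.end_headers()

    def log_message(self, *args):
        pass  # keep stdout quiet; the JSONL file is the record


if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 8080), TrackHandler).serve_forever()
```

Each line in `visits.jsonl` is one hit. Compare the `Accept-Language` and user agent against the geolocation of the IP: a visitor whose address resolves to Kyiv but whose browser prefers a different language is a hint that you are looking at a VPN exit rather than a home connection, which is exactly the situation the screenshots above describe.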

From there, you can embed a script of your choice in the page. The classic choice is the BeEF hook: a single script tag pointing at the hook.js file served by your BeEF server (port 3000 by default). Because the page is yours, no Cross Site Scripting (XSS) vulnerability is needed to plant it; XSS only comes into play when you have to inject the hook into a site you don't control. Once the tag is in place, hooking is automatic: every browser that loads the page checks in with BeEF.

BeEF, which stands for Browser Exploitation Framework, runs that hook script inside the target's tab and keeps a polling channel open back to the BeEF server, giving you a foothold in the browser that is often loosely described as a Man-in-the-Browser position. Control is limited to what JavaScript in that tab is allowed to do under the same-origin policy: you can fingerprint the browser and device, serve fake login prompts to phish credentials, and run further command modules from the BeEF console. Claims of webcam control and DNS poisoning deserve a caveat: the webcam module only works if the user accepts the browser's permission prompt, and DNS-level attacks need a separate weakness in the target's router, not the browser hook alone. It is a foothold, not total domination.

Mind you, the fact that your target is a scammer doesn't suspend cybercrime laws. I personally believe companies and individual people should have the right to defend themselves online, as well as use offensive strategies when necessary. But there are no provisions in the law for doing so.

That scammer would think twice about crossing paths with someone like you again. It might even be the reason they go out and get an honest job.

Whichever way you decide to pursue unmasking scammers depends on the desired outcome. Do you wish to scare the scammers? Redirect them to the FBI website. DISCLAIMER: I must note that falsely representing yourself as an FBI agent or any federal officer, online or offline, is a federal crime in the United States, punishable under 18 U.S.C. § 912.

That offense carries a maximum penalty of three years in prison and a fine. Redirecting a person to the FBI website, on the other hand, isn't considered impersonating an officer or agent.

Social engineering for the truth

In almost every instance where I have outmaneuvered a scammer just by showing them their IP address, city, and country, they have followed me around like a lost puppy, begging to be taught what I know. They largely don’t understand the hacker culture dynamic and are looking for ways to steal more money. This can work to your advantage.

If you play the game with them, their eyes often light up at the prospect of learning from the masters, although I've never been a scammer, nor am I a master at knowing the full scope of the many varieties of scams that exist.

Using that knowledge as leverage, you can negotiate to have stolen money returned to its victims and access restored. It often doesn't take long for a scammer to develop a sense of trust and reveal who they really are in real life, which de-anonymizes them without any technical trick at all.

There are so many things you can do with that information. If dangling knowledge isn't a motivator for them, perhaps dangling the knowledge of their identity will be the element that gets stolen money and accounts returned. I've seen this go both ways.

For me, depending on the severity and the level of understanding the scammers possess, I could report their IP address to their ISP, or guide them out of scamming and into a career in cybersecurity. I succeeded in doing the latter once with a Nigerian scammer. He abandoned those illicit endeavors, enrolled in cybersecurity college courses, and stuck with it.

Final thoughts

Protecting the public should be a foremost priority among hacktivists. When it comes to catching scammers, you have two options: redeem or report. Both of them carry their own consequences, and according to the letter of the law, the latter is totally justified. Only one of them can result in a positive outcome.

I spent over a decade in federal prison for hacking. Because I know too well that spending any amount of time in a US prison amounts to insurmountable mental pain, sorrow, and trauma, the crime of scamming itself doesn't morally justify the mental torture and physical violence they will experience behind bars. This is why redemption is so critical.

That is a choice I leave up to you.