Kodama the Chameleon

Threat Intelligence and Other Contemplations…

   ___       __  _     __   
  / _ | ____/ /_(_)___/ /__ 
 / __ |/ __/ __/ / __/ / -_)
/_/ |_/_/  \__/_/\__/_/\__/

Scamming the Scammer

kodama

|

🚨 SPOILER ALERT: This article shares IoF (Indicators of Fraud). Yeah, I just made that up.

They say knowledge is power. So when I got a random text from (470) 361-8476 asking, “Wendy [Not my real name], are you going to play golf this weekend?” they had no idea who they were dealing with. If you’re familiar with the term “pig butchering,” you know where this is heading.

I played along—because why not? I think I can make a pretty convincing Wendy. If you take nothing else from this article, watch for the 🚩’s, because this story is riddled with them.

After admitting to “dialing the wrong number,” my mystery texter, now known as Anthea, keeps chatting about how kind I am.🚩 Sure, Anthea, I’m just the best. By Day 2, she suggests we move to Telegram.🚩 Because nothing says “trustworthy” like switching apps after 24 hours.

On Telegram, Anthea’s small talk continues, sprinkled with not-so-subtle nudges toward crypto investments. Her English is broken🚩, but that’s not the real red flag. After all, she’s “from Singapore… living in Los Angles.”

Anthea19880823

Meanwhile, I decided to go on the offensive. Using a secondary research account, I reached out to Anthea again. This way, if “Wendy” gets ghosted or burned, I still have a backup conversation going. While digging around with this second alias, I stumbled upon another Telegram that looked eerily similar to Anthea’s.🚩 That’s when I managed to snag their IP using a Grabbify. Eventually Anthea got me started on boarding to their fraudulent cryptocurrency exchange Zacoin-if. Seriously, if you’re taking investment advice from someone you haven’t even known for a week, you might want to rethink your choices.🚩

Anthea1988

🔨 Playing whack-a-mole—that’s what tracking and submitting takedown requests for these fraudulent sites feels like. They’re like the cockroaches of the internet, crawling out from the dark corners every time you think you’ve squashed one – yes, I’m mixing metaphors. But the key point here is that in the constant cycle of getting torn down and rebuilt, many of these sites use templates that can be fingerprinted. At any given time, Zacoin-if and possibly hundreds of other scam sites are living and dying on the web. The silver lining? Their security, especially in the early stages, is often laughably weak.

If you ever need to check if a particular email is registered on one of these scam sites using the same template, you can use this Python script:

# python
import requests

def check_user(scam_domain: str, email: str):
    """
    Check if a user is registered to a scam domain
    Responses:
      - 'Username does not exist'
      - 'Incorrect password'
    """
    url = f"https://{scam_domain}/api/login/doPhoneEmailLoginYZ"
    payload = {
        "phoneemail": email,
        "pwd": "asdf"  # Doesn't really matter what you put here
    }
    response = requests.post(url, data=payload)
    return response.json()

To wrap up this little drama, Anthea eventually ghosted “Wendy,” but not before linking me to another WhatsApp scammer at +1 (305) 586 1914. I ended up deliberately burning my secondary alias just to check on “Anthea’s” well-being. While exposing scammers on Youtube might make for great clickbait, it’s crucial to remember that these are real people on the other end. Whether “Anthea” is involved voluntarily or through “force, fraud, or coercion” doesn’t change the fact that people matter. My goal in sharing this story is to warn potential victims and assist law enforcement and other organizations in tracking the ever-expanding criminal enterprise of “pig-butchering.”

…and if your left thinking “he could have also done ____” or feeling like I missed adding another 🚩… Keep fighting the good fight!

, , , , ,