Translation troubles.

Something short and sweet here.  Let’s just say that some translation software is better than others, as can be demonstrated by this wonderful gibberish when trying to translate a “we put spyware on your PC and recorded you” scam email using Chrome’s built in translation facility:


I have a good deal.
22/08/2018 – I am disappointed, my best regards you Operating system Complete Visit Completion Check your

In your case, Tianyi Indirect Juggling Device Software, Existence One piece of a gut.
We have ahead of our predecessor.
When you are importing Internet, I’d like to have a wooden horse cake installation your own operation control system.

This later, we finished Ryo你的磁盘转储(We Yes你Possessive Institute Add book,查看网站basis历史records, owned Bunken, Telephone No.码和owned联系human land ruins).

A month ago, Ideal Stacy 你 的 设置 设计 Request small amount funds.
我 我 看看 看 您 常 normally 訪問 的 网站. 你 Most Joyful Resource Order.
I think that adult 网站.

My idea – 你 是 个 个人. 你 有 一个 Order eye flower disgusting illusion!

Lady Nagoya, I was thinking Shinichi ‘s idea law.
Yeah Yeah Yeah Yeah Young adult 网站 的 图图 (你 知道 我 的 意意, 是 是?).
Afterwards, we are in a good location. We are pleased to hear from you. (Used 你 accomplished facility).
RESULT REASON! Unnecessary 犹!!

I’m sorry to inquire about your relatives, friends or the same exhibit.
My acknowledgment 327 Mimoto 对 于 I silence 是 minority.
Outside this time, I’ve got time to spare time and time to live!

Ikuhito Farewell receipt.
We specifically BTC钱包: 1P7bLeCJywaaDRQpT7iwb4qzUHa4CpRFyP

您不Tomomichi how补充ratio especially币钱wrapped?
How many searches are undertaken pull – in copying “How to supplement btc package”.
这 很 简单.

Attached articles, 你 有 两 天 N point (好 好 50 个 时).
Complaints of mind, timing instruments ladies Please do when you believe in this case. Strategy, 是 的 .. 其 已 经 Started!

After the supplementary notice, my disease poisoning hazards compromised self – destruction.
As a result you have received a wealthy designation amount, your own equipment coverage, your own ownership 联系 联系 系 系 娱 娱 娱 娱 娱 娱 娱 娱 娱 娱 娱 娱 娱 娱 娱…………

Necessary attention!
– Unnecessary trial 到 Congratulations 毁 我 的 毒毒! (您的own number据都ERROR传到远程clothing务器)
– required试图联系I (这是impossible manner, we communication过您manner帐户countercurrent您发OkuRyo此电Ko邮件)
– each种安All clothes务对您没chromatic帮助; formality of磁盘Certainly, you are in a situation.

Attachment: WEBOOKEN, after the supplementary notice, we are misunderstood.
Hacker criteria for black and white customers.

Ũ Start now, I Chen Yo Used good antiseptic victims Software update period (每 天 則)!

Unnecessary living my 气, 个 个 人 都 有 有 self work.
Looking again.


If you want to see a better translation, here’s one using Google translate:


I greet you!

I have a bad news.
22/08/2018 – On this day, I attacked your operating system and fully accessed your account

That’s it.
There is a vulnerability in the software of the router you are connecting to that day.
I first attacked this router and put malicious code on it.
When you type over the Internet, my Trojan is installed on your device’s operating system.

After that, I completed your disk dump (I have all your address books, view the history of the site, all files, phone numbers and addresses of all contacts).

A month ago, I wanted to lock your device and ask for a small amount of money to unlock it.
But I looked at the websites you visit frequently. I am shocked by your favorite resources.
I am talking about adult websites.

I want to say – you are a big pervert. You have a dazzling fantasy!

After that, I thought of an idea.
I made a screenshot of your favorite adult website (you know what I mean, is it?).
After that, I took photos of you and your entertainment while browsing this website (I used your device’s camera).
The result is great! Do not hesitate!

I am convinced that you do not want to show these photos to your relatives, friends or colleagues.
I think the $327 is a small amount for my silence.
In addition, I spent a lot of time on you!

I accept money in Bitcoin.
My BTC wallet: 1P7bLeCJywaaDRQpT7iwb4qzUHa4CpRFyP

You don’t know how to add Bitcoin wallet?
Write “How to add a btc wallet” in any search engine.
this is very simple.

For payment, you have a little more than two days (just 50 hours).
Don’t worry, the timer will start when you open this letter. Yes, yes.. it has already started!

After the payment, my virus and your compromise are automatically destroyed.
If I don’t receive the amount you specify, your device will be blocked and all your contacts will receive your entertainment photos.

Be cautious!
– Don’t try to find and destroy my virus! (all your data has been uploaded to the remote server)
– Don’t try to contact me (this is not possible, I sent you this email through your account)
– Various security services don’t help you; formatting a disk or destroying a device doesn’t help, because your data is already on a remote server.

PS: I promise that I will not bother you after payment, because you are not my only customer.
This is a honour criterion for hackers.

From now on, I recommend that you use good anti-virus software and update it regularly (a few times a day)!

Don’t be angry with me, everyone has their own work.

“Too good to be true” is old hat now.

Recently I was invited to a “Preventing MMF” seminar.  Sounds fancy, but it was simply some presentations regarding research on internet fraud.  It was a good chance to make some new contacts and touch base with some old ones.  A lot of what was said confirmed what we’ve been saying for years, and isn’t worth mentioning here as it’d be preaching to the choir.  However, a few things are worth discussing further.  One of them was the opinion “If it seems too good to be true….” doesn’t work anymore.  Let’s look further into it to explain why.

This was specifically related to job scams, and the initial messages.  You see, unlike your common or garden 419 scam email, these don’t immediately offer large sums of money.  Some barely mention money at all, and some are vague to the point of not actually saying anything at all.  That’s the problem – there’s nothing in the early stages that say “this is definitely a scam”.  By the time the scam is in full effect, the person is already sucked in.  Let me ask this question.  What can we do to deal with this?  Do we need to change the phrase to “If it seems too good, or too vague to be true…”?  Your guess is as good as mine right now.  All I do know is that we need to do something to counteract it.

Sometimes real life gets in the way.

It’s worth pointing out that what we do here, we do purely on a voluntary basis.  We don’t get paid, but do this because we feel it’s the right thing to do.  We all have lives away from the site.  We work, have families, need to do our laundry, drive the kids to hospital appointments etc.  These past few weeks for example have been particularly hectic for me.  As the only member of the family that drives, when our eldest moved into his first flat, it was up to me to transport all his belongings to the new place.  Add to that my car deciding to refuse to work (still not fixed, but I have the new part ready and it’ll be done as soon as the weather stays dry long enough to fit it), redecorating and moving my “office” into his old bedroom (still in disarray as I’m waiting on a new carpet to go down before permanently getting things fixed in position), me being hit by a stomach bug (thankfully over now) and still having to do all the normal things that need doing on a daily basis, the site has had to take a bit of a back seat lately.  Next week I’m away at a conference as a representative of the site, and that’s sandwiched between seeing three different live shows around the country.  But I promise after all that, things’ll be back to normal.

What happens to the information we receive?

It’s a question we get asked a lot, so let’s explain.  Firstly, we get our information from three sources.  The first is ourselves and the accounts we set up specifically to be contacted by scammers.  The second is by people who fill in the forms we created.  Thirdly, people contact us with information after seeing details on our forum.  That last sentence is the key.  The information we get is posted on our forum and made publicly available for everyone.  Not everyone does that.  Some bodies only ever use the information they receive for their own databases, or to be shared with companies.  The general public never get the benefit of being able to search for someone’s email address, phone number etc. and be given proof they’re a scammer.  So this is the main thing the information we receive is used for, getting the word out to the public.  There are however other uses for that information.  Everything we receive gets researched, and sometimes is the key we need to burst open the floodgates with other information.  A single email may for example lead to the discovery of dozens (or even hundreds) of fake websites used by scammers.  With this information we can do some serious damage to the scammers as we have connection we can contact to get these sites closed.  Likewise with bank accounts.  An email with enough proof can lead to a scammer’s assets being frozen.  There’s also the times law enforcement has contacted us about the details we’ve posted asking for more information or how we were able to connect the dots between an email address and a scammer’s real life details.  Every piece of information we’re given is used to track down or financially hurt the scammers.  That’s why we constantly ask for more information.  Information is power.  Information is also the best weapon in the fight against scammers, especially when it’s shared.

Anti vigilante.

The media seem to love the term “vigilante” when it comes to anyone in the anti scam community.  Some may love it, but we definitely don’t.  It implies doing things outside the law, and that’s not how we work.  There have been times when the police have approached us asking us to explain how we managed to identify a scammer’s real details.  It would be impossible to do that if we in any way did anything that wasn’t completely legal.  Likewise, when the media contacts us, we have to be able to jump through numerous hoops to keep their legal departments happy.  Most of the time we even have to prove that it was the scammer that contacted us first so we can’t be accused of entrapment.  In short, we have to be whiter than white and be seen to be so.  That’s why seeing the media bandy round the term vigilante drives us round the bend.  We’re not Batman.  Most of the time we’re nothing more than people sitting at a desk copy and pasting information between Google and our forum.  It’s not exciting, it’s not glamorous and it’s definitely not vigilantism.

No news is good news.

Nothing to report.  Seriously, there’s not been anything exciting or even remotely interesting to post about here.  Is that a bad thing?  Nope.  We’ve had no issues, no threats, nothing major to complain about and nothing to write about.  I mean sure, we’ve had a few gripes, but not anything worth kicking up a fuss over.  There’s some news on the horizon, but we’ll talk about that when it happens.  Until then, this post is the equivalent of “9am and all’s well”.

It had to happen eventually. I’ve been sextorted.

Today when I checked my inbox, I saw an email titled “account was hacked”.  Nothing unusual there.  I often get people writing me saying that their account was hacked and asking for help.  On second glance, I noticed it had one of my own email addresses showing as the “From” address.  To be precise, it’s my @RomanceScamBaiter account.  That was my very first site, and hasn’t been updated in years after being superseded by StupidScammers.  First thought, “Oh crap, someone’s hacked the server”, followed a second later by “Oh hang on, I know what this is going to be”.

Sure enough, on clicking it I saw this:

account was hacked

I’m a member of an international hacker group.

As you could probably have guessed, your account was hacked, because I sent message you from it.

Now I have access to you accounts!
For example, your password for is XXXXXX

Within a period from July 7, 2018 to September 23, 2018, you were infected by the virus we’ve created, through an adult website you’ve visited.
So far, we have access to your messages, social media accounts, and messengers.
Moreover, we’ve gotten full damps of these data.

We are aware of your little and big secrets…yeah, you do have them. We saw and recorded your doings on porn websites. Your tastes are so weird, you know..

But the key thing is that sometimes we recorded you with your webcam, syncing the recordings with what you watched!
I think you are not interested show this video to your friends, relatives, and your intimate one…

Transfer $700 to our Bitcoin wallet: 13DAd45ARMJW6th1cBuY1FwB9beVSzW77R
If you don’t know about Bitcoin please input in Google “buy BTC”. It’s really easy.

I guarantee that after that, we’ll erase all your “data” :)

A timer will start once you read this message. You have 48 hours to pay the above-mentioned amount.

Your data will be erased once the money are transferred.
If they are not, all your messages and videos recorded will be automatically sent to all your contacts found on your devices at the moment of infection.

You should always think about your security.
We hope this case will teach you to keep secrets.
Take care of yourself.

We’ve been reporting this kind of scam since August of last year.  You can see the thread at and follow along with how the scam has evolved during this past year.  Spoiler alert:  It hasn’t changed that much at all.

Back to my email though.  The first thing I did was check for a “Reply to” address, but unfortunately it doesn’t have one.  It did however have an IP address we could check out.  That leads to a mobile connection originating from Kosice in Slovakia.  Checking out the  Bitcoin reference shows that one person appears to have paid; not the $700 demanded, but around $90.  Not much info that can be used unfortunately, but it does mean that I can now speak as someone who’s received one of these emails myself, and not just posted up ones others have sent us.  What I can say is that the password is old.  It’s VERY old.  I haven’t used that account to sign up to anything in around seven years.  It’s so long ago I can’t even remember what the password was for, which is a shame as I could have said what breach it came from if I could.

Now I’ve received one myself, can I call myself an “expert”?


Advance Fee Fraud – more than a problem of semantics

Every minute of the day, somewhere in the world someone is being defrauded online. The media, the ordinary people and experts use different names for the same problem. If it happens to a business, it’s called online fraud. If it targets a state it is called cybercrime. If that targets a regular Internet user it is called a scam.

We all agree that fraud is a crime. The rest is a matter of semantics …

The malicious parties committing fraud are also known by various names. If they are targeting a business, they are called hackers. If they are targeting a state they are called cybercriminals. If they are targeting an ordinary person they are called scammers. The same party targeting a bank with the exact same malicious activity as consumers, will be considered a fraudster by the bank, but will be called a scammer by the media for targeting consumers.

We have laws against fraud, online or not, and the commercial arena invests billions each year to prevent being victimized while also proactively mitigating online threats. We also have laws against cybercrime, governments are investing billions each year to protect their interests, their institutions and their integrity. When it comes to average people defrauded online, we have a system where victims are blamed for being a victim and and that is where it ends. If the victim is lucky, there might be a recognition of the abuse, but hardly any chance of justice or restitution unless you are a famous person. The laws might apply, but it appears not implemented in the same way.

We have people so specialized in the online crime arena, that the average Internet user cannot even begin to understand what they are talking about when they are talking about online crime. Not understanding the experts leaves the victims feeling inferior and even less willing to communicate with the others or even the experts. Most of the experts are talking from a commercial or governmental interest arenas. Victims of Advance Fee Fraud are not part of that arena. Ironically most of the experts do not even understand the convoluted details of Advance Fee Fraud.

We have financial systems in an online environment trying to shift responsibility for risk and loss to anyone else if possible, instead of implementing valid options to avoid and prevent online abuse and fraud. We see the same blame shifting paradigm at the providers of online services.

On the other hand, we have non-recognized, yet knowledgeable people, trying to warn others and save them from fraud by exposing online fraud. This is done in to promote consumer protection. Sadly, their good intentions are not enough most of the time. They cannot do more than to expose the cyber fraud, while proactively reporting it to those whose services are abused and attempting to escalate such cases to the appropriate authorities after a fraud incident. By then consumer protection is too late and we are trying to pick up the pieces after failed protection.

In this equation we have the law enforcement authorities established to protect their citizens from any form of abuse and usually failing because of issues having nothing to do with their mission, facing jurisdictional problems, lack of resources or verifiable information for online crimes. Then other factors intent on protecting their finite capacities comes into play, the typical ‘loss above or below’ a certain amount, statistically known  most serious and most reported threats, while other less reported online fraud slips between the cracks. In the meantime they are forced to deal with physical world infractional events that needs to be solved.

Basic online badness


Using the Internet to acquire somebody else’s money in illegitimate ways can take many forms. We encounter malware infecting the victim’s computer and encrypting it for ransom, or getting access to their content without the victim’s consent or knowledge, with the intention of reusing that content to defraud the owner of that computer, their network or friends.

In phishing we encounter a malicious link or email impersonating a real entity with the purpose of harvesting login credentials like passwords, usernames or similar authentications we use to identify ourselves to an online service, compromising our email address, our online profile on a social platform, our bank account, our credit card details or any other of our online activities.

Then we encounter Advance Fee Fraud; a lie based on the idea of offering something that doesn’t exist with the victim having to pay upfront to obtain it.

We have clear statistics for malware and phishing. Yet when it comes to Advance Fee Fraud, nothing is clear. While we may have a generally accepted definitions of it, many of the elements used in  Advance Fee Fraud are incorrectly labeled as phishing. Many of its elements are not even recognized as fraud, rather considered social engineering. It is one of the most under reported areas of online fraud and where consumers have the least protection. There is no standard accepted procedure for dealing with Advance Fee Fraud and prosecuting, nor concerted efforts to stop  it, despite growing annually for more than two decades and being an entry level crime for later serious threats.

Background for confusion


Using words without knowing their meaning can only confuse people and it’s maybe a good time to  clarify this mess. We all use common terms, but we understand different things when using them. We’ll consider the term hacker.

In the real life, hacking was initially the ability of a person to mess about with something in a way to investigate it, improve it or give it a new purpose. It was neither good nor bad. Online hacking was a progression of real life hacking, messing about with the new technology.

Later a portion of hackers evolved into a movement fighting for the freedom of information and for the right of knowing what states and corporate entities tries to hide from them. It was done by gaining access to computers or networks and then viewing and copying data without the intention of destroying it or maliciously harming the computer. Sharing that information publicly was the purpose of the hacking. The perception of hacking as good or bad, depended on the type of information exposed and who was exposed in it. This was a subjective view. Obviously this was a threat to any state and made illegal.

At the same time, hacking extended into finding vulnerabilities in programs and reporting those vulnerabilities to avoid the program getting under malicious control. Allowing hacking became accepted in advanced forms of protection, counting on the help of independent people testing online platforms, interfaces or programs to identify any potential vulnerability before someone will use it maliciously.

On the opposite side there are crackers, using their technical skills to gain access to a computer or network with malicious intent, from spreading viruses or malware to stealing money or information that can be sold further for stealing money.

In and between we find the script kiddies, wanna-be hackers fooling themselves that they are hackers by obtaining software created by someone else, and using it without having any idea how the software really works.

The conflict between hackers and corporations or states resulted in hackers being labeled as bad. Even parties trying to expose flaws for better security were targeted and sometimes still are, for the embarrassment they may create. Media played a major role in this conflict creating stereotypes, either good or bad, likewise societal views on who was exposed. It took some time until the roleplayers understood the difference between various types of hackers. The final decision was more or less to work with the good hackers to stop the bad hackers. Only after this point did the media paint a different picture in the public mind. Now it was about so called “white hats” being the IT sec wizards trying to do good, and the “black hats” as the bad ones trying to harm. The damage was already done in the collective mind, unable to understand all this confusion or to make any distinction between white and black, simply using the term hacker in the negative way.

The players


Let’s look at the ones defrauding victims online and named in different ways.

Far away from this entire conflict, the scammer is usually someone without any technical skills, whose only skills are deception, holding out false promises and asking to be paid in advance for it.  The promises can be prizes, money or even fictitious love and promises of a future together. The money he steals can be used in two ways. The stupid scammer lives a lavish life, wasting the money in a bling-bling lifestyle meant  to impress others. The smarter one, while also splashing out, will use some of the stolen money to invest in something he doesn’t have to refine his fraud; knowledge and help. Where can he buy that from? From the ones knowing how to abuse the online environment to their advantage, the black hats.  

The Advance Fee Fraud seen today would be near impossible without the entire infrastructure built and created with money obtained from fraud. Stolen money is being used to pay  for fake sites used in fraud, while stolen credit cards are used to register/validate profiles online. Many of these stolen credit card details are purchased with stolen money. This money is paying for bulletproof hosting (where these providers self-blind to the numerous reports they receive) where fraudsters keep their fraudulent websites alive. This stolen money is buying privacy for the fraudster while he exposes victims details online, easy to be found by anybody knowing where to look for it and allowing further abuse of those victims. The stolen money is being used to pay for SEO campaigns, sometimes allowing fraudulent presences to be better positioned in the search engines results as the real entities. In certain countries, stolen money pays for bribes needed to keep the culprits out of jail. Fraud may even fuel a large portion of a community’s economy.


The playground


An important part of our lives is spent online. Internet commerce thrives in the good and the bad. The regular innocent Internet user is the main testing ground for anyone able to gain enough information and use it to achieve proposed goals.  

On one side of the screen we have the victim, usually alone and operating a computer, mobile phone or, to use the new phrase, Internet of Things device, without knowing exactly how that device works but  having an expectation of it working properly. He does not understand the various levels that can be compromised, rather simply trust other specialists to take care of that.

On the other side of the same screen are entire crowds of malicious parties trying to steal his money, his identity or abuse the target in some way.  

The victim may have anti-virus software able to protect him from malware or phishing, but sadly there is no software able to protect him from Advance Fee Fraud.

Internet users are the main source of identities and credentials stolen to be reused for stealing more. They are the silent majority, victims of online abuse, learning from bitter experiences that complaining will do them no good and will not solve the problem. There is no one out there to protect them despite trying to protect themselves. Even so, they share their details with other entities for online services. When an online platform, corporation or a state institution database is breached, the information stolen is that of Internet consumers using those online services.

Common internet consumers have become the training ground for cyber criminals. They are the first receivers of the phishing links when they are asked to click and confirm their login details. They are the first ones receiving documents infected with malware, dragging their devices into infrastructures of infected devices called botnets, used in more advanced types of cybercrimes. They are the testing ground for all kind of lies and pretenses. If the tests are working on them, the bad actors confidently expand the targets to higher paying targets. Typo-domains so long used against consumers are now extremely problematic in Business Email Compromise (BEC) targeting businesses with great success.


The alliance between the scammers and black hats found the average Internet users can be used and abused as pawns to protect their own anonymity and safety. Romance scams victims may receive a death sentence after being deceived into smuggling drugs, online fraud victims end up in jail after being unwitting money mules and somebody trusting the internet to find a job may be arrested for reshipping stolen goods bought with stolen money and credit cards. Innocent unwitting consumers are the pawns in criminal money laundering initiatives.

The public reaction is almost predictable, blaming and shaming the victim for believing a lie, making the victim responsible for the fraud no victim was ever asking for.  Many a time companies and even the authorities partake in this.


Behind the sceneS


The victim might be alone while communicating with a scammer, but the scammer is not alone. He is a member of a fraud syndicate. The syndicate has a whole infrastructure controlling resources and elements needed for a successful scam. The victim is profiled and analyzed prior to the fraudster starting to “work” the victim. The ring leader pays for the scripts the main scammer uses, pays for the phone numbers, mobile or VoIP. He provides the names and locations of the people receiving the stolen money for money laundering. Many of the recipients are actual victims themselves as mentioned before, having no idea they are using their real identities while laundering money for the fraudsters. The ring leader decides on domain names and pays for the domain names used to perpetrate the fraud,  also paying the ones creating websites for those domains – enter the faker maker.

The faker makers is the technical person that does everything needed to keep the required websites active, from registering the domain name, setting up email accounts, hosting and creating the website to rehosting it if the site gets suspended.  This is the real story that makes the scam succeed, that hardly ever gets told.

We have two main types of domain names used in Advance Fee Fraud:

  • Email only domains having no content:
    These domains are used for the deceptive email address such a domain can provide. The domain will typically have no matching online content, or when a party goes to the domain name in their browser, it will redirects to another legitimate website (often one being spoofed). The main deception is based upon the choice of domain name that would appear in the target victim’s email box. Any further potential online redirection after this is opportunistic to further the deception in the fraud attempt by creating a false sense of association.


  • Domains used for content:
    The content may be stolen from one or more websites, may impersonate the company it was stolen from or be stolen as a crime of convenience. However the content may be totally bespoke as well, yet deliberately deceptive nonetheless. The choice of domain name is a good indicator of intent. A totally unique name for a loan company with a domain name with the word loan in it, would be an example of common loan scam usage. Tactics may be used to hide the content from the casual passer-by. The content may be hidden in folders with an empty or blank landing page. Likewise sub-domains such as login.bad-domain.tld  as opposed to the generic bad-domain.tld may be used. The victim is sent a link in communications to the malicious website, not unlike phishing.


Fake banks


The fake bank is  used in all types of online fraud. There are two types of fake banks:

  • Fake Persona Accounts
    These are ones where the victims is asked to go and verify the “existence” of money the scammer claims to have or have access to and wants to share with the victim. These are typically used for fake accounts of dead person where the victim is asked to be next of kin of this person, or also commonly for the accounts of fake characters used in romance scams asking their victims to help them with the guarantee of a payback.


  • Personalized Accounts
    Here an account is created in the victim’s name, sometimes after being asked to create an account at the fake bank. This is used for  receiving money the scammer promised to deliver and a fictitious amount is entered into a mock accounting system to create the illusion this is real money. This usage is typically seen in lottery scams, inheritance scams, loan scams or typically where the victim expects a payment during a business transaction. An excuse always exists as to why the fraudsters can’t use the victim’s own account and a new one has to be created at the fake bank.


Fake suppliers


These fake sites impersonate a wide range of suppliers, from parties claiming to sell pets, electronic goods, though drugs and fake documents like visas and passports, to high priced items like agricultural equipment, properties, gold and precious stones.  Many of the underlying items used as bait to defraud and the methods used to target consumers, allows us to guess the origin of the fraudsters with amazing accuracy.


Fake couriers


The fake sites impersonating couriers are used in all types of online fraud. It might be used in a job scam where the victim needs to receive visa and work permit, a non-delivery scam with a victim waiting for a product bought online, where the victim believes they will receive a parcel from a loved one. In all the cases involving fake couriers, the victim will receive a link to a tracking page and login details to check the parcel status. Typically this is personal victim data entered into a mock courier database. The courier is typically used to extract more money from the victim using a myriad of excuses, also leading to impersonation of the authorities,  blackmail and extortion.


Fake authorities


Domain names  impersonating the authorities are a major part of Advance Fee Fraud and can be found in various shapes and forms, from domains impersonating law enforcement in various countries (FBI, Interpol, Homeland Security, DEA) to the United Nations, Red Cross, Embassies and lawyers. These type of sites are used mostly in recovery scams, but also in other types of scams and are meant to confirm to the victim the “legality” of the fraudster’s financial requests, many times using coercive methods. Typically the law enforcement domains will not have online websites, rather being used for email only purposes.


There will hardly ever be a single scammer dealing with a victim, nor a single fake site used. Once a victim pays up, another request follows.


We see harvesting campaigns disguised in attempted romances,
We see email only domains used in romance scams originating from East Europe –, some having the same domain owner (registrant) as hundred of other domains, already blacklisted for spreading malware. As we can see, sometimes these may spoof well known email providers like GMail to deceive potential victims.


Cases of fake sites used for a single type of scam are the exception and not the rule. Following a complaint from a victim searching for a loan online,  we uncovered a nest of over 200 fraudulent linked domain names operated from Benin, West Africa, targeting mostly victims in Europe: After the initial nest was reported and the domain names suspended, the fraudsters moved fast to create a new nest of domains:


Mostly, what we see are fake sites used with the same victims while the fraud moves ahead. A military romance scam starting on a dating or social site will lead to a fake delivery company for example. Researching a military romance scam defrauding a victim, we identified a Nigerian fraudster whose online activity goes on since 2004, despite of all the legal ways and reports used to stop him, 314 fraudulent fake sites on our last check: This party is also using many domains registered with fake registrations claiming to be European, getting privacy protection in the new GDPR implementation, yet living in Nigeria in reality. Of late he’s been using .EU and .CA domains for his infrastructure.


In some other cases, a romance scam will lead to fake banks. Researching a scam attempt involving a fake bank, we end up with a nest of 196 fraudulent domains and websites used in online fraud orchestrated from Nigeria:

We saw web-developers from Ghana creating fraudulent domain names for Advance Fee Fraud:


We saw a domain used as a Keybase botnet controller, having the same registrant as few fake sites used in Advance Fee Fraud:


We see escrow scams operated from Eastern Europe: and Then we see escrow scams associated with rental scams:

There are cases of job scam domains (searching for money mules or agents for reshipping stolen goods) originating from East Europe and registered with stolen identities. Some of these domain names are used for spreading malware: This party has been at it since 2012, each time using another stolen identity to register hundred of new malicious domains in waves.


We saw supplier scams originating from the Cameroon:  and


Sometimes, the fraudsters creating the fake sites are also impersonating fake characters in romance scams:  


Sometimes the people involved in the registration process of domain names are actively involved in the Advance Fee Fraud.


A Nigerian reseller living in Malaysia and targeting victims in Asian was reported at He had his reseller account suspended due to continuous fraudulent activities, only to thereafter twice more obtain reseller accounts facilitating the same exact fraud, each wave of attacks requiring mitigation. This facilitator moved to another “tolerant” registrar providing blanket proxy protection. This fraud wave saw over 17,000 known victims targeted.


Another Nigerian living in Malaysia and targeting victims wordwide was exposed at His sites were mostly fake oil companies where the fake characters used in romance scams claimed to work, fake banks where the same fake characters pretended to have their bank accounts while spoofing real banks, showing their victims they have enough money to pay back the money they are asking for, and fake courier companies. He was reported for the first time in 2007. In 2014,  he managed to become an Internet domains reseller for various Registrars. As a reseller, he was abusing his reseller position, altering his scam site registration details, trying to cover his tracks.


There are cases of so called web-developers not only creating fake sites but also coordinating the frauds: The Decyber gang has been active since 2010. Last year, their portfolio included close to 500 fake sites. In the initial stage, they were impersonating banks and courier companies. Some of the fake banks created were using made up names, while others were impersonating real banks all over the world. In the more recent years, the fake sites maker portion of this group expanded their activity from various forms of Advance Fee Fraud to binary options fraud, phishing and also malware.  


Another case we researched, following complaints received from victims, shows how a Nigerian scam syndicate uses fake sites impersonating real owners of various US real estate companies while targeting US victims, while also simultaneously running romance, gold and loan scams:


The above are all only cases reported to us by victims or potential victims. Knowing how many consumer forums are actively exposing Advance Fee Fraud, we can say that the research we do is only scratching the surface. A closer look at an Advance Fee Fraud case can show how developed the fraudulent infrastructure abused is.


Victims complaining to us are also reporting the cases to their local law enforcement authorities. They are contacting their banks, showing how they got defrauded. Banks usually say the victims were negligent and there is no way they can recover the money they lost.


We, and forums similar to us, are reporting frauds and the perpetrators in an easy way for anyone searching for that information to find before being too late. Victims of identity theft are warned about having their identity stolen and used for Advance Fee Fraud. The fake sites discovered are reported to the Registrars with the needed proof showing how they are used to defraud victims online. Bank accounts used in Advance Fee Fraud are reported to the banks as money laundering information.  

In most of the cases there is little or no feedback from authorities.

Defrauding innocent victims online under false pretenses is not just a scam, it has a legal name, fraud. Orchestrated crime needs to be punished. Advance Fee Fraud is slipping through the cracks in an online toxic environment, eroding trust daily.  Advance Fee Fraud is seen as the funny Nigerian Prince, not recognized as a danger at the same level as phishing or malware, yet it holds the exact same danger for consumers and later when evolved, commerce. Advance Fee Fraud requires the threat recognition it deserves. Without acknowledging it as such, there is no awareness or willingness to prevent it, attack it, estimate its effects or even evaluate its magnitude and growth. Statistics are mere assumptions based upon willing victim reports, those brave enough to face ridicule and blaming.

Currently we are seeing formal legal procedures to mitigate bank spoofs being described as phishing, when it’s not. This also disavows much similar abuse. This causes confusion for the investigator and consumers trying to understand what is happening. Advance Fee Fraud desperately needs consistent definitions and formal recognition as an abuse threat not only undermining the integrity of consumers and the internet, but also as one undermining basic human rights.

We need consistent definitions and terms of reference. Without that, we are living in different worlds, pretending to speak the same language, but unable to understand what the other is talking about.

It’s finally complete!

A few weeks ago I started putting together what’s essentially a “webcam blackmail 101” presentation.  I’m pleased to announce it’s finally complete.  A lot of information has been added since it was first mentioned.  You want to know what ages the people who come to use are?  We have it.  Their location?  That’s there.  How many scammers come from what places?  Check.  There’s even a video showing how the scammers create their fake webcams.  If you want to check it out, you can find it at


Not so much a new project as a “side” project.

So, let me explain.  As you may or may not be aware, we do a lot of work related to sextortion/webcam blackmail here.  A lot of other people are also talking right now about the same subject, but there’s a lot of misinformation out there.  Too many “experts” spouting off Chinese whispers versions of advice and getting some of the really important stuff wrong.  I felt the time was right to put out what I feel is a “definitive” guide.  It’s one based on over 6 years’ experience in dealing with these scams and over 25,000 forms containing scammer data.  This one isn’t really for the victims of the scams though, but for everyone else.  Some of the information will be similar to our steps, but again it’s for more of a general overview of the scam, how it works and so on.  It’s still a work in progress right now, as I tend to write up what’s needed all in one go and then rewrite, add to, take away from, shuffle around and generally alter my work until it barely looks like the first draft anymore.  I’m kind of 95% happy with it as it is right now, but there’s still no doubt going to be changes made to it over the next few weeks.  If you want to check it out, go to and please let me know what you think.