chocolatkey
Here are the original posts themselves, probably more interesting to people here:

https://blog.smithsecurity.biz/hacking-the-scammers

https://blog.smithsecurity.biz/systematic-destruction-hackin...

merek
I recently came across NanoBaiter on YouTube. He baits scammers and hacks their systems, often disrupting their entire operation.

He identifies the culprits in detail, scares the hell out of them, reports them to police, and tries to inform / refund the victims. In at least one video, he accesses the scammer's Stripe account and refunds the victims (often elderly) for their payments on bogus IT security products. I recall another video where gains access to the CCTV in the scammer's office building, and captures a police raid on the scammers.

https://www.youtube.com/@NanoBaiter

Fokamul
Noticed the salt used for encrypting password, in the writeup?

"wangduoyu666!.+-"

Whoops, this looks like username -> wangduoyu666 (same for "wangduoyu8", "wdy666666". Seems like they're incrementing numbers in username too, but probably false positives, maybe popular username)

Google it. Probably skid's github, linkedin, etc. (not verified)

And looks like OP missed this. Also name on telegram is fake of course, Wang Duo Yu is singer in China, so skid is using singer's name as username and also as a full name in Telegram.

Ps.: From their backup telegram, also "wangduoyu12"

Ps2: From OP write up -> https://t.me/wangduoyu0 -> there is youtube channel https://www.youtube.com/@duoyuwang4820 which links in description to this telegram channel wangduoyu0

And it's full of videos of someone making tutorials to bypass china firewall? etc. Multiple 30min-1hour videos, there must be treasure trove of info. Videos is leaking these gmail accounts: https://i.imgur.com/LUiKbF6.png

janalsncm
> The Smishing Triad network sends up to 100,000 scam texts per day globally

This should not be possible. I guess the iMessage scams used e2ee, but the SMS scams should have been caught. It would be great if there was law enforcement that competently handled cybercrime, or at least triaged it.

More broadly, and at the risk of creating another TLA, the US needs a Blue Team version of the NSA. In other words, identify critical infrastructure, figure out how it can be hacked, and require that companies fix the issues. Use national security if need be. Banks have to undergo stress tests to prove they are solvent, there is no reason that critical infrastructure should be able to leave their doors unlocked.

cvoss
> The creator is a current computer science student in China who is using the skills he's learning to make a pretty penny on the side.

There's a strong argument right here for teaching technology ethics as part of a typical CS curriculum. I'm not saying that would have stopped this student from making his own unethical choices, but it does highlight the fact that we equip people with these really powerful technical skills, but we don't even try to equip them with the ethics to be responsible about it. We just sort of hope they were raised right, I guess.

Anyone here have experience with a curriculum that includes the ethics aspect?

Joker_vD
Can you be prosecuted for hacking cybercriminals back? Because I am pretty certain that you, if you had something stolen from you, are not actually allowed to break and enter the thief's house, take your stuff back and leave, and you're definitely not allowed to make a copy of keys for their locks while you're at it.
localghost3000
ianhawes
Congress desperately needs to carve out an exemption in the CFAA for situations like this.
prmoustache
we need a new phone/text messaging infrastructure that prevent number spoofing AND force operators to filter out scams attempts.
ChrisMarshallNY
I've learned to leave hackers and scammers alone; no matter how much they piss me off.

Most of them are quite capable of delivering a nasty counterattack. Some, IRL.

Had a friend hack a spammer that hijacked his server, and they blasted his server into LEO.

happymellon
What's quite interesting about this is the iMessage integration, as this is a good example that directly contradicts Apple supporters claims on this very site.
forinti
When I have the time, I like to script an attack on phishing sites by posting false data. The idea is to fill their databases with trash, and make it more difficult for the criminals to weed out real data entered by victims.
paul7986
Amazing over 400K people entered their credit card information.. mind boggling to me yet like all to most of us here we just about ignore every phone call and text message not from someone already in our contacts.

I always thought there should be a driver license and test to use the Internet to cut down on people being ignorant. As well or a class you must pass in high school that teaches ignore all phone calls, text, emails and etc from people you have not met offline. If you do meet them online make them snap or facetime you fairly quickly to verify veracity.

jeffwask
I wonder if these are the ones I constantly get saying I have a package at USPS and they need info but the texts all originate from an international number, so they are obviously fake to me.
hot_gril
I used to get frequent iMessages that look just like this, except with links to a different domain name. Last one was July 21, linking to https://us-usps-mg.top/us

Seems it's no longer active. If I send "Y", the message is not delivered. The domain points to 404 on a "King Ice" website selling jewelry shaped like guns or penises, I'm not joking.

wizardforhire
Heres my off the cuff take on law enforcement not going after scammers to the fullest extant that I think we can all agree they should…

The US has roughly 340 million people now.

The US gdp is roughly 28 trillion dollars.

Which means that on average the dollar value per citizen is roughly 82 thousand dollars…

Divided by days in year, hours and minutes its roughly 15 cents per minute.

So if we assume 100% of the population is getting at least one scam a day of some sort and that the disruption to thought to get back on track as result of the anger induced is about 30 minutes…

That puts the loss to the US at little over 1.5 trillion dollars in lost productivity.

The US currently spends roughly 840 billion on defense…

So almost twice the yearly national defense budget is potentially lost to scams.

Seems crazy, as I said off the cuff. I would love to see some way more accurate numbers.

But arguing in dollar amounts I think will go a long way to putting the problem in perspective. And who knows, maybe we’ll get to some drone strikes on scammers in our lifetime.

rererereferred
I got one of these texts just last week. In Spanish and pretending to be my country's national postal office. Also using a .top domain.

What's freaky is I just got a package through the post office a few days before. These guys are maybe accessing package tracking tools looking for phone numbers. I would expect that's not heavily secured data.

Edit: I reported the domain to the registrar and they took it down.

smm11
I broke into VT-100 terminals (the real ones, not the modern terminal app derivative) at my university library over 40 years ago.

Can't tell you how, it's been a minute.

wdb
Why are they not accepting a whole bunch of credit card (types)?
batch12
One wife is enough I guess
RockRobotRock
Opps wanted some initiative, blew up their entire quadrant
idunnoman1222
How come vigilanteeism is accepted for computer related crimes but not other ones?
0xEF
I hate that it kicks off with "DISCLAIMER: This is not my work. I would never and don't condone illegal hacking of scammers"

You know what? I do. We all should. These scammers are awful people and deserve to be attacked. I am tired of toothless authorities like CISA and the alphabet agencies in the US doing next to nothing about it unless some YouTube scam baiter does the work for them. Scammers destroy people, not just financially, but emotionally as well, even driving some victims to suicide. As far as I am concerned, any wannabe hacker out there should be using these scammers for target practice.

OfficeChad
[dead]
advisedwang
[flagged]
VikingCoder
Remember *69? You'd get the phone number of the person who just called you? (Theoretically - it didn't always work.)

How in the hell do we not have a trivial "report a scam" option on phone calls and text messages? Which reports it to the FTC or FBI or something?

Scoundreller
> Michael Martel, a national public information officer at USPIS, says the information provided by Smith is being used as part of an ongoing USPIS investigation and that the agency cannot comment on specific details.

Oh, they 100% can. There's a US Constitution thing allowing them to comment on things. They just chose not to comment because they don't want to.