Bridging VM to VPN only

I’m in the process of setting up headless VMs for some automated scambaiting. I want to set up a virtual network topology where scammers are on VMs that are exclusively connected to VPNs without them realizing it. But I need the host machine connected without a VPN. I’m thinking of configuring a virtual box private network, with the VMs only connected to the virtual box private network. Deploying a “router” on the virtual network that runs a DHCP server and is bridged to my local network but running a VPN locally on the “router” VM.

Anyone done something similar and experienced issues?

1 Like

I don’t have an answer, just questions about your setup.

How many VMs can you get on one machine? Have you considered any cloud VMs? Have you shared any of the details of how you’re automating scambaiting with VMs, I’d be interested

1 Like

How many VMs can you get on one machine? Realistically, because each ‘user’ doesn’t constantly max out usage you can manage about 1.5 users per physical thread on CPU. Ergo, an 4/8 thread CPU could handle VMs for 5.333 users for basic web browsing/etc. An 8C/16T CPU could handle 10.666… users. That said, the scammers are not typical end users so…they can deal with resource limitations.

Have you considered any cloud VMs? I’d rather not rely on any cloud services due to costs of running 24/7 and whatnot. Also, with a whole virtual network/router I can utilize certain VPN services that offer residential IP addresses and refresh the VPN IP as needed. Making it much much more difficult for scammers to identify.

Have you shared any of the details of how you’re automating scambaiting with VMs, The VMS are a ‘small’ part of it. I currently have a full featured scambaiting bot that can call a number/receive calls, answer basic questions and try to keep people engaged, it is capable of multiple voices/identities and has a basic ‘state tracking’ system to pretend if a ‘computer’ is on/off. Right now I’m just lacking real world testing for all the possible things that could be said on a call and responding appropriately. Call duration is usually a minute or two because it doesn’t recognize how to handle a phrase and says something wrong. Long term goal, I want to accomplish the first ‘self driving scambait’ where a computer catches a number, calls the scammer, lets them remote in, mess around, and then waste the scammer’s time with a bunch of bad credit cards.

Realistically, technology is getting to the point where in less than 2-5 years scammers will have automated call centers and no longer need physical people. Might as well try to get ahead of their own game. If you want, shoot me a DM and I can give you a DID one of the bots are operating on and you’re welcome to call it and mess around with it.