Deleting Files/Running Destructive Viruses = Pointless

Over the past couple of years in Scambaiting a trend has occurred where people have deleted files and destroyed computers. Typically, this is done by people who don’t know what they’re doing and just want to either troll the scammer or help, but I am here to say it doesn’t do much damage, and even in cases where it does, it isn’t the best option.

Now, I have made a thread like this before but it isn’t the best laid out etc. so I thought I’d make a new one.

Intro

So let’s get started:
A while ago I was dealing with a scammer and noticed he had a program on his computer to recover deleted files https://twitter.com/ReconScammers/status/1433809495289958401 and how it works is files aren’t actually deleted; they are still there but the operating system is basically like ‘yeah this space is free’ and then once those files are overwritten with new files that’s when they are fully gone. This allows file recovery software tools to get files back if they have not been overwritten. This applies even if removed from the Recycle Bin, which is what happens when ScamBaiters delete the scammers’ files, but those files are still recoverable.

Is this illegal?
In the US: https://www.cga.ct.gov/2012/rpt/2012-r-0254.htm
In the UK:

The Act also makes it an offence to make, adapt, supply or obtain articles for use in unlawfully gaining access to computer material or impairing the operation of a computer.

Access is defined in the Act as:

altering or erasing the computer programme or data
copying or moving the programme or data. (Department of Health, 2015)

Department of Health (2015). The Computer Misuse Act 1990 | Department of Health. [online] Department of Health. Available at: The Computer Misuse Act 1990 | Department of Health [Accessed 1 Dec. 2022].

Why deleting files is pointless

Now, you may be thinking scammers are too stupid to recover files this way and that is false. Now, most scammers probably don’t do this when their files get deleted; most scammers aren’t bothered and can just move on, as the usual files like leads lists and victim data aren’t that important: the victims’ numbers will be in their VOIP logs and in some cases sent to a higher-up or the boss, but either way they will get new victims in the future, so losing some victims is not that big of a deal. Same with lead lists, and if it’s saved they probably already dialled that leads list anyway, making it used and not important to the scammers.

They can just set up again easily, making it pointless. If you look at people like Jim Browning, they have gained access to CCTV and a raid www.youtube.com/watch?v=P6dhteJIY48 and another baiter’s raid https://www.youtube.com/watch?v=qmd_gIFTLTo. Notice how they all have cameras; that seems to be one of the keys for these raids. Just downloading files won’t cause a raid, looking at these videos. Destroying scammers’ computers destroys that opportunity and it removes evidence for the police. It can also destroy other scam baiters’ operations, for example https://www.youtube.com/watch?v=Dl-A1M1RsNc. While you should not send hate to this person, my friend @TheMidnight aka Midnight Scambaits https://www.youtube.com/@MidnightSB was watching this computer called Bob Docsta (this happened in 2021) and ended up losing the connection because of this. Other people I work with have had other run-ins with baiters who have deleted files.

Me and Midnight were watching this scammer and attempting to save victims in the process, this stopped that.

Same with running viruses/malware such as ransomware or memz etc. that is destructive or otherwise would alert the scammer that they have been hacked (different from what someone like Jim Browning does). While I don’t do it, it all depends on the situation; if you’re not affecting other baiters and you have monitored for a while and have good information then you do you. I have friends who do this once they’ve watched for a while if they plan on making a video out of it. I don’t completely agree with this, I know that they know they aren’t being stupid while doing it.

All this really does is teach them that they are vulnerable to this, and most I have seen end up realising it’s done and uninstalling any software that could make them vulnerable to this, which prevents this method being done in the future by more experienced baiters like Jim Browning or Scambaiter etc.

Why deleting files on its own doesn’t save victims

On the topic of victims, deleting files doesn’t save victims either. For some it may cause a small downtime but any victims they had actually won’t be saved. Here are the reasons for this: the victim will still have the remote software on their computer, and if it’s something like ConnectWise/ScreenConnect then the scammer will still have access to the victim’s computer and will be able to monitor; the victim has not been warned of the scam and has not been given a resource on scams and will most likely be victimised again in the future; their information is not secure, as the scammer could have their SSN or banking information; that information needs securing and their passwords changed, and they need help with trying to recover the funds. Deleting files just isn’t enough in that situation. Now, you may be thinking ‘but the scammer still has the victim information, they will recontact and scam them’ and what I can say is if they have a resource on scams and a way to contact back for help then this shouldn’t be too huge of an issue as it will prepare them for scams, plus it’s better than making the scammer aware he’s been accessed and research and learn how to prevent it in the future or realise.

What I suggest people do
I do not suggest people access scammers’ computers due to the fact it is illegal and the fact new baiters won’t know what to do. It could turn into giving victims back advice or nuking the computer by not knowing what to do. I suggest leaving this stuff to people like Jim Browning, Scammer Payback, Scambaiter, NanoBaiter, Midnight Scambaits, HowToDelete. Took me a while to learn the proper way to do things; before then I would either screw things up or miss important things. Caused issues and learnt. You don’t want to be a problem in this community, you wanna have people to guide you, but not a lot of people would do that with random people as you need trust for this side of scambaiting, as you see victim information and scammers’ information such as ID cards that a bad actor could easily misuse. Won’t mention names but I know of a Scambaiter (who me and the people I work with were told was reported to the police by someone with his actual information) who was stealing from victims using information he got off the scammers’ computer. This is one of the main reasons I don’t teach people what I and others like Jim do.

Ending

I know we all have our own methods but as someone who knows about this topic, it really isn’t the right way. It gets actual baiters mad who put time and effort into finding out who these scammers are and saving victims etc. Plus, the baiters who do this for the most part I have seen just be immature in baits, curse a lot at the scammers and reveal, treating it more as a game than being professional. While you should have fun while baiting, you shouldn’t be like ‘oh my I deleted your files’ and then make them aware you did it and teach them. If you’re going to do something where you have the up and up on a scammer such as gain wire information etc., why would you reveal and make it so they won’t give up that stuff in the future? I think it’s dumb.

TL;DR deleting files is illegal and just makes the scammers aware, they can restore from backups or recover deleted files and it could affect other baiters’ work and there’s a lot more you can do.

24 Likes

I agree about deleting files being pointless. And if you’re on the system, definitely don’t let them know, otherwise chances of linking it back to you go up. Not to mention you’ll probably end up telling them how you got into the system.

A better idea in my opinion would be keylogging, screenshot logging, and using their cameras to find out more information about what they’re doing and to find their accounts and track them down. If you’ve got a shell on the system you can also use it to pinpoint their location.

And if you can find their accounts and like a file of who they have scammed and how much (which I bet at least some do keep), you could potentially automate sending money from the scammer back to the victim.

So yeah the most destructive route is not always the most productive route. From what I’ve seen here a lot of people who want to do the hacking would be so easy to track down as well. Leave it up to those who know what they’re doing.

7 Likes

As someone who did digital forensics for quite a few years, I will attest to how easy it really is to recover “deleted” files. With today’s massive hard drives/SSDs, etc., even files you thought were long gone may very well still exist on the drive in a number of ways. It truly doesn’t take an expert to run a file recovery program or even some free digital forensic software and recover files. Even just using Windows built-in functions makes grabbing lost files easy in many instances.

9 Likes
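The behaviour described in the opening post and in the forensics reply above (a delete only marks space as free, and content survives until something overwrites it), as an added example that is not part of the thread. `ToyVolume`, the 16-byte block size and the sample records are constructed for illustration and do not reproduce any real filesystem's on-disk format.

```python
BLOCK = 16  # bytes per block; constructed toy size (real clusters are typically 4 KiB)

class ToyVolume:
    """Minimal model: raw blocks, an allocation bitmap, and a file table."""

    def __init__(self, blocks=8):
        self.disk = bytearray(BLOCK * blocks)
        self.free = [True] * blocks
        self.table = {}  # name -> list of block numbers

    def write(self, name, data):
        need = -(-len(data) // BLOCK)  # ceiling division
        picked = [i for i, is_free in enumerate(self.free) if is_free][:need]
        if len(picked) < need:
            raise OSError("volume full")
        for n, blk in enumerate(picked):
            chunk = data[n * BLOCK:(n + 1) * BLOCK]
            self.disk[blk * BLOCK:blk * BLOCK + len(chunk)] = chunk
            self.free[blk] = False
        self.table[name] = picked

    def delete(self, name):
        # Only metadata changes: the entry is dropped and its blocks are
        # marked free. The bytes on "disk" are not touched.
        for blk in self.table.pop(name):
            self.free[blk] = True

    def unallocated(self):
        """Raw bytes of every free block, which is what a recovery tool scans."""
        return b"".join(bytes(self.disk[i * BLOCK:(i + 1) * BLOCK])
                        for i, is_free in enumerate(self.free) if is_free)

# Constructed sample content: three 16-byte records, one per block.
RECORDS = [b"rec-0001-sample;", b"rec-0002-sample;", b"rec-0003-sample;"]

def surviving(vol):
    """Which constructed records can still be found in unallocated space."""
    raw = vol.unallocated()
    return [r for r in RECORDS if r in raw]

def demo():
    vol = ToyVolume()
    vol.write("list.csv", b"".join(RECORDS))
    vol.delete("list.csv")
    after_delete = surviving(vol)            # all three: nothing was erased
    vol.write("new.txt", b"x" * BLOCK)       # reuses only the first freed block
    after_small_write = surviving(vol)       # first record gone, the rest remain
    vol.write("big.bin", b"y" * 2 * BLOCK)   # reuses the remaining two blocks
    after_full_overwrite = surviving(vol)    # nothing left to recover
    return after_delete, after_small_write, after_full_overwrite

if __name__ == "__main__":
    for stage in demo():
        print([r.decode() for r in stage])
```

The model leaves out things that change the outcome on real machines: SSDs with TRIM may discard freed blocks soon after deletion, while backups and cloud sync keep copies that a local delete never reaches.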

I’ve seen Scambaiter talk about deleting files and also destroying their operations in such a way that neither the computer nor any recovery software is of use. He also talked of permanent backdoors which will tend to survive OS reinstalls. How far are these true? As far as I know he collects victim information before destroying the computers.

5 Likes

Which scambaiter? I don’t think Scambaiter the YouTuber said that, as those things don’t sound true. The scammers can reinstall Windows and unless there’s a rootkit that’s in the motherboard or something (not likely) then you won’t survive a reinstall.

Collecting information is good but destroying it isn’t.

2 Likes

I wouldn’t be asking if he had mentioned that. I’m not computer savvy myself so I don’t know which is true/false.

2 Likes

It sounds false, I have never heard of malware capable of that. I mean, if you had external devices on the computer/network compromised, you could possibly make your way back in, but to what point? Delete some more files? If you want to mess up files I’d rather screw up the file contents, for example if they keep a list of more scam-able people, replace it with numbers of just scambaiters. Or robot numbers. And a lot of Rick Astley hotlines =P

If you just delete files though, they could have a backup and you’ve just exposed that you’re on the network. Or they could pay to get the files recovered because a lot of times you won’t delete it as much as you need to. I can’t think of much important that they can’t replace - worst case they call their other scammer friends to get new lists. And if they have 20 computers and you just wipe one, that’s not really going to do anything either.

6 Likes

Going to reply to this, one of the centers the people I work with are working on just had this happen to them, now they are suspicious, annoying but whatever. Just means I am going to have to be more sneaky and possibly risk the center just to save this victim, which wouldn’t have been the case otherwise.

4 Likes

So then what should we do instead?

1 Like

I don’t want to guide people on how to commit illegal acts, especially people on a forum where most people have no trust… All I can suggest is leaving it to people like Jim Browning, Pierogi, Scambaiter, Nanobaiter and whoever else is trustable and has police connections etc. As most people won’t do damage to a call center (such as a raid), or know what to do on their networks and could do more harm than good such as contacting victims without proper training etc. (feel free to message me with victim info if anyone here comes across it, I work with certified victim advocates).

Gathering info in other ways is always good (such as bank accounts) and you can always message me any information you get.

6 Likes

Well said mate

3 Likes

Thank you for sharing…

2 Likes

I agree, deleting files in that way isn’t deleting anything, just merely telling the OS to make them overwritable. Many who do this as a simple gotcha aren’t helping anyone, especially us, cause it makes it harder for us to do the right thing to protect victims. Scammers now are getting smarter and a simple delete isn’t gonna do damage whatsoever. Now I do agree intrusion can be a viable method for recon, take down, or general disruption. But it does need to be done right because I think we can argue again that it isn’t useful done wrong all day, I agree with that. But simply calling, while it is important to keep that up especially with new people coming in, it is viable. But again things are changing, many scam operations as most know are growing, so infrastructure such as VoIP providers, numbers, and even a slight bit of professionalism on their part. It is way harder nowadays to disrupt a significant amount of their operation by simply calling.

What I’m about is meaningful well-rounded info-gathering with some offensive techniques to create an environment to do some real work to their organization. These scumbags are terrible. Just my two cents hahaha

Have a good one

5 Likes

I 100% agree with you! All deleting files on a scammer’s computer does is alert them that A: someone is on their system, and B: their setup is probably vulnerable, which is not good for the actual experts who are genuinely trying to shut down the scammers, and more importantly, help victims. There is truly an art to the whole gaining remote access to scammers’ computers thing, and that’s why I will never attempt to remote in to scammers’ computers. It’s not that it’s hard to reverse a connection, it’s actually quite easy, it’s just that I really don’t want to mess things up. So I just leave that whole mess up to the experts like Jim Browning who have done this many times before, and who know exactly what to do and what not to do. It’s also truly not that hard at all to recover those “deleted” files, because when you delete something, what you’re actually doing is pretty much just saying “hey, this space over here is now available… it’s free real-estate”, which does not actually get rid of the files…

3 Likes

I agree. It seems to me a more useful tactic would be to change some of the information they have saved, e.g. alter a bank account # digit. That way the backup files become corrupted and useless as well.

3 Likes

I think it really depends on the actual scammer but things I look for: are they using OneDrive? Because if they are, their files are going to be restored… I don’t see it often but enough to that OneDrive and other technologies exist to back up profile-related data.

I have mixed views on this. Deleting files provides very little in the way of Public Education on how to avoid scammers since the vast portion of the audience wouldn’t ever have to deal with that… Of course I have shifted gears: I’m more into educating the public about how these scams work, and even if I could do an AnyDesk reversal, I don’t bother. Most of it’s UltraViewer or Screen Connect anyway and you could steer them to AnyDesk as I see many do, and have done myself, but again that’s not up my alley anymore. I want to prevent victims by educating the public on how they work and how to avoid them (red flags).

5 Likes

Totally agree. If you want to delete files and reverse their connection it can be done if you have the knowledge and skills to do it, but it’s far better to gather intel on their operations over a course of months or even years and monitor what they are doing and try to contact victims and warn them rather than just deleting their files. Even installing a keylogger on their computer could help gather such intel on these scum bags.

2 Likes

I spent the last 10 minutes trying to log back into my account to reply to this - maybe I’m reading it wrong, but no, don’t stay in their system for years. Do you know how many people one call center will scam in that time? We want it shut down as soon as possible.

Instead, do things that would sabotage them (like you said, alerting victims might be a good one). If you’ve been in the system for a year and they’re still successfully scamming, that’s a problem. Inject the country’s government phone numbers into their scammer call lists for example, if the gov is spammed by them they might take action (this is an example, I’ve not fully thought this idea out so there may be other things to consider but on its face I like it). You could slow down the clock speed of their CPUs, anything that would slow them down. Inject a file at startup that hogs most of their RAM to the point where the computer runs fine but they can’t run any programs. If you can get far enough into the system to not be affected if they wipe a few computers, install some general malware on a few of them, they’ll think it’s something they clicked. Slightly risky but if they take their computers to a technician to fix it for them you could leave a note in some folder that only the technician would look at saying that they are scammers, if he says they will need to buy a new computer, it will increase the scammers’ operation costs. Send all payment sites to 127.0.0.1 in the hosts.txt file. There’s lots of things you can do while collecting info that won’t quite give you away, but will majorly slow them down. It all really depends on the structure of their operation, if they are pioneering call lists and you have access to all computers and they don’t backup, it could be worth it to delete their files. Most of the time they can probably get the lists back from other scammers.

2 Likes

Scamming will never cease as long as it’s profitable, and it will remain profitable as long as people keep falling for it. You cannot be scammed if you don’t cooperate with the scammer, so EDUCATION is the key. We need to make everyone aware of the processes and techniques scammers use to steal money. I run classes and programs here in my retirement community. I tell everyone to call me if they get a strange email or something that worries them and then I check it out for them. I do a zoom class for anyone interested on scamming techniques and most importantly I emphasize how important it is NEVER to click on a link in an email. For fun I scambait but my goal is to never have them discover they are the ones being scammed. I try to keep them busy trying to scam me so they can’t scam anyone else, but never reveal I know what’s going on. You can see what I do on my channel https://www.youtube.com/watch?v=rCPjEKFtBHE&t=4s for example.

4 Likes