Deleting Files/Running Viruses = Pointless

Over the past couple of years in Scambaiting a trend has occurred where people have deleted files and destroyed computers. Typically, this is done by people who don’t know what they’re doing and just want to either troll the scammer or help, but I am here to say it doesn’t do much damage, and even in cases where it does, it isn’t the best option.

Now, I have made a thread like this before but it isn’t the best laid out etc. so I thought I’d make a new one.

Intro

So let’s get started:
A while ago I was dealing with a scammer and noticed he had a program on his computer to recover deleted files https://twitter.com/ReconScammers/status/1433809495289958401 and how it works is files aren’t actually deleted: they are still there, but the operating system is basically like ‘yeah this space is free’, and then once those files are overwritten with new files, that’s when they are fully gone. This allows file recovery software tools to get files back if they have not been overwritten. This applies even if removed from the Recycle Bin, which is what happens when ScamBaiters delete the scammers’ files, but those files are still recoverable.

Is this illegal?

In the US: https://www.cga.ct.gov/2012/rpt/2012-r-0254.htm
In the UK:

The Act also makes it an offence to make, adapt, supply or obtain articles for use in unlawfully gaining access to computer material or impairing the operation of a computer.

Access is defined in the Act as:

altering or erasing the computer programme or data
copying or moving the programme or data. (Department of Health, 2015)

Department of Health (2015). The Computer Misuse Act 1990 | Department of Health. [online] Department of Health. Available at: The Computer Misuse Act 1990 | Department of Health [Accessed 1 Dec. 2022].


Why deleting files is pointless

Now, you may be thinking scammers are too stupid to recover files this way and that is false. Now, most scammers probably don’t do this when their files get deleted; most scammers aren’t bothered and can just move on, as the usual files like leads list and victim data aren’t that important, as the victims’ numbers will be in their VOIP logs and in some cases sent to a higher-up or the boss, but either way they will get new victims in the future, so losing some victims is not that big of a deal. Same with lead lists, and if it’s saved they probably already dialled that leads list anyway, making it used and not important to the scammers.

They can just set up again easily, making it pointless. If you look at people like Jim Browning, they have gained access to CCTV and a raid (Scammers Arrested! - YouTube) and another baiter’s raid (I Got Scammers ARRESTED On Their CCTV Cameras! - YouTube). Notice how they all have cameras; that seems to be one of the keys for these raids. Just downloading files won’t cause a raid, looking at these videos. Destroying scammers’ computers destroys that opportunity and it removes evidence for the police. It can also destroy other scam baiters’ operations, for example DESTROY BIG CALL CENTER SCAMMER !! [+20K FILES DELETED] + EXPOSING FILES - YouTube. While you should not send hate to this person, my friend @TheMidnight aka Midnight Scambaits (MidnightSB - YouTube) was watching this computer called Bob Docsta (this happened in 2021) and ended up losing the connection because of this. Other people I work with have had other run-ins with baiters who have deleted files.

Me and Midnight were watching this scammer and attempting to save victims in the process, this stopped that.

Same with running viruses/malware such as ransomware or memz etc. that is destructive or otherwise would alert the scammer that they have been hacked (different from what someone like Jim Browning does). While I don’t do it, it all depends on the situation: if you’re not affecting other baiters and you have monitored for a while and have good information then you do you. I have friends who do this once they’ve watched for a while if they plan on making a video out of it. I don’t completely agree with this; I know that they know they aren’t being stupid while doing it.

All this really does is teach them that they are vulnerable to this, and most I have seen end up realising it’s done and uninstalling any software that could make them vulnerable to this, which prevents this method being done in the future by more experienced baiters like Jim Browning or Scambaiter etc.

Why deleting files on its own doesn’t save victims

On the topic of victims, deleting files doesn’t save victims either. For some it may cause a small downtime, but any victims they had actually won’t be saved. Here are the reasons for this: the victim will still have the remote software on their computer, and if it’s something like ConnectWise/ScreenConnect then the scammer will still have access to the victim’s computer and will be able to monitor; the victim has not been warned of the scam and has not been given a resource on scams and will most likely be victimised again in the future; their information is not secure, the scammer could have their SSN or banking information; that information needs securing and their passwords changed and help with trying to recover the funds. Deleting files just isn’t enough in that situation. Now, you may be thinking ‘but the scammer still has the victim information, they will recontact and scam them’, and what I can say is if they have a resource on scams, a way to contact back for help, then this shouldn’t be too huge of an issue as it will prepare them for scams, plus it’s better than making the scammer aware he’s been accessed and research and learn how to prevent it in the future or realise.

What I suggest people do

I do not suggest people access scammers’ computers due to the fact it is illegal and the fact new baiters won’t know what to do. It could turn into giving victims bad advice or nuking the computer by not knowing what to do. I suggest leaving this stuff to people like Jim Browning, Scammer Payback, Scambaiter, NanoBaiter, Midnight Scambaits, HowToDelete. It took me a while to learn the proper way to do things; before then I would either screw things up or miss important things. Caused issues and learnt. You don’t want to be a problem in this community. You wanna have people to guide you, but not a lot of people would do that with random people, as you need trust for this side of scambaiting: you see victim information and scammers’ information such as ID cards that a bad actor could easily misuse. I won’t mention names, but I know of a Scambaiter (who me and the people I work with were told he was reported to the police by someone with his actual information) who was stealing from victims using information he got off the scammer’s computer. This is one of the main reasons I don’t teach people what I and others like Jim do.

Ending

I know we all have our own methods but as someone who knows about this topic, it really isn’t the right way. It gets actual baiters mad who put time and effort into finding out who these scammers are and saving victims etc. Plus, the baiters who do this, for the most part, I have seen just be immature in baits, curse a lot at the scammers and reveal, treating it more as a game than being professional. While you should have fun while baiting, you shouldn’t be like ‘oh my I deleted your files’ and then make them aware you did it and teach them. If you’re going to do something where you have the up and up on a scammer such as gain wire information etc., why would you reveal and make it so they won’t give up that stuff in the future? I think it’s dumb.

TL;DR deleting files is illegal and just makes the scammers aware, they can restore from backups or recover deleted files, and it could affect other baiters’ work, and there’s a lot more you can do.

14 Likes

I agree about deleting files being pointless. And if you’re on the system, definitely don’t let them know, otherwise chances of linking it back to you go up. Not to mention you’ll probably end up telling them how you got into the system.

A better idea in my opinion would be keylogging, screenshot logging, and using their cameras to find out more information about what they’re doing and to find their accounts and track them down. If you’ve got a shell on the system you can also use it to pinpoint their location.

And if you can find their accounts and like a file of who they have scammed and how much (which I bet at least some do keep), you could potentially automate sending money from the scammer back to the victim.

So yeah the most destructive route is not always the most productive route. From what I’ve seen here a lot of people who want to do the hacking would be so easy to track down as well. Leave it up to those who know what they’re doing.

4 Likes

As someone who did digital forensics for quite a few years, I will attest to how easy it really is to recover “deleted” files. With today’s massive hard drives/SSDs, etc., even files you thought were long gone may very well still exist on the drive in a number of ways. It truly doesn’t take an expert to run a file recovery program or even some free digital forensic software and recover files. Even just using Windows built-in functions makes grabbing lost files easy in many instances.

6 Likes
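The behaviour described in the opening post and in the forensics reply above, shown as an added example that is not part of any post in this thread: an ordinary delete only flags the directory entry and releases the blocks, so the data stays readable until later writes reuse those blocks. The `ToyVolume` class, file names and sample bytes are constructed for illustration and do not model any specific file system.

```python
BLOCK = 16  # bytes per block in this toy volume (constructed value)

class ToyVolume:
    """Constructed model of a FAT-style volume: directory entries plus data blocks."""

    def __init__(self, nblocks=8):
        self.data = bytearray(BLOCK * nblocks)
        self.free = set(range(nblocks))
        self.directory = {}  # name -> {"blocks": [...], "size": int, "deleted": bool}

    def write(self, name, payload):
        need = -(-len(payload) // BLOCK)  # ceiling division
        if need > len(self.free):
            raise OSError("volume full")
        blocks = sorted(self.free)[:need]  # lowest free blocks are reused first
        for i, b in enumerate(blocks):
            chunk = payload[i * BLOCK:(i + 1) * BLOCK].ljust(BLOCK, b"\0")
            self.data[b * BLOCK:(b + 1) * BLOCK] = chunk
        self.free.difference_update(blocks)
        self.directory[name] = {"blocks": blocks, "size": len(payload), "deleted": False}

    def delete(self, name):
        """What an ordinary delete does: flag the entry and release the blocks."""
        entry = self.directory[name]
        entry["deleted"] = True
        self.free.update(entry["blocks"])  # the bytes in self.data are untouched

    def undelete(self, name):
        """What a recovery tool does: follow the stale entry and read the blocks."""
        entry = self.directory[name]
        raw = b"".join(bytes(self.data[b * BLOCK:(b + 1) * BLOCK]) for b in entry["blocks"])
        return raw[:entry["size"]]

def demo():
    vol = ToyVolume()
    original = b"constructed sample document contents"  # 36 bytes, 3 blocks
    vol.write("notes.txt", original)
    vol.delete("notes.txt")
    intact_after_delete = vol.undelete("notes.txt") == original
    vol.write("later.bin", b"\xff" * BLOCK)       # new data reuses block 0 only
    partial = vol.undelete("notes.txt")
    vol.write("filler.bin", b"\xff" * BLOCK * 2)  # reuses the remaining blocks
    intact_after_overwrite = vol.undelete("notes.txt") == original
    return intact_after_delete, partial[BLOCK:] == original[BLOCK:], intact_after_overwrite

if __name__ == "__main__":
    print(demo())
```

The middle value shows the partial case: after one small write, the first block is lost but the rest of the deleted file is still readable.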

I’ve seen Scambaiter talk about deleting files and also destroying their operations in such a way that neither the computer nor any recovery software is of use. He also talked of permanent backdoors which will tend to survive OS reinstalls. How far are these true? As far as I know he collects victim information before destroying the computers.

3 Likes

Which scambaiter? I don’t think Scambaiter the YouTuber said that, as those things don’t sound true. The scammers can reinstall Windows, and unless there’s a rootkit that’s in the motherboard or something (not likely) then you won’t survive a reinstall.

Collecting information is good but destroying it isn’t.

1 Like

I wouldn’t be asking if he had mentioned that. I’m not computer savvy myself so I don’t know which is true/false.

1 Like

It sounds false, I have never heard of malware capable of that. I mean, if you had external devices on the computer/network compromised, you could possibly make your way back in, but to what point? Delete some more files? If you want to mess up files I’d rather screw up the file contents, for example if they keep a list of more scam-able people, replace it with numbers of just scambaiters. Or robot numbers. And a lot of Rick Astley hotlines =P

If you just delete files though, they could have a backup and you’ve just exposed that you’re on the network. Or they could pay to get the files recovered because a lot of times you won’t delete it as much as you need to. I can’t think of much important that they can’t replace - worst case they call their other scammer friends to get new lists. And if they have 20 computers and you just wipe one, that’s not really going to do anything either.

5 Likes

Going to reply to this: one of the centers the people I work with are working on just had this happen to them, and now they are suspicious. Annoying, but whatever. Just means I am going to have to be more sneaky and possibly risk the center just to save this victim, which wouldn’t have been the case otherwise.

2 Likes

so then what should we do instead?

I don’t want to guide people on how to commit illegal acts, especially people on a forum where most people have no trust… All I can suggest is leaving it to people like Jim Browning, Pierogi, Scambaiter, Nanobaiter and whoever else is trustable and has police connections etc. As most people won’t do damage to a call center (such as a raid), or know what to do on their networks, and could do more harm than good, such as contacting victims without proper training etc. (feel free to message me with victim info if anyone here comes across it, I work with certified victim advocates).

Gathering info in other ways is always good (such as bank accounts) and you can always message me any information you get.

4 Likes

Well said mate

2 Likes

Thank you for sharing…

1 Like

I agree, deleting files in that way isn’t deleting anything, just merely telling the OS to make them overwritable. Many who do this as a simple gotcha aren’t helping anyone, especially us, cause it makes it harder for us to do the right thing to protect victims. Scammers now are getting smarter and a simple delete isn’t gonna do damage whatsoever. Now I do agree intrusion can be a viable method for recon, take down, or general disruption. But it does need to be done right because I think we can argue again that it isn’t useful done wrong all day, I agree with that. But simply calling, while it is important to keep that up especially with new people coming in, it is viable. But again things are changing; many scam operations as most know are growing, so infrastructure such as VoIP providers, numbers, and even a slight bit of professionalism on their part. It is way harder nowadays to disrupt a significant amount of their operation by simply calling.

What I’m about is meaningful well rounded info-gathering with some offensive techniques to create an environment to do some real work to their organization. These scumbags are terrible. Just my two cents hahaha

Have a good one

4 Likes

I 100% agree with you! All deleting files on a scammer’s computer does is alert them that A: someone is on their system, and B: their setup is probably vulnerable, which is not good for the actual experts who are genuinely trying to shut down the scammers, and more importantly, help victims. There is truly an art to the whole gaining remote access to scammers’ computers thing, and that’s why I will never attempt to remote in to scammers’ computers. It’s not that it’s hard to reverse a connection, it’s actually quite easy, it’s just that I really don’t want to mess things up. So I just leave that whole mess up to the experts like Jim Browning who have done this many times before, and who know exactly what to do and what not to do. It’s also truly not that hard at all to recover those “deleted” files, because when you delete something, what you’re actually doing is pretty much just saying “hey, this space over here is now available… it’s free real-estate”, which does not actually get rid of the files…

2 Likes

I agree. It seems to me a more useful tactic would be to change some of the information they have saved, e.g. alter a bank account # digit. That way the backup files become corrupted and useless as well.

1 Like