Hello Scambaiters,
I am turning to you for advice. A couple of months ago, I started trolling some scammers, wasting their time. It is a fake inheritance scam. They created an account under my name in their “banking application”. The account locks on the first attempt to transfer money, and unlocking it costs money. Thousands of dollars, which is nothing compared to the inherited amount. I am sure you are aware of this type of scam.
I was playing with the website for a while and I found a vulnerability. And I exploited it. Dumped their entire database with personal information of many victims. I started sending warning emails to the affected people; some responded, lots of them had already sent a lot of money, but at least they won’t send more.
Then I discovered one table in the dumped database which I had missed before for some reason: an ‘smtp_settings’ table with an email address and password in plain text. That email account is used by the scammers to communicate with victims. I entered the credentials into Thunderbird and now I have access to an actively used email account, and the inbox has more than 800 emails. Reading through them I found one man who is their most profitable victim. Active since 2023 till today, he sent them around 170k EUR. And he is still in contact with them and they want another 12k. I did send him a warning, explaining the situation to him, but he did not respond. So I alerted his bank and the national CSIRT team, but I got no response either. I even offered to send them the email credentials and the dumped data.
I don’t know what to do. So far I have been acting anonymously and that might be the reason for the silence from everybody. I have the option to report all of that in a more official way, contacting the CSIRT team through the company where I work, which could have more impact. I work as a pentester. The problem is that I would have to admit to hacking, which is illegal and I could be punished for that. I exploited a vulnerability and got access to data that was not supposed to be seen by anyone, even if it was obtained by criminals with ill purposes in the first place. My motivation was to save people, nothing more, but I broke the law. I have no idea if I could get in trouble for that.
I found more scam sites with identical looks and I got some more contact information of victims, operating all around the world. Again, I sent them warnings about the scam. Law enforcement agencies could stop them. I don’t know what I got myself into; I want to stop them, but I don’t know how to do it and not get in trouble myself. It started as an innocent game, but then I stopped thinking. I had no idea how far I could get and what I would uncover. Maybe I am making a big deal of this, thinking that I found some big criminal operation, I don’t know. But using urlscan.io I found another 800 structurally similar sites, so the number of victims and the total monetary loss could get very high.