Jim Browning has dedicated himself to combatting scammers, taking a proactive stance by infiltrating their computer systems. Through his efforts, he not only disrupts these fraudulent operations but also shares his findings publicly on YouTube, shedding light on the intricacies of scam networks. His work uncovers a myriad of intriguing insights into the digital underworld, which he articulately discusses, offering viewers a behind-the-scenes look at his methods for fighting back against scammers.Jim’s YouTube channel: https://www.youtube.com/c/JimBrowningSponsorsSupport for this episode comes from NetSuite. NetSuite gives you visibility and control of your financials, planning, budgeting, and of course - inventory - so you can manage risk, get reliable forecasts, and improve margins. NetSuite helps you identify rising costs, automate your manual business processes, and see where to save money. KNOW your numbers. KNOW your business. And get to KNOW how NetSuite can be the source of truth for your entire company. Visit www.netsuite.com/darknet to learn more.This episode is sponsored by Intruder. Growing attack surfaces, dynamic cloud environments, and the constant stream of new vulnerabilities stressing you out? Intruder is here to help you cut through the chaos of vulnerability management with ease. Join the thousands of companies who are using Intruder to find and fix what matters most. Sign up to Intruder today and get 20% off your first 3 months. Visit intruder.io/darknet.This show is sponsored by Shopify. Shopify is the best place to go to start or grow your online retail business. And running a growing business means getting the insights you need wherever you are. With Shopify’s single dashboard, you can manage orders, shipping, and payments from anywhere. Sign up for a one-dollar-per-month trial period at https://shopify.com/darknet.CLAIM=a6e199f5f9fd5954e532117c829c8f0a8f0f1282=CLAIM
Hello, Jack. Hello, hello. Good, well, it's good evening for me. I guess you're in the States, so it's probably the afternoon.
Okay.
Oh, yes. There's very, well, there's very few people I think don't like chocolate. I know. Yeah. Yeah, chocolate's great. Yeah, yeah. Keeps you going, bit of energy.
Yeah, a little caffeine hit. Indeed. You know, there's only like a few places in the world that have caffeine. There's tea, coffee, cola, chocolate. And I think that's it. That's the natural sources.
Yeah. It's hard to do without it. I do like a bit of chocolate. You're actually making me hungry. I probably got you at a bad time. I wasn't actually expecting you to say, yeah, I'm ready to go and we can just do this. But it absolutely suits me down to the ground.
You know what? The thing is that you are the most requested guest maybe I've ever had. Wow.
Okay.
So if you're available, I'm available. Let's go. I'm going to put the chocolate to the side and let's make a podcast.
Yeah, that's cool. I've got to say, even before we do this, I have listened to loads of your podcasts. And honestly, it's an honor for me even to be asked on to it. So there you go.
So you're the guy that everyone knows. You're ready to go. Oh, I'm ready. Yeah, far away. These are true stories from the dark side of the internet. I'm Jack Recider. This is Darknet Diaries. This episode is brought to you by SpyCloud. For some people, ignorance is bliss. But for you, as a security practitioner, that's not the case.
I went to spycloud.com to check into my darknet exposure, and I won't tell you what it is, but spoiler alert, I found some things that are pretty eye-opening. From breach exposures to info stealing malware infections, knowing what criminals know about you and your business is the first step to setting things right.
Resetting stolen passwords and addressing the enterprise access points that have been stolen by malware helps you protect your business from ransomware, account takeovers, and online fraud. With SpyCloud, you have a trusted partner to fight the good fight with.
Their automated solutions, which is built on over 350 billion recaptured assets from the criminal underground, ensure you're not in the dark when it comes to your company's exposure to cybercrime. To get your full Darknet exposure report, visit spycloud.com slash darknetdiaries. That's spycloud.com slash darknetdiaries. This episode is sponsored by Delete Me.
In episode 133, I spoke to Connor Tumbleson about some people from who knows where who were stealing his identity. Luckily, they weren't out to destroy his reputation or extort him, but think of the damage that could be done. We all have data out there, which data brokers use to make profit. Anyone on the web can buy your private details to do anything they want.
This can lead to identity theft, phishing attempts, harassment, and unwanted spam calls. But there's a solution called Delete Me. Bye. Bye. Bye. Now at a special discount for my listeners, you can get 20% off your Delete Me plan when you go to joindeleteme.com slash darknetdiaries and use promo code DD20 at checkout.
The only way to get 20% off is to go to joindeleteme.com slash darknetdiaries and enter code DD20 at checkout. That's joindeleteme.com slash darknetdiaries code DD20. Today, I have the absolute pleasure to speak with Jim Browning. Jim was the first person I ever saw do scam baiting, and I was blown away that someone even does this sort of thing. Scam baiting is just as it sounds.
He tries to bait scammers to scam him, and he records it for YouTube, and it's really quite amazing to watch. So it still says connecting?
Yeah, I don't know why. Yeah.
Oh, is the virus doing this? All right.
Yes. Nothing to do with the live stream then. Actually, the alert which you got, that is the security block alert, which is coming from internet. Because right now you haven't know any internet security. That is the reason while browsing over the internet by mistake or by accidentally, you might have a click any link, which was not secure. Okay.
OSC. How did all this get started for you? What's your origin story with this whole scam thing?
Well, I wish it was a bit more like Batman. You know, Batman has got this, you know, an injustice done and, you know, he's after the Joker and all this sort of thing. Very, very different for me. The way I got started was probably like most people, I receive lots of scam phone calls and you keep hearing those incessant phone calls, people pretending to be Microsoft.
pretending to be Amazon, your bank and so on. And most people know just to hang up those calls. But I'm one of those people who I love to dig a little bit deeper. Because I'm an engineer, I know about computers, know about networks. And I thought to myself, surely someone is doing something about this. And if they're not, maybe I can do something.
I'm sure you're familiar with the fake Microsoft support scam calls. It's typically where someone from India calls you up and says you have a problem with your computer and it sounds something like this. Hi, hello? And they'll try to convince you that your computer has a virus and they can help. And they'll ask for control of your computer to fix it.
But the thing is, you don't actually have a virus at all. They just made up this problem. And they want to take your money. And Jim finds this whole thing really fascinating and just can't stop thinking about this.
I really want to find out about what makes the scam tick.
So Jim finds himself on these calls to hear how it works and watch their whole operation. And then he calls them out on it like this.
Yes, I just need to inform you that we have finished all the work with the computer now and everything is working fine with it.
Right. Did you find any Trojans or anything?
Yes, we have already removed all your network infections and also we have blocked them so they will not enter from now onwards.
right just that i was watching everything you were doing and also recording what you're doing and recording your voice because you've removed nothing whatsoever from this machine it was never infected in the first place and all you've done i'm sorry it was never infected with anything in the first place and you know that so you you say that you've removed a trojan tell me what trojan you've removed and show me evidence of that then
Right now, we have already removed and everything is recordable at our end as well. Yes. Yeah, show me. Tell me what Trojan I had then.
Like we have removed all the Trojans.
Yeah, show me one Trojan that you've removed.
Okay, let me explain it to you.
Like there were Trojan horses in it. Yeah, show me evidence of that. That's what I'm asking. But how should I show you now? But they are already removed.
Because if it was something like, oh, this particular tool, it would have logs and it would show you in the history what was removed. Okay, there's nothing been removed here.
This is an anti-malware software.
So go on then, tell me what software you use to remove any Trojan. Bear in mind, I've recorded everything you've done. So are you going to still stand by that story that you removed a Trojan?
So may I put the line in hold for one to two minutes?
You can do what you want, but don't forget, all of this is going to be uploaded to YouTube very shortly. So be very careful what you say in the next few minutes.
Jim is pretty good at catching them in a lie. And then he tries to get them to explain themselves. And when they continue denying it, he reports them.
What I will do is now that I've got your IP address, this one, and the timestamp, which is Mumbai, so it's now 6 p.m. It's been running for a few hours, this one, though.
um i can go to your isp and that's tata teleservices in italy they they provide that ip address to you and that's the one you're using at the minute so i'm going to get them to identify exactly who you are because i know your address isn't in california i know you're located in india or i'll probably just publish all of this on youtube anyway Thank you for choosing Scammers in Mumbai.
My background is that I have been in IT really all my professional life, all my working life. Yeah, let's hear about that. What's the specialty that you are in IT? Yeah, so I guess up until very recently, I had a real job as in a real normal IT job. I worked for a large company, should we say, in the UK. And part of their specialty was dealing with IT services and setup. And I
I've personally supported an organization with more than 200 or 300 people in it. So I'm the kind of admin, the sysadmin for a large IT company. So that's my background. As part of that, I'm also a programmer. I'm a network engineer. But I have no form of qualifications in, for example, cybersecurity. Although at this stage, I think I could probably do fairly well in a cybersecurity exam.
But my background is a normal IT job. That's it.
A lot of times what these scammers will do is type commands on your computer to prove you have a virus, but all they're doing is just showing you really normal computer activity, and it doesn't prove anything. In fact, one time I saw a video of his where a scammer just typed on the screen that the firewall is damaged and is at 2%.
And this camera was trying to say, hackers are going to soon break through and get everything. But the thing is that firewalls don't have a percentage. And it's great that Jim knows a lot about IT and can easily spot every one of these bad attempts at showing him that there's a problem on his computer.
Type these things into your computer and look, you've got hackers, you've got viruses, you've got computer problems. You're going to have to pay me $200, $300 to fix that problem.
Now, these scammers are not sophisticated at all. Their scam is really basic, but their method of collecting payment is crazy ridiculous. What they should do is just act like a normal company and set up a website where you enter in your credit card details and send them money.
But they can't do that because payment processors will quickly spot and shut them down and freeze their money, maybe even charge them a fee. So Stripe and PayPal are just out of the question here, which means they've got to come up with some creative alternative ways to get money from you.
They will get you to buy a gift card. They won't use the word gift card. What they say to their victims is, you've got a security problem. you're going to have to solve it with a security card and you'll have to go to your local Walmart or whatever to get the security card. And they won't use the word gift card if they can avoid it.
But of course, whenever you go in there and you're outside the store, they will say, right, I need you to go in and buy an Apple card or an eBay card or whatever it is. And as soon as you read out that number, that's as good as them taking the value of that card because they can launder that almost immediately.
Yeah, so I'm curious on that. How do they launder it? Because if you give someone an eBay card, they're not going to buy something on eBay. They're probably selling that for pennies on the dollar.
They do, exactly. And they'd be lucky to get maybe 50% of the actual value of the card. But what they do is they take those numbers and there is quite a, well, should we say a black market for gift card numbers? There are legitimate websites like Paxful, for example, where people will buy gifts.
Google Play cards, eBay cards, you name it, any sort of gift card, and they will give you 50% of the value and they will mark that up and they may directly or indirectly buy items from those stores. So yes, absolutely, you're going to lose half the value.
But if you're a scammer, you have completely, cleanly washed that money because there's almost no way of getting money back when someone's bought a gift card and it's been used.
This always seems surprising to me. To convince your victim to hang up the phone, go drive to the store, buy a gift card, then drive back home and call the scammer back up to give them the gift card details. I just think you're going to lose your victim every time in that process. And on top of that, they're only getting half the value that's on the card. But this seems to be pretty effective.
I mean, these scam centers are making quite a bit of money this way. And I guess this means that even though the scam is hilariously bad and the method of collecting money is ridiculously complex, the thing that makes this work is the numbers, the relentless attempts at scamming people. If they try over and over and over and over, they'll eventually get people to pay them.
Now, of course, some victims don't want to send gift cards. So the scammers say, that's fine. There's another way. Send us cash.
They actually persuade people to go to their local bank and withdraw cash. And they will say, I'll instruct you in a moment what you do with the cash. So they generally get the victim to take the cash home and then they'll say, and this is typically for a bank type scam, they'll say, we're going to create a new account for you and you need to send that money to a secure facility.
And they will say, look, you need to put the cash into pages of a book. So between pages of book, wrap that in silver foil. And they will actually get you then to go to the nearest FedEx or post office and mail your cash to an address. And it's a money mail address.
Gosh, that sounds even more bizarre. Have these victims never paid for anything in their life before? In what world is it normal to wrap cash up in pinfoil and stuff it in a book and then ship it somewhere to get your computer fixed?
Like, I don't want to be victim-blaming here, but come on. How colorblind do you have to be to not see these giant red flags? One of the scams that Jim sees often is called a refund scam, and it might start out with a phone call that sounds like this.
Hi, we are calling you from your computer maintenance department. If you remember, you have a contract with us. For computer support and services, unfortunately, we are closing the business. So you can give us a call for the refund of the amount you paid to claim your refund.
This is a real voicemail or phone call that somebody got. And people are falling for this and calling up the number to you and me. That phone call sounds ridiculous, doesn't it? Like it's a crappy robo voice and it's not fooling us. But just think about the mechanics of this call. I mean, they're clearly using some text-to-speech software, right?
And I don't know why, but they're using a terrible version and have terrible English. But technology is rapidly improving. There's way better software out there today. And I just wonder, you know, someday the scammers are going to upgrade and use the good stuff. Let me demonstrate. Here's what I'm going to do. I'm going to improve this whole scam attempt. Are you ready?
First, I'm going to take the text that they said in that call and ask ChatGPT to rewrite this, but make it sound more like a natural English speaker would say. Cool. Now take that and make it sound even more casual, like something you just hear on a phone call or something. Okay, that looks good. Now I'll run this through a more modern text-to-speech software. Okay, it's done.
Let's take a listen to this call now.
Hello, sorry to bother you. My name is Sarah from the Computer Maintenance Department. I need to talk with you about your support contract with us. Here's the thing. We're closing the business. I know. It's a bummer. I'm sorry. But here's the good news. You'll be getting a refund for the amount you've already paid us whenever you have a moment. Can you call me back?
I want to get this refund to you as soon as possible. Hope to chat with you soon.
You see how much better it is with modern tools? And seriously, that took me two minutes of just using automated tools to fix it up. The audio went from stupid to scary. I know. It's a bummer. And maybe you can still spot that that's AI-generated. But would your grandparents think that?
I improved it because I want you to be aware of the tools that scammers have at their disposal today if they wanted to. And I want you to think about how much better their scams are going to be in the future. We see that they're using text-to-speech software today, and it's just a matter of time that that text-to-speech software sounds really convincing. And then what?
What red flags would you notice in this audio to make you think it's a scam? Now you've really got to think, well, hold on. Do I actually have a support contract somewhere? Who are these people? Let me call them up and find out. And now you're on a phone call with a scammer, a position you really don't want to be in.
And you can see how this whole thing is going to get trickier and trickier in the future.
The scam is what you call a refund scam. So they'll pretend to be a big organization, typically Amazon, and the conversation will start off with, they say they're going to refund this charge, which the victim will know nothing about. Okay.
If I'm the victim, I'd be like, okay, I have no memory of this charge. Go ahead, refund me and see you later. But it's trickier than that. Here's one of the actual scam calls that Jim captured.
We can easily send you the money into your account within five to ten minutes and you will get your amount right back right now. Okay? All right. So do you do online banking then? So which bank do you do online banking?
This victim mentions Mid Oregon Bank.
Just go ahead and login to your bank. Login to your bank first of all sir. Alright, that's great. Now sir, you have to tell me like your account has been opened right? Alright sir. I don't need that. You have to be telling me like in which account do you need your money back?
Now, here's where the scam part comes in. The scammer will say that they want to make sure the money goes into the proper bank account and will ask to see the victim's screen by using some screen sharing application. And then they'll ask to take control of the victim's computer.
Once they have control of the victim's computer and can see their online bank balances, then they'll say they're initiating the refund for whatever, say $300. And since the victim is logged into the bank's website, what the scammer will do is edit the web page in the browser to make it look like the money was just deposited into the account. But it's a fake deposit, though.
It just looks like the money went in. But the scammer just faked the whole transaction by editing the HTML on the victim's screen. But here's the tricky part. The scammer will put in the wrong amount for the refund. If the victim was expecting a $300 refund, the scammer would instead put in a $5,000 deposit instead. Then act all surprised that they put in the wrong amount.
$5,300 you said? Oh my goodness, will you please hold on for a minute, sir?
So the scammer obviously knows that he's overpaid this victim, so the key to this scam is how they get the money back again. Our scammer comes up with a solution.
Sir, I just got a mail from my hate server, and unfortunately that you got extra amount in your account by mistake, really, sir. So, sir, will you please refund me my money back?
Inevitably, the victim asks how he can refund the money. Surely they can just take it back themselves.
Oh, sir, I can tell you, like, I can tell you, sir, what you have to do to refund my money back to me, all right? Let me have a speak with my manager, okay, sir? Let me have a word with them. A few moments later, there's a proposal. I have a word with my manager, sir, and they said there is some financial institution where you can send our money back to us, all right?
So do you know any Apple store near from your place?
Yes, he said Apple store. He wants his victim to go to an Apple store in order to get his money back.
He searches on the victim's PC for the nearest Apple store.
He spends the next few minutes explaining that he's going to need $5,000 worth of Apple gift vouchers.
Jim says he's seen scammers also try to get people to send back the money using Zelle and bank wires too. And some people have lost quite a bit of money to these refund scams. It really does look convincing when you look at your bank balance and it shows $5,000 more than what you were expecting. And the victim could just refresh the page and the whole thing would reset.
But the scammers are really good at preying on the victim's goodwill, you know. And the victims will give back the money, which is a pretty jerk thing to do, to exploit the goodness in people. You said that up until recently you had a real job. Is this now your full-time job as a content creator?
Yeah. It is, yeah. So as of just over a year and a bit ago, I gave up my full-time job, my IT job. And my full-time job is now making YouTube videos and going after scammers. So it sounds like...
this is something you're really passionate about, to leave your career behind, go right into chasing after scammers and exposing them. Is that true? This is your passion?
For sure, yeah. It's definitely a passion. I can't stand scammers. That is my little tagline, if you like, on my YouTube channel. I can't stand scammers. And
The thing about you, Jim, though, when I'm watching you and I'm listening to you, your voice is just so calm and cool. And I never hear passion in there. And I never hear things like, I can't stand scammers. You don't even have inflection when you say that. You're just like, I can't stand scammers.
But this is the thing. Maybe it's something to do with my Irish accent or whatever, but honestly, when it comes to scams and scammers, I'm now devoting my life. But it is for that reason. If you watched what I do, if you listen to the calls that I hear every single day, You can't help not going after these guys.
I build up a bit of a hatred for them, but it probably doesn't come across in the way I make the YouTube videos or my inflections or anything else. But in a lot of ways, that helps me because if I appear calm, if I try to think it through, if I try to rationalize what I'm doing, it gives me in some way a bit of strength
to try and combat these scammers because I like to think I've got a level head when it comes to tracking these guys down. And I think that's why I've been as successful as I have been.
Yeah. Yeah, you have a unique approach that... You're not sensationalizing it. This is what I loved about it, actually, honestly, is, you know, there's kind of been a trend of people doing things similar to you now. And they're making it into a big game and lots of excitement. They're trying to get the other person to just lose their mind, you know, and start screaming back or something.
And you're always very calm and calm.
And of course, there's room for that. You know, I encourage everyone to be a formal scam bidder. And if you can waste someone's time who you know is trying to steal money from you, it means they're not stealing money from your parents, grandparents and whatever. So absolutely, there's room for everyone. I encourage everyone to do what I do.
Well, maybe not quite as far as I go because, you know, it could land you in trouble. And, you know, but there's nothing wrong with wasting a scammer's time.
Huh, he's encouraging everyone to waste scammers' time. And that's an interesting idea, I think. Imagine if every time you got a call from one of these scammers, you instantly got excited and you're like, oh boy, this is going to be a fun call. And of course, you don't give them access to your computer or send them money, but what could you do to waste their time?
I say someone should just create an app on my phone that's AI-driven that I could just pass the call over to it, and it acts like me, and it talks to the scammers for hours, keeping them going just a little longer, like maybe there's really long loading screens or web pages aren't loading right or something, and things just keep timing out, and they have to start all over again.
And, you know, there are a few scambaiters out there, and one of them is called Kitboga, and I did see him dabbling with an AI bot tool to try to waste scammers' time. But as Jim spent more and more time with these scammers, something really fascinating happened to him one day. He somehow ended up controlling one of the scammers' PCs. And this sent Jim in a whole new direction.
The very first time that I was able to connect to a scammer's computer... was that the scammer actually gave me his user ID and password to connect to him, and then he would switch sides. So there was a period of time where if the scammers were using a bit of remote access software called Teamviewer.
If they were using Teamviewer and the connections were coming from India, Teamviewer noticed that a lot of them were scams and they actually banned the entire country for a period of time.
and during that time they wanted to keep the scams running so what the scammers would do is say well you connect to me and there's a little bit of software internally that says switch sides with partner and then they would connect back to the victim supposedly so i was actually given the scammers username and password so i can connect to their computer
The first time you did that, that must have been such a wild moment. It was unbelievable because what you can do is exactly what the scammers do, which is as soon as you make that connection, you can lock their keyboard and mouse and blacken their screen. So I knew how to do that because I'd seen it so often. So this was like a real gift for me.
So I connected to them, locked them out of their computer, started to download all the files to try and figure out who this was.
Now, just beside communicate, you see the option which says connect to partner.
Yeah, okay.
Hey, what are you doing?
I can't see communicate. Hi, are you still there? Hey, you mother... Well, you're the one who's scamming, aren't you? And of course, because their computer is completely locked and black screened, they're not really quite sure what goes on. You know, they maybe hadn't encountered this before. So I knew that my time was probably limited.
So I grabbed as much as I could from, I could download all their files. They weren't seeing any of this. And I was able to work out exactly who they were.
This is why I love watching Jim's YouTube videos. This isn't the only time he hacked into a scammer's computer. He does it practically every video now. He's figured out so many different ways to get in to the scammer's computers. You just heard one way he does it.
And he won't tell me any of the other ways that he gets into these computers because he says if he tells us, then the scammers are going to hear this and fix it and he'll lose access. So he keeps his little hacking method secret. But my mind cannot help but start to brainstorm ideas on how you could hack into a scammer's computer. So let me just think out loud here for a minute.
Okay, so when you connect, like when the scammer connects into Jim's computer to do that remote support, right, that scammer is going to be coming from a specific IP, and Jim could probably see that, right? If he does Wireshark or something, he can capture that IP, and then he's got their public IP. And from there...
Could he then like port scan that IP and look for open ports and then try to find like some exploits or vulnerabilities to hit those ports? Maybe. Maybe that is possible. Another thing is if they're using like some remote desktop software, is there a bug in that software that Jim can exploit to reverse the connection? Yeah.
I don't know how he does it, but even if I hit the nail on the head, Jim's not going to admit to how he hacks into their computers.
No, and I probably never will, simply because scammers will learn from that. And unfortunately, they watch my videos just like a lot of other people do. And I don't want to reveal that as a secret. But suffice to say... A lot of it is social engineering as opposed to some zero day compromise of the remote access software that I'm using.
So I'm far more of a social engineer than a hacker, if that makes sense.
We're going to take a quick commercial break. But when we come back, I'm going to play you some of my favorite clips from his channel. And you're not going to want to miss this. Support for this show comes from Black Hills Information Security. This is a company that does penetration testing, incident response, and active monitoring to help keep businesses secure.
I know a few people who work over there and I can vouch they do very good work. If you want to improve the security of your organization, give them a call. I'm sure they can help. But the founder of the company, John Strand, is a teacher, and he's made it a mission to make Black Hills Information Security world-class in security training.
You can learn things like penetration testing, securing the cloud, breaching the cloud, digital forensics, and so much more. But get this, the whole thing is pay what you can. Black Hills believes that great intro security classes do not need to be expensive, and they are trying to break down barriers to get more people into the security field.
And if you decide to pay over $195, you get six months access to the MetaCTF Cyber Range, which is great for practicing your skills and showing them off to potential employers. Head on over to blackhillsinfosec.com to learn more about what services they offer and find links to their webcasts to get some world-class training. That's BlackHillsInfosec.com. BlackHillsInfosec.com.
Jim is known for hacking into scammers' computers and exposing them. It's really quite wild to watch. He has over 100 videos on YouTube now, and many of them are exactly this. It's amazing just to hear the scammers' reaction when he tells them some detail about them that he shouldn't know.
For instance, there's one where he hacked into someone's computer in the call center and got a list of everyone's names and their fake names. And this is one of my favorite videos. Let me just play a clip for you from it. Hello?
Hello.
Hello.
Yeah, hi, sir. My name is Carolina Fernandez. I am calling you from the Microsoft.
Oh, hi, Priya.
Hi. Who are you?
I'm a ghost. Don't call me an idiot. I'm a ghost.
What's your name? Tell me your name.
My name is Ghost. Ghost.
I don't understand. You tell me. You already tell my name.
I know. You're Priya. I'm a ghost, you see. Priya.
At least talk to me. Hello? Hello?
Hello? Yeah, who's this? Hello? Who's this? Yeah. Do you know my name? I don't know. What is your name?
I love this part. You can hear this guy's brain just breaking real time.
What is your name? I'm talking about your computer. You have a Windows computer, right?
I do, but I don't understand why you can't tell me your name.
At this point, the entire call center is listening in on this call, like, what is happening here? And they even have them on speakerphone, and this new lady jumps on the call.
Hello? Yes, hello, who's this?
Yes, hello.
Who am I talking to? Yes, who am I talking to?
Hi, this is Mary Williams from the headquarter of Microsoft Security Department. Tell me what happened. uh mary um are you sure your name's mary yeah definitely i know my name i'm very sure for it but it's actually susmita no my not i'm not susmita my name is mary william are you getting are you getting a little bit hot susmita sorry no listen You are speaking to me and my name is Mary.
Now Priya picks the phone back up and she's really curious and wants some answers.
Can I request you, sir? Yeah. Just one request. Yeah. Can you please tell me, sir, how do you know the name that like Priya, Shushmita, like these Indian names? Where are you getting from?
Did I get that right? Because I was just guessing.
No. Do you use some technology or anything? How do you know the names?
I'm just very good at reading people's thoughts over the phone and I get this aura. I'm like a ghost.
Really? Yeah, yeah. But it's quite impossible. How do you know the name by hearing their voice?
Just simply because whenever you speak to me, I can pick up on vibes and I kind of know you create like an aura around you. I'm a little bit like a ghost.
Okay. Yeah. I'm from Microsoft. So, and you are talking about a widget like, right?
Oh, Priya, please don't do this to me. Come on. You don't really work for Microsoft, do you?
Sir, my name is not Priya. I'm not Priya. So again, you made a mistake.
Okay. But you confirmed that to me earlier and you said, Your friends were Suspita and Mimi and, you know, you told me that earlier, so you've already confirmed that.
Yes, and then you can use another name for me.
Well, is Priya not your name?
No, I'm not.
Oh, Carolina Fernandez, you're sticking to that, are you?
Yes, I'm Carolina Fernandez. Carolina Fernandez. Why are you using the Indian name for me?
Yeah. Right, okay. Well, what if you want, Carolina? I don't really mind. So what's wrong with my computer?
Sir, your computer completely infected by some hackers. That's why we are receiving some warning signals from your computer.
Okay.
Okay?
Okay.
And that point of time, sir, we are calling you to make you aware about your computer problem. Okay?
Okay. Hello?
Yeah, are you still there?
Hello?
Hello?
Sorry, your colleague's listening in, but I can hear her talk as well. Oh, she's hung up. That's okay.
Yeah, I know.
She wasn't very good, was she?
Oh, my God. Who are you, sir? May I know who are you?
I just told you. You can call me Ghost, because... Like, that's kind of the way I feel. I get this aura around people. I can tell who's around them.
I can tell just from the tone of their voice.
How long have you been working there, Priya? How long have you been working there?
A fake Microsoft. Salt Lake Sector 5. Salt Lake Sector 5. Salt Lake Sector 5.
Salt Lake Sector 5.
You heard it. Hello.
Please don't hang up. Hello.
No, no. I'm here. I'm here. I'm here.
What's the weather like there?
Weather?
Now it's... What's the weather like in Kolkata?
You tell me. You know everything about me. Then you tell me. What is the weather? What's my name? Do you know my father's name?
It's raining.
Do you know my father's name?
I don't know, but is your father proud of you? What do you do? Does he think you work for Microsoft?
Yes, of course.
But you don't work for Microsoft. Did you tell him that?
Sir, you just tell me one thing. Why are you wasting my time? I'm not wasting time.
I'm trying to, you know, you give off this aura and I'm trying to kind of work out Why you do all this scamming stuff? That's really what I wanted to know.
Then why are you wasting your time?
Can't you get, like, a different job that doesn't steal money? And how do you know the name?
How do you know the name? I know everybody's name. Do you know another name? Yes, everybody. How many names do you know?
Everybody.
Tell me the name. Everybody. Tell me my colleague's name.
I'll tell you one more name.
One by one.
Will I tell you one more name?
Yes.
Sohini. Yes, tell me. Sohini.
And tell me another name?
No, no, look, I get this from the aura. Any male name? Well, apart from Abjit.
Any male name?
Yeah, apart from Abjit.
So, I do respect your talent, okay? Can you please tell... Yes, I'm here. Can you please tell me who is beside me right now?
Which side?
Uh, in my left hand side.
Um, I think that's Mimi. Hello? Did I get that right? Hello? Hello? Hello. You went very quiet. Can you tell me, did I get it right? I'm so excited. Did I get it right, though? Because this doesn't always work.
Who are you?
Did I get it right?
Wait, wait, wait. Can you hear me properly?
You keep asking me questions. Can I ask you one thing? Did I get that right? Because I can never tell.
Is Mimi on your left?
And right-hand side? In my right-hand side?
It's coming through to me. I'm not sure. I'm pretty sure that's Susmita.
I love it. Jim caused such chaos in that scam call center.
He told them their real names, their location, even the name of the company that employed them. And they passed this phone around to at least five different agents to talk to him. And of course, any information that Jim does get from hacking these scammers, he reports it.
So like if he sees that they use a certain service, he'll report that to the service provider that scammers are using their product and this is their user ID. And he's gotten some of them actually banned from using certain software, but they can just like make a new company and then register the software again under a new company name.
And sometimes when these scam centers make new company names, they even get their company listed by the Better Business Bureau and then even get some people to make fake reviews about their company. So if he can find this, he'll definitely report that to the Better Business Bureau and he'll do everything he can to slow down these scammers and waste their time.
Once he got into a scammer's computer and grabbed all their files, and in there was a plane ticket for a recent trip. So Jim had this guy's real name, his travel details, and from there he could look the guy up on Facebook and find his friends and family.
And yeah, when these scammers call him up and have no idea that Jim has all this information on them, it's quite a riot to watch the whole thing unfold. The question does come up, though, and I'm sure you've answered this a thousand times, which is like, hold on a second. Hacking is illegal. You can't just go hack people's stuff. And here you are hacking into someone else's machine.
What's going on here? Where's your justification? Where's your moral compass or ethical framework in this way? Yeah.
I mean, the moral bit is quite easy for me because I quite deliberately let the scammers attempt to scam me. I cannot and I don't have the technical expertise, shall we say, to arbitrarily hack into anything. I can't do it. I'm not able to do that. A lot of the people that you've spoken to on this podcast probably would be able to do that. I cannot.
I have to rely on a scammer connecting to me and trying to steal money from me. And that's the only way that I can ever access their computers. They have to try to steal money from me first.
This is a really nice ethical line you've painted yourself. Like, okay, you know what? Unless you walk into my home and get onto my computer and attempt to steal money from me, I'm not going to do anything to you. And once they do that and you open your door to allow that to happen and you see that, okay.
I mean, I'm not... And I hate to be known as a hacker because that always has quite negative connotations. And I hate the term because it just has all of that baggage. But... That is true. And every single person that I feature on any video on YouTube has at some point connected to my computer.
And don't forget, scammers don't always make it clear that what you're typing out gives them access to my computer. because they will quite deliberately say just type this this on your command line when they when people question well what is this thing that you're getting me to download and run and it's in fact a remote access tool they will not explain that so
already there is a remote access connection, which is a sort of hacking attempt because the scammer doesn't make it clear to the victim. They are taking access of your computer and they are not making it clear. Obviously, they're scammers. And I just go a little bit further to say, well, OK, you're trying to
misuse my computer so internally I'm thinking you're now fair game for me to do the same to you so the only people and I've said this a number of times in other interviews as well the only people who could ever have a problem with what I do are the people who try to steal money from others okay and if they ever want to raise a legal complaint or whatever
please bring that on because what I will have done is record how I managed to get access to their computer. And the answer is because they were trying to steal money from me. Now, that's not a defense on its own, but it just means that if I ever have to defend myself for any reason, I have a good reason as to why I have access to their computer.
And it's just because of this theft that they're attempting.
There's almost no recourse that they can have. I mean, I'm assuming you haven't had any legal complaints that you've had to seriously take care of.
The only complaints I've ever had are privacy complaints on YouTube. Scammers don't like their faces or voices or documents displayed on YouTube. And tough cases.
Okay, so my absolute favorite video of Jim's is when he hacked into an entire call center and could watch everything that was going on there. Wait, first, before we get into this story, how do you typically find these scammers?
I have my email address on YouTube and a lot of people just simply email me saying, hey, have you seen this pop up or I've just had a phone call from this number and or I've had this email and it's a fake invoice or my grandparents have just been scammed to use the phone. I get all of that all the time.
But actually, in a lot of ways, I don't even have to use that because I'm on what's called a mugs list. So in the past, I have pretended to pay scammers because remember this bit where I say I actually need the scammers on? I give them fake information, including credit card details.
And if you work your way onto a list of people who they think they've scammed in the past, they will call you again and again. Those lists are like gold dust for scammers. So the end result of that is I get so many phone calls directly to my home phone number that I don't need anyone else's input. I'm already in the middle of a load of scans. And honestly, there's nearly too many to cope with.
So what do you have, like 16 different phones over there? I do, literally. I mean, I have one phone service with 10 different phone numbers in the UK and I have something similar with US phone numbers. I've dropped a lot of those recently from their number. It just, it has nearly got to the point where I just can't, you know, have an evening free of scam phone calls.
Okay, but this story doesn't start with an inbound phone call. Instead, someone told Jim about a Malvert. This is an ad on a website which has malware on it. Basically, if you went to a website, you would hear this.
Important security message. Your computer has been locked up. Your IP address was used without your knowledge or consent to visit websites that contains identity theft virus. To unlock the computer, please call support immediately. Please do not attempt to shut down or restart your computer. Doing that may lead to data loss and identity theft. The computer lock is aimed to stop illegal activity.
Please call our support immediately.
Now this was just an ad on a website, but it had some malicious JavaScript in it, which maximized the browser, showed this giant warning, played this audio on repeat, and then made the mouse disappear, which made it seem like the screen was frozen. It's not actually a virus, though. You can just tap on Control-Alt-Delete and close the browser, and all is fine.
But to someone who doesn't know better, this could be scary, and they might call the number to get help. So Jim called the number and said that his computer's infected, and the scammers immediately tried gaining remote access to Jim's computer and tried to scam him for money. So that means, in Jim's mind, they crossed the line, and it was time for him to try to hack them back.
The way that I got access to the reverse access, I'll not go into that part in detail, but suffice to say that when I did get access, I got access to just one PC, and it was from a supervisor. And I was able to watch what that supervisor was doing. And one of the things that he was doing was watching CCTV. So I could see the IP address of the server that he was using.
It wasn't an internal server, it was an external one. And when he logged into it, he logged in with the username of admin. and a password of eight characters. And for the particular CCTV system that he was using, I did a Google search of what is the default password for this system. And would you believe they were still using the default password.
I guess you could call that hacking, but I could see the IP address, the username, and I just tried the default password and I was straight in. Admin123 was his password to protect this scam operation.
Okay, so he got into a supervisor's PC in a scam call center. But then from there was able to get into the CCTV system. Now this scam call center had a lot of cameras. The supervisor could watch all the scammers do their calls and go on break and go outside. And there was even a camera in the boss's office. But that wasn't it. The supervisor also had the ability to listen in on the calls.
In fact, all these calls were being recorded with some software.
It was gold dust for me because they had records of all their calls. I could see it on which server they were using. And I could directly download these things because I had access to that scammer's supervisor's scammer's computer. So I managed to download nine months worth of calls, about 70,000 separate calls.
Holy moly, 70,000 calls. And this is a much bigger operation than I thought. But Jim started going through this and was able to match up some of the time codes of the CCTV footage and the recorded calls and could essentially watch the scammers as they called these victims and listen in on the calls.
It's quite fascinating to watch because sometimes the scammers are like playing video games or looking bored. But this also means he's starting to identify what they look like. Where their desk is, where they sit in the room, and how this operation looks from the inside.
On top of that, on the supervisor's PC, there was a list of victims, which included the amount that was stolen from everyone and their names. It was quite a find. And just imagine having this access, being in Jim's position... I mean, if I was in that position, I'd just, like, put the computer down and take a walk around the lake or something like that, right? Like, what do you do?
What do you do with all this? Like, he would open up his computer in the morning and would have live cameras of this scam call center on one monitor watching everything that was going on. And then on the other monitor, he could tap into the phone calls and listen to them live as they were trying to scam victims.
We're calling support. My name is Alwin. How can I help you today?
What were you doing on the computer when you got this message?
Can you lower down the volume of your computer?
He pretty much had full supervisor access to this whole scam call center and could watch and listen to anything. But what do you do with that access? Like, it's really tempting to just call him up and be like, hey, hey, I can see you, scammer. I can see you wearing a hat and playing video games. I gotcha.
yeah oh it was so tempting that whenever you i mean i am watching live on the cctv i know the number that they're using uh the victims to call that day so i can call that number and i'll be speaking to somebody in a room that i can see on cctv hello yes sir yeah so what's all this about stop services then when they should be running i don't get it yeah
Sir, you need to go ahead and get it fixed, and there will be a one-time charge, sir, okay?
I don't always know who I'm speaking to, and sometimes if the room is full, it can be quite difficult to work out which agent. There may be 20, 30 agents in the room, and I can't always work out who I'm speaking with. And there's four cameras. Each corner of the room has got a camera. And what I do was actually invite the scammer onto a computer.
I had my desktop background set to a purple or a green color. And then what I would do is look around the cameras and look for that green screen or that purple screen. And then I knew, ah, right, there's the guy. That's who I'm talking to. And sometimes I had to do that just to work that out. And
The really, really tempting thing would be to say to the guy, hey, that's a nice Czech shirt you're wearing. Or, you know, stop playing Pac-Man whenever you're speaking to me. You know, can you stop doing that? But I couldn't give the game away. I couldn't be just as obvious as that. Although it was incredibly tempting to do that.
Yeah, and I mean, 70,000 calls with a whole list of victims here. Yeah. this is too much for one person to process all. So what did you end up doing with this access?
So I kind of figured out I was really on to something quite big at that stage. And I thought I would bring it to the attention of more mainstream media, specifically the BBC. I had never had contact with the BBC until that point. But Because I had personally tried to close down a lot of scam operations and been pretty unsuccessful about it.
So I have previously gone to the police in India to say, here's a scam call centre on your doorstep. Here's where they're located. I was able to get that sort of information, but nothing really ever came of it. And I thought, perhaps I'm going about this wrong. Perhaps what I really need is more mainstream media involved. So I got in touch with, really a general purpose BBC email address.
And before too long, I was reached out by a team called Panorama. Panorama are like a very long running documentary program where they cover all sorts of current affairs issues. But this particular team were interested anyway in scam phone calls. And as soon as I get in touch and said, look, this is what I have. Of course, that team were very, they wanted to work with me from that point.
The BBC has more resources than Jim. They can parse through this massive trove of data quicker and started putting pieces together even more. And together they built quite a detailed understanding of this whole scam operation. They figured out the name of the company, its address, who owns it, the employees who work there, and the victims, and how much money this whole place was making.
And again, it was all clearly documented with the video footage and the recorded calls and the files that they got from that supervisor's computer. They had a ton.
of evidence and they even reached out to the victims to let them know they were scammed i feel angry angry and upset angry that someone could do that knowing that there's nothing wrong with the computer just to extort money from you and upset with myself that i fell for it
Well, with all this proof, it was time to learn who is leading this operation.
We've identified the man behind the fraud, Amit Chauhan. But Amit Chauhan's not an ordinary businessman. The hacked footage includes recordings from the CCTV in his office.
We focus on the borderline. That is how we should measure our actions.
Okay, this is super interesting. There was a CCTV camera inside Amit's office, the head boss of this whole thing. And it's the only camera that actually had sound on. And so there's hundreds of hours of him talking on the phone and having meetings with people. And in those meetings, he's scheming up new ways to scam people and basically admitting to all this criminal activity on camera.
It's extraordinary. Well, with all this evidence in hand, the BBC reporter went to India to try to meet with him.
I want to meet Mr Chauhan, but he's away on a luxury holiday in Thailand. So I can only reach him on the phone.
Hello?
Hello, is that Amit?
Yes.
Hi, Amit Chauhan?
Yes. Yes.
I want to get your comment, please, on allegations that you're scamming people in the UK out of thousands of pounds. What would you like to say to that, Mr. Chown?
No, I don't think so there is any case like that. There is no such cases, but I'll talk to my lawyer first and then we'll get back to you.
Well, it was true. There was no such criminal case against him. So the BBC reporter went to the police and asked, hey, why don't you crack down on these scam call centers more seriously?
And here's what the Indian police said. This crime is a difficult crime. It's difficult to crack because we don't have victim, we don't have accused, we don't have anything. It's very difficult to link the accused with the victim.
Well, in this particular case, they did have victims, and the BBC recorded the victims' testimony to hear how they got scammed. So when the BBC published this story, and when Jim published his YouTube videos, it couldn't be ignored by the police. They had victims, they had evidence, they had the address, they had the name of the boss. It was a very easy case to process.
So the Indian police raided the scam center.
The police did their raid. They picked up whatever computers they could. They went to the boss's home address. And he lived in like the most luxurious accommodation you could imagine, something like $6,000 a month to rent this place, which is completely unheard of if you're in Delhi where he was.
What I had expected was that this would be such an easy case for them, there would be no problem, and ultimately the guy who ran the thing would be locked up. But that was very far from the truth. And what actually happened was, number one, it took about a year for the trial to even come up. Then COVID kicked in, so it was delayed by another year. But eventually, whenever the case did go to trial,
the police never actually followed up on any of the evidence that was given to them or that they had collected. So they had scripts about scams from the boss's computer, but they didn't, for example, follow the money trail from the victims to the boss.
So they could very easily, if they had any kind of incentive to do so, they could have easily gone to PayPal and say, we need evidence about what happened with this particular PayPal account. They never asked for that. They never followed up on any of the thing. In fact, what they actually relied on was the one laptop that they managed to pick up.
And obviously, because the documentary had gone out, the YouTube video had gone out, all of the computers were immediately wiped before the police actually arrived. So they only really had one laptop to go on, and that wasn't enough for them. And any of the independent evidence of scams, the 70,000 phone calls, the video footage of the scams actually happening was never presented.
In fact, what they said was, well, that YouTube footage could have been done by AI or that YouTube footage could have been faked. And it looked like the judge just accepted that. So there was no pressure whatsoever to present anything which linked the boss to any of that scam victim money.
And that is just a travesty because I couldn't have handed it on a plate any more clearly to the police, or indeed the BBC could have handed the same evidence to the police. But the police never came to speak to me, never came to speak to the BBC. or follow up with any of the evidence that I presented in the video whatsoever. They just didn't bother.
And I can only imagine that's for one of two reasons. One is they're desperately incompetent, which I think is the more likely reason. they've been paid off because the guy who was in charge of this is the equivalent of a multimillionaire as a result of those scams. And unfortunately, in India, corruption is rife. So I don't know for sure, but I would imagine that's what happened.
Well, there you go.
That's disappointing. Indian authorities. seem to not care about scam centers there. It's illegal, but they say they can't prosecute unless they have the victims, and since the victims are far away in another country, they just don't have enough evidence.
But even when the police are given the evidence, wrapped up with a bow by Jim and the BBC, and are even introduced to the victims, they still don't take serious action on this. So despite Jim's huge efforts of dismantling this whole industry, it looks to me at least that it's only going to keep growing since these criminals can scam victims all day with impunity.
Are there situations, I mean, you've been doing this for nine years now, and this probably was one of them where you had this huge database of victims and all this camera footage and stuff. Are there other situations where you have to just do a long stare out a window and take like a walk around the lake or something, whatever, and just think about what do I do with this situation I'm in? Yeah.
What are some of the difficult questions that you're asking yourself?
Well, I mean, we've covered the moral one and I never have a problem with that one for the reasons I've just described. But equally, it's actually quite harrowing listening to victims actually getting scammed because there have been times that I have tried to intervene and I'll have gone as far as because the scammers typically are on the phone with their victims all the time to their cell phone.
And they're going out to buy gift cards or they're going out to a Bitcoin ATM. And the only way that I can try to get that scam stopped is if I can warn a neighbor. If I know they're going to a certain gift card store, I will call that store and say, there's a person about to come in. Here's their name. They're about to buy $500 worth of gift cards. Could you please stop them?
And it's incredibly difficult to watch when stores, for example, warn the victim, but they... Unfortunately, they trust the scammer more than the person in the store talking to them. And it can be very difficult to listen to that. I've had people go to a Bitcoin ATM the store manager has tapped them on the shoulder and said, you're being scammed.
That person who says they're from customs are not who they say they are. And if you put money into that Bitcoin ATM, you are going to lose it. They've actually explained that they're being scammed, but yet they trust the scammer more and they've moved on to the next Bitcoin ATM. And I've had that happen right in front of me. And it's incredibly difficult to watch that because...
That could be my grandmother, my grandfather, your parents. It's someone's relative, yet you can't do anything about it. You try your best, but there are some people who are just going to be scammed. There's very little that can be done about it. And that is very hard to listen to. It is very hard to watch it.
Can I just do one last quick question? Sure, yeah, absolutely, yeah. Have you ever visited India or do you ever plan to go?
Actually, I would love to see India. And I'm honest about that because I've spoken with Karl Rock, so my partner in crime when it comes to all the kind of drone footage and so on. And I actually admire India as a country. And I'm not just saying this jokingly. to kind of justify me slagging off people in India when they're scamming.
This is a country that I genuinely would like to see, and I do intend to go there. I will be at some point in Delhi. The nice thing about my YouTube channel is I don't show my face, so I'm not that scared about going. I probably would stand out a little bit if I went to Kolkata or Calcutta but Delhi I think would be quite a place that I could easily go to.
A big thank you to Jim Browning for coming on the show and telling us all about the scam baiting he's been doing. You can watch all his videos on YouTube by just searching for Jim Browning. This episode was created by me, the fickle finger, Jack Recider. And this episode was edited by the wisdom feather, Tristan Ledger.
Mixing done by Proximity Sound and our theme music is by the mysterious Breakmaster Cylinder. Someone asked me the other day, what's an ethernet? And I said, oh, that's what you use to catch the ether bunny. This is Darknet Diaries.