143: Jim Hates Scams

2024/3/5
Darknet Diaries

Chapters
Jim Browning's journey into scam baiting began with incessant scam calls. His engineering background and curiosity led him to investigate these scams, recording his interactions with scammers and sharing them on YouTube. He exposes the scammers' tactics and lack of sophistication.
  • Jim's initial motivation was curiosity and an engineering background.
  • He started by receiving scam calls and decided to investigate.
  • He exposes the scammers' basic and easily-detectable scams.

Transcript

Hello, Jack. Hello, hello. Good. Well, it's good evening for me. I guess you're in the States. It's probably the afternoon. Yeah. Yeah. I just ate lunch. I'm having some chocolate. You like chocolate? Okay. Oh, yes. There's very, well, there's very few people I think don't like chocolate. I know. Yeah. Yeah. Chocolate's great. Yeah. Yeah. Keeps you going. Bit of energy. Yeah. A little caffeine hit. Yeah.

Indeed. You know, there's only like a few places in the world that have caffeine. There's tea, coffee, cola, chocolate, and I think that's it. That's the natural sources.

Yeah. It's hard to do without it. I do like a bit of chocolate. You're actually making me hungry. I probably got you at a bad time. I wasn't actually expecting you to say, yeah, I'm ready to go and we can just do this. But it absolutely suits me down to the ground. You know what? The thing is that you are the most requested guest maybe I've ever had.

Wow. Okay. So if you're available, I'm available. Let's go. I'm going to put the chocolate to the side and let's make a podcast. Yeah, that's cool. I've got to say, even before we do this, I have listened to loads of your podcasts. And honestly, it's an honor for me even to be asked onto it. So there you go. So you're the guy that everyone knows. You're ready to go. Oh, I'm ready. Yeah. Fire away.

These are true stories from the dark side of the Internet. I'm Jack Rhysider. This is Darknet Diaries.

This episode is sponsored by DeleteMe. I hope Darknet Diaries has taught you something about how people can use your data against you. But what do you do once your data is out there? Because it feels impossible to try to take it off the internet. How are you meant to fight these massive data brokers who are selling your info?

Well, you could try out the service called DeleteMe. DeleteMe does all the hard work of constantly monitoring and removing the personal information you don't want on the internet. Data brokers hate DeleteMe because your personal profile is no longer theirs to sell. And then DeleteMe will tell you what they found and where they found it and what they managed to remove.

I tried it, and they immediately got busy scouring the internet for my name and gave me reports on what they found on me. And then they got busy deleting things for me. It's great to have someone on my team when it comes to my privacy. Take control of your data and keep your private life private by signing up for DeleteMe. Now at a special discount for Darknet Diaries listeners. Today, get 20% off your DeleteMe plan when you go to joindeleteme.com slash darknetdiaries and use promo code DD20 at checkout. The only way to get 20% off is to go to joindeleteme.com slash darknetdiaries and enter code DD20 at checkout. That's joindeleteme.com slash darknetdiaries code DD20.

Thank you.

ThreatLocker implements a proactive, deny-by-default approach to cybersecurity, blocking every action, process, and user unless specifically authorized by your team. This least privilege strategy mitigates the exploitation of trusted applications and ensures 24/7, 365 protection of your organization.

The core of ThreatLocker is its Protect Suite, including application allowlisting, ringfencing, and network control. Additional tools like the ThreatLocker Detect EDR, storage control, elevation control, and configuration manager enhance your cybersecurity posture and streamline internal IT and security operations. To learn more about how ThreatLocker can help mitigate unknown threats in your digital environment and align your organization with respected compliance frameworks, visit ThreatLocker. That's threatlocker.com.

Today, I have the absolute pleasure to speak with Jim Browning. Jim was the first person I ever saw do scam baiting, and I was blown away that someone even does this sort of thing. Scam baiting is just as it sounds. He tries to bait scammers to scam him, and he records it for YouTube, and it's really quite amazing to watch.

So it still says connecting. I don't know why. Yeah, I don't know why.

Oh, is the virus doing this? Alright. Nothing to do with the live stream then. Actually, the alert which you got, that is the security block alert, which is coming from internet, because right now you haven't know any internet security. That is the reason, while browsing over the internet, by mistake or by accidentally, you might have clicked any link, which was not secure, okay? Oh, I see.

How did all this get started for you? What's your origin story with this whole scam thing?

Well, I wish it was a bit more like Batman. You know, Batman has got this, you know, an injustice done. And, you know, he's after the Joker and all this sort of thing. Very, very different for me. The way I got started was probably like most people, I receive lots of scam phone calls. And you keep hearing those incessant phone calls, people pretending to be Microsoft, pretending to be Amazon, your bank and so on.

And most people know just to hang up those calls, but I'm one of those people who I love to dig a little bit deeper because I'm an engineer. I know about computers, know about networks. And I thought to myself, surely someone is doing something about this. And if they're not, maybe I can do something about it.

I'm sure you're familiar with the fake Microsoft support scam calls. It's typically where someone from India calls you up and says you have a problem with your computer. And it sounds something like this. Hi, hello?

Oh, yes. Hello. I'm calling from Visa Portal LLC and my name is Sandeep. Jim? And they'll try to convince you that your computer has a virus and they can help. And they'll ask for control of your computer to fix it. But the thing is, you don't actually have a virus at all. They just made up this problem and they want to take your money. And Jim finds this whole thing really fascinating and just can't stop thinking about this. I really want to find out about what makes the scam tick.

So Jim finds himself on these calls to hear how it works and watch their whole operation. And then he calls them out on it like this. Oh yes, I just need to inform you that we have finished all the work with the computer now and everything is working fine with it. Right. Did you find any Trojans or anything? Yes, we have already removed all your network infections and also we have blocked them so they will not enter from now onwards.

Right, just that I was watching everything you were doing and also recording what you're doing and recording your voice because you've removed nothing whatsoever from this machine. It was never infected in the first place and all you've done is... I'm sorry? It was never infected with anything in the first place and you know that. So you say that you've removed a Trojan. Tell me what Trojan you've removed and show me evidence of that then.

Right now we have already removed and everything is recordable at our end as well. Yes. Yeah, show me. Tell me what Trojan I had then. Like we have removed all the Trojans. Yeah, show me one Trojan that you've removed. Okay, let me explain it to you. Like there were Trojan horses in it. Yeah, show me evidence of that. That's what I'm asking. But how should I show you now? But they are already removed.

Because if it was something like this particular tool, it would have logs and it would show you in the history what was removed. There's nothing been removed here. This is an anti-malware software. So go on then, tell me what software you use to remove any Trojan. Bear in mind, I've recorded everything you've done. So are you going to still stand by that story that you removed a Trojan?

So may I put the line in hold for one to two minutes? You can do what you want, but don't forget all of this is going to be uploaded to YouTube very shortly. So be very careful what you say in the next few minutes. Jim is pretty good at catching them in a lie and then he tries to get them to explain themselves. And when they continue denying it, he reports them. What I will do is now that I've got your IP address, this one and the timestamp, which is Mumbai. So it's now 6 p.m. It's been running for a few hours, this one though.

I can go to your ISP and that's Tata Teleservices in Italy. They provide that IP address to you and that's the one you're using at the minute. So I'm going to get them to identify exactly who you are because I know your address isn't in California. I know you're located in India.

Or I'll probably just publish all of this on YouTube anyway. Right? So thank you for choosing Vsupport. Thank you for choosing Scammers in Mumbai. Yes. Okay.

Yeah. I mean, my background is that I have been in IT really all my professional life, all my working life. Yeah, let's hear about that. What's the specialty that you are in IT?

Yeah, so I guess up until very recently, I had a real job as in a real normal IT job. I worked for a large company, should we say, in the UK. And part of their specialty was dealing with IT services and setup. And I have personally supported an organization with more than 200 or 300 people in it. So I'm the kind of admin, the sysadmin for a large IT company. So that's my background. As part of that, I'm also a programmer, I'm a network engineer, but I have no form of qualifications in, for example, cybersecurity.

Although at this stage, I think I could probably do fairly well in a cybersecurity exam. But my background is a normal IT job. That's it.

A lot of times what these scammers will do is type commands on your computer to prove you have a virus. But all they're doing is just showing you really normal computer activity, and it doesn't prove anything. In fact, one time I saw a video of his where a scammer just typed on the screen that the firewall is damaged and is at 2%. And the scammer was trying to say, hackers are going to soon break through and get everything.

But the thing is that firewalls don't have a percentage. And it's great that Jim knows a lot about IT and can easily spot every one of these bad attempts at showing him that there's a problem on his computer.

Type these things into your computer and look, you've got hackers, you've got viruses, you've got computer problems. You're going to have to pay me $200, $300 to fix them, to fix that problem.

Now, these scammers are not sophisticated at all. Their scam is really basic, but their method of collecting payment is crazy ridiculous. What they should do is just act like a normal company and set up a website where you enter in your credit card details and send them money. But they can't do that because payment processors will quickly spot and shut them down and freeze their money, maybe even charge them a fee. So Stripe and PayPal are just out of the question here, which means they've got to come up with some creative, alternative ways to get money from you.

They will get you to buy a gift card. They won't use the word gift card. What they say to their victims is, you've got a security problem. You're going to have to solve it with a security card and you'll have to go to your local Walmart or whatever to get the security card. And they won't use the word gift card if they can avoid it.

But when, of course, whenever you go in there and you're outside the store, they will say, right, I need you to go in and buy an Apple card or an eBay card or whatever it is.

And as soon as you read out that number, that's as good as them taking the value of that card because they can launder that almost immediately. Yeah. So I'm curious on that. How do they launder it? Because if you give someone an eBay card, they're not going to buy something on eBay. They're probably selling that for pennies on the dollar.

They do, exactly. And they'd be lucky to get maybe 50% of the actual value of the card. But what they do is they take those numbers and there is quite a, well, should we say a black market for gift card numbers? There are legitimate websites like Paxful, for example, where people will buy gifts, Google Play cards, eBay cards, you name it, any sort of gift card, and they will give you 50% of the value and they will mark that up and they may directly or indirectly buy items from those stores.

So yes, absolutely, you're going to lose half the value. But if you're a scammer, you have completely, cleanly washed that money because there's almost no way of getting money back when someone's bought a gift card and it's been used.

This always seems surprising to me. To convince your victim to hang up the phone, go drive to the store, buy a gift card, then drive back home and call the scammer back up to give them the gift card details. I just think you're going to lose your victim every time in that process. And on top of that, they're only getting half the value that's on the card.

But this seems to be pretty effective. I mean, these scam centers are making quite a bit of money this way. And I guess this means that even though the scam is hilariously bad and the method of collecting money is ridiculously complex, the thing that makes this work is the numbers, the relentless attempts at scamming people. If they try over and over and over and over, they'll eventually get people to pay them.

Now, of course, some victims don't want to send gift cards. So the scammers say, that's fine. There's another way. Send us cash. They actually persuade people to go to their local bank and withdraw cash. And they will say, I'll instruct you in a moment what you do with the cash. So they generally get the victim to take the cash home. And then they'll say...

And this is typically for a bank type scam. They'll say, we're going to create a new account for you and you need to send that money to a secure facility. And they will say, look, you need to put the cash into pages of a book. So between pages of a book, wrap that in silver foil.

And they will actually get you then to go to the nearest FedEx or post office and mail your cash to an address. And it's a money mule address.

Gosh, that sounds even more bizarre. Have these victims never paid for anything in their life before? In what world is it normal to wrap cash up in tinfoil and stuff it in a book and then ship it somewhere to get your computer fixed? Like, I don't want to be victim-blaming here, but come on. How colorblind do you have to be to not see these giant red flags?

One of the scams that Jim sees often is called a refund scam, and it might start out with a phone call that sounds like this. Hi, we are calling you from your computer maintenance department. If you remember, you have a contract with us for computer support and services. Unfortunately, we are closing the business so you can give us a call for the refund of the amount you paid to claim your refund.

This is a real voicemail or a phone call that somebody got. And people are falling for this and calling up the number. To you and me, that phone call sounds ridiculous, doesn't it? Like it's a crappy robo voice and it's not fooling us.

But just think about the mechanics of this call. I mean, they're clearly using some text-to-speech software, right? And I don't know why, but they're using a terrible version and have terrible English. But technology is rapidly improving. There's way better software out there today. And I just wonder, you know, someday the scammers are going to upgrade and use the good stuff.

Let me demonstrate. Here's what I'm going to do. I'm going to improve this whole scam attempt. Are you ready? First, I'm going to take the text that they said in that call and ask ChatGPT to rewrite this, but make it sound more like a natural English speaker would say. Cool. Now take that and make it sound even more casual, like something you just hear on a phone call or something. Okay, that looks good. Now I'll run this through a more modern text-to-speech software.

Okay, it's done. Let's take a listen to this call now. Hello, sorry to bother you. My name is Sarah from the Computer Maintenance Department. I need to talk with you about your support contract with us. Here's the thing. We're closing the business. I know. It's a bummer. I'm sorry. But here's the good news. You'll be getting a refund for the amount you've already paid us whenever you have a moment. Can you call me back?

I want to get this refund to you as soon as possible. Hope to chat with you soon.

You see how much better it is with modern tools? And seriously, that took me two minutes of just using automated tools to fix it up. The audio went from stupid... Computer maintenance department. ...to scary. I know. It's a bummer. And maybe you can still spot that that's AI-generated. But would your grandparents think that? I improved it because I want you to be aware of the tools that scammers have at their disposal today if they wanted to.

And I want you to think about how much better their scams are going to be in the future. We see that they're using text-to-speech software today, and it's just a matter of time that that text-to-speech software sounds really convincing. And then what?

What red flags would you notice in this audio to make you think it's a scam? Now you've really got to think, well, hold on. Do I actually have a support contract somewhere? Who are these people? Let me call them up and find out. And now you're on a phone call with a scammer, a position you really don't want to be in. And you can see how this whole thing is going to get trickier and trickier in the future.

The scam is what you call a refund scam. So they'll pretend to be a big organization, typically Amazon. And the conversation will start off with, they say they're going to refund this charge, which, you know, the victim will know nothing about. Okay. If I'm the victim, I'd be like, okay, I have no memory of this charge. Go ahead, refund me and see you later.

But it's trickier than that. Here's one of the actual scam calls that Jim captured. We can easily send you the money into your account within 5 to 10 minutes and you will get your amount right back right now. Okay? Alright. So do you do online banking then? So which bank do you do online banking? This victim mentions Mid Oregon Bank. Just go ahead and log into your bank. Log into your bank first of all, sir.

Alright, that's great. Now sir, you have to tell me, like your account has been opened, right? Alright sir, I don't need that. You have to be telling me like in which account do you need your money back. Now here's where the scam part comes in. The scammer will say that they want to make sure the money goes into the proper bank account. And will ask to see the victim's screen by using some screen sharing application. And then they'll ask to take control of the victim's computer.

Once they have control of the victim's computer and can see their online bank balances, then they'll say they're initiating the refund for whatever, say $300. And since the victim is logged into the bank's website, what the scammer will do is edit the web page in the browser to make it look like the money was just deposited into the account. But it's a fake deposit, though. It just looks like the money went in. But the scammer just faked the whole transaction by editing the HTML on the victim's screen.

But here's the tricky part. The scammer will put in the wrong amount for the refund. If the victim was expecting a $300 refund, the scammer would instead put in a $5,000 deposit instead. Then act all surprised that they put in the wrong amount. $5,300, he said? Oh my goodness, will you please hold on for a minute, sir?

So the scammer obviously knows that he's overpaid this victim, so the key to this scam is how they get the money back again. Our scammer comes up with a solution. Sir, I just got a mail from my hate server and unfortunately that you got extra amount in your account by mistake really sir. So sir will you please refund me my money back?

Inevitably, the victim asks how he can refund the money. Surely they can just take it back themselves. Oh sir, I can tell you. Like, I can tell you sir what you have to do to refund my money back to me, alright? Let me have a speak with my manager, okay sir? Let me have a word with them. A few moments later, there's a proposal. I have a word with my manager, sir. And they said there is some financial institution where you can send our money back to us, alright?

"Sir, do you know any Apple store nearest from your place?" Yes, he said Apple store. He wants his victim to go to an Apple store in order to get his money back. "You don't know? Okay, let me find Apple store for you, sir. Hold on for one minute." He searches on the victim's PC for the nearest Apple store. "Can you see, sir? There is a place called Simply Mac. Do you know this place?" He spends the next few minutes explaining that he's going to need $5,000 worth of Apple gift vouchers.

Jim says he's seen scammers also try to get people to send back the money using Zelle and bank wires too. And some people have lost quite a bit of money to these refund scams. It really does look convincing when you look at your bank balance and it shows $5,000 more than what you were expecting. And the victim could just refresh the page and the whole thing would reset. But the scammers are really good at preying on the victim's goodwill, you know? And the victims will give back the money.

Which is a pretty jerk thing to do, to exploit the goodness in people. You said that up until recently you had a real job. Is this now your full-time job as a content creator? It is, yeah. So as of just over a year and a bit ago, I gave up my full-time job, my IT job.

My full-time job is now making YouTube videos and going after scammers. So it sounds like this is something you're really passionate about, to leave your career behind, go right into like... chasing after scammers and exposing them. Is that true? This is your passion? For sure, yeah. It's definitely a passion. I can't stand scammers. That is my little tagline, if you like, on my YouTube channel. I can't stand scammers.

The thing about you, Jim, though, when I'm watching you, and I'm listening to you, your voice is just so calm and cool. And I never hear passion in there. And I never hear things like, I can't stand scammers. There's not even like, you don't even like have inflection. When you say that, you're just like, I can't stand scammers. But this is the thing. I really don't. Maybe it's something to do with my Irish accent or whatever. But honestly, it was...

When it comes to scams and scammers, I'm now devoting my life. But it is for that reason. If you watched what I do, if you listen to the calls that I hear every single day, you can't help not going after these guys. I've kind of, I build up a bit of a hatred for them, but it probably doesn't come across in the way I make the YouTube videos or my inflections or anything else. But in a lot of ways that helps me because if I appear calm, if I try to think it through, if I try to rationalise what I'm doing, it gives me in some way a bit of strength to try and combat these scammers because I like to think I've got a level head when it comes to tracking these guys down. And I think that's why I've been as successful as I have been.

Yeah, you have a unique approach that... You're not sensationalizing it. This is what I loved about it, actually, honestly, is, you know, there's kind of been a trend of people doing things similar to you now, and they're making it into a big game and lots of excitement. They're trying to get the other person to just lose their mind, you know, and start screaming back or something. And you're always very calm and calculated. And, of course, there's room for that. You know, I...

I encourage everyone to be a formal scam baiter. And if you can waste someone's time who you know is trying to steal money from you, it means they're not stealing money from your parents, grandparents and whatever. So absolutely, there's room for everyone. I encourage everyone to do what I do. Well, maybe not quite as far as I go because, you know, it could land you in trouble. And, you know, but there's nothing wrong with wasting a scammer's time.

Huh. He's encouraging everyone to waste scammers' time. And that's an interesting idea, I think. Imagine if every time you got a call from one of these scammers, you instantly got excited and you're like, oh boy, this is going to be a fun call. And of course, you don't give them access to your computer or send them money, but what could you do to waste their time?

I say someone should just create an app on my phone that's AI-driven that I could just pass the call over to it, and it acts like me, and it talks to the scammers for hours, keeping them going just a little longer, like maybe there's really long loading screens or web pages aren't loading right or something, and things just keep timing out, and they have to start all over again. And, you know, there are a few scambaiters out there, and one of them is called Kitboga, and I did see him dabbling with an AI bot tool to try to waste scammers' time.

But as Jim spent more and more time with these scammers, something really fascinating happened to him one day. He somehow ended up controlling one of the scammers' PCs. And this sent Jim in a whole new direction. The very first time that I was able to connect to a scammer's computer was that the scammer actually gave me his user ID and password to connect to him.

And then he would switch sides. So there was a period of time where if the scammers were using a bit of remote access software called TeamViewer, if they were using TeamViewer and the connections were coming from India, TeamViewer noticed that a lot of them were scams and they actually banned the entire country for a period of time.

And during that time, they wanted to keep the scams running. So what the scammers would do is say, "Well, you connect to me and there's a little bit of software internally that says switch sides with partner." And then they would connect back to the victim, supposedly.

So I was actually given the scammers' username and password so I can connect to their computer. That must have been, the first time you did that, that must have been such a wild moment. It was unbelievable because what you can do is exactly what the scammers do, which is as soon as you make that connection, you can lock their keyboard and mouse and blacken their screen. So I knew how to do that because I'd seen it so often. So this was like a real gift for me. So I connected to them, locked them out of their computer, started to download all the files to try and figure out who this was.

Now, just beside communicate, you see the option which says connect to partner. Yeah, okay. Hey, what are you doing? I can't see communicate. Don't try to communicate.

Hi, are you still there? Well, you're the one who's scamming, aren't you? And of course, because their computer is completely locked and black screened, they're not really quite sure what goes on. You know, they maybe hadn't encountered this before. So I knew that my time was probably limited. So I grabbed as much as I could from, I could download all their files. They weren't seeing any of this. And I was able to work out exactly who they were.

This is why I love watching Jim's YouTube videos. This isn't the only time he hacked into a scammer's computer. He does it practically every video now. He's figured out so many different ways to get into the scammers' computers. You just heard one way he does it. And he won't tell me any of the other ways that he gets into these computers because he says if he tells us, then the scammers are going to hear this and fix it and he'll lose access. So he keeps his little hacking method secret.

But my mind cannot help but start to brainstorm ideas on how you could hack into a scammer's computer. So let me just think out loud here for a minute. Okay, so when you connect, like when the scammer connects into Jim's computer to do that remote support, right? That scammer is going to be coming from a specific IP and Jim could probably see that, right? If he does Wireshark or something, he can capture that IP and then he's got their public IP. And from there...

Could he then port scan that IP and look for open ports and then try to find some exploits or vulnerabilities to hit those ports? Maybe. Maybe that is possible. Another thing is if they're using some remote desktop software, is there a bug in that software that Jim can exploit to reverse the connection?

I don't know how he does it, but even if I hit the nail on the head, Jim's not going to admit to how he hacks into their computers. No, and I probably never will, simply because scammers will learn from that. And unfortunately, they watch my videos just like a lot of other people do. And I don't want to reveal that as a secret. But suffice to say...

A lot of it is social engineering as opposed to some zero day compromise of the remote access software that I'm using. So I'm far more of a social engineer than a hacker, if that makes sense. We're going to take a quick commercial break. But when we come back, I'm going to play you some of my favorite clips from his channel. And you're not going to want to miss this.

This episode is sponsored by Grammarly. Do you struggle to stay on task when there are different bits of work all needing your attention at the same time? It might be a message from a colleague here or an email there and a presentation you need to finish editing. So where do you start? Why not the same way I do? By opening Grammarly. My time is valuable and yours is too. So now that we're spending what feels like half our time writing, it makes sense to get some help. Grammarly is an AI writing partner. There to help you stay focused and get through your work faster with relevant real-time suggestions wherever you write. Grammarly helps me respond to emails quickly. And once that's done, it's time to work on the show notes for a new episode. And Grammarly's great at generating suggestions. And with their business model that doesn't sell my data, I don't have to worry about who's watching.

There are a bunch of other cool features like how Grammarly can help you get the right tone by suggesting a better word based on the context and audience. Next time you're feeling the crunch to write, edit, or brainstorm, see if you can get more done with Grammarly. Download Grammarly for free at grammarly.com. That's grammarly.com.

Jim is known for hacking into scammers' computers and exposing them. It's really quite wild to watch. He has over 100 videos on YouTube now, and many of them are exactly this. It's amazing just to hear the scammers' reaction when he tells them some detail about them that he shouldn't know. For instance, there's one where he hacked into someone's computer in the call center and got a list of everyone's names and their fake names.

And this is one of my favorite videos. Let me just play a clip for you from it. Hello? Hello. Hello. Yeah, hi, sir. My name is Carolina Fernandez. I am calling you from the Microsoft. Oh, hi, Priya. Hi. Who are you? I'm a ghost. Don't call me an idiot. I'm a ghost. What's your name? Tell me your name. My name is...

Ghost. I don't understand. You tell me. You already tell my name. I know. You're Priya. I'm a ghost, you see. Priya. At least talk to me.

Hello? Hello? Hello? Yeah, who's this? Hello? Who's this? Yeah. Do you know my name? I don't know. What is your name? I love this part. You can hear this guy's brain just breaking real time. What is your name? I'm talking about your... Yeah, I'm talking about your computer. You have a Windows computer, right? I do, but I don't understand why you can't tell me your name.

At this point, the entire call center is listening in on this call, like what is happening here? And they even have them on speakerphone and this new lady jumps on the call. Hello. Yes, hello, who's this? Yes, hello. Who am I talking to? Yes, who am I talking to? Hi, this is Mary William from the headquarter of Microsoft security department. Tell me what happened. Mary, are you sure your name's Mary?

Yeah, definitely. I know my name. I'm very sure for it. But it's actually Sushmita.

No, I'm not Sushmita. My name is Mary William. Are you getting a little bit hot, Sushmita? Sorry, no. Listen, you are speaking to me and my name is Mary. Now Priya picks the phone back up and she's really curious and wants some answers. Can I request you, sir? Yeah. Just one.

Just one request. Can you please tell me, sir, how do you know the name that like Priya, Sushmita, like these Indian names? Where are you getting from? Did I get that right? Because I was just guessing. No. Do you using some technology or anything? How do you know the names?

I'm just very good at reading people's thoughts over the phone and I get this aura. I'm like a ghost. Really? Yeah, yeah. But it's quite impossible. How do you know the name by hearing their voice? Just simply because whenever you speak to me, I can pick up on vibes and I kind of know you create like an aura around you. I'm a little bit like a ghost.

Okay, yeah, I'm from Microsoft, so, and you are talking about a widget, like, right? Oh, Priya, please don't do this to me. Come on, you don't really work for Microsoft, do you? Sir, my name is not Priya. I'm not Priya, so, again, you made a mistake. Okay, but you confirmed that to me earlier, and you said your friends were Sushmita and Mimi, and, you know, you told me that earlier, so...

You've already confirmed that. Yes, and then you can use another name for me. Well, is Priya not your name? No, I'm not. Oh, Carolina Fernandez, you're sticking to that, are you? Yes, I'm Carolina Fernandez. Carolina Fernandez. Why are you using the Indian name for me? Right, okay. Well, what if you want Carolina? I don't really mind. So what's wrong with my computer?

Hello?

Hello? Sorry, your colleague's listening in, but I can hear her talk as well. Oh, she's hung up. That's okay. Yeah, I know. She wasn't very good, was she? Oh, my God. Who are you, sir? May I know who are you? I just told you. You can call me Ghost, because...

Like, that's kind of the way I feel. I get this aura around people. I can tell who's around them. I can tell just from the tone of their voice. How long have you been working there, Priya? How long have you been working there? A fake Microsoft. Salt Lake Sector 5? Salt Lake Sector 5? Salt Lake Sector 5? Salt Lake Sector 5? You heard.

Hello. Please don't hang up. Hello. No, no. I'm here. I'm here. I'm here. What's the weather like there? Weather? Now it's... What's the weather like in Kolkata? You tell me. You know everything about me. I'd say about 33 degrees. What is the weather? What's my name? It's 33 degrees. Do you know my father's name? It's raining. It's raining.

Yeah, I don't know. Do you know my father's name? I don't know, but is your father proud of you, what you do? Does he think you work for Microsoft? Yes, of course. But you don't work for Microsoft. Did you tell him that? Sir, you just tell me one thing. Why are you wasting my time? I'm not wasting time. I'm talking about your computer. I'm trying to, you know, you give off this aura, and I'm trying to kind of work out why you do all this scamming stuff. That's really what I wanted to know.

Then why are you wasting your time? Can't you get, like, a different job that doesn't steal money? How do you know the name? I know everybody's name. Another name? Yes, everybody. You know everybody? Tell me the name. Everybody? Tell me my colleague's name. I'll tell you one more name. Will I tell you one more name? Yes. so he needs so he needs

And tell me another name? No, no, I'm not gonna... Look, I get this from the aura. Any male name? Well, apart from Abjit. Any male name? Yeah, apart from Abjit. So, I do respect your talent, okay? Can you please tell... Yes, I'm here. Can you please tell me who is beside me right now? Which side? Which side?

Uh, in my left hand side? Um, I think that's Mimi. Hello? Did I get that right? Hello? Hello?

Hello. You went very quiet. Can you tell me, did I get it right? I'm so excited. Did I get it right though? Because this doesn't always work. Who are you? Did I get it right? Wait, wait, wait. Can you hear me properly? You keep asking me questions. Can I ask you one thing? Did I get that right? Because I can never tell. Is Mimi on your left? And right-hand side?

In my right hand side. It's coming through to me. I'm not sure. I'm pretty sure that's Sushmita.

I love it. Jim caused such chaos in that scam call center. He told them their real names, their location, even the name of the company that employed them. And they passed this phone around to at least five different agents to talk to him. And of course, any information that Jim does get from hacking these scammers, he reports it. So like if he sees that they use a certain service, he'll report that to the service provider that scammers are using their product and this is their user ID.

He's gotten some of them actually banned from using certain software, but they can just make a new company and then register the software again under a new company name. Sometimes when these scam centers make new company names, they even get their company listed by the Better Business Bureau, and then even get some people to make fake reviews about their company. If he can find this, he'll definitely report that to the Better Business Bureau, and he'll do everything he can to slow down these scammers and waste their time.

Once, he got into a scammer's computer and grabbed all their files, and in there was a plane ticket for a recent trip. So Jim had this guy's real name, his travel details, and from there, he could look the guy up on Facebook and find his friends and family. And yeah, when these scammers call him up and have no idea that Jim has all this information on them, it's quite a riot to watch the whole thing unfold.

The question does come up, though, and I'm sure you've answered this a thousand times, which is like, hold on a second. Hacking is illegal. You can't just go hack people's stuff. And here you are hacking into someone else's machine. What's going on here? Where's your justification? Where's your moral compass or ethical framework in this way?

I mean, the moral bit is quite easy for me because I quite deliberately let the scammers attempt to scam me. I cannot and I don't have the technical expertise, shall we say, to arbitrarily hack into anything. I can't do it. I'm not able to do that. A lot of people that you've spoken to on this podcast probably would be able to do that. I cannot do

I have to rely on a scammer connecting to me and trying to steal money from me. And that's the only way that I can ever access their computers. They have to try to steal money from me first. This is a really nice ethical line you've painted yourself. Like, okay, you know what? Unless you walk into my home and get onto my computer and attempt to steal money from me,

I'm not going to do anything to you. And once they do that and you open your door to allow that to happen and you see that, okay. I mean, I'm not, and I hate to be known as a hacker because that always has quite negative connotations. And I hate the term because it just has all of that baggage. But...

That is true. And every single person that I feature on any video on YouTube has at some point connected to my computer. And don't forget, scammers don't always make it clear that what you're typing out gives them access to my computer.

because they will quite deliberately say, just type this on your command line. When people question, well, what is this thing that you're getting me to download and run? And it's in fact a remote access tool.

they will not explain that. So already there is a remote access connection, which is a sort of hacking attempt because the scammer doesn't make it clear to the victim. They are taking access of your computer and they are not making it clear. Obviously, they're scammers. And I just go a little bit further to say, well, OK, you're trying to

misuse my computer. So internally, I'm thinking you're now fair game for me to do the same to you. So the only people, and I've said this a number of times in other interviews as well, the only people who could ever have a problem with what I do are the people who try to steal money from others. Okay. And if they ever want to raise a legal complaint or whatever,

Please bring that on because what I will have done is record how I managed to get access to their computer. And the answer is because they were trying to steal money from me. Now, that's not a defense on its own.

But it just means that if I ever have to defend myself for any reason, I have a good reason as to why I have access to their computer. And it's just because of this theft that they're attempting. There's almost no recourse that they can have. I mean, I'm assuming you haven't had any legal complaints that you've had to seriously take care of. Not once.

The only complaints I've ever had are privacy complaints on YouTube. Scammers don't like their faces or voices or documents displayed on YouTube. And tough. Okay, so my absolute favorite video of Jim's is when he hacked into an entire call center and could watch everything that was going on there. Wait, first, before we get into this story, how do you typically find these scammers?

I have my email address on YouTube and a lot of people just simply email me saying, "Hey, have you seen this pop-up?" or "I've just had a phone go off on this number" or "I've had this email and it's a fake invoice" or "My grandparents have just been scammed to use their phone." I get all of that all the time. But actually, in a lot of ways, I don't even have to use that because I'm on what's called a mugs list.

In the past, I have pretended to pay scammers because remember this bit where I say I actually need the scammers on. I give them fake information, including credit card details. And if you work your way onto a list of people who they think they've scammed in the past, they will call you again and again. Those lists are like gold dust for scammers. So the end result of that is

I get so many phone calls directly to my home phone number that I don't need anyone else's input. I'm already in the middle of a load of scams and honestly, there's nearly too many to cope with. So what do you have, like 16 different phones over there?

I do, literally. I mean, I have one phone service with 10 different phone numbers in the UK and I have something similar with US phone numbers. I've dropped a lot of those recently from their number. It just, it has nearly got to the point where I just can't, you know, have an evening free of scam phone calls.

Okay, but this story doesn't start with an inbound phone call. Instead, someone told Jim about a malvert. This is an ad on a website which has malware on it. Basically, if you went to a website, you would hear this. Important security message. Your computer has been locked up. Your IP address was used without your knowledge or consent to visit websites that contains identity theft virus. To unlock the computer, please call support immediately.

Please do not attempt to shut down or restart your computer. Doing that may lead to data loss and identity theft. The computer lock is aimed to stop illegal activity. Please call our support immediately.

Now, this was just an ad on a website, but it had some malicious JavaScript in it, which maximized the browser, showed this giant warning, played this audio on repeat, and then made the mouse disappear, which made it seem like the screen was frozen. It's not actually a virus, though. You can just tap on Control-Alt-Delete and close the browser, and all is fine. But to someone who doesn't know better, this could be scary, and they might call the number to get help.

So Jim called the number and said that his computer's infected and the scammers immediately tried gaining remote access to Jim's computer and tried to scam him for money. So that means, in Jim's mind, they crossed the line and it was time for him to try to hack them back.

The way that I got access to the reverse access to that, I'll not go into that part in detail, but suffice to say that when I did get access, I got access to just one PC and it was from a supervisor.

And I was able to watch what that supervisor was doing and one of the things that he was doing was watching CCTV. So I could see the IP address of the server that he was using. It wasn't an internal server, it was an external one. And when he logged into it, he logged in with the username of admin and a password of eight characters.

And for the particular CCTV system that he was using, I did a Google search of what is the default password for this system. And would you believe they were still using the default password?

I guess you could call that hacking, but I could see the IP address, the username, and I just tried the default password and I was straight in. Admin123 was his password to protect this scam operation.

Okay, so he got into a supervisor's PC in a scam call center. But then from there was able to get into the CCTV system. Now this scam call center had a lot of cameras. The supervisor could watch all the scammers do their calls and go on break and go outside. And there was even a camera in the boss's office. But that wasn't it. The supervisor also had the ability to listen in on the calls. In fact, all these calls were being recorded with some software.

It was gold dust for me because they had records of all their calls. I could see it on which server they were using, and I could directly download these things because I had access to that scammer's supervisor's scammer's computer. So I managed to download nine months' worth of calls, about 70,000 separate calls. Holy moly, 70,000 calls? Man, this is a much bigger operation than I thought.

But Jim started going through this and was able to match up some of the time codes of the CCTV footage and the recorded calls and could essentially watch the scammers as they called these victims and listen in on the calls. It's quite fascinating to watch because sometimes the scammers are like playing video games or looking bored. But this also means he's starting to identify what they look like, where their desk is, where they sit in the room, and how this operation looks from the inside. On top of that, on the supervisor's PC, there was a list of victims, which included the amount that was stolen from everyone and their names. It was quite a find. And just imagine having this access, being in Jim's position.

I mean, if I was in that position, I'd just like put the computer down and take a walk around the lake or something like that, right? Like, what do you do? What do you do with all this?

Recalling support, my name is Alwin. How can I help you today?

He pretty much had full supervisor access to this whole scam call center and could watch and listen to anything.

But what do you do with that access? Like, it's really tempting to just call them up and be like, hey, hey, I can see you, scammer. I can see you wearing a hat and playing video games. I got you. Yeah, it's so tempting that whenever you, I mean, I am watching live on the CCTV. I know the number that they're using.

the victims to call that day, so I can call that number and I'll be speaking to somebody in a room that I can see on CCTV. Hello? Yes, sir. Yeah, so what's all this about stop services then, when they should be running? I don't get it. Yeah, sir, you need to go ahead and get it fixed, and there will be a one-time charge, sir. Okay.

I don't always know who I'm speaking to and sometimes if the room is full it can be quite difficult to work out which agent, there may be 20, 30 agents in the room and I can't always work out who I'm speaking with and there's four cameras each corner of the room's got a camera and

what I do was actually invite the scammer onto a computer. I had my desktop background set to a purple or a green color. And then what I would do is look around the cameras and look for that green screen or that purple screen. And then I knew, ah, right, there's the guy. That's who I'm talking to. And sometimes I had to do that just to work that out. And

The really, really tempting thing would be to say to the guy, hey, that's a nice check shirt you're wearing. Or, you know, stop playing Pac-Man whenever you're speaking to me. You know, can you stop doing that? But I couldn't give the game away. I couldn't be just as obvious as that. Although it was incredibly tempting to do that. Yeah, and I mean, 70,000 calls with a whole list of victims here,

this is too much for one person to process all. So what did you end up doing with this access? So I kind of figured out I was really on to something quite big at that stage. And

I thought I would bring it to the attention of more mainstream media, specifically the BBC. I had never had contact with the BBC until that point. But because I had personally tried to close down a lot of scam operations and been pretty unsuccessful about it, so I have previously gone to the police in India to say, here's a scam call centre on your doorstep. Here...

here's where they're located. I was able to get that sort of information, but nothing really ever came of it. And I thought, perhaps I'm going about this wrong. Perhaps what I really need is more mainstream media involved. So I got in touch with really a general purpose BBC email address and

And before too long, I was reached out by a team called Panorama. Panorama are like a very long-running documentary program where they cover all sorts of current affairs issues. But this particular team were interested anyway in scam phone calls. And as soon as I got in touch and said, look, this is what I have, of course, that team were very, they wanted to work with me from that point.

The BBC has more resources than Jim. They can parse through this massive trove of data quicker and started putting pieces together even more. And together they built quite a detailed understanding of this whole scam operation. They figured out the name of the company, its address, who owns it, the employees who work there, and the victims, and how much money this whole place was making. And again, it was all clearly documented with the video footage and the recorded calls and the files that they got from that supervisor's computer. They had a ton of evidence. And they even reached out to the victims to let them know they were scammed. I feel angry. Angry and upset. Angry that someone could do that, knowing that there's nothing wrong with the computer just to extort money from you.

and upset with myself that I fell for it. Well, with all this proof, it was time to learn who is leading this operation. We've identified the man behind the fraud, Amit Chauhan. But Amit Chauhan's not an ordinary businessman. The hacked footage includes recordings from the CCTV in his office. ...

Okay, this is super interesting. There was a CCTV camera inside Amit's office, the head boss of this whole thing. And it's the only camera that actually had sound on. And so there's hundreds of hours of him talking on the phone and having meetings with people. And in those meetings, he's scheming up new ways to scam people and basically admitting to all this criminal activity on camera. It's extraordinary.

Well, with all this evidence in hand, the BBC reporter went to India to try to meet with him. I want to meet Mr Chauhan, but he's away on a luxury holiday in Thailand. So I can only reach him on the phone. Hello? Hello, is that Amit?

Yes. Hi, Amit Chauhan? Yes. I want to get your comment, please, on allegations that you're scamming people in the UK out of thousands of pounds. What would you like to say to that, Mr Chauhan? No, I don't think so there is any case like that.

There's no such cases, but I'll talk to my lawyer first and then we'll get back to you. Well, it was true. There was no such criminal case against him. So the BBC reporter went to the police and asked, hey, why don't you crack down on these scam call centers more seriously? And here's what the Indian police said. This crime is a difficult crime. It's difficult to crack because we don't have victim, we don't have accused, we don't have anything. It's very difficult to link the accused with the victim personally.

Well, in this particular case, they did have victims. And the BBC recorded the victims' testimony to hear how they got scammed. So when the BBC published this story and when Jim published his YouTube videos, it couldn't be ignored by the police. They had victims. They had evidence. They had the address. They had the name of the boss. It was a very easy case to process. So the Indian police raided the scam center.

The police did their raid. They picked up whatever computers they could. They went to the boss's home address. And he lived in, like, the most luxurious accommodation you could imagine. Something like $6,000 a month to rent this place, which is completely unheard of if you're in Delhi, where he was. And...

What I had expected was that this would be such an easy case for them. There would be no problem. And ultimately, the guy who ran the thing would be locked up. But that was very far from the truth. And what actually happened was, number one, it took about a year for the trial to even come up. Then COVID kicked in. So it was delayed by another year. But eventually, whenever the case did go to trial,

The police never actually followed up on any of the evidence that was given to them or that they had collected before.

So they had scripts about scams from the boss's computer, but they didn't, for example, follow the money trail from the victims to the boss. So they could very easily, if they had any kind of incentive to do so, they could have easily gone to PayPal and say, we need evidence about what happened with this particular PayPal account. They never asked for that.

They never followed up on any of the thing. In fact, what they actually relied on was the one laptop that they managed to pick up. And obviously, because the documentary had gone out, the YouTube video had gone out, all of the computers were immediately wiped before the police actually arrived. So they only really had one laptop to go on.

And that wasn't enough for them. And any of the independent evidence of scams, the 70,000 phone calls, the video footage of the scams actually happening was never presented. In fact, what they said was, well, that YouTube footage could have been done by AI or that YouTube footage could have been faked. And it looked like the judge just accepted that.

So there was no pressure whatsoever to present anything which linked the boss to any of that scam victim money. And

That is just a travesty because I couldn't have handed it on a plate any more clearly to the police, or indeed the BBC could have handed the same evidence to the police. But the police never came to speak to me, never came to speak to the BBC, or follow up with any of the evidence that I presented in the video whatsoever. They just didn't bother.

And I can only imagine that's for one of two reasons. One is they're desperately incompetent, or, and which I think is the more likely reason, they've been paid off, because the guy who was in charge of this is the equivalent of a multimillionaire as a result of those scams. And unfortunately, in India, corruption is rife. So I don't know for sure, but I would imagine that's what happened. Well, there you go.

That's disappointing. Indian authorities seem to not care about scam centers there. It's illegal, but they say they can't prosecute unless they have the victims. And since the victims are far away in another country, they just don't have enough evidence. But even when the police are given the evidence, wrapped up with a bow by Jim and the BBC, and are even introduced to the victims, they still don't take serious action on this.

So despite Jim's huge efforts of dismantling this whole industry, it looks to me at least that it's only going to keep growing since these criminals can scam victims all day with impunity. Are there situations, I mean, you've been doing this for nine years now, and this probably was one of them where you had this huge database of victims and all this camera footage and stuff.

Are there other situations where you have to just do a long stare out a window and take like a walk around the lake or something, whatever, and just think about what do I do with this situation I'm in? Yeah. What are some of the difficult questions that you're asking yourself?

Well, I mean, we've covered the moral one and I never have a problem with that one for the reason I've just described. But equally, it's actually quite harrowing listening to victims actually getting scammed because there have been times that I have tried to intervene and I'll have gone as far as because the scammers typically are on the phone with their victims all the time to their cell phone.

and they're going out to buy gift cards or they're going out to a Bitcoin ATM, and the only way that I can try to get that scam stopped is if I can warn a neighbor. If I know they're going to a certain gift card store, I will call that store and say, there's a person about to come in, here's their name, they're about to buy 500 worth of gift cards, could you please stop them? And

It's incredibly difficult to watch when stores, for example, warn the victim, but unfortunately they trust the scammer more than the person in the store talking to them. And it can be very difficult to listen to that. I've had people go to a Bitcoin ATM store

The store manager has tapped them on the shoulder and said, you're being scammed. That person who says they're from customs are not who they say they are. And if you put money into that Bitcoin ATM, you are going to lose it. They've actually explained that they're being scammed, but yet they trust the scammer more and they've moved on to the next Bitcoin ATM. And I've had that happen right in front of me. And it's incredibly difficult to watch that because...

That could be my grandmother, my grandfather, your parents. It's someone's relative, yet you can't do anything about it. You try your best, but there are some people who are just going to be scammed. There's very little that can be done about it. And that is very hard to listen to. It is very hard to watch it. Can I just do one last quick question? Sure, yeah, absolutely, yeah. Have you ever visited India or do you ever plan to go?

Actually, I would love to see India. And I'm honest about that because I've spoken with Karl Rock, my partner in crime, when it comes to all the drone footage and so on. And I actually...

India as a country. And I'm not just saying this to kind of justify, you know, me slagging off people in India when they're scamming. This is a country that I genuinely would like to see. And I do intend to go there. I will be at some point in

Delhi. The nice thing about my YouTube channel is I don't show my face, so I'm not that scared about going. I probably would stand out a little bit if I went to Kolkata or Calcutta, but Delhi, I think, would be quite a place that I could easily go to.

A big thank you to Jim Browning for coming on the show and telling us all about the scam baiting he's been doing. You can watch all his videos on YouTube by just searching for Jim Browning. This episode was created by me, the fickle finger, Jack Rhysider. And this episode was edited by the wisdom feather, Tristan Ledger. Mixing done by Proximity Sound and our theme music is by the mysterious Breakmaster Cylinder. Someone asked me the other day, what's an Ethernet? And I said, oh, that's what you use to catch the Ether bunny. This is Darknet Diaries.