A brilliant new video from young French YouTuber Michaël de Marliave, more commonly known as Micode (pictured), reveals the inner workings of criminal operations that use SMS messages to steal personal data and raid bank accounts. The video is entitled “J’ai infiltré un réseau d’arnaqueurs au SMS” (“I infiltrated a network of SMS scammers”) and Micode is true to his word, showing how he followed a trail of digital breadcrumbs that begins with clicking the link in an SMS message, involves fake webpages and social media channels that are exclusively for criminals, exploits a method that anyone could use to reverse-engineer a list of phone numbers registered with Amazon, and ends with introductions to people who phone victims and pretend to work for their bank.
Interest in smishing exploded in France after the discovery that a gang was blasting thousands of SMS messages from radio devices driven around the suburbs of Paris. Similar criminal operations have been found in other countries, but the threat has received little press coverage in the Anglosphere. This suggests that comms, fraud and security experts working in many countries have underestimated the danger of similar scams. It would be a mistake to assume the crime is not occurring just because it has not been reported, especially as the use of a radio transmitter in close proximity to a victim’s phone means there is no network traffic to analyze. Draw your own inference from the fact Micode says French banks are moving away from using SMS for two-factor authentication whilst a plethora of English-speaking ‘experts’ insist we should all rely upon SMS more than ever.
Micode’s story focuses more on the technology of phishing than the use of SMS as an on-ramp for phishing websites, though he makes some valid points about the bad messaging practices of reputable French institutions. Nevertheless, the way Micode tracked down the imposters who call their victims and pretend to work in fraud prevention illustrates how much more could be done to combat crime, if the authorities were sufficiently motivated. YouTubers keep locating the criminals who are behind the frauds that plague comms networks and their users, so why are police forces around the world reluctant to do the same?
Few professionals who do not speak French are likely to be familiar with Micode’s investigation because his video has not been translated into any other languages. That is a shame, because he spins an entertaining yarn whilst providing insights that even the most hardened anti-fraud professionals will value. To encourage greater awareness of this work, our team used artificial intelligence to produce an English version of the transcript. You can both play the video and scroll through the translation below; readers using a mobile phone will need to switch to a larger screen to get the best results.
Are you ok? All right? I put the script in front of you but if he has money it will fuck his mother. We are on December 30, 2022. A police car patrols the 10th arrondissement of Paris, near Porte Saint-Denis [a famous landmark]. Around 8.30 p.m., the officers decide to stop a Ford to carry out a simple routine check. On board, a 23-year-old driver. They quickly realize that the woman is drugged and that the vehicle is not in her name. For a Friday night, nothing particularly original. But what they do not know yet is that the car they have just stopped is not that of an inoffensive young reveler who has just returned from a party. In reality, totally by chance, they are about to check a very special vehicle involved in one of the most mysterious cases that Paris has known in recent years. As usual, they decide to stop the patrol. They get the woman out and open the door. On the back seat, a strange device attracts their attention. There are several phones and a kind of big white antenna fixed to the seat. It seems to be connected by a wire to something. Weird. They open the trunk and discover, amazed, a very strange device. This time, no doubt, something strange is going on. Carefully, they open the box and come face to face with an electronic device. It is huge. Wires come out of everywhere and a digital screen indicates that there is no connection. The first explanation that comes to the police officers, who are not cybersecurity experts, is that they have just laid their hands on an improvised bomb. Panicked, they call the bomb disposal service as quickly as possible, take some photos and hurriedly close off the area around the arch. The exits of the Strasbourg-Saint-Denis metro are also closed. Soon we hear a… No more briefcase.
and it is no longer a question of analyzing the device. Quickly, the bomb disposal team noticed that in fact the suitcase did not contain any trace of explosives. So it was not a bomb. Several theories are formulated until the case and the photos are published on Twitter by a journalist. And there, it's a tidal wave. The tweet attracts the attention of the bigwigs around the world, who analyze the mysterious photos in the slightest detail. The conclusion is unanimous: this device is in fact much more expensive and perhaps even more devastating than a bomb, it's an IMSI catcher. An IMSI catcher is an ultra-sophisticated professional espionage device which is perfectly illegal to use in France. And for good reason: it simulates a pirate relay antenna and siphons off all the telephone traffic around it. To achieve this, it uses a flaw in the 2G protocol designed at the beginning of the 90s. And as often at that time, the creators did not plan a robust and encrypted authentication system between your phone and your operator's antenna. Which means that once turned on, it is enough for the IMSI catcher to jam the 3G signal of the other antennas to capture the connection of all the SIM cards in a radius of several kilometers. In an insecure way, of course. The IMSI catcher is therefore in a position to intercept all the SMS and telephone calls sent in its vicinity and to relay them instantly to the real relay antennas. It's dreadful, because it's almost impossible for the victims to realize that there is a new intermediary spying on them and that they are being overheard. Except if they look at their phone at the exact moment when they lose their 4G. So it's advanced hacking equipment. Okay, but after all, the police officers are used to finding all kinds of strange things. There are people who use wardriving to map vulnerable Wi-Fi networks in business districts. So why does this discovery make experts from all over the world so perplexed?
Already, in most countries, this kind of very sensitive equipment is mainly used by the authorities. And again, not just anyhow. In France, until 2016, even the intelligence or police investigation services did not have an official authorization to use these briefcases. They did it anyway. The Inquiry Act ended up legalizing their use, but it is supposed to be relatively exceptional, for the fight against terrorism or organized crime. Incredible thing, we know in particular that there may be some near demonstrations or at customs. As proven by these two small lines, unfortunately forgotten in a public procurement document. Then there is the question of the price. We are not talking about hacking equipment, Wi-Fi or radio, that can be found for a few tens or hundreds of euros on Amazon. To get an IMSI catcher, you will have to pay between 30 and 300,000 euros depending on the model. If you unearth a seller, because we can easily find Chinese suppliers on the Internet, it is not certain that delivery is that simple. It is a type of package that does not go unnoticed. The question is therefore: who in France has enough means to afford this kind of toy? And above all, what could justify a risky operation of massive communication interception in the heart of Paris? Well, it didn't take long to get answers. Behind this mysterious case would actually be a vast scam operation with fake SMS. You know, those short messages on behalf of Chronopost, taxes, etc. encouraging you to click on a link as soon as possible, to steal your banking information. According to the police, this IMSI catcher would have been a way to capture phone numbers and send large amounts of SMS. This is what the investigation leads to after the arrest of five people on February 14 in Neuilly-sur-Seine, Noisy-le-Sec and Pantin. This would explain in particular why Parisians have been receiving so much spam since the end of 2022.
Once in custody, the young woman who was driving the Ford explained that she was on a mission to drive slowly around Parisian neighborhoods in exchange for a few hundred euros. Her 'Eye of Sauron v2.0' would have been installed behind the seat of her car in an underground parking lot in the Goutte d'Or, in the north of Paris. Apparently, her mission was to capture phone numbers, nearly 17,000 at the time of her arrest. While the police follow this trail, the cyber gendarmes of ComCyber are notified of strange areas of disturbance that have been detected on the Parisian mobile network. I imagine that a 2G desert wandering around the heart of the capital ends up being noticed. Finally, the leads point to two men, managers of a digital marketing company based in Neuilly. On their site, they offer in particular a funny service, the mass sending of SMS at low cost, and above all the rental of a database of more than 20 million mobile phone numbers, whose owners have of course agreed to be solicited. A search will turn up another car with a tracker, 12 phones, 8 computers, a few diamonds, and will identify 3 other suspects. According to the investigators, the gang would have acquired several handcrafted IMSI catchers at 20,000 euros apiece from an intermediary who owned bank accounts in China. Thanks to this arsenal, they would have sent 424,000 fraudulent SMS containing a link to a fake site of the Assurance Maladie [the public health insurance]. "I paid the amount to get my so-called new Vitale card. That's how they got hold of the bank details, in fact, and they were able to make purchases on sites for a total amount of 2,842 euros." Case closed, a priori, we have the motive of the crime. Move along, there is nothing more to see. Except that I also wanted to carry out my own little investigation, and the more I dig, the less logical this story seems to me.
Following what seems to be a big haul, a lot of people expected to see the number of fake SMS decrease significantly in the Paris region. Except that this is not at all what happened. It may even be the opposite, in reality. If you have a phone number in Île-de-France or elsewhere, you still receive them, and very regularly. So that means that either our crooks were mere underlings, quickly replaced, or they were not alone. And if there are others, we may be able to find them. It's time to get down to business. To begin with, we can notice that the SMS always have the same pattern. A short message, imitating a delivery service or a public service, urgently asking you to take action by clicking on a link. This is often a simple domain name, such as chronopostlivraisonportail.com or antaïamantegouv.org, etc. Already several interesting things to note. They only use .com, .fr or .org to inspire confidence. Their sites are always secured with HTTPS. And they have abandoned all the typographic tricks, such as impôts.fr with an L instead of an I, to go back to word sequences from the brand's lexical field. This is what we call combo-squatting. It may make you smile that people actually fall into this kind of trap. But you would be wrong, because in fact, there are excellent reasons to be fooled. Look, let's take this SMS that I received this week. It is written in good French, sent by CHQ Energy, and it invites you to click on chequeboifuelasppublic.fr to get a free super cheque from the state. So, did you find what was wrong? Did you spot the catch? No? Well, that's normal, because there is none. This is really an official message from the public service. And yes, the state also sends massive SMS campaigns, and in this one, it explains to you in the greatest calm that to earn up to 200 euros, you should click on a weird link. Excellent idea, isn't it? No risk that our dear fellow citizens end up completely lost.
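The combo-squatting pattern Micode describes (a real brand name glued to words from its lexical field, on a trusted TLD, rather than a typo) is something an SMS filter can score. The following is an added example, not code from the video; the brand allow-list, the lexical-field word list and the sample SMS are all constructed for illustration, and the eTLD+1 logic is a deliberate simplification of the public suffix list.

```python
"""Flag combo-squatting domains in SMS text. Added example; lists and samples are constructed."""
import re
import unicodedata
from urllib.parse import urlsplit

# Constructed allow-list for the example: brand keyword -> registrable domains the brand really uses.
BRANDS = {
    "chronopost": {"chronopost.fr"},
    "antai": {"antai.gouv.fr"},
    "impots": {"impots.gouv.fr"},
    "netflix": {"netflix.com"},
}
# Words from the brands' lexical field that combo-squatters glue onto the brand name (constructed list).
FIELD_WORDS = {"livraison", "colis", "portail", "suivi", "dossier", "amende",
               "contravention", "paiement", "reglement", "abonnement", "gouv"}
TRUSTED_TLDS = {"com", "fr", "org"}          # the TLDs the video says the scammers stick to
URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?")

def fold(text):
    """Lower-case and strip accents so 'impôts' and 'impots' compare equal."""
    nfkd = unicodedata.normalize("NFKD", text)
    return "".join(c for c in nfkd if not unicodedata.combining(c)).lower()

def registrable_domain(host):
    """Crude eTLD+1 that knows the .gouv.fr / .asso.fr suffixes used by the brands above.
    Enough for this example; a real deployment would consult the public suffix list."""
    labels = fold(host).rstrip(".").split(".")
    if len(labels) >= 3 and labels[-1] == "fr" and labels[-2] in {"gouv", "asso"}:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def classify_domain(host):
    reg = registrable_domain(host)
    name, tld = reg.split(".", 1)[0], reg.rsplit(".", 1)[-1]
    # 1. Brand inside the registrable label: official, plain lookalike, or combo-squat.
    for brand, official in BRANDS.items():
        if brand in name:
            if reg in official:
                return {"domain": reg, "verdict": "official", "brand": brand, "words": []}
            words = sorted(w for w in FIELD_WORDS if w in name)
            return {"domain": reg, "brand": brand, "words": words,
                    "verdict": "combo-squat" if words else "lookalike",
                    "trusted_tld": tld in TRUSTED_TLDS}
    # 2. Brand only in a subdomain (chronopost.fr.suivi-colis.com): a different trick, flag it too.
    for brand in BRANDS:
        if brand in fold(host):
            return {"domain": reg, "verdict": "brand-in-subdomain", "brand": brand, "words": []}
    return {"domain": reg, "verdict": "unknown", "brand": None, "words": []}

def analyze_sms(text):
    """Return one classification per URL found in an SMS body."""
    results = []
    for match in URL_RE.finditer(fold(text)):
        url = match.group(0)
        if "://" not in url:
            url = "http://" + url              # bare domains, as in the SMS the video shows
        results.append(classify_domain(urlsplit(url).hostname))
    return results

# Constructed sample messages in the style of the SMS discussed in the video.
SAMPLE_SMS = [
    "Chronopost : votre colis est en attente, reglez 2 euros de frais sur https://chronopostlivraisonportail.com/colis",
    "ANTAI : dossier de contravention en attente de paiement sur antaidossieramende.org",
    "Suivez votre colis sur https://www.chronopost.fr/fr/suivi",
    "Connectez-vous sur https://chronopost.fr.suivi-colis.com/login pour debloquer votre livraison",
]

if __name__ == "__main__":
    for sms in SAMPLE_SMS:
        print(analyze_sms(sms))
```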
Same thing for Chronopost and company: sometimes you really have to click on a weird link to reschedule a delivery or pay customs fees. Not surprising that no one understands anything and that the list of victims continues to grow. Well, this one, for once, is a real fake. Or rather, a fake real one. I received it a few days ago. So what happens if I click on the link? Do the pirates use a flaw in our phone to empty our bank account? Well, we'll see. I click. And, a priori, my phone didn't explode, and my money didn't move. For now. As we could expect, this is actually a phishing site. Chronopost wants to make us pay 2 euros in fees to unlock our package. For a long time, I wondered how this kind of campaign could be profitable. Sending SMS en masse must cost money. And although the pages are extremely well done, with withdrawals of 2 or 10 euros, it would make them the most harmless criminals in history. But in fact, that's where the fun begins. According to some testimonies, the 2 euros are generally not even taken from your card. They are only used as an excuse for you to fill out a form with your bank details. What do they do next? That's an excellent question. I've heard several theories, where they try to set up a Lydia or Apple Pay account, or call you directly on the phone. In reality, I have the impression that no one really knows, because strategies change very often. So, to be sure, I decided to enter the details of my bank card in this form, meticulously, and click on Pay. This way, we can observe the history of the account in real time and see what they are trying to do. Don't worry, I didn't go crazy, I didn't put in my real card. I instead used a feature of my bank that allows you to create virtual cards with a spending cap. It doesn't cost me anything, I can do it indefinitely, and above all, it will be blocked after 10 euros of payment, which should be largely enough to verify its validity without me being ruined. Well, I hope this shit works anyway.
I also got a temporary phone number for the occasion, which I will always keep close to me in case they try to call me. Which means that normally, even if all this information circulates in the darkest corners of the Internet, I'm not risking anything. Normally. Anyway, it's too late, the hook is in place, all that remains is to hope for a bite. Don't do that yourselves, of course. But if you want to be useful, I have something else to offer you. With Bouygues Télécom, who are the partners of this video, we decided to strike back and launch a movement. To participate, you just have to take a screenshot of your SMS and post it on Twitter with the hashtag « Pire Arnaque SMS ». This way, we're going to build a gigantic sample and wake everyone up to this problem. In order to motivate the laziest among you, we are even giving away a Samsung Galaxy S23 Ultra with a year of Bouygues Télécom plan. On Twitter on Thursday, June 1st and also on the Bouygues Télécom website which is in the description. Besides, look, their plans have a little novelty. They now include smartphone security solutions with Norton. It helps to protect you against intrusion attempts and alerts you directly if you click on a fraudulent link. Before it's too late. I'll let you discover all this in the description and I'm counting on you for the screenshots. In the meantime, it's time to look at their website. The domain name was purchased just a week ago on an American platform called NameSilo. As expected, the buyer's contact details were hidden. This domain name then points to a web server located in Moldova at the host Alex Host, which I didn't know. At first glance, it could look like any other host. But by searching the site, you can find some nuggets. You may know the DMCA. When a rights holder detects that a server illegally shares copyrighted works, he sends this legal document to the host, who has the responsibility to take it down. It's called a takedown.
Normally, the host is expected to comply if he doesn't want any problems. Well, not with Alex Host. Especially with their exceptional offer, Offshore DMCA Ignored Hosting. For a few euros, trample on copyright. We'll leave you alone. Because, I quote, the Moldovan justice system shows a lot of leniency. I've never seen people say Buy our silence in such an assumed way on a sales page. It's fabulous. In the trade, these hosts are called bulletproof. They are hosted in Russia, China, Romania, Panama. They are very popular with online casino sites, spam or downloads. In general, only terrorism and child pornography are formally prohibited. It is possible to pay your subscription in cryptocurrency. With our starting domain name, it was easy to get the IP address of the Moldovan server. But know that it is also possible to do the opposite. Namely, start from the IP address of the server and get a list of all the other sites that are hosted there. In fact, some services spend their time scanning the Internet to build giant network maps and then be able to do this kind of reverse lookup. Even if it doesn't work every time, it's really amazing. Imagine, for example, that our target had the bad idea to host his scam and a personal site in the same place. Well, bam, we've got him. Well, as you can imagine, in the present case, it won't be that simple. In particular because this server does not contain one scam site, not even 10, but very precisely 47 phishing sites. And yes, it's not a joke. mynetflixsubscription.com, infractionsreglements.fr, dossierscontraventions.fr, it's endless. I admit that I didn't expect this volume. That they have several scams running in parallel, I'm not surprised, but 47? Especially since it's not even a history of their past operations. They are all very recent. Out of curiosity, I also went to see other servers from the same datacenter. And it's the same circus.
chronoacheminementcoli.com, santéassurancemaladie.com, hundreds and hundreds of fraudulent domains. Oh no, it never ends. It gives me vertigo. For me, there are two possible explanations. Either the scams have extremely short lifespans and they constantly have to change sites, like several times a day. Or these servers are actually shared between lots of little scammers who sometimes end up 25 on the same IP address, packed like sardines. What makes me lean towards this second possibility is the presence of another type of domain name on the server. Just as strange, but very different from the first. They end in plesk.page. And from what I understood, it is in fact a domain generated automatically by the Plesk software. Plesk is a server management tool for easily deploying hundreds of sites, managing user accounts, certificates, HTTPS, etc. In general, it is often used by web hosts to allow their clients to install a WordPress in a few clicks. But then, what is it doing on a cybercriminal server? Well, it would seem that, despite the fact that they absolutely forbid encouraging illegal practices and do whatever they can to curb the phenomenon, the creators of Plesk have designed the perfect tool for the scammer. You can put it on an old virtual server at 3 euros per month, install your scams without technical knowledge, change domain name if you are detected, and above all, create user accounts for your friends. All you need to create the mass phishing platform of your dreams. And indeed, for a good year now, we have been finding them on an incalculable number of malicious servers, including ours. If we click on the link, we land on a login page, for which we do not have the password, obviously. It's very frustrating, because right behind it is all their administration. I looked to see if some information leaks existed, like on WordPress for example, where without cracking the password, you can sometimes enumerate the users.
But no, no interesting bug exists on Plesk. So I looked at the other domain names. After all, out of 47, they may have missed something. Among all the information that can be found in the DNS zone of a domain name, there is a fairly little-known field called SOA. It is used in particular to give the contact details of the domain admin. Here, for example, it is the OVH email. And normally, we never see real personal emails here. Well, that's what I thought. But by going over the entire server with a magnifying glass, I came face to face with this. KKTP233.com At first I thought it was the official contact of a family DNS server. But in fact, it is unlikely. Especially because I ended up finding several others. Emails, typically personal, on Yandex, Gmail or Proton, which are nowhere else on the Internet. No doubt possible, these emails must belong to the pirates. We can also check where these emails have been used to open accounts. And we see Amazon, Spotify, Discord... Ah, a little coconut! It's interesting, but unfortunately, it does not get us as far as that. I tried to cross-reference this information, but apart from a vaguely similar Spotify account, I did not find anything interesting. What would really help us to trace things back, in fact, would be to access the servers that host the phishing site. Or at least get our hands on the code. Because if you think about it, once the victim has entered this information in the form, there is inevitably a stage where the scammer retrieves it. A database, an email, a Discord server, it doesn't matter, but there is inevitably a communication between the two at some point. By doing research, I realized that I was far from being the first to have this thought. There is in particular an expert from the Stalkphish site who has been analyzing this universe for quite a long time. And on this issue, this gentleman made a discovery that was disconcerting, to say the least.
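The SOA field Micode refers to is the RNAME, where the admin mailbox is written as a domain name (the first unescaped dot stands for the @, and a dot inside the local part is escaped as `\.`), which is why it is easy to overlook. As an added example (not code from the video), here is a parser for presentation-format SOA records that recovers the mailbox and sorts provider/role contacts from personal webmail ones; the records and the provider lists are constructed, except that tech.ovh.net is the RNAME OVH publishes.

```python
"""Recover the admin mailbox from an SOA record's RNAME. Added example; samples constructed."""

# Constructed lists for the example: generic role mailboxes, and webmail providers where a
# personal mailbox in an SOA record would stand out (the video names Yandex, Gmail and Proton).
ROLE_LOCALPARTS = {"hostmaster", "dns", "dnsadmin", "admin", "postmaster", "tech", "noc"}
WEBMAIL_DOMAINS = {"gmail.com", "yandex.ru", "yandex.com", "proton.me", "protonmail.com"}

def rname_to_email(rname):
    """RFC 1035 RNAME -> mailbox: first unescaped '.' becomes '@', '\\.' is a literal dot."""
    rname = rname.rstrip(".")
    if "@" in rname:                 # not RFC-compliant, but some operators publish a raw address
        return rname
    local, i = [], 0
    while i < len(rname):
        ch = rname[i]
        if ch == "\\" and i + 1 < len(rname):
            local.append(rname[i + 1])
            i += 2
            continue
        if ch == ".":
            return "".join(local) + "@" + rname[i + 1:]
        local.append(ch)
        i += 1
    return "".join(local)            # no domain part at all: malformed, return what we have

def parse_soa(record):
    """Parse one presentation-format SOA line as `dig` prints it:
    NAME TTL IN SOA MNAME RNAME SERIAL REFRESH RETRY EXPIRE MINIMUM"""
    fields = record.split()
    if "SOA" not in fields:
        raise ValueError("not an SOA record")
    i = fields.index("SOA")
    zone = fields[0].rstrip(".").lower()
    mname, rname = fields[i + 1].rstrip("."), fields[i + 2]
    serial, refresh, retry, expire, minimum = (int(x) for x in fields[i + 3:i + 8])
    return {"zone": zone, "mname": mname, "rname": rname, "email": rname_to_email(rname),
            "serial": serial, "refresh": refresh, "retry": retry, "expire": expire, "minimum": minimum}

def classify_contact(zone, email):
    """'role' for hostmaster-style mailboxes (typically the registrar or host's default),
    'personal-webmail' when the mailbox sits on a consumer webmail domain,
    'self-hosted' when it is on the zone itself, 'other' otherwise."""
    local, _, domain = email.partition("@")
    if local.lower() in ROLE_LOCALPARTS:
        return "role"
    if domain.lower() in WEBMAIL_DOMAINS:
        return "personal-webmail"
    if domain.lower() == zone:
        return "self-hosted"
    return "other"

# Constructed sample records (zone names are placeholders, not domains from the video).
SAMPLE_SOA = [
    "example-colis.fr. 3600 IN SOA dns100.ovh.net. tech.ovh.net. 2023051801 86400 3600 3600000 60",
    "example-phish.org. 3600 IN SOA ns1.example-phish.org. jean\\.dupont.yandex.ru. 2023051501 7200 900 1209600 300",
]

if __name__ == "__main__":
    for line in SAMPLE_SOA:
        soa = parse_soa(line)
        print(soa["zone"], soa["email"], classify_contact(soa["zone"], soa["email"]))
```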
He noticed that, quite regularly, pirates leave a zip file on their servers. So is it necessary for the operation of the scam? Does it contain malware? Absolutely not. It actually contains the entire source code. An exact copy of the program that runs on the server, which we are not at all supposed to be able to access. In a zip, downloadable by the whole world. When I read that, I first thought it was a bad joke. But no, there is no joke. We don't really know if it's by coincidence or if it comes from the way they install their site. But it happens quite often. So often that Tad, the author of the blog, decided to create a monitoring tool based on this principle. He locates the new URLs that contain a keyword, like chronopost. Then he goes and searches their servers for archives that would have been forgotten. Researchers call these archives phishing kits. Often, it is a set of PHP code files that contain the different steps of the form, as well as a config.php file with the attacker's contact details. Scammers call them scams. And it seems that they are products in their own right. They sell them, compare their efficiency, modify them. And I have the impression that there is often a lot of common code. Indeed, there is a lot of reuse of code. You can recover source code and modify it, adapt it. I think there are not many of them developing scams like that. Before discovering all this, I knew that there were several versions of the SMS scam. But I imagined that there must be a good dozen sites. Well, ladies and gentlemen, let me introduce you to a detailed list of all the kits that have been detected in 3 years. It's terrifying. Especially because there are lots of names that I would not have imagined seeing there. Like WeTransfer, Netflix. Really, these people have a finger in every pie. Besides, if you remember correctly, the scammer we are looking for also had a Netflix domain on his server. I was curious to go and look at it, but look at what happens if I click on it.
A 404 error. Obviously, we have arrived too late or too early. In any case, no doubt, this site is empty. Well, are we sure? Let's think about it. If we were to develop a scam site, wouldn't we be interested in making people believe that it is empty, so that curious people like us pass on their way? To check, I tried to load the site on a phone emulator, in case it filters on the browser version. And if we reload the page, it still doesn't work. Here, another 404. But then I remembered that in the office, we have a slightly weird internet operator. It's a Fibre Pro. Maybe it comes from there. Without believing it, I share my phone connection to have a 4G IP. I reload the page. And there, bingo! It works! We were right. The site was actually there from the start. It's really fascinating, I think, because it means that they have developed a filter system that combines both the user agent of the browser and the connection you use. That must be what explains why Google is sometimes slow to detect them. Because from their point of view, this site seems perfectly harmless. In any case, now that we have understood that, we will be able to move up a gear and scan all the domains that interest us. By pretending to be an iPhone 14. We never know, they may have a rich filter. I watched it run for a good ten minutes. Most of the sites were actually dead. And the others didn't contain any forgotten files. I was starting to lose hope when suddenly... Guys, guys, guys, look, look. It was running, it was running. And... Finally! I'm so happy! I've been waiting for hours. The mysterious file we unearthed is called 'votre-livreur.zip'. And this archive is very interesting. As we could expect, we find all the PHP code that makes the scam work. We will be able to unpack all this. So there are the different pages of the site. Of course, we know a little bit about it, but there is nothing interesting to report. Here, there are all the images.
It's funny, because it looks like they didn't get bored. Here, it looks like this is the place where they compile all the information of the victim into a nice message. With emoji, mind you. Credit card, phone. But also the device you used and your location. And we were talking about it earlier. Here is the famous anti-bot filter. It is split into several files and indeed, it contains IP address blacklists, with in particular servers from Google, Microsoft and so on. What is curious is that with such violent filters, they must necessarily lose a lot of data. So why would you shoot yourself in the foot like that? Well, in fact, it would seem that it is a matter of survival. Survival of the page. I hadn't realized it, but it has become extremely complex to make a phishing page survive. In the sense of making sure that it is not detected as such and avoiding a huge red alert that warns everyone. I originally thought that once you had put your clone online, nothing could really happen to it, except possibly if someone reported it manually. But in fact, it has changed a lot. Today, from the moment you put anything online, it will be scanned by anti-phishing robots. All the links in emails, messages, new domain names, everything is constantly scanned by robots. It's a bit like sniffer dogs, but for cybercriminals. And it would seem that the best way they found to escape them is to never show them their site. Instead, a 404 or the Mediapart site. It's not a joke, most French scams really redirect to Mediapart. Look, they must be wondering where all these new visitors are coming from. Enough joking around, we just have to look at the most promising file, the famous config.php. And here's what it contains. An email, that's cool.
Instructions, which also confirm to us that the one who installs the scam is not the one who develops it. The good old email is quite classic, but a Telegram key is more original and even more interesting. Because if we look further, we see that it is actually used to control a chat bot on the app via the official API. Which means two things. One, that our scammer must have a conversation where his bot continuously sends him new victims, with emojis. Two, that we currently have the key that allows us to control it. A scenario that I think was not anticipated at all by its creator. Because there, we really have a Trojan horse in their home. Well, if the credentials still work. Because it could be that we came across an old account that is no longer in use. We can check it quite easily. According to the Telegram docs, the first available command is /getMe, to get details on the bot. And it works! It's super cool! So the bot is called Rez Amande. Then with getChat, we can see that it is in a private group. Only accessible by invitation. In which there are currently five people. And with getChatAdministrators, we even get the name of the group's admin. And something quite precious, his unique Telegram identifier. Carried away by enthusiasm, I even hoped that we would be able to access the content of the conversations. And discover the victim hunting board. But in fact, it's impossible. The only command that is authorized is getUpdates. And it only allows you to read the new messages in which the bot has been mentioned. I managed to intercept a message, but it was quite cryptic. And it never happened again. Another lead I tried was to generate an invitation link. To add myself to the conversation. But no luck, the bot didn't have enough rights. Too bad, I would have liked to see their reaction when they saw that my code had been added to the group. It would have been funny.
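When a kit's config.php turns up, the first analyst task is to inventory its exfiltration channels (the mailbox and, as here, the Telegram bot token and chat id) so they can be reported to the providers, with the token secret redacted in the report. This added example (not code from the video or from the kit) does that over a constructed config.php with placeholder values; the Telegram token shape `<numeric bot id>:<secret>` is real, the 30-50 character secret length is an assumption.

```python
"""Extract exfiltration indicators from a phishing kit's config.php. Added example; sample constructed."""
import re

# Constructed config.php in the style the video describes: every value is a fake placeholder.
SAMPLE_CONFIG = r'''<?php
// constructed sample, placeholder values only
$email      = "kit.operator.test@example.com";
$email_cc   = 'second.box@example.org';
$botToken   = "123456789:AAEXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMP";
$chatId     = "-1001234567890";
$send_via   = "telegram";
define('ANTIBOT', true);
'''

ASSIGN_RE = re.compile(r"""\$(\w+)\s*=\s*(['"])(.*?)\2\s*;""")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# Telegram bot token: numeric bot id, a colon, then the secret (length assumed 30-50 chars).
TOKEN_RE = re.compile(r"\b(\d{6,12}):([A-Za-z0-9_-]{30,50})\b")
CHATID_RE = re.compile(r"^-?\d{5,}$")   # user, group and -100… supergroup ids are plain integers

def php_assignments(src):
    """Map every `$name = "value";` style assignment to its string value."""
    return {name: value for name, _, value in ASSIGN_RE.findall(src)}

def redact_token(token):
    """Keep the bot id (needed for the abuse report) and only a hint of the secret."""
    bot_id, secret = token.split(":", 1)
    return f"{bot_id}:{secret[:4]}...[redacted]"

def triage_config(src):
    report = {"emails": set(), "telegram_bots": [], "chat_ids": [], "channels": set()}
    for name, value in php_assignments(src).items():
        for addr in EMAIL_RE.findall(value):
            report["emails"].add(addr)
            report["channels"].add("email")
        token = TOKEN_RE.search(value)
        if token:
            report["telegram_bots"].append({"var": name, "bot_id": int(token.group(1)),
                                            "token_redacted": redact_token(token.group(0))})
            report["channels"].add("telegram")
        if "chat" in name.lower() and CHATID_RE.match(value):
            report["chat_ids"].append(value)
    report["emails"] = sorted(report["emails"])
    report["channels"] = sorted(report["channels"])
    return report

if __name__ == "__main__":
    print(triage_config(SAMPLE_CONFIG))
```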
I wondered for a long time what we would be able to do with this Telegram username. He doesn't appear anywhere on the Internet, his bio is empty, we could possibly send him a message like, dear scammer, what is your pretty name? But I have a little doubt about the method, especially because in fact we must be able to do a lot better. On Telegram, it is quite annoying to create several accounts, so it is likely that our scammer uses it both to receive his victims and to chat normally. However, if you don't know Telegram, most of the groups are public, there are some for all tastes, news, travel, financial advice, but there are also myriads of small underground groups that no one ever stumbles upon. Technically, their access is not restricted, but to find them you have to have the unique identifier of the channel, an identifier that even your contacts cannot see on your profile. We can possibly type random things in the search bar and come across interesting things, but out of the 825,000 groups on the network, we are unlikely to find our guy like that. No, the solution would be to scan the entire network and filter the list of participants until we find the one we are interested in. Easier said than done, because if it takes a second per group and we test all combinations of lowercase and capital letters up to 14 characters, we have 30 billion years. But with a little luck, someone smarter has already made the effort to develop this tool. That would be good, that would be practical. Well, that's the case. By doing some research, I found an obscure Reddit post which mentioned an obscure paid bot run by a Russian, all alone, who would have more or less mapped the entire platform since the beginning of its existence. I have no idea how it works, but for example today it found 2,300 new groups and 415,000 new users. On the other hand, the payment for the service is in rubles, which is not very reassuring, but apart from that, it works very well. I tested with my contacts to see if it works.
For example, at random, this very famous YouTuber and ... What is that? A group of CryptoPanda. Wow, too weird. Cut, cut, cut. And more seriously, if we try with our target. Look at this wonder, there are so many dozens and dozens of groups with names that make you feel the pain. And the date when it was seen for the first time. Carding, spam, SMS, phishing, but it's unexpected. In fact, it's almost only scammers who are talking. Yeah, the guy who revolted in Libya. Those who are interested, they put money on it, we do moitse, moitse. There you go, in solemn mode, calmly. And really, the level of balikoui is amazing. They send each other vocals, videos, as if they were in private. I'm not sure they realize that we can find them, really, like that. It's crazy. On the other hand, if I show you an excerpt from a discussion, there is a good chance that you do not understand anything at all. Not because they would use a coded language, but rather because there is a whole very opaque slang vocabulary around their business. I sell 'boite rez' and I buy nl or esim. Uh, I mean? So at first, I was really lost. But after several days of swallowing this horror, listening to hundreds of vocals, reading almost a year of historical messages, I will not only be able to translate it for you, but above all, I will tell you all the craziness that I discovered. Really, hang on, you will both laugh, cry and hit your head against a wall. Let's start with the beginning, the scam. It is in fact much more complex and clever than what I had understood at the beginning. And above all, it is very rare that it is conducted by a single and same entity from start to finish. As in a hive or a parallel economy, there are a multitude of independent actors who each have their specialties in money. The spammer, the scammer, the checker, the developer, the host and finally the most mysterious of all, the scammer. You will see, it's crazy. All starts with the spammer.
The job of the spammer is to find a way to send SMS in bulk. And there are several schools. Originally, they often used Twilio or Amazon SNS, services with an API that allow companies to send SMS to their customers. With a few euros and a simple script on a computer, you could send the message of your choice to thousands of people. Obviously, it ended up being seen, and security has been hardened. Same thing for Onoff, the app that allows you to rent virtual numbers. It would seem that today, it has been downgraded to good old phones with mobile subscriptions, disposable SIMs, or even better, eSIMs, which have the advantage of leaving fewer traces. Then they will install a sender, a very special Android app. Unlike your normal messaging, it is able to send thousands of SMS in a chain automatically. However, this is not unlimited, because the operator always ends up detecting a suspicious activity after a few hours. And the SIM will be dead. To remedy this, these big sick people will then release heavy artillery. Pro eSIMs, more difficult to obtain. They are normally reserved for companies to equip a fleet of connected objects, for example. Do you remember the SMS from earlier? Well, if you look at the sender, you should notice something strange. No, you're not drunk. This number is not 10 digits long, but 14. I think many of us didn't know that it was possible. But indeed, it is a valid number. In fact, it is a new number range, in 07, introduced by ARCEP in July 2017, which targets connected objects. This is called M2M, for Machine to Machine. And originally, it was intended to equip a fleet of vehicles, for example. And that, it does not help before 10,000 SMS. Sales price on the black market, 200 euros, against 120 for a classic subscription. The question we can ask ourselves is how do they get subscriptions again and again, even though identity checks, always more difficult, are required? Well, that's where the fraud comes in.
This one, they sell complete identity files, Pack ID. They could easily generate false identity cards or other legal documents. But in reality, it's much easier to steal the real ones. For example, by publishing a false ad for a dream apartment in the heart of Paris. People are so desperate that they will send their files without thinking. And bingo, he has everything he needs to open bank accounts, ask for credits in their name or order phone plans. Sales price of a pack, 30 euros. Now that they've found something to spam with, they're going to have to find out who to spam. And yes, you can contact random numbers, but it would be very stupid, because by combining 06 and 07, we reach 200 million possible combinations, mainly made up of disaffected numbers, old lines, machines. Dialing at random means throwing money out the window. So how do we do it? They're going to have to find what they call a numlist, a huge file made up of phone numbers that we know are valid. And if possible, not too burned by the others. It can come from a leak of client data, but most often it will be created from scratch with an ultra-ingenious process. It's the role of the checker. Think about it, if your scam is to make you go through Amazon, what would be your ideal victims? What numbers should you target to get the best success rate? Well, those of Amazon customers, of course. But how do you get this information? How do you access this database? Because there has been no recent hacking, no leaks. Well, the answer is right in front of you from the start. It's the create an account function. And yes, because on many sites, you will not be allowed to create several accounts with the same phone number. So to find out if someone is registered, all you have to do is try to create an account for them. If the server sends an error, it means that the number is valid and registered in the database. They're fucking geniuses. Look at this script I found. Checker Amazon UHQ.
It does exactly that, but in an automated way. Too strong. You add proxies and you have enough to generate lists of valid and ultra-targeted numbers. Now that they have their victims, we're going to have to create the APA, the site or the scam, as they call it. It's the role of the developer. Clones are often impressive in terms of realism, with loading scams, forms in several stages. Like, you're looking for a fine. It loads and a fine is found. Well, that's so well done. Sales price between 20 and 80 euros. Antibots are there just to prevent your page from turning red, you see. But it's useless. Well, yeah, my page has only turned red since I bought it. Yeah, you have to use the Tascam antibot. I can do that for you. Then the host. You already know him. He manages the Plesk account and guarantees his customers that their site will survive for between 20 and 30 euros per month. At first, I thought they were using only foreign, not very frequent, but in fact, it's false. Yesterday, as I was analyzing a new SMS campaign, I realized that it was on a host that I didn't know. Sapinette. I go and look at the site and what is my surprise when I discover that not only is it a small French host located in Nanterre, but that the CEO is just 21 years old. I go on his Twitter and there I see that he follows me. I tell myself, it's too beautiful. I absolutely have to call him to warn him. So I'm about to send him a DM and I come across a message history. It's totally unlikely, but in reality, he contacted me in 2017 to create my YouTube channel. And six years later, I'm the one who calls him. I'm going to contact you to warn you that you have scams of this kind that are hosted. I am well aware of that because I had a search of a VM two months ago. What happened is that we gave them a backup of the VM, as well as all the logs that I had of connections to the client space, IP addresses, etc. I can give it to you, it's the 4590161107.
I have info.sms-amande-gouf.com. For example, I received an abuse concerning a phishing site on this server. You will see it live, it is no longer accessible now. I can't load it anymore. Incredible! But it never happens, you never know the sign of the host normally. Well, I didn't expect it, but here's a good thing done. Congratulations to him for his reactivity. Well, except if the server is disconnected on the way, a scam of 1000 messages will generally generate 10 to 15 results. You can see that on campaigns of shipments of 1000 or 10000, I made stats around 1 to 1.5% success. It's not huge, but is it enough when you do a campaign of 10,000? These 'rez', as they say, can then be used to make online purchases or on Uber Eats. It seems obvious and old as the Internet. We steal cards, we use them, but in fact no. It's far from over and that's where it's all going to play out. For a few years, almost no site has used a simple card code to authorize a payment. Above a few tens of euros, you will always have to confirm the transaction by SMS or notification. It's 3D Secure or Verified by Visa. So how to do it? You have codes, information about the victim. How to extract the treasure despite this damn security? How to cash out? The first method would be to contact the victim's mobile operator and try to get them to deliver a new SIM card in his name. If it works, you will have a short window of fire to activate it, make the payment, receive his SMS and throw the SIM before your prey realizes what's going on. This is called a SIM Swap. The problem is that the operators are starting to know the technique and the banks are slowly giving up SMS for this exact reason. No, there is much better and much, much smarter. You're going to need ingenuity. And above all, a lot of nerve. You're going to need a swindler. The job of a swindler is to take her phone and call the victim by pretending to be his bank.
And there, it's diabolical because she's going to tell him about the theft of his card. As if he had fallen into an SMS scam and payments are currently underway abroad. Payments that must be canceled at all costs by validating payment duplicates on his phone. The victim then thinks that he has escaped a disaster. Except that the disaster is just happening. The first time I came across this term of swindler and these photos of female profiles, I first thought it was a scam. Given how rare it is to meet girls on these cybercriminal networks, I thought it was a naive catch to allow swindlers to get rid of the competition. So, to have a clear heart, you have to be a swindler. I had an idea. An idea that should not only allow us to hear these girls, but to attend a call in real time from behind the scenes. I'll explain. Being in these groups for a while, I have been in contact with a number of these swindlers. It's not hard, they report regularly as available for allo. In general, they will ask you to do 50-50. A first payment for the spammer and another for her. However, to give a gauge of confidence to the one who provides the cards, the call is made live. This means that he is online on another phone and attends the scam live. Just to check that he is not himself getting his share of the loot stolen. This means that if we manage to pretend to be a spammer, we should be able to have a speaker on the phone and hear everything that is happening. Are you interested? Well then, let's go. First we will create a fake list of victims to call by imitating a typical formatting of Rez. In it, I'm going to slip my own card and a temporary phone number. I'm going to give this number to my accomplice Arthur, who will play the role of the victim in the room next door.
We will have an open discussion channel, just in case, to be able to communicate. And then, we're going to go fishing for the allotters. Guys, guys, it worked. I sent messages to a guy, using their vocabulary and everything. I said, available for allo, machin, and he told me go, he told me go. So there, he's going to call me from one moment to the next. And I'm not going to die. I'm going to have to keep my voice down. And he's going to think I've been doing this for 10 years. And normally, if all goes well, I put Arthur's number at the top of the list. So normally, he's going to call him first. If he calls the others, I'm in trouble. Because the others don't exist. And so I'm going to be dead. And fuck, I'm stressed out. I'm fine, I'm fine. Are you okay? I'm fine, don't worry. I'm enjoying myself. And what, we're not breaking up today, I feel like? I have three to start with. Are you okay with that? Go ahead, I'll call Gachi, you know. Because she, you see, she's her job, you know, it's her job, you see. Yeah, let's go. You're okay? It's okay, I'll put the script in front of you, so if you ever have a problem, you can handle it. It's okay, it's in France, isn't it? Yeah. Luce, Luce, he's got talons. In France? It's in France, it's in 93, I don't like France. But if he's got talons, it's going to piss his mother off. But go ahead, I'll call her anyway. I'll put the script in front of you. Yeah, yeah, he's calling, he's there. Yes, hello sir. Mrs. Lahaye, from the Bank of Canton's Fraud Repression Service. We have seen several operations and operations coming from Senegal. Wait a minute, can I see my bank account for two seconds? Yes, no problem. So you let him confirm the operations since you showed him the last numbers on his card. Wait, I'll look for two seconds. And so you saw operations going to Senegal these last few days? Yes. I can confirm the last four numbers on the card. Oh yes, go ahead, I'm listening to you. 1884, is that the one? That's it, yes. Okay. 
If you can just confirm, sir. First name, address and date of birth? It's June 12, 1993. Okay. And your postal address, sir, if you please. Postal address, so it's 7 Rue Ernest Psycharie. Thank you, sir. As a security measure, I prefer to inform you that the conversation is recorded. You were able to block the transactions, that's good. And the cancellation will be effective once I have transferred you the transaction duplicate. So if you want, we'll do it together while we're online. Okay, okay. That's it. And after that, the operation will be canceled. Okay, great. I just saw him arrive in my mailbox, that's good. Okay. So, I'll check, sir. Because on my side, the cancellation is not done. Excuse me? Tell him you sent it back. If you hear me, it's a joke. You just have to accept the operation. On my side, the validation ... You, that's good. You were able to cancel the transactions. No, precisely, on my side, that's not validated. He hung up. He hung up. I remind you, I tell him that I am responsible for taking the file. Yes, hello? Yes, hello, Mr. Perrier Michaël? Yes. Yes, I am responsible for the lady that you had, my colleague that you had just now, of the financial service Quonto. Yes. So, are you sure it was Quonto? So yes, on our side, we are the service of the repression of frauds. As I wanted to tell my colleague. Okay. In fact, I admit that I rather have the impression that it was a scam. So no, not at all, not at all, Mr. Perrier. I assure you, I want to reassure you about all this. For us, it is the usual procedure of cancellation of European transactions. Can I be sure that it is Compto on the phone and not people who pretend to be Quonto? So, for us, there is no problem. On our side, we call you from the London financial centre. And I have eyes on your file. So, don't worry about all this. You are Mr. Perrier Michaël, born on 12-06-1993? I gave this information to your colleague before. So, she... So yes, we gave it to my colleague before. 
But don't worry, we have it under our eyes. Your personal information. There is no problem with that. She hung up, that's it. Fuck. Hey, are you bad? Are you bad or what? I feel it. I'm going to do a job, bro. Go ahead. But bro, in any case, it's very good that it's not everyone who does it. He has... He has his own bank. He's a business leader. He's not a... He's not a slacker. How much did you make this week? I made 6 points. Oh yeah, not bad. And how much did you spend on average? I don't know, out of 5, I would say 3 out of 5. But I'm next. It's good. It's good. This thing is stressful. Me too, it was... I'm hot right now. I saw the guy, the girl, I heard everything, you know. You heard everything? I was in the room. Oh yeah, I heard everything you said. So I tried to make them spit out information. How much money did they make? They made 6,000 balls this week. Did you see? It's impressive. The moment they transition from their normal voice to... Your banker advisor for fraud repression. And indeed, it was a girl. Coached by a guy. Ah, it's sure that a sweet, reassuring voice is devilishly effective. The victims fall like flies. Old people, young people. Okay. So there you go. Because I was waiting for a package that I didn't receive, that's why. Okay. And that I ordered via DiscoPrint. Be careful. Yes, I understand. But don't worry. In any case, really, ma'am, if I contact you, so that there is no problem afterwards. So there you go, don't worry. So now you like to talk to me. But March 1, 1972? That's right. Happy birthday, sir. Thank you, it's nice. And sometimes, he comes across improbable interlocutors. You are at the Portugal embassy, yes? The Portugal embassy? Yes, you got the number wrong. Are you really a gendarme, sir? Yes, yes, yes, of course. After, you know that I just swindled you, sir. What do you mean? I just swindled you 700 euros. After, sir, you don't do your job well. Normally, you are aware of all this. If you are a gendarme. Come on, ciao. 
What struck me the most was the level of violence and absolute contempt they have for their own. Go fuck yourself, sir. What? What did you say? I'm not a policeman, I don't care. There is no problem, there will be no police, sir. You are simply going to be banned from the banks. Because right now, you have just threatened a fairly high-ranking person at the Fraud Repression Service, who is only calling you to make remunerations. I have to hang up. Have a good evening. Okay, good evening to you, sir. Son of a bitch. In addition, he refused me, he has no money. There are some where they are mothers, you feel that they are at the end of their lives, you hear the kids screaming behind. The account is in the red. And the girl's reflex is to ask what the overdraft limit is. Just to really scratch the max. And then there is a kind of vicious pleasure in explaining to the victim that we have just robbed them and humiliating them. But it's horrible. How much is the current one? We're overdrawn by 2,645 euros. Your advisor at the CICE? Yes. Your mother the bitch. Yes, are you coming to contact us? I have to hang up, I have to hang up. So no, I just hung up because you don't have any money, you son of a bitch. Huh? The scariest thing is the number. The conversations are counted by dozens and often contain thousands and thousands of participants. The question that naturally arises is who are these people? Where are they? Intuitively, one might think that it is again a bunch of brutes from Côte d'Ivoire that we are starting to get to know well for their slightly coarse swindling. But in fact, no. In these conversations, being treated as brutes is even a serious insult. And they are very, very poorly received. The places that come back the most are in fact the Parisian suburbs. Evry, Aubert, Sevran, Clichy, Argenteuil, I pass. And the craziest thing is that they often get to know each other in real life. They offer physical meetings for sales or for paid training.
So far from a centralized operation with a few bosses, it is in fact a nebula of small independents. And who is your branch in there? I have a friend of mine, he's in there, he's free. He's strong. And is he a friend from high school? I don't know. And it develops so much, they don't give a damn, that they even sell on TikTok. It's quite striking to see the difference between this new delinquent population who never have the shadow of a remorse and a form of older crime that existed on certain forums and which sometimes had a semblance of a code of honor. And I didn't think it would happen to me one day, but really, the fact of having spent weeks in there, it undermined my morale, and I mean that literally. And it has the same effect on all the people I show this to. A state of shock. I wondered for a long time why it was so shocking. Because, basically, we haven't just discovered the principle of delinquency. Well, I think I understand. I think that, by default, an honest person will have a lot of trouble imagining that wickedness can be motivated by something other than necessity. We imagine that behind every criminal is a Jean Valjean in the making, that the roller-coaster of justice has forced to use violence to survive. So, when we witness the theft of an indebted mother to buy iPhone 14s and Dior bags. Today, I get to Spam, I get to Alomoem, my own ECC. One day, I'm going to have Dior bags. Yeah, the sting of reality hurts. Today, there's everything that's going to come out. I'm going to fuck France from abroad. We're going to eat everything. And yes, they have an official flag. I activate the mode, do not disturb. Faced with such impunity, you are probably wondering what the police is doing. Do they manage to make arrests? Well, the answer is yes. And I've even followed one since high school. Among the most famous and appreciated Plesk sellers in the community, there was a certain CRN. We didn't know much about him, except that he was young and talented.
Since May 2022, he has been advertising on servers and sharing satisfied customer testimonials. Until a few weeks ago, when something terrible is going to happen. Someone wants him. We don't know exactly why and who. We just know that an anonymous account threatens to reveal personal information about him. A threat that will soon be carried out. A first name, a photo with his apparent face and the approximate position of his high school. A week later, an article from Le Parisien with the title "Paris: At the age of 16, the pirate 2.0 offered phishing kits for scams". You guessed it, it was CRN who got caught. On Telegram, the news made the effect of a bomb. No one expected it and it's starting to slowly become known. He's going to talk, he's a little guy, 16 years old. The thing you don't get is that it's the PG there, not your dindons. You can see it's a big mouth, he's going to say everything. There is one who shares a call that he would have received. Another one who explains that he knows people from the CRN high school and that he hasn't come back to school since. A happy mess. So yes, it's moving. But you shouldn't get your hopes up either. A person is a drop of water in the ocean. And they are themselves fully aware that if the loss does not exceed €3,000, the police have no means to start an investigation. As a final clap and to console ourselves, I thought we were going to take them at their own game. If you're a victim, it won't get you your money back, but you might want a laugh. Thanks to Thailand of at tradéal of Sapinette, to Mickey, my heroic screenwriter and to Bouygues Telecom, our partners. But I'm abroad, I'm in Cameroon.
Ah, but you're not in Amsterdam, because things have been paid in Amsterdam. No, I'm in Cameroon, I'm in Toulouse. No problem. So I'm asking you, do you have access to the MetaBank application? No, but I don't have this bank. Are you at the MetaBank bank? No, I'm at Quonto. Oh, excuse me, I got the wrong file, but it's yours, sir. Oh, yes, yes. So, as I was saying, do you have access to your mobile application? Well, I'm trying, I'm trying to go on it, but I can't because I don't have a hand. Oh, okay, but do you know your identifier? Yes, yes, I think. Can I give it to you? You do it for me. No problem. So, the identifier, I'm listening to you, and generally the figures? So, it's 1234. 1234, yes. 2776. 427. 427, okay. The password? I'm listening to you. It's [beep] B-A-I-S-E. B-A-I-S-E. Why are you showing me this file? What? Why are you showing me this file? Oh, well, it's my password, sir, I'm sorry, it's a bit vulgar, but ... Do you think I'm stupid or what? Hey, what's your spoofer? It's a stupid spoofer, don't worry. Bastard, you're dear, why didn't you tell me before? Come on! Oh, I wanted to laugh a little, go ahead. Bastard, I don't know. I'm in the delirium right now, and I haven't even shown you my ID card, and you're going to get it from me. How much did you do this week? This week, I'm not going to lie to you, I'm a little happy. Oh yeah? I did two points. Really? Yeah, yeah. Well, that's not bad, you have a good spoofer. Thank you. You don't bug me too much. And who hooked you up in there? It's a friend of mine, he's in there, he's free, but he's strong. And is he a friend from high school? We'll see about that. He's struggling! Oh yeah, high school, he's struggling. We're calm, this one's not going to do a lot of damage.
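The "checker" trick described in the transcript, trying to create an account for a phone number and reading the server's "already registered" error as a yes/no oracle, is a sign-up design flaw that site owners can close. The following is an added example, not code from the video, from Amazon or from any site or script named in it: a toy sign-up handler in its leaking form beside an enumeration-resistant one, with constructed phone numbers (including a 14-digit M2M-style one), IP addresses and rate-limit thresholds. The `enumerate_with` helper plays the role of a checker so you can see what each version gives away.

```python
"""Sign-up phone-number enumeration: the leaking handler beside a hardened one.

Added example (not from the video or any site it mentions). REGISTERED, the
IPs, the thresholds and the SMS sink below are all constructed for the demo.
"""
import time
from collections import defaultdict
from typing import Callable, Dict, List, Optional

# A constructed 14-digit national M2M-style number (07 + twelve digits),
# written in E.164 form the way a sign-up form would normalise it.
M2M = "+33" + "7" + "0" * 12
REGISTERED = {"+33600000001", "+33600000002", M2M}   # constructed customer numbers
BASELINE_PHONE = "+33600000000"                       # constructed, NOT registered
SENT: List[tuple] = []                                # stands in for an SMS gateway


def _send_sms(phone: str, text: str) -> None:
    SENT.append((phone, text))


def weak_signup(phone: str) -> Dict[str, object]:
    """Leaks membership: a distinct error when the number is already on file.

    This is exactly what a checker script keys on: the error is the oracle.
    """
    if phone in REGISTERED:
        return {"status": 409, "error": "phone number already registered"}
    return {"status": 200, "message": "verification code sent"}


class RateLimiter:
    """Fixed-window counter: at most `limit` hits per `key` within `window` seconds."""

    def __init__(self, limit: int, window: float):
        self.limit, self.window = limit, window
        self._hits = defaultdict(list)

    def allow(self, key: str, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        recent = [t for t in self._hits[key] if now - t < self.window]
        if len(recent) >= self.limit:
            self._hits[key] = recent
            return False
        recent.append(now)
        self._hits[key] = recent
        return True

    def reset(self) -> None:
        self._hits.clear()


IP_LIMITER = RateLimiter(limit=5, window=3600)     # per client IP
PHONE_LIMITER = RateLimiter(limit=3, window=3600)  # per target number


def hardened_signup(phone: str, client_ip: str, now: Optional[float] = None) -> Dict[str, object]:
    """Byte-identical response whether or not the number exists, plus throttling.

    A registered number is told (by SMS, on the handset only) to sign in instead;
    an unknown number gets a verification code. The HTTP body never differs, so
    the server stops being a membership oracle; the limiters make mass probing
    from one IP, or hammering one number, expensive and visible in logs.
    """
    if not IP_LIMITER.allow(client_ip, now) or not PHONE_LIMITER.allow(phone, now):
        return {"status": 429, "message": "too many requests, try again later"}
    if phone in REGISTERED:
        _send_sms(phone, "Someone tried to sign up with this number. If it was you, sign in instead.")
    else:
        _send_sms(phone, "Your verification code is <constructed placeholder>")
    return {"status": 200, "message": "if this number can be used, we have sent it a text"}


def enumerate_with(probe: Callable[[str], Dict[str, object]], candidates: List[str]) -> List[str]:
    """What a checker does: keep every candidate whose response differs from a known-unregistered baseline."""
    baseline = probe(BASELINE_PHONE)
    return sorted(p for p in candidates if probe(p) != baseline)


def demo():
    """Returns (numbers leaked by the weak handler, numbers leaked by the hardened one, statuses seen from one IP)."""
    IP_LIMITER.reset(); PHONE_LIMITER.reset(); SENT.clear()
    candidates = ["+33600000001", "+33600000004", M2M, "+33600000009"]
    leaked = enumerate_with(weak_signup, candidates)
    # Checker rotating proxies: a fresh IP per probe defeats the IP limiter, but the identical body still hides membership.
    ips = iter(f"203.0.113.{i}" for i in range(1, 200))
    hidden = enumerate_with(lambda p: hardened_signup(p, next(ips), now=0.0), candidates)
    # Same checker without proxies: the IP limiter cuts it off after five probes.
    statuses = [hardened_signup(f"+3361000000{i}", "198.51.100.7", now=0.0)["status"] for i in range(7)]
    return leaked, hidden, statuses


if __name__ == "__main__":
    print(demo())
```

The constant-response rule only holds if every branch really is identical: timing, status code, headers and body. Sending the "sign in instead" text to an already-registered number is the usual compromise, since the legitimate owner learns about the attempt while the client never does.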