143: Jim Hates Scams

1h 6m

Jim Browning has dedicated himself to combatting scammers, taking a proactive stance by infiltrating their computer systems. Through his efforts, he not only disrupts these fraudulent operations but also shares his findings publicly on YouTube, shedding light on the intricacies of scam networks. His work uncovers a myriad of intriguing insights into the digital underworld, which he articulately discusses, offering viewers a behind-the-scenes look at his methods for fighting back against scammers.


Jim’s YouTube channel: https://www.youtube.com/c/JimBrowning



Sponsors

Support for this episode comes from NetSuite. NetSuite gives you visibility and control of your financials, planning, budgeting, and of course - inventory - so you can manage risk, get reliable forecasts, and improve margins. NetSuite helps you identify rising costs, automate your manual business processes, and see where to save money. KNOW your numbers. KNOW your business. And get to KNOW how NetSuite can be the source of truth for your entire company. Visit www.netsuite.com/darknet to learn more.


This episode is sponsored by Intruder. Growing attack surfaces, dynamic cloud environments, and the constant stream of new vulnerabilities stressing you out? Intruder is here to help you cut through the chaos of vulnerability management with ease. Join the thousands of companies who are using Intruder to find and fix what matters most. Sign up to Intruder today and get 20% off your first 3 months. Visit intruder.io/darknet.


This show is sponsored by Shopify. Shopify is the best place to go to start or grow your online retail business. And running a growing business means getting the insights you need wherever you are. With Shopify’s single dashboard, you can manage orders, shipping, and payments from anywhere. Sign up for a one-dollar-per-month trial period at https://shopify.com/darknet.


CLAIM=a6e199f5f9fd5954e532117c829c8f0a8f0f1282=CLAIM



Listen and follow along

Transcript

Hello, Jack.

Hello, hello.

Good.

Well, it's good evening for me.

I guess you're in the States, so it's probably the afternoon.

Yeah, yeah, I just ate lunch.

I'm having some chocolate.

You like chocolate?

Okay.

Oh, yes.

There's very

well, there's very few people, I think, don't like chocolate.

Oh, no.

Yeah.

Yeah, chocolate's great.

Yeah, yeah.

Keeps you going, bit of energy.

Yeah, a little caffeine hit.

Indeed.

You know, there's only like a few places in the world that have caffeine.

There's tea, coffee,

cola, chocolate.

And I think that's it.

That's the natural sources.

Yeah.

No, it's, yeah.

It's hard to do without it.

Yeah.

I'd do like a bit of chocolate.

You're actually making me hungry.

I probably got you at a bad time.

I wasn't actually expecting you to say, yeah, I'm ready to go and we could just do this, but it absolutely suits me down to the ground.

So, you know what?

The thing is, is that you are the most requested guest, maybe I've ever had.

Wow, okay.

So, if so, if you're available, I'm available.

Let's go.

I'm gonna put the chocolate to the side and let's get

a podcast.

Yeah, that's cool.

I've got to say, even before we do this, I have listened to loads of your podcasts, and honestly, it's an honor for me even to be asked onto it.

So, there you go.

So,

you're the the guy that everyone knows.

You're ready to go.

Oh, I'm ready.

Yeah, yeah, far away.

These are true stories from the dark side of the internet.

I'm Jack Reeseider.

This is Darknet Diaries.

This episode is sponsored by my friends at Black Hills Information Security.

Black Hills has earned the trust of the cybersecurity industry since John Strand founded it in 2008.

Through their anti-siphon training program, they teach you how to think like an attacker.

From SOC analyst skills to how to defend your network with traps and deception, it's hands-on, practical training built for defenders who want to level up.

Black Hills loves to share their knowledge through webcasts, blogs, zines, comics, and training courses, all designed by hackers.

For hackers.

But do you need someone to do a penetration test to see where your defenses stand?

Or are you looking for 24-7 monitoring from their active SOC team?

Or maybe you're ready for continuous pen testing, where testing never stops and your systems stay battle-ready all the time.

Well, they can help you with all of that.

They've even made a card game.

It's called Backdoors and Breaches.

The idea is simple.

It teaches people cybersecurity while they play.

Companies use it to stress test their defenses.

Teachers use it in the classroom to train the next generation.

And if you're curious, there's a free version online that you can try right now.

And this fall, they're launching a brand new competitive edition of Backdoors and Breaches where you and your friends can go head to head hacking and defending just like the real thing.

Check it all out at blackhillsinfosec.com/slash darknet.

That's blackhillsinfosec.com/slash darknet.

This show is sponsored by Delete Me.

DeleteMe makes it easy, quick, and safe to remove your personal data online at a time when surveillance and data breaches are common enough to make everyone vulnerable.

Delete Me knows your privacy is worth protecting.

Sign up and provide DeleteMe with exactly what information you want deleted, and their experts will take it from there.

DeleteMe is always working for you, constantly monitoring and removing the personal information you don't want on the internet.

They're even on the lookout for new data leaks that might re-release info about you.

Privacy is a super important topic for me.

So a year ago, I signed up.

Delete Me immediately got busy scouring the internet looking for my name and gave me reports of what they found.

Then they got busy deleting things.

It was great to have someone on my team when it comes to protecting my privacy.

Take control of your data and keep your private life private by signing up for Delete Me.

Now at a special discount for my listeners, get 20% off your Delete Me plan when you go to join DeleteMe.com slash Darknet Diaries and use promo code DD20 at checkout.

The only way to get 20% off is to go to joindeleatme.com slash darknet diaries and enter code dd20 at checkout.

That's joindeleatme.com slash darknet diaries code dd20.

Today I have the absolute pleasure to speak with Jim Browning.

Jim was the first person I ever saw do scam baiting, and I was blown away that someone even does this sort of thing.

Scam baiting is just as it sounds.

He tries to bait bait scammers to scam him, and he records it for YouTube.

And it's really quite amazing to watch.

So it still says connecting?

Okay, no, but I also take things to a long time because I think that

your computer internet is working really well because it got infected with the virus.

Oh, the virus stains.

All right.

Yes,

nothing to do with the license.

The alert which you got, that is a security block alert which is coming from internet.

Because right now you haven't known any internet security.

That is a reason while browsing over the internet by mistake or by accidentally,

you might have a click any link which was not secure.

Okay.

Oh, I see.

How did all this get started for you?

What's your origin story with this whole scam thing?

Well, I wish it was a bit more like Batman.

You know, Batman has got this, you know, an injustice done and, you know, he's after the Joker and all this sort of thing.

Very, very different for me.

Um, the way I got started was probably like most people, I receive lots of scam phone calls, and you keep hearing those incessant phone calls, people pretending to be Microsoft, pretending to be Amazon, your bank, and so on.

And most people know just to hang up those calls, but I'm one of those people who I love to dig a little bit deeper

because I'm an engineer,

a know about computers, know about networks and I thought to myself, surely someone is doing something about this and if they're not maybe I can do something.

I'm sure you're familiar with the fake Microsoft support scam calls.

It's typically where someone from India calls you up and says you have a problem with your computer and it sounds something like this.

Hi, hello.

Oh, yes, hello.

I'm calling from vSupport LLC and my name is Sandeep.

Jim?

And they'll try to convince you that your computer has a virus and they can help and they'll ask for control of your computer to fix it.

But the thing is, you don't actually have a virus at all.

They just made up this problem and they want to take your money.

And Jim finds this whole thing really fascinating and just can't stop thinking about this.

I really want to find out about what makes the scam tick.

So Jim finds himself on these calls to hear how it works and watch their whole operation.

And then he calls them out on it, like this.

Right, did you find any Trojans or anything?

Right.

Just that I was watching everything you were doing and also recording what you're doing and recording your voice because you've removed nothing whatsoever from this machine.

It was never infected in the first place, and all you've done is

it was never infected with anything in the first place, and you know that.

So, you say that you've removed a Trojan.

Tell me what Trojan you've removed, and show me evidence of that then.

Right now, we have already removed, and everything is recordable at our end as well.

Yes, yep, show me.

Tell me what Trojan I had, then.

Like, we have removed all the Trojans.

Show me one Trojan that you've removed.

Okay, let me explain it to you.

Like there were Trojan horses in it.

Yeah, show me evidence of that.

That's what I'm asking.

But how should I show you now?

But they are already removed.

Because if it was something like, oh,

this particular tool, it would have logs and it would show you in the history what was removed.

Okay, there's nothing been removed here.

This is an anti-malware software.

So go on then.

Tell me what software you use to remove any Trojan.

Bear in mind I've recorded everything you've done.

So are you going to still stand by that story that you removed a Trojan?

So may I put the line on hold for one to two minutes?

You can do what you want, but don't forget all of this is going to be uploaded to YouTube very shortly, so be very careful what you say in the next few minutes.

Jim is pretty good at catching them in a lie, and then he tries to get them to explain themselves.

And when they continue denying it, he reports them.

What I will do is now that I've got your IP address, this one,

and the timestamp, which is Mumbai, so it's now 6 p.m.

It's been running for a few hours, this one though,

I can go to your ISP.

and that's Tata Tele Services in Italy.

They provide that IP address to you and that's the one you're using at the minute.

So I'm going to get them to identify exactly who you are because I know your address isn't in California.

I know you're located in India

or I'll probably just publish all of this on YouTube anyway.

Right?

So thank you for choosing VisaPoint.

Thank you for choosing.

Thank you for choosing Scammers in Mumbai.

Yes.

Okay.

Yeah.

In my, I mean, my background is that I have been in IT

really all my professional life, all my working life.

Yeah, let's hear about that.

What's the specialty that you are in IT?

Yeah, so I guess up until fairly recently, I had a real job as in a real normal IT job.

I worked for a large company, shall we say, in the UK, and part of their specialty was dealing with IT services and setup.

And I have personally supported

an organization with more than two or 300 people in it.

So I'm the kind of admin, the sysadmin for a large IT company.

So that's my background.

As part of that, I'm also a programmer, I'm a network engineer,

but I have no form of qualifications in, for example, cybersecurity.

Although at this stage, I think I could probably do fairly well in a cybersecurity exam.

But my background is a normal IT job.

That's it.

A lot of times what these scammers will do is type commands on your computer to prove you have a virus, but all they're doing is just showing you really normal computer activity and it doesn't prove anything.

In fact, one time I saw a video of his where a scammer just typed on the screen that the firewall is damaged and is at 2%.

And the scammer was trying to say hackers are going to soon break through and get everything.

But the thing is that firewalls don't have a percentage.

And it's great that Jim knows a lot about IT and can easily spot every one of these bad attempts at showing him that there's a problem on his computer.

Type these things into your computer and look, you've got hackers, you've got viruses, you've got computer problems.

You're going to have to pay me $200, $300 to fix that problem.

Now, these scammers are not sophisticated at all.

Their scam is really basic, but their method of collecting payment is crazy ridiculous what they should do is just act like a normal company and set up a website where you enter in your credit card details and send them money but they can't do that because payment processors will quickly spot and shut them down and freeze their money maybe even charge them a fee so stripe and paypal are just out of the question here which means they've got to come up with some creative alternative ways to get money from you They will get you to buy a gift card.

They won't use the word gift card.

What they say to their victims is, you've got a security problem, you're going to have to solve it with a security card, and you'll have to go to your local Walmart or whatever to get the security card.

And they won't use the word gift card if they can avoid it.

But when, of course, whenever you go in there and you're outside the store, they will say, Right, I need you to go in and buy an Apple card or an eBay card or whatever it is.

And as soon as you read out that number, that's as good as them taking the value of that card because they can launder that almost immediately.

Yeah.

So

I'm curious on that.

How do they launder it?

Because if you give someone an eBay card, they're not going to buy something on eBay.

They're probably selling that for pennies on the dollar.

They do, exactly.

And they'd be lucky to get maybe 50% of the actual value of the card.

But what they do is they take those numbers.

And there is quite a,

well, shall we say, a black market for gift card numbers.

There are legitimate websites like Paxful, for example, where people will buy Google Play cards, eBay cards,

you name it, any sort of gift card, and they will give you 50% of the value and they will mark that up and they may directly or indirectly buy items from those stores.

So yes, absolutely, they're going to lose half the value.

But if you're a scammer, you have completely cleanly washed that money because there's almost no way of getting money back when someone's bought a gift card and it's been used

this always seems surprising to me to convince your victim to hang up the phone go drive to the store buy a gift card then drive back home and call the scammer back up to give them the gift card details it just

I just think you're going to lose your victim every time in that process.

And on top of that, they're only getting half the value that's on the card.

But this seems to be pretty effective.

I mean, these scam centers are making quite a bit of money this way.

And I guess this means that even though the scam is hilariously bad and the method of collecting money is ridiculously complex, the thing that makes this work is the numbers, the relentless attempts at scamming people.

If they try over and over and over and over, they'll eventually get people to pay them.

Now, of course, some victims don't want to send gift cards.

So the scammers say, that's fine.

There's another way.

Send us cash.

They actually persuade people to go to their local bank and withdraw cash.

And they will say, I'll instruct you in a moment what to do with the cash.

So they generally get the victim, take the cash home, and then they'll say, and this is typically for a bank type scam.

They'll say, we're going to create a new account for you, and you need to send that money to a secure facility.

And they will say, look, you need to put the cash into pages of a book.

So, between pages of book, wrap that in silver foil.

And they will actually get you then to go to the nearest FedEx or post office and mail your cash to an address.

And it's a money mail address.

Gosh, that sounds even more bizarre.

Have these victims never paid for anything in their life before?

In what world is it normal to wrap cash up in pinfoil and stuff it in a book and then ship it somewhere to get your computer fixed?

Like, I don't want to be victim blaming here, but come on, how colorblind do you have to be to not see these giant red flags?

One of the scams that Jim sees often is called a refund scam, and it might start out with a phone call that sounds like this.

Hi, we are calling you from your computer maintenance department.

If you remember, you have a contract with us for computer support and services.

Unfortunately, we are closing the business.

So you can give us a call for the refund of the amount you paid to claim your refund.

This is a real voicemail or phone call that somebody got and people are falling for this and calling up the number.

To you and me, that phone call sounds ridiculous, doesn't it?

Like it's a crappy robo voice and it's not fooling us.

But just think about the mechanics of this call.

I mean, they're clearly using some text-to-speech software, right?

And I don't know why, but they're using a terrible version and have terrible English.

But technology is rapidly improving.

There's way better software out there today.

And I just wonder,

you know, someday the scammers are going to upgrade and use the good stuff.

Let me demonstrate.

Here's what I'm going to do.

I'm going to improve this whole scam attempt.

Are you ready?

First, I'm going to take the text that they said in that call and ask ChatGPT to rewrite this, but make it sound more like a natural English speaker would say.

Cool.

Now take that and make it sound even more casual, like something you just hear on a phone call or something.

Okay, that looks good.

Now I'll run this through a more modern text-to-speech software.

Okay,

it's done.

Let's take a listen to this call now.

Hello, sorry to bother you.

My name is Sarah.

From the Computer Maintenance Department, I need to talk with you about your support contract with us.

Here's the thing: we're closing the business.

I know, it's a bummer.

I'm sorry.

But here's the good news: you'll be getting a refund for the amount you've already paid us.

Whenever you have a moment, can you call me back?

I want to get this refund to you as soon as possible.

Hope to chat with you soon.

You see how much better it is with modern tools?

And seriously, that took me two minutes of just using automated tools to fix it up.

The audio went from stupid

to scary.

I know.

It's a bummer.

And maybe you can still spot that that's AI generated, but would your grandparents think that?

I improved it because I want you to be aware of the tools that scammers have at their disposal today if they wanted to.

And I want you to think about how much better their scams are going to be in the future.

We see that they're using text-to-speech software today, and it's just a matter of time that that text-to-speech software sounds really convincing.

And then what?

What red flags would you notice in this audio to make you think it's a scam?

Now you've really got to think: well, hold on, do I actually have a support contract somewhere?

Who are these people?

Let me call them up and find out.

And now you're on a phone call with a scammer, a position you really don't want to be in.

And you can see how this whole thing is going to get trickier and trickier in the future.

The scam is what you call a refund scam.

So they'll pretend to be a big organization, typically Amazon, and the conversation will start off with they say they're going to refund this charge, which

the victim will know nothing about.

Okay.

If I'm the victim, I'd be like, okay,

I have no memory of this charge.

So yeah, go ahead, refund me, and see you later.

But it's trickier than that.

Here's one of the actual scam calls that Jim captured.

We can easily send you the

Alright, that's great.

Now, sir, you have to tell me like your account has been open, right?

Alright, sir.

I don't need that.

You have to be telling me, like, in which account do you need your money back?

Now, here's where the scam part comes in.

The scammer will say that they want to make sure the money goes into the proper bank account and will ask to see the victim's screen by using some screen sharing application.

And then they'll ask to take control of the victim's computer.

Once they have control of the victim's computer and can see their online bank balances, then they'll say they're initiating the refund for whatever, say $300.

And since the victim is logged into the bank's website, what the scammer will do is edit the web page in the browser to make it look like the money was just deposited into the account.

But it's a fake deposit, though.

It just looks like the money went in.

But the scammer just faked the whole transaction by editing the HTML on the victim's screen.

But here's the tricky part.

The scammer will put in the wrong amount for the refund.

If the victim was expecting a $300 refund, the scammer would instead put in a $5,000 deposit instead.

Then act all surprised that they put in the wrong amount.

5,000 piano DGS?

Oh my goodness, will he please hold on for a minute, sir?

So the scammer obviously knows that he's overpaid this victim, so the key to this scam is how they get the money back again.

Our scammer comes up with a solution.

Sir, I just got a mail from my hate server.

And unfortunately that you got extra amount in your account by mistake, really, sir.

So sir, will you please refund me my money back?

Inevitably, the victim asks how you can refund the money.

Surely, they can just take it back themselves.

Oh, sir, I can tell you.

Like,

I can tell you, sir, what you have to do to refund my money back to me, alright?

Let me have a speak with my manager, okay, sir?

Let me have a word with them.

A few moments later, there's a proposal.

And they said there is some financial institution where you can send our money back to us, alright?

So, do you know any Apple store near my place?

Yes, he said Apple store.

He wants his victim to go to an Apple store in order to get his money back.

Do you don't know?

Okay, let me find Apple store for you, sir.

Hold on for one minute.

He searches on the victim's PC for the nearest Apple store.

Can you see, sir?

There is a place called Simply Mac.

Do you know this place?

He spends the next few minutes explaining that he's going to need $5,000 worth of Apple gift vouchers.

Jim says he's seen scammers also try to get people to send back the money using Zell and bank wires too.

And some people have lost quite a bit of money to these refund scams.

It really does look convincing when you look at your bank balance and it shows $5,000 more than what you were expecting.

And the victim could just refresh the page and the whole thing would reset.

But the scammers are really good.

at preying on the victim's goodwill, you know?

And the victims will give back the money, which is a pretty jerk thing to do, to exploit the goodness in people.

You said that up until recently, you had a real job.

Is this now your full-time job as content creator?

It is, yeah.

So as of just over a year and a bit ago, I give up my full-time job, my IT job.

And my full-time job is now making YouTube videos.

and yeah, going after scammers.

So it sounds like this is something you're really passionate about to leave your career behind, go right into like

chasing after scammers and exposing them.

Is that true?

This is your passion?

For sure, yeah.

It's definitely a passion.

I can't stand scammers.

That is my little tagline, if you like, on my YouTube channel.

I can't stand scammers.

The thing about you, Jim, though, when I'm watching you and I'm listening to you, your voice is just so calm and cool.

And I never hear passion in there.

And I never hear things like, I can't stand scammers.

There's not even that, you don't even have inflection when you say that.

You're just like, I can't stand scammers.

But this is the thing.

I really don't, maybe it's something to do with my Irish accent or whatever.

But honestly,

when it comes to scams and scammers, I'm now devoting my life.

But it is for that reason.

If you watched

what I do, if you listen to the calls that I hear every single day, you can't help not going after these guys.

I've kind of built up a bit of a hatred for them, but it probably doesn't come across in the way I make the YouTube videos or my inflections or anything else.

But in a lot of ways, that helps me because if I appear calm,

if I try to think it through, if I try to rationalize what I'm doing,

it gives me in some way a bit of strength to try and combat these scammers because I like to think I've got a level head when it comes to tracking these guys down.

And I think that's why I've been as successful as I have been.

Yeah.

Yeah.

You have a unique approach that

you're not sensationalizing yet.

This is what I loved about it, actually, honestly, is, you know, there's kind of been a trend of people doing things similar to you now, and they're making it into a big game and lots of excitement.

They're trying to get the other person to just lose their mind, you know, and start screaming back or something.

And you're always, you're always very calm.

And that, and

of course, there's room for that.

You know,

I encourage everyone to be a form of scam baiter.

And if you can waste someone's time who's, you know, is trying to steal money from you, it means they're not stealing money from your parents, grandparents, and whatever.

So absolutely, there's room for everyone.

I encourage everyone to do what I do, or maybe not quite as far as I go, because,

you know, it could land you in trouble.

And, you know, but there's nothing wrong with wasting a scammer's time.

Huh.

He's encouraging everyone to waste scammers' time.

And that's an interesting idea, I think.

Imagine if every time you got a call from one of these scammers, you instantly got excited and you're like, oh boy, this is going to be a fun call.

And of course, you don't give them access to your computer or send them money, but what could you do to waste their time?

I say someone should just create an app on my phone that's AI driven that I could just pass the call over to it and it acts like me and it talks to the scammers for hours, keeping them going just a little longer.

Like, maybe there's really long loading screens, or web pages aren't loading right, or something, and things just keep timing out, and they have to start all over again.

And you know, there are a few scam baiters out there, one of them is called Kit Boga, and I did see him dabbling with a AI bot tool to try to waste scammers' time.

But as Jim spent more and more time with these scammers,

something really fascinating happened to him one day.

He somehow ended up controlling one of the scammers' pcs and this sent jim in a whole new direction the very first time that i was able to connect to a scammer's computer was that the scammer actually gave me his user id and password to connect to him

and then he would switch sides so there was a a period of time where if the scammers were using a bit of remote access software called Team Viewer.

If they were using Team Viewer and the connections were coming from India, Team Viewer noticed that a lot of them were scams and they actually banned the entire country for a period of time.

And during that time, they wanted to keep the scams running.

So what the scammers would do is say, well, you connect to me and there's a little bit of software internally that says switch sides with partner.

and then they would connect back to the victim supposedly.

So I was actually given the scammers scammer's username and password, so I can connect to their computer.

That must have been the first time you did that, that must have been such a wild.

Oh man, it was unbelievable because what you can do is exactly what the scammers do, which is as soon as you make that connection, you can lock their keyboard and mouse and blacken their screen.

So I knew how to do that because I'd seen it so often.

So this was like a real gift for me.

So I connected to them, locked them out of their computer, started to download all the files to try and figure out who this was.

Now just beside communicate you see the option which says connect to partner.

Yeah, okay.

Hey, what are you doing?

I can't see communication.

Hi, are you still there?

Hey, you mother.

Hey.

Well, you're the one who's scanning, aren't you?

And of course, because their computer is completely locked and black screened, they're not really quite sure what goes on.

You know, they maybe hadn't encountered this before.

so i knew that my time was probably limited so i grabbed as much as i could from i could download all their files they weren't seeing any of this and i was able to work out exactly who they were

This is why I love watching Jim's YouTube videos.

This isn't the only time he hacked into a scammer's computer.

He does it practically every video now.

He's figured out so many different ways to get in to the scammers' computers.

You just heard one way he does it.

And he won't tell me any of the other ways that he gets into these computers because he says if he tells us, then the scammers are going to hear this and fix it and he'll lose access.

So he keeps his little hacking method secret.

But my mind cannot help but start to brainstorm ideas on how you could hack into a scammer's computer.

So let me just think out loud here for a minute.

Okay, so when you connect, like when the scammer connects into Jim's computer to do that remote support, right?

That scammer is going to be coming from a specific IP and Jim could probably see that, right?

If he like does Wireshark or something, he can capture that IP and then he's got their public IP.

And from there, could he then like port scan that IP and look for open ports and then try to find like some exploits or vulnerabilities to hit those ports?

Maybe.

Maybe that is possible.

Another thing is if they're using like some remote desktop software,

Is there a bug in that software that Jim can exploit to reverse the connection?

I don't know how he does it, but even if I hit the nail on the head, Jim's not going to admit to how he hacks into their computers.

No, and I probably never will, simply because scammers will learn from that.

And unfortunately, they watch my videos just like a lot of other people do.

And I don't want to reveal that as a secret.

But suffice to say,

A lot of it is social engineering as opposed to some zero-day compromise of the remote access software that I'm using.

So I am far more of a social engineer than a hacker, if that makes sense.

We're going to take a quick commercial break, but when we come back, I'm going to play you some of my favorite clips from his channel, and you're not going to want to miss this.

This episode is sponsored by Shopify.

Starting a new solo project is really overwhelming.

When I started this podcast, I suddenly had to worry about writing, editing, researching, interviewing, and so much more, all alone.

And when you're starting something new, finding the right tool that not only helps you out, but simplifies everything can be a game changer.

For millions of businesses, that tool is Shopify.

Shopify is the commerce platform behind millions of businesses around the world and 10% of all e-commerce in the U.S.

From household names like Mattel and Gymshark to my own t-shirt shop, which is shop.darknetdiaries.com.

And I love Shopify because of how easy it makes getting my business online.

And once it's there, Shopify has built-in tools to help me create, execute, and analyze my online marketing campaigns.

So get started with your own design studio.

With hundreds of ready-to-use templates, Shopify helps you build a beautiful online store to match your brand's style.

If you're ready to sell, you're ready for Shopify.

Turn your big business idea into

with Shopify on your side.

Sign up for your $1 a month trial and start selling today at shopify.com/slash darknet.

Go to shopify.com/slash darknet, shopify.com/slash darknet.

Jim is known for hacking into scammers' computers and exposing them.

And it's really quite wild to watch.

He has over a hundred videos on YouTube now, and many of them are exactly this.

And it's amazing just to hear the scammers' reaction when he tells them like some detail about them that he shouldn't know.

Like, for instance, there's one where he hacked into someone's computer in the call center and got a list of like everyone's names and their fake names.

And

this is one of my favorite videos.

Let me just play a clip for you from it.

Hello?

Hello?

Hello?

Yeah, hi, sir.

My name is Carolina Fernandez.

I am calling you from the Microsoft.

Oh, hi, Priya.

Hi.

Who are you?

I'm a ghost.

Don't call me an idiot.

I'm a ghost.

What's your name?

Tell me your name.

My name is

Ghost.

I don't understand.

And

you tell me, you already tell my name.

I know, you're Priya.

I'm a ghost, you see.

Priya.

Please talk to me.

Hello?

Hello?

Hello.

Yeah, who's this?

Hello.

Who's this?

Yeah.

Do you know my name?

I don't know.

What is your name?

I love this part.

You can hear this guy's brain just breaking real time.

What is your name?

I'm talking about your

computer.

You have a Windows computer, right?

I do, but I don't understand why you can't tell me your name.

At this point, the entire call center is listening in on this call.

Like, what is happening here?

And they even have him on speakerphone, and this new lady jumps on the call.

Hello.

Hello.

Yes, hello.

Who's this?

Yes.

Hello.

Who am I talking to?

Yes, who am I talking to?

Hi, this is Mary William from the headquarter of Microsoft Security Department.

Tell me what happened.

Mary,

are you sure your name's Mary?

Yeah, definitely.

I know my name.

I'm very sure for it.

But it's actually Susmita.

No, mine not

I'm not Shushmita.

My name is Mary Williams.

Are you getting a little bit hot, Shushmita?

Sorry, no.

Listen,

you are speaking to me and my name is Mary.

Now Priya picks the phone back up and she's really curious and wants some answers.

Can I request you, sir?

Just one request.

Can you please tell me, sir, how do you know the name that likes Priya, Shushmita, like this Indian names?

Where are you getting from?

Did Did I get that right?

Because I was just guessing.

No, do you using some

technology or anything?

How do you know the names?

I'm just very good at reading people's thoughts over the phone and I get this aura.

I'm like a ghost.

Really?

Yeah.

But

it's quite impossible that how do you

know the name by hearing their voice?

Just simply because whenever you speak to me, I can pick up on vibes and I kind of know you create like an aura around you.

I'm a little bit like a ghost.

Okay, yeah,

I'm from Microsoft, so and you are talking about a widget, like, right?

Oh, Priya, please don't do this to me.

Come on, you don't really work for Microsoft, do you?

Sir, my name is not Priya.

I'm not Priya, so again, you made a mistake.

Okay, but you confirmed that to me earlier, and you said your friends were Suspita and Mimi and you know you told me that earlier so you've already confirmed that.

Yes, and then

you used you can use another name for me.

Well is Priya not your name?

No, I'm not.

Oh Carolina Fernandez, you're sticking to that are you?

Yes, I'm Carolina Fernandez.

Carolina Fernando is the Indian name for me.

Right, okay.

Well whatever you want Carolina, I don't really mind.

So, what's wrong with my computer?

Sir, your computer is completely infected by some hackers.

That's why we are receiving some warning signals from your computer.

Okay.

Okay.

Okay.

And that point of time, so

we are calling you to make you aware about your computer problem.

Okay?

Okay.

Hello?

Yeah, are you still there?

Hello.

Hello?

Sorry, your colleague's listening in, but I can hear her talk as well.

Oh, she's hung up.

That's okay.

Yeah, I know.

She wasn't very good, was she?

Oh, my God.

Who are you, sir?

May I know who are you?

I've just told you, I'm...

You can call me Ghost, because

that's kind of the way I feel.

I get this aura around people.

I can tell who's around them.

I can tell just the tone of the.

How long have have you been working there?

How long have you been working there?

Where I'm working.

Tell me the location.

Fake Microsoft.

I am working.

Salt Lake Sector 5?

Yeah, then why are you

taking the name of Sector 5?

Salt Lake Sector 5?

Sorry?

You heard.

Hello.

Please don't hang up.

Hello.

No, no.

I'm here.

I'm here.

I'm here.

What's the weather like there?

Weather.

Now it's the.

What's the weather like in Kolkata?

You tell me.

You know everything about me.

Do you know my father's name?

It's raining.

Yeah, I don't know.

Do you know my father's name?

I don't know, but is your father proud of you, what you do?

Do does he think you work for Microsoft?

Yes, of course.

But you don't work for Microsoft.

Did you tell him that?

Sir, you just tell me one thing.

Why are you wasting my time?

I'm talking about your computer.

I'm trying to, you know, you give this aura

and I'm trying to kind of work out why you do all this scamming stuff.

That's really what I wanted to know.

Then why are you wasting your time?

Can't you get like a different job that's the name?

How do you know the name?

I know everybody.

Do you know another name?

Yes, how many names do you know?

Everybody.

Tell me the name.

Everybody.

Tell me my colleague's name.

I'll tell you one more name.

Will I tell you one more name?

Yes.

Sohini.

Sohini.

And tell me another name?

No, no, no, I'm not gonna look.

I I get this from any male name

well apart from Abjit.

Any male name?

Yeah, apart from Abjit.

So I do respect your talents.

Okay, can you please tell yes I'm here.

Can you please tell me who is beside me right now?

Which side?

In my left-hand side.

I think that's Mimi.

Hello?

Did I get that right?

Hello?

Hello.

Hello.

Okay,

you went very quiet, everybody.

Can you tell me?

Did I get it right?

I'm so excited.

Did I get it right, though?

Who are you?

Did I get it right?

Who is who?

Wait, wait, wait, wait.

You keep keep asking me questions.

Can I ask you one thing?

Did I get that right?

Because

I can never tell.

Is Mimi on your left?

And the right-hand side?

In my right-hand side?

It's coming through to me.

I'm not sure.

I'm pretty sure that's Susmita.

I love it.

Jim caused such chaos in that scam call center.

He told told them their real names, their location, even the name of the company that employed them.

And they passed this phone around to at least five different agents to talk to him.

And of course, any information that Jim does get from hacking these scammers, he reports it.

So like if he sees that they use a certain service, he'll report that to the service provider that scammers are using their product and this is their user ID.

And he's gotten some of them actually banned from using certain software, but they could just like make a new company and then register the software again under a new company name.

And sometimes when these scam centers make new company names, they even get their company listed by the better business bureau and then even get some people to make fake reviews about their company.

So if he can find this, he'll definitely report that to the better business bureau and he'll do everything he can to slow down these scammers and waste their time.

Once he got into a scammer's computer and grabbed all their files, and in there was a plane ticket for a recent trip.

So Jim had this guy's real name, his travel details, and from there, he could look the guy up on Facebook and find his friends and family.

And yeah, when these scammers call him up and have no idea that Jim has all this information on them, it's quite a riot to watch the whole thing unfold.

The question does come up, though, and I'm sure you've answered this a thousand times, which is like,

hold on a second.

Hacking is illegal.

You can't just go hack people's stuff.

And here you are hacking into someone else's machine what's going on here where's your justification where's your moral compass or ethical framework in this way i mean the the moral bit is quite easy for me because i quite deliberately let the scammers attempt to scam me that they i i cannot and i don't have the technical expertise shall we say to arbitrarily hack into anything okay i can't do it i i'm not able to do that a lot of the people that you've spoken to on this podcast probably would be able to do that I cannot I have to rely on a scammer connecting to me and trying to steal money from me and that's the only way that I can ever access their computers they have to try to steal money from me first so this is a this is a really nice ethical line you've painted yourself like okay you know what unless you walk into my home and get onto my computer and attempt to steal money from me, I'm not going to do anything to you.

And once they do that, and you, and you open your door to allow that to happen, and you see that, okay.

I mean,

I'm not, and I hate to be known as a hacker because that always has quite negative connotations.

And

I hate the term because it just has all of that baggage.

But that is true.

And every single person that I feature on any video on YouTube has at some point connected to my computer.

And don't forget, scammers don't always make it clear that what you're typing out gives them access to my computer because they will quite deliberately say just type this this on your command line when they when people question

well what is this thing that you're getting me to download and run and it's in fact a remote access tool they will not explain that so already there is a remote access connection which is a sort sort of hacking attempt because the scammer doesn't make it clear to the victim.

They are taking access of your computer and they are not making it clear.

Obviously they're scammers and

I just go a little bit further to say well okay you're trying to

misuse my computer so internally I'm thinking you're now fair game for me to do the same to you.

So the only people, and I've said this a number of times in other interviews as well, the only people who could ever have a problem with what I do are the people who try to steal money from others.

Okay, and if they ever want to

raise a legal complaint or whatever, please bring that on because what I will have done is record how I managed to get access to their computer and the answer is because they were trying to steal money from me.

Now that's not a defense on its own,

but it just means that if I ever have to defend myself for any reason, I have a good reason as to why I have access to their computer.

And it's just because of this theft that they're attempting.

There's almost no recourse that they can have.

I mean, I'm assuming you haven't had any legal complaints that you've had to actually

seriously take care of.

The only complaints I've ever had are privacy complaints on YouTube.

Scammers don't like their faces or voices or documents displayed on YouTube.

And tough.

Okay, so my absolute favorite video of Jim's is when he hacked into an entire call center and could watch everything that was going on there.

Wait, first, before we get into this story, how do you typically find these scammers?

Yeah, I have my email address on YouTube, and a lot of people just simply email me saying, hey, have you seen this pop-up?

Or I've just had a phone go from this number and or I've had this email and it's a fake invoice or

my grandparents have just been scammed.

Here's the phone.

I get all of that all the time.

But actually, in a lot of ways, I don't even have to use that because I'm on what's called a mugs list.

So, in the past, I have pretended to pay scammers because, remember this bit where I say I actually need the scammers on?

I give them fake information, including credit card details.

And if you work your way onto a list of people who they think they've scammed in the past, they will call you again and again.

Those lists are like gold dust for scammers.

So, the end result of that is I get so many phone calls directly to my home phone number that I don't need anyone else's input.

I'm already in the middle of a load of scams.

And honestly, there's nearly too many to cope with.

So what do you have, like 16 different phones over there?

I do, literally.

I mean, I have one phone service with 10 different phone numbers in the UK.

And I have something similar with US phone numbers, although I've dropped a lot of those recently from the number.

It just has nearly got to the point where I just can't, you know, have an evening free of scam phone calls.

Okay, but this story doesn't start with an inbound phone call.

Instead, someone told Jim about a malvert.

This is an ad on a website which has malware on it.

Basically, if you went to a website, you would hear this.

Important security message.

Your computer has been locked up.

Your IP address was used without your knowledge or consent to visit websites that contains identity theft virus.

To unlock the computer please call support immediately.

Please do not attempt to shut down or restart your computer, doing that may lead to data loss and identity theft.

The computer lock is aimed to stop illegal activity.

Please call our support immediately.

Now this was just an ad on a website but it had some malicious JavaScript in it which maximized the browser, showed this giant warning, played this audio on repeat, and then made the mouse disappear, which made it seem like the screen was frozen.

It's not actually a virus, though.

You can just tap on Ctrl-Alt-Delete and close the browser, and all is fine.

But to someone who doesn't know better, this could be scary, and they might call the number to get help.

So Jim called the number and said that his computer is infected, and the scammers immediately tried gaining remote access to Jim's computer and tried to scam him for money.

So that means, in Jim's mind, they crossed the line, and it was time for him to try to hack them back.

The way that I got access to the reverse access to that, I'll not go into that part in detail, but suffice to say that when I did get access,

I got access to just one PC,

and it was from a supervisor.

And I was able to watch what that supervisor was doing.

And one of the things that he was doing was watching CCTV.

So I could see the IP address of the server that he was using.

It wasn't an internal server, it was an external one

and when he logged into it he logged in with the username of admin and a password of eight characters.

And for the particular CCTV system that he was using, I did a Google search of what is the default password for

system

and would you believe they were still using the default password?

I guess you could call that hacking, but

I could see the IP address, the username, and I could have just tried the default password and I was straight in.

Admin 123 was his password to protect this scam operation.

Okay, so he got into a supervisor's PC in a scam call center, but then from there was able to get into the CC TV system.

Now this scam call center had a lot of cameras.

The supervisor could watch all the scammers do their calls and go on break and go outside.

And there was even a camera in the boss's office.

But that wasn't it.

The supervisor also had the ability to listen in on the calls.

In fact, all these calls were being recorded with some software.

It was gold dust for me because they had records of all their calls.

I could see it on which server they were using.

and I could directly download these things because I had access to that scammer's supervisor's scammer's computer.

So I managed to download nine months worth of calls, about 70,000 separate calls.

Holy moly, 70,000 calls?

And this is a much bigger operation than I thought.

But Jim started going through this and was able to match up some of the time codes of the CCTV footage and the recorded calls and could essentially watch the scammers as they called these victims and listen in on the calls.

It's quite fascinating to watch because sometimes the scammers are like playing video games or looking bored, but this also means he's starting to identify what they look like, where their desk is, where they sit in the room, and how this operation looks from the inside.

On top of that, on the supervisor's PC, there was a list of victims, which included the amount that was stolen from everyone and their names.

It was quite a find.

And just imagine having this access, being in Jim's position.

I mean, if I was in that position, I'd just like put the computer down and take a walk around the lake or something like that, right?

Like, what do you do?

What do you do with all this?

Like, he would open up his computer in the morning and would have live cameras of this scam call center on one monitor watching everything that was going on.

And then on the other monitor, he could tap into the phone calls and listen to them live live as they were trying to scam victims.

What were you doing on the computer when you held this master?

Can you lower down the volume of your computer?

He pretty much had full supervisor access to this whole scam call center and could watch and listen to anything.

But what do you do with that access?

Like, it's really tempting to just call him up and be like, hey, hey, I can see you, scammer.

I can see you wearing a hat and playing video games.

I gotcha.

Yeah,

it was so tempting that whenever you, I mean, I'm watching live on the CCTV.

I know the number that they're using the victims to call that day.

So I can call that number and I'll be speaking to somebody in a room that I can see on CCTV.

Hello?

Hi.

Yeah, so what's all this about stopped services then when they should be running?

I don't get it.

Yeah,

sir, you're ready to go ahead and get it fixed and there will be a one-time charge, sir, okay?

I don't always know who I'm speaking to, and sometimes if the room is full, it can be quite difficult to work out which agent.

There may be 20, 30 agents in the room, and I can't always work out who I'm speaking with.

And there's four cameras.

Each corner of the room's got a camera.

And what I'd do was actually invite the scammer onto a computer.

I had my desktop background set to a purple or a green color.

And then what I would do is look around the cameras and look for that green screen or that purple screen.

And then I knew, ah, right, there's the guy.

That's who I'm talking to.

And sometimes I had to do that just to work that out.

And

the really, really tempting thing would be to say to the guy, hey, that's a nice check shirt you're wearing.

Or, or, you know, stop playing Pac-Man whenever you're speaking to me.

You know, can you, can you stop doing that?

But I couldn't give the game away.

I couldn't be just as obvious as that.

Although it was incredibly tempting to do that.

Yeah.

And

I mean, 70,000 calls with a whole list of victims here.

This is too much for one person to process all.

So what did you end up doing with this access?

So, I kind of figured out I was really on to something quite big at that stage.

And

I thought I would bring it to the attention of more mainstream media, specifically the BBC.

Now, I had never had contact with the BBC until that point.

But because I had personally tried to close down a lot of scam operations and been pretty unsuccessful about it, so I have previously gone to the police in India to say, Here's a scam call center on your doorstep,

here's where they're located.

I was able to get that sort of information, but nothing really ever came of it.

And I thought, perhaps I'm going about this wrong.

Perhaps what I really need is more mainstream media involved.

So, I got in touch with really a general-purpose BBC email address.

And before too long, I was reached out by by a team called Panorama Panorama, or like a very long-running documentary program where they cover all sorts of current affairs issues.

But this particular team were interested anyway in scam phone calls.

And as soon as I got in touch and said, look, this is what I have, of course, that team were very,

they wanted to work with me from that point.

The BBC has more resources than Jim.

They can parse through this massive trove of data quicker and started putting pieces together even more.

And together, they built quite a detailed understanding of this whole scam operation.

They figured out the name of the company, its address, who owns it, the employees who work there, and the victims, and how much money this whole place was making.

And again, it was all clearly documented with the video footage and the recorded calls and the files that they got from that supervisor's computer.

They had a ton of evidence.

And they even reached out to the victims to let let them know they were scammed.

I feel angry.

Angry and upset.

Angry that someone could do that

knowing that there's nothing wrong with the computer just to extort money from you

and upset with myself that I failed for it.

Well with all this proof it was time to learn who is leading this operation.

We've identified the man behind the fraud, Amit Chowan.

But Amit Chowan's not an ordinary businessman.

The hacked footage includes recordings from the CCTV in his office.

Okay, this is super interesting.

There was a CCTV camera inside Amit's office, the head boss of this whole thing, and it's the only camera that actually had sound on.

And so there's hundreds of hours of him talking on the phone and having meetings with people.

And in those meetings, he's scheming up new ways to scam people and basically admitting to all this criminal activity on camera.

It's extraordinary.

Well, with all this evidence in hand, the BBC reporter went to India to try to meet with him.

I want to meet Mr.

Chowen, but he's away on a luxury holiday in Thailand.

So I can only reach him on the phone.

Hello.

Hello, is that Amit?

Yes.

Hi, Amit Chowan.

Yes.

I want to get your comment, please, on allegations that you're scamming people in the UK out of thousands of pounds.

What would you like to say to that, Mr.

Chowan?

No, I don't think so.

There is any case like that.

There's no such cases, but I'll talk to my lawyer first and then we'll get.

Well, it was true.

There was no such criminal case against him.

So the BBC reporter went to the police and asked, hey, why don't you crack down on these scam call centers more seriously?

And here's what the Indian police said.

This crime is a difficult crime.

It's difficult to crack because we don't have victim, we don't have accused, we don't have anything.

It's very difficult to link the accused with the victim.

Well, in this particular case, they did have victims.

And the BBC recorded the victims' testimony to hear how they got scammed.

So when the BBC BBC published this story and when Jim publishes YouTube videos, it couldn't be ignored by the police.

They had victims, they had evidence, they had the address, they had the name of the boss.

It was a very easy case to process.

So the Indian police raided the scam center.

The police did their raid.

They picked up whatever computers they could.

They went to the boss's home address.

And he lived in like the most luxurious accommodation you could imagine, something like $6,000 a month to rent the space, which is completely unheard of if you're in Delhi where he was.

And

what I had expected was that this would be such an easy case for them.

There would be no problem.

And ultimately, the guy who ran the thing would be locked up.

But that was very far from the truth.

And what actually happened was,

number one, it took about a year for the trial to even come up.

Then COVID kicked in, so it was delayed by another year.

But eventually, whenever the case did go to trial,

the police

never actually followed up on any of the evidence that was given to them or that they had collected.

So they had scripts about scams from the boss's computer.

But they didn't, for example, follow the money trail from the victims to the boss.

So they could very very easily, if they had any kind of incentive to do so, they could have easily gone to PayPal and say, we need evidence about what happened with this particular PayPal account.

They never asked for that.

They never followed up on any of the thing.

In fact, what they actually relied on was the one laptop that they managed to pick up.

And obviously, because the documentary had gone out, the YouTube video had gone out, all of the computers were immediately wiped before the police actually arrived.

So they only really had one laptop to go on, and that wasn't enough for them.

And

any of the independent evidence of scams, the 70,000 phone calls, the video footage of the scams actually happening was never presented.

In fact, what they said was, well that YouTube footage could have been done by AI or that YouTube footage could have been faked.

And there was

and it looked like the judge just accepted that.

So there was no pressure whatsoever to present anything which linked the boss to any of that scam victim money.

And that is just a travesty because I couldn't have handed it on a plate any more clearly to the police, or indeed the BBC could have handed the same evidence to the police, but the police never came to speak to me, never came to speak to the BBC or follow up with any of the evidence that I presented in the video whatsoever.

They just didn't bother.

And I can only imagine that's for one of two reasons.

One is they're desperately incompetent, or

and which I think is the more likely reason, they've been paid off because the guy who was in charge of this is the equivalent of a multi-millionaire as a result of those scams.

And unfortunately, in India, corruption is rife.

So I don't know for sure, but I would imagine that's what happened.

Well, there you go.

That's disappointing.

Indian authorities seem to not care about scam centers there.

It's illegal, but they say they can't prosecute unless they have the victims.

And since the victims are far away in another country, they just don't have enough evidence.

But even when the police are given the evidence, wrapped up with a bow by Jim and the BBC, and are even introduced to the victims, they still don't take serious action on this.

So, despite Jim's huge efforts of dismantling this whole industry, it looks to me at least that it's only going to keep growing since these criminals can scam victims all day with impunity.

Are there situations?

I mean, you've been doing this for nine years now.

This, this probably was one of them where you had this huge database of victims and all this camera footage and stuff.

Are there other situations where you have to just do a long stare out a window and take like a walk around the lake or something, whatever you're, and just think about what do I do with this situation I'm in?

Yeah, yeah.

What are some of the difficult questions that you have to

asking yourself?

Well, I mean, we've covered the moral one, and I never have a problem with that one for the reasons I've just described.

But equally, it's actually quite harrowing listening to victims actually getting scammed because there have been times that I have tried to intervene.

And I'll have gone as far as because the scammers typically are on the phone with their victims all down to their cell phone.

And they're going out to buy gift cards or they're going out to Bitcoin ATM.

And the only way that I can

try to get that scam stopped is if I can warn a neighbor, if I know they're going to a certain gift card store, I will call that store and say, There's a person about to come in, here's their name, they're about to buy $500 worth of gift cards.

Could you please stop them?

And

that's

it's incredibly difficult to watch when stores for example warn the victim but they unfortunately they trust the scammer more than the person in the store talking to them and it can be very difficult to listen to that i've had people go to a bitcoin atm

um the store manager has tapped them on the shoulder and said you're being scammed that that person who says they're from customs are not who they say they are.

And if you put money into that Bitcoin ATM, you are going to lose it.

They've actually explained that they're being scammed, but yet they trust the scammer more and they've moved on to the next Bitcoin ATM.

And I've had that happen right in front of me.

And it's incredibly difficult to watch that because that could be my grandmother, my grandfather, your parents.

It's someone's relative, yet you can't do anything about it you try your best but there are some people who are just going to be scammed there's very little can be done about it and that is very hard to listen to it is very hard to watch it can i just do one last quick question sure yeah yeah absolutely yeah do you have you ever visited india or do you ever plan to go

actually i would love to see india and i i'm honest about that because and i've i've spoken with carl rocks of my partner in crime when it comes to all the kind of drone footage and so on and i actually admire India as a country.

And I'm not just saying this

to kind of justify, you know, me slagging off people in India when they're scamming.

This is a country that I genuinely would like to see.

And I do intend to go there.

I will be at some point in Delhi.

The nice thing about my YouTube channel is I don't show my face, so I'm not that scared about going.

I probably would stand out a little bit if I went to Kolkata or Calcutta, but Delhi I think would be quite a place that I could easily go to.

A big thank you to Jim Browning for coming on the show and telling us all about the scam baiting he's been doing.

You can watch all his videos on YouTube by just searching for Jim Browning.

This episode was created by me, the fickle finger, Jack Reesider.

And this episode was edited by the wisdom feather Tristan Ledger.

Mixing done by Proximity Sound, and our theme music is by the Mysterious Breakmaster Cylinder.

Someone asked me the other day, what's an ethernet?

And I said, oh, that's what you use to catch the Ether Bunny.

This is Darknet Diaries.