My Scammer Girlfriend: Baiting A Romance Fraudster
At the beginning of the year, a spate of very similar mails appeared in my spam-box. Although originating from different addresses (and sent to different recipients), they all appeared to be the opener for the same romance scam campaign.
Romance fraud is increasingly common and campaigns can extort large sums from victims, who are often quite vulnerable and lonely.
If you found this page because you think that you might be being targeted, speak to Crimestoppers or Action Fraud.
When stories of romance fraud hit the news, we often hear that the victim had become extremely attached to the scammer, but very little on _how_ they got engineered into that position.
At its heart, romance fraud relies on social engineering and I was curious to see what techniques were actually being used. I'm no particular stranger to scam baiting, so I decided to masquerade as a mark and see how the campaign was run (as well as what, if anything, _I_ could engineer out of the fraudster).
The emails that I'd received were all associated with one persona: "Aidana", who claimed to be a dentist in Kazakhstan.
This post analyses the scammer's approach, systems and material, sharing some of what I was able to learn over the course of a few weeks of back and forth.
* * *
### Contents
Warning: even by my standards, this is a **long** post.
To try and assist readability, rather than reporting things chronologically, I've broken this post into sections which focus on a specific area:
* The first few (short) sections lay the groundwork and provide context.
* Section 4: focuses on the nature of the communications
* Section 5: delves into technical analysis of the scammer's emails, systems and materials
* Section 6: looks (quickly) at things spotted in other campaigns
Most subsections are quite short, it's just that there are quite a few of them.
**Contents**
* Contents
* Section 1: Opsec
* Rules of Engagement
* Don't Try This At Home
* Section 2: The Opener
* Image Attachments
* Email Wording
* Section 3: Making Contact
* Delayed Response
* Analysing The First Reply
* Section 4: Our Conversations
* Common Backstory
* Common Playbook, Different Wording
* Reassure little and often
* Getting Told Off
* Possible Use of Conditioning Techniques
* Playing Fast And Loose With Photos
* Developing Familiarity
* Phone Calls
* Sex
* Shared Tasks
* The Medical Association
* The Request For Money
* Ending It
* Summary of Communication Techniques
* Section 5: Gathering Information
* Click My Link
* Finding The Source Of The Images
* Examining Changes To Images
* Carl gets dumped
* Scammer's System
* Fingerprinting The Scammer's Mail User Agent (MUA)
* Scheduled Sending
* Confirming the MUA
* Message Timings
* Email Hours of Activity
* Travel Info and PDF Generation
* Passport Photo
* The Visa Photo
* Fake Dental Practice Website
* Section 6: Corroborating Information From Other Campaigns
* Common Backstory Elements
* Section 7: Conclusion
* * *
### Section 1: Opsec
#### Rules of Engagement
When doing things like this, I tend to set myself some rules in order to try and make sure that _I_ don't get carried away.
In this case the rules were:
1. **No active intrusion** : techniques should be limited to passive analysis and social engineering. There's no sense in risking retaliation _or_ arrest and besides, analysis presents a _much_ more interesting challenge.
2. **Techniques not people** : the aim of this is _not_ to identify the individuals behind the scams, it's to see how they work. Identification involves an inherent risk of mistaken identity and would likely have no tangible benefit (because they're probably not operating from a jurisdiction which might act against them).
3. **No Payments** : this stops as soon as some form of payment is required to be able to proceed. Even a small convincer is unacceptable as it'd be directly funding fraud (plus I _really_ don't want to end up with a CIFAS marker for the sake of a blog post).
* * *
#### Don't Try This At Home
Before I get into it, it seems worth adding a warning for anyone thinking of doing anything similar.
As well as observing the rules above, I took a number of opsec measures. It was always my intention to publish findings under my own name, but even then it still wouldn't have been wise to interact with the scammers from my normal devices or connections.
If you don't know _what_ measures might be needed, or don't know how to take them, you should avoid trying to do something similar: this is a business for these people, they won't always take kindly to being messed about and you sure as hell don't want them having your real details.
* * *
### Section 2: The Opener
The opening emails are sent from hacked accounts.
There was nothing of particular interest in the headers of these mails.
What **is** of note though, is that the style of this opener makes it relatively easy to link it to other campaigns. For example, a new campaign started in February; although it uses a different backstory and images of a different woman, it's visually very similar:
* * *
#### Image Attachments
Each of the opening mails had a single photo attachment which varied (though they were always of the same woman). Unlike with some other spam, the photo attachments were not of an explicit nature.
In the openers that I received, there were three different photos:
Note: I've since identified and warned the subject of these images.
Checking the metadata of each of the images revealed that they carried IPTC tag `iptc.application2.SpecialInstructions`:
The `FBMD` prefix of the value is _relatively_ useful in that it tells us where the images originally came from: Facebook/Meta are known to add this tag as part of _their_ effort to stalk the world.
The presence of that tag means that it's a near certainty that the images originated from a Facebook or Instagram profile.
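The metadata check described above, as an added Python example (my own illustration, not the author's tooling): a small parser for the JPEG APP13 segment that Photoshop and Facebook write, which walks the Image Resource Blocks, pulls out the IPTC-NAA record and reports whether dataset 2:40 (`SpecialInstructions`) carries the `FBMD` prefix. The JPEG it runs on is constructed inline (metadata container only, no image data) and the `FBMD...` value is a made-up sample, not one taken from the scam images.

```python
import struct

PS_HEADER = b"Photoshop 3.0\x00"
IPTC_RESOURCE_ID = 0x0404          # Photoshop IRB holding the IPTC-NAA record
SPECIAL_INSTRUCTIONS = (2, 40)     # IPTC Application2 record, dataset 2:40

NO_TAG = "no IPTC SpecialInstructions tag"
FB_TAG = "FBMD prefix: likely re-shared from Facebook/Instagram"
OTHER_TAG = "SpecialInstructions present, no FBMD prefix"


def build_sample_jpeg(special_instructions: bytes) -> bytes:
    """Constructed minimal JPEG: SOI, one APP13 (Photoshop/IPTC) segment, EOI.
    Only the metadata container is built; there is no image data."""
    dataset = (bytes([0x1C, 2, 40])
               + struct.pack(">H", len(special_instructions))
               + special_instructions)
    irb = (b"8BIM" + struct.pack(">H", IPTC_RESOURCE_ID)
           + b"\x00\x00"                      # empty Pascal name, padded to even length
           + struct.pack(">I", len(dataset)) + dataset)
    if len(dataset) % 2:
        irb += b"\x00"                        # resource data is padded to even length
    payload = PS_HEADER + irb
    app13 = b"\xff\xed" + struct.pack(">H", len(payload) + 2) + payload
    return b"\xff\xd8" + app13 + b"\xff\xd9"


def iter_segments(data: bytes):
    """Yield (marker, body) for each length-prefixed segment before SOS/EOI."""
    pos = 2                                    # skip SOI (FF D8)
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):             # EOI, or SOS (entropy-coded data follows)
            break
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length


def parse_iptc_record(blob: bytes) -> dict:
    """Split an IPTC-NAA record into {(record, dataset): value} (standard lengths only)."""
    out, pos = {}, 0
    while pos + 5 <= len(blob) and blob[pos] == 0x1C:
        record, dataset = blob[pos + 1], blob[pos + 2]
        length = struct.unpack(">H", blob[pos + 3:pos + 5])[0]
        out[(record, dataset)] = blob[pos + 5:pos + 5 + length]
        pos += 5 + length
    return out


def extract_iptc(data: bytes) -> dict:
    """Find the APP13 Photoshop segment and return its IPTC datasets."""
    tags = {}
    for marker, body in iter_segments(data):
        if marker != 0xED or not body.startswith(PS_HEADER):
            continue
        pos = len(PS_HEADER)
        while pos + 12 <= len(body) and body[pos:pos + 4] == b"8BIM":
            resource_id = struct.unpack(">H", body[pos + 4:pos + 6])[0]
            name_len = body[pos + 6]
            pos += 7 + name_len                # "8BIM" + id + Pascal-string name
            if (name_len + 1) % 2:
                pos += 1                       # name is padded to even length
            size = struct.unpack(">I", body[pos:pos + 4])[0]
            pos += 4
            resource = body[pos:pos + size]
            pos += size + (size % 2)           # data is padded to even length
            if resource_id == IPTC_RESOURCE_ID:
                tags.update(parse_iptc_record(resource))
    return tags


def image_origin_hint(data: bytes) -> str:
    value = extract_iptc(data).get(SPECIAL_INSTRUCTIONS)
    if value is None:
        return NO_TAG
    return FB_TAG if value.startswith(b"FBMD") else OTHER_TAG


if __name__ == "__main__":
    # Constructed sample value; real FBMD strings are longer hex blobs.
    sample = build_sample_jpeg(b"FBMD01000a9c0100004c0b0000")
    print(image_origin_hint(sample))
```

To run it over a real attachment, pass `open(path, "rb").read()` to `image_origin_hint`; the `FBMD` marker tells you the file passed through Facebook/Instagram at some point, not who uploaded it or whether it was later edited (the Photoshop edits discussed in Section 5 show up in other tags).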
* * *
#### Email Wording
The wording used varied between mails, but always followed much the same theme:
* She ran across your email somewhere unspecific, a while ago
* She is not a scammer, but they need to know that you aren't either
* She will not send nudes (because the profile the images are stolen from doesn't include them)
* She lives in Kazakhstan
The other thing that the mails **all** had in common was that the recipient was asked to reply to a _different email address_: Aidana's "regular" mailbox.
This is requested because the opener was sent from a hacked account and the scammer needs marks to communicate with an account that they fully control.
It's a slightly disconnected and unusual approach though, because other campaigns tend to use `Reply-To` headers to achieve the same thing without it being so obvious to the user.
However, that disconnect also afforded **me** an opportunity.
A brand new mail thread doesn't include `In-Reply-To` headers, so I could initiate contact from multiple different accounts (and personas) without it being immediately obvious to the scammer that they were receiving replies from accounts that they'd never actually emailed in the first place.
* * *
### Section 3: Making Contact
I emailed the scammers from multiple accounts, with each using a different writing style and sharing a different backstory.
Adopting different personas brought a number of benefits:
* it mitigated the risk of not being assessed as a viable mark: if I lost one account, I'd still have the others
* if I discovered something interesting, I could use another persona to test and confirm consistency
In this post, I'll only refer to two of these personas - the others didn't yield anything _particularly_ different and bouncing between them would probably make for quite confusing reading.
The two personas had **very** different writing styles.
Carl struggled with spelling (which got worse as conversations progressed). His first message was pretty on the nose:
> OMG Aidana, your gorgeous!
>
> Khazakstan looks amazin, have you got any more pics of where you live?
>
> I'm 53, divorced and live in Yorkshire in the UK. Its a pretty place to live, but there aren't any women who look nearly as good as your round ere and the evenings can be a bit slow
>
> btw, how did you find my email, is there someone we both know or was it just luck? either way, nice to meet you
Andy, on the other hand, wrote quite clearly and asked questions. His mail also included a gentle hint that he had some money in the bank:
> Dear Aidana,
>
> I'm very sorry that I missed your email last night, but it was an absolute delight to read this morning.
>
> I know you're not used to making contact first, but I'm really glad that you did.
>
> My name's Andrew, but I normally go by Andy. At 49 I'm only a little older than you. As you've told me so much about yourself I feel I should do the same: I'm a jolly sort and enjoy a good laugh,
>
> I live in Buckingham in the UK, although I was born a little further south.
>
> It's nice living here, yes. A couple of years, I managed to retire early, so I spend my days gardening or exploring the local countryside. I'd love to go travelling around the world but haven't yet met someone to go with.
>
> How about you, have you always lived in Kazakhstan? Have you ever been to the UK?
* * *
#### Delayed Response
I expected that things would start up quite quickly but, instead, days went by with no reply.
Eventually, I decided that I'd probably been jilted: maybe my messages hadn't met whatever criteria they were looking for in a victim.
A little over 2 weeks later, though, replies started arriving and all of my initial contacts received replies on the same day.
I've since learned that this is because the scammer runs campaigns on a monthly cycle, taking a cohort of victims through the process at _about_ the same speed, before starting again the next month with a new set of victims (and a slightly different storyline).
* * *
#### Analysing The First Reply
The very first thing that stood out was that the reply came from a different email address than the one that I'd contacted.
To help mask this change, the scammer had copied a quote of my email into the bottom of their mail and had also set an `In-Reply-To` header referring to my original mail:
```
In-Reply-To: <BANIUp32c5MFW4-1GOr=BLAdQpnECDBiTuPn532gTWruaOU172A@mail.gmail.com>
```
The inclusion of this header will cause _some_ mail agents to show it in the original mail thread, masking the change in sender.
This mail had a photo attached too:
This time, there was no Facebook IPTC tag in the metadata, but it **did** show that the image had been edited in Photoshop in early January:
We'll come back to Photoshopping in Section 5.
Inspection of the email headers also yielded some additional information.
Firstly, the `Date` header indicated that the author was likely to be in a UTC+3 timezone:
```
Date: Mon, 3 Feb 2025 12:18:45 +0300
```
Kazakhstan is in UTC+5, so it was unlikely that the author was there (_shock_, horror!).
If we look at countries with a UTC+3 exposure, we get the following
Although this narrows things down a little, it doesn't tell us all that much - there are a number of countries on there known to be associated with online fraud.
Going back to the headers, then:
```
Received: from [192.168.191.209] ([194.147.xxx.xxx])
        by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-438dcc6df1esm184820675e9.27.2025.02.03.01.18.48
        for <redacted: my address>
        (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);
        Mon, 03 Feb 2025 01:18:50 -0800 (PST)
```
The format used in `Received` headers is defined in RFC 1123:
> The FROM field SHOULD contain both (1) the name of the source host as presented in the HELO command and (2) a domain literal containing the IP address of the source, determined from the TCP connection.
This tells us that, after connecting to Gmail, the downstream mailer `HELO`'d as `192.168.191.209` (an RFC1918 address), over a TCP connection originating from `194.147.xxx.xxx` (redacted by me).
Both the RFC1918 and the public address remained constant across all subsequent emails.
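The three header checks described above (a reply arriving from a mailbox other than the one contacted while carrying an `In-Reply-To` header, a `Date` offset that doesn't match the claimed location, and a `Received` header whose HELO is an RFC1918 literal while the TCP source is a public address), pulled together into an added Python triage script. This is my own illustration, not the author's tooling. The message it parses is constructed: the addresses, message id and the `203.0.113.45` connection address are placeholders standing in for the redacted values, and the claimed UTC+5 offset is the Kazakhstan figure from the text.

```python
import email
import ipaddress
import re
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample reply: placeholder addresses and IPs, same header shape as the real one.
RAW_REPLY = """\
Received: from [192.168.191.209] ([203.0.113.45])
 by smtp.gmail.com with ESMTPSA id EXAMPLEID.27.2025.02.03.01.18.48
 for <mark@example.net>
 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);
 Mon, 03 Feb 2025 01:18:50 -0800 (PST)
From: Aidana <second-mailbox@example.com>
To: mark@example.net
Date: Mon, 3 Feb 2025 12:18:45 +0300
In-Reply-To: <original-message-id@example.net>
Subject: Re: hello

body
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# "from <helo> (<tcp source>)" as written by the receiving MTA (RFC 1123 s5.2.8 wording);
# brackets around either part are optional because hostnames also appear there.
RECEIVED_FROM = re.compile(r"from\s+\[?([^\s\]\(]+)\]?\s+\(\[?([0-9A-Fa-f.:]+)\]?\)")


def is_rfc1918(text: str) -> bool:
    """True only for an IPv4 literal inside the three RFC1918 ranges."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return False                           # a hostname, not an address literal
    return any(addr in net for net in RFC1918)


def date_utc_offset_hours(msg) -> float:
    """Offset the author's mail client put in the Date header, in hours."""
    sent = parsedate_to_datetime(msg["Date"])
    return sent.utcoffset().total_seconds() / 3600


def parse_received_hops(msg) -> list:
    """One dict per Received header that names a HELO identity and TCP source."""
    hops = []
    for value in msg.get_all("Received", []):
        match = RECEIVED_FROM.search(value)
        if not match:
            continue
        helo, conn = match.group(1), match.group(2)
        hops.append({
            "helo": helo,
            "connection_ip": conn,
            "helo_rfc1918": is_rfc1918(helo),
            "conn_rfc1918": is_rfc1918(conn),
        })
    return hops


def triage_reply(raw: str, contacted_address: str, claimed_offset_hours: float) -> dict:
    """Flag the sender switch, timezone mismatch and private-HELO-over-public-IP pattern."""
    msg = email.message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    offset = date_utc_offset_hours(msg)
    hops = parse_received_hops(msg)
    # A private HELO literal reaching the provider over a public address is consistent
    # with submission through a VPN/tunnel rather than directly from the sender's network.
    tunnel_hops = [h for h in hops if h["helo_rfc1918"] and not h["conn_rfc1918"]]
    return {
        "sender_changed": from_addr != contacted_address.lower(),
        "claims_to_be_reply": msg.get("In-Reply-To") is not None,
        "date_offset_hours": offset,
        "offset_matches_claim": offset == claimed_offset_hours,
        "hops": hops,
        "tunnel_suspected": bool(tunnel_hops),
    }


if __name__ == "__main__":
    findings = triage_reply(RAW_REPLY, "first-contact@example.com", claimed_offset_hours=5)
    for key, value in findings.items():
        print(f"{key}: {value}")
```

`sender_changed` together with `claims_to_be_reply` is the combination worth surfacing: a genuine reply from a new address is unusual, and one that also carries an `In-Reply-To` pointing at your own message is exactly the threading trick described above. The `Date` offset is whatever the sender's client wrote, so treat a mismatch as a prompt to look harder rather than as proof of location.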
Shodan showed that the IP had ports 80, 111, 443, 1723 and 5006 open.
Although 80 (HTTP) and 443 (HTTPS) were open, they weren't serving anything HTTP-like. Whilst the TCP session established just fine, `443` didn't respond to an SSL handshake (I didn't look any further - Rule 1).
Port `1723` is used for Point-to-point tunnelling, and Shodan showed the port returning a PPTP response. Combining that with the RFC1918 address in the SMTP headers, it seemed likely that the box was being used as a VPN endpoint.
* * *
### Section 4: Our Conversations
I'm not going to write a blow-by-blow of the conversation that went back and forth - it's unlikely to be particularly helpful or interesting (in fact, at one point, _even I_ was starting to get a little bored). Instead, this section talks about some of the things that I observed during those conversations.
Something worth noting is that the original emails often consisted of long blocks of text:
This can make for quite difficult reading, so I've added some line breaks when quoting here.
* * *
#### Common Backstory
Although her age differed a bit, the backstory given to Aidana was the same across the board.
In order to try and build trust, details were spread across replies. For example, the first playbooked reply told me that "Aidana":
* Is a Dentist and Maxillofacial Surgeon
* Lives in Almaty, Kazakhstan
* Has worked abroad in USA, France and Israel
* Doesn't smoke, barely drinks
* Goes to the gym regularly
* Is looking for a genuine man to build a relationship with
In later replies, Aidana also confides that
* Her father left her and her mother for another woman when she was young, she doesn't hear from him but is still angry
* Her mother died of cancer
* Aidana doesn't have a Facebook profile because her friend was hit by a car whilst walking across a street absorbed in the app
* Her best friend is called Yulia
After a little bit of back and forth, Aidana reveals that she's going to give a presentation in order to try and win a dentistry competition, which would fund overseas training in a country of her choice:
> Tomorrow I'm going to take part in a competition among medical professionals and the best candidates will receive grants for training and professional development.
>
> Such events take place in our country every year. Such grants give the opportunity to free-of-charge training abroad in order to acquire a new experience.
>
> I told you that I have already got such grants for several times and I had an internship in Israel, the US and Europe. So today I tried to finish my work as soon as possible. I think that I'll go to the gym because it helps me to concentrate and express my thoughts correctly.
>
> This evening will be dedicated to the preparation of my presentation because I really wish I can get this grant.
>
> This grant gives the right to choose the country the winner wants to have there practice and a clinic, where one will be trained and work.
You will no doubt be unsurprised, dear reader, to hear that Aidana ultimately won that competition, and chose to come to the UK in order to build a life with me (well, Andy).
* * *
#### Common Playbook, Different Wording
After the first reply, conversation shifted onto what seemed to be a common and loosely templated playbook. Each mail had a semi-personalised section at the top, but then shifted onto a common story, albeit worded slightly differently.
For example, Andy received
> I am emailing you from my work computer as my personal computer is broken and it's being repaired now. As it's not a new computer, I was told that there are a lot of issues to be done, but they will do their best to make it work again.
>
> I devote a bunch of time to my work and it will not be an issue for us to communicate and I can use my work computer to message you with no issues
Whilst Carl received
> I am writing you an email from my work computer as my home computer is broken and I took it in for repair. My computer is old and the handyman told me that there are many problems to be solved, though he will try to repair it.
>
> I devote a bunch of time to my work therefore it will not be a problem for us to communicate and I can use my clinic's computer to email you without any problems.
The two passages _basically_ say the same thing but expressed in (very) slightly different terms.
The reference to using a work computer was _very_ likely intended to provide cover for the fact that "Aidana" only replies to emails once a day.
It's _not exactly_ a Gavin and Stacey style love affair...
* * *
#### Reassure little and often
Aidana's communications often contained reassurances about her intentions.
Some of those were obvious:
> I heard a huge amount of stories about Internet fraud and I want to make you sure that I need nothing from you.
>
> I have nothing to do with your personal details, bank profile or money either. All I'm interested in is building relationship based on love and trust
Whereas others are (a little) more thinly veiled: Aidana wanted to be sure that she was not talking to a scammer (a technique which in turn sows the suggestion that _she_ is not one):
> I only want you to be sure that all I need is a fair relationship and I have no interest in your money. 3 times I attempted to meet my love on the Internet, but I met only freaks, benedicts or just scammers.
It was initially a little difficult to know how to respond to these statements: I didn't want to blow cover by going overboard with overly-early expressions of trust, nor did I want to risk not appearing to be trusting enough.
In the end, Andy ignored it, whilst Carl breezed over it with a reply that wasn't really much more than a hand-wave:
In practice, I don't think that the scammer paid much attention to either.
As the conversation progressed, explicit reassurances like this became less pronounced, with effort instead being expended on reinforcing the unfolding story line.
This passage, in particular, made me think of how Netflix producers sometimes ask writers to have a character explain what's going on:
> By the way, Yulia is sending you big greetings. She asked me how this would all work and how I would go to your country, because it sounds very expensive. I told her that the medical association and I signed a contract according to which I get the award in the amount of 5000 pounds per month. This is the first part of my grant liabilities. This money is given to me for travel and accommodation expenses.
>
> Under the terms of this grant, my employer, as one of the sponsors of this organization, is obliged to contribute 50 percent of the total amount.
>
> After that, the representative of this organization incurs all my expenses connected with the transfer to your country. As soon as I arrive at my new place of work, within 2-3 days I will meet a representative of the medical association in UK.
>
> Yuliya said that it's great that I do not need to pay for anything by myself and just collect some documents.
The only practical purpose this passage serves is to reassure the mark, otherwise a simple "I explained how the funding works to Yuliya" would have been **more** than sufficient.
* * *
#### Getting Told Off
Aidana seemed to have bad luck with technology: in the email after disclosing her computer issues she mentioned that she'd accidentally broken her mobile phone (by dropping it in some kind of fluid at work) and that it'd be a few weeks before she could WhatsApp.
Apparently, though, she'd been given permission to call using the work phone instead:
> I am asking you write your phone number in your next message and in the next couple days I will be happy to call you. Okay? I want to believe that you have a desire to know how I sound too, do you??? I am sure that a telephone conversation will help to bolster our credence in each other.
I wasn't _quite_ prepared for a call yet, so Carl explained that his phone was also broken ("Imagine us both breakin our phones at the same time, must be a sine from heaven!") whilst Andy simply ignored the request.
In the next reply, **both** got chastised for it:
> My dear, why didn't you answer my question? In my last letter, did I ask for your mobile number????? Why didn't you write me your number?????? You don't want me to call you?????
I did _eventually_ provide a number (we'll come to that below).
* * *
##### Possible Use of Conditioning Techniques
Being told off for not providing a phone number did lead to an interesting observation. Every other email had included photos of Aidana, but these did not. Was this deliberate?
Over time, I used different accounts to fail to comply with requests in different ways and, sure enough, it _seemed_ to have an impact on whether the scammer attached a photo or not.
This only happened during the earlier stages of the scam though - once our pseudo-relationship had started developing, photos were much more consistently sent.
It's still a small sample, so perhaps I'm reading too much into it, but it _appears_ that the scammers have built positive conditioning into the early stages of their workflows: if the mark does what Aidana asks, they receive a reward in the form of a photo, if they don't, then no photo is forthcoming.
* * *
#### Playing Fast And Loose With Photos
Unsurprisingly, having sent a few photos, Aidana wanted my personas to provide photos of themselves - presumably to help build and demonstrate trust.
**Obviously**, I wasn't going to send photos of myself, so for most accounts I used an AI image generator to generate a set of photos of an appropriate looking person.
I wondered, though, whether the photos were actually being looked at (and whether there was a risk of them turning up elsewhere), so I decided that Carl should experience some technical issues:
> Oh sorry Aidana, I fort I'd added photos, tryin again, hopefully that worx. I'm not gud with computers lol
Carl attached three "photos":
Aidana seemed to be _delighted_
> I want to thank you very much for your photos. I think you're a very handsome man and you look very good.
It seems quite unlikely that "Aidana" is into men who look like a scaled out game of mega-Tetris, but it's impossible to say whether this shows that:
* Supplied images aren't looked at
* Supplied images are normally looked at, but this wasn't
* The images were looked at, but the scammer didn't care and just wanted to progress the playbook
* * *
#### Developing Familiarity
In this sort of scam, the fraudster generally tries to increase the level of apparent intimacy and trust quite quickly.
In keeping with this, most of our conversation focused on relationship building - talking about likes, dislikes and our respective days (though in practice, of course, we were _both_ lying through our teeth).
The scammer drove that agenda by asking questions before sharing information about Aidana's day:
> How are you today? How is your mood? I hope everything is fine.
>
> .. snip ..
>
> Today I woke up early in the morning. Bright sunbeams made me open the eyes. They filled my room with light and woke me up, because my bed is situated near the window. I got up, took a shower, went to the kitchen, prepared my favorite breakfast of omelet, a salad of Caesar and coffee.
This aspect of conversation was all pretty superficial - neither of us wrote very much or went into any meaningful depth.
But, despite this, Aidana's emails began to introduce more familiar terms, starting gently with things like "Darling" and "My Dear".
This familiarity started relatively quickly (about 4 emails in) and was soon followed by the fraudsters describing how Aidana had found herself thinking about my personas during the day:
> Even on such a big day I woke up thinking about you. I guess I'm starting to get used to reading your letters every day. They have become something very important for me. As always, I quickly had my breakfast. I keep thinking of you all the time… I feel you are that very person about whom I was dreaming and finally I’ve found and now I don’t want to lose you!
Around this time, phrases such as "all my heart" also started to sneak in.
By the 8th email, "Aidana" was signing emails off **much** more affectionately:
> Love and 1000000000000 kisses to you!
A _trillion_ kisses!
Whirlwind relationship or what?
* * *
##### Phone Calls
Aidana had pushed several times for me to provide a mobile number.
I suspected that there wasn't _really_ a way to get them to progress through their playbook without providing one: the endgame likely involved use of SMS or WhatsApp to message repeatedly about some urgent issue that Aidana would need me to help financially with.
But, dragging things out until we seemed closer to that point also wouldn't work: romance fraudsters often have quick phone calls with their marks - if you look at news stories, victims will often say "we even spoke on the phone".
So, in preparation for this, I set up a burner phone and downloaded a pay-as-you-go eSIM onto it (with a plan to contact the phone company once I was done so that they could take the number out of circulation for a while).
Aidana was very happy and even provided her own numbers:
> My dear, I really want to hear your voice and today or tomorrow I'm going to call you on the phone. I'm asking you to keep your phone close on these days so you don't miss my call. Ok? I will call you from my work phone `$REDACTED`.
>
> If I can't reach you from my work phone, then I bought a prepaid phone card for international calls with the number +1-843-968-4772. This prepaid card allows you to make calls much cheaper than in a regular phone. So I think I'll call you from this number.
I've redacted the "work" number because it's not clear that it's under the control of the scammers and was likely only provided to help build confidence. I checked though, and it is on a Kazakhstan provider.
Looking up the US number shows that it's a VOIP number used by Skype, which isn't overly surprising given that Microsoft make it quite difficult to report out-call fraud (though, it appears that Skype is soon to become a thing of the past anyway).
The recording doesn't do it justice, but for a woman purporting to be from Kazakhstan, Aidana sounded _an awful_ lot like she was from somewhere else (I've cut my side out of this recording as it seems a little unwise to include my voice):
The call was just over 3 minutes long - she didn't drive any particular agenda and basically just made small talk, with a bit of talking about the future mixed in.
A little way into the recording, you'll hear "Aidana" say "house?". She'd asked what I was doing, so I'd said that I was on my way to Chatsworth house (having retired early, Andy spends his time visiting stately homes on his own).
Unfortunately, it's not audible in the recording, but there was a definite "ding" sound in the background just after. As I hadn't heard any typing, the impression that I got was that someone else had messaged her. It could _totally_ be coincidental, but might also be a sign that there was a silent third participant.
There were several subsequent phone calls, all from the same woman and all quite short, though I didn't hear any similar background noises in those.
* * *
##### Sex
Now, if you recall, the opening email had been _pretty clear_ that Aidana didn't want to talk about sex.
However, as the relationship bloomed, the scammer tried to drive intimacy a bit further:
> I am more and more often visited by the thought that you think of me as a woman. Andy Do you like my body? I believe that Sex in a relationship is also very important I would like to order what you think about it. I ask you to tell me your sexual ideas. I want you to do this first since I never wrote about it first.
This posed a potential problem.
Although I was invested in this project, I _definitely_ wasn't "flirty sex chat with some random scammer" levels of invested. The thought also dawned on me that part of their playbook _could_ even involve "Aidana" calling for phone sex.
Either would be crossing lines that I didn't want to cross, meaning that I'd stumbled upon an unexpected 4th rule of engagement: don't talk dirty with scammers.
Thankfully though, my persona was British, so I was able to deflect things by essentially saying that, whilst I was attracted, sex is just not something that we talk about.
* * *
#### Shared Tasks
Although Aidana drove the storyline, she occasionally needed Andy or Carl to help out by finding her information necessary to prepare for her trip.
For example, she needed to know which airport to fly to:
> In order to book the tickets, Andy, I have to know the nearest airport to you
She also needed to know details of a few dentist practices that she could potentially complete her training at:
> Could you please find in the internet at least several dental clinics that are situated to as close as possible???? I need 2-3 state dental clinics and 2-3 private practices. It is necessary for me to conclude a contract with the International Medical Association.
The aim here, of course, is to encourage the victim to feel invested in the story line, because they're _even_ helping with the planning.
* * *
#### The Medical Association
In one of her emails, Aidana informed Andy that the Medical Association would be calling him in order to verify arrangements:
> My dear, I told the medical Association that you would meet me at the airport and help me adapt to the United Kingdom and give me some tips about the culture and life of your country.
>
> The main office of the medical Association in Denmark wants to make sure that you are a good person, and not some kind of maniac.
>
> I hope you don't mind if a representative of the international medical Association calls you and asks you a few simple questions??? I ask you not to worry, this will just be a normal conversation to make sure that I am not in any danger in the United Kingdom. Andy you must understand that this is necessary. I hope you won't have any problems answering a few questions in English.
>
> You will get a call from a representative of the medical Association, Erika SARBANTOVICA ( +1-318-602-0467).
>
> She is currently on a business trip to the USA and therefore will be calling you from this country.
That number, just like Aidana's, is a Skype out-call number.
The call didn't come through for a couple of days, but eventually my phone rang:
Annoyingly, Cube ACR didn't record it very well beyond this point: there was some background noise which seems to have broken things (it appears to hook in as a speech recognition helper, so my uneducated guess is that Android just doesn't send it audio that doesn't sound like speech).
When I first received Aidana's email, I assumed that this call would be used to try and collect additional personal information (address etc) under the guise of safety verification.
However, in the event, the questions were much simpler:
* Will you be able to collect Aidana from the airport?
* Are you able to provide/arrange accommodation and help her understand the territory?
* She'll need to get to various places, can you provide/arrange transport for the duration of her stay?
* Can you help with language and developing her English?
Erika ended the call by saying that everything sounded fine and that she was glad that Aidana seemed to have friends to support her in the UK.
So, just like the others, the only purpose of this call was to help to reinforce the storyline.
Although this was the only direct contact with a "member" of the medical association, they were fairly key to the story line and the scammers provided various forged documents purporting to be from the European Medicines Agency (who, incidentally, are aware that they're being used in campaigns like these).
One of the interesting points here is that it'd be easy for a curious victim to mistakenly _authenticate_ some of the documents:
Searching for the name of the top signatory **will** lead to real results: Christopher H Fox is the CEO of the International Association of Dental Research (good lies have an element of truth to them and all that).
* * *
#### The Request For Money
I introduced various opportunities for the scammer to take financial advantage. For example, when Aidana mentioned that her phone was broken, Andy asked if she needed help buying a new one.
These all went ignored.
However, about 3 weeks in, the inevitable happened and Aidana's plan to move to the UK came under threat.
Unfortunately, part of the funding that Aidana was relying on had fallen through because her boss had found out about _our_ relationship and realised that she wasn't coming back:
> In the morning I had a meeting with my director of the clinic.
>
> We had an extremely unpleasant conversation. I wanted to get concrete answers to my questions. I asked him why they still have not transferred the money. My director immediately rebelled and told that he won’t pay for anything.
>
> He got to know that I am planning to stay with you forever. He explained me that the clinic does not want to waste money on me if I am not going to return to Kazakhstan.
>
> I was very disappointed to hear that, but I understand what he is talking about.
So, not only was our future in jeopardy, but it was partly _my fault_ that Aidana risked missing out.
Thankfully, the situation wasn't entirely hopeless: Aidana still had the certificate for the first month's £5000 grant. The problem was, the curator of her trip said that it could only be cashed in once she had arrived in the UK:
> I asked him if I can cash out the certificate in Kazakhstan that I could make this payment. He replied that over the past two years UK changed the rules. If I decided to fly to China, there would be no problems. I could get the whole amount in Kazakhstan. But your country allows to cash out the grant certificate only on its territory.
>
> That is why my curator said that the only way out of the situation is to pay this money for my own.
Aidana's a resourceful woman though, so rather than breaking down under the weight of the bad news, she set about trying to solve the issue on her own:
> I went to the bank where I keep my money on the deposit. I was a client of this bank for a long time and I was sure that they will be able to give me a loan for a short period of time. I explained the whole situation to the manager of the bank. I showed him a copy of my grant certificate that I will be able to cash out it and immediately transfer money back from UK.
>
> The manager denied me for the same reason that my curator. I collected all my saving, it was 900 pounds and went to work to write you a letter. On my way I thought where I can get the rest 600 pounds ???? I'm still paying a loan for my apartment, so I can’t sell it so quickly. Then I realized that I have no other way but borrow this amount from you.
Although she could raise most of the money, she couldn't quite get across the line.
But, love always wins, so Aidana _knew_ that Andy wouldn't leave her high and dry:
> I'm sure that for you Andy it's not big a problem. We both have done so much for our meeting, I do not think you'll deny me now.
>
> Moreover I will give you this money back in 3-4 days after my arrival to you. I will cash out my certificate and give you all sum back. I can’t even imagine that such a situation could happen with me! I feel so helpless now… So many things have already done, documents, tickets… And now I have this problem that can ruin everything!!! I have no other choice but to ask you for help!
>
> I am confident that you Andy will not leave me in this situation! Hope that situation will be the first and the last obstacle on your way to be together.
This email had 4 attachments:
These were
* A photo of "Aidana" holding a handwritten note reading "Help me please my love"
* An invoice purporting to be from the European Medicines Agency, totalling about £52K
* A photo of a UK entry clearance visa, with Aidana's photo and details on it
* A PDF claiming to be Aidana's bank statement
Aidana also recognised that this was something that really needed a proper conversation:
> P.S. My dear, we need to discuss this issue over the phone. I'm asking you to wait for my call today. I'm asking you to keep your phone close.
>
> I am very upset about this situation and I want to consult with you and discuss everything in detail. I am very ashamed to ask for your help, but I have no one else to turn to.
She phoned a few hours after the email had arrived, sounding much more despondent than in earlier calls:
Later that day, as promised in the call, details arrived of how and where to send the money.
However, the scammer also asked if I could send a little extra to help cover any "unforeseen expenses":
> My dear, I am glad that we were able to talk on the phone and that you understood my problem and can help me with these 600 pounds. If it's not difficult for you, add an additional 20-30 pounds for unforeseen expenses.
There were two ways that the money could be sent:
* SWIFT transfer to an account held at Bereke Bank in Kazakhstan
* Using Moneygram or Western Union
The beneficiary name provided for the bank transfer was the same as on Aidana's docs. However, this doesn't _really_ mean too much: although SWIFT transfers require a beneficiary name, many receiving banks don't check that it matches the account holder, so as long as the BIC and IBAN are correct the money lands in the destination account regardless of whose name the sender typed.
Moneygram and Western Union were also offered as an option but, Aidana explained, needed to be sent to a different beneficiary:
> I can't use the Western Union or MoneyGram system because my name is blocked there. The fact is that 3 years ago I was in the USA and sent money to my cancer-stricken mother in Kazakhstan through the Western Union and MoneyGram system and I constantly had problems with money transfers.
>
> Because of some problems, for some reason, money transfers were constantly blocked. And after three attempts, I was blocked in all systems. It was a sad experience using these systems, as my mother urgently needed money to buy medicines.
>
> But this is not a problem and I asked my friend Diana to help us if we use these systems to transfer money.
The friend, Diana, is probably a money mule and, in fact, the address that was provided for her later in the email _appears_ to be that of a hotel.
* * *
#### Ending It
We'd reached the point of no return, because Rule 3 was clear that I couldn't make any payments.
I could _perhaps_ have faked a payment receipt and messed them around for a bit, but that wasn't really the aim of this process, so it was time to tie things up.
Andy "tried" to send money, but the bank flagged the transaction and froze his account:
> I tried to transfer you the money, but unfortunately the bank blocked it. They phoned up shortly afterwards and said something about it being a donkey (or maybe mule?) account.
>
> Are you sure you gave me the right details? I didn't entirely understand what they were saying, but they seem to have been concerned enough to freeze my account.
>
> I can probably get down to Moneygram with my credit card tomorrow, but if you've got the correct bank details it'd be useful so I can explain it to the bank and unlock my account.
Aidana replied and said that the details were definitely correct and that the issue must be at Andy's end:
> I have had this bank account for 3 years now and have never had any problems. That's why you probably did something wrong and that's why your bank did it.
She suggested that he use Moneygram instead, in the process sounding _a little_ like she might work for Moneygram's marketing department:
> Since we are having problems with a bank transfer, of course it would be better if we use the MoneyGram system. It is a fast and convenient money transfer system, and MG has offices in every city.
Attached to the email was another picture of Aidana holding a handwritten note, this time reading "I love you Andy".
The photoshopping on this image was a little more clumsy though and one of the original items was still visible in the woman's hand.
The next day, Andy replied to say that he'd been to the bank to unblock his account and that they'd sat him down and explained that this was all a scam.
> The manager explained to me that you're not really you and that this is all part of some kind of grand scam. I told him that he was wrong and that we'd spoken on the phone, but he said that that was quite common. They said that you're probably not even in Kazakhstan at all!
Aidana's reply came within hours:
> It's insulting to me that you're comparing me to scammers. Did I deserve this? Why do I always have to prove something to you? What kind of nonsense is being said in your bank???
>
> I have sent you all my personal documents, passport, visa, plane ticket, grant certificate, website of the clinic where I work and even a photo with your name. Don't you know that no one gives you such information on the Internet, but I trust you 100% and that's why I sent you my bank and personal documents.
>
> But even so, you don't want to believe me. How else am I supposed to prove to you, Andy, that I love you? You're making me cry with your suspicions.
To help re-assure Andy she re-attached the photo of her holding a note, the photo of her visa and a new document, purporting to be an order of payment from the European Medicines Agency.
She also provided a contact email address for the medical association (who totally use Gmail, _obvs_) so that Andy could verify her story (I did email them, but got no response).
Despite being upset, she knew that Andy would change his mind:
> I also sent you my plane ticket and my visa. Doesn't that prove to you that I'm coming to your country??? You offend me with your doubts and distrust..(((
>
> I will be anxiously waiting for your answer. I know that you are a smart and strong man, and you will change your mind and send me this money via MoneyGram.
But Andy stopped replying, having gone to try and work out how to mend his broken heart.
It was over.
* * *
#### Summary of Communication Techniques
The scam starts with a simple lead: I'm young, I'm hot and I'm looking for something _real_.
From that point on, the communication focuses solely on building trust (both in Aidana and the story line itself).
The techniques used are not _particularly_ sophisticated, but are applied quite consistently.
I presented multiple opportunities for the scammers to try and take advantage of me, either financially or by collecting personal details, but they ignored those in favour of the much bigger potential pay-off at the end of the scam.
The early communication is loaded with reassurances: Aidana tells marks about the horrible luck that she's had with online communications in the past and that she needs to know that this time is different. Attempts are also made to reassure the victim that Aidana _really_ doesn't need anything financially, she's only here for a chance at love.
Although the early communications are friendly, the terminology used is (more or less) in line with a couple of strangers conversing. However, more familiar terms start to appear quite quickly.
A good example of this can be seen in the way that Aidana closes emails:
Email | Closing Line
---|---
**1** | Best wishes
**2** | I wish you a good day
**3** | Hope to hear from you soon and I would email you as soon when I get your letter
**4** | Sincerely yours
**5** | From all my heart
**6** | I kiss you
**7** | Send you kisses and hugs!
**8** | Love and 1000000000000 kisses to you!
**9** | I send you my tender kiss and will wait for your letter
**10** | With all my love
**11** | I send my hugs and kisses to you
**12** | 10000000000000000 kisses
**13** | 10000000000000000000 kisses. Waiting impatiently for your reply
**14** | Forever yours
**15** | Hug you and send you 10000000000000 kisses
**16** | I love you Andy! yours lady
**17** | Your woman
**18** | Your Aidana
**19** | Forever yours
**20** | Your love
**21** | Your Aidana
Side Note (I got nerd-sniped): The huge number of kisses in email 13 is _ten quintillion_. Assuming that each kiss is a quick peck, averaging 1 second in duration, it would take roughly _317 billion years_ to deliver them all, more than twenty times the current age of the universe. Even the ten trillion in email 15 would take around 317 thousand years.
The level of familiarity used within the emails takes quite a sudden leap, and the L bomb is dropped pretty quickly. This rate of development is, obviously, very much in the scammer's interest - they need the victim to be as invested as possible, as quickly as possible.
Periodic phone calls are also used to help this along.
Going into this, I knew that there probably _would_ be phone-calls, but I had no idea what to expect. I thought that they _might_ be used to try and verify my side of the story (I even printed a small cheat sheet to keep in my pocket), or to take advantage in other ways.
But, instead they were literally just small talk, with the human contact being used to help increase the feeling of being in a relationship.
Although the rate of relationship progression is quite unnatural, it's masked by Aidana only emailing once per day: we only talked for a little over three weeks, but it _felt_ like we were talking for ages.
That time-stretching effect, presumably, helps to explain why victims often seem to have fallen _so deeply_ in so little time.
Although not definite, there are signs that the scammers may be using conditioning techniques to help encourage marks to invest more in the pseudo-relationship: photos seem to be withheld if the victim ignores a request that Aidana cares about (such as providing photos or a phone number).
In order to help the victim feel invested in the story line, Aidana asks them to seek out some information (such as nearby dentists) for her.
The scammer also uses guilt - not only was the issue with money implicitly Andy's fault (it was being withheld because Aidana's boss had found out about their relationship), but the emails contained a number of loaded phrases:
> My heart is crying and has only dream to see you and to be with you…
>
> I am very ashamed to ask for your help
>
> My love, I hope you really understand that your help is vital for me! I rely only on you! You are my moral support and confidence in the future!
>
> I cried all day today after I read your letter.
>
> Did I deserve this? Why do I always have to prove something to you?
>
> You're making me cry with your suspicions
>
> You offend me with your doubts and distrust
The last four in that list, of course, came after Andy raised the possibility that this was all a scam. Having (hopefully) built the feelings of a relationship, the scammer weaponises them to try and ensure compliance.
After all, if you've fallen head over heels as part of a whirlwind romance (or mistaken lust for the same), the words "You're making me cry" will likely go a **long** way towards changing your behaviour - humans that have been swept off their feet tend not to be particularly rational.
This also means that if, like Andy, a victim becomes aware that they're being scammed, the "break up" will be _extremely_ painful and difficult: the scammer will keep replying (and trying to convince) for as long as the victim is willing to keep engaging.
All that the victim can do is walk away (and of course, be aware that their email address is going to be considered a viable target for future campaigns).
* * *
### Section 5: Gathering Information
This section focuses more on analysing the materials that the scammer sent over, as well as looking for additional information.
* * *
#### Click My Link
After I'd included photos in a reply, Aidana had an additional request:
> I will be very pleased if you'll send me as many of your photos, photos of your home or friends
I sensed that this gave me a potential opportunity.
I bought a suitably named domain, pointed it at a cloudy VM and built a very simple page which, before redirecting onwards, ran the following JavaScript:
```javascript
// Collect a few browser properties and smuggle them back to the server
// as a base64 blob in the query string of an image request.
function recordStats(){
    var inf = btoa(JSON.stringify(gatherInfo()));   // JSON -> base64
    var img = document.createElement('img');
    img.src = "house.gif?q=" + inf;                 // ends up in the server's access log
    img.className = "pix";
    document.body.appendChild(img);
}

function gatherInfo(){
    return {
        platform: navigator.platform,               // e.g. "Win32"
        lang: navigator.language,                   // e.g. "ru-RU"
        timezone: new Date().getTimezoneOffset(),   // minutes, UTC minus local
        ua: navigator.userAgent
    };
}

recordStats();
```
For those who don't JS, what this does is
* Capture the OS name, configured language, timezone and user-agent
* JSON encapsulate it, base64 encode that and embed an image with the base64 value as the query string (resulting in the base64 string being included in a request to my server).
For those who are thinking "you could have collected most of that from request headers", you're right, it's an _extremely_ limited set of collection.
It was a toe in the water, though, to test whether they'd be willing to visit a link that I controlled. Although it seemed unlikely that they'd closely inspect links, I didn't want to burn bridges by pushing my luck too far on the first attempt.
Note: as this was intended as a test of trust, and only collected information, I didn't feel that it was breaking Rule 1.
I replied to Aidana and included my link saying that it was the original listing for my home:
> I love your photos, I'll try and find some of me that I actually like for you. In the meantime, it looks like the original listing for my home is still available on the net, so you can see just how wonderful my surroundings are: `$REDACTED_LINK` Relaxing in the garden is really hard to beat.
I wasn't _at all_ sure whether they'd click the link - there was no **need** for them to, but doing so _would_ also help them assess Andy's worth as a mark.
The next day, a reply came through and, sure enough, my access logs showed that they'd clicked the link:
```
194.147.xxx.xxx - - [06/Feb/2025:13:00:59 +0000] "GET /[REDACTED] HTTP/1.1" 200 581 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36" "-" "REDACTED" CACHE_- 0.000 tempvm - "-" "-" "-"
194.147.xxx.xxx - - [06/Feb/2025:13:00:59 +0000] "GET /house.gif?q=eyJwbGF0Zm9ybSI6IldpbjMyIiwibGFuZyI6InJ1LVJVIiwidGltZXpvbmUiOi0xODAsInVhIjoiTW96aWxsYS81LjAgKFdpbmRvd3MgTlQgMTAuMDsgV2luNjQ7IHg2NCkgQXBwbGVXZWJLaXQvNTM3LjM2IChLSFRNTCwgbGlrZSBHZWNrbykgQ2hyb21lLzEzMi4wLjAuMCBTYWZhcmkvNTM3LjM2In0= HTTP/1.1" 404 196 "REDACTED" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36" "-" "REDACTED" CACHE_- 0.000 tempvm - "-" "-" "-"
```
If we base64 decode and pretty print the query string, we get the following:
```json
{
    "platform": "Win32",
    "lang": "ru-RU",
    "timezone": -180,
    "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36"
}
```
This confirms the `GMT+0300` timezone that we'd observed in the mail headers (note the sign: JavaScript's `getTimezoneOffset()` returns UTC minus local time in minutes, so `-180` means the browser's clock is three hours _ahead_ of UTC). The `lang` value is an RFC 5646 language tag and tells us that the scammer's browser is set to use Russian.
The user-agent tells us that they're running Chrome on either Windows 10 or 11 (Chrome reports `Windows NT 10.0` for both, because the OS version in user-agent strings was frozen after Windows 10).
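As an added example (not part of the original post), here is a small Python script that pulls the beacon back out of an access-log line like the one above and turns the raw fields into something readable. `LOG_LINE` is the page's own (redacted) entry, trimmed of the trailing custom log fields; the helper names, the `UTC+hh:mm` formatting and the handling of URL-encoded or unpadded base64 are my additions.

```python
"""Recover the fingerprint beacon from an access-log line.

Added example, not part of the original post: LOG_LINE is the (redacted)
entry shown above; the parsing helpers and result field names are mine.
"""
import base64
import json
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

LOG_LINE = (
    '194.147.xxx.xxx - - [06/Feb/2025:13:00:59 +0000] '
    '"GET /house.gif?q=eyJwbGF0Zm9ybSI6IldpbjMyIiwibGFuZyI6InJ1LVJVIiwidGltZXpvbmUiOi0xODAsInVhIjoiTW96aWxsYS81LjAgKFdpbmRvd3MgTlQgMTAuMDsgV2luNjQ7IHg2NCkgQXBwbGVXZWJLaXQvNTM3LjM2IChLSFRNTCwgbGlrZSBHZWNrbykgQ2hyb21lLzEzMi4wLjAuMCBTYWZhcmkvNTM3LjM2In0= HTTP/1.1" '
    '404 196 "REDACTED" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36"'
)

# client IP, ident, user, [timestamp], then the request line in quotes
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)


def tz_offset_label(minutes_behind_utc: int) -> str:
    """Turn a JavaScript getTimezoneOffset() value into a UTC+hh:mm label.

    getTimezoneOffset() is UTC minus local time, so -180 means the browser's
    clock is three hours *ahead* of UTC (UTC+03:00), while 240 means UTC-04:00.
    """
    sign = "+" if minutes_behind_utc <= 0 else "-"
    hours, mins = divmod(abs(minutes_behind_utc), 60)
    return f"UTC{sign}{hours:02d}:{mins:02d}"


def decode_beacon(log_line: str) -> Optional[dict]:
    """Return the decoded beacon for a house.gif request, or None for any other line."""
    m = REQUEST_RE.match(log_line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith("house.gif"):
        return None
    q = parse_qs(parts.query).get("q", [None])[0]   # parse_qs also undoes %3D and friends
    if q is None:
        return None
    q += "=" * (-len(q) % 4)                        # restore padding a client may have dropped
    try:
        payload = json.loads(base64.b64decode(q, validate=True))
    except ValueError:                              # bad base64 or bad JSON: not our beacon
        return None
    tz = payload.get("timezone")
    return {
        "client_ip": m.group("ip"),
        "platform": payload.get("platform"),
        "lang": payload.get("lang"),
        "utc_offset": tz_offset_label(int(tz)) if tz is not None else None,
        "ua": payload.get("ua"),
    }


if __name__ == "__main__":
    print(json.dumps(decode_beacon(LOG_LINE), indent=2))
```

Running it against the logged request prints the decoded fields with the offset already translated to `UTC+03:00`, and feeding it any other log line (or a tampered query string) returns `None` rather than raising, which is what you want when grepping a whole access log.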
Knowing that the scammer's browser is set to Russian allows us to cross most entries off our list of countries in UTC+3:
This leaves us with Ukraine, Belarus and Russia as likely source locations (and, for what it's worth, Kazakhstan has been on UTC+5 since March 2024, so the persona's claimed home is nowhere near the list). One caveat: Ukraine only moves to UTC+3 for summer time and was on UTC+2 in early February, so a `+0300` offset in a February mail header points more towards Belarus or western Russia, unless the machine's clock is simply set to another zone. Of course, it could also be a Russian speaker living overseas, but there's no good way to account for that possibility.
The other thing that was _mildly_ interesting is that the click came immediately before the reply was sent. Because replies to different accounts arrived throughout the afternoon, I had originally theorised that maybe they were replying in bulk and randomising send times, but this suggested that that was not the case.
* * *
#### Finding The Source Of The Images
Reminder: **the images are stolen and this is not actually the person that you might be speaking to**
When I first set out on this journey, I did a quick reverse image search of the images attached to the opening emails, but got no meaningful results back.
By the time that I was some way into the process, though, "Aidana" had sent me quite a few more photos, so I used standard OSINT techniques to help narrow down my search, ultimately finding the Instagram profile of the user that they'd been stolen from.
The woman in the photos is a Russian personal trainer.
To avoid being the cause of some angry victim ending up in her DMs, I'm not naming her here, however I _have_ sent a warning that her images are being nicked so that she's not taken by surprise.
The real individual being a PT explained why "Aidana" kept mentioning going to the gym - the Instagram profile is **full** of work-out pictures and videos, so the scammers have adopted part of the persona of the person that they're impersonating.
Unsurprisingly, "Aidana" eventually started attaching videos of herself during a workout - again ripped from the PT's profile.
* * *
##### Examining Changes To Images
My earlier examination of metadata had shown that the scammer had edited at least some of the photos (we know it must have been the scammer rather than the PT, because Meta routinely strips metadata from images - really, "Meta" is a bit of an ironic choice of business name).
I wanted to understand what they'd changed, why _and when_.
Each of the images that Aidana had sent appeared somewhere on the PT's profile, so I grabbed a copy of each for comparison.
Remember this image?
The reason that the framing feels a bit tight is that the original actually has **two** other people in it.
With this knowledge, if you look closely at the cropped version you can see another woman's thighs and part of an arm:
Although clearly cropped, this photo didn't contain metadata indicating that it had been edited in Photoshop, so I moved onto one that did - the pink slippers photo:
Looking at the original showed that the image had also been cropped, but it wasn't immediately clear _why_ - all that had been cropped out was some food and a nondescript bottle of bubbly.
Looking a little closer, though, showed that cropping wasn't what had motivated the edit:
She's wearing a wedding ring! The scammers removed it so that marks wouldn't end up thinking that they're talking to someone who isn't single.
One of the images that the scammers sent in later emails also contained metadata indicating photoshopping. A quick check revealed that, once again, it had been edited to remove a ring:
The metadata on this image, though, indicated that it was edited back in June 2024:
When they _finally_ emailed to ask for money, the scammer included a photo of her holding a sign saying "Help me please my love".
Aside from the words having been shopped in, comparing it to the original shows a number of other discrepancies
The metadata for this image shows that it was photoshopped on the 2nd of July 2024.
All of this information tells us a few things
* The scammers have been mining the PT's profile for quite some time
* They continue to track her profile and steal content - the pink slippers photo was posted to her profile for this year's New Year
* It's quite likely their first successful use of this campaign was in July 2024 (we've no way to know whether the mark paid, but someone presumably reached the final stages, requiring that the "help" image be created).
* * *
#### Carl gets dumped
I mentioned earlier that Carl's spelling degraded over time. Eventually he ended up writing the following
> I no wot you mean about strange but pleasant emotions, cos I'm feelin them too - u were my last fort before I fell asleep and my first when i woke up. I know that it sound cringey but ur a bootiful person Aidana an Im so happy if Im makin life feel better for u like u are me. I really feel like ur my favourite person an I'm oldin our talks very dear
The initial drop-off in Carl's spelling hadn't been _entirely_ deliberate, but once it started I decided to let it happen to see how much of a headache they were willing to put up with.
As a native English speaker, the passage above is hard going, but readable. Someone less fluent will struggle with it because they'll have to stop and think what the words sound like, but they _should_ make it through.
Machine translation into Russian (and back, for my benefit), though, leads to something bordering on nonsensical
That paragraph seems to have been the final straw: despite having responded, without issue, to every other mail that Carl had sent, Aidana's next email complained that Carl hadn't replied and said that his messages kept ending up in spam
> Hello my dear Carl! It made me very sad to not have a letter from you again. Are you busy? Or are there any other reasons for your silence? Maybe you didn't get my letter? I ask you to check your Spam folder. Your letters are also very often in my spam folder. I hope that today I will receive letter from you.
Carl replied to say that he had mailed and re-stated the relevant parts, but Aidana stopped replying.
Poor old Carl had been dumped, ghosted even!
The key thing about this technique is that it provides a non-confrontational way for the scammer to end things. After sending the initial reply, the scammer can simply filter out any further replies, leaving the mark thinking that it's technology that has thwarted their chances, rather than feeling they've been dumped.
Obviously, this isn't done out of care for the mark's feelings: it's likely done so that the mark won't feel reluctant to re-engage if the scammers change their mind later.
Sure enough, this **wasn't** the end for Carl, because a couple of weeks later a new possible love emailed him:
Aside from the fact that it comes from a hacked account, this opener doesn't follow the same pattern as the original. Not only is the writing style different, but this time, rather than asking the mark to reply to a different address, it uses `Reply-To` so that their mail client quietly does it for them:
```
Reply-To: Tosy <sikeruniplunvv@gmx.com>
From: <REDACTED>
Subject: you are in my heart.,
```
The image attached to this mail was much easier to track down than the ones used in the original campaign - it was a profile shot of (Russian) model Diana Korkunova.
These differences suggest that Carl's details might well have been passed (or, more likely, sold) on to someone else. Andy's account ultimately started receiving them too.
* * *
#### Scammer's System
Having exchanged a few emails since my original link, I decided that it was time to have Andy send another in order to try and collect some additional information.
The previous link click had provided potentially useful information: the scammer was using a Microsoft Windows machine. Windows has a long history of being **awful** for VPN leaks, opening the possibility that I _might_ be able to induce the scammer's computer into revealing more of their real location.
However, doing so would likely require that the scammer be on the page for longer than had been needed for my original redirect and I was worried about blowing Andy's cover.
So, I decided to take advantage of (some of) the social harm that Cloudflare has visited onto web users:
Thanks to solutions like Cloudflare Turnstile, users are now quite used to page visits being delayed whilst a seemingly unrelated provider checks (or claims to check) that they're human. In fact, I suspect most people are probably just relieved that the page doesn't also show ads... a sad state of affairs really.
I designed a simple interstitial page which appeared to be an automated captcha process, explaining away a couple of seconds' additional delay before redirecting on to a page that Andy would be talking about:
There should be a video here, you may need to visit in a browser
Whilst presenting the visitor with a low effort, but semi-plausible interface, the underlying javascript collected additional information about the visiting browser and used a handful of techniques to try and induce VPN leakage.
Frustratingly, it took a few attempts to get them to actually click a link, but I was eventually successful by asking
> On that topic, your wonderful news meant that you didn't answer my earlier question. Which of these would you rather be collected in? car one or car two
For the record, Aidana preferred the more expensive of the two Aston Martins.
I wasn't _entirely_ sure which way _that_ was going to go: it's not _really_ in the scammer's interest for a mark to go out and splurge £70k on a car, because it reduces the money available for stealing. But, I guess they figure that you've probably got access to more money anyway.
The link clicks allowed me to ascertain the following:
* The system was still a Windows box in a UTC+3 timezone
* It still had Russian configured as the language
* It had the same user-agent as before
* There was no DNS leakage: DNS queries all egressed via the known VPN endpoint
* They had Google DNS configured as their resolver
* They don't have IPv6 connectivity (**or** their VPN client explicitly disables it)
* They were using a connection which averaged `1.6 Mbps` across recent connections
* Across all their browser's recent connections, the average round trip time was `250ms` (quite high)
* Their system had 8 CPU cores
* The browser's reported usable resolution was 1280x760
* Chrome was not in headless mode
The browser also reported a connection type of `3g`, however this is a little misleading: the Network Information API's `effectiveType` is expressed in cellular-generation terms whatever the physical medium, and is derived from measured round-trip time and downlink rather than from the actual link type. So, the system could just as easily have been connected to Wifi.
The resolution that JavaScript reports is the portion of the screen that's available to display the webpage, so doesn't include things like the address bar. If we allow 40 pixels for that, we arrive at the resolution of WXGA (`1280x800`), which has historically been used by a few tablets and some older laptops.
This was flying a little close to Rule 1, though, so I decided not to push it further.
* * *
#### Fingerprinting The Scammer's Mail User Agent (MUA)
Back to passive analysis.
It used to be that MUAs would include a `User-Agent` header (hell, most webmail clients even used to include an `X-Originating-IP`) but, over time, those have fallen by the wayside for privacy reasons.
However, that _doesn't_ make it impossible to identify what mail client the scammer is using, because most mail clients handle formatting slightly differently.
So, if we grab a set of headers from one of Aidana's emails:
```
Date: Tue, 4 Feb 2025 14:21:08 +0300
From: Aidana <REDACTED>
Reply-To: Aidana <REDACTED>
Message-ID: <155055577.20250204142108@gmail.com>
To: <REDACTED>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------069134143049E2085"
```
Note: I've stripped `In-Reply-To` etc for brevity.
The first thing that we can see is that the value of `Message-ID` seems to contain a timestamp:
```
Message-ID: <155055577.20250204142108@gmail.com>
```
The format of `Message-ID` is known to differ between MUAs, so we can use a resource like Forensics Wiki to help narrow down which client might have been used.
The only MUA in that list which generates an ID of that format is The Bat!.
`The Bat!` is a Windows mail client that's marketed on its security features, including encryption of the locally stored mail. It's easy to see how that might appeal to a scammer, and the use of Windows is something that we already know about.
However, we can't _reliably_ conclude that this is the MUA in use based on a single data-point, so we need to go back to the mail.
The other thing which commonly varies between MUAs is the format of boundary markers. Outlook and Microsoft Mail, for example, use a marker of the format `----=_NextPart_{long string}`.
Unfortunately, Forensics Wiki didn't have an example of the boundary marker format used by `The Bat!`.
However, the authors of `The Bat!` offer a free trial, so I spun up a cloudy Windows instance and downloaded a copy before emailing myself:
At the receiving end, the headers look like this
```
From: B <REDACTED>
Message-ID: <381612535.20250214122406@gmail.com>
To: REDACTED
Subject: Hello World!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------0DB0781421434046D"
```
That boundary format looks pretty familiar - both my test mail and the scammer's use a short string of hex-encoded bytes.
* * *
##### Scheduled Sending
This brings us to an interesting shortcoming that I noticed in one of `The Bat!`'s features.
The client has a feature called Postponed Sending which (as the name suggests) allows the sending of any given mail to be delayed (you can even set a mailbox-wide default):
Earlier in this post, I commented that:
> Because replies to different accounts arrived throughout the afternoon, I had originally theorised that maybe they were replying in bulk and randomising send times
The postponed sending functionality would be pretty much _perfect_ for this.
I used `The BAT!` to send a delayed email to myself (using the values in the screenshot above):
```
Date: Fri, 14 Feb 2025 12:35:00 +0000
From: B <REDACTED>
Message-ID: <1603024618.20250214123320@gmail.com>
To: b <REDACTED>
Subject: Test 2
```
There was now an irregularity in the headers, because although the `Date` header matched the scheduled send time, the timestamp in `Message-ID` still reflected when I hit the `Send` button.
Presumably, `The BAT!` generates `Message-ID` when the mail is first moved to the outbox. The features page implies that postponed send is only really intended as a convenience function, so it makes sense that they don't bother to rewrite the other headers.
* * *
##### Confirming the MUA
I now had three data points which allowed me to say, with some confidence, that the scammer was using `The BAT!` as their mail client, because in their emails:
* `Message-ID` followed a format that's documented (and observed) as being in use by `The BAT!`
* Multipart boundary strings took a format known to be used by `The BAT!`
* The metadata of (some) messages contained a discrepancy associated with `The BAT!`'s postponed send functionality
Use of this MUA also suggests an explanation as to why the scammer hadn't picked up on my mega-tetris "photos": `The BAT!` can be configured to not download attachments by default, which would allow the scammer to confirm that _something_ had been attached, without having to waste bandwidth, time or local storage by downloading it.
`The Bat!` also supports dynamic templating, allowing email bodies to be populated using macros. This feature _could_ provide a potential explanation for why emails to different personas used different words to tell the same story.
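As an added example (my own script, not the author's), here is a small Python check that applies the two format clues above, the Message-ID shape and the ten-dash hex boundary, to a set of headers. The samples are constructed to match the quoted ones, the Outlook check uses only the boundary prefix the text mentions, and the function names The Bat! only when both clues agree, in line with the single-data-point caveat.

```python
import email
import re

# Constructed sample headers, modelled on the ones quoted above (not real mail).
THEBAT_SAMPLE = """\
Date: Tue, 4 Feb 2025 14:21:08 +0300
From: Aidana <someone@example.invalid>
Message-ID: <155055577.20250204142108@gmail.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------069134143049E2085"

"""
OUTLOOK_SAMPLE = """\
Date: Tue, 4 Feb 2025 11:21:08 +0000
From: Someone <someone@example.invalid>
Message-ID: <000001db7f0a$5c1d2e30$14580ea0$@example.invalid>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0012_01DB7F0A.5C1D2E30"

"""

# Message-ID as generated by The Bat!: <digits.YYYYMMDDHHMMSS@domain>
THEBAT_MSGID = re.compile(r"^<\d+\.\d{14}@[^>]+>$")
# Multipart boundary seen from The Bat!: ten dashes then a short run of hex digits
THEBAT_BOUNDARY = re.compile(r"^-{10}[0-9A-Fa-f]{12,24}$")
# Outlook / Microsoft Mail boundary prefix, as noted in the text
OUTLOOK_BOUNDARY = re.compile(r"^----=_NextPart_")


def fingerprint_mua(raw_headers: str) -> dict:
    """Collect header-format clues; call it The Bat! only when both clues agree."""
    msg = email.message_from_string(raw_headers)
    msgid = (msg["Message-ID"] or "").strip()
    boundary = msg.get_boundary() or ""  # unquoted value of the boundary= parameter
    clues = {
        "msgid_thebat": bool(THEBAT_MSGID.match(msgid)),
        "boundary_thebat": bool(THEBAT_BOUNDARY.match(boundary)),
        "boundary_outlook": bool(OUTLOOK_BOUNDARY.match(boundary)),
    }
    if clues["msgid_thebat"] and clues["boundary_thebat"]:
        verdict = "The Bat!"
    elif clues["boundary_outlook"]:
        verdict = "Outlook/Microsoft Mail (boundary clue)"
    elif clues["msgid_thebat"] or clues["boundary_thebat"]:
        verdict = "possibly The Bat! (single clue)"
    else:
        verdict = "unknown"
    clues["verdict"] = verdict
    return clues


if __name__ == "__main__":
    for sample in (THEBAT_SAMPLE, OUTLOOK_SAMPLE):
        print(fingerprint_mua(sample))
```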
* * *
#### Message Timings
The metadata inconsistency also allows us to get an idea of the scammer's habits, because it enables us to see what time of day they're _really_ replying to emails.
I wrote a quick Processing Engine plugin to extract the relevant headers from emails, convert them into timestamps and write them into InfluxDB 3 Core (there's a full copy of this script in my article-scripts repo):
```python
import mailbox
from datetime import datetime  # timedelta was used for the commented-out offset below
from email.utils import mktime_tz, parsedate_tz

# influxdb3_local, LineBuilder and args are provided by the Processing Engine;
# account and sender_name come from the trigger arguments (account=..., sender=...)
mbox = mailbox.mbox(args["mbox"])
influxdb3_local.warn("iterate")
# Iterate through messages
for i, message in enumerate(mbox):
    if sender_name in message['from']:
        subject = message['subject']
        # Turn the message date header into a timestamp
        mdate = mktime_tz(parsedate_tz(message['Date']))
        # Grab and strip a copy of the message ID for the tag
        # value
        message_id = message['Message-ID'].strip("<>")
        # Chop up the message ID
        # these are of the format
        # aaaaa.YYYYMMDDHHMMSS@somewhere
        mid = message['Message-ID'].split(".")[1].split("@")[0]
        # Parse and adjust to be UTC
        # then convert to ns timestamp
        mid_dt = datetime.strptime(mid, '%Y%m%d%H%M%S')  # - timedelta(hours=TZ_OFFSET)
        # %s is a glibc extension and interprets the naive datetime in the machine's local zone
        mid_ts = int(mid_dt.strftime('%s'))
        # Calculate whether it differs so that we can set a tag
        # We allow a couple of seconds leeway just in case the MUA is racey
        differs = (mdate - mid_ts) > 2
        # Create a line recording both. The timestamp is taken from "Date"
        lp = (
            LineBuilder("scammailtimings")
            .tag("account", account)
            .tag("differs", differs)
            .tag("messageID", message_id)
            .int64_field("id_date", mid_ts)
            .int64_field("date", mdate)
            .int64_field("count", 1)
            .time_ns(mdate * 1000000000)
        )
        # Write
        influxdb3_local.write(lp)
```
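The same comparison as an added stand-alone example (mine, not the author's plugin): it interprets the Message-ID stamp in the offset carried by the `Date` header (both quoted header samples show the stamp equal to the local-time `Date`), so the result does not depend on the analysis machine's timezone, flags postponed sends with the same two-second slack, and counts active days per hour the way the later "hours of activity" query does. The messages are constructed, and the assumption that the sender's offset did not change between composing and sending is labelled in the code.

```python
import email
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Message-ID as stamped by The Bat!: <digits.YYYYMMDDHHMMSS@domain>
MSGID_STAMP = re.compile(r"^<?\d+\.(\d{14})@")
SLACK_SECONDS = 2  # the MUA may stamp Date a moment after Message-ID

# Constructed sample messages (not real mail), shaped like the headers quoted above.
# The second is a postponed send: Date is the scheduled time, Message-ID the click time.
SAMPLES = [
    "Date: Tue, 4 Feb 2025 14:21:08 +0300\nFrom: Aidana <a@example.invalid>\n"
    "Message-ID: <155055577.20250204142108@gmail.com>\n\nfirst\n",
    "Date: Wed, 5 Feb 2025 02:15:00 +0300\nFrom: Aidana <a@example.invalid>\n"
    "Message-ID: <155055578.20250204151042@gmail.com>\n\nsecond\n",
    "Date: Thu, 6 Feb 2025 15:02:30 +0300\nFrom: Aidana <a@example.invalid>\n"
    "Message-ID: <155055579.20250206150229@gmail.com>\n\nthird\n",
]


def send_timing(raw: str) -> dict:
    """Compare when a mail was composed (Message-ID) with when it went out (Date)."""
    msg = email.message_from_string(raw)
    scheduled = parsedate_to_datetime(msg["Date"])  # aware; carries the sender's offset
    m = MSGID_STAMP.match(msg["Message-ID"].strip())
    if m is None:
        raise ValueError("Message-ID does not carry a Bat!-style timestamp")
    # The ID is stamped from the sender's local clock (both header samples above show
    # it equal to the local-time Date), so give it the Date header's offset rather
    # than this machine's zone. Assumption: the sender's offset did not change.
    composed = datetime.strptime(m.group(1), "%Y%m%d%H%M%S").replace(
        tzinfo=scheduled.tzinfo
    )
    delay = int((scheduled - composed).total_seconds())
    return {
        "composed_local": composed,
        "composed_utc": composed.astimezone(timezone.utc),
        "scheduled_utc": scheduled.astimezone(timezone.utc),
        "delay_seconds": delay,
        "postponed": delay > SLACK_SECONDS,
    }


def activity_by_hour(raws) -> dict:
    """Number of distinct days with at least one mail composed in each local hour."""
    days = {}
    for raw in raws:
        local = send_timing(raw)["composed_local"]
        days.setdefault(local.hour, set()).add(local.date())
    return {hour: len(d) for hour, d in sorted(days.items())}


if __name__ == "__main__":
    for raw in SAMPLES:
        t = send_timing(raw)
        print(t["composed_utc"], t["scheduled_utc"], t["delay_seconds"], t["postponed"])
    print(activity_by_hour(SAMPLES))
```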
I added the accounts into Thunderbird and passed the script the path to Thunderbird's local store. Technically, it's possible to fetch the mail directly using `imaplib` but, to connect to GMail, you have to jump through a bunch of OAuth hoops and I didn't really feel it was worth the effort.
I added a scheduled plugin trigger for each account so that the script would periodically check for messages and automatically update the database:
```bash
docker exec -it timings influxdb3 create trigger \
  --trigger-spec "every:60m" \
  --plugin-filename "timings.py" \
  --trigger-arguments "mbox=/mail/INBOX,account=andy,sender=Aidana" \
  --database timingsdb \
  email-timings
```
Having the data in InfluxDB allowed me to easily compare patterns across recipients.
For example, the following looks at how much variance there is between Andy and Carl (before he got dumped):
```sql
SELECT
  -- convert the ID date to nanosecond epoch
  -- and from there to a time column
  to_timestamp(id_date*1000000000) as time,
  account,
  count(account) as count
FROM scammailtimings
WHERE
  account IN ('andy', 'carl')
GROUP BY account, id_date
ORDER BY time ASC
```
This generates the following graph:
If you look closely, you can see that, whilst Carl was active, the bars were pretty close together.
This tells us that the scammer consistently hit "Send" in their MUA at around the same time for each recipient.
We can then change the query to look at the `Date` header (i.e. when the scammer scheduled the mail to send):
```sql
SELECT
  to_timestamp(date*1000000000) as time,
  account,
  count(account) as count
FROM scammailtimings
WHERE
  account IN ('andy', 'carl')
GROUP BY account, date
ORDER BY time ASC
```
Initially, there were some quite significant differences but, in the run up to Carl getting dumped, they drew closer together.
The first emails were written in the early afternoon but scheduled for sending in the small hours of the next day.
Running the same query across all of my personas shows a similar pattern across the board: scheduled send times vary but the **actual** send times of emails to each persona are all _extremely_ close to one another.
This data tells us that:
* There's probably one person behind the emails
* They likely do all of their day's work in one sitting
* They do so at different times of the day.
Although they still make up a non-negligible proportion, delayed sends are in the minority:
```sql
SELECT
  differs,
  count("date")
FROM scammailtimings
GROUP BY differs
```
It's not entirely clear why, but scheduled sending is primarily used in the early stages - I observed the same happening in a later campaign.
* * *
##### Email Hours of Activity
We can also use the data to check whether the scammer has any particular hours of operation during the day.
This query provides a count of how many days saw activity in the given hour:
```sql
SELECT
  COUNT(val) as days_active,
  hour
FROM
(
  SELECT
    extract(hour, to_timestamp(id_date*1000000000)) as hour,
    1 as val
  FROM scammailtimings
)
GROUP BY hour
ORDER BY hour ASC
```
The data can also be used to generate a heatmap to show whether there are any patterns on particular weekdays.
As with the previous queries, the value is the number of days which had at least one email sent, rather than a count of emails sent:
* * *
#### Travel Info and PDF Generation
As the playbook progressed, Aidana talked about her upcoming flight to the UK.
So that Andy would know when he needed to collect her from the airport, she provided a PDF copy of her e-ticket:
The first thing of note here is that the flight numbers and timings are real, I was able to look them up on the Turkish Airlines website:
The e-ticket itself is, of course, fake and there are some inconsistencies within it (the QR code contains text about skyscanner.ru and the baggage allowance is wrong).
Using `pdfinfo` to dump the PDF's metadata also revealed some interesting intel:
```
$ pdfinfo 20250221_attachment_2.pdf
Title:           Microsoft Word - e-tickets London
Author:          <redacted>
Creator:         Bullzip PDF Printer (11.10.0.2761)
Producer:        PDF Printer / www.bullzip.com / FG / Freeware Edition (max 10 users)
CreationDate:    Thu Feb 20 16:26:39 2025 GMT
ModDate:         Thu Feb 20 16:26:39 2025 GMT
```
The author info contained a common Russian name. I've redacted it because of Rule 2.
One of the final emails included another PDF that purported to be a bank statement - the metadata on that indicated that it was created by the same author.
* * *
#### Passport Photo
The email that had provided the e-ticket also had an image purporting to be of Aidana's passport (the `Fake` markings are mine):
Unsurprisingly, it had been photoshopped; however, the metadata on it was more interesting than on most of the other images.
All of the previous images had been stolen from an Instagram profile. Instagram routinely strips source metadata (because Meta want to be the only ones hoovering up other people's data).
This image, however, hadn't passed through Meta's bowels and so still had its original metadata:
The photo was originally taken in January 2023 on an iPhone 7 Plus.
There was no geo-location metadata, but further down the (long) list of entries was the original timezone offset: `+0600`:
The number of regions in UTC+6 is much smaller than in UTC+3:
Omsk oblast borders Kazakhstan, so it's quite possible that the original photo was taken during "extra checks" of a Kazakh national's crossing.
Russia is also the only country which appeared in our UTC+0300 list:
Whilst it's _possible_ that a passport photo might get bandied about internationally, it seems fair to conclude that the author of the emails is likely to be in Russia rather than Belarus or Ukraine.
* * *
#### The Visa Photo
As Aidana's plans began to fall apart, to help reassure (and convince) Andy, she sent a photo of her visa to work in the UK.
Just like the passport photo, it hadn't passed through Meta and so had its original metadata intact.
The metadata suggested that the image had been photoshopped by someone _other than_ our scammer: Not only did it report a different version of Photoshop (Creative Studio 2), but the modification date indicated that the photoshopper was in a different timezone to the scammer:
The metadata also showed that the original photo had been taken in that same timezone (using a Meizu M6S):
This suggested that the work had been outsourced to someone more able to convincingly photoshop official documents (who, presumably, has their own set of base images to work from).
There was definitely some attention to detail: the scammers had even ensured that the passport number on their fake visa matched the one on their fake passport.
However, the age of the original photo is, _technically_, an issue.
The photo was taken in February 2023, but the UK changed the visa vignette later that year. This means that there are a number of observable differences between the provided visa and any issued this year:
Of course, it's _extremely_ unlikely that a target would spot this issue and the visa is ultimately a pretty convincing fake.
* * *
#### Fake Dental Practice Website
Eventually, Aidana provided me with a link to the website of her employer:
> I forgot to give you the website ckdent.tilda.ws of the clinic where I work in Almaty.
The bits that I've blurred are both the same phone number as Aidana had provided in an earlier email.
Interestingly, the links at the top didn't work - clicking Специалисты (Specialists) updated the page fragment but didn't take me anywhere. Scrolling down though revealed a section with staff images:
Айдана is Aidana, the profile text describes her as a "tooth fairy for children".
Checking the `Last-Modified` header for this image shows that it was uploaded in June 2024:
So, they've likely been using this site for a while: June 2024 is also when they photoshopped a ring out of one of the PT's images and is slightly before the photo of a handwritten note was created.
This supports the idea that they developed this persona and storyline around that time.
If we check in Google Maps, we can see that they're impersonating a real business - there **is** a dentist at the listed address:
Unsurprisingly, their contact number is **not** the same as on the site that the scammer sent.
The **other** thing that's important here is that this website appears to be used for other campaigns too. For example "Svetlana" also claims to live in Almaty, works as a dentist and looks _quite a lot_ like one of the staff photos.
* * *
### Section 6: Corroborating Information From Other Campaigns
At the beginning of this post, I mentioned that recruitment for another identical looking campaign started up in February:
I had some personas respond to this too, to confirm whether the observed behaviour seemed to align with what I've written in this post.
However, it yielded much more than this: the first reply came through whilst I was working on drafting this post and there were some real similarities in the mail headers:
```
Received: from [192.168.0.103] ([188.187.xxx.xxx])
        by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-43b7371701esm125442985e9.17.2025.03.02.05.30.57
        for <redacted>
... snip ...
Date: Sun, 2 Mar 2025 10:21:11 +0300
From: "viktory23@milen2.com" <viktory23@milen2.com>
To: George <redacted>
Message-ID: <1711410497.20250302102111@milen2.com>
Subject: Greetings!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------06D0E00071963CB3A"
```
We can tell from `Message-ID` and the boundary format that the author is using `The Bat!`.
However, there's a slight difference in the `Received` header - this time the connection did **not** come via the VPN box.
In fact, that IP belongs to the consumer subnet of a Russian ISP:
```
inetnum:        188.187.168.0 - 188.187.175.255
netname:        ERTH-YOLA-PPPOE-3-NET
descr:          CJSC "Company "ER-Telecom" Yoshkar-Ola
descr:          Yoshkar-Ola, Russia
descr:          PPPoE individual customers
country:        RU
admin-c:        ETHD12-RIPE
org:            ORG-CHYB3-RIPE
```
Yoshkar-Ola is the capital of Mari El which sits quite nicely in a UTC+3 timezone.
Fun fact: it's also the location of the prison where Prigozhin was filmed promising convicts release if they fought in Russia's attack on Ukraine.
Ukraine is doubly relevant here because the scammers are also using photos of Ukrainian blogger and model Natalia Krasiuk, and the cheeky bastards are even sending out a photo of her with Ukrainian flag ribbons tied in her hair.
Getting back to the mail headers, though, there are two likely possibilities here:
* This is another scammer, part of the same (local) group as the first
* This is the original scammer and they forgot to enable their VPN before replying
I replied a couple of times to see whether messages eventually started arriving via the original box, but they did not. Other evidence also supports the idea that they were being sent by a different person:
* The messages routinely lacked `In-Reply-To` headers
* Not replying didn't lead to me getting told off, the scammer just kept replying and progressing Vika's storyline (even referring to replies that I hadn't sent!)
Rule 2 loomed large though, so I didn't dig too far.
* * *
#### Common Backstory Elements
Although the reason for it differs, the personas used by the scammers often have no family: their parents are usually dead or estranged.
> Today I want to tell you about my family and childhood. I didn't see my mom and dad. Dad was in a car accident when Mom was pregnant. When my mother gave birth to me, she died. I always dreamed of having parents like other children. When I was 4 years old, my uncle took custody.
>
> I lived with him for two years. But then he began to abuse alcohol. And he was deprived of custody rights.
It seems likely that this is intended to convey that they have no real ties to their current country, so would be free to come and live with the victim.
* * *
### Section 7: Conclusion
Stitching it all together then: there's a reasonable amount of evidence to suggest that the scammer that I was conversing with is Russian.
However, they do not appear to be operating entirely on their own - at the very least, they solicited the assistance of a photoshopper in order to generate some (visibly convincing) forgeries of official documents.
From onboarding to money request, the scam took about 3 weeks to play out, though it _felt_ as though I'd been talking to them much longer.
During the course of the scam, I received multiple phone calls (some pre-announced, some not) from my Kazakh "girlfriend", along with a call from someone purporting to be an official running safety checks. These calls served no purpose other than to try and reinforce my belief in the storyline.
The scam is designed to entrap the lonely and the vulnerable: it's quite easy to see how someone who **wants** to believe that they're finding a companion for life could be drawn in before eventually being manipulated into sending money.
For all that I've documented here, many of the intended targets of this type of scam simply don't stand a chance, because the scammer spends _weeks_ building trust before hitting an "unexpected" hump in the road.
Even if a victim's suspicions do get aroused, the materials that the scammers provide contain _just enough_ truth to stand up to basic scrutiny. A cursory search would validate the airline ticket, the certificate from the EMA and even the address of Aidana's claimed employer.
Where that isn't enough, the scammer uses emotional manipulation to try and get the victim over the line: she's given so much, _how could you_ doubt her?
Presumably, the storyline and the techniques must work because the evidence suggests that they've been using the Russian PT's images in their scams since _at least_ June 2024.
Although observing my rules of engagement meant that I didn't go too far down the rabbit-hole, analysis of the scammer's communications revealed a bit about their habits, including which mail client they use and the fact that they sometimes use its delayed send functionality.
Much like bad spelling in 419 emails, the opener acts as a sort of filter: you're either going to fall for it or you're not. Presumably, this gives the scammer something of a false sense of security. They were more readily trusting and certainly leaked quite a bit more metadata than I had been expecting - despite Rule 2 meaning that I didn't go looking for identities, I _still_ ended up with a name and a home IP being essentially handed to me.
Of course, it might also just be that they don't care - it's not as if the Russian police are ever going to be knocking on their door, after all.