@katie_official__12 INVESTIGATIVE REPORT

wehackscammers.github.io
Contact: wehackscammers@protonmail.com
We Hack Scammers

Executive Summary:

On January 24th, 2022, an investigation into the Instagram account @katie_official__12 [1] and their backup page @katie_official_back_up_page [2] began after we noticed accounts reposting similar content [3]. These promotional posts claimed @katie_official__12 was their personal investor who was able to make them 1000% or more return on investment (ROI) in cryptocurrency (crypto) and/or foreign exchange (forex) trading within a 24 hour or less time frame. Because this activity seemed very similar to recent scams, and because account owners posting promotions were later found to have had their Instagram accounts hacked, been locked out, and/or had another person posting on their behalf [4], it is important that this matter be taken seriously.

As this report will detail, it appears that the @katie_official__12 account is promising users unrealistic ROI following their “own way of trading”. This account has also stolen the likeness, images, and Instagram content of one Veronique Prins (@jezaakvoorelkaar) [5] in order to appear more professional/trustworthy as a scammer. @katie_official__12 will also take over other users’ accounts to use as a promotional platform and gain access to potential new victims by impersonating one of their followers.

It is uncertain at this time specifically how @katie_official__12 is executing the scam (as determining this would require illegally setting up crypto wallets with fake identities), but after our investigation, it is suspected that users with limited or no knowledge of crypto or forex are convinced to create a new wallet, activate funds, and then transfer funds to @katie_official__12, who claims to “invest it” for them.
It is also uncertain how @katie_official__12 is gaining access to other users’ Instagram accounts; however, it is theorized that access is gained through a mixture of social engineering and examining data dumps from past data breaches to find login credentials.

Goal:

To prove a scam is in operation by providing evidence collected from an investigation, and to prove the scammers have committed a punishable offense warranting a ban from Instagram and legal action.

How the Scam Works:

As previously mentioned, this investigation was conducted within the confines of the law, and as such was unable to discover all of the operational details surrounding how the scam works. Any and all speculation from the investigators will be explicitly stated and separated from evidence and facts. The following information was gathered through the creation of a sock puppet account that was used to engage the scammer and investigate different posts and profiles associated with the scammer.

FINANCIAL THEFT

The scam begins with a user either being direct messaged (DMed) by, or actively DMing, one of the two accounts belonging to the scammer (@katie_official__12 or @katie_official_back_up_page):

Once interest is established, the scammer explains how their ‘investment opportunity’ works. In this case, we were promised a daily profit of 1000% ROI with a minimum investment of $500 and only needing to pay 10% of the profit:

The scammer will then request that money be transferred through PayPal or eTransfer if the user has existing accounts. If this becomes an issue for whatever reason, the scammer will also suggest a variety of crypto services that can be utilized, such as Bitcoin.com or Trust Wallet, requiring a screenshot of the profile as evidence [6].
It should be noted that both Bitcoin.com and Trust Wallet are owned by companies that exist outside of the United States (Bitcoin.com being located in Saint Kitts and Nevis, while Trust Wallet is owned by Binance, who operate out of the Cayman Islands). This may be done to avoid the heavy restrictions and active investigations into illegal financial operations such as this.

At this point we were unable to continue walking through the scam, as we would have had to make a crypto wallet using a fake identity (for our security), which is illegal. However, through investigating other comments, posts, stories, and profiles related to the scam, it is assumed that the following occurs to users who continue past this point.

Once a payment platform is chosen and an account is verified, the user will be requested to send the minimum investment (in this case $500) to the scammer’s account, unless they choose to invest more. It is possible that the scam may end here, with the scammer ending communications once the money is received. However, as seen from the promotional stories from hacked accounts and from @katie_official__12 themself, we believe the scam continues, relying on the user’s unfamiliarity with crypto/forex to steal more money. The scammer will likely send pictures of an account showing the promised ROI without transferring anything back to the user, either requesting the 10% payment first or convincing them that the money is on its way and to invest again. This pattern would likely continue until the user figures out they have been wronged, the scammer cuts communications, or the scammer attempts to take over the account.

ACCOUNT TAKEOVER

As mentioned before, this scam was discovered after a user was uncharacteristically posting promotional material for @katie_official__12.
It is known that this material was not posted by the original owner of the account, as that user later created a secondary account after being locked out of their original account, stating in their bio [4]:

This secondary goal of the scam serves to promote the primary goal of financial theft. This aspect of the scam was harder to investigate, as we were not able to personally walk through the entire financial aspect of the scam and did not have a sock puppet account with enough followers to be of interest to the scammer. Examining the hacked accounts, we developed two separate theories, backed by evidence, that explain how the scammer may have been able to access these accounts. It should also be noted that to identify a hacked account in relation to this scam (and other crypto/forex scams), not only can recent unusual/promotional content be an indicator, but the scammers will also add numbers to the end of the username so they can easily reference their accounts (e.g. changing @myname to @myname372).

THEORY #1 - SOCIAL ENGINEERING

Using a hacked account, the scammer will either DM followers of the hacked account or post “challenges” for the account’s followers to DM a response, enticing users to join the scam. Because the user thinks they are messaging one of their followers, they will be more likely to go through with the financial scam or provide their phone number/email address. With this additional line of communication that is not filtered for malicious links, tools can be used by the scammer to gather login information for the user’s account. Once the scammer gains access, the email and password can be changed to prevent the previous user from logging back in. This allows the scammer to repeat the cycle with the newly hacked account’s followers. A near victim of a separate crypto scammer was approached this way before realising it was a scam and blocking the account:

As can be seen, in this scam, the scammer attempted to get the user’s phone number and send them a link to verify a “pending” payment to PayPal. It can also be seen that the scammer asked the user to change their username to have numbers at the end. In this particular case, the user realized the scam before sending the scammer the link, deleted the message and blocked the account.

THEORY #2 - DATA BREACHES

Searching through credentials in leaked customer databases, a scammer may attempt to use a user’s username and/or email to find any leaked passwords and attempt to use them to log into a user’s account. If successful, the scammer can then change the login credentials, locking the original user out. This would require extra effort and access to different tools and, if true, may indicate a larger group behind the scam. The evidence for this theory comes from a victim whose account was hacked in a different scam, despite claiming to have never interacted with this scammer’s main account or any accounts claiming to have investment opportunities. We cross-checked the user’s email (and corresponding passwords) used for Instagram on haveibeenpwned.com and found that it showed up in over 10 data breaches, none of which were from Instagram specifically.

These photos show the victim explaining what the scammer did to lock out the original user, as well as an image from a friend/follower of the user who was DMed by the hacked account. It is also notable that, again, this account was changed to have a number at the end of the username.

PROVING IDENTITY THEFT

While it may appear obvious that this account is a scam, it is still important not only to prove that the account is undoubtedly operating as a scam, but also to provide evidence that the account is committing some enforceable offense.
In the case of @katie_official__12, we can prove both that the account is a scam and that it is stealing content that belongs to another individual, along with their likeness, and passing it off as its own.

GRAMMAR MISTAKES

Grammar mistakes in and of themselves should not be used to determine whether an account is a “scam” account or not; however, they can be used as supplementary evidence, especially when the account owner claims to be a native English speaker. Because a large portion of scam operations are located in non-native English speaking countries, it would make sense that the content they produce would contain easily identifiable grammar mistakes, especially when coupled with formatting errors, as if the content was ‘copy pasted’ from somewhere. There are plenty of examples of @katie_official__12 making grammar mistakes; in fact, they can be seen in almost every post/message. To highlight a few, see the below image:

Additionally, signs of repetitive copy-pasting of content indicate the use of a translation tool, automation, or repurposed content. This can be seen in several posts, with a few highlighted below:

The two leftmost images show an unusual formatting of the post’s description, awkwardly having newlines cut off mid-sentence, almost as if the text was not copied over correctly from some other source. This is a recurring pattern in @katie_official__12’s posts. The below photo is an example of very generic content that is obviously being reused from its original purpose by the scammer to quickly create more content and pass themselves off as more professional.

UNREALISTIC CLAIMS

Another indicator of a scam account is when the account makes unrealistic claims, especially if the claims involve monetary involvement from other users. As has been mentioned (and seen in the previous section’s image), the claims made by @katie_official__12 are unattainable and require a financial investment on the part of the victims.
Specifically, the scam claims that every day, with a minimum investment of $500 USD, a 1000% ROI can be made within 2-4 hours and that the user only has to pay a 10% fee on the profits. With crypto and forex having many headlines about individuals who get rich overnight, it is easy to convince people unfamiliar with the technology that this kind of return is normal. However, not only are the amount and the time frame in which it is obtained absurd, but the idea that this can be repeated on a daily basis is not something that can be promised and is a clear indicator of a scam.

STOLEN IDENTITY

While promising individuals money after receiving their investment without repayment is fraud and illegal, without victims coming forward with direct proof, it is hard to punish. In the case of @katie_official__12, there is another punishable crime being committed that is not only against the Instagram Terms of Service, but also illegal. This secondary offense is stealing the identity and content of one Veronique Prins (@jezaakvoorelkaar) [5] in order to appear more professional as a scammer. There are many details throughout both the @katie_official__12 and @katie_official_back_up_page accounts that point to this identity theft, but the below three are the key factors of the investigation that definitively prove it.

DATE DISCREPANCY: BACKGROUND FLYER

In a post found on both the @katie_official__12 and @katie_official_back_up_page accounts, “Katie” can be seen standing in front of an outdoor bulletin. While the post is tagged as being located in Miami, Florida from January 3rd 2022, upon looking at the text on the bulletin posters it appears to be in a foreign language. Much of the text cannot be seen in full, but one flyer that stands out in the top right corner appears to have the words “Stille Heldinnen Disco XL”. Using Google Translate, the phrase translates to “Silent Heroines Disco XL” from Dutch.
When Googling the event name, the same flyer can be found advertising an event for the “Silent Heroines Disco” in March 2020 at the Rotterdam Schouwburg theater.

And when one Googles the Rotterdam Schouwburg theater, it is found to be located in Rotterdam, Netherlands. This makes sense, as Dutch is the official language of the Netherlands. Due to the two-year discrepancy of the date (March 2020 vs January 2022) and the location being in an entirely different country (Netherlands vs United States), this heavily suggests that any ‘personal’ content posted on these accounts is falsified and cannot be trusted.

LOCATION DISCREPANCY: CENTRAAL STATION BUILDING

On the website for the “Silent Heroines Disco” event (womenconnected.nl/project/stille-heldinnen-2020/), an image can be seen in one of the site’s collages that shows a group of women in front of a building with the words “Centraal Station”. In one of @katie_official_back_up_page’s Instagram photos, the woman in the account’s profile pic (being passed off as “Katie”) can be seen walking her dog in front of the same building.

Searching for “Centraal Station Rotterdam” (the same city as the “Silent Heroines Event”), we can find a matching building listed as the “Rotterdam Centraal Railway Station” on Wikipedia:

This definitively places the individual being passed off as “Katie” in Rotterdam, Netherlands, despite the Instagram tag claiming to be in Miami, Florida. This adds additional evidence to suggest that not only has one of the posts been falsified, but that likely the entirety of “Katie’s” backstory is falsified, with the photos potentially belonging to a different individual who lives in this region of the Netherlands.

IDENTITY THEFT: REVERSE IMAGE SEARCH

While the previous two pieces of evidence prove the deceptive nature of this account and further indicate it is indeed a scam, they do not provide any punishable offenses for which the account can be taken down. This is why this third piece of evidence is so critical, as it uses the previous two pieces to confirm this scam account is stealing the likeness and content of another to appear more trustworthy.

There is a photo that appears on both the @katie_official__12 and @katie_official_back_up_page accounts that shows “Katie” at the head of a large group of women, seemingly all a part of a conference due to the group’s identical lanyards and business-formal attire. When this photo is run through the TinEye reverse image search engine, there are two results that both point to the same page of a website titled kevinknippingphotography.com.

The site belongs to a personal photographer who is hired for events and publishes his work on his website, with one of the events he worked being where this photo was taken. Looking at other photos from the same event, it appears that “Katie” is a headliner, giving a speech in one photo and in another having her face in the event advertisement.
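
The two hacked-account indicators given under ACCOUNT TAKEOVER (unusual promotional posts, and digits appended to the username) can be combined into a simple triage check. This is an added example, not part of the original report; the function names, keyword list, handles and captions are all constructed for illustration.

```python
import re

# Constructed keyword list modelled on the promotional reposts described in the report.
PROMO_RE = re.compile(r"\b(invest\w*|roi|forex|crypto\w*|bitcoin)\b", re.I)
MENTION_RE = re.compile(r"@[\w.]+")

def appended_digits(old, new):
    """Return the digits if `new` is exactly `old` plus trailing digits, else None."""
    old, new = old.lstrip("@").lower(), new.lstrip("@").lower()
    tail = new[len(old):] if new.startswith(old) else ""
    return tail if re.fullmatch(r"[0-9]+", tail) else None

def promo_captions(captions):
    """Captions that tag another account and use investment vocabulary."""
    return [c for c in captions if MENTION_RE.search(c) and PROMO_RE.search(c)]

def triage(old, new, captions_after):
    """One indicator alone means manual review; both together suggest a takeover."""
    reasons = []
    digits = appended_digits(old, new)
    if digits:
        reasons.append(f"digits '{digits}' appended to username")
    promos = promo_captions(captions_after)
    if promos:
        reasons.append(f"{len(promos)} promotional caption(s) after rename")
    return ("ok", "review", "likely-compromised")[len(reasons)], reasons

# Constructed sample data: (old handle, new handle, captions posted after the rename).
SAMPLE = [
    ("@myname", "@myname372",
     ["My personal investor @example_trader made me 1000% ROI in 3 hours!"]),
    ("@runner", "@runner2022", ["Marathon done, thanks @coach.example"]),
    ("@myname", "@my.name", ["Heroine of the day: my dog"]),
]

if __name__ == "__main__":
    for old, new, captions in SAMPLE:
        level, reasons = triage(old, new, captions)
        print(f"{old} -> {new}: {level} {reasons}")
```

A digit suffix on its own is only graded "review", since plenty of legitimate users add a year or number to their handle.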