Reconnaissance
Acquiring their real IP addresses
Last updated
After I started getting very suspicious, I decided to start collecting as much information as I possibly could. Of course, there's no way for anyone to know who or where these people are, as communication was only done through Telegram and emails. With some clever social engineering, I made some of the admins visit a link leading to a fake screenshots website, which I sent them so they could fix some spelling mistakes on their website. The fake website was tracking all the visits that came in. Of course, the only visits were from the fraudsters, since the page I provided was not linked from any other page or website, and no one could access it except the receiver of the email.
Fortunately, one of them visited the web page from a phone while connected to a residential IP, in the afternoon, in the evening, and again the following afternoon, which told me that it was the perpetrator's personal mobile internet connection, which is always linked to a mobile contract, specifically from Hyperoptic Ltd in the UK. This is the first residential IP that we can directly connect to one of the perpetrators.
I let a week pass by, and I created a fake media publishing website. I emailed the Orbeon team posing as a journalist interested in writing a piece about Orbeon Protocol. The email included a signature with links to the fake media publishing website, which logged all incoming traffic. A unique identification reference was assigned to every address I sent to, which made it possible for me to know which IP accessed the website and from which email.
One of the admins was careful and visited the website from the support email through a proxy IP, specifically a Squid proxy set up on a DigitalOcean Droplet. The other admins weren't as careful and visited the website over a direct internet connection. The emails in question were the same support email, plus alex and sienna @orbeonprotocol.com.
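The per-recipient tracking link described in the two paragraphs above, written out as an added example rather than the author's own tracker. Everything here is constructed: the domain news.example, the recipient addresses, the IPs (RFC 5737 documentation ranges) and the visit times are made up. The point it adds is the two checks a practitioner wants in such a setup: log the TCP peer address rather than any forwarded header, and group the hits per recipient and per IP so that repeated visits over several days from one residential address stand out from a one-off visit through a proxy.

```python
"""Per-recipient tracking links: mint an unguessable token for every address
you email, log each visit against the TCP peer address, then group the hits
by recipient and IP.  Added example; names, IPs and times are constructed."""
import secrets
from collections import defaultdict
from datetime import datetime, timezone
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse


class Tracker:
    def __init__(self):
        self.tokens = {}   # token -> recipient address it was sent to
        self.hits = []     # every visit that carried a known token

    def link(self, base_url, recipient):
        """Bind a fresh 128-bit token to one recipient and return the link."""
        token = secrets.token_urlsafe(16)
        self.tokens[token] = recipient
        return f"{base_url}/press?ref={token}"

    def record(self, token, peer_ip, user_agent, when):
        """Log a visit.  peer_ip must be the TCP peer, never X-Forwarded-For:
        a visitor behind a proxy can set that header to anything."""
        recipient = self.tokens.get(token)
        if recipient is None:
            return None          # scanner or guessed token, not one of our emails
        hit = {"recipient": recipient, "ip": peer_ip,
               "user_agent": user_agent, "time": when}
        self.hits.append(hit)
        return hit

    def attribution(self):
        """recipient -> ip -> sorted list of visit times."""
        out = defaultdict(lambda: defaultdict(list))
        for h in self.hits:
            out[h["recipient"]][h["ip"]].append(h["time"])
        return {r: {ip: sorted(ts) for ip, ts in ips.items()}
                for r, ips in out.items()}

    def span_hours(self, recipient, ip):
        """Hours between first and last visit from one IP.  A span across
        days on a residential range points to a stable home or mobile line
        rather than a throwaway proxy that is used once."""
        times = self.attribution()[recipient][ip]
        return (times[-1] - times[0]).total_seconds() / 3600


def make_handler(tracker):
    """HTTP handler that records the peer address of every request."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            token = parse_qs(urlparse(self.path).query).get("ref", [""])[0]
            tracker.record(token, self.client_address[0],
                           self.headers.get("User-Agent", ""),
                           datetime.now(timezone.utc))
            self.send_response(200)
            self.send_header("Content-Type", "text/html")
            self.end_headers()
            self.wfile.write(b"<html><body><h1>Press</h1></body></html>")

        def log_message(self, *args):  # keep stdout quiet; hits live in tracker
            pass
    return Handler


def demo():
    """Constructed visits: one recipient hits the link three times over two
    days from one IP, one hits it once, and one request carries a bogus token."""
    t = Tracker()
    links = {a: t.link("https://news.example", a)
             for a in ("support@example.com", "devops@example.com")}
    tok = {a: parse_qs(urlparse(l).query)["ref"][0] for a, l in links.items()}
    phone = "Mozilla/5.0 (Linux; Android 13)"
    utc = timezone.utc
    t.record(tok["devops@example.com"], "203.0.113.7", phone, datetime(2023, 3, 1, 14, 5, tzinfo=utc))
    t.record(tok["devops@example.com"], "203.0.113.7", phone, datetime(2023, 3, 1, 19, 40, tzinfo=utc))
    t.record(tok["devops@example.com"], "203.0.113.7", phone, datetime(2023, 3, 2, 15, 12, tzinfo=utc))
    t.record(tok["support@example.com"], "198.51.100.20", "curl/8.0", datetime(2023, 3, 1, 16, 0, tzinfo=utc))
    t.record("not-a-real-token", "192.0.2.99", "python-requests", datetime(2023, 3, 1, 16, 1, tzinfo=utc))
    return t


if __name__ == "__main__":
    tracker = demo()
    for recipient, ips in tracker.attribution().items():
        for ip, times in ips.items():
            print(f"{recipient} -> {ip}: {len(times)} visit(s) over "
                  f"{tracker.span_hours(recipient, ip):.1f} h")
    # To serve it for real:
    # HTTPServer(("0.0.0.0", 8080), make_handler(tracker)).serve_forever()
```

The visitor who came through the Squid proxy shows up here as the Droplet's address, not their own, which is exactly why the peer address and not a forwarded header is logged: the proxy tells you that the recipient is careful, and nothing more. A token that is not in the table is dropped rather than logged, so link scanners and mail-security crawlers that guess at the path do not pollute the attribution.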
This time, the IP is a static business IP that doesn't change. The IP is from COLT Technology Services Group Limited, leased to WeWork UK Limited.
I didn't get any replies. It's strange that a startup doesn't want to get media coverage. Unless it's a scam of course.
I then followed up multiple times and forwarded the email to every Orbeon email address I knew was valid, including marketing, devops, alex, sienna, oli and eddie @orbeonprotocol.com. I managed to lure one of them into visiting the website from the devops email, which logged another residential IP, from Virgin Media Limited UK in Lewisham. It is safe to say that the fraudsters are mainly in the UK, and some are operating from a WeWork co-working space somewhere in London.