IP Addresses

Tracking them down with IPs and social engineering.

#1 Hyperoptic Residential IP

I tracked one residential IP address, most likely registered to one of the fraudster's mobile contract. This is the first IP I extracted by creating the fake article.

ISP: Hyperoptic Ltd IP: 140.228.56.222 Type: Residential/Mobile IP Timestamp: 3 Feb 2023 - 12:40:42 Coordinates - 51°27'22"N 0°58'16"W

Fortunately, after contacting Hyperoptic, they confirmed that they retain customer data for seven years, including who was logged in on a specific IP on a specific Timestamp. I also contacted the National Crime Agency UK, which handles Cybercrime, and asked how long it would take to get a warrant for a scammer’s identity linked to an IP from the ISP. Their reply was that it would take two to five days. In this case, the authorities can get a warrant against the perpetrator’s IP to discover the user’s real identity that was connected to the IP at the timestamp mentioned above.

#2 WeWork Business IP

I tracked the fraudsters to an office in London operated by Wework UK Limited. WeWork would be the obvious choice to work on a scam operation, with a $299 all-access monthly membership plan and no contracts. WeWork Operates 49 Co-working offices across London. However, the fraudsters seem to always go to the same one since I got multiple hits on different dates from this IP.

ISP: COLT Technology Services Group Limited IP: 213.86.221.106 Type: Business IP: Static IP Lease: WeWork UK Limited Timestamp: 8 February 2023 – 17:04:21 Coordinates - 51°30'31"N 0°7'33"W

The above business static IP can only be assigned to one office.

To narrow down the search myself, I used several IP-to-Location services and plotted all WeWork London offices manually based on their physical address on Google Maps. I then plotted the WeWork IP I acquired. Due to the difference in accuracy between each service I used, I got four different locations for the IP. The Red markers are in four different locations, along with all WeWork offices in Blue. One stood out as it’s right on one of WeWork’s offices (far right). The office in question is WeWork, 30 Churchill Place, London E14 5RE, UK (Canary Wharf).

I needed to confirm the above location. Therefore, I created a project on UpWork titled "Calling all London freelancers at Canary Wharf" and requested custom website development. I got several bids, two of which were working from, you guessed it, WeWork Canary Wharf. I politely asked them for the office IP, and they gladly shared it with me. It was a 100% match. We now know for certain that some of the fraudsters are working from the following office:

WeWork 30 Churchill Place London, England E14 5EU.

The good thing about WeWork is that to get both WeWork On Demand and WeWork all access, you need to provide identification such as a national ID or passport. Additionally, when arriving, you can only access the building by swiping the WeWork card, which tells WeWork which customers are in the building at any given time.

#3 Virgin Media Limited IP

ISP: Virgin Media Limited IP: 80.235.222.154 Type: Residential/Mobile IP Timestamp: 22 Feb 2023 - 14:37:42

The above IP was traced from devops@orbeonprotocol.com, meaning that the person behind it is directly involved in the scam. The above IP is a residential/mobile IP from Virgin Media Limited. The authorities can easily get a warrant against the IP to identify the fraudsters.

With a warrant, the authorities can ask Virgin for the residential or mobile contract that was using that IP at the specific timestamps from the multiple hits I gathered. A contract is always tied to a legal person or a business.

#4 British Telecommunications PLC

This IP was traced from marketing@orbeonprotocol, again directly involved in the project.

ISP: British Telecommunications PLC IP: 209.93.183.18 Type: Residential/Mobile IP Timestamp: 23 Feb 2023 - 19:36:42

This is another residential IP that can be traced to a real identity with the proper warrants.

#4 Squid Proxy

ISP: Digital Ocean IP: 167.99.243.233 Type: VPS Timestamp: 30 Jan 2023 - 13:42:49

This proxy was set up so that the fraudsters could relay their internet connection through it and conceal their real IPs. The proxy doesn’t allow basic authentication, meaning that when setting it up, they whitelisted IPs that would be allowed to access the proxy. Those IPs can potentially be the home and workplace IPs of the perpetrators in London and beyond.

As a matter of fact, we know that there are over 18 admins in the Telegram group, some of which greet the members with Good Morning when it's evening in the UK. That means that some fraudsters are overseas in faraway countries, but never far from justice.

With the squid proxy data, it would be easy to get to all of them. The authorities can request a warrant to get a snapshot of the Digital Ocean droplet, which can then be booted on a new server so that authorities can access and retrieve all the whitelisted IPs leading to the fraudsters’ homes and offices in the UK and beyond.

Since the proxy was set up long ago, we can assume that access logs would show the fraudsters continuously accessing the other projects mentioned before and even others we don’t know about, with their real IPs. This proxy is critical to the investigation and can link many of the scammers to the entire operation, including past and current scams.

5# Other IPs

Some other IPs I managed to track down with social engineering.

ISP: Plusnet IP: 209.93.183.18 Type: Business Location: Mitcham, Merton, United Kingdom Timestamp: 23 Feb 2023 - 20:55:22

ISP: Ask4 Limited IP: 213.143.10.197 Type: Business Location: Sheffield, United Kingdom Timestamp: 2 Mar 2023 14:56:11

ISP: Avast Software IP: 5.62.43.123 Type: VPN Timestamp: 1 Mar 2023 22:58:51

PreviousEvidence #12 NextThe Telegram Admins

Last updated 2 years ago