Using OSINT to find a scammer

A couple of days ago I received a message on Instagram from a guy who claimed to be Ukrainian, asking for some money. It’s an obvious scam, right? Right, but I’m a really curious person, so I wanted to see how this would escalate. I replied to the guy, telling him I’d send him some money, so he sent me his PayPal address [email protected], his Ukrainian mobile +380681167162 and Ukrainian IBAN UA513052990000026204696761295. He introduced himself as Aleksandr Yantselovsky.

// I'm sharing this data because it was used in a scam and may be used again

Does it look convincing? Let’s check this guy’s profile pictures.

Using Google Photos we can see that Aleksandr has been in Kiev. However, the Podil’s’ko-Voskresens’kyi Bridge seen in the background shouldn’t be illuminated during wartime, and his clothes aren’t suitable for March (when the photo was added) because of the low temperatures at the time. This certainly isn’t a fresh photo, so let’s dig deeper.

It looks like the guy’s phone number is registered with Telegram and WhatsApp, so he uses them. All profiles contain his picture, so it’s somewhat convincing. But a Ukrainian mobile number could be bought by anyone at an ordinary store selling Ukrainian mobile numbers. This doesn’t prove he’s Ukrainian. Let’s go further.

An IBAN checker shows that the given account number does indeed belong to the Ukrainian JSC CB PRIVATBANK, but again, this account could have been legally opened by a non-Ukrainian or just bought. There is also a slight possibility that the account number validates correctly but doesn’t exist, so any wire would be sent back to the sender and Aleksandr would just ask to use a different method, e.g. PayPal.
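The point that an IBAN can validate without the account existing follows from how the check works. The code below is an added example, not part of the original post: it implements the public ISO 13616 mod-97 check and the Ukrainian field layout (2 check digits, 6-digit bank code, 19-character account). The function names and the second, constructed IBAN are assumptions made for illustration.

```python
import re

UA_LENGTH = 29  # "UA" + 2 check digits + 6-digit bank code + 19-char account

def normalize(raw: str) -> str:
    """Strip whitespace and upper-case, as IBANs are often printed in groups."""
    return re.sub(r"\s+", "", raw).upper()

def _mod97(iban: str) -> int:
    # ISO 13616: move the first four characters to the end,
    # map letters A..Z to 10..35, read the result as one integer mod 97.
    rearranged = iban[4:] + iban[:4]
    return int("".join(str(int(ch, 36)) for ch in rearranged)) % 97

def checksum_ok(raw: str) -> bool:
    """True if the string is well-formed and its check digits match."""
    iban = normalize(raw)
    if not re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9]{1,30}", iban):
        return False
    if iban.startswith("UA") and len(iban) != UA_LENGTH:
        return False
    return _mod97(iban) == 1

def split_ua(raw: str) -> dict:
    """Split a checksum-valid Ukrainian IBAN into its fields."""
    iban = normalize(raw)
    if not (iban.startswith("UA") and checksum_ok(iban)):
        raise ValueError("not a well-formed Ukrainian IBAN")
    return {"check": iban[2:4], "bank_code": iban[4:10], "account": iban[10:]}

def with_check_digits(country: str, bban: str) -> str:
    """Compute check digits for any BBAN: 98 - (BBAN + country + '00') mod 97."""
    check = 98 - _mod97(country + "00" + bban)
    return f"{country}{check:02d}{bban}"

# IBAN quoted in the post
POST_IBAN = "UA513052990000026204696761295"
# Constructed sample: made-up bank code and account, not a real account
CONSTRUCTED = with_check_digits("UA", "000000" + "0" * 18 + "1")

if __name__ == "__main__":
    print(checksum_ok(POST_IBAN), split_ua(POST_IBAN))
    # The constructed number also passes: the checksum only catches typos,
    # it says nothing about whether the account exists or who controls it.
    print(CONSTRUCTED, checksum_ok(CONSTRUCTED))
    print(checksum_ok(POST_IBAN[:-1] + "6"))  # one digit changed -> rejected
```

Only the bank itself can confirm that an account is open, which is why a passing checker result adds little to the attribution.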

A Google search for Aleksandr Yantelovsky gives nothing, but doing the same with the Cyrillic Александр Янцеловский we can find the guy’s VK profile by going to vk-look.com, which clearly states that his homeland is Russia, not Ukraine. But let’s go further and check whether his mobile is assigned to this VK account. After providing his mobile number to the account recovery option, the portal asks for the last name shown on the profile, but neither Yantelovsky nor Янцеловский works.

So, let’s check the email he provided. There is a useful tool called Holehe, written in Python. But from the report we can see that he probably uses this email only for Instagram.

And using Instagram’s password recovery option we can verify that this email is probably assigned to the same Instagram account that the scammer used to contact me.

We can go further and check whether the scammer used his email in other services, such as those which had a data breach. For this we can use Have I Been Pwned.

Very secure guy or… this account was created only for the purpose of the scam. Let’s use emailrep.io to check the email’s reputation.

Oops! Found nothing. It looks like our guy is either a really private person or this email serves only one purpose: being part of a scam. Let’s make sure and check whether this Google account has even been used.

To do this, we’re going to need the GHunt tool, which is a simple Python application. We just need to clone the repository and copy our Google cookies to be ready to go. After that, usage is pretty simple. Just type:

python3 ghunt.py email [email protected]

And jackpot! We have our guy!

I’ve censored the YouTube channels’ IDs, because there is only 37.5% confidence that they are accurate, and actually I doubt any of them is real. However, now we know that the guy’s name (or nickname) is San Sanich, so using YouTube search we can find his channel, which is https://www.youtube.com/channel/UC-fayuIXqMZs5CeCQEiWSKw. The last video is from two years ago, so currently it’s a dead channel. Maybe because the rightful owner lost control over it along with his Google account, where he had his photos and videos that are now posted on social media?

Unfortunately this was a dead end, so the last thing left was a reverse image search. I personally prefer to use Yandex Image Search for this job, because it can perfectly match similar photos (even similar faces) and it also indexes social media. So I found Aleksandr Jancełowski on VK.

But I also found other, different accounts with photos of our guy.

So, whoever owns those accounts is probably not our guy. Also, our guy is probably not from Ukraine, because all the VK profiles I found give different locations in Russia. And even if he is indeed Ukrainian, as a young man from Kiev, shouldn’t he have more important things to do, like preparing for invasion and killing Russians?

I wasn’t able to find the real guy. Probably because he became a very private person, having so many clones on the internet. However, there was one VK account I found with reverse image search which made me think.

This account is totally private and the guy looks like the one we are interested in. He has the same hairline, is wearing the same jacket and similar shoes, and the photo is taken in the same manner as all the other ones, but the last name is different. Anyway, I sent him a friend request on VK from my fake account and he replied asking who I was. So if this was a fake account, he’d either ignore me or accept the request.

Finally, I didn’t explain why I knew this was a scam. Well, I replied to him that I’d send the money, to see what would happen. He was really impatient, asking whether I had sent the money, so I wrote that I needed to get the money first. After that he removed all his messages and blocked me on Instagram.