Gift Card Scammer Gets His Due When Victim Contacts His Mom

What do you do when you're a scam victim? Stalk your scammer on the internet

Photo Illustration: Diana Quach
Sep 16, 2016 at 1:05 PM ET

It’s a tale as old as time: A thief tries to scam a man out of his Apple gift card online, only the man tracks down the thief, his mom and his brother, and tells them everything. That’s exactly what security researcher Christian Haschek did when a scammer promised to buy his $500 Apple gift card with Bitcoin funds, only to disappear as soon as he received the cards in the mail. But it only took some simple internet sleuthing to track him down.

Haschek explains in a blog post that he won a few Apple gift cards four years ago in a contest, and had been trying to sell them online ever since — a particularly difficult transaction since he doesn’t live in the United States. In a last-ditch effort, Haschek resorted to Reddit to sell the cards. He found a buyer who offered $380 in Bitcoin digital money for his two $250 gift cards, which Haschek thought would be a safer way to do business.

Ungustly, who Haschek says operated under the name Ungustly, refused to send the money until he got the card numbers and PINs first, citing his own fear of getting scammed by Haschek. Ungustly claimed to have over 150 positive feedbacks on his eBay account, but Haschek figured he could’ve bought the account from someone else. When Ungustly messaged him from the eBay account and produced some verification, Haschek took an internet chance and decided to trust him.

Ungustly then asked Haschek to send him the actual physical cards, claiming he would be using them in a retail store, not online. Haschek complied, but first he did one thing he claims saved his butt: He took a picture of the gift cards before he sent them via an image hosting site that would log the IP address of the person who opened the image. A few days later, Haschek’s Bitcoin account is still empty, and he starts poking around, discovering that the reddit user has mysteriously deleted his account.

Haschek tries him back on the eBay account, only to receive a message from someone else claiming not to know who he is or any details of the theft:

“Excuse me, but who are you? I don’t use this account except when I occasionally buy items.

my ebay was hacked recently along with my email because I was keylogged. The hacked then proceeded to access my bank paypal and ebay. So no. I won’t send you money for someone else hacking you but I do feel sorry for you.”

Haschek gave him four days to produce the money or warned he’d press charges, but the scammer was resolute:

“Please do. I will take you to court for defamation and false accusation. I am a college graduate with a law degree and you are just trying to use baseless threat and accusation. When clearly I have not contacted you and have no idea what you are talking about. You randomly message me about deals and products when this is ebay and you have listed nothing that I have bought or bid on. If you try to keep contacting me and continue to pester me further with threats I will contact my local police office as you have looked up my information and have been baselessly accusing me.”

With a little sleuthing, Haschek was able to link the nicknames used to various platforms, and then go to Facebook to try to pin down Ungustly’s real name. Though Ungustly’s account was private, Hashchek hit paydirt when he discovered some of his friends’ accounts were not.

He had to scroll through hundreds of posts, but he finally found Ungustly’s real name, which allowed him to easily find Ungustly’s family. Haschek contacted his brother and mother, letting them know what had transpired. Surprisingly, Haschek took a smidgeon of pity on the scammer when he found out he was only 22 years old.

“I don’t want to ruin his life,” Haschek told the mother and brother, “but I need to know that he won’t scam people anymore.”

Hasheck received a message within 10 minutes of contacting the brother, from the scammer himself:

This is ungustly from before. I am sorry for what I did. I am young and stupid and always in a really bad place. I ama full time student and I have no job. I contacted Apple and got a giftcard back. I can. Give you your giftcard back I have a card for $477 and one of the existing card you gave me should have the remaining balance. Please leave me alone after this I won’t do anything like this anymore I am having panic of attacks just thinking about this.

In the end, the scammer made a deal with Haschek to sell his gift cards, get Bitcoin for them, and then transfer the money to Haschek. Haschek’s takeaway is three fold to would-be scammers.

One, Bitcoin escrow services are probably a good idea for such transactions because they hold funds until sales conditions are met. (Alternately, had he tried to sell the cards via eBay he could have used the site as a protective middle man.) Secondly, Haschek notes that “your privacy settings on facebook are only as good as your friends’.”

But perhaps is third point is most salient: Reusing nicknames on the web creates a digital trail whether you realize it or not, easily trackable to anyone motivated enough. And who wants their mom and brother knowing what they’re up to on the internet?