> The creator is a current computer science student in China who is using the skills he's learning to make a pretty penny on the side.

I'm speechless that they were able to reach that number of victims without consequences. Reeks of a lack of oversight, will, power or coordination on behalf of the investigators. I wonder which reasons they give.

Gifting a bit of existential fear to those scammers might not hurt, since they force it on thousands of others.

He identifies the culprits in detail, scares the hell out of them, reports them to police, and tries to inform / refund the victims. In at least one video, he accesses the scammer's Stripe account and refunds the victims (often elderly) for their payments on bogus IT security products. I recall another video where gains access to the CCTV in the scammer's office building, and captures a police raid on the scammers.

https://www.youtube.com/@NanoBaiter

"wangduoyu666!.+-"

Whoops, this looks like username -> wangduoyu666 (same for "wangduoyu8", "wdy666666". Seems like they're incrementing numbers in username too, but probably false positives, maybe popular username)

Google it. Probably skid's github, linkedin, etc. (not verified)

And looks like OP missed this. Also name on telegram is fake of course, Wang Duo Yu is singer in China, so skid is using singer's name as username and also as a full name in Telegram.

Ps.: From their backup telegram, also "wangduoyu12"

Ps2: From OP write up -> https://t.me/wangduoyu0 -> there is youtube channel https://www.youtube.com/@duoyuwang4820 which links in description to this telegram channel wangduoyu0

And it's full of videos of someone making tutorials to bypass china firewall? etc. Multiple 30min-1hour videos, there must be treasure trove of info. Videos is leaking these gmail accounts: https://i.imgur.com/LUiKbF6.png

This should not be possible. I guess the iMessage scams used e2ee, but the SMS scams should have been caught. It would be great if there was law enforcement that competently handled cybercrime, or at least triaged it.

More broadly, and at the risk of creating another TLA, the US needs a Blue Team version of the NSA. In other words, identify critical infrastructure, figure out how it can be hacked, and require that companies fix the issues. Use national security if need be. Banks have to undergo stress tests to prove they are solvent, there is no reason that critical infrastructure should be able to leave their doors unlocked.

>It would be great if there was law enforcement that competently handled cybercrime, or at least triaged it. [emphasis mine]

I'm not sure CISA fits that definition.

I remember during Covid there was a few startups in that space trying to work with MVNO’s to get a foothold in the market, but don’t think any of that went anywhere.

These days they are mostly political pleas, which are, ironically, in some semi-protected gray area. Haven’t noticed any USPS-related ones lately, but a few have gotten through in the last few months.

I assume the point is “there is no economic incentive to fix the situation” … but that is an extremely generic claim.

This would decrease their profit per-item by 1/2.

Key piece tho, are you able to return pre-sorted mail to sender?

I would have loved to ask him if he'd do business with Stormfront or ISIS as long as they were "paying their bills." It's not just the top of the food chain, these middle managers are all morally bankrupt, too.

As an aside, it's terrifying that our texts can just be read and mass processed like this.

I'm sure, in the general sense, this information isn't used for evil. But certainly I think it can be, like those Ring Doorbell employees who used their access to stalk their victims.

The case for secure messaging services only grows stronger, even for the innocent.

I'm sure, in the general sense, this information isn't used for evil.

Maybe. I do know there have been cases of people bribing lower tier support in wireless providers to do SIM swapping. I don't know how often this occurs or how often they get caught. Things are logged but someone would have to know to look at the logs. I've also heard that employee churn is high in support so they might be long gone by the time anyone looks.

There's a strong argument right here for teaching technology ethics as part of a typical CS curriculum. I'm not saying that would have stopped this student from making his own unethical choices, but it does highlight the fact that we equip people with these really powerful technical skills, but we don't even try to equip them with the ethics to be responsible about it. We just sort of hope they were raised right, I guess.

Anyone here have experience with a curriculum that includes the ethics aspect?

Suddenly I realized even dumping passwords was an invasion of privacy, even if I didn't use them. And that passwords should never contain sensitive information!

We explicitly learned about voht IEEE and ACM code of ethics for example (though this was not the only thing we discussed) . We were even tested on the difference. I'm always confused when people don't even get the baseline ethics training.

There was also an ethics module in one of the massive pre-weed out 100 level courses.

In the end, ethics courses only teach you to be conscious about your actions and learning how to convince others that you're ethical. An ethical person can easily pass an ethics exam. All of that knowledge, and being raised by good parents, do not completely prevent someone from becoming a criminal.

If you can set up a reasonably successful scamming business on your own as a student, you can earn enough money to move to the countryside and never need to work another day in your life, as long as you can manage to hide the money from the authorities. Or you can spend it all on drugs and other short-lives pleasures, like so many criminals do.

Cybercrime targeting vulnerable people is laughably easy and extremely lucrative. Hearing about how hard some people's lives are because of their student loans, I'm a little surprised this stuff doesn't happen more, really, especially with the growing resentment the younger generations seem to feel for the bad hand they've been dealt by the older generations.

That has to do with fear, not ethics; the consequences of getting caught doing this to Chinese (vs foreigners) are significantly high (you do not f*k around with a system that has no due process)

I don't the US gov is gonna go after him for hacking a scam group AND he provided details to the authorities. Now, if he hacked them and used the stolen credit card details? Who knows.

So cyber-vigilantism is technically illegal but the authorities will tacitly pretend it is not, when it suits them fine, probably.

(This is also why criminals tend to seek illegal firearms; self-defense from other criminals is a more salient issue than it is for the average citizen for this reason.)

Most of them are quite capable of delivering a nasty counterattack. Some, IRL.

Had a friend hack a spammer that hijacked his server, and they blasted his server into LEO.

What happens is scammers get numbers with small carriers who interconnect with major ones. Eventually the reputable carriers notice spam from these smaller carriers and start dropping their calls (or banning them altogether). So the smaller carriers decide whether they want to see their legitimate traffic dropped or just ban the offending users (which is eventually what ends up happening). Scammers end up hopping to a different carrier so it's a cat-and-mouse game, but it's a lot more expensive to play now than it was with simple number spoofing.

In parallel, numbers are starting to get reputations attached to them, similar to IP addresses. Some filtering takes advantage of that.

Of course, spearfishing can continue unimpeded with someone buying a prepaid cell phone and using that to call a specific target. :(

https://transnexus.com/whitepapers/understanding-stir-shaken...

Up until very recently, caller ID was stupid easy to spoof if the originating phone company didn't care.

How do you expect that to be implemented without requiring them to read everyone's texts (requiring either no encryption or a backdoor) and judge their worthiness?

Actually...

Doesn't it now take a significant amount of effort to get a valid company e-mail whitelisted by the incumbents exactly because of this and yet I have received multiple emails today about diplomatic correspondence...

I mean, it's validly been 25 years since I received my first scam text and I still sporadically get them once in a while.

Seems it's no longer active. If I send "Y", the message is not delivered. The domain points to 404 on a "King Ice" website selling jewelry shaped like guns or penises, I'm not joking.

I always thought there should be a driver license and test to use the Internet to cut down on people being ignorant. As well or a class you must pass in high school that teaches ignore all phone calls, text, emails and etc from people you have not met offline. If you do meet them online make them snap or facetime you fairly quickly to verify veracity.

Can't tell you how, it's been a minute.

The US has roughly 340 million people now.

The US gdp is roughly 28 trillion dollars.

Which means that on average the dollar value per citizen is roughly 82 thousand dollars…

Divided by days in year, hours and minutes its roughly 15 cents per minute.

So if we assume 100% of the population is getting at least one scam a day of some sort and that the disruption to thought to get back on track as result of the anger induced is about 30 minutes…

That puts the loss to the US at little over 1.5 trillion dollars in lost productivity.

The US currently spends roughly 840 billion on defense…

So almost twice the yearly national defense budget is potentially lost to scams.

Seems crazy, as I said off the cuff. I would love to see some way more accurate numbers.

But arguing in dollar amounts I think will go a long way to putting the problem in perspective. And who knows, maybe we’ll get to some drone strikes on scammers in our lifetime.

Let's go with your "one scam a day". The person then has to see it, choose to read it and then act on it (delete/ignore/get scammed). Not even considering the practical effects of receiving 4 before lunch, and none getting past spam filters the rest of the week.

Then you come up with 30 minutes for each individual scam? If it evens goes trough the above mentioned phases, nobody is non-profitable for a full 30 minutes, for every scam attempt, every single day of the year.

Using your 15 cents per minute, we could stick with just a minute of lost value. That translates into 340 000 000 * $0.15 * 365 days = 18 billion.

Still a totaly useless number because it's impossible to measure, but at least much further from 'ridiculous' than 10% of the GDP you came up with.

You know what? I do. We all should. These scammers are awful people and deserve to be attacked. I am tired of toothless authorities like CISA and the alphabet agencies in the US doing next to nothing about it unless some YouTube scam baiter does the work for them. Scammers destroy people, not just financially, but emotionally as well, even driving some victims to suicide. As far as I am concerned, any wannabe hacker out there should be using these scammers for target practice.

I think we all agree that hacking scammers is a net positive for society.

I find it hard to believe if some scammer is hacked and the evidence shows the hacker learned everything from solely this video then this disclaimer won’t mean anything legally.

I think disclaimers are just a bit of noise that people put in out of an abundance of caution.

Most of the time this won't matter. People and courts generally know advice isn't to be trusted, if this goes to court it will probably be laughed out before they even see your disclaimer. However since there is trusted advice on the internet and courts/the law hasn't figured out where there is always risk and a disclaimer helps protect you against the court deciding you were playing an expert.

Of course I'm not a lawyer, I'm only guessing as to what will happen. I'm reasonably sure no lawyer will comment on this for reasons above.

At least some disclaimers aren't just noise—they add context that would otherwise be missing to help the reader navigate the subtext. The "this is not my work" portion of that disclaimer is highly relevant and useful information for interpreting the blog. The afformentioned IANAL disclaimer helps readers to understand whether your opinion has any stronger basis in law than their own.

I also strongly suspect that some disclaimers would have legal value in the event of someone misusing information being dispensed, but IANAL.

Safe to assume everyone else is not a lawyer.

And, to the topic at hand: if lawyers consistently do that, that again speaks to the legal value of at least some disclaimers.

Like the previous commenter points out, actual lawyers are quite clear that their statements in this kind of non-professional capacity hold no more weight than any other random Joe. There is no situation of authority. IANAL/IAAL may have once been a funny meme – albeit one quite tired at this point – but doesn't add anything, and may be a detractor if one falls prey to the logically fallacy it potentially introduces.

As before, it used to be a funny meme – albeit one that has become tired – but there is no significance to it. Who the person is tells absolutely nothing about the rest of the comment.

This is not at all what "I'm not your lawyer" means—that's a disclaimer to say that they're not taking legal liability for their advice to you because you're not paying them. They're still far more qualified than I am to talk about law in the abstract and dismissing that as "appeal to authority" is a false appeal to egalitarianism.

While they have the capacity to be more qualified to talk about the law, that does not imply that they will choose to exercise those qualifications. Lawyers can be trolls just like everyone else.

The work must stand on its own. If it is of high quality, then it is of high quality. It does not matter who wrote it. If an infinite number of monkeys wrote it, it is still of equal value.

The person is irrelevant.

Even were I a lawyer, it should carry the same weight. Some random, kind internet stranger sharing ideas.

I think it distracts from the conversation as I wasn’t giving legal advice but just thinking about how useful and relevant disclaimers are.

The comment is more about too much bullshit language used in our lives, so I think minimizing (or at least intending and attempting to) bullshit in my own comments is something I can control.

We have all received email from a legitimate place where a scammer uses your email to spam and then legitimate company thinks your email sent it.

Several years ago when I still had a Facebook account there was a guy that DMed me yelling at me and accusing me of trying to “hack him”. His evidence? The reverse DNS record for a server was pointing to a domain I owned. I replied and told him the reverse record was out of date. I had previously rented a VPS with that IP address and I had had the reverse record point to my domain. I had since cancelled the rental of that VPS and now the hosting company had assigned the IP to someone else. Apparently the hosting company had not bothered to remove the reverse DNS record from their systems so it was still pointing to my domain. The guy that was yelling at me was of course too stupid to understand this when I explained it to him so I gave up on trying to educate him and blocked him from being able to send me any more DMs.

Now imagine if this guy had started a full-on retaliation campaign based on his misguided “evidence”. Luckily for me I never heard or seen from him again.

But yeah, that kind of thing is exactly why “vigilante justice” is such an incredibly dangerous and stupid idea.

Some of them are being held prisoner and are being forced to run these scams under threat of torture. There was a Search Engine episode about this in the last year.

I'm quite aware that not everyone is on the same page, and this just helps to indicate a basic respect for others that may not like him.

As you can see, that didn't actually work, as just the mention of his name, got a ding.

The stuff he says before the main story, tends to be quite political, but the main story, itself, is often apolitical.

Some might, but it's their choice to make, no yours.

There are other forms of punishment besides jail time. But really I'm more concerned that the scam organization is shut down, even if the main scammer isn't put behind bars. If nothing else, it'll slow down and reduce the scams.

Given that we're talking about legal, rather than extra judicial, pursuit and punishment I would expect jail to be a part of that process.

Vigilantes are criminals too so society takes an active role in pursuing and punishing them as well.

Society is supposed to take an active role, but sometimes they have other priorities.

Big companies getting hacked or scammed make headlines and generate FBI action. People like me, not so much.

Its still not quite accurate to deem vigilantes as criminals though. Unless they've been charged and convicted they aren't technically a criminal.

Not sure why that's "ironic". Seems reasonable. Only people trained and accountable should be doing things that would violate people's civil rights and take away their freedom or possessions.

Obviously the reality of our legal systems fall far short of ideal, but IMO vigilantism is not the answer to that.

> Its still not quite accurate to deem vigilantes as criminals though. Unless they've been charged and convicted they aren't technically a criminal.

You sound like the kind of kid who would put their hand an inch from their sibling's face and constantly utter "not touching! still not touching!" and think that you were "technically" not breaking the rules, so your behavior was ok.

Maybe ironic wasn't a great fit there, I stand by the rest of the comment though. I blame Alanis Morissette for my inability to recognize irony accurately.

> You sound like the kind of kid who would put their hand an inch from their sibling's face and constantly utter "not touching! still not touching!" and think that you were "technically" not breaking the rules, so your behavior was ok.

There's a legal definition of "criminal". Is it being an annoying little brother to think definitions are important?

I meant to say "the vigilantes" not "we vigilantes." I don't take part in it and don't condone it as long as we collectively agree to live under a legal system.

I agree with you though, vigilantes are imposing "justice" on innocent people. The right to a fair trial and a jury of your peers is a really important check on power. Vigilantes skip that whole process.

Anarcho-tyranny

A stage of governmental dysfunction in which the state is anarchically hopeless at coping with large matters but ruthlessly tyrannical in the enforcement of small ones

https://m.wikidata.org/wiki/Q64594123

Then you get your door kicked in for not paying taxes on $50 venmo transaction, or saying the wrong thing online but when there is a school shooter (or presidential assassin) the cops wait for them to finish while they play with their phones.

Red light ticket revenue funding small town budgets is another. Brake-light rationales for traffic stops…I could go on.

The key is what you pointed out, that these are never used against the elite class.

There's no such thing as a "natural right". Rights are granted, not innate. In the US we might think freedom of speech is a "natural right", but go to a country that doesn't have that, and you'll see how "natural" it really is. (And hell, even in the US, free speech rights are curtailed all the time.)

> IF the government abdicates its assumed responsibility to provide justice people have every moral and ethical right to enact justice themselves.

I don't agree with that. Look at how (for example) the 1800s in the US west looked when it came to so-called "justice", when the government wouldn't or couldn't prevent or track all that much crime. That's not a world I want to experience.

And not that I have not denied the negative consequences of vigilantism for society as a whole. Those consequences are the reason governments are supposed to seek justice in a more orderly and accountable manner. It is when governments renege on that responsibility that they bare the blame for the consequences, as people seek justice on their own (because they know justice is their right and will seek it themselves if nobody else will for them. This innate understanding of being entitled to justice is the proof that a natural right to justice does exist.)

Vigilante’s don’t abide by the laws so aren’t well positioned to dispense justice in a non hypocritical way.

Maybe carve out a low level clearance that gives grey hat types a little room for counter red team activity.

Let's say that's more than just individual morality but a concrete cultural relation to wealth, power, justice and social contract of the state.

Of course, when the state demonstrates a dereliction of duty and becomes feckless in its ability to punish criminals in proportion to their crimes, this creates outrage and a strong temptation to engage in vigilatism. The state then shares responsibility for the resulting vigilatism.

Hopefully the suggestion gave them an idea to reflect on later — I don't know of anything better that can be done when on the receiving end of a phone call.

The very fact that he didn't hangup, that he felt he had to explain away his guilt to me (a few times) shows that he himself wasn't convinced of his rationalization and that he himself believed he was doing something wrong. I can only hope that the guilt gnawed its way into his conscious and that the worm that never dies led him to rethink his life and to pick up some honest work.

May the guilty lose sleep, and may their ill-gotten goods taste of ash, and thus be led to remorse and reform and the righteous path. This is love of neighbor.

On the other hand, the examples people commonly share of where someone contacts a knowing scammer to appeal to their humanity, is that the scammers laugh at their victims — so if the people on the phone are the villains, then I think them hanging up immediately may cause more emotional pain than the stream of expletives they're used to.

Regardless, it saves me time.

This approach may not be so useful now that GenAI, both LLMs and synthetic voices, are getting good.

They are getting REALLY good, it is the old "it is photoshopped" except with sound. The problem though is not being able to differentiate, especially not the people scammers usually target (the elderly).

You cannot believe your own eyes AND ears now, sadly. It might sound dramatic, but it takes "trust no one and nothing" to a whole new level.

I expect that, at some point in my lifetime, bio-printing and tissue culture will probably reach the point we can't even have trust in real life, not even with fingerprints and a DNA test.

Will this happen before or after we become post-scarcity? I don't know.

Is Musk a scammer? Bitcoin? The commission Apple charges on the App Store? The Fortnight monetisation system? Facebook's claim to be able to accurately target adverts? Vaccines and masks? OpenAI?

People on this website have said so about each of those examples.

That is why it's bad to go down that path.

If the question's answer was obvious and resolving false then none would have been described thusly, if it was obvious and resolving true then you wouldn't be denying it.

Merely asserting that they are not, in your opinion (though hey, look at those legal cases they have between them…) does nothing to remove the fact that they have been called this.

It also does nothing to help with the lack of legitimacy of vigilantes. Nor, in this case, jurisdiction: part of the problem here is international cooperation, because right now the USA (where the victim is) and China (where the gang is) are a bit chilly towards each other.

> people will take actions into their own hands.

Amateurs sending a bomb their way? That's one way to describe how WW1 started.

It is, at least hypothetically, possible to define "scammer" clearly enough that the more egregious and clear-cut types are taken care of more expeditiously.

Not sure if there's a way to actually enforce that better, but "it is possible to disagree over whether some things are scams" is not the same as "there's no way to agree on whether anything is a scam".

In this specific case, when it comes to vigilantes in particular? Then no. I think that a society which allows it will end up somewhere between lynching and anarchy.

Better law enforcement, which does not even have to mean "more laws"? Good. Batman wannabes? Bad.

People here will lament about the exploited H1Bs causing literal genocides at Meta until the cows come home, but literally other any person working a job they don’t necessarily like and in a living situation that’s undoubtedly worse deserve to be literally bombed because they sent you a text message.

Jesus Christ.

Being civilly sued by scammers isn't the fear, it's being prosecuted by the state for committing CFAA (or similar) crimes.

(For example, if your idea of self-defense starts with 'I'll be following someone around in my truck...', most other countries would let you hang.)

But think about "IRL crime". Would we condone someone pulling out their gun and going after someone who they believed had stolen from them? I hope not.

The problems are the usual ones with vigilantism: ensuring a proportionate response to the alleged crime is impossible (vigilantism usually has a large emotional component, so good luck restraining someone there), and ensuring the vigilante is actually going after the right person, and hasn't screwed up their investigation, causing them to target someone innocent.

Certainly holding law enforcement accountable is difficult and sometimes impossible. But at least there's a process to fix that, and people are constantly working on this problem. There's no process to fix cases where randos botch an amateur investigation and mess up the life of someone innocent.

So for example some GRU agents came to the UK and attempted to murder a couple of Russian expats using a nerve agent called Novichok[2]. As well as the original targets, three further people were poisoned and had to be hospitalised, one of whom died.

Unsurprisingly perhaps Russia won't extradite their millitary intelligence officers back to the UK to face justice. This doesn't change the fact that murder and attempted murder are definitely illegal in the UK.

[1] https://www.cfr.org/backgrounder/what-extradition

[2] https://en.wikipedia.org/wiki/Poisoning_of_Sergei_and_Yulia_...

Like if I fly from China to US and offer you a bridge in exchange for $20 and take the $20 and don't give you a bridge, it's a scam.

What's the difference between that and doing it online? The offer is still posed on US soil; if anything it should expose you to the legality of both countries.

Technically the US can start a war with China, which could reach the point of the US military capturing me and bringing me to the US thus ensuring I don't get away wit it. Realistically that isn't happening though. There are also trade-war options which sometimes happen in high profile cases, but often they are seen as losing more than gained.

Note that most countries will arrest me and send me to the US if presented evidence. If you used France as your example country and so I'm exposed the the legality of both countries. Russia and North Korea are most well noted as protecting their own people against crimes like this committed elsewhere, so if you can get protection from those countries for this crime it isn't a crime because nothing will happen (war of course is an option but it seems unlikely). China is a grey area - they sometimes protect their own, but often they will not, in general for this scam I'd expect they would arrest you for this scam, but not all of them.

I believe that's actually very rare. I mean instances in which country A extraditing to country B one of its own citizens (who isn't also a dual citizen of B). In the most common scenario, country A extradites a citizen of B back to B, or (less common) a citizen of some 3rd country C to B.

I couldn't find a single instance in which a US citizen was extradited from American soil to a foreign country, for example, even though this is permitted by the extradition treaties. (I welcome any pointers to actual instances)

Foreign countries sometimes extradite their own citizens to the US, but I believe that to be very rare. Even the case of Gary McKinnon [1] was ultimately blocked, for example.

[1] https://en.wikipedia.org/wiki/Gary_McKinnon

With your bridge example different countries and jurisdictions could have different requirements for the purchase of real estate or that you even were buying real estate rather than like an NFT, toy model, etc. A scam in the US might not be considered a scam in a foreign jurisdiction and even within the US it might not be considered a scam, like if someone offers you a quit claim deed for whatever interests they have in a bridge for $20 that could be considered legal depending on what representations were made. In fact a person buying a quit claim deed for way below market value could find themselves in hot water being investigated for like elder abuse with them being seen as the one trying to pull a scam on a potentially vulnerable property owner.

> The "essential predicate" is "that a punishment must not by its severity be degrading to human dignity", especially torture.

> "A severe punishment that is obviously inflicted in wholly arbitrary fashion." (Furman v. Georgia temporarily suspended capital punishment for this reason.)

> "A severe punishment that is clearly and totally rejected throughout society."

> "A severe punishment that is patently unnecessary."

Crowd strike immediately pushed a fix for the problem once they realized what happened. No, that didn't prevent the global economic costs and general chaos that was caused. But they clearly weren't deliberately trying to cause all that damage.