Trying to scam someone on the internet is always a bad idea, but if that someone turns out to be the head of a security research company, you’re in for a whole world of hurt.
Christian Haschek is an Austrian security researcher who was trying to sell $500 in US Apple gift cards on Reddit, since they’re a pain to use from overseas. He thought he had struck a deal with a buyer, but that buyer turned out to be less than honest.
After attempting to verify the buyer through an eBay account, Haschek mailed the cards to the buyer. He was expecting Bitcoin payment sometime soon after, but that never came. Getting angry, he messaged the verified eBay account, only to get a message denying any knowledge of the sale. At the same time, the Reddit account he had been dealing with was deleted.
So, Haschek embarked on a slightly more low-key and geeky version of Liam Neeson’s Taken. He used the Reddit and eBay account names to track down a Steam name, and through that, a Facebook account of the scammer’s friend. He used that and some painstaking Facebook stalking to find the scammer’s full name and all of his family, and that’s where things got really good.
He sent a message to the scammer’s mom and brother outlining the situation, and said that something had to be done or he would go to the cops. Unsurprisingly, the Bitcoin for the gift cards came quickly thereafter, along with a grovelling apology.
In the end, there was no harm done on either side. But it also goes to show that little on the internet is really anonymous. If you want to scam someone — or conduct perfectly legitimate business on the internet without being found — remember to start with brand-new accounts.
You can (and should) read the full account here.