TL;DR: Crypto scammers act like jurisdiction doesn’t apply to them. It does. We built the DestroyScammers Dashboard (https://phishdestroy.github.io/DestroyScammers) and the open source DestroyList dataset (https://github.com/phishdestroy/destroylist) to prove it. With automated data collection, passive DNS, CT logs, and basic OSINT, we turn “elite hackers” into ordinary, traceable suspects. This post explains how the stack works and why code beats fear.
“Incident response” that starts with balance: 0
For a lot of victims, the story starts like this:
- Fake airdrop → sign “just one” transaction
- “Support agent” in DMs → asks for seed phrase or wallet export
- Drainer script hidden behind a trusted-looking UI
Result is always the same:
- Money gone
- Trust shattered
- Mental loop: “I was stupid. Nothing can be done. It’s the blockchain — there is no Ctrl+Z.”
This post is a patch for that mindset.
We’re not law enforcement. We don’t have badges or warrants. What we do have is:
- GitHub
- Automation
- OSINT
- Time
And surprise: a lot of the time, identifying the “mouse” behind the screen is easier than getting a special agent to pick up your ticket.
The Myth of the “Elite Hacker”
Public image:
- Hoodie
- Green terminals
- “Offshore”
- “Non-extradition”
- “Connections in high places”
Reality for a big chunk of crypto scam operations:
- Recycled phishing kits with minor CSS edits
- Cheap domains bought in bulk
- Shared hosting / same IP ranges
- Terrible OpSec (chat logs, reused usernames, real-life selfies…)
When you start collecting and structuring evidence, they stop looking like hackers and start looking like what they are:
People running stolen code on discount infrastructure, assuming nobody will ever audit them.
The Stack: How DestroyScammers Works
The DestroyScammers ecosystem is boring by design. No magic, no “zero-days”, no access to internal systems. Just systematic use of data that is already public.
Core repo (dataset):
https://github.com/phishdestroy/destroylist
Dashboard (visualization):
https://phishdestroy.github.io/DestroyScammers
1. Passive DNS & WHOIS history
Scammers are lazy. Common patterns:
- Same email reused across multiple domains
- Real data in historical WHOIS before they enable privacy
- Reused name/handle fragments in contact fields
Passive DNS + WHOIS history lets us:
- Map how domains move between IP ranges
- Cluster related infrastructure
- Catch “forgotten” metadata from early registrations
2. Certificate Transparency (CT) logs
We monitor CT logs and regularly see:
- SSL certificates issued for phishing domains
- Certificate subjects/patterns that match known kits
- New domains for an existing scam panel before the campaign goes live
This gives you a pre-attack visibility window: the site is not live yet, but the certificate already exists.
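What a CT watch looks like in practice, as an added example (not code from the original post or from the DestroyScammers project): a small scorer that takes certificate SAN entries, skips the brand's own domains, and flags names that embed a watched brand, sit one edit away from it, or stack several lure tokens. The brand names, their apex domains, the lure-token list and the CT entries are all constructed for this example; only the `all_domains` key is assumed as the shape a monitor hands you.

```python
import re

# Constructed watchlist: brand label -> its legitimate apex domain. Both
# the brands and the apex domains are invented for this example.
BRANDS = {"vaultwallet": "vaultwallet.example", "swapdex": "swapdex.example"}

# Tokens that commonly accompany a brand in lure hostnames (constructed list).
LURE_TOKENS = {"claim", "airdrop", "support", "verify", "wallet", "connect", "restore", "sync"}

# Constructed CT entries. Real monitors expose the certificate's SAN list in
# some form; only the "all_domains" key is assumed here.
CT_ENTRIES = [
    {"all_domains": ["vaultwallet-claim-portal.example", "www.vaultwallet-claim-portal.example"]},
    {"all_domains": ["app.vaultwallet.example"]},        # the real brand, allowlisted
    {"all_domains": ["vaultwalet-login.example"]},       # one-character typo of the brand
    {"all_domains": ["airdrop-verify-wallet.example"]},  # lure tokens, no brand
    {"all_domains": ["support-desk.example"]},           # one generic token: below threshold
    {"all_domains": ["grandmas-cookies.example"]},
]


def levenshtein(a, b):
    """Edit distance with a rolling single row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def score_hostname(hostname):
    """Return (score, reasons) for one certificate name, or None if allowlisted."""
    host = hostname.lower().rstrip(".").lstrip("*.")
    for apex in BRANDS.values():
        if host == apex or host.endswith("." + apex):
            return None  # the brand's own certificates are expected traffic
    labels = [l for l in re.split(r"[.\-_]", host) if l]
    score, reasons = 0, []
    for brand in BRANDS:
        if brand in host:
            score += 2
            reasons.append(f"contains brand '{brand}'")
            continue
        for label in labels:
            if abs(len(label) - len(brand)) <= 1 and levenshtein(label, brand) == 1:
                score += 2
                reasons.append(f"label '{label}' is one edit from '{brand}'")
    lures = sorted(LURE_TOKENS.intersection(labels))
    if lures:
        score += len(lures)
        reasons.append("lure tokens: " + ", ".join(lures))
    return score, reasons


def scan_ct_entries(entries, threshold=2):
    """Flag every distinct SAN whose score reaches the threshold, highest first."""
    seen, hits = set(), []
    for entry in entries:
        for name in entry["all_domains"]:
            if name in seen:
                continue
            seen.add(name)
            result = score_hostname(name)
            if result and result[0] >= threshold:
                hits.append({"host": name, "score": result[0], "reasons": result[1]})
    return sorted(hits, key=lambda h: (-h["score"], h["host"]))


if __name__ == "__main__":
    for hit in scan_ct_entries(CT_ENTRIES):
        print(hit["score"], hit["host"], "|", "; ".join(hit["reasons"]))
```

The threshold is the knob: a single generic token like `support` is not worth an alert on its own, but a brand hit or a stack of lure tokens is, and the certificate usually appears before the page serves anything.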
3. Cross-referencing chain data, infra and social
We link:
- Wallet addresses (on-chain traces)
- Domains / IPs / hosting providers
- Social identities and handles reused across platforms
Individually, none of these are magic. Together, they form a graph that is very hard to fully sanitize once you’ve already run a few campaigns.
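The clustering described in sections 1 and 3, as an added example that is not part of the original post or the DestroyScammers code: domains become nodes, and every pivot recovered for them (WHOIS contact, hosting IP, wallet, social handle) becomes a node too; connected components of that graph are the candidate crews. The records, emails, IPs, wallet strings and handles are all constructed. The one caveat a practitioner would add is built in: registrar privacy placeholders and shared-hosting IPs would link everything to everything, so they are excluded as pivots.

```python
from collections import Counter, defaultdict

# Constructed sample: each record is one scam domain plus the pivots we
# recovered for it (WHOIS contact, hosting IPs, on-chain addresses, social
# handles). None of these values are real; they exist only for this example.
RECORDS = [
    {"domain": "claim-airdr0p.example", "whois_email": "ops1@mail.example",
     "ips": ["203.0.113.10"], "wallets": ["0xaaa1"], "handles": ["@cryptohelp_99"]},
    {"domain": "wallet-support-desk.example", "whois_email": "ops1@mail.example",
     "ips": ["203.0.113.11"], "wallets": ["0xbbb2"], "handles": []},
    {"domain": "wallet-verify.example", "whois_email": "REDACTED FOR PRIVACY",
     "ips": ["203.0.113.11"], "wallets": [], "handles": ["@cryptohelp_99"]},
    {"domain": "nft-mint-now.example", "whois_email": "other@mail.example",
     "ips": ["198.51.100.5"], "wallets": ["0xccc3"], "handles": ["@mintmaster"]},
    {"domain": "unrelated-shop.example", "whois_email": "REDACTED FOR PRIVACY",
     "ips": ["198.51.100.5"], "wallets": [], "handles": []},
]

# Pivots that would connect *everything* and therefore prove nothing:
# registrar privacy placeholders and IPs of shared hosting / CDN front ends.
IGNORE_PIVOTS = {"REDACTED FOR PRIVACY", "198.51.100.5"}


class UnionFind:
    """Minimal disjoint-set structure for connected components."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def pivots_of(record):
    """Yield (kind, value) pivots for one record."""
    yield ("email", record["whois_email"])
    for ip in record["ips"]:
        yield ("ip", ip)
    for w in record["wallets"]:
        yield ("wallet", w)
    for h in record["handles"]:
        yield ("handle", h)


def build_clusters(records, ignore_pivots):
    """Group domains that share at least one non-ignored pivot.

    Returns clusters largest first; each lists its domains and the pivots
    seen in two or more of its records (the evidence that ties them together).
    """
    uf = UnionFind()
    usage = Counter()
    for r in records:
        dnode = ("domain", r["domain"])
        uf.find(dnode)  # register isolated domains too
        for kind, value in pivots_of(r):
            if value in ignore_pivots:
                continue
            usage[(kind, value)] += 1
            uf.union(dnode, (kind, value))

    groups = defaultdict(lambda: {"domains": [], "pivots": []})
    for node in list(uf.parent):
        root = uf.find(node)
        kind, value = node
        if kind == "domain":
            groups[root]["domains"].append(value)
        elif usage[node] >= 2:
            groups[root]["pivots"].append(f"{kind}:{value}")

    clusters = [{"domains": sorted(g["domains"]), "pivots": sorted(g["pivots"])}
                for g in groups.values()]
    return sorted(clusters, key=lambda c: (-len(c["domains"]), c["domains"]))


if __name__ == "__main__":
    for c in build_clusters(RECORDS, IGNORE_PIVOTS):
        print(len(c["domains"]), "domain(s):", ", ".join(c["domains"]))
        for p in c["pivots"]:
            print("   shared pivot:", p)
```

Run it with an empty ignore set and all five domains collapse into one cluster, which is exactly the false positive a sloppy graph produces; the ignore list is what keeps the "shared pivots" column defensible when the package reaches a prosecutor.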
4. Sandboxes & threat intel feeds
We ingest reports from:
- Public sandboxes like https://urlscan.io
- Other open threat intelligence feeds
Even a single sandbox run can leak:
- C2 endpoints
- JavaScript kit URLs
- Panel paths
- Reused redirectors
We don’t need to breach their servers. We just need to structure the artifacts they already leak into the open web.
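Structuring those leaked artifacts, as an added example (not the project's own code): two constructed sandbox results for two scam pages that look unrelated, reduced to their third-party hosts, script URLs, POST endpoints and redirects, then intersected to show the shared kit infrastructure. The result shape (a page URL plus a flat list of requests with `method`, `url`, `status` and an optional `location`) is simplified and assumed; map it onto the schema of the sandbox you actually pull from. All hosts and paths are invented.

```python
from urllib.parse import urlsplit

# Two constructed sandbox results for two scam pages that look unrelated.
# The shape (page URL plus a flat request list) is simplified for this
# example; adapt the field names to the schema of the sandbox you use.
SCAN_A = {
    "page_url": "https://claim-airdr0p.example/",
    "requests": [
        {"method": "GET", "url": "https://claim-airdr0p.example/", "status": 302,
         "location": "https://claim-airdr0p.example/connect/index.html"},
        {"method": "GET", "url": "https://claim-airdr0p.example/connect/index.html", "status": 200},
        {"method": "GET", "url": "https://static.kit-host.example/js/app.min.js", "status": 200},
        {"method": "GET", "url": "https://libs.example/web3.min.js", "status": 200},
        {"method": "POST", "url": "https://panel.kit-host.example/api/collect", "status": 200},
    ],
}
SCAN_B = {
    "page_url": "https://wallet-verify.example/",
    "requests": [
        {"method": "GET", "url": "https://wallet-verify.example/", "status": 200},
        {"method": "GET", "url": "https://static.kit-host.example/js/app.min.js", "status": 200},
        {"method": "POST", "url": "https://panel.kit-host.example/api/collect", "status": 200},
        {"method": "GET", "url": "https://r.short-redirect.example/go?x=1", "status": 302,
         "location": "https://wallet-verify.example/step2.html"},
    ],
}

# Hosts that serve common libraries and should not be treated as kit infra
# (constructed allowlist; in practice fill it from your own observations).
BENIGN_HOSTS = {"libs.example"}


def extract_artifacts(scan):
    """Pull the reusable pieces of a kit out of one sandbox result."""
    page_host = urlsplit(scan["page_url"]).hostname
    art = {"page_host": page_host, "third_party_hosts": set(), "script_urls": set(),
           "post_endpoints": set(), "redirects": [], "paths_by_host": {}}
    for req in scan["requests"]:
        parts = urlsplit(req["url"])
        host = parts.hostname
        if "location" in req:
            art["redirects"].append((req["url"], req["location"]))
        if host == page_host or host in BENIGN_HOSTS:
            continue  # first-party or known-benign: not kit infrastructure
        art["third_party_hosts"].add(host)
        art["paths_by_host"].setdefault(host, set()).add(parts.path)
        if parts.path.endswith(".js"):
            art["script_urls"].add(req["url"])       # candidate kit scripts
        if req["method"].upper() == "POST":
            art["post_endpoints"].add(req["url"])    # candidate panel / C2 endpoints
    return art


def shared_infrastructure(a, b):
    """Hosts, script URLs and POST endpoints that two scans have in common."""
    return {
        "hosts": sorted(a["third_party_hosts"] & b["third_party_hosts"]),
        "scripts": sorted(a["script_urls"] & b["script_urls"]),
        "post_endpoints": sorted(a["post_endpoints"] & b["post_endpoints"]),
    }


if __name__ == "__main__":
    a, b = extract_artifacts(SCAN_A), extract_artifacts(SCAN_B)
    for key, values in shared_infrastructure(a, b).items():
        print(key, "->", values)
```

Two different lure domains, one panel host and one script URL: that intersection is the "same kit, same crew" signal the aggregation view is built on, and it came from scans that were already public.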
Case Study Flow: From Victim to Evidence Package
Here’s the high-level flow of how a victim report turns into a structured case.
Now let’s look at two real-world-style scenarios that illustrate one point:
Borders do not protect you if the evidence package is solid.
Case 1: US → UAE — “The Dubai Exploit”
- Victim: elderly US citizen
- Loss: six figures
- Operators: based in Russia, relaxed, “grey zone” mindset
Their mistakes:
- Bad OpSec in chats (keyboard layouts, language mix)
- Instagram stories showing off international travel, including Dubai
The victim’s son:
- Used his legal status in the UAE
- Filed a formal complaint via UAE e-government portals
- Ensured that when the scammer landed, there was a legal firewall waiting
Outcome:
- Scammer detained in Dubai
- Case processed under UAE law
- Jurisdiction followed the person, not the blockchain
Case 2: Kazakhstan as a Proxy for Justice
- Victim: US
- Operator: Russia
- Classic prognosis: “Nothing to be done. Different jurisdictions.”
Instead of accepting that, the victim:
- Routed the legal process via Kazakhstan
What happened:
- A criminal case was opened in Kazakhstan (strong mutual legal assistance treaties)
- Formal request sent to Russian authorities
- Search and arrest executed on the Russian side
- No extradition needed — local prosecution was enough
Takeaway:
Crypto is borderless. So is criminal justice if you route the paperwork like an API request.
The Grey Market Threat Model (“probiv”)
In Russia and parts of the CIS, there is a huge grey market for insider data, often called “probiv”.
This is not OSINT. This is illegal access to:
- State databases
- Telco systems
- Bank systems
- Travel records
We do not use or endorse this. But scammers should understand what it means for them.
Data often on sale:
- Border crossing history
- Flight passenger manifests
- Civil registry (marriage, relatives)
- Real-time geolocation from telcos
Scammers hide behind Telegram usernames and think they are safe.
In reality:
- Their full biography sits in centralized state systems
- Access to that data on the black market can cost less than a pizza
If that’s what a random person can buy:
Imagine what a verified investigator can do with a warrant, MLAT, and a well-prepared evidence package.
Anonymity is a UX feeling, not a technical fact.
What the DestroyScammers Dashboard Actually Is
We don’t sell:
- “Recovery”
- “Guaranteed fund tracing”
- “Chargeback for crypto”
Those are usually secondary scams.
We do build an open source intelligence platform focused on crypto scam infrastructure.
Current capabilities:
- Visualization
  - Graphs of domains, wallets, panels, and social accounts
  - Clustering scam “crews” and campaigns
- Archiving
  - Snapshots of scam sites and chats
  - HTTP 404 is irrelevant if we have the HTML, screenshots, and archive.org copies
- Aggregation
  - Multiple victims, one scam kit → single unified view
  - Detecting rebrands, new domains, and “v2” panels
Roadmap:
- [ ] Automated timeline generation for specific scam crews
- [ ] Stronger Domain ↔ Wallet ↔ Social entity mapping
- [ ] Public API for community evidence and intel submissions
Links:
- Dashboard: https://phishdestroy.github.io/DestroyScammers
- Dataset: https://github.com/phishdestroy/destroylist
- Victim Action Guide: https://phishdestroy.io/critical-action
How You Can Use This as a Dev / Researcher
If you’re a developer, security engineer, or researcher, you can:
- Use the dataset to build your own detection logic
- Correlate our data with your SIEM / alerts
- Run your own enrichment (e.g., custom chain analytics)
- Automate reporting workflows to relevant jurisdictions
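The first two bullets (detection logic, SIEM correlation) in working form, as an added example rather than anything shipped with DestroyList: a blocklist is loaded into a set and matched against resolver log lines on label boundaries, so `login.scam.example` matches `scam.example` while `scam.example.evil.example` and `notscam.example` do not. The blocklist entries and log lines are constructed, and loading the dataset as a plain list of registrable domains is an assumption; check the repo for its actual file layout before wiring it in.

```python
import re

# Constructed blocklist standing in for the DestroyList export. The real
# dataset's file layout may differ; here we assume it can be loaded as a
# plain list of registrable domains.
BLOCKLIST = ["claim-airdr0p.example", "wallet-verify.example", "nft-mint-now.example"]

# Constructed resolver log lines in a key=value style.
LOG_LINES = [
    "2024-05-02T10:15:01Z client=10.0.0.12 query=login.claim-airdr0p.example. type=A",
    "2024-05-02T10:15:07Z client=10.0.0.12 query=CLAIM-AIRDR0P.EXAMPLE type=AAAA",
    "2024-05-02T10:16:30Z client=10.0.0.44 query=claim-airdr0p.example.evil.example type=A",
    "2024-05-02T10:17:02Z client=10.0.0.44 query=notwallet-verify.example type=A",
    "2024-05-02T10:18:45Z client=10.0.0.9 query=static.nft-mint-now.example type=A",
    "2024-05-02T10:19:00Z client=10.0.0.9 query=docs.python.org type=A",
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) query=(?P<query>\S+) type=(?P<type>\S+)$"
)


def normalize(host):
    """Lower-case and drop the trailing dot resolvers often log."""
    return host.strip().lower().rstrip(".")


def load_blocklist(entries):
    return {normalize(e) for e in entries}


def match_domain(host, blocked):
    """Return the blocklist entry covering host, matching on label boundaries.

    'a.b.example' matches 'b.example'; 'b.example.evil' and 'xb.example' do not.
    """
    labels = normalize(host).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocked:
            return candidate
    return None


def scan_logs(lines, blocked):
    """Turn matching log lines into alert records a SIEM can ingest."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the pipeline
        hit = match_domain(m["query"], blocked)
        if hit:
            alerts.append({"ts": m["ts"], "client": m["client"],
                           "query": normalize(m["query"]), "matched": hit})
    return alerts


if __name__ == "__main__":
    for alert in scan_logs(LOG_LINES, load_blocklist(BLOCKLIST)):
        print(f"{alert['ts']} {alert['client']} -> {alert['query']} (list entry: {alert['matched']})")
```

The label-boundary walk is the part people get wrong: a naive `endswith` or substring check would alert on `notwallet-verify.example` and miss nothing, but it also lets an attacker-controlled suffix like `.evil.example` swallow your list entries as subdomains of something else.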
We intentionally keep everything open:
- No secret paywalled feeds
- No NDAs
- No “elite club”
Fork it, break it, improve it.
Conclusion: Structured Rage > Silent Shame
Scammers want victims to feel:
- Stupid
- Alone
- Helpless
Silence is their best security feature.
The counter-strategy is not “vigilante justice”. It’s structured rage:
- Save the logs
- Dump the HTML
- Archive the site
- Document the chain transactions
- File reports where they actually matter
- Use OSINT and automation to keep pressure on the infrastructure
You don’t have to stay “just another victim”.
You can be the edge case that crashes their operation, burns their kit, and makes their next campaign a lot more expensive.
If this resonates:
- Star the repo: https://github.com/phishdestroy/destroylist
- Play with the dashboard: https://phishdestroy.github.io/DestroyScammers
- Fork the data, plug it into your stack, and make crypto a more hostile place for scammers.