In the summer of 2022, we received a case with the task of identifying a scammer. The input was a Telegram account — more precisely, just the display name “CJ” and an exported chat between the client and the offender. Thus, the initial data consisted only of the account ID and a pair of initials: CJ.
The scam scheme was quite simple — selling advertising in the accounts of famous personalities (musicians, porn actresses, etc.). After luring the victim with several real placements from mid-level celebrities, the scammer received several large orders totaling over $1 million and, of course, disappeared.
Moreover, by the time we took the case, the scammer had already set a username.
Thus, at the start we had the following:
Thanks to this, we were able to identify the full personal information of the scoundrel within an evening, including his place of residence in the USA, phone number, social media accounts, and some other information.
The summary of the results provided to the client was brief but made him very happy:
How did we do it?
Without going into investigative details that only a knowledgeable person would understand, here’s a brief summary of how it was accomplished.
In many fraud-related cases, the key to identifying the perpetrator lies in their mistakes and a factor like laziness. It was thanks to the latter that this deanonymization case was successfully closed.
By analyzing the history of the Telegram user’s username changes, the specialist noticed that some time ago one of the usernames was an abbreviation of a first and last name plus the word “official”. In addition, the “name” field contained a first name starting with that same initial, and a letter that was likely the initial of a surname. This was enough to learn almost everything about this person within a few hours.
Searching for accounts on popular US social networks (Twitter, FB, LinkedIn) provided additional leads that formed the basis of several working hypotheses regarding the scammer’s identity.
Each hypothesis was tested. While investigating one of them, a deleted account (thankfully, Google cache still had a copy) was found on a social network. It contained information that matched the fragmented data already gathered about the criminal’s identity.
For example, in this post from his “work account,” the individual shares information that allows us to estimate his age:
Eventually, continuing to work through the main version, we found a number of other accounts and fragmented information, gradually assembling the puzzle.
Imagine our surprise when, upon identifying his phone number, we saw that it was linked to the Telegram account that started our investigation.
This situation strongly suggests that the person did not plan the crime in advance, and most likely the intent arose spontaneously. This is rather an exception in the practice of fraud investigations.