Beware of the “Child in Distress” Scam: Technical Investigation of a Real Case in Spain

By Alex Fernandez


Recently, a close family member was the target of a digital scam attempt in which criminals tried to steal €4,000 by impersonating me on WhatsApp. I was able to gather evidence of how they operate and hand everything over to the authorities.

I want to share the experience and the technical analysis to raise awareness and demonstrate how these groups work.


Step-by-Step Breakdown of the Fraud

The initial contact

The scammers pretended to be me on WhatsApp, claiming that my phone was broken and that I urgently needed money.

The financial objective

They first requested a €500 Bizum transfer to a number supposedly belonging to “a friend of mine.” Later, they increased the pressure, asking for up to €4,000.

The different IBANs they used

During the conversation, they provided up to five different bank accounts in an attempt to receive the money.
After my investigation, I discovered the origin and registration location of each account:

  • CaixaBank (Palma de Mallorca)

  • BBVA (Albal, Valencia)

  • Santander (Picassent, Valencia)

  • Caja Rural (Albal, Valencia)

  • Sabadell (Palma de Mallorca)

The use of multiple accounts demonstrates that this network has infrastructure in place to avoid immediate blocking.
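As an added example (not the author's own tooling or method), the sketch below shows how the IBANs pasted into such a chat can be checked and sorted before reporting them: a Spanish IBAN carries a four-digit bank entity code and a four-digit branch code, so each one can be routed to the right bank's fraud team. The names `ES_BANKS`, `parse_es_iban` and `group_by_bank` are chosen for this example, and the sample value is the publicly documented example IBAN for Spain, not an account from this case.

```python
import re

# Banco de España entity codes for four of the banks named above.
# "Caja Rural" is omitted: several cooperative banks share that name,
# each with its own code, so it needs a lookup in the official register.
ES_BANKS = {"2100": "CaixaBank", "0182": "BBVA",
            "0049": "Banco Santander", "0081": "Banco Sabadell"}


def iban_is_valid(iban: str) -> bool:
    """ISO 13616 check: move the first four characters to the end,
    map letters to numbers (A=10 ... Z=35), and require value % 97 == 1."""
    rearranged = iban[4:] + iban[:4]
    digits = "".join(str(int(ch, 36)) for ch in rearranged)
    return int(digits) % 97 == 1


def parse_es_iban(raw: str) -> dict:
    """Normalise a Spanish IBAN as pasted from a chat and split its fields."""
    iban = re.sub(r"[\s-]", "", raw).upper()
    if not re.fullmatch(r"ES\d{22}", iban):
        raise ValueError("not a Spanish IBAN (ES + 22 digits)")
    if not iban_is_valid(iban):
        raise ValueError("IBAN check digits do not match (typo or fake)")
    entity, branch = iban[4:8], iban[8:12]
    return {"iban": iban, "entity": entity, "branch": branch,
            "bank": ES_BANKS.get(entity, "unknown, check the register")}


def group_by_bank(raw_ibans):
    """Group chat-supplied IBANs by bank so each fraud team gets its own list."""
    report = {}
    for raw in raw_ibans:
        try:
            info = parse_es_iban(raw)
        except ValueError as err:
            report.setdefault("invalid", []).append((raw, str(err)))
            continue
        report.setdefault(info["bank"], []).append(info)
    return report


if __name__ == "__main__":
    # Publicly documented example IBAN for Spain, not an account from this case;
    # the second entry is the same value with one digit altered.
    sample = ["ES91 2100 0418 4502 0005 1332", "ES91 2100 0418 4502 0005 1333"]
    for bank, entries in group_by_bank(sample).items():
        print(bank, entries)
```

The branch code only identifies the office where the account was opened; resolving it to a town requires the bank's or the Banco de España's office register.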


The Technical Investigation

When my relative informed me of what had happened, I decided to carry out an investigation in several phases.

1. SMS Spoofing as a Counter-Social Engineering Technique

I used controlled SMS spoofing to send a message to the number linked to the Bizum, simulating that it came from their own network of contacts (the other number we had, belonging to another scammer). The SMS contained a tracking link.

Result: the attackers opened the link, which allowed me to record their real IP, device, browser, and exact geolocation for two hours.

Example:

  • IP: 84.125.72.85

  • Location: Xeraco, Valencia

  • Device: Android 10, Chrome 139


2. Correlation with Databases

Next, I performed an OSINT analysis by cross-referencing the IPs with several repositories. I found matches with emails and credentials associated with the same IP addresses, as well as the full name, surname, and public address of three individuals.

This indicates that the network members are not sophisticated actors, since they leave traces in compromised services.


3. Analysis of the Modus Operandi

  • The group likely uses Telegram to coordinate and maintain quick communication.

  • The Bizum numbers and IBANs probably belong to money mules who receive funds in exchange for a commission.

  • The core criminal group is probably from Eastern Europe.


Lessons Learned

  • Never trust urgent messages without verifying through another channel. A 30-second call can prevent the loss of thousands of euros.

  • Scammers constantly change IBANs and phone numbers to avoid being blocked, making them harder to track.

  • Social engineering is their main weapon. They don’t rely on sophisticated exploits, but on manipulating trust and urgency.

  • Tracking is possible, but must be done carefully and always reported to the authorities.


Final Reflection

This case confirms what we see every day in cybersecurity: technology and psychology go hand in hand in modern fraud schemes.
The key lies in education, prevention, and, whenever possible, investigation and reporting.
