Bitcoin Forum

Only last night I became aware of a "group buy scammer" behind the notorious "Avalon-Shenzhen Scam". He is probably also perpetrator of numerous other "group buy" and other type scams, including VX-Miners, the "1000 pcs USB Erupters Scam" and many other. May also be involved in or related to outbreak of pm phishing scams, such as this scam (http://"https://bitcointalk.org/index.php?topic=597152.0") in which a scammer pose as "Vod" and "austin" to steal a bounty for finding another scammer!  ::)

I become interested in taking up hunt of scammer upon discovery of 20,00 BTC bounty on his head from victim of Avalon-Shenzhen and possible bounty from other victims. So I start my hunt looking at forum threads and basic information...

Avalon-Shenzhen, VX-Miners, USB Erupters and many other group buy scam all share similar characteristic. My English personally is bad, but after consulted friend of mine in USA who speak English, German and Finnish he says scammer is probably not native English speaker but probably speaker of Central European language. This can be faked, said he, so it is only educated guess. But it get more interesting...

I begin analyzing network forensic data and peeling through proxy and Tor exit node used by scammer. I happen upon particular IP address used by scammer to access forum. IP address come back as locate in state of Wisconsin. But what interesting about it is that after do back-trace of network activity with help of South Korean service, I find that this IP address been used from country of Poland... central European nation...

What more interesting is that there is particular Polish person who in past used IP address months before scams take place, and he make a lot of spam posts on Polish and Central European blogs. Many of these posts has mention "Bitcoin" and "Bitcoin mining", and also possible connected to other non-Bitcoin scam, phishing, frauds and other thing! Also find possibly related activity on PirateBay and other file-share websites asking for Bitcoin donation.

Now I summarize what currently leads I have...

Current Leads & Suspicion:

• Scammer behind Avalon-Shenzhen, VX-Miners, USB Erupters and numerous other same person
• ... is native of Poland and probably live in there today
• ... may be fan of "Miklos Rozsa" and active on PirateBay May find leads here (http://"https://www.google.com/search?q=miklosrozsa+bitcoin&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a&channel=sb")
• ... make money from blackhat SEO activity
• ... possible linked to phishing and other scam/fraud inside and outside bitcoin community
• ... scammer probably friend with other Central European scammer; notice related activity and spam for payday loan, mortgage and credit scam/fraud

It is not much, and none of this truly confirm yet. But it is great start for less than one day hunting. I feel like I have solid foundation under foots now to try begin a case against the scammer build. To all victim of this scammer I want you to know someone really do care and is hunting the bastard. And it already appear he overestimate anonymity of Tor, Bitcoin and proxy he use and make critical error in covering track. A name, dox and maybe even arrest could eventually be result of this investigation. Recovering of stolen fund may be too much to hope for, but anything is possible. It too early to make any promise, but I trying really hard.

I do this for two reason. Most obvious reason, I want to catch scammer and claim bounty. His head on spike worth quite a bit coin. But also I hate scammers with burning passion. I have been victim of scam before like many of you. I feel very bad for victims. I very touched by story of user "kenmor666" particular, a disable military veteran who scammer stole from him over $5.000,00 USD of bitcoin and financial devastate him. All victim of scammer real people with real story and real lives, and this hurt them very seriously. There are few wealthy victims who probably not hurt as badly, but they still deserve also justice.

I must be careful what discovery and informations I share publicly. Most important, we don't want to give scammer ability to hide his footprints by revealing too much detail. Second, I don't allow trickster to claim credit for my labors and try to snatch bounty out my fingern. However I willing to cooperate and share information with other hunter best as possible without compromise investigation or loss my own compensation for much hard labor that will come.

I will update thread with news and update of hunt when possible. I canot be hunter all hour of the day and the night because I regular working person with job and must eat and pays the bills like all of you. If I find scammer and uncover name and personal detail I would like to use trusted escrow agent for exchange of information and bounty. I will not beg for donation but donation would help me spends more time on investigation. Then I need not work so much overtime and other job to sustain myself. I will let just thr community decide if my work worthy of donation and how to handle fairly and transparent.

Currently I compiling arsenal of information about scams and scammer. Bitcoin address, transaction, IP address, Tor exit node, network activity and all sort of information. I will be releasing some of these informations periodically so others may aid investigation.

If you like to help me and investigation, give tip or info or have any question please send to me a pm. I doing my best and will work on investigation all time I have my time free!

Thanks  ;)

Scammer Facts & Info
Updated 5.13.2014

This is a compilation of the basic fact and information we know about the scams and the scammer(s). It will be updated as often as possible when new informations discovered and confirmed. The following three scam (and possibly more) are believed to all be committed by same person. They all share similar style, attention to detail, linguistic patterns and money laundering techniques. This also may be the handiwork of same person responsible for phishing scam outbreak on forums.

Basic Info on the Scams

---------------------------------------------------
Avalon-Shenzhen Scam:
---------------------------------------------------

Thread URLs:
https://bitcointalk.org/index.php?topic=424621.0
https://bitcointalk.org/index.php?topic=467404.0

Scammer Username:
AvalonShenzhen

Scam Payment Address:
1Mzyo7PYfsxNLyNWhnznUYfiX1Kf6LFqkh

---------------------------------------------------
VX-Miners Scam:
---------------------------------------------------

Thread URLs:
https://bitcointalk.org/index.php?topic=452850.0

Scammer Username:
The Observer

Scam Payment Address:
???

---------------------------------------------------
"USB Erupters" Scam
---------------------------------------------------

Thread URLs:
https://bitcointalk.org/index.php?topic=252180.0

Scammer Username:
vdragon

Scam Payment Address:
1NoW8WSMkkCPb1xRAN3oLQXo5QmC8Lvw7w

Hello i just wanted too show my appreciation....i was the other thread starter for the "investegation" off the AvalonShenzhen scam..i must really say im happy too see you allready got som clues! ive been waiting a long time for that guys name lol. And i am a scam victim, and we allready agreed om 20-25bitcoins as a finders fee. i mean fuck it lets just say here and now its 30BTC alot off the people have given up the search annyhow so im just goin too up the bounty too 30. feel free to maybee use the other 10 too get yourself some outside help in I O U - BTC ;) lets catch this guy KORVA

Thanks for posting this, very useful information.

Its absolutely superb! All those fuqin scamms and poor victims like the army vet and other guys really seeing bitcoin as a possible investment oportunity and for good reason to. YOU keep grindin man :-)

lets finally get these guys ! :-D  :P

Scammer, if you here on forums and you reads this today: Know that today may be the day you dox'ed and turn into Interpol and local and national authority.

If you would like to return victim funds and avoid inevitable exposure, please let us know. Tick-tock, tick-tock... <-- This is time ticking to you ultimate demise... :)

Our scammer may enjoy playing Minecraft sometime and been part of Minecraft project. Perhaps also make donation to PirateBay and do a little mining under Eligius pool.  ;D

Also could have connection to this blog, which look like scam to me...  ::)

http://bitcoinautorobot.wordpress.com/

Just found possible name and Facebook profile... working to confirm person as scammer or clear name now.  :D

TIC TAC TIC TAC TIC TAC - "denzel voice" lest Get This wanker once and for all! It maybee took a couple of months but like serpiente12 said in his post : they will slip up somewere, they allways do ;-)

AND it certainly look like he did infact SLIP UP, its a slippery road out there you see....one needs to wachout if he finds himself on a slippy road, might just slip and brake his neck.  :o ONCE again great work with my friend and you putting us in touch! HOORAH!

OK, I definitely has solid suspect and other possible suspect. ;D

Scammer may be watching development of this thread now (Hi there!!! ;)), so I will let know not what exact informations we now have. But I give community general idea...

Suspect #1:

• Post lots of spam to internet
• Seems involve in blackhat SEO
• User (and possible donator) to PirateBay
• User/spammer on BitBin
• May be player of Minecraft, CoD Ghosts and other video game
• Located in Central Europe (maybe Poland)
• Speaks English as second language
• His name is of Czech and/or Polish origin!!!
• Also got Facebook profile XD

Suspect #2:

• Likely lurking within USA (could be Wisconsin, USA, or in UK)
• Owns lot of fake company
• Has register lot of domain name and make fake website for fake company with PO Box addresses
• Possible of Scottish descent

Right now I leaning more heavy to suspect #1, but suspect #2 may know or be involve with this person.

The information I have now is not fully complete. Remember, these people NOT proven yet guilty. It unethical to dox these people until more proof gather to proove they scammer or clear name. They are simply lead/suspect. Much more work must be done to prove link between suspect and scams. This could take day, or it could take weeks or more. I not sure yet, but working hard on case. I pretty confident these guy will be bust soon, though. Even if our suspect not the scammer(s) they could know or be in contact with them. We soon will find out! :-)

Thanks everyone for help and support!

EDIT: Suspect #2 could also be fake identity use by Suspect #1. Need more time to confirm or deny.  ;)

The more and more research I does, the more I feel like we may have found the guy... we just need to find exact location, solidify evidence and nail him!

Suspected location in Poland I think now may be wrong...

Suspect #1 definitely a user of Bitcoins, Tor, proxies... speaks multiple language. Posts on Facebook in Estonian. This is interesting, because I recently make this post (http://"https://bitcointalk.org/index.php?topic=597152.msg6663763#msg6663763") about the "Vod/austin impersonator phishing scam". In the post I talk about suspect scammer who scam me and other people on IRC years ago who was probably from Estonia.  ;D

Unfortunate for him, he stupid enough to host multiplayer games online in past and set up server himself??? :o

One of the game server he set up has IP address located in... you guessed it, Estonia. Interesting enough, the server IP resolves to location near: Jarva Jaani, Estonia

Also, he has friend located in Tartu, Estonia...  ;)

Updated thread with some basic fact information about the scams with URLs to threads, scammer payment addresses and usernames used by scammer.

I still investigating "Suspect #1". Currently there is circumstancial evidence possible link this person to scams committed here on forums. It not yet enough information to dox or prosecute person (I want to be very sure we have right guy so we don't accuse or hurt innocent person). But it is probably enough information for law enforcement to pick up and question him. But this not good enough. We want to be sure so we nail him and give him no chance to escape.

If any victim can help us with informations or you would like to aid investigation please let know!  :)

HAHA im liking this stuff ALOT!

I just found this topic https://bitcointalk.org/index.php?topic=590836.0 which links to this page. Is there really suspicions of bitwasp developers in this thread, or anyone know what's going on here that threw us into the mix?

The bitwasp@safe-mail email has nothing to do with the project.

No sir, so far I have found not any link between scams and BitWasp project or BitWasp developer.

Maybe link to this thread was placed to send you here for help or was post in error?

I do not know BitWasp developer to be guilty of anything and I not investigating any of you.

EDIT:
Ah, I think I see. The "BitWasp email" was from safe-mail, same service used by scammer we hunt. Maybe serpiente realized not that safe-mail is a large email service provider used by many people for both legitimate and illigitimate purpose.

UPDATE 13.5.2014

I began work to find physical location of Suspect #1, and found result in Tartu, Estonia. After much digging, I was able to find picture of this person from school event and even local bike race event. But there is problem. Person I locate in Tartu is 14 year old child...  :-\

I still not sure what this mean. It could mean several thing:

A) I simply found child (wrong person) with same name as Suspect #1 and should keep search on
B) Child could be little brother, nephew, son, relative or friend of actual Suspect who used same Computer
C) Name I find is simply alias or fake name of Scammer and more investigation need to find real name and location
D) Very small possibility, but child could be incredible gifted and intelligent and could be scammer, but I doubts this, haha

I looking for answer now, and also taking closer look at Suspect #2 and other suspects just in case this one innocent. When people use proxy and Tor sometme multiple people use same exit node or IP/port proxy and we must examine each potential suspect and find most likely one. But I think answer most likely the A or B possibility, and I need to continue search for people with suspect name and try to find physical location...

Reason I think these child I find is simply wrong person with same name:

* Suspect has Youtube account with activity and preference more like adult from 2009, when child only would be 8 or 9 years aged.
* Suspect first begin using Facebook when child would only been 5 or 6 years aged  ???
* Suspect multi-lingual, very intelligent, proficient in use of Tor and proxy and has knowledge of internet protocols few children possess
* Few children skilled spammer and does blackhat SEO activity for money or capable of things suspect I see does

Most interesting part is the suspect original Facebook account made many post/spam concern Bitcoin few months before the big scams take place. After scams, he try to delete this account, all his picture and all reference to ever made about Bitcoin. He then open new Facebook account with no picture of self with only few dozen local friends and never mention Bitcoin again. But he still using Tor and proxies and post spam about Bitcoin on internet to this day, but he keep it all OFF of Facebook and stay quiet. He also list no location, place of work, relatives, school or any personals information. This often indicate person wants not to be found and has hiding something.

But do not yet lose faith, friends. These investigation VERY difficult and MUCH work. Sometimes you lucky and find scammer in few days, sometimes weeks, sometimes months, sometimes year or even longer. There often MANY dead-ends and false lead along the way. You almost NEVER find a scammer on first try. One must build list of possible suspect and analyze each one by one, eliminate ones who innocent and keep search until damning evidence found. The more skilled scammer, the more work takes it to solve case. This scammer is very savvy and smarter one than most. But he not invincible, trust me!!!  :D

@ serpiente: When you become online I have detail report compile of investigation proceeding you may take look at and tell me what you think. Send me pm and we try to make sense of what information we have and make decision on how to best continue search.

it was just a stumble upon some information if it can be used in the greater puzzle then it will be seen too, but for no its just information n update! TIC TAC

I appreciate everything Shadowhax and others are doing to find this POS that stole from myself and others. I have been hurt financially by this scam as I was relying on those miners to make some money for me to help with monthly expenses. I still believe in Bitcoin, unfortunately there are many people out there who would rather steal from others than make an honest living. I wish I had some information that could help with your efforts, but all I know, I posted on the thread I started. Again thank you to all who are trying to find this person.

The hunt still on... just keeping quiet with what I currently know.  ;)

finally caught up with the messages check your pm, i have high level contacts who can pick these people up off grid if we have information

If any of you like to start case in court agaisnt the scammers,feel free to contact us via private message.

already beat you too the punch have all that sorted with serpiente. Will contact you if in need of extra freelancer

i have tried to get a hold of Cryptoken  about my order #994 and #995 I spent 55 euro and its been 3 weeks and no coins have been deposited, many people are unhappy with hos business.  I have written skrill to try and have them to stop doing business with you and they are investigating the transactions i placed with you, i ocd and screen shot everything, i sent you a copy of most of the information.   I just want my coins. BEWARE OF CRYPTOKOPEN. 

Very Unhappy customer
matt