Naturally, one would expect a savvy scammer to use a VPN in order to hide their exact location. This is not always the case with amateurish would-be cybercriminals, who may not care much about their own anonymisation. Many crypto scam cases reveal that no VPN is used at all, so it is fairly easy to estimate a scammer's location from their IP address. But even VPN usage does not protect a scammer from location detection if no attention is paid to some important details.
This is an example of a scammer's data captured under VPN using the Grabify tool. We have quite a lot of data points here, including VPN usage detection; however, nothing specific can be found to hint at their true location. All we know is that they use a VPN connection based in the US, and the timezone and locale settings match it:
But in the next example the disguise slips.
VPN usage is again detected, which leads to New York, US as the approximate location (per IP address). The device language setting is English (Great Britain) (both data points marked in red). Looks normal.
However, the timezone setting on the device corresponds to Lagos, Nigeria, and the user agent string contains the en_NG locale, which stands for "English (Nigeria)" (both data points marked in green).
So we actually have two options here:
- a Nigerian user in the US, using a US VPN, and keeping local NG settings on the smartphone.
- a Nigerian user in Nigeria hiding behind a US VPN.
The latter is much more likely, given the nature of the case.
The next case is different: VPN usage is not detected by Grabify, so at first sight it looks like a real US IP address. However, the IP address leads to Eonix Corporation, which is neither a cellular nor a domestic broadband provider but a commercial server host, which is not where a mobile user's connection should come from. The Scamalytics service gives it a very high risk score of 88: https://scamalytics.com/ip/18.104.22.168.
Plus, the device timezone still shows Lagos, which is almost certainly the true location of a user who is actually connected through a US-based VPN service:
A Scamalytics fraud score might of course not be related to a particular scam case, but it still gives a strong warning signal about potential threats coming from this address:
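The cross-checks described above (timezone vs. IP country, locale in the device language and user agent vs. IP country, and a hosting-type IP with no VPN flag) as an added example, not part of the original article or of Grabify; the `Session` fields, the small timezone-to-country table and the sample user agent strings are constructed for illustration:

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed IANA-timezone -> ISO country table; a real deployment would use
# the full zone1970.tab mapping shipped with tzdata instead of this sample.
TZ_COUNTRY = {"America/New_York": "US", "America/Chicago": "US",
              "Africa/Lagos": "NG", "Europe/London": "GB"}
# Matches locale tags such as "en-GB" or "en_NG" and captures the region part.
LOCALE_RE = re.compile(r"\b[a-z]{2}[-_]([A-Z]{2})\b")

@dataclass
class Session:            # data points a link-tracking page typically captures
    ip_country: str       # country from IP geolocation
    ip_is_hosting: bool   # IP belongs to a commercial / data-centre server
    vpn_detected: bool    # VPN flag reported by the tracking tool
    timezone: str         # IANA zone reported by the device
    device_language: str  # e.g. "en-GB"
    user_agent: str

def country_signals(s):
    """Country hints derived from device settings, keyed by their source."""
    sig = {}
    if s.timezone in TZ_COUNTRY:
        sig["timezone"] = TZ_COUNTRY[s.timezone]
    m = LOCALE_RE.search(s.device_language)
    if m:
        sig["device_language"] = m.group(1)
    m = LOCALE_RE.search(s.user_agent)
    if m:
        sig["user_agent_locale"] = m.group(1)
    return sig

def assess(s):
    """Return (likely_country, findings). likely_country is only set when at
    least two independent device signals agree on a country that differs
    from the one the IP address points to (a lone en-GB is not enough)."""
    findings = []
    sig = country_signals(s)
    for src, c in sig.items():
        if c != s.ip_country:
            findings.append(f"{src} -> {c} but IP -> {s.ip_country}")
    votes = Counter(c for c in sig.values() if c != s.ip_country)
    likely = next((c for c, n in votes.most_common(1) if n >= 2), None)
    if s.ip_is_hosting and not s.vpn_detected:
        findings.append("hosting IP with no VPN flag: probable undetected VPN/proxy")
    return likely, findings
```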