
Identify a Sextortion Email Scammer

The Dark Night Online | TRACK THIS CRIMINAL - This BTC address belongs to a #SEXTORTION #SCAMMER deploying an email #scam campaign.


Add this criminal BTC address to your investigative portfolio:

15yZJwEws2wfvyaaXS7sp5sdGH4QKsPcLW


The alias used is RYAN ROWE, sending from the email address no-reply@no-reply.com.

Demanding USD 12,000 per victim.


Determining the true identity of the sender from raw email headers is a forensic process that involves analyzing technical details about the email's origin, but it will not always conclusively identify the sender if they have gone to significant lengths to obfuscate their identity.


Anyone can run the following CHATGPT query on the RAW SOURCE CODE (the full headers) copied and pasted from the EMAIL HEADER.

With the email highlighted in your email client, click:

1. View
2. Message
3. Raw Source

You will then see the raw message source: the full headers followed by the body, which is usually html code.

Copy and paste it into ChatGPT.


This is CHATGPT in action.

QUERY: "The person who sent the email in this raw source code is attempting to obfuscate their identity. Tell me the true identity of the sender of this email from the raw source code."


RESPONSE:


Sender's Email Address:

The From field shows Ryan Rowe <no-reply@no-reply.com>. This appears to be a generic or placeholder email address, which is often used in spam or phishing attempts to obscure the sender's identity.


IP Address Analysis:

The email was received from the host hedrich-lessing-dortmund.de, with the IP address 80.152.131.112.


This IP is registered to Deutsche Telekom AG, indicating that the sender used an internet service in Germany. However, this could be a proxy, VPN, or compromised server.


Domain Information:

The domain hedrich-lessing-dortmund.de does not necessarily belong to the sender but could have been exploited as part of the obfuscation. A WHOIS lookup or DNS records check for this domain could reveal its ownership or more details about its origin.


Message ID and Authentication Results:

The Message-ID <443765609-2348@hedrich-lessing-dortmund.de> suggests that the email originated from the hedrich-lessing-dortmund.de server.


Authentication results (DKIM, SPF, DMARC) failed or were insufficient, meaning the sender did not properly authenticate the email, which is a common tactic in spam or spoofed emails.


Possible Real Identity:

While it’s possible to infer that the email was sent through a server at Deutsche Telekom, it’s not conclusive without further forensic evidence. If law enforcement or a network administrator were involved, they could request logs from the server or ISP for the timestamp of the email.


Next Steps:

Trace IP Address: Perform a detailed geolocation lookup or reverse DNS on 80.152.131.112 to identify its precise source.


Analyze Domain: Investigate the ownership of hedrich-lessing-dortmund.de via WHOIS and DNS records.


Report Abuse: Contact the abuse team of the hosting provider or ISP (Deutsche Telekom) for more information.
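The header checks in the response above (sender address, origin IP from the Received chain, Message-ID domain, SPF/DKIM/DMARC verdicts) can be done locally without sending the email to a third party. The script below is an added example written for this article, not code from The Dark Night Online or ChatGPT. It parses a raw header block with Python's standard library and produces the same kind of findings. The sample headers are constructed: they reuse the From alias, relay host and IP, and Message-ID reported in the post, but the Received chain, timestamps and Authentication-Results line are assumptions for illustration, not the scammer's real headers. The `reverse_dns` helper covers the "Trace IP Address" next step and needs network access; everything else runs offline.

```python
"""Triage the raw headers of a suspected sextortion email, offline."""
import email
import ipaddress
import re
import socket
from email.utils import parseaddr

# Constructed sample (assumption): built around the values reported in the post
# (From alias, relay host and IP, Message-ID). The Received chain, timestamps and
# Authentication-Results line are invented for illustration.
SAMPLE_RAW = """\
Received: from mx.example-mailbox.test (mx.example-mailbox.test [192.0.2.10])
 by inbox.example-mailbox.test with ESMTPS; Mon, 6 Jan 2025 10:15:02 +0000
Received: from hedrich-lessing-dortmund.de (hedrich-lessing-dortmund.de [80.152.131.112])
 by mx.example-mailbox.test with ESMTP; Mon, 6 Jan 2025 10:15:01 +0000
Authentication-Results: mx.example-mailbox.test;
 spf=fail smtp.mailfrom=no-reply.com;
 dkim=none;
 dmarc=fail header.from=no-reply.com
From: Ryan Rowe <no-reply@no-reply.com>
To: victim@example-mailbox.test
Subject: Your account has been compromised
Message-ID: <443765609-2348@hedrich-lessing-dortmund.de>

(body omitted)
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")        # matches "[80.152.131.112]"
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.I)  # matches "spf=fail"
MSGID_DOMAIN_RE = re.compile(r"@([^>\s]+)")


def received_chain(msg):
    """Received headers oldest-first. Each MTA prepends its own header, so the
    last one in the file is the first hop the mail passed through."""
    return list(reversed(msg.get_all("Received", [])))


def originating_ip(msg):
    """First globally routable IPv4 address in the oldest Received header that
    has one. Hops below the first trusted receiver can be forged by the sender,
    so treat this as a lead, not proof."""
    for hop in received_chain(msg):
        for ip in IP_RE.findall(hop):
            try:
                if ipaddress.ip_address(ip).is_global:
                    return ip
            except ValueError:
                continue
    return None


def auth_results(msg):
    """Map spf/dkim/dmarc to their verdict, keeping the outermost result."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for mech, verdict in AUTH_RE.findall(hdr):
            results.setdefault(mech.lower(), verdict.lower())
    return results


def assess(raw):
    """Summarise the header evidence: sender, origin, authentication verdicts,
    and inconsistencies between the From domain and the Message-ID domain."""
    msg = email.message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower() if "@" in from_addr else ""
    mid_match = MSGID_DOMAIN_RE.search(msg.get("Message-ID", ""))
    mid_domain = mid_match.group(1).lower() if mid_match else ""
    auth = auth_results(msg)

    findings = []
    for mech in ("spf", "dkim", "dmarc"):
        verdict = auth.get(mech, "missing")
        if verdict != "pass":
            findings.append(f"{mech} did not pass ({verdict})")
    if from_domain and mid_domain and from_domain != mid_domain:
        findings.append(f"From domain {from_domain} != Message-ID domain {mid_domain}")

    return {
        "from": from_addr,
        "from_domain": from_domain,
        "message_id_domain": mid_domain,
        "origin_ip": originating_ip(msg),
        "auth": auth,
        "findings": findings,
    }


def reverse_dns(ip):
    """'Trace IP Address' step: PTR lookup. Needs network; returns None offline."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # socket.herror and socket.gaierror are subclasses
        return None


if __name__ == "__main__":
    for key, value in assess(SAMPLE_RAW).items():
        print(f"{key}: {value}")
```

Run it on the raw source saved from your mail client instead of `SAMPLE_RAW` and the findings list gives you the same four leads the response above lists: failed SPF and DMARC, no DKIM, and a From domain that does not match the domain the message was actually generated on. The origin IP is only the earliest hop the receiving servers recorded; anything older in the chain could have been inserted by the sender, which is why the response is right to call it inconclusive without ISP or server logs.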


FOLLOW THIS WALLET on Arkham:

https://intel.arkm.com/tracer/2b514b82-ea51-4fb4-b6bf-3cfbb76f5f90

At the time of posting this article, no scammed funds have yet arrived in the identified wallet, which has proven attribution to the scammer. If they do, then CITIZEN SLEUTHS and LAW ENFORCEMENT know this wallet is 100% associated with a criminal, and we can seek a law enforcement subpoena of the VASP for identity details to prosecute them.

