Get Your Apple Gift Cards Here!
As he explains in a blog post, Haschek won first place in the SolarWinds Sysadmin Contest back in 2012 with a story he wrote about his first job. The security researcher received two 250 USD Apple store gift cards as his prize. There was just one problem: Haschek wasn't living in the United States, the country where the cards were issued. That meant there was no way for him to redeem the cards. As a result, he turned to Reddit in an attempt to sell his prize. One user seemed particularly interested in the cards, per the message they wrote to Haschek:

"Still selling the $500 Apple giftcard? Is it apple store or Itunes? I can do $380 BTC for it. Pm me back with info."

After some back and forth to verify one another, Haschek and the buyer connected on eBay. The security researcher provided the Reddit user with the PIN codes for the cards. He said he would also prepare the cards to be mailed out pending receipt of payment. So he waited several days for the buyer to transfer 380 USD worth of Bitcoin to his wallet. When nothing came, he checked on Reddit and, to his surprise, discovered the party had deleted their account.
"Excuse me, but who are you? I don't use this account except when I occasionally buy items. My ebay was hacked recently along with my email because I was keylogged. The hacker then proceeded to access my bank paypal and ebay. So no. I won't send you money for someone else hacking you but I do feel sorry for you."

Fine. Haschek could have a little fun instead. And so he did.
Payback's a Message to Your Mom
Haschek started by tying the scammer's eBay and Reddit usernames together via a Google Search. With that information, he used additional searches to find out their first name and city of residence on a job search site.

"On facebook I just entered the username he was using on ebay and I found a post from someone with an anime profile pic, linking the user name of the scammer in a post. Sure enough it was only text and not a link to a facebook profile. The post had one like. But this friend of the scammer had posted everything public. Hundreds of posts a month. I scrolled through 4 years of posts until I found something that I now refer to as the holy grail. He made a screenshot of some LoL game he played and had facebook open in the background. You could see all of his online friends. One of them was the scammer! So now I knew his full name."
"Please leave me alone after this I won't do anything like this anymore I am having panic of attacks just thinking about this."