We Talked to the Hacker Who Flooded Alleged IRS Scammers With Robocalls

A telephonic DDoS worthy of a top spot on r/justiceporn.

Danny Paez


Thousands of people across the US have been defrauded by criminals posing as the Internal Revenue Service (IRS) over the phone. They tell their victims that they owe back taxes and threaten to arrest or even deport them if they don't pay up.

A 2017 IRS report states that since October 2013, there have been more than 10,000 victims who have collectively lost more than $54 million to these scams. When security engineer and Redditor YesItWasDataMined received a voicemail from someone claiming to work for the IRS, they decided they'd had enough.

In an act of vigilante justice, the Redditor says they programmed a script to call the alleged scammers' phones 28 times a second, making it impossible for them to make or receive any calls. The grey-hat developer then recorded the calls and posted the audio on their YouTube channel, Project Mayhem. The video has since garnered more than a million views and ends with a warning.

"If you are a scammer, and you call me or cross my path in any way, I will happily call you… Again, Again, and Again."

In an interview with Motherboard conducted via Reddit direct message, YesItWasDataMined claimed to be the sole person behind Project Mayhem, which they say is an effort to halt rampant fraud phone calls by flooding lines, reporting the numbers to the Federal Trade Commission (FTC), and shaming the people responsible.

While police have arrested some alleged fraudsters, a 2017 FTC report stated that government imposter scams are now the second most common source of consumer complaints.

"The [FTC] does all they can do, but sadly it's not enough. No one else is helping these [victims]. I have been in the security field for years and I'm so sick of these scammers," YesItWasDataMined told Motherboard. "I don't just go after telemarketers either, we also record tech support scams and turn them in."

Motherboard reached out to both the IRS and FTC. The FTC pointed us toward its Annual Summary of Consumer Complaints as well as a website and hotline where you can report fraud, 1-877-FTC-HELP. We'll update this post if we get more information or hear back from the IRS.

Even though this was Project Mayhem's first video, its founder said they have been assisting victims of both phone scams and cyberattacks for some time.

"I have enjoyed playing the grey hat / white hat position for quite a while now," they said. "I actually got a lot of traction online for creating decryptors for victims who were affected by ransomware. I help where I can with all these scams."

The viral success of the video prompted other Reddit users to ask for more videos, the source code of YesItWasDataMined's phone flooding program, and even a front end to the script to let people submit numbers they receive scam calls from. The developer was excited by all the positive feedback, but was aware of the legal and ethical lines they could cross by making their code accessible to the public.

Giving anyone the power to feed numbers into a phone flooding service would almost certainly lead to harassment. All you would need is a grudge and ten digits to ruin someone's day.

YesItWasDataMined makes note of the potential for abuse in their comments and has not made the code available publicly. However, they do not intend to stop making videos.

Only two days after posting the aforementioned video, Project Mayhem uploaded a second recording. This time they targeted alleged tech support scammers, who impersonate computer technicians from well-known companies in order to sell victims unnecessary or harmful services.

While it's undeniably satisfying to hear someone beat spam callers at their own game, we can't say for sure if vigilante actions like these will do anything to stop fraudulent IRS calls moving forward. Project Mayhem's work in this case stopped this group of scammers for a few days, but will their phones still be flooded next week?

The fundamental problem is individuals being manipulated by social engineering and threats. The only way to fight that is by informing people that the IRS, or any other government organization, will never call you out of the blue and threaten to deport you if you don't pay some imaginary fee.

A 2016 IRS blog put it best: "We continue to say if you are surprised to be hearing from us, then you're not hearing from us."