4 Ways Ethical Hackers Are Fighting Back Against Scams

Written By: IndustryTrends

Picture this. A scam call center somewhere in a nondescript office building. Dozens of people on phones, reading scripts, convincing a retiree in Ohio her computer’s been hacked and she needs to transfer her savings to a “secure” account. And somewhere thousands of miles away, a guy in a hoodie is watching them do it. Through their own security cameras. Which he’s hacked into.

Not a movie plot. It’s roughly what ethical hacking looks like at the edges of the industry, where a handful of self-appointed vigilantes spend their free hours picking apart scam operations. The most famous of them, known online as Jim Browning, is the reason a lot of people even know what goes on inside these call centers.

Why bother? Well, the numbers are pretty bleak. The FTC’s latest report to Congress puts reported fraud losses among Americans 60 and over at something like $2.4 billion for 2024. That’s just what was reported. When you account for how much of this stuff never gets reported at all, the real damage might sit closer to $81.5 billion, per CNBC’s coverage. Either figure is rough.

Breaking in before the bad guys do

Ethical hacking, at least the textbook version, isn’t complicated. You poke at systems the way an attacker would, but you’ve been invited to do it, and whatever you find goes back to the people who hired you. That’s basically the whole model. Most of the industry works that way.

The anti-scam corner is a grayer zone, though. Hacking into a scammer’s network isn’t exactly sanctioned by, say, Indian law enforcement. Arguably not legal anywhere. Justification from the people doing it usually runs something like: the scammers are committing much worse crimes, and realistically, no prosecutor’s rushing to build a case against a hacker who exposed a fraud ring.

Turning scammers’ own tools against them

Here’s where it gets fun. Scam call centers use the same remote access software their victims end up downloading. AnyDesk, TeamViewer, that sort of thing. Which means a skilled outsider can, in theory, reverse the connection mid-call. Watch the scammer work. Record them. Sometimes pull their entire customer database.

Browning has done this on video, to an audience of millions. It’s not popular to say this, but the approach probably does more to raise public awareness than any government PSA campaign.

Alerting victims mid-scam

This one’s maybe the most remarkable. On more than one occasion, Browning has called victims while the scam was still in progress, explaining what was actually happening. Sometimes it works. Sometimes the victim doesn’t believe him and hangs up, which, fair enough.

Newer fraud like the so-called “digital arrest” scams, where fraudsters impersonate police and keep victims on video calls for days, has made intervention harder. The scripts are tighter now. But the tactic still works often enough to be worth attempting.

Handing evidence to police

Less glamorous, this one. A lot of what ethical hackers actually produce, after all the video and database dumps, is evidence. Spreadsheets of victims. IP logs. VoIP recordings. Packaged up, handed off.

Whether anything happens after that is a different question. Cross-border fraud is notoriously hard to prosecute. Some hackers get frustrated and stop bothering with the legal route. But the cases where something does happen tend to be the ones that make the news.

A weird little corner of the cybersecurity world, honestly. Half vigilante, half public service. And the people most at risk are still mostly unaware any of this is going on in the background on their behalf.

Analytics Insight: Latest AI, Crypto, Tech News & Analysis
www.analyticsinsight.net