Week 41: Double deception – Scammers targeting scammers

14.10.2025 - Scam attempts come in many forms and are a regular topic in the NCSC's weekly reviews. In this case, however, it is not necessarily law-abiding citizens who are being duped. The focus is instead on people who don't always play by the rules themselves.

Taking advantage of system vulnerabilities or configuration errors can seem like an easy way to make money quickly. But anyone who tries risks getting into trouble with the law. The scammers exploit this situation by pretending to share a trick for making easy money from exploiting vulnerabilities. In reality, their 'method' is the scam itself: anyone who follows their instructions ends up sending money straight to the scammers. Since the victims of this scam were attempting something illegal themselves, they are unlikely to report the crime for fear of facing charges.

The lure

The scam begins on Instagram, where someone claims to know a trick for getting a refund on purchased gift cards without the cards being cancelled. In other words, you would supposedly get your money back and still have valid gift cards to spend – clearly an illegal idea, but one that could still tempt a few people.

Victims are directed from Instagram to a Telegram channel, where they can download an instructional document in the form of an e-book file. This manual outlines the steps in plain language and includes examples that the author presents as their own experiences. Its purpose is to persuade readers to try the method for themselves.

Excerpt from the e-book manual for this scam

According to the manual, the scam works as follows: when you purchase a digital item online and pay with Bitcoin, a special code from the scammers' manual tampers with your browser's time zone at checkout. This causes the Bitcoin transaction to fail – but only after the seller has delivered the digital item. Step by step, this works as follows:

  • Download a (legitimate) browser extension called Tampermonkey.
  • Follow a link in the manual to get a small piece of JavaScript code, then paste and enable it in the Tampermonkey extension. This code supposedly manipulates your browser's time zone.
  • On a popular digital marketplace, buy gift cards (or other digital items). The manual recommends amounts from EUR 100–200; purchases must be made with cryptocurrency for the trick to work.
  • The purchased digital item is then delivered to you.
  • A few minutes later, your Bitcoin payment is supposedly refunded – the manual claims it was invalidated by the time zone manipulation.

According to the scammers, this supposedly provides a source of free money: anything bought on this portal will be refunded. However, the manual warns not to be greedy and to avoid trying to buy too much at once, as the operator will otherwise notice.

The scam

In reality, there is no such thing as free money. This is how the scam really works:

  • After installing the browser extension and the extra piece of JavaScript code, the victim places the order.
  • At checkout, the script does not change the browser's time zone as claimed. Instead, it replaces the Bitcoin address shown for payment with a different address controlled by the scammers. Consequently, the money moves from the victim's wallet to the scammers' wallet and is not refunded as promised.
JavaScript snippet used to manipulate the Bitcoin address and QR code

Rather than ending up with free gift cards, people who try the trick are themselves defrauded, and the Bitcoin they paid is diverted to the scammers' wallet and lost. The NCSC believes that these kinds of scams usually aren't reported to the police. After all, the victims were attempting to commit fraud themselves, so they are unlikely to come forward.

It is also clear why a specific marketplace is required for these purchases: this portal accepts Bitcoin for gift cards and similar items, which is still uncommon elsewhere.
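
As an added example (not part of the NCSC's review and not the scammers' code), the following static check reads a userscript before it is enabled in Tampermonkey and flags the combination described above: a hard-coded Bitcoin address together with code that writes to the page, in a script that claims to change the time zone without touching any time zone API. The regular expressions, finding names, sample script, address, site and selector are all constructed for illustration.

```javascript
// Added example: static review of a userscript before enabling it in Tampermonkey.
// All patterns, finding names and sample data below are constructed for illustration.

// Shapes of legacy (1.../3...) and bech32 (bc1...) Bitcoin addresses.
const BTC_ADDRESS = /\b(?:bc1[ac-hj-np-z02-9]{11,71}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b/g;
// Writes that can change what a checkout page displays (text, fields, QR image source).
const DOM_WRITE = /\.(?:textContent|innerText|innerHTML|value|src)\s*=[^=]|\.setAttribute\s*\(|\.replaceWith\s*\(/;
// Code that really dealt with time zones would reference at least one of these.
const TIMEZONE_API = /Intl\.DateTimeFormat|getTimezoneOffset|timeZone/;
const META_BLOCK = /\/\/ ==UserScript==[\s\S]*?\/\/ ==\/UserScript==/;

function reviewUserscript(source) {
  const meta = (source.match(META_BLOCK) || [""])[0];
  const body = source.replace(meta, "");
  const addresses = [...new Set(body.match(BTC_ADDRESS) || [])];
  const findings = [];
  if (addresses.length) findings.push("hardcoded-btc-address");
  if (addresses.length && DOM_WRITE.test(body)) findings.push("address-plus-dom-write");
  // The advertised purpose (from @name/@description) does not match the code.
  if (/time\s*zone/i.test(meta) && !TIMEZONE_API.test(body)) findings.push("claimed-timezone-not-touched");
  return { addresses, findings, verdict: findings.length ? "do-not-install" : "no-indicators" };
}

// Constructed sample: placeholder address, hypothetical site and selector.
const SAMPLE = [
  "// ==UserScript==",
  "// @name        Checkout time zone helper",
  "// @match       https://marketplace.example/*",
  "// ==/UserScript==",
  "const addr = '1ConstructedSampLeAddressXXXXXXXX';",
  "document.querySelector('#pay-address').textContent = addr;",
].join("\n");

console.log(reviewUserscript(SAMPLE));
```

A result of `no-indicators` only means none of these three patterns were found; it does not show that a script is safe to run.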

Recommendations

  • If an offer sounds too good to be true, it often is.
  • Exercise the utmost caution when dealing with software or scripts obtained from unknown or dubious sources. If in doubt, do not install or run them.
  • Although an antivirus program is essential, do not rely on it alone, as new or obscure files and patterns are often not detected as malicious.
  • If you suffer financial loss, the NCSC recommends reporting the incident to the police. You can find your nearest police station on the Suisse ePolice website (available in German, French and Italian).

Last modification 14.10.2025


https://www.ncsc.admin.ch/content/ncsc/en/home/aktuell/im-fokus/2025/wochenrueckblick_41.html