Unmasking the Scammers: How AI Is Exposing Job Scam Networks

by

Author: Denis Avetisyan

Researchers have developed a system using artificial intelligence to proactively investigate and map the infrastructure behind increasingly sophisticated job scam operations.

Anansi generates synthetic victim personas to ensure consistent and realistic interactions between language model agents and scammers operating across diverse digital platforms.
Anansi generates synthetic victim personas to ensure consistent and realistic interactions between language model agents and scammers operating across diverse digital platforms.

Anansi, a scalable system leveraging LLM agents, reveals patterns of infrastructure reuse and estimates $12.3M in losses due to message-based job scams and cryptocurrency fraud.

Despite growing concern over online fraud, scalable analysis of rapidly evolving “smishing” schemes-where victims are lured with fake job offers-remains a significant challenge. This paper introduces ‘Anansi: Scalable Characterization of Message-Based Job Scams’, a novel system employing large language models and automated agents to systematically engage with and analyze these operations in the wild. Our analysis of over 1,900 scammers and 29,000 messages reveals extensive infrastructure reuse and deceptive tactics linked to an estimated \$12.3M in cryptocurrency losses. Can automated engagement with malicious actors provide a crucial methodological foundation for proactively disrupting large-scale fraud ecosystems?

The Evolving Landscape of Deception

Conventional fraud detection systems, largely built upon identifying transactional anomalies, are proving increasingly ineffective against contemporary schemes like employment scams. These operations don’t typically trigger alerts based on unusual spending patterns; instead, they prioritize establishing rapport with victims through carefully crafted interactions. Scammers invest significant effort in building trust, often mimicking legitimate recruiters and companies, and exploiting the natural desire for stable employment. This reliance on social engineering – manipulating psychological vulnerabilities rather than exploiting technical flaws – allows fraudulent activity to unfold over extended periods, masking the eventual financial exploitation within a seemingly normal pattern of communication and, ultimately, circumventing rule-based detection systems designed to flag suspicious transactions. The shift toward relationship-based fraud necessitates a move beyond purely quantitative analysis and towards methods that assess the behavioral and linguistic cues indicative of manipulation.

The escalating integration of cryptocurrency into fraudulent schemes presents unprecedented difficulties for both investigators and victims. Unlike traditional financial transactions, cryptocurrency offers a degree of pseudonymity and operates across borders, complicating the process of identifying perpetrators and seizing illicit gains. While blockchain technology is often touted for its transparency, tracing funds through multiple wallets and mixers-services designed to obscure transaction origins-can be extraordinarily time-consuming and frequently unsuccessful. This exploitation of digital finance vulnerabilities is particularly acute in schemes like ‘pig butchering,’ where scammers cultivate long-term relationships to justify increasingly large cryptocurrency investments before disappearing with the funds. The decentralized nature of many cryptocurrencies, combined with the lack of robust regulatory oversight in some jurisdictions, further exacerbates the challenges of recovery, leaving victims with limited recourse and highlighting a critical need for enhanced international cooperation and innovative forensic techniques.

The escalating prevalence of ‘pig butchering’ scams-where fraudsters cultivate prolonged, emotionally invested relationships with victims before extracting funds-underscores a critical gap in current fraud detection strategies. These schemes aren’t simply about technical exploitation; they rely heavily on psychological manipulation, building trust and exploiting vulnerabilities in human connection over weeks or months. Traditional methods, focused on transactional anomalies, often fail to identify these slowly unfolding deceptions. Consequently, a more holistic approach is needed, integrating behavioral analysis, linguistic pattern recognition, and an understanding of social engineering tactics. Effective detection now requires identifying the subtle cues of manipulation – the grooming process, the fostering of false intimacy, and the gradual erosion of a victim’s critical thinking – rather than solely focusing on the financial transaction itself. This necessitates collaboration between fraud investigators, psychologists, and behavioral scientists to develop robust defenses against these increasingly sophisticated and emotionally damaging attacks.

The total number of transactions and associated US dollar value reveal the financial impact on victims of cryptocurrency scams.
The total number of transactions and associated US dollar value reveal the financial impact on victims of cryptocurrency scams.

An Integrated System for Unveiling Deceit

Anansi is a structured pipeline for the end-to-end analysis of job scams. It moves beyond simple detection to comprehensively document the scam lifecycle, beginning with initial contact-typically through online job boards or messaging applications-and progressing through various engagement stages including application submission, interview processes, and requests for personal or financial information. The pipeline is designed to track and categorize scammer tactics at each stage, culminating in the potential for financial loss, and allows for the systematic recording of evidence, including communication logs and requested information, for detailed characterization and future mitigation efforts. This systematic approach enables researchers to move beyond anecdotal evidence and establish patterns in scammer behavior.

The Anansi pipeline employs automated interaction with identified scammers using tools such as Selenium for browser automation and LLM Agents to mimic human conversational patterns. Selenium facilitates programmatic control of web browsers, allowing the pipeline to navigate scam websites and respond to prompts as a potential victim. LLM Agents, integrated with these automated browsers, generate contextually relevant messages, effectively engaging scammers in dialogue and eliciting their typical methods of operation. This automated interaction allows researchers to observe scam tactics-including information gathering, persuasion techniques, and requests for financial details-at scale and without direct human involvement, providing a consistent and reproducible data source for analysis.

Data acquisition for the Anansi pipeline utilizes web crawlers to proactively identify and gather scam advertisements and related online content. Prior to initiating any interaction or data collection, the project underwent review and received approval from an Institutional Review Board (IRB). This IRB approval ensures all data acquisition and engagement activities adhere to ethical guidelines, prioritizing the safety of potential victims and responsible research practices. The IRB protocol specifically addresses data handling procedures, minimization of risk, and adherence to privacy regulations throughout the pipeline’s operation.

Anansi utilizes a pipeline architecture to process and generate outputs, as illustrated in this schematic.
Anansi utilizes a pipeline architecture to process and generate outputs, as illustrated in this schematic.

Dissecting the Anatomy of Deception

Anansi employs message clustering techniques to monitor the progression of scam campaigns by grouping messages with similar linguistic characteristics and shared contact information. This process identifies recurring patterns in scammer communication, revealing reused message templates – including phrasing, narrative structures, and emotional appeals – across multiple victim interactions. By clustering messages based on textual similarity and identifying shared entities like email addresses, phone numbers, and social media handles, Anansi can track how campaigns adapt and evolve over time, highlighting the reuse of successful tactics and the propagation of malicious content across different targets. This allows for the detection of coordinated scam operations and the identification of core infrastructure used by threat actors.

Multimodal analysis within Anansi integrates the examination of textual content, visual elements, and behavioral indicators to construct detailed profiles of scam operations. This approach moves beyond simple keyword detection by analyzing image characteristics – such as the presence of emotionally manipulative visuals or branding associated with fraudulent schemes – alongside linguistic patterns in messages. Behavioral patterns, including message frequency, response times, and the sequence of requests made to victims, are also incorporated into the analysis. By correlating these diverse data streams, the system identifies key indicators of malicious intent that might be missed by analyzing any single modality in isolation, enabling a more accurate and robust detection of scam activity.

The Anansi pipeline integrates a Wallet Extraction Module designed to automatically identify cryptocurrency wallet addresses embedded within scam communications. This module facilitates the tracking of illicit funds and contributes to potential recovery efforts. Extracted addresses are also incorporated into dynamically updated blocklists, which proactively warn users across various platforms about known malicious cryptocurrency addresses, mitigating potential financial losses before transactions occur. The system’s ability to identify and disseminate these blocklists provides a preventative measure against ongoing and future scams utilizing cryptocurrency as a primary method of payment or fund transfer.

The Task Completion Module facilitates automated interaction with identified scammers to map their operational workflows. During a data collection period, the system processed 29,209 messages and successfully established engagement with 1,901 unique scammer entities. This automated engagement allows for the observation of sequential actions taken by scammers – from initial contact and pretext establishment to requests for funds or personal information – providing detailed insights into common scam methodologies and enabling the identification of patterns in scammer behavior. The resulting data is used to refine detection algorithms and proactively counter evolving scam tactics.

The cumulative distribution function illustrates the persistence of scammers following a user's last message, indicating how long they continue to attempt engagement.
The cumulative distribution function illustrates the persistence of scammers following a user’s last message, indicating how long they continue to attempt engagement.

The Evolving Art of Deception and its Countermeasures

To obscure the origins of malicious activity, scammers increasingly utilize a technique called Domain Fronting. This involves routing traffic – intended for a fraudulent website or operation – through legitimate content delivery networks (CDNs), such as those used by major technology companies. By effectively hiding behind these trusted services, scammers make it significantly more difficult to pinpoint the true source of the attack or fraud. This complicates attribution, hindering efforts to take down the malicious operation and prosecute those responsible, as standard network monitoring tools may only reveal the CDN’s address, not the scammer’s. The practice leverages the inherent trust placed in these CDNs to mask nefarious activities, creating a significant challenge for cybersecurity professionals and law enforcement agencies attempting to combat online fraud.

Cryptocurrency scams frequently utilize a technique called wallet rotation to obfuscate the flow of illicit funds and hinder recovery efforts. Rather than consolidating stolen cryptocurrency into a single, easily traceable wallet, scammers instead distribute the funds across a rapidly changing series of addresses. This practice makes it exceptionally difficult for investigators to follow the money trail, as any attempt to track a specific transaction is met with a new, unrelated address. The sheer volume of wallets employed, often numbering in the hundreds or even thousands, overwhelms traditional blockchain analysis tools and significantly disrupts attempts to seize or recover stolen assets. Consequently, wallet rotation represents a core component of many successful cryptocurrency fraud schemes, allowing perpetrators to effectively launder funds and avoid accountability.

The Anansi platform facilitates the development of robust countermeasures against online fraud by dissecting the methods scammers employ to avoid detection. Through comprehensive data analysis, Anansi not only quantifies the financial impact of these schemes-revealing an estimated $12,283,258 in losses stemming from the investigated scams-but also actively identifies the infrastructure used to perpetrate them, including the cataloging of 7,028 unique scammer phone numbers. This proactive approach to threat identification allows researchers to anticipate evolving tactics and build defenses before widespread victimization occurs, effectively shifting the advantage from malicious actors to those seeking to protect vulnerable populations and maintain the integrity of online ecosystems.

The detailed analysis of scam tactics and the financial losses they generate directly supports the development of targeted protective strategies for vulnerable populations. Recognizing the evolving sophistication of online fraud – encompassing techniques like domain fronting and wallet rotation – allows for the creation of educational resources tailored to specific threats. These resources, informed by the identified patterns of scammer behavior and the scale of financial damage – exceeding $12 million and linked to over 7,000 phone numbers – can empower individuals to recognize and avoid fraudulent schemes. Furthermore, the insights gleaned from this research enable the implementation of proactive measures, such as enhanced fraud detection systems and improved reporting mechanisms, ultimately bolstering defenses against increasingly complex online exploitation and safeguarding those most at risk.

This flow diagram illustrates the process by which scammers are identified and removed from a platform, ultimately reducing fraudulent activity.
This flow diagram illustrates the process by which scammers are identified and removed from a platform, ultimately reducing fraudulent activity.

The presented work details Anansi’s capacity to map the complex interactions within fraudulent networks, a task requiring significant computational resources and a structured approach to data analysis. This echoes Henri Poincaré’s observation: “It is through science that we arrive at truth, but it is imagination that makes us seek it.” Anansi doesn’t merely detect scams; it actively probes and reconstructs the operational landscape, revealing the reuse of infrastructure and behavioral patterns indicative of sophisticated social engineering. The system’s ability to extrapolate from limited interactions-mimicking human conversation to uncover hidden connections-demonstrates the power of structured inquiry in illuminating otherwise obscured realities, ultimately quantifying the scale of financial loss-estimated at $12.3M-with a precision rarely achieved in this domain.

Where to Now?

The presented work establishes a method for automated reconnaissance of fraudulent operations. It does not, however, resolve the fundamental asymmetry. Anansi observes; it does not prevent. Future iterations must grapple with the proactive challenge: how to translate observation into disruption, without amplifying harm to legitimate actors. The current focus remains largely descriptive; a predictive capability, anticipating emergent scam vectors, represents a necessary, if difficult, progression.

The estimated $12.3M in losses serves as a stark reminder. Monetary quantification, while useful, is incomplete. The non-financial costs – eroded trust, psychological distress – remain largely unaddressed. Research should acknowledge this broader impact, moving beyond simple loss figures to consider the systemic damage inflicted by these persistent attacks.

Ultimately, the problem is not technological, but behavioral. Better fraud detection will be perpetually shadowed by more sophisticated social engineering. The long game requires a deeper understanding of human vulnerability, and a commitment to building resilience against manipulation – a problem far exceeding the scope of any single study.

Original article: https://arxiv.org/pdf/2602.24223.pdf

Contact the author: https://www.linkedin.com/in/avetisyan/

See also:

2026-03-02 19:55