OSINT Magic: Unmasking Romance Scams and International Pirates

Michaal Khan · 61:37 · 2025 · Track 1

threat-intelosintfundamentals

Michaal Khan on osint magic. A Track 1 session from Simply CyberCon 2025.

Open this segment on YouTube ↗ · jumps to 2:19:50 in the Track 1 livestream

OSINT Magic, Live

Michaal Khan does not use slides the normal way — he opens by saying TSA pulled him over because he had bullets in his PowerPoint. Then he walks through two real cases he solved: a romance scam targeting a friend, and an international book-piracy operation that the FBI, DOJ, Stripe, and PayPal had all given up on after seven years. He cracked the second one in a day. The talk is part live demo, part OSINT masterclass, and the throughline is that human persistence still beats automation when you are hunting people.

The Romance Scam: Counting Red Flags

Michaal's friend, an executive in her late 50s, calls him because she thinks she is being scammed. She is right, and he walks her through it in real time. The scammer's photos do not reverse-image-search. The accent is French but he claims to be German. He is calling on Google Voice. The video call shows the beach but never his face — she insists she saw him until Michaal points out a pictured face is not a video face. The bank login is at easycombn.com (a copy of a real bank), the WHOIS lookup shows a Gmail contact address registered in Nigeria, and the domain is brand new. The killer move is the inversion: she was logging into the scammer's bank account to transfer his stolen money to other money mules, which made her the one moving the funds.

Finding the Real Face Behind the Stolen Photo

The scammer used a real person's photos. Michaal spends 20 minutes of the talk showing the actual hunt — multi-engine reverse image search, geoint on background details, peeling the blur class off a paywalled people-search site by deleting the CSS class in DevTools, chasing a Spanish-language YouTube channel for a trash company until he finds the guy reporting in the background of a video, then naming him: Manu Garcia. Real reporter, no idea his face was in a Nigerian romance scam, and — small mercy for the friend — gay, so the relationship was never going to happen anyway.

The Magic Pirates and the Stealer Log

Vanishing Inc and a pile of independent magicians had been hemorrhaging trade secrets to a pirate site called Ernese's Magic Store for seven years. Michaal pulls a Gmail address out of the WHOIS, runs WordPress username enumeration on the pirate site to identify the admin (Yousef Yaser), correlates a freelance.com profile to a second name (Omar) and Egypt as the country, then maps the scammer's life through Google reviews. The break is a stealer log breach — the suspect's own machine had been infected, and his cleartext password was his phone number followed by his initials. With his Stripe and PayPal accounts surfaced through the breach, the case is over. He hands law enforcement the names, the addresses, the transaction histories. One day's work versus seven years of agency effort.

Who Should Watch

Anyone curious about real OSINT workflow as opposed to the marketing version. Anyone who has a friend or family member who might be in a romance scam right now. Investigators tired of "this stops at the captcha" and red teamers who want to see the offensive applications of breach data. The takeaway is uncomfortable: one red flag is enough, default everything to scam until proven otherwise, and keep clicking when everyone else gives up.