Self-initiated investigation · Network analysis · Policy proposal
Mapping an organized "Man-in-the-Middle" scam ring in P2P markets
Traced a repeat-offender network hiding behind isolated-looking cases, then proposed the risk rules to shut the pattern down.
▸Read full investigationCollapse
Context
Frontline teams kept seeing sellers lose funds on peer-to-peer trades, but enforcement was rare: each case looked like an isolated user mistake rather than organized fraud, and the evidence on any single order was thin.
My role
I opened a self-directed investigation to find the pattern buried in the noise, working from raw order and dispute data rather than waiting for a case to be escalated to me.
What I did
- Tracked every confirmed or suspected case in a working file and tagged accounts that recurred across more than one incident.
- Flagged accounts that reused the same destination bank account across multiple, seemingly unrelated orders — including after a prior dispute had already been raised on one of them.
- Cross-referenced shared devices to link accounts that looked unrelated on the surface.
- Partnered with risk leads to validate each finding and get enforcement sign-off before any account action, to avoid penalizing genuine victims caught in the middle.
- Reviewed messaging with a sample of affected sellers to validate the social-engineering script end-to-end — first contact, the pitch, and the justification used for the fraudulent payment details.
Findings
A recurring group of accounts was responsible for a disproportionate share of confirmed cases. Several had already adapted their behavior after a first warning — spacing out their activity and varying their approach specifically to stay under the threshold that would trigger a suspension. I documented the full attacker playbook end-to-end, from first outside contact to the final dispute.
Proposed risk rules
- Restrict accounts from paying into third-party bank accounts flagged mid-trade; repeat offenses trigger a graduated suspension of trading privileges (temporary, escalating to extended).
- Real-time in-chat detection for messages containing long numeric strings that resemble bank account numbers, prompting both parties with a warning and a direct escalation path before payment — rather than letting the trade proceed silently.
- Require accounts to pre-register and verify any third-party account they intend to use, closing the loophole that let the ring rotate through "clean" accounts.
Outcome
Findings and proposed rules were shared with Risk and Product leadership; several accounts were suspended on the strength of the evidence trail, and the in-chat detection proposal directly informed a Risk-team initiative to flag bank-account-like strings during a live trade. I also authored the internal training material later used to onboard teammates on the scheme.