So first of all, its very hard to understand him. Some of his messages just doesnt make any sence.
So I saw his post on buyers bay (
https://cracked.io/Thread-WTH-hacker-for...are-bypass) where he wanted the backend ip address of a cloudflare protected website.
So I dmed him and asked for the url and he sent me this url:
https://lift-api.vfsglobal.com/ (cloudflare website, where everyone is blocked) (proof:
https://ibb.co/F8nmyPy)
Then I asked for $100 for the backend ip + a site to scan for ips. (Yeah $100 is high but he accepted it, I would have also negotiated with him, it was just a start price)
I proofed him that I have access to the site (because its only possible with the backend since everyone is blocked by cloudflare) (proof:
https://ibb.co/wrGsKMm)
And then he said "Youu good that the thing i want" wich means translated, that it is exactly what he needs. Then I told him we can use a mm, but since liars were offline he dmed me after some time and asked for some more screenshots of the site, and then he said send me your usdt trc20 address and he paid. (proof:
https://ibb.co/grM0PSG)
Then I gave him the backend ip (
http://46.101.226.197) of the cloudflare protected site (lift-api.vfsglobal.com/) and gave him the site where to scan for addresses.
And now the weird part begins. He dmed me and said its not the original api of this site and then said its:
https://saint-martin-aux-bois.org. (proof:
https://ibb.co/h1ndKQy) This new site he sent me points to the same address but has no cloudflare. And it looks like he claims now that I just got the address from this url because it has no cloudflare. But it is impossible because I sent him the backend + the method how todo it BEFORE he sent me this new url.
Everything can be verified:
https://lift-api.vfsglobal.com/ -> cloudflare protected site he gave me
http://46.101.226.197 -> backend ip of this site
https://search.censys.io/search?resource...global.com -> censys search result
https://saint-martin-aux-bois.org -> new url he sent me after everything [UPDATE: I get ERR_CONNECTION_REFUSED now, so I think this domain is offline now, very weird]
And then he just started writing weird stuff, and sent me a screen of his weird script not working and starting saying that its not the correct address.
Then he started deleting some messages but I managed to record it before.
Everything I'm saying can be verified, I recorded the whole chat.
So what I think is, he found this url on censys (saint-martin-aux-bois.org) and used it to say its a address of a different site, to get a refund. But the truth is that these 2 domains are pointed to the same address, wich is obvious because both are the EXACT same websites if you open them.
Where he was deleting messages:
https://streamable.com/dsaaii
Full chat:
https://streamable.com/thz57x
I've also sent everything to liars on telegram and I hope he will get banned fast.