If you’ve ever been in a large group on Telegram, Discord, WhatsApp, or any other messaging app, you have probably received unsolicited private messages—especially if the group you’re in is crypto-related. The number one rule when in a crypto group is not to click unfamiliar links or interact when random strangers private message you. They will often try to scam you. In this post, I will break that rule and expose how these scammers operate and gather information about them.
Shailene Woodley Scammer
On Telegram, I joined only crypto-related groups. One day, about a month ago, I received a message from Shailene Woodley.
Of course, I knew it was not the real, famous Shailene Woodley who starred in The Secret Life of the American Teenager, Divergent, and other films. I still communicated with the scammer for a couple of weeks. The scammer had me send pictures of myself, which I stole from Google. The scammer also sent an image of the actress, but in a secret chat where I could not screenshot or reread the image. The scammer kept calling me “dear” and asking questions like where I lived, what my name and age were. The scammer was attempting to use the social engineering technique of familiarity. They tried to get to know me and attempted to build trust by asking how my day was, my age, and other small talk topics before waiting two weeks to ask if I wanted to purchase a fan card. The scammer also used a famous person’s name to attempt to gain authority and familiarity. You would not purchase a fan card of a famous person from a random person who messaged you on Telegram, but by using a famous person’s identity, they built authority that it was a real product.
After a couple of weeks of small talk with the scammer, they asked me to message their “management” on WhatsApp in order to buy a “fan card.” I am still unsure what a fan card is—maybe like a baseball card? The phone number of the “management” is ‘+1 (303) 648-7161’. The fake Shailene’s username on Telegram is “@shailenewoodley_org” and the phone number tied to the Telegram account is “+234 (803) 782 4852”. Below is a table to make the information easier to read.
Telegram Username | @shailenewoodley_org |
Telegram Phone Number | +234 (803) 782 4852 |
WhatsApp Username | Official Management |
WhatsApp Phone Number | +1 (303) 648-7161 |
Look into the phone numbers.
The number, ‘+1 (303) 648-7161’, has the area code for Colorado, and the phone carrier is “Sinch-Onvoy Spectrum-NSR-10X/2,” according to the site currentcarrierlookup.com. This is her “management” phone number.
Phone Number | +1 (303) 648-7161 |
Phone Provider | Sinch-Onvoy Spectrum-NSR-10X/2 |
Country Code | USA |
Area Code | Colorado |
The number on the Telegram account that was pretending to be Ms. Woodley was “+234 (803) 782 4852”; +234 is the Nigeria country code. This makes sense because, when I IP-logged the person, the IP showed that someone from Nigeria clicked the link. This will be shown later in the post. According to the site emobiletracker.com, the telecom provider is MTN. The site says the user of the phone number is Monday Drava. This might be a fake name or the real name of the scammer; I am unsure at this time. I could not find any information about the name. In my research, phone numbers in Nigeria are assigned by network providers.
Phone Number | +234 (803) 782 4852 |
Provider | MTN network |
Country Code | Nigeria |
Possible Name | Monday Drava |
After messaging her “management” on WhatsApp, they sent me the prices of the fan card. The text below is the exact same text they sent me.
Her fan/membership card ranges from 1000$-3000$ depending on the fan
Bronze fan/membership card 1000$
Gold fan/membership card 2000$
Diamond fan/membership card 3000$
Which price of my fan card can you afford??
I picked the “diamond fan/membership.” I had no intention of paying $3,000 for a fan card, but I played along with the scammers.
I asked her “management” if I could pay in Bitcoin because I knew I could attempt to track the transactions. Unfortunately, the scammer had good operational security and did not reuse the Bitcoin address they had previously used on a different victim. I plan on dusting the address, but I had to first acquire the Bitcoin.
The scammer asked for proof that I sent the money. Of course, I had no intention of paying $3,000. I took this opportunity to try to IP-log the scammers. This is when you send the scammer a link, and when they click on it, it will log their IP and other information about the device they are using. User agents are used by websites to determine what operating system a user has, the browser they are using, and other information about the device so they can determine the best way to display the website’s content.
Did you know that when you send a link in Telegram or WhatsApp, both will visit the link after it is sent?
Logging IPs
The Ms. Woodley account on Telegram had the IP address “105.113.8.88”, which is located in Port Harcourt, Nigeria. The IP’s ISP is “Celtel Nigeria Limited t.a ZAIN.” The time zone is Africa/Lagos GMT+1. The operating system of the device that clicked the link is iOS 16.7, and it is an Apple device. They were using a Chrome browser on Mobile iOS, and the user agent language was set to “en-GB.” The screen size is 375 x 812 @ 59 Hz. Below is a table with the same information from this paragraph, but easier to read.
IP | 105.113.8.88 |
ISP (Internet Service Provider) | Celtel Nigeria Limited t.a ZAIN |
Location of IP | Port Harcourt, Nigeria |
Time Zone | Africa/Lagos GMT+1 |
UA Language | en-GB |
Operating System | Apple (iOS) |
iOS Version | iOS 16.7 |
Browser | Chrome Mobile iOS |
Browser Version | 126.0.6478.153 |
Screen Size | 375 x 812 @ 59 Hz |
Another IP, “105.112.103.8,” that clicked the link from WhatsApp is located in Lagos, Nigeria. The ISP was Celtel Nigeria Limited t.a ZAIN. The device was an iPhone running version 18.2.0. The user agent is for Safari/604.1, but the browser is Chrome Mobile iOS. The device screen size is 390 x 844 @ 58 Hz. Once again, the data in the above paragraph is presented in the table below to make it easier to read.
IP | 105.112.103.8 |
ISP (Internet Service Provider) | Celtel Nigeria Limited t.a ZAIN |
Location of IP | Port Harcourt, Nigeria |
Time Zone | Africa/Lagos GMT+1 |
UA Language | en-GB |
Operating System | Apple (iOS) |
iOS Version | iOS 16.7 |
Browser | Chrome Mobile iOS |
Browser Version | 131.0.6778.154 |
Screen Size | 375 x 812 |
I have a feeling that the scammer has two iPhones—one for WhatsApp and another for Telegram. That would explain why the iOS version is different between the two devices.
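The earlier point that Telegram and WhatsApp visit a link once it is sent, and the note that the user agent says Safari/604.1 while the browser is Chrome Mobile iOS, both come down to how the User-Agent string is read. The following is an added example, not part of the original post, that separates automatic preview fetches from real clicks and reads the browser and iOS version; the preview markers `TelegramBot` and `WhatsApp/` and the sample log strings are assumptions constructed for illustration.

```python
import re

# Assumed User-Agent markers for the link-preview fetchers of the two apps
# named in the post; adjust to what your own logs actually show.
PREVIEW_MARKERS = ("TelegramBot", "WhatsApp/")

# Vendor tokens are checked before the generic one: Chrome and Firefox on iOS
# still end their UA with "Safari/604.1", so "Safari" alone proves nothing.
BROWSER_TOKENS = (("CriOS", "Chrome Mobile iOS"),
                  ("FxiOS", "Firefox iOS"),
                  ("Version", "Safari"))

def classify_hit(ua):
    """Return kind/browser/version/ios for one logged User-Agent string."""
    hit = {"kind": "unknown", "browser": None, "version": None, "ios": None}
    if any(marker in ua for marker in PREVIEW_MARKERS):
        hit["kind"] = "preview-fetch"  # automatic fetch, not a person tapping
        return hit
    ios = re.search(r"CPU (?:iPhone )?OS (\d+(?:_\d+)*) like Mac OS X", ua)
    if ios:
        hit["ios"] = ios.group(1).replace("_", ".")
    for token, name in BROWSER_TOKENS:
        found = re.search(r"\b" + token + r"/([\d.]+)", ua)
        if found:
            hit.update(kind="human-click", browser=name, version=found.group(1))
            break
    return hit

def human_clicks(user_agents):
    """Keep only hits that look like a person opening the link."""
    hits = map(classify_hit, user_agents)
    return [h for h in hits if h["kind"] == "human-click"]

# Constructed sample log (User-Agent column only); the Chrome and iOS
# versions in the third entry mirror the first table above.
SAMPLE_LOG = [
    "TelegramBot (like TwitterBot)",
    "WhatsApp/2.23.20.0 A",
    "Mozilla/5.0 (iPhone; CPU iPhone OS 16_7 like Mac OS X) AppleWebKit/605.1.15 "
    "(KHTML, like Gecko) CriOS/126.0.6478.153 Mobile/15E148 Safari/604.1",
    "Mozilla/5.0 (iPhone; CPU iPhone OS 18_2 like Mac OS X) AppleWebKit/605.1.15 "
    "(KHTML, like Gecko) Version/18.2 Mobile/15E148 Safari/604.1",
]

if __name__ == "__main__":
    for ua in SAMPLE_LOG:
        print(classify_hit(ua))
```

The User-Agent header is supplied by the client and can be changed, so these fields are a hint about the device rather than proof of it.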
Cryptocurrency Addresses
Bitcoin has a transparent blockchain, so you can see which address the coins were sent from and the amount. Sadly, as mentioned before, the scammer had great operational security and sent me an address that has never been used before. I am still going to show the Bitcoin address in case they decide to reuse the address at a later time.
Like Bitcoin, Ethereum has a transparent blockchain, so we can see that the Ethereum address holds zero ETH. Once again, the scammer had good operational security and did not reuse the ETH address. Below is a table that includes the Bitcoin and Ethereum addresses.
Bitcoin | bc1q00hgklmyf5an2fkp282d0f03hel93m9d2gj5cg |
Ethereum | 0xDc2eB158DC07783453d1954E043517481F187c4F |
Picture Proof
I asked for picture proof that she was really Ms. Woodley. I requested that she take a selfie with a blank piece of paper with my name and the day’s date. I told her my name was Tom earlier in the conversation. The scammer said they could not fulfill the request right away because they “were out to lunch.” The next day, I received the picture below. At first, I thought the scammer had photoshopped the image, so I looked on Google for similar pictures of the actress. Then I realized we live in the age of AI, and she probably enlisted the help of a generative artificial intelligence model. Once I realized that the scammer probably used AI to generate my request, I started Googling services that can detect if an image was generated by AI. The first site I tried detected a 99% chance that it was AI-generated. I tried a few other services that could detect AI usage, and they all confirmed the image was AI-generated.
I decided to message the scammer on Telegram and use this chance to try to get her IP again. I sent a message stating that I thought they were scammers and that the image they sent me was AI. The IP logger link redirected the user to Imgur, where I uploaded a screenshot of the services that detected the image was AI-generated. The next day, when I woke up, the chat and the chat history were gone from Telegram. She either deleted the conversation or blocked me.
It turned out she did not block me, just deleted the conversation. But it was too late—I had already saved all the information I needed. I did confront her about being a scammer, saying that she lived in Nigeria. She denied being a scammer and eventually stopped responding to my messages, but not before deleting her profile picture from her account. I took this as a sign that I was right about the scammer’s location, phone OS, and other information.