Delhi IT Worker Uses ChatGPT to Trap Scammer in Viral Scambaiting Sting

The encounter began with a familiar digital grift. A scammer, posing as an Indian Administrative Service officer, contacted the IT worker claiming a friend in the paramilitary forces needed to sell high-end goods “dirt cheap” due to an impending transfer. Recognizing the classic “army transfer” fraud, the target, identifying as an AI product manager on Reddit, decided against blocking the number. Instead, he engaged ChatGPT to “vibe code” an 80-line PHP webpage designed to mimic a legitimate payment portal. The code’s true function was covert surveillance: to harvest the visitor’s GPS coordinates, IP address, and a front-camera snapshot upon access.

Execution relied on clever social engineering. Feigning technical issues with a provided QR code, u/RailfanHS instructed the scammer to upload the image to the fake portal to “expedite the payment process.” Driven by greed and haste, the scammer clicked the link and, when prompted by his browser, granted the camera and location permissions necessary for the upload. “I instantly received his live GPS coordinates, his IP address, and, most satisfyingly, a clear, front-camera snapshot of him sitting,” the Reddit user reported. The subsequent digital confrontation was swift; upon receiving his own harvested data, the scammer allegedly panicked, flooding the IT worker’s phone with calls and messages pleading for forgiveness and promising to abandon crime.

While tales of internet justice often invite skepticism, the technical method described in the r/delhi subreddit thread underwent immediate community scrutiny. Other users, including u/BumbleB3333 and u/STOP_DOWNVOTING, reported successfully replicating the approach. u/BumbleB3333 confirmed creating a “dummy HTML webpage” with ChatGPT that captures geolocation after permission is granted during an image upload. This verification underscores a critical technical nuance: while ChatGPT has built-in guardrails against generating overtly malicious code for silent surveillance, it readily produces code for legitimate-looking sites that request user permissions—a loophole exploited in this sting.

The original poster acknowledged using specific prompts to navigate around some of ChatGPT’s safety restrictions, a practice he described as routine. He hosted the final script on a virtual private server to execute the trap. This incident highlights the dual-use nature of generative AI in cybersecurity: the same tools that can lower the barrier to entry for creating phishing sites can also be repurposed by knowledgeable individuals to expose and disrupt fraudulent operations. The community’s replication efforts confirm that the technique is not an isolated feat but a reproducible method, signaling a potential shift in how tech-savvy individuals approach scambaiting.

This satisfying narrative of vigilante justice, however, operates within a significant legal grey area. Cybersecurity experts routinely caution that such retaliatory “hack-backs” or counter-offensives carry substantial risks. While the intent may be to disrupt criminal activity, the actions—capturing someone’s location and photograph without consent—could potentially violate privacy laws or constitute unauthorized computer access, depending on the jurisdiction. The individual initiating the sting could face legal repercussions, despite targeting a criminal.

Nevertheless, the viral response to the Delhi IT worker’s story underscores a deep public frustration with digital fraud and a growing appetite for direct action. The incident exemplifies the evolving trend of “scambaiting,” where individuals waste scammers’ time or gather intelligence to expose them, now supercharged by accessible AI. As generative tools like ChatGPT become more sophisticated and widespread, their role in both perpetrating and combating cybercrime will likely expand. This case serves as a compelling, if cautionary, benchmark for how artificial intelligence is democratizing aspects of cybersecurity, turning everyday users into potential digital vigilantes and forcing a conversation about the ethics and legality of fighting fire with fire.