
How I Hacked a Hacker – Part 2: The Hunt Begins (Real-Life Story)

If you missed the first part of this article, check it out before you continue.

After that fake “Dangote Empowerment Grant” email and the unexpected ₦4,500 PalmPay debit, I knew someone had silently hijacked my session. I didn’t just want to block the app and move on. This wasn’t about the money. I needed to trace who was behind it, not out of pride, but because I had the skill, and it felt wrong just to let it go.

The first thing I did was pull out the phishing email again. The link was disguised as a Google Docs form. I opened the email source and saw the redirect structure buried in the HTML. It led to a subdomain on a .ng domain, not a well-known host, but a locally registered one.

Hold on, let’s take a quick detour, stay with me.

What is a Phishing Email?

A phishing email is one of the most common and dangerous tools used by cybercriminals to trick people into giving away sensitive information such as passwords, credit card numbers, or login details.

It often looks like a normal email from a trusted source, like your bank, a popular online store, or even your workplace. But behind the scenes, it’s designed to deceive you. The goal is simple: get you to click, trust, and reveal something you shouldn’t.

Most phishing attacks start with urgency. You might get an email saying your account has been compromised, a payment failed, or that you’ve won something exciting. These emails create panic or excitement, forcing you to act quickly without thinking. And that’s exactly when people click on harmful links or download infected files.

The links might look legit, but once you click, you’re taken to a fake website that captures your login details or installs malware on your device.

Beginners often assume they can spot a fake email by looking for bad grammar or strange wording. While that used to be true, phishing emails today are much more advanced. They use logos, professional designs, and even real names and emails to make the message feel authentic.

That’s why knowing how to identify a phishing email is more important than ever.

So, what should you look out for? First, always check the sender’s email address. Even if the name looks familiar, the actual address might be slightly off, like “support@apple-secure.com” instead of “support@apple.com.”

Second, hover over any link in the email before clicking. This shows the actual URL. If it doesn’t match the company’s real website or looks suspiciously long and confusing, don’t click.

Watch out for attachments you weren’t expecting. Phishing emails often use PDF, Word, or ZIP files to carry malware. If the email asks you to “verify” information or download something urgently, take a step back.

Call the company directly or log in through their official website, not through the link in the email.

Multi-factor authentication (MFA) is one of the best ways to protect yourself. Even if attackers get your password, they can’t access your account without that second step. You should also keep your software and antivirus tools updated regularly. And if you ever suspect an email is fake, report it or delete it, don’t interact with it.

In today’s digital world, phishing emails are more than just spam; they’re a gateway for identity theft, financial loss, and even ransomware attacks. Whether you’re browsing on your phone, at work, or checking emails late at night, always pause before you click.

Cybersecurity awareness isn’t just for IT professionals; it’s something every user needs to practice daily.

Now let’s get back to the story.

I copied the URL and then used developer tools to test the page in a safe environment. It had embedded JavaScript, and from looking at the code, I could tell it wasn’t collecting passwords. It was tracking session activity silently; this was classic silent redirect behavior.

That confirmed it: they didn’t need my login. They used my active browser session, stole the token, and initiated the transaction.

Next, I wanted to know where the data was going. I monitored the network requests while the phishing site loaded and noticed a call to a Telegram bot API. That meant someone had set up a bot to collect stolen session details. I extracted the bot’s username from the request URL and searched for it on Telegram.
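The same triage can be done over an exported request list rather than by eye. The script below is an added example and not the author’s own tooling; the captured requests, the page origin and the bot token in the URL are all constructed, hypothetical values. It sorts each request into first-party, third-party, a call to the Telegram Bot API (an exfiltration channel), or a third-party request carrying session-like parameters, and never echoes the bot token back out.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed capture of what a suspicious page requested while loading, as a
# browser's Network tab or a HAR export would list it. Every value is hypothetical.
CAPTURED_REQUESTS = [
    {"method": "GET",  "url": "https://forms.grant-portal.ng/apply"},
    {"method": "GET",  "url": "https://forms.grant-portal.ng/static/app.js"},
    {"method": "POST", "url": "https://api.telegram.org/bot123456789:EXAMPLETOKEN/sendMessage"},
    {"method": "GET",  "url": "https://cdn.example.net/pixel.gif?sid=abcdef1234567890&ua=android"},
]

PAGE_ORIGIN = "forms.grant-portal.ng"          # the host the page itself was served from
TELEGRAM_BOT_PATH = re.compile(r"^/bot([^/]+)/(\w+)")   # /bot<token>/<method>
TOKEN_PARAMS = {"sid", "session", "token", "auth", "cookie", "jwt"}


def classify(entry):
    """Return (category, detail) for one captured request."""
    u = urlparse(entry["url"])
    host = u.hostname or ""
    if host == "api.telegram.org":
        m = TELEGRAM_BOT_PATH.match(u.path)
        if m:
            # Report the API method only; the token in the path stays redacted.
            return "exfil-channel", "Telegram Bot API call: " + m.group(2)
    if host != PAGE_ORIGIN:
        leaked = sorted(set(parse_qs(u.query)) & TOKEN_PARAMS)
        if leaked:
            return "token-leak", "third-party request carries " + ", ".join(leaked)
        return "third-party", host
    return "first-party", host


def triage(requests):
    """Summarise a capture as (method, host, category, detail) rows."""
    rows = []
    for entry in requests:
        category, detail = classify(entry)
        rows.append((entry["method"], urlparse(entry["url"]).hostname, category, detail))
    return rows


if __name__ == "__main__":
    for row in triage(CAPTURED_REQUESTS):
        print(*row)
```

Run against the sample, the two first-party loads pass, the `sendMessage` call is labelled an exfiltration channel, and the pixel request is flagged because it carries a session-like `sid` parameter to a third-party host. Because the bot token is part of the URL path, keep it out of anything you share; the output above only names the API method.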

It was linked to a public channel that was part of a larger group. From the outside, it looked like a Telegram community focused on “wallet flipping” and “crypto giveaways,” but inside, people were actively posting stolen wallet balances, fake withdrawal screenshots, and KYC bypass tricks.

That’s where I found one of the users boasting about a ₦4,500 PalmPay steal. Same amount, same time. It matched mine. His username: @lagoshacker69.

I didn’t confront him. Instead, I created a clean Opay wallet, seeded it with ₦100, and left fake session tokens in the console log. I dropped it into the Telegram group under a fake identity, pretending to be a beginner trying to share a “dump.” Less than 10 minutes later, someone accessed the session.

I had already set up a basic logger on a private server. When the session was accessed, it triggered my logger through an invisible tracking pixel. The payload captured the attacker’s IP address, browser type, device OS, and access time. The IP resolved to Lagos, Surulere. The device was an Infinix Note, using Brave browser on Android.

That gave me something tangible.

With the IP and user agent, I ran some additional scans, looking for vulnerable services. I found an exposed router admin panel in the IP range, running on default credentials. It was a long shot, but I logged in, and it worked. From the router dashboard, I saw connected devices, including one whose MAC address matched the Infinix I had traced earlier.

I now had a more accurate idea of who the attacker was and what device they were using. The next discovery came from an unexpected angle. The attacker was reusing browser sessions carelessly.

I managed to intercept a Telegram session token through one of the callback URLs. It gave me read-only access to their messages for about 20 minutes, enough to look through their saved chats and pinned files.

They were working with two or three other people. They had fake BVNs, passport scans, and dozens of stolen PalmPay and Opay credentials. They were even creating guides on how to carry out SIM swaps using NIN slip scans and fake affidavits to trick telecom agents.

In one of the chat exchanges, I saw a picture of the guy holding a deposit slip at a POS stand, the same day I was debited. I zoomed in. His face was visible, and the POS name and amount matched.

This wasn’t just an anonymous hacker anymore. I had everything I needed.

I compiled all the evidence: IP addresses, Telegram messages, screenshots of the admin panel, and the selfie. I packaged it into a folder and sent it to a contact I had at the EFCC cybercrime unit.

They had helped me on a previous fraud case involving crypto wallet theft, so I trusted their process.

Two days later, the phishing Telegram bot was shut down. Then the domain hosting the fake form went offline. A week after that, I got feedback from the EFCC contact.

The guy had been traced to an apartment in Surulere and picked up. He confessed to running multiple phishing campaigns targeting mobile wallet users in Nigeria.

That’s how I hacked the hacker. No movie script, no dramatic scene. Just careful tracking, digital footprint tracing, and using his laziness against him.

It could’ve ended with me complaining to PalmPay and moving on. But if people like me don’t take these things seriously, these scammers will keep winning. And they’re not just targeting “big” wallets, they’re hitting ordinary people: students, parents, small traders. The kind of people who can’t afford to lose ₦500, let alone ₦50,000.

I’m sharing this because it’s real, and it happens every day. Silent redirects are not some high-tech, foreign problem.

Nigerian hackers are using it right now, and they’re getting smarter. If you’re logged into your wallet or bank on your browser and you click the wrong link, you may never see a password prompt, and still get wiped out.

So take it seriously.

Always log out. Don’t click strange links, no matter how legit they look. Avoid mixing work and wallet sessions on the same browser. And never underestimate a low-budget scam email; some of them are smarter than you think.

I wasn’t smarter than this guy. I was just faster at tracing him.

That made all the difference.

If you enjoyed this story, consider joining our mailing list. We share real stories, guides, and curated insights on web development, cybersecurity, blockchain, and cloud computing, no spam, just content worth your time.
