They're in Nigeria, with VPNs in Frankfurt, Germany and Brooklyn, NY. I think one of them is from Sierra Leone, though.
I directed them to a site I wrote to look like a personal finances app. From there, they gave me their email and password. Of course, I failed to require a recovery email, so I had to get that through an hour of social engineering.
Here's what I gleaned:
Email: [email protected]
Password: Companyodec12345 (they changed this from Company12345 about a week ago, and it's changed again)
Recovery email: [email protected]
Recovery phone: 0810-726-5608
The scammer actually entered his personal Gmail (and name, I think) as well:
Email: [email protected]
Password: okikiola232
Recovery Email: san********@o**.com
Okikiola seems to be a popular name in West Africa, and 232 is the country code for Sierra Leone.
I got into the Odecee email for about three minutes, during which time I tried killing all their access to the account (there seemed to be six users), but I didn't get them fast enough and was kicked out. Okikiola got upset and switched into what I figure is a Nigerian pidgin, telling me "you be mumu" and my "mama no dey real" and "so Na you won dey hack me abi, yon don mental ooo", and "Where you beleive say you no work reach some ppl pass you for the level you no no."
So, two lessons learned:
1) Don't change the password right away. It sends an email, and they all get it.
2) Be mean, and use really simple English. I challenged Okikiola's integrity, which made him eager to prove himself, and by using really simple (and inflammatory) English, I think it made him feel confident enough to go off script. This is how I finally got that alternate email address.
3) WARN EVERYBODY. I should have immediately gone into each chat window and pasted, "THIS IS A SCAM, don't give up any more information," but I was too busy screwing with their account to do what, in retrospect, would have been the right thing.
Next time, my first priority after warning the victims is to download this group's Google account data. They had about 15MB in there, only email, so it was a pretty new account. I'm going to try to change the recovery method before the password, and if I'm in long enough, do two-step authentication with my own (burner) device.
I'm trying again under a different name tonight, so if anyone has any hints, reply here.