ScamBuster Turns Phishing Emails Into Intelligence by Pretending to Be the Victim

A French engineer built an AI system that replies to scam emails, plays along long enough to extract bank details and phone numbers, then hands the data to investigators.

ThreatVectr Newsdesk· 3 min read
Close-up overhead shot of a plain laptop keyboard in a dimly lit office, the screen glowing pale blue, an inbox interface faintly reflected on the desk surface,
Share

Key points

  • Laurent Giovannoni, a principal software engineer at Filigran, built ScamBuster as part of his engineering thesis at École Polytechnique in France.
  • The system has been running in production since November 2025 and will be shown publicly at Black Hat USA 2026 in Las Vegas in August.
  • ScamBuster never sends the first email; it only replies to scam messages that arrive in an inbox.
  • The best-performing AI persona extracts 5.5 times more useful data from a scammer than the worst-performing one.
  • The full source code will be released free under the MIT open-source licence on 5 August 2026.

Most companies that receive phishing emails, which are fake messages designed to trick people into handing over money or passwords, simply delete them. The scammer loses one target but quickly finds another. Nothing is learned and no one is held to account.

Giovannoni wanted to change that equation. His answer is ScamBuster, a piece of software that does not delete the scam email. It writes back.

How does ScamBuster actually fool a scammer?

The system creates a fake persona, such as a confused elderly widow, a busy executive, or a tourist who seems easy to deceive. The scammer believes they have found a real victim. They have not. They are talking to an AI, which is an automated system that holds a conversation using a large language model, meaning a type of artificial intelligence trained to read and write natural human text.

The AI keeps the conversation going just long enough for the scammer to reveal what they actually need: a bank account number, a phone number, a payment website. The moment the scammer asks for money, ScamBuster captures those details.

It then organises everything into structured formats, called STIX 2.1 and MISP, which are standard file types that security teams and law enforcement agencies already use to share and read threat intelligence.

"What looks like dozens of separate scam emails can trace back to the same few numbers and the same payment domain," Giovannoni told Dark Reading. That cluster of details becomes a starting point for a real investigation.

The system learns over time. It tracks which personas work best against which types of scam and adjusts on its own. The gap between a well-chosen persona and a poor one is not small: a good match produces roughly 5.5 times more useful information.

Giovannoni designed ScamBuster to be cheap to run. It currently uses GPT-4o-mini, a low-cost commercial AI model, keeping costs close to zero. Organisations can swap in a different AI model, including free open-source ones, by entering a single configuration token at setup.

One rule is built into the architecture and cannot be switched off: the system never sends the first message. It only ever responds to emails that arrive in the inbox.

The code will be released free of charge on 5 August 2026. Giovannoni says he is already working on versions that would handle voice-call scams (known as vishing) and text-message scams (known as smishing).

What ordinary people and businesses should know. ScamBuster is aimed at organisations with IT teams, not individual users yet. In the meantime, if you receive an unsolicited email asking for payment or personal details, do not reply and do not click any links. Report it to your national fraud authority and delete it.

© 2026 Threat Vectr