Listen to this Post
Introduction: A New Era Where Cybercriminals Become the Targets
For decades, phishing emails have followed the same pattern. Attackers send millions of fraudulent messages, hoping that a handful of victims will fall for fake invoices, romance scams, business email compromises, or urgent payment requests. Security teams have traditionally responded by blocking, filtering, or deleting these messages before users interact with them.
But what if simply deleting phishing emails is no longer enough?
A new open source project called ScamBuster proposes a radically different strategy. Instead of ignoring scammers, it engages them. Powered by artificial intelligence, ScamBuster pretends to be a real victim, encouraging criminals to continue their conversations while secretly collecting valuable intelligence about their infrastructure, payment methods, communication channels, and operational behavior.
Created by Laurent Giovannoni during his engineering research at École Polytechnique, ScamBuster represents a shift from passive defense toward active cyber intelligence. Scheduled for a full public release at Black Hat USA 2026 under the MIT open source license, the platform demonstrates how AI can become an investigative asset instead of merely a defensive filter.
Why Deleting Scam Emails Is No Longer Enough
Every day, organizations receive thousands of phishing emails.
Most are automatically quarantined or deleted before reaching employees. While this protects users, it also destroys an opportunity to understand the criminals behind the attacks.
ScamBuster challenges this traditional mindset.
Instead of removing phishing emails immediately, the system automatically responds using carefully designed AI-generated personas. To the attacker, everything appears genuine. The scammer believes they have found another victim who is willing to continue the conversation.
Behind the scenes, however, every reply becomes another opportunity to collect evidence.
The Vision Behind ScamBuster
The idea originated after Laurent Giovannoni witnessed people close to him becoming victims of online scams.
Rather than accepting phishing as an unavoidable problem, he asked a simple question.
What if organizations could waste the
That idea evolved into ScamBuster.
Since November 2025, the platform has reportedly been operating in production environments while continuing to evolve ahead of its public unveiling at Black Hat USA 2026.
Its mission is straightforward.
Transform phishing attacks into intelligence gathering operations.
How ScamBuster Tricks the Criminals
Unlike spam campaigns that actively contact users, ScamBuster follows one important rule.
It never starts conversations.
The system only replies after receiving an incoming phishing email.
This architectural limitation prevents misuse while ensuring every interaction begins with an actual criminal attempt.
Once a phishing email arrives, ScamBuster selects an AI-generated personality appropriate for the scam.
Depending on the situation, the AI may become:
An Elderly Widow
Someone unfamiliar with modern banking who appears vulnerable to financial fraud.
A Small Business Owner
An entrepreneur distracted by invoices and payment requests.
A Busy Executive
An executive juggling countless emails who may overlook suspicious details.
An Inexperienced Tourist
Someone confused about travel documents, bookings, or emergency payments.
Each personality behaves realistically, maintaining believable conversations while subtly encouraging scammers to reveal operational information.
Turning Conversations Into Cyber Intelligence
The true objective is never to deceive scammers for entertainment.
Instead, ScamBuster extracts intelligence.
During long conversations, criminals eventually provide payment instructions.
That moment becomes extremely valuable.
The AI automatically identifies and stores information such as:
International Bank Account Numbers (IBAN)
Cryptocurrency payment instructions
Banking institutions
Phone numbers
Email addresses
Payment websites
Domains
Financial services
Communication methods
Money transfer routes
Rather than leaving this information buried inside emails, ScamBuster converts everything into structured threat intelligence.
Building Criminal Profiles Instead of Reading Individual Emails
Cybercriminals rarely operate alone.
Many phishing campaigns share payment infrastructure despite appearing unrelated.
ScamBuster automatically clusters shared indicators.
For example:
Several fake invoices may use the same bank account.
Different romance scams might rely on identical payment portals.
Multiple fake charities could share identical telephone numbers.
By connecting these seemingly unrelated attacks, investigators begin seeing an organized criminal network instead of isolated phishing campaigns.
This dramatically improves cyber investigations.
Helping Security Teams and Law Enforcement
The structured intelligence produced by ScamBuster can be exported into industry-standard formats including:
STIX 2.1
A globally recognized framework for exchanging cyber threat intelligence between organizations.
MISP
One of the
Because ScamBuster speaks the same language as modern security tools, collected intelligence becomes immediately useful for analysts.
Instead of manually reading hundreds of phishing emails, investigators receive structured indicators ready for automated analysis.
Self-Learning AI That Continuously Improves
One of
Every conversation teaches the AI something new.
It measures:
Which personalities generate longer conversations
Which scams respond better to certain emotional behaviors
Which replies encourage attackers to reveal payment information
Which wording increases intelligence collection
The platform continuously updates its future strategies.
According to Giovannoni, the difference between the most effective persona and the least effective one is approximately 5.5 times.
That difference can determine whether investigators obtain dozens of valuable indicators or almost none.
Over time, ScamBuster becomes increasingly effective without requiring manual tuning.
Keeping Operational Costs Surprisingly Low
Many advanced AI systems require expensive computing infrastructure.
ScamBuster deliberately avoids that problem.
The prototype relies on GPT-4o-mini, a lightweight commercial language model capable of maintaining convincing conversations at minimal operational cost.
This allows organizations to deploy the platform without creating excessive AI expenses.
Even better, the architecture remains flexible.
AI Vendor Independence
One particularly attractive feature is vendor neutrality.
Organizations are free to choose whichever language model best fits their security policies.
Compatible options include:
OpenAI models
Anthropic models
Llama models
Other commercial LLMs
Self-hosted open source language models
Changing providers simply requires replacing the API credentials.
This flexibility prevents vendor lock-in while making future upgrades straightforward.
Future Expansion Beyond Email
Email phishing represents only one part of
Giovannoni is already planning support for additional communication channels.
Future versions aim to engage:
Smishing
SMS text message scams.
Vishing
Voice-based phishing attacks conducted over telephone calls.
Expanding beyond email would significantly increase
Why Open Source Matters
ScamBuster will be released under the MIT License.
This decision could dramatically accelerate adoption across the cybersecurity community.
Researchers will be able to:
Audit the code
Improve detection logic
Build new personas
Integrate additional threat feeds
Support new AI models
Develop plugins
Share intelligence globally
Open collaboration often strengthens defensive cybersecurity far faster than proprietary development alone.
Deep Analysis
ScamBuster is designed to integrate naturally into existing cyber defense workflows. Below are examples of commands, technologies, and threat intelligence workflows that organizations could use alongside the platform.
Extract Email Headers
grep "Received:" phishing_email.eml
Analyze Email Metadata
exiftool phishing_email.eml
Query Domain Reputation
whois suspicious-domain.com
DNS Intelligence
dig suspicious-domain.com
Passive DNS Lookup
nslookup suspicious-domain.com
Extract URLs from Emails
grep -Eo '(http|https)://[^ ]+' phishing_email.eml
Network Investigation
tcpdump -i eth0 port 25
Check IP Reputation
curl https://abuseipdb.com/check/<IP>
MISP Integration Example
python misp_import.py indicators.json
Convert Threat Intelligence into STIX
python stix_export.py
Sample YARA Rule
yara
rule Suspicious_Phishing_Email
{
strings:
$invoice = "Payment Required"
$urgent = "Immediate Action"
condition:
any of them
}
These examples demonstrate how
What Undercode Say
ScamBuster represents an important evolution in cybersecurity philosophy. Instead of treating phishing emails as disposable threats, it views every scam attempt as a potential intelligence source.
This approach mirrors military intelligence strategies where observing an adversary often provides greater long-term value than immediately blocking them.
One of the
The AI personas are another significant innovation. Human behavior is unpredictable, and scammers adapt to different personalities. Allowing AI to experiment with emotional responses creates an adaptive defense system that continuously becomes more effective.
The automatic clustering of bank accounts, payment domains, and phone numbers could substantially reduce investigation time for threat intelligence analysts. Rather than examining isolated phishing attempts, defenders gain visibility into criminal ecosystems.
Equally important is the
The decision to remain AI-model agnostic is another strategic advantage. Organizations increasingly seek flexibility rather than dependence on a single AI vendor. Supporting OpenAI, Anthropic, Llama, and open source models ensures long-term sustainability.
Cost efficiency also deserves recognition. Advanced AI security products often require significant infrastructure budgets. ScamBuster demonstrates that practical AI-powered defense does not necessarily demand expensive hardware or premium models.
Its planned expansion into voice phishing and SMS scams shows an awareness of how cybercriminal tactics continue to evolve. Email is no longer the only battlefield.
There are, however, challenges ahead. AI conversations must remain convincing over extended interactions, especially as scammers begin using AI themselves. This could lead to AI-versus-AI engagements where both attacker and defender continuously adapt.
Legal frameworks may also differ across jurisdictions. Organizations deploying systems that intentionally engage criminals should ensure compliance with applicable laws and corporate policies.
Another consideration is operational scaling. Large enterprises receive millions of phishing emails each month. Intelligent prioritization will be essential to prevent unnecessary AI resource consumption.
Overall, ScamBuster shifts cybersecurity from reactive filtering toward proactive intelligence collection. If widely adopted by enterprises, managed security providers, and government agencies, it could significantly improve global phishing investigations while increasing operational costs for cybercriminals.
Most importantly, ScamBuster changes the economics of phishing. Every fake email becomes a potential source of evidence rather than merely another message to delete. That reversal alone could reshape how defenders think about email security in the years ahead.
✅ Verified: ScamBuster is an AI-powered open source phishing engagement platform developed by Laurent Giovannoni and is scheduled for presentation at Black Hat USA 2026.
✅ Verified: The platform is designed as an inbound-only system that impersonates victims to collect indicators such as IBANs, phone numbers, payment domains, and exports intelligence using STIX 2.1 and MISP formats.
✅ Verified: ScamBuster is intended to support investigators and security teams by transforming phishing conversations into structured threat intelligence while remaining compatible with multiple large language models rather than a single AI provider.
Prediction
(+1) AI-powered deception platforms like ScamBuster will become standard components of enterprise email security, enabling organizations to automatically convert phishing campaigns into valuable threat intelligence instead of simply blocking them.
(-1) Cybercriminal groups are likely to respond by deploying their own AI systems capable of identifying automated personas, creating a new generation of AI-versus-AI phishing battles that will demand increasingly sophisticated defensive strategies.
▶️ Related Video (80% Match):
🕵️📝Let’s dive deep and fact‑check.
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
References:
Reported By: www.darkreading.com
Extra Source Hub (Possible Sources for article):
https://www.discord.com
Wikipedia
OpenAi & Undercode AI
Image Source:
Unsplash
Undercode AI DI v2
🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]
📢 Follow UndercodeNews & Stay Tuned:
𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon | 📺Youtube




