Fraud operations have expanded beyond traditional hacking techniques to include methods that exploit legitimate services and real-world infrastructure. By combining publicly available data, weak identity verification processes, and operational gaps, threat actors are building scalable fraud workflows that are both low-cost and difficult to detect.
A tutorial shared in a fraud-focused chat group and analyzed by Flare analysts provides step-by-step guidance on how to identify and exploit vacant residential properties to intercept sensitive mail, revealing a low-tech but highly effective method for enabling identity theft and financial fraud.
Unlike traditional cybercrime techniques that rely on malware, phishing kits, or network intrusions, the method outlined in this article focuses almost entirely on abusing legitimate services and physical-world logistics.
The approach blends open-source intelligence, postal service features, and fake identity fraud into a coordinated workflow designed to gain persistent access to victims’ mail.
A “drop address” tutorial circulated on Telegram
Turning vacant properties into fraud infrastructure
The tutorial begins with identifying so-called “drop addresses”: real residential properties that are temporarily unoccupied and can be used to receive mail without immediately alerting the rightful occupants.
Threat actors are instructed to search real estate platforms such as Zillow, Rightmove, or Zoopla, filtering for recently listed rental properties. By focusing on newly available listings, attackers increase the likelihood that the property is vacant or between tenants.
The guidance further suggests reviewing older listings to identify homes that have remained unoccupied for extended periods, increasing their reliability as drop locations.
In some cases, threat actors even recommend physically maintaining abandoned properties to make them appear occupied, reducing the risk of drawing attention while using the address for fraudulent purposes.