TL;DR:

Back in the 90s, before firewalls and fraud detection, I traced the person who used my credit card online — using nothing but a dial-up modem, Netscape, traceroute, and sheer determination. This is the true story of my first cyber sleuthing experience… and the birth of e-crime as we now know it.

Prefer to listen? we have a podcast here:

Part 1: Setting the Scene

Back in the mid-90s, the internet was starting to become more accessible to people at home. Dial-up modems screamed into phone lines, Windows PCs were stabilising as the norm, and the price point of technology was just about entering the realm of possibility for average households.

People were curious. You’d hear things like, “What’s this interweb m’larkey?” or “Let’s check out t’internet,” as if it were a pub down the road. Financial institutions were still wondering if Netscape was a gimmick, and online banking was a brave, untested concept. Retailers were dipping toes into ecommerce, not really knowing if this digital storefront thing would stick.

The internet itself was a chaotic playground — a Wild West littered with pop-ups, porn, and promise. Searching Yahoo for The Simpsons might get you links to avant-garde adult “films”. Amid this chaos, someone figured out how to take payments, and the banks were scrambling to keep up.

There was one advert I remembered vividly — a company promising, “If your card is used fraudulently online, we’ve got your back.” Seemed like a safe bet.

Back then, there wasn’t much worth buying. Amazon wasn’t a thing. For me, the internet was a niche, a nerd’s treasure trove. I remember once finding the entire unabridged script of Monty Python’s Life of Brian. That was the kind of treasure you could stumble upon.

Part 2: The Trace

Then one morning, I opened my credit card statement and saw it — unrecognised transactions from a merchant I’d never heard of. Fortunately, back then, statements had rich metadata: web addresses, phone numbers, even some merchant descriptors.

Curious (and annoyed), I looked up the merchant. It led to a site selling adult content — something called Amateur Pie, if memory serves. A charming name for someone else’s idea of a good time.

Shocked, I rang my credit card company — the very one that claimed to have my back. Their response?

“Wife caught you, sir? Embarrassed, are we?”

Not exactly the support I’d been promised.

I was told I’d receive a dispute form in the post to fill out. That didn’t sit well with me. I wasn’t just going to wait. I was going to find out who did this.

So I traced it. The merchant was a payment gateway — a broker — and they were surprisingly helpful. With a bit of polite social engineering, I began working through the transaction chain. Merchant to processor, processor to platform, IP to IP.

Eventually, I got an email address: an AOL account. I even tried using the old finger command on the email address — and yes, I still snigger at that name. It was a long shot, but back then, almost everything felt like a long shot. You never knew what you might dig up — a real name, a login time, maybe even a location. But AOL had already closed those doors. Still, it was worth a punt.

Back then, AOL was everywhere. Discs came in cereal boxes, magazines, junk mail. We used them as coffee mats. The landfill must’ve been 40% AOL CDs.

I had reached the end of the chain — or so I thought.

Armed with my evidence, I called AOL customer support. I explained everything: the fraud, the transactions, the trace. I tried to gently extract the user’s details, but the rep wouldn’t budge. Policies, privacy, and probably a sense of caution.

Still, I was proud. I’d used nothing but Netscape, a 14.4k US Robotics modem, DOS tools like ping and tracert, and sheer determination. I had no name. No address. But I had a digital fingerprint.

Part 3: The Fallout

I sent off the dispute form, packed with my full investigation: timeline, merchants, paths traced, emails captured. Surely, I thought, this would be enough to catch the person.

It wasn’t.

They told me the fraud value was less than £200, and the cost of chasing the perpetrator would be higher than simply writing it off. I understood the economics — but it frustrated me deeply. That logic meant these people could operate with impunity, scamming until they were either caught or bored.

I wasn’t okay with that.

Part 4: Bob Has Hotmail

Determined to see justice done, I contacted my local police station.

What happened next stunned me. I explained my trace, the AOL address, the fraud — and the officer on the phone said:

“We don’t really know what the internet is… You might want to talk to Bob. He’s got something called Hotmail.”

I did. Bob — not his real name — was kind, patient, and honest. He explained he got all the tech calls because he’d signed up for Hotmail once, and no one else in the department knew what to do with this “internet stuff.”

We chatted. I asked how someone could’ve gotten my card — it was always in my wallet. That’s when Bob explained dumpster diving.

Back then, receipts showed everything — full card numbers, expiry dates. Often printed in triplicate. Many shops simply tossed till rolls in the bin.

Fraudsters didn’t need hacking tools. They needed rubber gloves and a torch.

Part 5: Reflection

I don’t know if the fraudster was ever caught. I did everything I could — legally, ethically, doggedly — to follow the breadcrumbs. And in doing so, I learned a lesson that’s only become clearer with time:

The face of crime was changing.

Gone were the balaclava-wearing bank robbers with sawn-offs. They were being replaced by quiet figures in dimly lit rooms, armed with modems and mischief.

This was the beginning of e-crime. And it was only going to get worse. Industrialised, even.

Looking back, that moment — that chase — was when it all clicked. When I realised that everything leaves a trace… if you’re willing to follow it far enough.

This story is based on true events from the mid-1990s, shared in reflection as both a cautionary tale and a nostalgic look at the early days of cyber sleuthing.