An AI-powered honeypot system that detects scam messages, autonomously engages scammers, and extracts intelligence without revealing detection.
- Intelligent Scam Detection: Multi-layered detection using keyword analysis, urgency patterns, and information request identification
- Autonomous AI Agent: Engages scammers with human-like responses while gathering intelligence
- Intelligence Extraction: Automatically extracts bank accounts, UPI IDs, phone numbers, phishing links, and suspicious keywords
- Multi-turn Conversations: Handles complex, adaptive scammer tactics across multiple conversation turns
- REST API: Clean, documented API endpoints for easy integration
- GUVI Integration: Automatic callback to evaluation endpoint with extracted intelligence
```
┌─────────────────┐
│  Incoming Msg   │
└────────┬────────┘
         │
         ▼
┌─────────────────┐
│ Scam Detection  │ ◄── Keyword Analysis
│     Engine      │ ◄── Pattern Matching
└────────┬────────┘ ◄── Confidence Scoring
         │
         ▼
      Is Scam?
         │
    ┌────┴────┐
    │   YES   │
    └────┬────┘
         │
         ▼
┌─────────────────┐
│    AI Agent     │ ◄── Claude API (optional)
│   Engagement    │ ◄── Rule-based fallback
└────────┬────────┘
         │
         ▼
┌─────────────────┐
│  Intelligence   │ ◄── Extract Bank Info
│   Extraction    │ ◄── Extract UPI IDs
└────────┬────────┘ ◄── Extract URLs
         │          ◄── Extract Phone Numbers
         ▼
┌─────────────────┐
│  Send to GUVI   │
│   Evaluation    │
└─────────────────┘
```
- Python 3.8+
- FastAPI
- httpx
- Anthropic API key (optional, for enhanced responses)
```bash
# Clone or create the project directory
cd scam-honeypot
# Install dependencies
pip install -r requirements.txt
```

Edit config.py or set environment variables:
```bash
# Required
export HONEYPOT_API_KEY="your-secret-api-key"
# Optional (for enhanced AI responses)
export ANTHROPIC_API_KEY="your-anthropic-api-key"
# Optional settings
export API_PORT="8000"
export ENVIRONMENT="development"
```

```bash
# Start the API server
python main.py
# Or using uvicorn directly
uvicorn main:app --host 0.0.0.0 --port 8000 --reload
```

The API will be available at http://localhost:8000
```bash
# Run automated tests
python test_client.py
# Or interactive mode
python test_client.py interactive
```

All requests require an API key in the header:
```
x-api-key: your-secret-api-key
Content-Type: application/json
```
Main endpoint for processing incoming messages.
Request Body:
```json
{
  "sessionId": "unique-session-id",
  "message": {
    "sender": "scammer",
    "text": "Your bank account will be blocked today. Verify immediately.",
    "timestamp": "2026-01-21T10:15:30Z"
  },
  "conversationHistory": [],
  "metadata": {
    "channel": "SMS",
    "language": "English",
    "locale": "IN"
  }
}
```

Response:
```json
{
  "status": "success",
  "reply": "Oh no! Why would my account be blocked? I haven't done anything wrong."
}
```

Health check endpoint.
Response:
```json
{
  "status": "healthy",
  "active_sessions": 3
}
```

The system uses multiple detection mechanisms:
- Keyword Analysis: Identifies scam-related terms (urgent, verify, blocked, OTP, etc.)
- Pattern Matching: Detects urgency patterns and sensitive information requests
- URL Detection: Identifies potential phishing links
- Confidence Scoring: Assigns a confidence score based on detected indicators
Detection Threshold: Messages with confidence ≥ 0.3 are flagged as scams.
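A sketch of how these indicators can combine into a confidence score, added here as an illustration and not taken from the project's main.py. The keyword list, regexes, weights and the `score_message` name are assumptions; only the 0.3 threshold comes from the text above.

```python
import re

# Indicator lists and weights are assumptions for this sketch, not the project's values.
SCAM_KEYWORDS = ["urgent", "verify", "blocked", "otp", "kyc", "lottery", "prize"]
URGENCY_PATTERNS = [
    r"\b(today|immediately|right now)\b",
    r"\bwithin \d+ (minutes?|hours?)\b",
    r"\bwill be (blocked|suspended|closed)\b",
]
# A verb asking for data, followed closely by a credential word.
INFO_REQUEST_PATTERNS = [
    r"\b(share|send|provide|confirm|enter)\b.{0,40}\b(otp|pin|cvv|password|account number)\b",
]
URL_PATTERN = r"https?://\S+|\bwww\.\S+"
WEIGHTS = {"urgency": 0.2, "info_request": 0.4, "url": 0.2}
KEYWORD_WEIGHT, KEYWORD_CAP = 0.1, 0.3
THRESHOLD = 0.3  # the detection threshold stated above


def score_message(text):
    """Return the confidence, the verdict and the indicators that fired."""
    lowered = text.lower()
    hits = {
        "keyword": [k for k in SCAM_KEYWORDS if re.search(rf"\b{re.escape(k)}\b", lowered)],
        "urgency": [p for p in URGENCY_PATTERNS if re.search(p, lowered)],
        "info_request": [p for p in INFO_REQUEST_PATTERNS if re.search(p, lowered)],
        "url": re.findall(URL_PATTERN, lowered),
    }
    # Keywords add up but are capped, so keyword count alone cannot exceed the cap.
    score = min(KEYWORD_CAP, KEYWORD_WEIGHT * len(hits["keyword"]))
    # Each pattern class counts once, however many of its patterns matched.
    score += sum(w for name, w in WEIGHTS.items() if hits[name])
    score = round(min(score, 1.0), 2)
    return {"confidence": score, "is_scam": score >= THRESHOLD,
            "indicators": {k: v for k, v in hits.items() if v}}


# Constructed samples: the request text from this page, and a genuine OTP notice.
SCAM = "Your bank account will be blocked today. Verify immediately."
BANK_OTP = "Your OTP is 482913. Do not share it with anyone."
```

The genuine OTP notice scores below the threshold because a single keyword is not enough on its own; returning the fired indicators alongside the score makes false positives easier to review.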
Once a scam is detected, the AI agent activates with specific objectives:
- Appear believable: Uses natural, slightly naive language
- Extract intelligence: Asks probing questions to reveal scammer details
- Maintain engagement: Shows interest but raises realistic concerns
- Adapt responses: Changes strategy based on conversation stage
Agent Strategies by Stage:
| Stage | Turns | Strategy |
|---|---|---|
| Early | 1-2 | Show confusion, ask basic questions |
| Middle | 3-5 | Request verification, probe for details |
| Late | 6+ | Express skepticism, suggest in-person visit |
The system continuously extracts:
- Bank Accounts: Account numbers and IFSC codes
- UPI IDs: Payment identifiers (user@bank format)
- Phishing Links: Suspicious URLs
- Phone Numbers: Contact information
- Keywords: Scam-related terminology
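An added example of the extraction step, not the project's own code: the regexes are assumptions tuned to Indian formats, `ifscCodes` is a hypothetical extra key, and the other keys follow the callback payload on this page. It handles two edge cases: a UPI handle versus an e-mail address, and digit runs inside URLs that would otherwise be misread as phone or account numbers.

```python
import re

# Patterns are assumptions made for this example, tuned to Indian formats.
URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.I)
# UPI handle: name@psp with no dotted domain, which separates it from an e-mail.
UPI_RE = re.compile(r"(?<![\w.-])[a-z0-9._-]{2,}@[a-z]{2,}(?![\w-])(?!\.\w)", re.I)
# Indian mobile: optional +91/91 prefix, then 10 digits starting with 6-9.
PHONE_RE = re.compile(r"(?<!\d)(?:\+?91[\s-]?)?([6-9]\d{9})(?!\d)")
IFSC_RE = re.compile(r"\b[A-Z]{4}0[A-Z0-9]{6}\b")
# Heuristic: any remaining 9-18 digit run is treated as an account number.
ACCOUNT_RE = re.compile(r"(?<!\d)\d{9,18}(?!\d)")


def _unique(items):
    """De-duplicate while keeping first-seen order."""
    return list(dict.fromkeys(items))


def extract_intelligence(text):
    urls = [u.rstrip(".,;:!?)") for u in URL_RE.findall(text)]
    # Remove URLs first so digits in query strings are not read as numbers.
    rest = URL_RE.sub(" ", text)
    phones = ["+91" + m.group(1) for m in PHONE_RE.finditer(rest)]
    # Remove phone numbers before looking for account numbers.
    rest_no_phone = PHONE_RE.sub(" ", rest)
    return {
        "bankAccounts": _unique(ACCOUNT_RE.findall(rest_no_phone)),
        "ifscCodes": _unique(IFSC_RE.findall(rest)),  # hypothetical key
        "upiIds": _unique(m.lower() for m in UPI_RE.findall(rest)),
        "phishingLinks": _unique(urls),
        "phoneNumbers": _unique(phones),
    }


# Constructed scammer message; every identifier in it is made up.
SAMPLE = (
    "Send Rs 500 to refund.desk@okaxis or A/C 123456789012 IFSC HDFC0001234. "
    "Call +91-9876543210 or mail help@bank-support.example. "
    "Form: http://kyc-update.example/verify?id=9988776655"
)
```

A bare 10-digit number starting with 6-9 is classified as a phone number here, so an account number of that shape would be filed under `phoneNumbers`; context words such as "A/C" could be used to break that tie.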
After sufficient engagement (8+ turns or enough intelligence), the system automatically sends results to the GUVI evaluation endpoint:
```json
{
  "sessionId": "session-id",
  "scamDetected": true,
  "totalMessagesExchanged": 12,
  "extractedIntelligence": {
    "bankAccounts": ["1234567890"],
    "upiIds": ["scammer@paytm"],
    "phishingLinks": ["http://fake-site.com"],
    "phoneNumbers": ["+919876543210"],
    "suspiciousKeywords": ["urgent", "verify", "blocked"]
  },
  "agentNotes": "Scam detected with 0.85 confidence..."
}
```

Edit main.py in the ScamDetector class:
```python
SCAM_KEYWORDS = [
    # Add your keywords here
    "new_scam_keyword",
    "another_pattern"
]
```

For rule-based responses, edit the _rule_based_response method in the ScamAgent class.
For AI-powered responses, configure the system prompt in claude_agent.py.
Edit config.py:
```python
SCAM_DETECTION_THRESHOLD = 0.3  # Lower = more sensitive
MIN_TURNS_BEFORE_END = 5        # Minimum engagement
MAX_TURNS_BEFORE_END = 12       # Maximum engagement
```

Do:
- Use for legitimate scam detection and research
- Protect extracted data appropriately
- Follow responsible disclosure practices
Don't:
- Impersonate real individuals
- Use for harassment
- Share extracted data publicly without sanitization
- Session data is stored in memory (use Redis/DB for production)
- Sensitive information should be encrypted
- Implement data retention policies
- Ensure GDPR/privacy compliance
The system is evaluated on:
- Scam Detection Accuracy (30%)
  - True positive rate
  - False positive rate
  - Detection speed
- Agent Engagement Quality (30%)
  - Human-likeness of responses
  - Conversation continuity
  - Adaptive behavior
- Intelligence Extraction (25%)
  - Quantity of extracted data
  - Quality and accuracy
  - Data categorization
- API Performance (15%)
  - Response time
  - Stability
  - Error handling
```dockerfile
FROM python:3.11-slim
WORKDIR /app
COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt
COPY . .
EXPOSE 8000
CMD ["uvicorn", "main:app", "--host", "0.0.0.0", "--port", "8000"]
```

Build and run:
```bash
docker build -t scam-honeypot .
docker run -p 8000:8000 -e HONEYPOT_API_KEY=your-key scam-honeypot
```

AWS EC2 / Azure VM:
```bash
# Install dependencies
sudo apt update
sudo apt install python3-pip nginx
# Setup application
pip3 install -r requirements.txt
# Run with systemd or supervisor
```

Heroku / Railway:
```
# Add Procfile
web: uvicorn main:app --host 0.0.0.0 --port $PORT
```

Add logging and monitoring:
```python
import logging

logging.basicConfig(
    level=logging.INFO,
    format='%(asctime)s - %(name)s - %(levelname)s - %(message)s',
    handlers=[
        logging.FileHandler('scam_honeypot.log'),
        logging.StreamHandler()
    ]
)
```

```bash
# Run with pytest
pytest tests/
```

```bash
# Using locust
locust -f locustfile.py --host=http://localhost:8000
```

The test_client.py includes:
- Bank Fraud Scenario: Account blocking threat
- UPI Fraud Scenario: Prize/lottery scam
- Phishing Scenario: KYC update phishing
- Use Redis for session storage instead of in-memory dict
- Implement connection pooling for GUVI callbacks
- Add caching for repeated pattern matching
- Use async operations throughout
- Enable rate limiting per session
For high traffic:
- Deploy multiple instances behind a load balancer
- Use distributed session storage (Redis Cluster)
- Implement message queues (RabbitMQ/Kafka) for async processing
- Add database for persistent storage
Issue: API returns 401 Unauthorized
- Solution: Check x-api-key header matches configuration
Issue: Slow response times
- Solution: Reduce conversation history size, optimize pattern matching
Issue: Agent responses don't seem natural
- Solution: Add Anthropic API key for Claude-powered responses
Issue: Final callback fails
- Solution: Check GUVI endpoint URL and network connectivity
Contributions welcome! Areas for improvement:
- Additional scam detection patterns
- More sophisticated agent personalities
- Multi-language support
- Enhanced intelligence extraction
- Machine learning-based detection
This project is for educational and hackathon purposes.
Created for GUVI Hackathon - Agentic Honey-Pot Challenge
Note: Remember to never use this system to harass or impersonate individuals. Always follow ethical guidelines and local laws regarding automated communication systems.