Somebody just ripped you off online. Maybe it was a fake marketplace listing, a phishing link that drained your PayPal, or a stranger on Telegram who promised you a job and vanished with your deposit. You are angry. You are also very motivated. And somewhere on your screen you see an IP address — theirs, you think. So the question bubbles up: can I actually track this person down with just an IP?
Short answer: yes and no. An IP address is a real clue, but it is nowhere near the smoking gun TV shows make it out to be. In this guide we'll walk through what an IP can and can't tell you, how to actually preserve the evidence, and — most importantly — which agency to send it to so your report doesn't rot in a help-desk queue. We'll stick to methods that work in the US, UK, EU, Canada, Australia and most of Asia.
TL;DR
- An IP tells you the rough city, the ISP and the timezone — not the person, not the apartment.
- The only people who can map an IP to a human are the ISP and law enforcement with a subpoena.
- Your realistic goal is evidence preservation + a well-written report to FBI IC3, Action Fraud, Europol or your local cyber police.
What an IP address actually reveals
When you feed an IP into a WHOIS or GeoIP lookup, here is what you genuinely get back:
- Country and region (accurate ~95% of the time).
- City-level guess (accurate ~55-70%, very noisy for mobile and CGNAT).
- Internet Service Provider or hosting company (very accurate).
- ASN — the network block the IP sits inside.
- A reverse DNS record, if the owner bothered to set one.
That's it. That's the whole menu. You do not get a name, a street address, a phone number, a passport photo or an apartment number. Anyone telling you otherwise is either selling you a sketchy product or scripting a Netflix show.
There's also a darker twist: the IP you think belongs to the scammer might belong to a coffee shop in another country, a VPN exit node in Panama, a TOR relay, or a hacked IoT camera in Vietnam. Professional fraudsters almost never expose their real residential IP. We'll deal with that in the next section.
Is this IP even theirs? The signal vs. noise problem
Before you spend an hour hunting down an IP, take five minutes to figure out whether it's even worth chasing. Ask yourself:
- Did the IP come from a header inside an email (useful) or from a page that loaded an image from a random CDN (useless)?
- Does the reverse DNS contain words like vpn, proxy, host, digitalocean, hetzner, ovh, linode, amazonaws? If yes — this is a server IP, not a human.
- Does the ASN belong to a consumer ISP (Comcast, BT, Rogers, Telstra) or a datacenter (OVH, Hetzner, DigitalOcean)?
- Is the geolocation plausible? A scammer chatting with you in perfect native English from a Pakistani mobile ASN is a big red flag that the two aren't the same person.
Run the IP through our IP Lookup tool — you'll instantly see the ASN, ISP, geolocation and whether it's a known VPN, proxy or hosting IP. If it's flagged as hosting, stop. You're chasing a disposable exit node.
Step 1 — Preserve the evidence like a pro
This is the part most people skip, and it's also the part that decides whether the police take you seriously. Evidence that walks into a cybercrime unit on a chaotic screenshot gets ignored. Evidence that arrives clean and timestamped gets a case number.
Collect the boring but critical stuff
- Full email headers (not just the body). In Gmail: "Show original". In Outlook: "View → Message source".
- Complete chat transcripts with timestamps — Telegram lets you export JSON, WhatsApp lets you email a chat, Discord has a copy-paste workaround.
- Screenshots with the browser URL bar and system clock visible.
- Any payment references — PayPal transaction ID, Zelle confirmation, bank wire reference, crypto TXID.
- Phone numbers, usernames, social handles, payment addresses. All of them, even obvious throwaways.
Hash your files
Once you have the files, compute a SHA-256 hash of each one and note it in a little text file. It sounds nerdy, but if the case goes anywhere, a defence lawyer will try to argue your screenshots were tampered. A hash you wrote down on day one shuts that argument down.
sha256sum evidence_*.png > hashes.txt
Step 2 — Run the IP through WHOIS
Once you know the IP isn't obvious garbage, run a proper WHOIS. The goal isn't to find the scammer — it's to find the abuse contact of the network they used, so that contact ends up in your police report.
Use our WHOIS Lookup or the command line:
whois 203.0.113.42
Look for these fields:
- OrgName / netname — who actually operates the network.
- abuse-mailbox or OrgAbuseEmail — the address you send reports to.
- Country — whose jurisdiction this falls under.
- Route / CIDR — the full IP block, in case the scammer hops IPs nearby.
Step 3 — Report to the ISP's abuse desk
Every legitimate ISP and hosting provider has an abuse team. They are obligated, by ICANN and RIR policy, to investigate complaints. Will they reply? Sometimes in hours, sometimes never. But every complaint creates a record, and if the same IP is reported by ten victims, that record becomes a reason to shut the account down.
Write a clean, short email. This template works:
Subject: Abuse report — phishing/fraud from IP 203.0.113.42
Hi,
On 2026-02-14 at 19:24 UTC, the IP 203.0.113.42 was used to send a phishing email impersonating PayPal. Full headers, screenshots and payment details are attached.
The email tricked the recipient into paying 420 USD to a scam account.
Please investigate and take action in accordance with your AUP.
Thank you,
<your name>
Step 4 — File an official report
This is where most people over-complicate things. There is no single global cybercrime hotline. You report to the agency that matches where you live and where the money went. Here's the cheat sheet we hand to readers:
United States
File an IC3 complaint with the FBI. It is free, it creates an official record, and many insurance companies now require an IC3 case number before they process a fraud claim.
For identity theft on top of fraud, also file with the FTC at IdentityTheft.gov. If a state-chartered bank is involved, loop in your state AG.
United Kingdom
Use Action Fraud (online or 0300 123 2040). Action Fraud feeds the National Fraud Intelligence Bureau, which decides if local police investigate.
European Union
Start at Europol's reporting portal and cross-file with your country's police. In Germany that's the Landeskriminalamt; in France, the plateforme THESEE; in Spain, the Grupo de Delitos Telemáticos of the Guardia Civil.
Canada & Australia
Canadians file with the Canadian Anti-Fraud Centre (CAFC). Australians use ReportCyber, which routes the case to the right state or federal agency.
Anywhere else
Search "cybercrime unit + your country". Almost every country now has a dedicated unit. Also file with your bank (for chargeback) and the payment platform used (PayPal resolution centre, Revolut disputes, exchange support).
What happens after you report
Expect two timelines. The fast one: your bank or payment platform reviews the evidence, sometimes reverses the transaction within 10 business days. The slow one: the cyber unit logs the case, correlates it with other reports against the same IP or account, and — if enough evidence stacks up — opens a proper investigation that can take months.
Don't chase them every week. Do keep your case number written down and file any new details as addendums. Persistence without spam is what moves cases.
What you should never do
- Don't try to "hack back". Counter-attacking a scammer's server is illegal in every country worth mentioning, and you'll end up as the defendant.
- Don't pay a "recovery agent" who DMs you after your complaint. Ninety-nine percent of them are the same scam ring circling back.
- Don't post the IP publicly as "the scammer's address". You'll likely be naming an innocent ISP customer and opening yourself up to defamation.
- Don't expect the IP alone to be enough. It isn't.
The realistic outcome
Honest expectation-setting: if the amount is under a few thousand dollars and the scammer used a VPN or hosted infrastructure abroad, the most likely end-state is that your bank reverses the charge and the attacker moves on to the next victim. Painful, but true.
The cases that actually end in arrests are the ones where victims collected clean evidence and the attacker used real residential IPs, reused phone numbers, or accepted payment to a bank account in their own name. That's why step 1 — evidence preservation — matters so much. You don't know which case you're in until the investigator tells you, and by then it's too late to re-collect the data.
FAQ
Can I find a home address from an IP?
No, not without a court order served on the ISP. GeoIP databases give you a city-level guess, and even that is often wrong for mobile networks that use CGNAT, where thousands of subscribers share one public IP.
How accurate is IP geolocation?
Country-level: around 95 percent. City-level: 55 to 70 percent. Street-level: effectively zero. If a product sells you street-level accuracy, treat it like a magic wand.
Does a VPN make me untraceable?
A no-logs VPN hides your IP from the website you visit, but your ISP still sees that you connected to the VPN. Law enforcement can subpoena both ends. VPNs raise the bar; they don't erase you.
What if the scammer used Tor?
Tor exit nodes are public knowledge. An IP in the Tor list tells you basically nothing about the user. Most investigations of Tor users succeed only when the attacker makes an operational mistake — reusing a username, leaking metadata in an image, paying with a non-anonymous card.
Should I hire a private investigator?
For amounts under roughly 20,000 USD, PIs are usually not cost-effective for pure-online fraud. If the scammer used your stolen identity offline — opened accounts, bought cars — a PI starts to make sense, ideally in parallel with law enforcement, not instead of them.
Is there any free service that just 'finds the scammer'?
No. Anyone who promises that is selling you a second scam. Real attribution needs legal process, and legal process needs a police report. Start with the free, official channels above.
Tools on ip-checker.pro that help
→ IP Lookup — geolocation, ASN and risk flags
→ WHOIS Lookup — find the abuse contact for any IP or domain
→ DNS Lookup — trace the infrastructure behind a phishing domain
→ Security Check — scan a domain against blacklists and malware feeds