‘Dog with a bone’: The small businessman who took on a sophisticated rental-hopping fraud ring

Sunday, 21 June 2026

Tim Carr, chief executive of MindKits, has been pursuing a group of scammers.

A company owner turned to artificial intelligence to track down a scanning couple after losing thousands in stock and forced bank chargebacks.

The fraudsters allegedly bypassed verification platforms with fake identities to rent short-term houses as secure bases for their operation.

Despite a private investigation tracking the suspects to a driveway, police have made no arrests while enquiries continue.

The scammers were clever: using a raft of stolen cards and burner phones, they rented Airbnbs and bought and sold high-end goods - until one of their victims turned detective. Steve Kilgallon reports.

It was a clever scam, executed well: use stolen credit cards to book short stays at rental houses, use them again to buy high-end products, sell that stuff online, then move on to another property and repeat the process.

It’s worked at least six times, as a scamming couple moved their way around Auckland’s eastern suburbs and North Shore over the last two months, buying up 3D printer parts, high-end torches, solar panels, meal-kits and lots of takeaways.

But if they are finally halted (police are now investigating), then it will be down to the sleuthing - and the AI skills - of business owner Tim Carr, who has been hit for about $25,000 in lost payments and products by the pair.

A dog with a bone

It was in early April that Carr got a phone call from a stranger called Jane Marris. “I don’t even know what a MindKit is,” she said. “I haven’t bought anything off you”.

Marris had seen Mindkits listed on her credit card statement - along with a lot of other unfamiliar payments - and was calling to find out more.

Carr, whose family-owned Dairy Flat company sells 3D printers and printer filament, knew immediately that she had been scammed, and directed her to call her bank.

Then Mindkits was stung by another purchase from another stolen credit card - and this time Carr had even helped the scammer load the goods into their car when they came to collect. “They were very convincing,” he recalls.

“We’ve always been pretty careful about [fraud attempts] but these guys were slick. And we got hit again, and again, and again. We got hit pretty hard.

“And then the chargebacks started coming.”

Carr wasn’t just losing stock - he was losing money, as banks refunded defrauded customers and took the funds from him, making it a double blow.

Marris, for example, got the $10,400 the scammers ran up on her card with various merchants back from her bank, ANZ. “I worked out through Tim they had all my personal details, my name, my address, my phone number and card details,” she says. “To this day, I have no idea how they did it all. I hated the fact they knew those details.”

As he contacted more victims, Carr struggled to find any links between them to explain the frauds, and he worried more transactions would slip past him.

“I am a bit of a dog with a bone, and I love data,” he says. “And one night, I was sitting in my spa feeling pretty miserable and adding up the dollars.”

He decided then to use an AI system to total up his losses. And he realised he could also build one to track the villains.

His new AI robot uses 15 different data points to tie together questionable orders - and it allowed Carr to track the crime spree across the city.

The bot compared clues such as patterns in the cellphone numbers (he suspects the scammers used a series of similar numbers bought in a batch as ‘burner’ phones), IP addresses, Google Ad clicks and session IDs (a unique number assigned by a server to identify specific web users’s visits to a website) to draw patterns.

Then came the human element, thanks to New Zealand’s village effect.

A mate put Carr onto his dad - retired cop turned private detective Bryan Wotton, who agreed to help investigate pro bono.

Some of the boxes left behind at an Airbnb rental by a group of alleged credit card fraudsters.

And spotting a friend’s name being used on a fake order twice gave away clues - once for Carr, and once for another business owner who was hit by the scammers.

But the big breakthrough came when Carr researched the physical delivery addresses for the scam orders - and realised they were all short-term rentals, mainly through Airbnb.

He was able to watch as one order was delivered to a Castor Bay address - and saw it collected by the same young woman who (using a different name) had happily let him help load up her order from his business address.

Carr then tracked the same woman and the young man she was working with to a house in Meadowbank (the owner didn’t want to talk to Stuff, saying he wanted to put the experience behind him, but he did tell Carr he’d found empty 3D printer boxes after they left and had retrieved a parcel for them).

From there, the couple shifted to nearby Orakei. Here, they made an order to specialist online torch retailer TorchMonster in Suzanne Bourke’s name.

TorchMonster owner Sanna Cooke was vigilant: her friend Tess Jones had already called to say her credit card had been hit, and Cooke was thus able to stop an order going out in Jones’ name. Cooke’s husband Tim had halted a second attempt when he tracked down the real person behind another fake order.

So when ‘Suzanne’ ordered $800 worth of torches and powerbanks, Cooke called her to check. “She played along. She was a total charlatan but we bonded over being soccer mums … I felt so stupid after.”

Cooke later got a message from fake Suzanne saying she wanted to exchange one of the powerbanks. Cooke texted three times offering to drop a new one off but got no reply - and two days later got a call from Wootton explaining she had been scammed.

The real Suzanne is retired, and rarely uses her credit card after suffering online fraud a few years ago. She spotted four payments - including to TorchMonster and MindKits - totalling $5,500 on her ASB Visa card.

“I realised they weren’t right,” she said. ASB picked up on them immediately and refunded her the money.

Carr, meanwhile, had recognised Bourke’s name immediately when he saw her ‘order’ - she’d been the instructor on a sailing course he’d taken. “Tim knew me, and he knew I wouldn’t be spending $2,500 on computer kits,” she said.

The Orakei address where the stolen torches were delivered is an Airbnb property managed by Ruby (not her real name).

Ruby says the fraudsters must have passed Airbnb’s verification process by using a fake identity - in this case, that of a Christchurch academic.

She later checked the photo on the customer’s account and it did not match the academic’s picture.

Ruby says she got that profile blocked on the platform, and had tried to warn other rental property owners. “I think they will keep making fake profiles and fake IDs - they are sneaky buggers,” she said.

While the original stay was still paid out, with Airbnb taking the hit, the couple made a direct booking to extend - which has cost Ruby’s client $1300 in a reversed payment.

Tim Carr, chief executive of MindKits, pursuing the scammers

She saw the couple when the woman returned to collect a parcel.

Ruby said they left behind piles of Chinese takeouts, but also lots of emptied parcels in different names to the booking name, including from MindKits. And a fortnight later, HelloFresh meal kits were still arriving.

The couple moved on after nine nights.

Their next stops were two different addresses in Forrest Hill, on the North Shore.

TorchMonster was stung here again for another $400 order. Cooke’s family-run business is now out $1400 in sales and the same in stock, but she feels most sorry for Carr. “Poor old Tim, how is he supposed to know? That poor man.”

By this time, Carr knew where the couple would be moving, and had an eye on their next booking - a home in Browns Bay.

But then a neighbour at the second Forrest Hill house called - they’d seen the couple collecting parcels at the property.

Carr and Wootton raced over there. Stuff followed.

When we arrived, the pair were standing by a car being driven by a very confused Tazim Sinjal, who had just unwittingly bought a solar panel from the woman on Facebook Marketplace (Sinjal says he buys a lot of stuff online, and there “were no obvious red flags” with this deal; the page in question has sold a lot of high-end goods recently).

“As soon as she saw you guys she said ‘Oh these guys don’t look happy’ and disappeared,” he said later.

The woman went inside the rental, closed the curtains and windows and wouldn’t answer the door when Carr, Wootton and Stuff knocked.

“What happened after?” asked Sinjal. “Did the police not show?”

Carr had indeed called the police, but they did not come.

After an hour, Stuff left. Half an hour later, two large men arrived and told Carr and Wootton they should leave too.

The couple must have moved on from that address, as the following day they were at the Browns Bay house. They were seen leaving in a car full of packages. Police stopped their car and talked to them, but let them drive on.

At that stage, Carr's trail had run dry, but he hoped he’d done enough for the police to take over.

Police told Stuff their “ enquiries are still in the early stages and as such are unable to comment on specifics”.

One interesting aspect of the case is a link between the scamming couple and two people employed by the issuer of the stolen cards, Visa.

The car the scammers have been driving is registered to a Stanmore Bay address - the address listed on Companies Office for a company owned by a Visa employee. Another Visa staffer’s car has also been sighted at that address.

Visa wouldn’t discuss that aspect of the case, although it is understood their internal inquiries have satisfied them that there is no internal data leak.

A banking industry expert told Stuff it was extremely unlikely the stolen card numbers could have been obtained that way- not just because of a series of internal controls, but because Visa simply wouldn’t hold enough data for the scammers to get workable credit card numbers - that’s because it is the banks who assign part of the credit card number and the CVV code on the back of the card.

‘It’s really not that hard - that’s the scary thing’

So where is the supply of stolen cards coming from?

Most likely, a data fraud expert explains, from either a data breach at a big company (think the Qantas hack last year) or from a ‘phishing’ exercise. “That’s where we see most of the damage happen in New Zealand and Australia: phishing is the root of all evil.”

The fraud specialist says the best way to look at it is like a sales funnel: the villains set up fake sites to acquire leads, then people are tricked into interacting with them and in providing their details, they generate a list of ‘sales targets’. Once harvested, those details are sold or passed on to those on the ground running the scam.

It’s getting much easier to commit online credit card fraud, an expert warns.

Those involved can range from organised multi-national syndicates - some from the UK, Eastern Europe, China or Cambodia - to local gangs to low-level criminals. Often the early stages are done offshore, with locals recruited to ‘cash out’.

We can thank AI for that.

Carr hopes he’s done enough for action to be taken.

“The barrier to entry has dropped significantly…. it’s become far easier with the rise of technology,” the expert says. ‘That’s why a lot of this stuff is happening. It’s really not that hard - that’s the scary thing.”

For $500 a month, he says, you can buy from the dark web a full-service phishing platform that will rip content from a genuine site to give you a realistic-looking phishing site and a database of victims to target. And to actually run the scam itself? “You can buy playbooks off the dark web: you can get an awesome PDF generated by AI for $200, if that.

“It’s super accessible for people that have low skills, are young, don’t know any better - or are oftentimes part of a scam themselves.”

When this case was described to the expert, he said it fitted a lot of patterns, such as the criminals ‘monetising’ the scam by buying high-value goods which retained resale value, and their ability to talk their way into gaining trust: “the best customer service you’ll get is from a criminal.”

He says it’s a concern, because “for every dollar a bad actor steals, they end up making $5 from it. So if it’s $500 a month to buy this infrastructure that allows them to steal millions, it’s a no-brainer.”

His advice? The moment you suspect you’re being scammed, tell your bank. He says fraud and scams are hugely under-reported. And for businesses, he suggests talking to their payment services provider to see if they had any additional security measures they could add (the problem there is that 3D Secure, offered by Visa, loads up extra transaction costs on to merchants).

He was impressed by Carr’s sleuthing. “He’s done a great job - a lot of due diligence. He’s on the right track.”

‘It’s not in my nature to quit’

Carr, now, is waiting for others to take action.

In a statement, Visa said it was “vigilant in safeguarding our network against fraudulent activity. We understand the police are looking into the matter as well and, to protect the integrity of these investigations, we are unable to comment further.” It said it had multiple safeguards in place against fraud for both customers and businesses.

Bookabach said it took “ fraudulent activity on our platforms very seriously and are thoroughly investigating this matter” and used a “variety of “ sophisticated risk strategies and tools to monitor for suspicious behaviour… and continually invest in our capabilities”.

Airbnb also said it was investigating but had “ not received any requests from New Zealand Police at this time but stand ready to assist with any investigation”.

Both said they would remove those who breached terms from their platforms.

Carr said investigating the scams himself seemed his only answer. “It’s not in my nature to quit,” he says. “I was feeling pretty devastated. We are not some big corporate. We are trying to get buy in a really tough time. That $25,000 really hurts.”