Flowchart illustrating a typical pig butchering scam team structure. It is divided into “Front Office” and “Back Office” sections. The front office includes site managers, the “face” of the scam, keyboarders using VPNs, and shared chat accounts. The back office covers money laundering, crypto wallets, an IT team focusing on cybersecurity, and web & apps.

Scams involving cryptocurrencies proliferate in new ways.


A recent retiree was sucked into what would turn out to be an exorbitantly expensive “relationship” in the spring of 2023. He was eventually persuaded to “invest” in what was described as “digital currency mining” after being lured through a dating application by someone who claimed to live in his area. In the end, he would invest more than $20,000 in the scheme, spending all of his retirement savings.

The con was a brand-new variation on cryptocurrency-based investment fraud, which has grown to be one of the fastest-growing types of online fraud and has cost billions of dollars in losses to thousands of victims in the US alone.

Because cryptocurrency ignores borders and allows multinational crime rings to quickly obtain and launder funds, a wide variety of internet-based scams have concentrated on persuading victims to convert their personal savings to cryptocurrency and then stealing it from them.

Sha zhu pan (“pig butchering”), the scam scheme on which the crime committed against this victim, “Frank,” was based, appears to be the most pervasive of these organized criminal activities.

Pig butchering scams, which began in China at the start of the COVID pandemic and have since spread throughout the world, have become a multi-billion dollar fraud phenomenon. In addition to stealing cryptocurrency, these frauds have also stolen people’s life savings. In one case, a fraud involved ensnaring the bank officer, which caused the small bank to fail.

While well-established versions of these scams have persisted over the past year, a much more sophisticated version has emerged. This version uses the blockchain’s power to get around the majority of mobile device vendors’ defenses and gives the scammers direct control over how much money victims convert into cryptocurrency.

These new frauds, which employ deceptive decentralized finance (DeFi) applications, are a development of the “liquidity mining” scams that we discovered in 2022 and combine the pre-existing pig-butchering techniques with smart contracts and portable cryptocurrency wallets to create fictitious romance and friendship.

From a technical standpoint, these hybrid “DeFi Savings” scams get around some of the technical issues with earlier pig butchering frauds:

  • They don’t demand that the victim’s mobile device be updated with a unique mobile app. Some pig-butchering app versions required persuading users to follow difficult installation procedures or sneaking applications past Apple and Google’s app store reviews in order to be installed. DeFi scams only require the victim to load a web page from within reputable applications created by well-known developers.
  • The victim is given the impression that they have complete control over their money, because the scams don’t require that crypto funds be wired to the scammers or deposited into a wallet the scammers control. The victims’ cryptocurrency deposits are visible in their wallet balances up until the trap is set, and the con artists even add more cryptocurrency tokens to their accounts to give the impression that they are making money.
  • When victims “join” the scam, a contract wallet (an address that has control over the victims’ wallets) is used to conceal the wallet network that hides stolen cryptocurrency.

Unique Delivery

Pig-butchering con artists began using Apple iOS and Android apps in 2020 as part of their scams. They did this by using mobile device profiles to distribute real iOS apps and web shortcuts using ad-hoc deployment tools, which are typically used by beta testers, small groups, and businesses.

By altering remotely retrieved content to load new malicious content, the scammers were able to install applications in the Apple App Store and Google Play Stores in 2022, circumventing application security reviews. Due to the lack of steps like setting up a device profile or signing up for mobile device management, it was much simpler to persuade victims to download the app. However, the store app listings might still raise red flags.

The fake liquidity mining pool emerged as a new scam pattern earlier in 2022. These scams were initially primarily motivated by Telegram channels and social media spam groups, with pig butchering rings providing little in the way of long-term confidence building.

Instead, they concentrated on dismantling the scam itself, using a convoluted “real” DeFi passive investment scheme that was carried out through smart contracts with an automated cryptocurrency exchange and conceptually resembled traditional finance brokerage money market accounts.

A victim of a new variant of these liquidity mining scams approached us as we were conducting follow-up research on them. The criminal organizations that perpetrated the fraud against “Frank” and hundreds of others used the same strategies they had developed with earlier pig butchering models to entice victims in, primarily targeting the lonely and helpless through dating-related mobile applications, websites, and other social media.

Organization

Pig butchering style organizations are divided into distinct sections with different sets of tools, depending on the organization behind the scam.

Operations are divided into two categories: the “front office” (the “customer”-facing operation that entices, engages and instructs victims) and the “back office” (IT operations, software development, money laundering, and accounting). These operations are frequently geographically dispersed, with the back office team spread out internationally.

A pig butchering ring’s structure is shown in Figure 1.

Teams of “keyboarders” are used by the front office to engage potential targets. These individuals are frequently lured from China, Taiwan, the Philippines, Malaysia, and other Asian nations with the promise of high-paying tech or phone center jobs.

They text and send images to targets to persuade them that they are “friends” or romantically interested in them, following scripts and instructions from their handlers. A young person may serve as the scam’s “face” in some instances and hold regular video calls with the victims, while in other instances, they are entirely made up from media that was bought, stolen, or artificial intelligence ( AI ) generated.

Figure 2: A typical pig-butchering scam playbook (flowchart of the steps of a typical pig butchering scam).

The scammers will frequently harass victims after they disengage in an effort to entice them back in for more con games. In the guise of crypto application technical support, cryptocurrency “recovery specialists,” or the abandoned “lover,” they occasionally use the victim’s information to contact them in other ways, such as text messages, emails, and contact on other social media platforms.

The back office manages logistical tasks like setting up the money laundering process, registering domains, purchasing or developing fraudulent applications, and managing Internet infrastructure.

Toolkit for the butcher

Requirements for front office infrastructure include:

Mobile Gadgets

These can be set up with an Internet Voice over IP and texting service or a prepaid wireless account, depending on the messaging platform.

Applications for Secure Messaging

For targets outside of China, WhatsApp is the preferred platform. Skype and Telegram are also used. In order for line workers (“keyboarders”) to work the victim in shifts, accounts registered with one device are frequently shared across multiple other devices (such as PCs).

Dating Profiles and Social Media

To support their backstory, more sophisticated scams use edited Facebook and LinkedIn accounts that are stolen or fraudulent. Photos and videos of a designated spokesperson (often heavily edited), stolen images from other accounts and platforms, or artificial intelligence images can all be used in social and dating profiles.

A VPN link

Some con artists haven’t bothered to hide the source of their Internet traffic, while others have used private VPN services to avoid geolocation.

A cryptocurrency wallet is used to show the victim how to link to the scam and to give them reason to believe it is real.

Artificial intelligence

ChatGPT or other large language model (LLM) generative AI has been used more frequently to generate text messages that are sent to specific targets. Keyboarders use LLMs as a time-saving tool and to make their conversation appear more fluent in the target language. After Frank blocked the con artists on WhatsApp, they used AI to write a love letter that was sent to him via Telegram to beg him to re-engage with them.

Depending on the scam, different back office infrastructure is used. Since there is no need for application distribution outside of the setup of malicious DeFi sites, the requirements for mining scams are a little more streamlined than those for frauds based on fake cryptocurrency trading or other trading apps.

Hosting a Website

These scams are typically hosted with a major cloud service provider, such as Alibaba, Huawei Cloud, Amazon CloudFront, Google, and others, often hidden behind Cloudflare’s content delivery network.

Domains

Registered through low-cost domain registrars in China or the US, or occasionally through a partner in the Amazon Registry. When multiples are being created, the domain names typically include a cryptocurrency-related term or brand (DeFi, USDT, ETH, Trust, Binance, etc.) along with one or two randomly generated or incremented numbers and text.
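A defender-side triage sketch of the naming pattern described above, added here as an example and not taken from the original research: it flags hostnames (for instance from DNS or proxy logs) that pair one of the listed terms with digits, then groups lookalikes whose names differ only in the numbers. The function names and the sample `.example` domains are constructed for illustration.

```python
import re
from collections import defaultdict

# Terms the article names as common in these domains; extend from your own intel.
CRYPTO_TERMS = ("defi", "usdt", "eth", "trust", "binance")
_ALT = "|".join(CRYPTO_TERMS)
# A letter run counts only if it starts or ends with a term, so "method"
# does not match on "eth". "ethernet" still does; digits are required as well.
_TERM_RE = re.compile(rf"^(?:{_ALT})|(?:{_ALT})$")


def features(domain):
    """Return (name without TLD, matching letter runs, digit runs)."""
    name = ".".join(domain.lower().rstrip(".").split(".")[:-1])
    runs = re.findall(r"[a-z]+|\d+", name)
    terms = [r for r in runs if r.isalpha() and _TERM_RE.search(r)]
    digits = [r for r in runs if r.isdigit()]
    return name, terms, digits


def is_candidate(domain):
    """True when the name combines a crypto term with at least one number."""
    _, terms, digits = features(domain)
    return bool(terms) and bool(digits)


def find_kit_clusters(domains, min_size=2):
    """Group candidates whose names are identical once digits are masked.

    Incremented or randomised numbers collapse to '#', so sibling domains
    stood up from one template land in the same cluster.
    """
    clusters = defaultdict(set)
    for d in domains:
        if is_candidate(d):
            name, _, _ = features(d)
            clusters[re.sub(r"\d+", "#", name)].add(d.lower().rstrip("."))
    return {k: sorted(v) for k, v in clusters.items() if len(v) >= min_size}


# Constructed sample input (reserved .example TLD), not real indicators.
SAMPLE_DOMAINS = [
    "defi-usdt01.example", "defi-usdt02.example", "DEFI-USDT03.example",
    "trust-pool7x.example", "trust-pool9x.example", "eth-mining88.example",
    "ethernet-supplies.example", "method2.example", "mail.corp01.example",
]

if __name__ == "__main__":
    for skeleton, members in find_kit_clusters(SAMPLE_DOMAINS).items():
        print(skeleton, members)
```

A match is a lead for review, not a verdict: legitimate services also use these terms, so pair the clusters with registration dates and hosting overlap before acting.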

Kit for the DeFi app

A JavaScript-powered website that connects to wallets on the Ethereum blockchain using “Web 3.0” programming interfaces. The React user interface library is used by the majority of the fake DeFi apps we’ve looked at, and many of them come with built-in chat programs that let the con artists provide the target with “technical support.”

The crime ring may develop this kit naturally, or it may be acquired from underground markets. We discovered several hundred instances of the kits listed below hosted on various services and with various domain registrars, demonstrating how easily the same kit can be set up across hundreds of domains.

Nodes for cryptocurrencies

These Ethereum blockchain applications may be located locally on a scammer-controlled computer or in the cloud. They perform the transactions that transfer cryptocurrency tokens from the victim’s wallet address to the scammers’ wallets for laundering and serve as the “contract wallet” with which victims enter into smart contracts.

Wallets for destination and cashout

Destination wallets are typically “offline” wallet addresses that serve as a point of departure for con artists with cryptocurrency tokens. The stolen money is then typically transferred to a cryptocurrency exchange account—possibly one that has been compromised or created using false identification—and cashed out. In an effort to avoid tracing, stolen cryptocurrency may be spread across several exchange accounts and moved through a number of intermediate wallets.

Accounts with banks

A cryptocurrency exchange cashout to a bank account controlled by the scammer is the last step in the money laundering process from these scams. In the scams we tracked, the cashout target was a Hong Kong bank.

A recent US Secret Service case revealed that a ring partially based in the US used US and foreign bank accounts connected to shell companies to launder $80 million. Shell companies are frequently linked to these accounts to further obfuscate the trail of transactions.

Additional evolution

We have observed an increase in technical sophistication throughout our investigation into the most recent DeFi mining and other pig butchering scams, much of it in an effort to stop analysis of the schemes or to stay away from wallet platforms that have outlawed earlier frauds.

An early version of this, known as “invitation codes,” required target interaction with the con artists in order to access the scam DeFi application. More recent measures include:

  • Use of agent detection scripts to block or redirect desktop and mobile browsers unrelated to cryptocurrency wallets, in order to avoid analysis and limit connections to particular (vulnerable) mobile wallet apps.
  • Use of “WalletConnect” or other third-party APIs to conceal the scheme’s contract wallet address.
  • Detection of wallet balances, to stop empty Ethereum wallets from connecting and finding the contract wallet address.

Because they can be more easily packaged for sale and distribution to other cybercriminals and because they are simple for existing romance scam operators to adopt, we anticipate that DeFi mining scams will account for an increasing proportion of pig-butchering frauds in the future. The hundreds of copies of some kits that we have seen operating in the wild and their adoption by cybercriminals in other areas support this expectation.

These scams frequently go undetected until after they have started because they use legitimate software and frequently change their web hosting and cryptocurrency addresses. When they are detected, it is frequently by banks or cryptocurrency brokerages, which are alerted by large volumes of transactions from clients who have never used cryptocurrencies before. The scale of these scams makes it impossible to protect against all of them, so we keep looking for the websites that are hosting them and alert developers of mobile devices, wallet applications, and cryptocurrency exchanges.

Public education is still the best line of defense against them. People can identify the lures for pig-butchering-style crime by using the educational resources provided by the Cybercrime Support Network on romance and investment scams. However, it might take a more personal touch—from friends, family, and acquaintances they trust—to reach the people who are most likely to fall victim to these scams.

On our Sha Zhu Pan research page, you can find more in-depth details about the DeFi scams and other pig butchering frauds.
