{"id":23852,"date":"2024-02-04T13:20:54","date_gmt":"2024-02-04T21:20:54","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2024\/02\/04\/news-17582\/"},"modified":"2024-02-04T13:20:54","modified_gmt":"2024-02-04T21:20:54","slug":"news-17582","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2024\/02\/04\/news-17582\/","title":{"rendered":"Cryptocurrency scams metastasize into new forms"},"content":{"rendered":"<p><strong>Credit to Author: gallagherseanm| Date: Fri, 02 Feb 2024 11:00:13 +0000<\/strong><\/p>\n<div class=\"entry-content lg:prose-lg mx-auto prose max-w-4xl\">\n<p>In the spring of 2023, a recent retiree was drawn into what would become a <a href=\"https:\/\/news.sophos.com\/en-us\/2023\/09\/18\/latest-evolution-of-pig-butchering-scam-lures-victim-into-fake-mining-scheme\/\">horrifically expensive \u201crelationship.\u201d<\/a> Lured through a dating application by someone who claimed to live in his area, he was eventually convinced to \u201cinvest\u201d in what he was told was a safe, sure bet\u2014something called \u201cdigital currency mining.\u201d He would eventually invest over $20,000 in the scheme, depleting his personal retirement savings.<\/p>\n<p>The scam was a new variant on what has become perhaps the fastest-growing segment of online fraud, accounting for billions of dollars in losses from thousands of victims in the US alone\u2014cryptocurrency-based investment fraud. 
Because of the ease with which cryptocurrency ignores borders and enables multinational crime rings to quickly obtain and launder funds, and because of widespread confusion about how cryptocurrency functions, a wide range of internet-based scams have focused on convincing victims to convert their personal savings to crypto\u2014and then stealing it from them.<\/p>\n<p>Among these sorts of organized criminal activities, none seem as pervasive as sha zhu pan (\u201cpig butchering\u201d, \u6740\u732a\u76d8)\u2014a scam pattern upon which the crime perpetrated against this victim, \u201cFrank,\u201d was based. Originating in China at the beginning of the COVID pandemic, pig butchering scams have expanded globally ever since, becoming a multi-billion-dollar fraud phenomenon. These scams have done more than steal cryptocurrency; they have robbed people of their life savings, and in one reported case a scam led to the <a href=\"https:\/\/www.bloomberg.com\/news\/articles\/2023-09-27\/crypto-scam-led-to-demise-of-heartland-tri-state-bank\">failure of a small bank<\/a> by ensnaring a bank officer.<\/p>\n<p>In the past year, while well-worn versions of these scams persist, we\u2019ve seen the growth of a much more sophisticated version\u2014one that uses the power of the blockchain itself to bypass most of the defenses provided by mobile device vendors and give the scam operators direct control over funds victims convert into cryptocurrency. These new scams, using fraudulent decentralized finance (DeFi) applications, are an evolution of the <a href=\"https:\/\/news.sophos.com\/en-us\/2022\/05\/17\/liquidity-mining-scams-add-another-layer-to-cryptocurrency-crime\/\">\u201cliquidity mining\u201d scams we uncovered in 2022<\/a>, marrying the script for fake romance and friendship perfected by past pig butchering operations with smart contracts and mobile crypto wallets.<\/p>\n<p>These hybrid \u201cDeFi Savings\u201d scams overcome a number of the stumbling blocks 
of earlier pig butchering scams from a technical perspective:<\/p>\n<ul>\n<li>They do not require the installation of a customized mobile app onto the victim\u2019s mobile device. Some versions of pig butchering apps required convincing targets to go through complicated steps to install an application, or to slip applications past Apple and Google application store review so they could be directly installed. DeFi scams use trusted applications from relatively well-known developers, and only require the victim to load a web page from within that application.<\/li>\n<li>They do not require crypto funds to be deposited into a wallet controlled by the scammers, or a wire deposit to be sent to them, so the victim has the illusion of having full control over their funds. Until the moment that the trap is sprung, the victims\u2019 cryptocurrency deposits are visible in their wallets\u2019 balances, and the scammers even add additional cryptocurrency tokens to their accounts to create the illusion of profit.<\/li>\n<li>They conceal the wallet network that launders stolen crypto behind a contract wallet\u2014an address that is given control over the victims\u2019 wallets when the victims \u201cjoin\u201d the scam.<\/li>\n<\/ul>\n<h2>Special delivery<\/h2>\n<p>In 2020 we saw pig butchering scammers start using Apple iOS and Android applications as part of their scams, using a number of techniques to bypass app store review\u2014including the use of mobile device profiles to distribute actual iOS apps and web shortcuts with ad-hoc deployment tools typically used for beta testers, small groups and enterprises.<\/p>\n<p>In 2022 we found that the scammers were <a href=\"https:\/\/news.sophos.com\/en-us\/2023\/02\/01\/fraudulent-cryptorom-trading-apps-sneak-into-apple-and-google-app-stores\/\">able to place applications into the Apple App Store and Google Play Store<\/a>, bypassing application security reviews by changing remotely-retrieved content to load new malicious content. 
This made it much easier to manipulate victims into downloading the app, as it didn\u2019t require steps such as installing a device profile or enrolling in mobile device management. But the app listings in the stores could still raise suspicions.<\/p>\n<p>Earlier in 2022, we saw the emergence of a new scam pattern: the <a href=\"https:\/\/news.sophos.com\/en-us\/2022\/05\/17\/liquidity-mining-scams-add-another-layer-to-cryptocurrency-crime\/\">fake liquidity mining pool<\/a>. These scams were initially driven mostly by social media spam groups and Telegram channels, with little in the way of the long-game confidence building done by pig butchering rings.<\/p>\n<p>Instead, they focused on selling the scam itself\u2014based on a complicated \u201creal\u201d DeFi passive investment scheme conceptually similar to brokerage money market accounts in traditional finance but executed through smart contracts with an automated cryptocurrency exchange.<\/p>\n<p>We were in the midst of follow-up research on these liquidity mining scams when we were approached by a victim of a new version of them. The criminal organizations <a href=\"https:\/\/news.sophos.com\/en-us\/2023\/09\/18\/latest-evolution-of-pig-butchering-scam-lures-victim-into-fake-mining-scheme\/\">behind the scam \u201cFrank\u201d and hundreds like him fell victim to<\/a> use the same sorts of tactics they\u2019ve honed with earlier pig butchering models to lure victims in\u2014targeting primarily the lonely and vulnerable through dating-related mobile applications and websites as well as other social media.<\/p>\n<h2>Organization<\/h2>\n<p>While the details vary from ring to ring, pig butchering style organizations are broken into distinct parts, with distinct sets of tools. There is a \u201cfront office\u201d (the \u201ccustomer\u201d-facing operation that lures, engages and instructs victims) and a \u201cback office\u201d (IT operations, software development, money laundering and accounting). 
These operations may be co-located geographically, but they are often widely dispersed, with the back office team spread out internationally.<\/p>\n<figure id=\"attachment_953409\" aria-describedby=\"caption-attachment-953409\" style=\"width: 640px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/01\/Slide5.jpeg\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-953409 size-full\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/01\/Slide5.jpeg\" alt=\"A chart displaying the roles and relationships within a pig butchering scam group\" width=\"640\" height=\"360\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/01\/Slide5.jpeg 960w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/01\/Slide5.jpeg?resize=300,169 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/01\/Slide5.jpeg?resize=768,432 768w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><figcaption id=\"caption-attachment-953409\" class=\"wp-caption-text\">Figure 1: the organization of a pig butchering ring.<\/figcaption><\/figure>\n<p>The front office operates teams of \u201ckeyboarders\u201d\u2014often people lured from China, Taiwan, the Philippines, Malaysia, and other Asian countries with the promise of high-paying tech or phone center jobs\u2014to engage potential targets. They operate from scripts and instruction from their handlers, texting and sending images to targets to convince them that they are \u201cfriends\u201d or romantically interested in the targets. 
In some cases, a young man or woman will act as the \u201cface\u201d of the scam, and engage in scheduled video calls with victims; in others, the \u201cface\u201d is wholly fabricated from purchased, stolen, or AI generated media.<\/p>\n<figure id=\"attachment_953410\" aria-describedby=\"caption-attachment-953410\" style=\"width: 640px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/01\/Slide4.jpeg\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-953410 size-full\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/01\/Slide4.jpeg\" alt=\"Flowchart of steps of a typical pig butchering scam\" width=\"640\" height=\"360\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/01\/Slide4.jpeg 960w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/01\/Slide4.jpeg?resize=300,169 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/01\/Slide4.jpeg?resize=768,432 768w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><figcaption id=\"caption-attachment-953410\" class=\"wp-caption-text\">Figure 2: A typical playbook for a pig-butchering scam.<\/figcaption><\/figure>\n<p>Victims will often experience continued harassment by the scammers after they disengage, in an effort to pull them back in for further swindling. 
Sometimes they use information collected from the victim to contact them via other means\u2014including text messages, emails, and contact on other social media platforms\u2014in the guise of crypto application technical support, cryptocurrency \u201crecovery specialists,\u201d or the abandoned \u201clover.\u201d<\/p>\n<p>The back office handles logistical requirements such as Internet infrastructure, domain registration, fraudulent application acquisition or development, and configuring the money laundering process.<\/p>\n<h2>The butcher\u2019s toolkit<\/h2>\n<p><strong>Front office infrastructure<\/strong> requirements include:<\/p>\n<h4>Mobile devices<\/h4>\n<p>These are typically registered with a prepaid wireless account, or are configured with an Internet Voice over IP and texting service in order to be registered with messaging platforms.<\/p>\n<h4>Secure messaging applications<\/h4>\n<p>WhatsApp is the preferred platform for targets outside China. Telegram is also used, as is Skype. Accounts registered with one device will often be shared across multiple other devices (such as PCs) so that line workers (\u201ckeyboarders\u201d) can engage the victim in shifts.<\/p>\n<h4>Social media and dating profiles<\/h4>\n<p>More sophisticated scams use stolen or fraudulent accounts on Facebook and LinkedIn edited to support their backstory. 
Both social and dating profiles may use photos and videos of a designated spokesperson (often heavily edited), stolen images and videos from other accounts and platforms, or generative AI images.<\/p>\n<h4>A VPN connection<\/h4>\n<p>While some scam rings have not bothered disguising the source of their Internet traffic, others have used private VPN services to prevent geolocation.<\/p>\n<h4>A cryptocurrency wallet<\/h4>\n<p>This is used to demonstrate how to connect to the scam, and to create confidence in the target that the scheme is legitimate.<\/p>\n<h4>Generative AI<\/h4>\n<p>We have seen the increased use of ChatGPT or other large language model (LLM) generative AI to create text messages to be sent to targets. LLMs are used by keyboarders to make their conversation in the target\u2019s language appear more fluent, and as a time-saving device. In Frank\u2019s case, after he blocked the scammers on WhatsApp, AI was used to write a plea for him to re-engage, in the form of a love letter sent via Telegram.<\/p>\n<p><strong>Back office infrastructure<\/strong> varies based on the scam. With DeFi mining scams, the requirements are a bit more streamlined than with scams based on fake crypto trading or other trading apps, as there\u2019s no need for application distribution beyond the set-up of malicious DeFi sites.<\/p>\n<h4>Web hosting<\/h4>\n<p>Across all types of scams, this is usually through a reseller for a major cloud service provider\u2014Alibaba, Huawei Clouds, Amazon CloudFront, Google, and others\u2014and often put behind Cloudflare\u2019s content delivery network.<\/p>\n<h4>Domains<\/h4>\n<p>Registered through Chinese or US low-cost domain registrars, or in some cases through Amazon Registry via a partner. 
Domain names usually include a cryptocurrency-related term or brand (DeFi, USDT, ETH, Trust, Binance, etc.), and one or two may be combined with randomly created or incremented numbers and text when multiple domains are being created.<\/p>\n<h4>DeFi app kit<\/h4>\n<p>A JavaScript-powered web page using \u201cWeb 3.0\u201d programming interfaces to connect to wallets via the Ethereum blockchain. Most of the fake DeFi apps we\u2019ve examined use the React user interface library, and many are bundled with in-app chat applications that allow the scammers to act as \u201ctechnical support\u201d for the target. This kit may be organically developed by the crime ring or obtained through underground markets. The same kit can be easily set up across hundreds of domains; we found several hundred instances of the kits shown below hosted on varying services and with different domain registrars.<\/p>\n<div id='gallery-1' class='gallery galleryid-953408 gallery-columns-3 gallery-size-large'>\n<figure class='gallery-item'>\n<div class='gallery-icon portrait'> \t\t\t\t<a href='https:\/\/news.sophos.com\/en-us\/2024\/02\/02\/cryptocurrency-scams-metastasize-into-new-forms\/screenshot-from-2023-12-13-13-58-3252-copy\/'><img loading=\"lazy\" decoding=\"async\" width=\"545\" height=\"909\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/01\/Screenshot-from-2023-12-13-13-58-3252-copy.jpg?w=545\" class=\"attachment-large size-large\" alt=\"Screenshot of fraud site kit\" aria-describedby=\"gallery-1-953412\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/01\/Screenshot-from-2023-12-13-13-58-3252-copy.jpg 545w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/01\/Screenshot-from-2023-12-13-13-58-3252-copy.jpg?resize=180,300 180w\" sizes=\"auto, (max-width: 545px) 100vw, 545px\" \/><\/a> \t\t\t<\/div><figcaption class='wp-caption-text gallery-caption' id='gallery-1-953412'> \t\t\t\tA &#8220;DeFi Savings&#8221; scam kit found across over 300 domains. 
\t\t\t\t<\/figcaption><\/figure>\n<figure class='gallery-item'>\n<div class='gallery-icon portrait'> \t\t\t\t<a href='https:\/\/news.sophos.com\/en-us\/2024\/02\/02\/cryptocurrency-scams-metastasize-into-new-forms\/screenshot-from-2023-11-28-15-09-57\/'><img loading=\"lazy\" decoding=\"async\" width=\"499\" height=\"825\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/01\/Screenshot-from-2023-11-28-15-09-57.png?w=499\" class=\"attachment-large size-large\" alt=\"\" aria-describedby=\"gallery-1-953415\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/01\/Screenshot-from-2023-11-28-15-09-57.png 499w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/01\/Screenshot-from-2023-11-28-15-09-57.png?resize=181,300 181w\" sizes=\"auto, (max-width: 499px) 100vw, 499px\" \/><\/a> \t\t\t<\/div><figcaption class='wp-caption-text gallery-caption' id='gallery-1-953415'> \t\t\t\tA similar &#8220;liquidity mining pool&#8221; kit run on over 100 domains Sophos identified. \t\t\t\t<\/figcaption><\/figure>\n<figure class='gallery-item'>\n<div class='gallery-icon portrait'> \t\t\t\t<a href='https:\/\/news.sophos.com\/en-us\/2024\/02\/02\/cryptocurrency-scams-metastasize-into-new-forms\/screenshot-from-2023-09-19-15-58-28\/'><img loading=\"lazy\" decoding=\"async\" width=\"640\" height=\"907\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/01\/Screenshot-from-2023-09-19-15-58-28-e1705960261843.png?w=640\" class=\"attachment-large size-large\" alt=\"\" aria-describedby=\"gallery-1-953416\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/01\/Screenshot-from-2023-09-19-15-58-28-e1705960261843.png 658w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/01\/Screenshot-from-2023-09-19-15-58-28-e1705960261843.png?resize=212,300 212w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a> \t\t\t<\/div><figcaption class='wp-caption-text gallery-caption' id='gallery-1-953416'> \t\t\t\tAnother variant of a mining scam kit seen 
hosted on hundreds of domains. \t\t\t\t<\/figcaption><\/figure>\n<\/p><\/div>\n<h4>Cryptocurrency nodes<\/h4>\n<p>These Ethereum blockchain applications can reside in the cloud or on a locally-controlled computer operated by the scammers. They act as the \u201ccontract wallet\u201d that victims form a smart contract with, and execute the transactions that reassign cryptocurrency tokens from the victim\u2019s wallet address to the scammers\u2019 wallets for laundering.<\/p>\n<h4>Destination and cashout wallets<\/h4>\n<p>Destination wallets are usually \u201coffline\u201d wallet addresses that act as a waypoint for cryptocurrency tokens to be moved to by the scammers. The stolen crypto is then usually shifted to an account on a crypto exchange\u2014in some cases, a compromised account or one set up with false identifying information\u2014and then cashed out. Stolen crypto may be moved through several intermediate wallets and spread out across multiple exchange accounts in an attempt to evade tracing.<\/p>\n<h4>Bank accounts<\/h4>\n<p>The final phase of the money laundering from these scams is a cashout from a crypto exchange to a scammer-controlled bank account. In the scams we tracked, the destination was a bank in Hong Kong. 
These are often associated with shell companies to further obscure the trail of transactions; a <a href=\"https:\/\/www.justice.gov\/usao-cdca\/pr\/four-individuals-charged-laundering-millions-cryptocurrency-investment-scams-known-pig\">recent US Secret Service case<\/a> found that a ring partially based in the US used a combination of US and overseas bank accounts connected to shell companies to launder $80 million.<\/p>\n<h2>Further evolution<\/h2>\n<p>Throughout our investigation of the latest DeFi mining scams and other pig butchering scams, we have seen increasing technical sophistication\u2014much of it aimed at preventing analysis of the schemes or avoiding wallet platforms that have banned previous scams.<\/p>\n<p>\u201cInvitation codes\u201d were an early version of this, requiring target interaction with the scammers to gain access to the scam DeFi application. More recent steps include:<\/p>\n<ul>\n<li>Use of agent detection scripts to block or redirect desktop and mobile browsers not associated with cryptocurrency wallets to evade analysis, and to restrict connections to specific (vulnerable) mobile wallet apps.<\/li>\n<li>Use of \u201c<a href=\"https:\/\/walletconnect.com\/\">WalletConnect<\/a>\u201d or other third-party APIs to obscure the contract wallet address used by the scheme.<\/li>\n<li>Detection of wallet balances, preventing empty Ethereum wallets from connecting and discovering the contract wallet address.<\/li>\n<\/ul>\n<p>We expect that DeFi mining scams will constitute an increasing percentage of pig-butchering scams going forward because they can more easily be bundled for sale and distribution to other cybercriminals, and because they can be easily adopted by existing romance scam operators. 
That expectation is based on the hundreds of copies of some kits we have observed operating in the wild, and their adoption by cybercriminals in other regions.<\/p>\n<h2>Knowing is half the battle<\/h2>\n<p>Because these scams use legitimate software and frequently change their web hosting and cryptocurrency addresses, they are often only detected once they have begun\u2014often by banks and cryptocurrency brokerages that are alerted when large volumes of transactions from customers who have never traded in cryptocurrency before trip money laundering and bank fraud alerts. We continue to actively hunt for the sites hosting these scams and alert mobile device makers, wallet application developers and cryptocurrency exchanges, but the scale of these scams makes it impossible to defend against all of them.<\/p>\n<p>The best defense against them continues to be public education. The <a href=\"https:\/\/fightcybercrime.org\/\">Cybercrime Support Network<\/a> offers educational material on <a href=\"https:\/\/fightcybercrime.org\/scams\/imposter\/romance-scams\/\">romance scams<\/a> and <a href=\"https:\/\/fightcybercrime.org\/scams\/imposter\/investment-scams\/\">investment scams<\/a> that can help people spot lures for pig-butchering style crime. 
But reaching the people potentially most vulnerable to these scams may require a more personal touch\u2014from friends, family, and acquaintances they trust.<\/p>\n<p>More in-depth information on what we\u2019ve uncovered about DeFi scams and other pig butchering scams can be found on <a href=\"https:\/\/news.sophos.com\/en-us\/tag\/shazhupan\/\">our Sha Zhu Pan research page<\/a>.<\/p>\n<\/p><\/div>\n<p><a href=\"https:\/\/news.sophos.com\/en-us\/2024\/02\/02\/cryptocurrency-scams-metastasize-into-new-forms\/\" target=\"bwo\" >http:\/\/feeds.feedburner.com\/sophos\/dgdY<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/01\/shutterstock_773287879.jpg\"\/><\/p>\n<p><strong>Credit to Author: gallagherseanm| Date: Fri, 02 Feb 2024 11:00:13 +0000<\/strong><\/p>\n<p>\u201cDeFi mining\u201d scams adopted by pig-butchering rings create more problems for those trying to defend against them.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10377],"tags":[20200,129,27053,10574,28486,27030,16771],"class_list":["post-23852","post","type-post","status-publish","format-standard","hentry","category-security","category-sophos","tag-cryptocurrency-scams","tag-featured","tag-pig-butchering","tag-scams","tag-shazhupan","tag-sophos-x-ops","tag-threat-research"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/23852","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users
\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=23852"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/23852\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=23852"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=23852"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=23852"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}