Cryptocurrency-based crime has become increasingly prevalent in various forms. Due to the borderless nature of cryptocurrency and its ability to facilitate quick fund acquisition and laundering by multinational crime rings, numerous confidence scams have emerged, with a particular focus on persuading victims to convert their savings into crypto and then separating them from their funds. One of the most widespread forms of organized criminal activity is known as “pig butchering,” which primarily operates through dating apps or social media platforms. Scammers use these platforms to establish relationships with victims and then introduce fraudulent schemes to make money together. In recent cases, scammers have even employed generative AI to make their messages more convincing.
The investigation into pig butchering scams first began in 2020, when fake cryptocurrency-trading mobile apps were discovered. These apps were downloaded by users who had been contacted by individuals they met on dating apps or websites. These apps, known as “CryptoRom” apps, were studied to understand how they evaded platform security on mobile devices. Over the past year, one prevalent method used by scammers is to exploit the vulnerabilities of legitimate cryptocurrency applications that can be linked to web applications. During a recent case involving a victim referred to as “Frank,” it was discovered that he lost over $20,000 USD in a fake “mining pool.” Further investigation revealed a larger network of scams using multiple domains and controlling “contract wallets” that facilitated the transfer and laundering of cryptocurrency. These scams targeted more than 90 victims and were connected to a multinational Chinese-language crime organization.
Analyzing the movement of funds, it was found that the contract wallets associated with the scams had transferred $1.22 million worth of Tether (USDT) cryptocurrency between January 1 and November 20 of the current year. It was also discovered that three separate threat activity groups were involved in running identical fraudulent decentralized finance (DeFi) app sites, indicating their affiliation with a single organized crime ring. Evidence of two additional domains matching the scam site’s fingerprint was found, but they had already been deactivated before further data collection could be done. By examining the wallets involved in the scheme, it was determined that nearly $2.9 million worth of cryptocurrency had been moved from various scams and illegal activities this year as of November 15.
During the investigation of the scam targeting “Frank,” the flow of cryptocurrency from his wallet was tracked. The scam involved a fake decentralized finance app hosted on the domain allnodes[.]vip, registered and hosted through Alibaba. The app created a smart contract that allowed another wallet address to have unlimited access to the linked wallet’s balance and transfer deposited Tether tokens. This remote address, known as the contract wallet, transferred funds to other wallets controlled by the scammers. Further analysis revealed that Frank was not the first victim targeted by this scam configuration. The control node associated with the scam had been active since April, and at least seven victims had been targeted, resulting in a total loss of $177,560. This prompted the search for similar sites, leading to the discovery of 14 domains hosting identical scam code, four control nodes, and multiple contract wallets.
By examining domain registry data and analyzing web requests, it was found that different sub-groups were operating identical scam kits simultaneously. Two groups of domains shared contract wallet addresses and routed cryptocurrency to the same destinations. An overview of the transaction data showed that the volume of cryptocurrency movement through the primary contract wallets significantly increased in June and remained relatively high throughout the summer months. Further analysis of the wallets receiving fraudulent withdrawals led to the discovery of additional contract wallets connected to the same destination wallets. The investigation is still ongoing to identify more scam operations and understand the extent of this organized crime ring.
In conclusion, cryptocurrency-based crime, especially in the form of pig butchering scams, has become widespread due to the ease with which cryptocurrency can be used for illegal activities and the confusion surrounding its functioning. Scammers target victims through dating apps and social media platforms, often employing generative AI to make their schemes more convincing. Investigations have revealed a complex network of scams using multiple domains, contract wallets, and control nodes, with connections to a multinational Chinese-language crime organization. The scams involve the transfer and laundering of significant amounts of cryptocurrency, highlighting the need for increased awareness and measures to combat cryptocurrency-based crime.