Unregulated DeFi services abused in latest pig butchering twist


A major pig butchering (shā zhū pán) scam operation has been observed using fake trading pools of cryptocurrency to entice their victims to part with their savings, and has likely netted over $1m during the course of the scam, according to new intelligence released by the Sophos X-Ops research team.

This is the latest in a series of ongoing research disclosures by Sophos researchers as they investigate so-called pig butchering scams – the practice of conning victims out of their money using a combination of romance-themed social engineering lures and fraudulent crypto trading.

In early 2023, they detailed how these cyber criminal gangs – usually located in the Asia-Pacific region – were getting their malicious apps listed on Apple and Google mobile apps stores by bypassing security measures, and more recently, they revealed how pig butchers are turning to generative artificial intelligence (AI) chatbots to con their victims.

The latest twist in the saga sees the pig butchers setting up fraudulent domains that take advantage of the essentially unregulated world of decentralised finance (DeFi) crypto trading apps.

As part of their functionality, such apps create liquidity pools of various cryptocurrencies that users can tap into to trade from one to another, with those participating in the pool receiving a percentage of any fee paid when a trade is made. To join pools, participants in general must sign an online contract that gives the pool operators permission to access their crypto wallets in order to trade. This is a highly risky practice in general.

At first glance, the pig butchering ring tracked by Sophos operates in much the same way as a legitimate one, establishing pools of cryptocurrency assets and adding new traders – or, in this case, victims – until such time as the cyber criminals drain the entire pool for themselves. This is what is known as a rug-pull. When combined with the traditional pig butchering romance scam, it can be extremely effective, as Sean Gallagher, Sophos principal threat researcher, observed.

“When we first discovered these fake liquidity pools, it was rather primitive and still developing. Now, we’re seeing shā zhū pán scammers taking this particular brand of cryptocurrency fraud and seamlessly integrating it into their existing set of tactics, such as luring targets over dating apps,” explained Gallagher.

“Very few understand how legitimate cryptocurrency trading works, so it’s easy for these scammers to con their targets. There are even toolkits now for this sort of scam, making it simple for different pig butchering operations to add this type of crypto fraud to their arsenal. While last year, Sophos tracked dozens of these fraudulent ‘liquidity pool’ sites, now we’re seeing more than 500.”

A little ditty about Frank and Vivian

Gallagher first got wise to this particular group of scammers when he was contacted by Frank, a victim who had read some of the previous research. Frank – which is not the victim’s real name – had thought he was connecting on the MeetMe dating app with a woman named Vivian, who said she was a German national living in Washington DC.

Frank and Vivian chatted online for some weeks, during which time Vivian, who was of course the scammer, mixed romantic promises with persistent attempts to get Frank to invest in crypto assets, as is standard practice in the con.

Unfortunately for Frank, he was convinced to open an account with the legitimate Trust Wallet dollar-to-cryptocurrency conversion service, which he connected to the liquidity pool Vivian had recommended to him.

At several points during the course of their conversation, Frank came close to stumbling on the ruse when the scammer – apparently by accident – wrote messages to him in Chinese instead of English but was able to convince him that she had mistakenly copied text from a translation app that she was using to talk to a friend in China into their chat.

After a long process – Frank being initially sceptical of cryptocurrency investments – he was lured to the fake pool site, which convincingly spoofed the brand of established DeFi platform provider Allnodes. He paid $22,000 into the pool between 31 May and 5 June 2023, and just three days later, found that his wallet had been emptied.

In an attempt to recover his money, Frank contacted Vivian, who claimed he needed to pay in additional funds in order to do so. Frank got his bank to authorise a money transfer to Coinbase, but while this was happening he started doing some research, at which point he found out about Sophos’ work and reached out.

During the subsequent conversation, Gallagher told Frank to block his contact, but Vivian tracked him down via Telegram and continued her attempts to lure him into parting with even more money. At one point, she sent a lengthy and apparently emotional letter – likely an AI creation.

Gallagher said that this new variety of pig butchering scam presents a particularly tricky problem as it requires no malware or fake app to be downloaded to the victim’s device, unlike some other variants – indeed, the entire fake pool can be run through legitimate services like Trust Wallet; at one point Frank tried to contact Trust Wallet’s tech support team but the pig butchers connected him instead to a fake contact.

And herein lies a big part of the problem, said Gallagher, because there is no regulation of liquidity pools even when supposedly legitimate.

“These scams succeed solely through social engineering, and the scammers are persistent,” he said. “The only way to stay safe from these scams is to be vigilant and know that they exist and how they operate. That is why Frank wanted to share his story.

“Users need to be wary of anyone they have no connection with reaching out to them suddenly via any dating app or social media platform, particularly if the ‘person’ reaching out wants to move the conversation to a platform like WhatsApp and then discusses investing in cryptocurrency.”

If you need help

A more in-depth account of Frank’s experience can be found on Sophos’ blog, and Gallagher and his colleague Jagadeesh Chandraiah are still keen for other victims to come forward in confidence.

In the meantime, if you think you have engaged with a pig butcher and may be using a fake liquidity pool app, there are a number of actions you can take:

  • Use the website Revoke – https://revoke.cash/ – from within your wallet app or browser to break the contract on the wallet, letting you identify and revoke permissions (this is not a free service);
  • Move your funds to a new wallet, particularly if you can’t break the contract;
  • Contact the exchange from which you bought the cryptocurrency through your wallet provider. Do not turn to support chats in the liquidity pool app itself as they will likely be controlled by the pig butchers. This is a link to Trust Wallet’s real helpdesk.
  • Collect the transaction data associated with your wallet with a blockchain explorer like Etherscan by pasting your wallet ID into its search. You can share this information with security teams and police;
  • If the rug-pull has taken place and your funds are gone, on no account engage with any crypto recovery provider advertised on social media – in general these are also scams;
  • Report the activity to the relevant authorities. In England and Wales, Action Fraud should be your first port of call. In Scotland, you should instead contact Police Scotland by phoning 101, and readers in Northern Ireland can also contact Action Fraud. In the US, both the US Secret Service and the FBI are empowered to investigate crypto fraud although they may not always act on individual cases.
  • Understand that you are not alone. These scams are sophisticated and their perpetrators are experts at manipulation – there is no shame in falling victim to one.
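
To make the "identify and revoke permissions" and "collect the transaction data" steps concrete, the following added example (not from the article or from Sophos) replays a wallet's outgoing transactions and lists token permissions that are still in force. It assumes the wallet permission is a standard ERC-20 `approve` allowance on an Ethereum-style chain, which the article does not spell out; the function names, the `to`/`input` record layout and every address are constructed for illustration.

```python
# Added example: assumes permissions are ERC-20 approve() allowances; all data is constructed.
APPROVE_SELECTOR = "095ea7b3"   # first 4 bytes of keccak256("approve(address,uint256)")
UNLIMITED = 2**256 - 1          # the "spend everything" allowance value

def decode_approve(calldata_hex):
    """Return (spender, amount) for an ERC-20 approve() call, else None."""
    data = calldata_hex.lower()
    data = data[2:] if data.startswith("0x") else data
    # selector (8 hex chars) + two 32-byte ABI words (64 hex chars each)
    if len(data) != 136 or not data.startswith(APPROVE_SELECTOR):
        return None
    spender_word, amount_word = data[8:72], data[72:136]
    if spender_word[:24] != "0" * 24:      # a 20-byte address is left-padded with zeros
        return None
    return "0x" + spender_word[24:], int(amount_word, 16)

def active_approvals(transactions):
    """Replay outgoing transactions (oldest first), keeping the last value approved
    per (token, spender). This is not the remaining on-chain allowance."""
    latest = {}
    for tx in transactions:
        decoded = decode_approve(tx["input"])
        if decoded is None:
            continue
        spender, amount = decoded
        key = (tx["to"].lower(), spender)
        if amount == 0:
            latest.pop(key, None)          # approve(spender, 0) is a revocation
        else:
            latest[key] = amount
    return latest

def unlimited_approvals(transactions):
    """(token, spender) pairs that still hold an unlimited approval."""
    return sorted(k for k, v in active_approvals(transactions).items() if v == UNLIMITED)

def build_approve(spender, amount):        # builds constructed sample calldata
    return "0x" + APPROVE_SELECTOR + spender[2:].rjust(64, "0") + format(amount, "064x")

TOKEN, POOL, DEX = ("0x" + b * 20 for b in ("11", "aa", "bb"))  # constructed addresses
SAMPLE_TXS = [
    {"to": TOKEN, "input": build_approve(DEX, 500)},
    {"to": TOKEN, "input": build_approve(POOL, UNLIMITED)},
    {"to": TOKEN, "input": "0xa9059cbb" + "0" * 128},   # transfer(), ignored
    {"to": TOKEN, "input": build_approve(DEX, 0)},      # revocation of the first approval
]

print(unlimited_approvals(SAMPLE_TXS))
```

Any pair this reports for a spender address you do not recognise is a permission to revoke, or a reason to move funds to a new wallet. The sketch only covers plain `approve` calls, so other ways of granting token permissions will not appear in its output.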
