Showing posts with label Cryptocurrency Fraud.

Grubhub Branding Misused to Promote Exponential Crypto Returns

The holiday season is when consumer engagement and digital transaction volumes peak, and in recent weeks a wave of misleading email has been plaguing Grubhub's user community.

A growing number of users of Grubhub's online food delivery platform have been targeted by a coordinated email scam that mimics Grubhub's own sending infrastructure in order to win their trust.

The messages were falsely framed as a holiday crypto promotion and were sent from the authentic-looking subdomain b.grubhub.com, using sender addresses typically associated with the company's merchant partner outreach.

Grubhub's legitimate communications to restaurants and commercial partners use a similar domain, which lent credibility to what was in fact a malicious impersonation campaign. The fraudulent emails asked users to transfer Bitcoin to external wallets and promised a tenfold return within minutes.

One widely circulated message claimed that only 30 minutes remained in the promotion and that any Bitcoin sent would be multiplied tenfold, illustrating how heavily the scam relies on urgency and unrealistic financial incentives to persuade victims.

Multiple reports indicate that the emails were dispatched from counterfeit addresses resembling merchant support channels, including Grubhubforrestaurants and other restaurant-specific sender tags. The campaign, active since December 24, is highly personalized: recipients' names are embedded directly in the email body and delivery metadata, which points to structured data harvesting or reuse of previously breached data.

Social engineering attacks across the cryptocurrency fraud landscape have grown increasingly sophisticated, according to a study conducted by the University of Surrey, and this campaign renews concerns about the misuse of digital trust, brand-based impersonation, and the exploitation of corporate identity.

Recipients report receiving scam emails titled merry-christmas-promotion and crypto-promotion since December 24. The emails were sent from the b.grubhub.com subdomain and embedded personal identifiers such as the recipient's full name and email address.

The scam is a textbook example of a high-yield cryptocurrency reward scam: it relies on trust, financial aspiration, and manufactured urgency to promise a large return on a small outlay. The attackers' promise of exponential returns on Bitcoin transfers matches the familiar cryptocurrency fraud model of using implausible incentives to overcome skepticism.

Some users and independent researchers have speculated that the campaign was enabled by a DNS or subdomain takeover, in which case forged emails would pass the normal SPF, DKIM and DMARC authentication checks for that subdomain. Grubhub has not confirmed any of these claims, nor has it released technical details.

The company told BleepingComputer that the issue was identified within its merchant partner communications channels and promptly isolated, and that a full investigation is underway to prevent a recurrence. A spokesperson added that containment measures were implemented immediately, which suggests the platform treats the incident as a targeted attack on the integrity of its communications rather than as routine spam.

The incident also recalls Grubhub's disclosure earlier this year that a threat actor, having gained access to the company's servers, obtained a large volume of contact information for customers, merchants, and delivery drivers, though not payment credentials.

Although no structural link to the January breach has been established, experts note that previously exposed identity datasets often resurface long afterwards as raw material for impersonation campaigns, giving attackers the personalization they need to appear credible and targeted.

Law enforcement agencies report an escalation in digital fraud during high-traffic holiday periods, a trend highlighted in a recent public advisory from the Federal Bureau of Investigation cautioning consumers about the seasonal cycle of scams. According to the bureau, attackers deliberately step up their activity when demand for discounts, limited-time offers, and fast money gains is highest, deploying schemes built on expectation and urgency.

The FBI says non-payment and non-delivery scams were among the most frequently reported tactics in 2024, with victims misled into paying for goods or services that never materialized. The financial impact of these frauds is significant.

The FBI estimates that in 2024 alone these frauds accounted for more than $785 million in losses, with credit card fraud contributing a further $199 million, underscoring how profitable impersonation-driven financial crime remains.

Investigators also highlighted that phishing has evolved beyond traditional credential theft and increasingly targets passwords for cryptocurrency exchanges and access to digital wallets, where a single compromised account can allow assets to be liquidated and transferred immediately.

A recent FBI advisory urges users to be cautious about clicking unsolicited links. Authorities warn that malicious landing pages are routinely used to collect crypto-platform authentication details, including multi-factor authentication codes, in order to divert funds that may not be recoverable.

Researchers have drawn parallels between the Grubhub campaign and the broader crypto-doubling scam, a social engineering scheme that uses recognizable branding, individualized targeting, and a countdown-style deadline to feign legitimacy and suppress suspicion.

Industry experts and national agencies have repeatedly identified the same behavioral indicators: communications that combine a verified-looking domain name, a time-sensitive ultimatum, and a request to transfer funds to an external wallet.
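The two checks a mail gateway or analyst would actually run on a message like this are (1) whether the domain that SPF or DKIM authenticated is aligned with the brand subdomain shown in the From header, which is the alignment test DMARC performs and the test a subdomain takeover would defeat, and (2) whether the body carries the crypto-doubling indicators listed above. The script below is an added example written for this page, not code from Grubhub or from any of the cited reports. The sample message, the reserved .example domains, the authserv-id mx.example.net and the scoring weights are all constructed for the illustration.

```python
"""Triage of a brand-impersonation 'crypto promotion' email.

Two checks are combined:
  1. DMARC-style identifier alignment: does the domain that SPF/DKIM actually
     authenticated belong to the same organization as the RFC5322.From domain?
  2. Content indicators typical of crypto-doubling scams: a countdown, a
     promised multiplier, a request to send crypto, and a wallet address.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample for this example (not a real Grubhub message). Domains use
# the reserved .example TLD. The From header shows a brand subdomain, but the
# DKIM signature and SPF-checked envelope sender belong to an unrelated relay.
SAMPLE_RAW = """\
From: Grubhub for Restaurants <promotions@b.grubhub.example>
To: jane.doe@example.net
Subject: merry-christmas-promotion
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=bounce.mailer-relay.example;
 dkim=pass header.d=mailer-relay.example;
 dmarc=fail header.from=b.grubhub.example
Content-Type: text/plain; charset=utf-8

Hi Jane Doe,

Only 30 minutes left! Send any amount of Bitcoin to
bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq and we will
send back 10x within minutes.
"""

BTC_ADDRESS = re.compile(r"\b(?:bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")
INDICATORS = {
    "countdown": re.compile(r"\b(?:only\s+)?\d+\s*(?:minutes?|hours?)\s+left\b", re.I),
    "multiplier": re.compile(r"\b(?:\d+\s*x|tenfold|double|multipl\w+)\b", re.I),
    "send_crypto": re.compile(r"\b(?:send|transfer)\b.{0,40}\b(?:bitcoin|btc|crypto)\b", re.I | re.S),
}


def org_domain(domain: str) -> str:
    """Organizational domain used for relaxed alignment.

    Simplification: real DMARC consults the Public Suffix List; taking the
    last two labels is wrong for names like example.co.uk but fine here.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_auth_results(value: str, authserv_id: str) -> dict:
    """Parse an Authentication-Results header into {method: {result, props}}.

    Only a header stamped by our own MX (authserv_id) is trusted: a sender can
    insert forged Authentication-Results headers of its own.
    """
    text = re.sub(r"\s+", " ", value).strip()
    if text.split(";", 1)[0].strip().lower() != authserv_id.lower():
        return {}
    results = {}
    for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)((?:\s+[\w.]+=[^;\s]+)*)", text):
        entry = {"result": m.group(2).lower()}
        for key, val in re.findall(r"([\w.]+)=([^;\s]+)", m.group(3)):
            entry[key.lower()] = val.lower()
        results[m.group(1)] = entry
    return results


def alignment(from_domain: str, auth: dict) -> dict:
    """Recompute DMARC alignment from the SPF/DKIM results instead of trusting
    the upstream dmarc= verdict."""
    spf, dkim = auth.get("spf", {}), auth.get("dkim", {})
    spf_dom, dkim_dom = spf.get("smtp.mailfrom", ""), dkim.get("header.d", "")
    spf_ok = spf.get("result") == "pass" and bool(spf_dom) and org_domain(spf_dom) == org_domain(from_domain)
    dkim_ok = dkim.get("result") == "pass" and bool(dkim_dom) and org_domain(dkim_dom) == org_domain(from_domain)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok, "dmarc_pass": spf_ok or dkim_ok}


def triage(raw: str, authserv_id: str = "mx.example.net") -> dict:
    """Score one raw RFC 5322 message; authserv_id is our own MX's identifier."""
    msg = message_from_string(raw, policy=policy.default)
    from_domain = parseaddr(str(msg["From"]))[1].rsplit("@", 1)[-1].lower()
    auth = parse_auth_results(str(msg.get("Authentication-Results", "")), authserv_id)
    align = alignment(from_domain, auth)
    body = msg.get_body(preferencelist=("plain",)).get_content()
    hits = [name for name, rx in INDICATORS.items() if rx.search(body)]
    wallets = BTC_ADDRESS.findall(body)
    # Unaligned brand mail weighs more than any single content cue.
    score = (0 if align["dmarc_pass"] else 2) + len(hits) + len(wallets)
    verdict = "likely crypto-doubling scam" if score >= 4 else "review"
    return {"from_domain": from_domain, "alignment": align, "indicators": hits,
            "wallets": wallets, "score": score, "verdict": verdict}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_RAW), indent=2))
```

Two design points matter in practice. The upstream dmarc= verdict is deliberately not trusted: alignment is recomputed from the SPF and DKIM properties, and only a header stamped by the receiving MX's own authserv-id is parsed at all, since inbound Authentication-Results headers can be forged unless the gateway strips them. And a genuine subdomain takeover would make every alignment check pass, which is why the content indicators remain in the score rather than being skipped for authenticated mail.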

Both Grubhub's guidance and federal authorities stress independent verification through official channels as the key test of authenticity, especially when a message is individually addressed. Personalization is no longer a reliable sign of authenticity; more often it signals that prior personal data exposure has been weaponized to enhance credibility.

The ramifications of the phishing campaign go far beyond the theft of isolated sums of money. They prompt a broader discussion of digital trust, corporate identity, and the fragility of brand credibility in an increasingly weaponized online environment. Affected users face the direct loss of cryptocurrency, while Grubhub faces an equally troubling threat, the erosion of public confidence, driven not by a confirmed breach of its security but by the perception of one.

As industry observers and researchers have noted for years, modern phishing operations no longer depend solely on technical intrusion; their success rests equally on psychological authenticity. Familiar email formats, harvested personal identifiers, and brand-aligned subdomains can make a fraudulent message indistinguishable from a legitimate one.

The incident has also raised concerns about how cybercriminals reuse previously disclosed identity datasets, routinely repurposing them to personalize fraudulent outreach at scale and give phishing mail the appearance of one-on-one legitimacy. Security commentators warn that such events can leave lasting doubt among consumers who cannot tell a genuine system lapse from a forged communication.

Even where corporate infrastructure remains intact, that uncertainty damages trust. The situation has also highlighted a gap in user preparedness, with cyber security experts emphasizing that phishing literacy is as important as good password hygiene.

The following precautions are recommended: verify unexpected financial or promotional claims through company channels rather than embedded links; strengthen account defenses with unique, high-entropy passwords; and enable multi-factor authentication as soon as possible, especially on cryptocurrency exchange accounts, where credential theft can result in a quick, irreversible transfer of funds.

The campaign is reportedly part of a larger pattern of crypto-doubling social engineering fraud, a scam archetype that has persisted for years because it pairs technical deception with the lure of a big payday.

In light of the incident, delivery platforms and digital marketplaces have been urged to intensify customer education alongside technical monitoring and public awareness outreach, since the most effective defense against impersonation-driven fraud is a combination of infrastructure resilience and informed skepticism rather than any single measure.

Fake Microsoft Support Call Center Scam Targeting US Citizens Brought Down

An investigation by the Bengaluru police has brought down a sophisticated cyber fraud operation in the city that masqueraded as Microsoft Technical Support to defraud U.S. citizens, ending a transnational scam network that had been working from the city for some time.

On Saturday, the Special Cell of the Cyber Command, in coordination with the Cyber Crime Police of the Whitefield Division, raided the premises of a firm known as Musk Communications on the basis of specific intelligence.

Investigations revealed that the company, which began operations in August, had set up a fully functional scam center of approximately 4,500 square feet, where employees allegedly posed as Microsoft support technicians to deceive and defraud foreign nationals.

According to police, 21 individuals directly involved in the fraudulent activity were arrested at the facility. The operation was designed to systematically exploit overseas victims through carefully orchestrated technical support scams, with callers in several rented office spaces posing as Microsoft representatives and targeting residents of the United States.

Victims were approached either directly or through deceptive pop-up messages falsely stating that their computer was infected with malware or had been compromised. Once a caller had established contact, the target was persuaded to install a remote access application such as AnyDesk or TeamViewer, giving the fraudsters control of the machine.
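The moment a victim installs AnyDesk or TeamViewer at a caller's request is the one point in this scam that endpoint telemetry can see. The detection below is an added example written for this page, not code from the Bengaluru police or from any vendor: it reads process-creation events of the kind Sysmon Event ID 1 or Windows Event 4688 produce and raises the severity according to context (a user-writable install path, a browser as parent, a browser session minutes earlier, a shell spawned under the tool) rather than on the binary name alone. The event lines, hostnames, usernames and the ten-minute window are constructed for the illustration.

```python
"""Detection logic for unsolicited remote-access tools, the step at which a
tech-support scam turns into hands-on-keyboard access.

Input: process-creation events (Sysmon Event ID 1 / Windows 4688 style),
here constructed inline as JSON lines. Output: alerts whose severity depends
on context rather than on the binary name alone.
"""
import json
import ntpath
import re
from datetime import datetime, timedelta

# Constructed sample telemetry for this example; hosts, users and paths are
# invented. Events 2 and 3 model a scam victim, event 4 an IT-managed install,
# event 5 a shell started under the remote-access tool.
SAMPLE_EVENTS = r"""
{"time": "2025-11-29T10:00:12", "host": "WS-01", "user": "mary", "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "parent_image": "C:\\Windows\\explorer.exe"}
{"time": "2025-11-29T10:03:40", "host": "WS-01", "user": "mary", "image": "C:\\Users\\mary\\Downloads\\AnyDesk.exe", "parent_image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"}
{"time": "2025-11-29T10:08:05", "host": "WS-01", "user": "mary", "image": "C:\\Users\\mary\\AppData\\Local\\Temp\\AnyDesk.exe", "parent_image": "C:\\Windows\\explorer.exe"}
{"time": "2025-11-29T14:00:00", "host": "WS-07", "user": "it-admin", "image": "C:\\Program Files\\TeamViewer\\TeamViewer.exe", "parent_image": "C:\\Windows\\explorer.exe"}
{"time": "2025-11-29T14:01:00", "host": "WS-07", "user": "it-admin", "image": "C:\\Windows\\System32\\cmd.exe", "parent_image": "C:\\Program Files\\TeamViewer\\TeamViewer.exe"}
"""

# Tools named in the reporting; extend this list for your own environment.
RAT_PATTERNS = [re.compile(p, re.I) for p in (r"^anydesk.*\.exe$", r"^teamviewer.*\.exe$")]
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
USER_WRITABLE = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\desktop\\")


def is_rat(image_name: str) -> bool:
    return any(p.match(image_name) for p in RAT_PATTERNS)


def in_user_writable_path(image: str) -> bool:
    """True for binaries run from a profile location an installer would not use."""
    path = image.lower().replace("/", "\\")
    return "\\users\\" in path and any(marker in path for marker in USER_WRITABLE)


def load_events(text: str) -> list:
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for ev in events:
        ev["time"] = datetime.fromisoformat(ev["time"])
        ev["name"] = ntpath.basename(ev["image"]).lower()
        ev["parent_name"] = ntpath.basename(ev["parent_image"]).lower()
    return sorted(events, key=lambda ev: ev["time"])


def detect(text: str, browser_window: timedelta = timedelta(minutes=10)) -> list:
    """Return one alert per remote-access-tool event (or shell under one)."""
    alerts = []
    last_browser = {}  # (host, user) -> time of the most recent browser start
    for ev in load_events(text):
        key = (ev["host"], ev["user"])
        base = {"time": ev["time"].isoformat(), "host": ev["host"], "user": ev["user"], "image": ev["image"]}
        if ev["name"] in BROWSERS:
            last_browser[key] = ev["time"]
            continue
        if ev["name"] in SHELLS and is_rat(ev["parent_name"]):
            # Operator opened a console through the remote session.
            alerts.append({**base, "severity": "medium",
                           "reasons": [f"{ev['name']} spawned under {ev['parent_name']}"]})
            continue
        if not is_rat(ev["name"]):
            continue
        reasons = []
        if in_user_writable_path(ev["image"]):
            reasons.append("executed from user-writable path")
        if ev["parent_name"] in BROWSERS:
            reasons.append("spawned directly by a browser")
        elif key in last_browser and ev["time"] - last_browser[key] <= browser_window:
            minutes = int((ev["time"] - last_browser[key]).total_seconds() // 60)
            reasons.append(f"browser started {minutes} min earlier")
        severity = "high" if len(reasons) >= 2 else "medium" if reasons else "info"
        alerts.append({**base, "severity": severity, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["severity"].upper(), alert["time"], alert["host"], alert["reasons"])
```

The managed TeamViewer install under Program Files on the IT host comes out as "info" and would normally be suppressed by an allow-list; the victim's AnyDesk downloaded through Chrome and the second copy run from Temp a few minutes after the browser session both come out "high". The shell under TeamViewer is flagged separately because that is what an operator does once the remote session is up, legitimate or not.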

Police allege that during these sessions the accused deliberately generated false technical glitches, frozen screens, and fake virus alerts to heighten the victim's anxiety and coerce payment for services that were unnecessary or nonexistent.

Investigators say the group charged anywhere from several hundred to several thousand dollars for sham repairs, extended warranties, and counterfeit security subscriptions, and may have funneled crores of rupees through international payment gateways chosen to obscure the financial trail over more than a year.

The raid uncovered 35 computers, 45 mobile phones, Voice over IP communication systems, scripted call templates, and extensive customer data logs containing the details of hundreds of prospective targets. Those arrested had reportedly been trained to adopt an American accent so as not to raise suspicion, underscoring the systematic and calculated nature of the fraud.

Police said the case shows that cross-border technology support scams, which prey on seniors and digitally vulnerable individuals overseas, are becoming increasingly prevalent, and that further investigation is underway to identify who was behind the fraud, who financed it, and who was involved overseas.

According to Bengaluru Police Cyber Crime Division officials, the syndicate targeted victims in both the United States and the United Kingdom while falsely representing itself as Microsoft's technical support department.

Investigators learned that callers escalated the deception by citing fabricated Federal Trade Commission violations, telling victims that their systems had been compromised or that they were implicated in unlawful online activity. The fraudsters allegedly demanded substantial payments in Bitcoin to resolve these purported threats and instructed victims to deposit cash at cryptocurrency ATMs.

Police estimate that individual losses averaged around $10,000. The operation used intimidation tactics, including threats of legal penalties and urgent cyber alerts, to pressure compliance. Senior IPS officers confirmed that most of those targeted were elderly individuals unfamiliar with digital security practices.

Further inquiries revealed that nearly 85 people were employed in Bengaluru to manage data, handle calls, and impersonate foreign technology executives in a professionally layered setup that relied on American accents, detailed scripts, and email addresses designed to mimic official Microsoft and U.S. regulatory addresses.

Those arrested were tasked with extracting personal and financial information during staged troubleshooting sessions; payments were then converted to cryptocurrency, disguising the financial trail. Backend systems reportedly linked the operation to foreign digital wallets and crypto exchanges already under scrutiny by US authorities.

Investigators are now tracking Bitcoin transactions and identifying the international collaborators who routed the proceeds. Police are working with Interpol and central agencies to map digital wallet movements, and preliminary findings indicate that between August and November 2025 at least Rs 13.5 crore was transferred in multiple tranches through Bitcoin ATMs.

Analysts are also examining the seized servers to learn how the syndicate sourced the contact information of overseas victims. Officials noted that Bengaluru is becoming increasingly attractive to global cybercrime networks.

Its skilled manpower and readily available digital infrastructure are being exploited by fraud rings operating under the cover of technology support firms, prompting tighter monitoring of startup registrations, co-working spaces, and tech parks around the city.

Investigators have found that since August the network contacted around 150 victims across the United States and the United Kingdom, coercing them into depositing large sums, often close to $10,000, through Bitcoin ATMs. A senior IPS officer said that authorities are currently extracting and verifying financial information about the victims.

The officer added that preliminary findings show cryptocurrency kiosks were the primary channel for collecting illicit payments. A police report states that the accused posed as Microsoft technical support representatives and invoked fabricated Federal Trade Commission violations to instil fear, demanding money under the guise of mandatory security fixes and regulatory compliance procedures.

The operation's three key masterminds remain absconding and are believed to have orchestrated similar scams against victims in the U.S. and the U.K. since 2022. Musk Communications rented the 4,500-square-foot office in August at a monthly charge of Rs. 5 lakh, from which the gang planned and deployed malicious Facebook ads targeting American users.

Investigators found that the ads carried embedded code mimicking legitimate security alerts; when clicked, it would freeze the user's system and display a fake pop-up purporting to come from Microsoft's global support center, complete with a counterfeit helpline number.

Victims who called the number were told that their computer had been hacked, their IP address compromised, and their banking information exposed, and were then pressured into making high-value payments through Bitcoin ATMs.

According to police, the company employed 83 people, including 21 technical operators directly involved in the fraud, on salaries ranging from Rs 15,000 to Rs 25,000 per month. Among the further arrests confirmed by investigators was Ravi Chauhan, an Ahmedabad resident alleged to have played a major part in recruiting nearly 85 staff members for the operation, bringing the total number of arrests to 22 as the investigation pursues the remaining suspects and the financial flows tied to the scheme.

Organized cybercrime syndicates operating across borders have surged in recent years, and authorities have warned about their evolving tactics, particularly those that exploit the trust people place in recognized international technology brands.

Police emphasized that legitimate companies such as Microsoft do not initiate unsolicited technical support calls, push pop-up warnings demanding immediate action, or ask for payment in cryptocurrency in exchange for support.

Officials urged users, particularly the elderly and those unfamiliar with digital platforms, to exercise caution when confronted with alarming online messages or calls alleging legal or security violations, and to verify such claims through official websites or authorised service channels.

Cybercrime investigators also stressed the need for stronger awareness campaigns, closer scrutiny of short-term commercial rentals, and tighter regulation of online advertising platforms so that they cannot be used to deliver malicious content.

The investigation continues to trace financial flows and international connections. Authorities say the case is a reminder of how sophisticated and large-scale modern tech-support fraud has become, underscoring the need for digital literacy, cross-border cooperation, and timely reporting to counter scams that trade on fear, urgency, and misinformation.

Investment Scams Surge Across the US as Fraudsters Exploit Social Media, Texts, and Crypto Boom


If you've ever received a random “Hi, how are you?” message from a stranger on text or social media, it may not be an accident. While sometimes harmless, these unexpected greetings are increasingly being used by cybercriminals attempting to draw victims into investment schemes.

According to data from broker comparison platform Broker Chooser, investment-related fraud has become the fifth most common scam in the US. In just the first six months of 2025, more than 66,700 incidents were reported, with losses surpassing $3.5 billion. Cryptocurrencies remain a major target, and scammers pocketed $939 million in digital assets—an increase of $261 million from the same period last year.

Because these schemes prey on individuals hoping to grow their money quickly, the financial damage is substantial. The median loss per victim hit $10,000 in early 2025, rising from 2024’s median of $9,300. Broker Chooser notes this is the highest median loss of any scam category, dwarfing the second-highest—business and job fraud—by 376%.

Certain states are being hit harder than others. Nevada ranks first, logging 211 cases per million residents and more than $40.4 million in losses. Arizona follows with 202 cases per million and over $95.1 million lost. Florida comes in third with 185 reports per million residents and a staggering $241 million in total losses.

A major tactic driving these numbers is the “pig butchering” scam. In this approach, criminals initiate contact on dating platforms or social networks and spend months building trust. Once they establish a rapport, they persuade their targets to invest in fake cryptocurrency platforms, often showing fabricated account growth. As the victim invests more, the scammer eventually disappears with the funds, leaving the person with nothing.

Social media remains the leading gateway for these scams, with 13,577 reports and $589.1 million in losses in the first half of 2025. Many victims turn to these platforms for financial guidance, making them easy targets. Fraudulent websites and apps—often made more convincing through AI—rank second, with 6,007 incidents and $266 million in losses.

Text messages are another tool scammers use to start conversations. A simple, friendly opener can quickly evolve into targeted manipulation once the criminal identifies an opportunity.

Tech Park Operation in Bengaluru Uncovered in Cross-Border Malware Scam

The Bengaluru police have made a major breakthrough against a far-reaching cybercrime syndicate operating inside one of the city's bustling technology parks, uncovering and dismantling an alleged tech-support fraud operation.

Officials stated that the group, based in an office operating under the name Musk Communications on the sixth floor of the Delta building in Sigma Soft Tech Park, Whitefield, posed as Microsoft technical support representatives to intimidate unsuspecting victims in the United States with fabricated Federal Trade Commission (FTC) violation alerts.

Acting on credible intelligence and a judicial search warrant, Cyber Command's special cell and the Whitefield division cyber crime police mounted coordinated raids on Friday and Saturday. According to investigators, the operation was sophisticated and siphoned off several crores of rupees, largely through cryptocurrency channels.

The Times of India reported that the network followed a carefully choreographed playbook of deception, using fake security pop-ups and falsified FTC violation notices to convince victims to transfer money. A credible tip-off to the Cyber Command's special cell and Whitefield division officers prompted the swift, coordinated response.

Police conducted the court-ordered search over the weekend at the Musk Communications office on the sixth floor of the Delta building on Whitefield Main Road within Sigma Soft Tech Park. A cache of computers, laptops, hard drives, mobile phones, and other digital equipment thought to have powered the scam was seized. All employees present were detained and later produced in court, where they were remanded to police custody while the investigation continues.

Officials noted that the company's owner, who recruited and trained the detained employees, remains at large, and that only six people have so far been arrested in connection with the operation. Investigators' preliminary estimates suggest the network may have defrauded more than 500, and possibly more than 1,000, US citizens, and they believe its membership extended well beyond the 21 employees caught at the scene.

Pronab Mohanty, DGP and head of the CCU, said the scam combined carefully layered social engineering with deceptive technology. Officers observed that the group began by running malicious Facebook advertisements aimed at users in the United States, designed to deliver harmful code through links disguised as legitimate company notifications.

Once clicked, the code locked the victim's computer and displayed a fake alert posing as "Microsoft Global Technical Support", complete with a fraudulent helpline number. Trained impersonators who answered the calls escalated victims' fears by claiming their systems had been compromised, their IP addresses breached, and their sensitive financial data about to be exposed.
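The "locked computer" in this scheme is almost always a browser-locker page: nothing is installed, the tab is simply made hard to close while it shows the fake alert and helpline number. Such pages can be triaged statically, which is what the scanner below does. It is an added example written for this page, not code recovered from the operation or from the investigators: it searches a page's source for the script patterns that trap a tab (fullscreen request, unload prompt, history flooding, alert loop) and for the social-engineering content that converts the trap into a phone call, then extracts the number the victim is told to dial. The two sample pages, the 555-01XX fictional phone numbers and the verdict rule are constructed for the illustration.

```python
"""Static triage of a landing page for browser-locker ('browlock') behaviour.

The scanner never executes the page: it looks for the script patterns that
trap a tab (fullscreen, unload prompt, history flooding, alert loops) and for
the social-engineering content that turns the trap into a phone call.
"""
import re

# Constructed sample page for this example; the phone number is a reserved
# fictional 555-01XX number and no real page is reproduced.
SAMPLE_BROWLOCK = """\
<html><head><title>Microsoft Global Technical Support</title>
<script>
  window.onbeforeunload = function () { return "Do not close this window"; };
  for (var i = 0; i < 500; i++) { history.pushState(null, "", "#lock" + i); }
  document.documentElement.requestFullscreen();
  while (true) { alert("Windows Security Alert: Error # 0x80070057 - call support"); }
</script></head>
<body>
<h1>Windows Security Alert</h1>
<p>Your computer has been blocked and your IP address has been compromised.
Call Microsoft Support now: <a href="tel:+15550102233">1-555-010-2233</a></p>
</body></html>
"""

# Constructed benign page: a phone number alone must not trigger a verdict.
SAMPLE_BENIGN = """\
<html><body><h1>Acme Bakery</h1><p>Order by phone: 1-555-010-9999</p></body></html>
"""

LOOP = r"(?:while|for)\s*\([^)]*\)\s*\{[^}]*"
TRAP_PATTERNS = {
    "fullscreen_api": re.compile(r"requestFullscreen\s*\(", re.I),
    "unload_trap": re.compile(r"onbeforeunload|addEventListener\(\s*['\"]beforeunload", re.I),
    "history_flood": re.compile(LOOP + r"history\.pushState\s*\(", re.I | re.S),
    "alert_loop": re.compile(LOOP + r"\balert\s*\(", re.I | re.S),
}
BAIT_PATTERNS = {
    "brand_support_bait": re.compile(r"microsoft[^<]{0,60}(?:support|helpline|technician)", re.I),
    "fake_error_code": re.compile(r"error\s*(?:code|#)?\s*[:#]?\s*0x[0-9a-f]{6,}", re.I),
    "scare_text": re.compile(
        r"(?:computer|pc)\s+has\s+been\s+(?:blocked|hacked|infected)|ip\s+address\s+has\s+been\s+compromised",
        re.I),
}
TEL_HREF = re.compile(r"href\s*=\s*['\"]tel:([+\d().\s-]+)['\"]", re.I)
PHONE_TEXT = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]\d{4}")


def normalize_phone(raw: str) -> str:
    """Digits only; a bare 10-digit North American number gets its country code."""
    digits = re.sub(r"\D", "", raw)
    return "1" + digits if len(digits) == 10 else digits


def extract_phones(html: str) -> list:
    """Numbers from tel: links and from visible text, deduplicated in order seen."""
    seen = []
    for raw in TEL_HREF.findall(html) + PHONE_TEXT.findall(html):
        num = normalize_phone(raw)
        if num and num not in seen:
            seen.append(num)
    return seen


def scan_page(html: str) -> dict:
    traps = sorted(name for name, rx in TRAP_PATTERNS.items() if rx.search(html))
    bait = sorted(name for name, rx in BAIT_PATTERNS.items() if rx.search(html))
    phones = extract_phones(html)
    # A trap alone may be a buggy site; a trap plus a number to call is the scam.
    is_browlock = bool(traps) and (bool(phones) or bool(bait))
    return {"traps": traps, "bait": bait, "phones": phones, "is_browlock": is_browlock}


if __name__ == "__main__":
    for label, page in (("browlock", SAMPLE_BROWLOCK), ("benign", SAMPLE_BENIGN)):
        print(label, scan_page(page))
```

The extracted number is the useful artefact: it is what links the landing page to the call centre, and it is what a blocklist or a takedown request needs. The verdict deliberately requires a trapping technique plus either bait text or a phone number, so that a contact number on an ordinary site, or a legitimate page that merely asks for confirmation before unload, does not fire on its own.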

Victims were then coerced into transferring significant sums, often in cryptocurrency, under the guise of resolving fictitious FTC compliance violations and urgent security fixes. After receiving specific intelligence about the scam, CCU teams placed the 4,500-square-foot operation, which masqueraded as a call centre in the Delta building at Sigma Soft Tech Park, under discreet surveillance.

A case was registered suo motu under the Information Technology Act, and a team led by Superintendent of Police Savitha Srinivas conducted a planned raid that lasted from Friday night until Saturday morning. According to authorities, the arrested employees had been hired on unusually high salaries and given systematic training; their educational and professional histories are now being verified.

Investigators are examining all digital devices recovered from the premises to identify the remaining members of the operation, including those responsible for creating the malicious software, the trainers, and those who managed the network's finances, and to determine the full extent of the fraud.

A senior officer described the operation as a meticulously planned fraud network that relied heavily on deception and psychological pressure. As reported by investigators, the group ran targeted Facebook ads aimed at U.S. users, embedding malicious code in what appeared to be routine service messages or security alerts.

A single click was enough to freeze the victim's computer and trigger a pop-up mimicking a genuine Microsoft technical support warning, including a fake helpline number. When victims called for help, trained impersonators posing as Microsoft technicians spun alarming narratives: their computers had been hacked, their IP addresses compromised, and their banking information at immediate risk. Fabricated FTC violation notices were used to extract hefty payments for security fixes or compliance procedures that never existed.

Preliminary analysis of the financial flows suggests the syndicate may have siphoned off hundreds of crores through cryptocurrency channels, with Pronab Mohanty, Director General of Police, Cyber Command Unit, noting that the crypto transactions may have been large in scale.

A fuller picture of the case would emerge as the suspects were questioned further, he said, adding that investigators already hold significant electronic evidence. Officials say the operation's sophistication, technological infrastructure, and widespread reach suggest links to a wider transnational cybercrime network.

A team of experts is reviewing seized devices, tracking cryptocurrency wallets, reviewing communications logs, and mapping the victim footprint across multiple jurisdictions. Authorities are coordinating with central agencies to determine whether the group had counterparts outside the city or overseas, and the scope of the investigation continues to expand.

Investigators are also examining whether shell companies, falsified paperwork, or layered financial channels were used to conceal the operation's true leadership and funding. Officers expect the case to grow significantly as new leads emerge from digital forensics and financial analysis. Authorities have urged tech parks, digital advertisers, and online platforms to strengthen their monitoring systems to prevent similar infiltration attempts.

Cybersecurity experts say the case underscores the growing need to raise public awareness of deceptive pop-ups, unsolicited alerts, and remote support scams, tactics that continue to grow more sophisticated. Legitimate agencies never charge money for compliance or security fixes, and users are advised to verify helplines directly through official websites. The crackdown is expected to set an important precedent for international coordination in dismantling multinational cyber-fraud operations.

Global Cybercrime Epidemic: Pig-Butchering Scams Exploit Vulnerable Victims and Flourish Amidst Enforcement Gaps


The phenomenon of “pig-butchering” scams has emerged as a significant cybercrime, exploiting vulnerabilities intensified by the Covid-19 pandemic. These schemes involve creating fraudulent investment platforms and manipulating victims emotionally, often targeting them through social media. Shockingly, these operations are frequently linked to human trafficking networks across Southeast Asia.

Central to these allegations is Wan Kuok-koi, also known as “Broken Tooth,” a former Macau gangster. According to The Wall Street Journal, Wan is believed to be a key figure behind these scams. Despite his alleged connections to organized crime, Wan remains at large, shedding light on the failures of international enforcement efforts.

Named for the analogy of “fattening” victims with trust before “butchering” them financially, pig-butchering scams typically involve scammers posing as friends or romantic partners online. Once trust is established, victims are persuaded to invest in fake cryptocurrency platforms, often losing vast sums of money.

One striking example involved a Kansas banker who embezzled $547.1 million from his own bank to cover his losses. A study by finance professor John Griffin found that criminal networks moved over $75 billion through cryptocurrency exchanges in just four years, with Tether being the most commonly used stablecoin.

“These are large criminal organized networks, and they’re operating largely unscathed,” Griffin stated.

Wan Kuok-koi, infamous for his leadership of Macau’s 14K Triad in the 1990s, served 14 years in prison for organized crime. After his release, he resurfaced as a businessman. In 2018, he established the Hongmen Association in Cambodia, which purported to be a cultural organization but has been linked to cybercrime operations.

The group's activities expanded into Myanmar with the establishment of the Dongmei Zone, described by investigators as one of the first scam compounds. At a 2020 ribbon-cutting ceremony, Wan appeared alongside militia members, solidifying the zone’s association with illicit activities. The U.S. Treasury has since sanctioned the Dongmei Zone for its role in human trafficking and cyber scams.

Thousands of individuals have been trafficked into scam compounds like Dongmei under false promises of legitimate work. Victims are forced to surrender their passports and engage in fraudulent activities under constant surveillance.

Lu Yihao, a Chinese man enslaved for seven months in Dongmei, said: “As far as I could tell, from my personal experience, Dongmei was specifically built for criminal purposes.” The United Nations estimates that over 200,000 people are trapped in such conditions across Southeast Asia.

Efforts to combat pig-butchering scams are hindered by the role of cryptocurrencies, which facilitate laundering and obfuscation of funds. Platforms like Tokenlon have been identified as tools for scam proceeds, while Binance has worked with authorities to freeze fraudulent accounts.

Jan Santiago, a consultant for Chainbrium, explained: “People in the U.S., their money is going straight to Southeast Asia, into this underground economy.”

The Covid-19 pandemic provided fertile ground for these scams, as isolation left many more susceptible to emotional manipulation. Victims have lost not only their savings but also their trust.

A recent study titled How Do Crypto Flows Finance Slavery? The Economics of Pig Butchering emphasized the global scale of these operations. Paolo Ardoino, Tether’s CEO, stated: “With Tether, every action is online, every action is traceable, every asset can be seized, and every criminal can be caught,” though critics argue that cryptocurrencies remain attractive for illicit activities.

Wan has denied any involvement in criminal operations. In a 2020 video, he claimed that his Hongmen Association “follows the law.” However, his continued appearances at Hongmen events, including the recent opening of a Macau office, raise questions. Investigators remain unable to locate him.

Pig-butchering scams have expanded significantly, exploiting the perfect storm of the pandemic and the complexities of cryptocurrency tracking. Authorities face ongoing challenges in dismantling these sprawling networks.

Emerging Wave of Digital Criminals Targets U.S. Financial Systems


A recent study by the University of Surrey, in partnership with Nigeria’s Economic and Financial Crimes Commission (EFCC), reveals that cryptocurrency fraud in Nigeria is overwhelmingly carried out by young men, with males accounting for all convicted offenders and nearly two-thirds of them under 30. Over half (55%) of these cases target victims in the United States, illustrating a troubling cross-border crime trend.

The analysis highlights a growing wave of young, tech-savvy criminals leveraging digital currencies to execute sophisticated fraud schemes, making enforcement a major challenge. 

Dr. Suleman Lazarus, co-author and cybercrime specialist at the University of Surrey, pointed out the urgent need for global collaboration to address the issue, noting, “Our findings expose a surge in cryptocurrency fraud, led by a generation of male offenders using online platforms and digital currencies to conduct high-stakes crimes with global reach.”

The study involved a comprehensive review of case files, which revealed that platforms such as Facebook (27%), Gmail (22%), and Instagram (14%) are frequently used to contact and deceive victims. Notably, Bitcoin is the cryptocurrency of choice for nearly half (46%) of these schemes, complicating efforts to trace and recover stolen funds due to its inherent anonymity.

Financial gains from these scams vary widely, from as little as $1,000 to as high as $475,000 in cash, with some fraudsters accumulating up to 1,200 Bitcoin—worth an estimated $81.96 million. Contrary to the assumption that technical sophistication requires advanced education, only about 25% of the convicted fraudsters held a degree.

Dr. Lazarus emphasizes that the popularity of digital currencies calls for heightened awareness among law enforcement, policymakers, and the public to combat this evolving financial threat.

Rilide Malware: Hackers Use Malicious Browser Extension to Bypass 2FA and Steal Crypto


Trustwave SpiderLabs security researchers have recently discovered a new malicious browser extension, named Rilide, targeting Chromium-based browsers like Google Chrome, Brave, Opera, and Microsoft Edge. 

The malicious activities include monitoring browsing history, taking screenshots and stealing cryptocurrency through scripts injected into websites. Rilide impersonated benign Google Drive extensions to remain undetected while abusing built-in Chrome features. 

The cybersecurity company also found another operation that loaded the extension using a Rust loader by leveraging Google Ads and the Aurora Stealer. 

While the origin of the malware is still unknown, Trustwave reports that it shares similarities with extensions that are sold to cybercriminals. In addition, some of its code was recently disclosed on a dark web forum following an unresolved payment dispute between hackers. 

Hijacking Chromium-based Browsers 

Rilide’s loader modifies the web browser shortcut files to automate the execution of the malicious extension that is dropped on the compromised system. When the malware is executed, a script attaches a listener to monitor when the victim switches tabs, receives web content, or finishes loading a page. It also checks whether the current site matches a list of targets retrieved from the command-and-control (C2) server. 

If there is a match, the extension loads extra scripts that are injected into the webpage to steal the victim's cryptocurrency and email login information, among other details. Additionally, the extension disables the browser's Content Security Policy, a security measure intended to guard against cross-site scripting (XSS) attacks, so that it can freely load external resources the browser would otherwise restrict. 

Bypassing Two-factor Authentication 

Another notable feature of Rilide is its 2FA-bypassing system, which produces bogus dialogs to lure victims into entering their temporary codes. The system is triggered once the victim has submitted a withdrawal request to one of the cryptocurrency exchange services that Rilide targets. 

At that point the malware injects a script in the background to process the request automatically. Once the user has entered the code in the fake dialog, Rilide uses it to complete the withdrawal to the hacker’s wallet address. 

“Email confirmations are also replaced on the fly if the user enters the mailbox using the same web browser[…]The withdrawal request email is replaced with a device authorization request tricking the user into providing the authorization code,” the Trustwave report explains. 

In this way, Rilide highlights the growing threat posed by malicious browser extensions, which now include live monitoring and automated money-stealing capabilities. 

How can You Protect Yourself From Malicious Browser Extensions?

Regarding the issue, Trustwave SpiderLabs noted that Google’s enforcement of Manifest V3 might make it harder for threat actors to use malicious extensions to organize attacks. However, it would not solve the issue entirely, as “most of the functionalities leveraged by Rilide will still be available,” the researchers added. 

To protect yourself, it is advised to use reputable antivirus software, which helps prevent your system from being infected or your data from being compromised. Similarly, a good identity theft protection service can help restore an identity or funds stolen by hackers. 

Moreover, when installing new browser extensions, rely only on trusted sources such as the Chrome Web Store or the Microsoft Edge Add-ons store.  
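One concrete check a defender can add to the advice above, as an added example rather than code from Trustwave or the original post: a small Python audit that flags browser shortcuts whose arguments side-load an unpacked extension or weaken page security, which is the shortcut tampering the report describes. It assumes the shortcut target and argument strings have already been extracted from the .lnk files by another tool, and the sample records are constructed.

```python
# Added example, not Trustwave's or the post's code. Assumes the shortcut
# target/arguments were already extracted from .lnk files; samples are constructed.
from pathlib import PureWindowsPath

BROWSER_EXES = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe"}   # browsers named in the report
SIDELOAD_FLAGS = {"--load-extension", "--disable-extensions-except"}   # load unpacked extension from disk
WEAKENING_FLAGS = {"--disable-web-security", "--allow-running-insecure-content"}  # weaken page security

def split_args(arguments: str) -> list[str]:
    """Split a shortcut argument string on whitespace, honouring double quotes."""
    tokens, cur, in_quote = [], [], False
    for ch in arguments:
        if ch == '"':
            in_quote = not in_quote        # quotes group a value but are dropped
        elif ch.isspace() and not in_quote:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens

def audit_shortcut(target: str, arguments: str) -> list[dict]:
    """Return findings for one shortcut; a clean browser shortcut yields []."""
    if PureWindowsPath(target).name.lower() not in BROWSER_EXES:
        return []                          # not a browser launcher, ignore
    findings = []
    for token in split_args(arguments):
        flag, _, value = token.partition("=")
        if flag in SIDELOAD_FLAGS:
            for path in filter(None, value.split(",")):   # comma-separated dir list
                findings.append({"flag": flag, "value": path, "severity": "high"})
        elif flag in WEAKENING_FLAGS:
            findings.append({"flag": flag, "value": value, "severity": "medium"})
    return findings

def audit_all(records) -> dict:
    """Map shortcut path -> findings for every record that has any."""
    return {lnk: f for lnk, target, args in records if (f := audit_shortcut(target, args))}

# Constructed sample records: (shortcut path, target, arguments).
SAMPLE_SHORTCUTS = [
    (r"C:\Users\alice\Desktop\Google Chrome.lnk",
     r"C:\Program Files\Google\Chrome\Application\chrome.exe", ""),
    (r"C:\Users\alice\Desktop\Microsoft Edge.lnk",
     r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     r'--load-extension="C:\Users\alice\AppData\Local\Temp\upd\ext" --disable-web-security'),
]
if __name__ == "__main__":
    for lnk, findings in audit_all(SAMPLE_SHORTCUTS).items():
        for f in findings:
            print(f"{f['severity']:6} {lnk}: {f['flag']}={f['value']}")
```

Only the tampered Edge shortcut is reported; a legitimate shortcut to a store-installed browser carries none of these flags, so any hit is worth a closer look.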

US Government Seizes Cryptocurrency Worth $30 Million From Lazarus Hackers

The U.S. government, in collaboration with blockchain analysts and FBI agents, has successfully seized $30 million worth of cryptocurrency stolen by the North Korean-linked hacker group 'Lazarus' from the popular token-based 'play-to-earn' game Axie Infinity earlier in the year. 

The news was announced at the AxieCon event today, where officials highlighted it as a major achievement. They also praised and encouraged large-scale collaboration between multiple law enforcement authorities and private entities against growing cyber threats. 

According to statements made by blockchain analysts on Thursday, it is a momentous event for law enforcement agencies, as it is the first time agencies have successfully seized crypto tokens from the infamous Lazarus Group. 

“I am proud to say that the Chainalysis Crypto Incident Response team played a role in these seizures, utilizing advanced tracing techniques to follow stolen funds to cash out points and liaising with law enforcement and industry players to quickly freeze funds”, the blog reads. 

Chainalysis described the group's laundering process, which involves the following five stages:  

• Stolen Ether sent to intermediary wallets 
• Ether mixed in batches using Tornado Cash 
• Ether swapped for bitcoin 
• Bitcoin mixed in batches 
• Bitcoin deposited to crypto-to-fiat services for cashout. 

Following the incident, the US Office of Foreign Assets Control (OFAC) sanctioned Tornado Cash for its role in laundering the stolen cryptocurrency. 

The total financial damage caused by Lazarus' Axie Infinity hack is around $620 million, so the amount recovered represents only 5% of that value and 10% of the cryptocurrency amount. 

The analysts further stated they “have proven that with the right blockchain analysis tools, world-class investigators and compliance professionals can collaborate to stop even the most sophisticated hackers and launderers. There is still work to be done, but this is a milestone in our efforts to make the cryptocurrency ecosystem safer.” 

Hence, the US government and the New York-based blockchain analysis firm are confident that they will recover more of the stolen funds in the future.

Welcome “Frappo”: Resecurity Discovered a New Phishing-as-a-Service


The Resecurity HUNTER squad discovered "Frappo," a new underground service available on the Dark Web. "Frappo" is a Phishing-as-a-Service platform that allows fraudsters to develop and host high-quality phishing websites imitating major online banking, e-commerce, retail, and other online services in order to steal customer information. 

Cybercriminals created the platform to distribute professionally built phishing content through spam campaigns. "Frappo" is widely advertised on the Dark Web and on Telegram, where its group of over 1,965 members discusses success in targeting users of various online sites. The service first appeared on the Dark Web on March 22, 2021, and has been substantially updated since; the most recent version of the service was registered on May 1, 2022. 

"Frappo" allows attackers to operate with stolen material in an anonymous and encrypted manner. It offers anonymous billing, technical assistance, upgrades, and a dashboard for tracking acquired credentials. "Frappo" was created as an anonymous cryptocurrency wallet based on a Metamask fork. It is totally anonymous and does not require a threat actor to create an account. 

Amazon, Uber, Netflix, Bank of Montreal (BMO), Royal Bank of Canada (RBC), CIBC, TD Bank, Desjardins, Wells Fargo, Citizens, Citi, and Bank of America are among the financial institutions (FIs) and services for which the platform creates phishing pages. The authors of "Frappo" offer hackers a variety of payment options based on the length of their subscription. "Frappo" works like SaaS-based services and platforms for legitimate enterprises, enabling hackers to reduce the cost of developing phishing kits and deploy them on a larger scale. Notably, the phishing page deployment procedure is totally automated, since "Frappo" uses a pre-configured Docker container and a secure route to gather compromised credentials through an API. 

Once "Frappo" is properly configured, statistical data such as how many victims opened the phishing page, accessed authorisation and input credentials, uptime, and the server status will be collected and visualised. Compromised credentials will appear in the "Logs" area alongside further information about each victim, such as IP address, User-Agent, Username, Password, and so forth. The phishing pages (or "phishlets") that have been discovered are of high quality and include interactive scenarios that fool victims into providing authorization credentials. 

Threat actors have successfully leveraged services like "Frappo" for account takeover, business email compromise, and payment and identity data theft. Cybercriminals use sophisticated tools and methods to attack consumers all over the world. Digital identity protection has become one of the top objectives for online safety, and as a result a new digital battleground is emerging, with threat actors hunting for stolen data.

Christian Lees, Chief Technology Officer (CTO) of Resecurity, Inc. stated, “Resecurity is committed to protecting consumers and enterprises all over the globe, and is actively involved in public-private partnerships to share actionable cyber threat intelligence (CTI) with financial institutions, technology companies and law enforcement to ultimately minimize the risk of credentials being compromised and data breaches being executed.”