Sophos traces a multinational pig butchering network that uses fake DeFi apps and social engineering to drain victims’ crypto wallets across dozens of domains and contract wallets, laundering millions in proceeds. The operation appears to involve multiple affiliated groups, evolving tooling, and broad infrastructure designed to evade platform defenses and monetize stolen funds.
Key points
- The investigation centers on pig butchering scams that blend dating/social-engineering with fake crypto/DeFi apps to steal funds from victims.
- The network operated across at least 14 domains and four control-wallet addresses, laundering funds via a five-branch infrastructure.
- From January to November 2023, the group moved about $1.22 million in USDT through contract wallets, with total scams exceeding $2.9 million for the year.
- “Allnodes,” “Trust,” and “Ada” are identified subgroups, with Allnodes linked to the case of a victim nicknamed “Frank” and others accumulating substantial sums.
- The scams used fake DeFi apps hosted on compromised or newly registered domains, often on Alibaba infrastructure behind Cloudflare, to mislead victims and enable transfers out of the wallets they connected.
- After exchanges and wallet developers began blocking the scam, operations shifted toward a larger number of sites built from the same kit, indicating evolving countermeasures and a wider threat reach.
- The report emphasizes public awareness and coordinated defense (reporting, blocking, and law-enforcement engagement) as the best defense against these mature scams.
MITRE Techniques
- [T1566] Phishing – Spearphishing via social engineering using messaging apps (e.g., WhatsApp) to lure victims. “The target … was approached through WhatsApp by someone claiming to be a Chinese woman living in Germany.”
- [T1036] Masquerading – The scammers present a fake DeFi app to appear legitimate and entice wallet connections. “The scammer’s trap was a fake decentralized finance app hosted on the domain allnodes[.]vip—a site registered through and hosted by Alibaba.”
- [T1190] Exploit Public-Facing Application – The fake DeFi site is used as an exploit of public-facing financial apps: a smart contract grants the scammers control over victim funds. “The app created a smart contract … gave another wallet address a virtually unlimited ‘allowance,’ allowing its owner to see the balance … and transfer Tether tokens.”
- [T1583] Acquire Infrastructure – The scammers acquired infrastructure (domains and hosting), using providers such as Alibaba Cloud/Alibaba Singapore, and concealed it behind Cloudflare protection. The report notes “hosting concealed through Cloudflare” and lists “Alibaba Singapore” / “Alibaba Cloud” in its hosting table.
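The allowance abuse described under T1190 above, as an added example that is not code from the Sophos report: a small Python check that decodes an ERC-20 approve() call and flags a "virtually unlimited" allowance before the user signs. The function selector is the standard ERC-20 one; the spender addresses, amounts and balances are constructed for this example.

```python
# Added example (not from the Sophos report): decode an ERC-20 approve() call
# and flag the unlimited-allowance pattern the scam relies on, so a wallet or
# transaction-review tool can warn the user before the transaction is signed.
# Spender addresses, amounts and balances below are constructed.

APPROVE_SELECTOR = "095ea7b3"   # first 4 bytes of keccak256("approve(address,uint256)")
UINT256_MAX = 2**256 - 1


def decode_approve(calldata: str):
    """Return (spender, amount) for an ERC-20 approve() call, or None if it is not one."""
    data = calldata.lower().removeprefix("0x")
    if len(data) != 8 + 64 + 64 or data[:8] != APPROVE_SELECTOR:
        return None
    spender = "0x" + data[8 + 24:8 + 64]     # 20-byte address, right-aligned in a 32-byte word
    amount = int(data[8 + 64:8 + 128], 16)   # uint256 allowance in token base units
    return spender, amount


def assess_approval(calldata: str, balance: int, decimals: int = 6) -> dict:
    """Classify an approve() as 'unlimited', 'exceeds_balance' or 'bounded'.

    balance is the wallet's current token balance in base units (USDT uses 6 decimals).
    """
    decoded = decode_approve(calldata)
    if decoded is None:
        return {"verdict": "not_approve"}
    spender, amount = decoded
    if amount >= 2**255:            # anything near uint256 max is "virtually unlimited"
        verdict = "unlimited"
    elif amount > balance:          # more than the wallet holds: spender can drain future deposits
        verdict = "exceeds_balance"
    else:
        verdict = "bounded"
    return {"spender": spender, "amount": amount / 10**decimals, "verdict": verdict}


# Constructed sample calldata: the scam pattern (uint256 max) and a bounded 1000 USDT approval.
UNLIMITED_CALL = "0x" + APPROVE_SELECTOR + "0" * 24 + "11" * 20 + "f" * 64
BOUNDED_CALL = "0x" + APPROVE_SELECTOR + "0" * 24 + "22" * 20 + format(1_000 * 10**6, "064x")

if __name__ == "__main__":
    for call in (UNLIMITED_CALL, BOUNDED_CALL):
        print(assess_approval(call, balance=5_000 * 10**6))
```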
Indicators of Compromise
- [Domain] Domain names used in the scams – allnodes.vip, allnodes.xyx, trust-oke.com, trust-usdt.com, and 11 more domains
- [Contract Wallet Address] Cryptocurrency contract wallets – 0x6B79f38233726282c7F88FE670F871eAbd0c746c, 0xd2b14d2fff430a720cf44bbd064f548a585e73de, 0xcf6b558c218a9148cd77c04be4e3d1c1fc9d61a2, and 11 more addresses
- [Hosting/Infrastructure] Infrastructure providers used to host scam sites – Alibaba Cloud (Alibaba Singapore), hosting via Alibaba; Cloudflare protection
- [Registrar] Domain registrars associated with the scam domains – Alibaba Cloud, Dynadot, Gname.com
Read more: https://news.sophos.com/en-us/2023/12/18/luring-with-love-defi-mining-scam-indepth/