Sophos X-Ops documents a surge in pig butchering scams that push victims into fake liquidity mining schemes, exploiting DeFi concepts and social engineering rather than malware. A detailed victim case shows romance-based outreach via MeetMe, persistent multi-channel pressure, and AI-generated messages driving a $22,000 loss and a broader scam network with dozens of sites and millions stolen.
#PigButchering #LiquidityMining
Keypoints
- Fake liquidity mining scams piggyback on DeFi concepts to lure victims into granting access to their wallets via fraudulent websites.
- Scammers use sha zhu pan-style romance and social-engineering tactics (dating apps, misdirected SMS) to recruit targets and keep them engaged.
- A US victim lost about $22,000 after being guided through installing wallet apps and linking them to a fraudulent mining pool.
- Infrastructure for the scams includes the Allnodes.vip fraud site, hosted on Alibaba Cloud, and at least 13 additional phishing domains hosting similar fake pools.
- Victims’ funds are drained not by malware but by a transaction the victim is talked into signing: the “participate” action is a token approval that lets the scammers’ address spend the victim’s Tether, which they then transfer out, while the site shows fake profits and staged small withdrawals to keep the victim investing.
- The campaign evidence shows extensive use of AI-generated messages and multi-channel harassment to keep victims investing.
- Recommended defenses include revoking the token approvals granted to the scammers, moving remaining funds to a fresh wallet, not relying on the fraudulent site’s own in-app “customer support”, collecting transaction records (hashes, addresses, amounts), and reporting to law enforcement.
MITRE Techniques
- [T1566] Phishing – Social engineering via MeetMe and follow-on chats to lure victims into crypto schemes. “If you have a lot of free time now, I can teach you to mine. This way you can also use your free time to earn some revenue.”
- [T1583] Acquire Infrastructure – Setup and operation of fake liquidity mining domains (e.g., allnodes.vip) and related infrastructure hosted on Alibaba Cloud to sustain scams.
- [T1071] Application Layer Protocol – Victims interact with web-based wallets and smart contracts; clicking a participate action executes a contract that transfers funds. “clicking a ‘participate’ button in the app executed a contract that authorized the scammers to send Tether tokens from the wallet to another address.”
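The wallet prompt behind the “participate” button only says “Confirm”; what the victim actually signs is an ERC-20 `approve()` that gives the scammers’ address an allowance over the wallet’s Tether, which they later pull with `transferFrom()`. The following is an added example, not code from the Sophos report or from any project it describes: it decodes such calldata so that an unlimited approval to an unknown spender, the later drain, and the recommended revocation (an approval back to zero) are all visible in plain terms. The victim wallet address and all three transactions are constructed for the example; the spender is one of the wallet addresses listed under Indicators of Compromise. The 6-decimal assumption matches USDT and would need changing for other tokens.

```python
"""Decode the calldata behind a wallet 'Confirm' prompt before signing it.

Added example (not from the Sophos report). Shows what an ERC-20 approve(),
transferFrom() and transfer() call look like on the wire and what signing
each one lets a counterparty do to the victim's wallet.
"""
from dataclasses import dataclass, field

MAX_UINT256 = 2**256 - 1

# First 4 bytes of keccak256(canonical signature) -> (name, parameter names).
SELECTORS = {
    "095ea7b3": ("approve", ("spender", "amount")),
    "23b872dd": ("transferFrom", ("from", "to", "amount")),
    "a9059cbb": ("transfer", ("to", "amount")),
}
ADDRESS_PARAMS = {"spender", "from", "to"}


@dataclass
class DecodedCall:
    function: str
    args: dict = field(default_factory=dict)
    verdict: str = ""


def _address(word: bytes) -> str:
    # ABI left-pads an address to 32 bytes; the low 20 bytes are the address.
    return "0x" + word[12:].hex()


def _uint(word: bytes) -> int:
    return int.from_bytes(word, "big")


def encode_call(selector: str, *args) -> str:
    """ABI-encode a call whose arguments are only addresses and uint256 values."""
    out = bytes.fromhex(selector)
    for a in args:
        if isinstance(a, str):
            out += bytes.fromhex(a.removeprefix("0x").lower()).rjust(32, b"\x00")
        else:
            out += a.to_bytes(32, "big")
    return "0x" + out.hex()


def decode_calldata(calldata: str, wallet: str, decimals: int = 6) -> DecodedCall:
    """Name the function, its arguments, and what signing it does to `wallet`.

    `decimals` defaults to 6 because the victim in the report held Tether (USDT),
    which uses 6 decimals (assumption; other tokens differ).
    """
    data = bytes.fromhex(calldata.removeprefix("0x"))
    if len(data) < 4:
        raise ValueError("calldata shorter than a function selector")
    selector = data[:4].hex()
    if selector not in SELECTORS:
        return DecodedCall(f"unknown 0x{selector}", verdict="unrecognised function; do not sign blind")
    name, params = SELECTORS[selector]
    body = data[4:]
    if len(body) != 32 * len(params):
        raise ValueError(f"{name} expects {len(params)} 32-byte words, got {len(body) // 32}")
    args = {}
    for i, p in enumerate(params):
        word = body[32 * i: 32 * (i + 1)]
        args[p] = _address(word) if p in ADDRESS_PARAMS else _uint(word)

    wallet = wallet.lower()
    amount = args["amount"]
    human = f"{amount / 10**decimals:,.2f} tokens"
    if name == "approve":
        if amount == 0:
            verdict = f"revokes {args['spender']}'s allowance (this is the recommended cleanup)"
        elif amount == MAX_UINT256:
            verdict = f"UNLIMITED approval: {args['spender']} can move every token you hold, now or later"
        else:
            verdict = f"approves {args['spender']} to spend up to {human}"
    elif name == "transferFrom":
        verdict = f"spends an existing allowance: moves {human} from {args['from']} to {args['to']}"
        if args["from"] == wallet:
            verdict += " (this is YOUR wallet being drained)"
    else:
        verdict = f"sends {human} from the signer to {args['to']}"
    return DecodedCall(name, args, verdict)


# Constructed sample transactions (not real on-chain data). The spender is one of the
# wallet addresses listed under Indicators of Compromise; the victim wallet is made up.
VICTIM = "0x1111111111111111111111111111111111111111"
SCAMMER = "0x10f5DAf431Ee3F936F847623D7527A63d3ffA7a3"

PARTICIPATE_TX = encode_call("095ea7b3", SCAMMER, MAX_UINT256)       # what the button signs
DRAIN_TX = encode_call("23b872dd", VICTIM, SCAMMER, 22_000 * 10**6)  # later, sent by the scammer
REVOKE_TX = encode_call("095ea7b3", SCAMMER, 0)                      # the recommended fix

if __name__ == "__main__":
    for label, tx in [("participate", PARTICIPATE_TX), ("drain", DRAIN_TX), ("revoke", REVOKE_TX)]:
        d = decode_calldata(tx, VICTIM)
        print(f"{label:12} {d.function:13} {d.verdict}")
```

Two details are worth noting when reading real transactions this way. The approval is signed and paid for by the victim, so it shows up in the victim’s own history as an innocuous-looking call to the token contract; the drain is a separate transaction sent by the spender, which is why the victim can lose funds long after closing the scam site. And revoking means sending a new `approve(spender, 0)` from the same wallet, which is exactly what wallet permission-revocation tools construct under the hood.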
Indicators of Compromise
- [Domain] allnodes.vip, the fraud site hosting the fake liquidity pool; the report also references two further pool domains that are not named here
- [Wallet address] Wallets used in the scheme – 0x10f5DAf431Ee3F936F847623D7527A63d3ffA7a3, 0x6B79f38233726282c7F88FE670F871eAbd0c746c, 0xbe712a28f10ffe6e0efd77b749de133d6099e4c0, 0x7a77568db98ff29fe49194a77bd559f376068ff7