Scaling the Fraud Economy: Pig Butchering as a Service

The article describes a growing pig butchering-as-a-service (PBaaS) economy in Southeast Asia that supplies turnkey scam platforms, stolen identities, pre-registered SIMs, mobile apps, payment rails and company-formation services to scale large romance/investment fraud operations. It highlights two service providers—“Penguin” selling PII, stolen accounts and fraud kits, and “UWORK” supplying CRM templates used by sites like lion-forex[.]com—showing how low-cost, commodity services have lowered barriers to mass fraud. #Penguin #UWORK

Key points

  • Pig butchering (sha zhu pan) operations have industrialized into a PBaaS market supplying everything from stolen PII to mobile apps and geofenced scam websites.
  • The actor dubbed “Penguin” openly sells shè gōng kù (stolen PII), pre-registered SIMs, stolen social media accounts, “character sets” (stolen images), SCRM tools and payment services to scammers.
  • UWORK is a CRM/management platform sold to scammers that powers fake investment sites (e.g., lion-forex[.]com) and provides admin dashboards, agent management and KYC collection functionality.
  • Suppliers also offer app distribution (Android .apk sideloads and iOS .mobileprovision provisioning), VPS hosting, MetaTrader integration, and company-incorporation/nominee director services that lend the operation credibility and help launder funds.
  • The commodification of these services dramatically lowers costs and technical barriers (website templates from US$50; full packs from ~US$2,500), enabling high ROI and scaling of global fraud networks.
  • Defensive priorities should shift toward disrupting service providers, financial enablers, shell-company facilitators and DNS/infrastructure that underpin PBaaS rather than only targeting individual scam groups.

MITRE Techniques

  • [T1588] Obtain Capabilities – Purchase of turnkey scam infrastructure, templates, SIMs, stolen accounts, and company formation services from PBaaS providers to rapidly scale fraud operations (‘…PBaaS provides the mechanisms to scale an operation with relatively little effort and cost.’).
  • [T1589] Gather Victim Identity Information – Acquisition and resale of extensive personally identifiable information (shè gōng kù) used to target and socially engineer wealthy victims (‘…shè gōng kù (社工库), literally, a “social worker database.” This is a code word for the theft and resale of personally identifiable information (PII)…’).
  • [T1078] Valid Accounts – Use and sale of stolen login credentials and pre-registered social media accounts to perform account takeover and assume trusted identities (‘…sells account data from western social media platforms, including Tinder and WhatsApp, as well as login information from sites like Adobe and Apple’s developer platforms.’).
  • [T1566] Phishing – Social engineering via romance, investment and impersonation scams to induce victims to send funds or install scam apps (‘From romance and investment scams to law enforcement impersonation and job or task scams…’).
  • [T1204] User Execution – Victims coerced to install mobile provisioning files or sideload apps (.mobileprovision/.apk), enabling installation of scam apps and potential device management by the developers (‘Users (victims) receive a .mobileprovision file, and if they approve it from a mobile device, the developer will obtain access to the device’s management suite…’).

Indicators of Compromise

  • [Domain] CRM and scam site infrastructure – uworkcrm[.]com (CRM domain queried by many sha zhu pan sites), lion-forex[.]com (fake investment site / Lion Brokers cited in indictment).
  • [File types] App distribution and sideloading artifacts – .mobileprovision (iOS provisioning files used to install scam/testing binaries), .apk (Android app binaries used to distribute scam apps).
  • [Messaging/Channels] Marketplace and mule/payment channels – Bochuang Telegram channel (payment/mule recruitment and BCD Pay references), Telegram sellers advertising CRM kits and fraud templates.
Read more: https://www.infoblox.com/blog/threat-intelligence/scaling-the-fraud-economy-pig-butchering-as-a-service/