The Spreading Wave of Pig-Butchering Scams in India

A large-scale pig-butchering campaign is targeting investors in India using fake trading apps distributed via compromised developer accounts on Google Play and the App Store, supported by phishing sites, social media ads, and WhatsApp/Telegram recruitment. Scammers create realistic websites and fake news (including claims of a BlackRock partnership) to legitimize apps like Provex and use WebView-based apps that redirect to scam domains to collect funds and credentials. #Provex #BlackRock

Keypoints

  • Scammers use social media ads to lure victims into WhatsApp/Telegram groups and provide initial profitable trades to build trust.
  • Fraudulent Android and iOS trading apps (e.g., Provex) are published on Play Store/App Store, often via compromised developer accounts like “Design Tunnel Tech” and “Xilli Apps Studio”.
  • Fake apps use WebView to load scam websites (e.g., protbg.com, provexfintech[.]com) and require invitation codes to register victims.
  • Scammers impersonate legitimate Indian brokers and publish fabricated news (claiming partnerships with BlackRock) to add credibility.
  • Victims are encouraged to deposit funds; withdrawal functions are later disabled and communications cut off, causing financial loss.
  • Phishing domains (e.g., app[.]panth-ss[.]vip, app[.]yongljt[.]com, downs[.]fcsdmp.top) and compromised YouTube channels are used to distribute invitation links.
  • Evidence (Chinese strings in code, arrests) points to China-based actors collaborating across regions; campaign also targets Taiwan and Korea.

MITRE Techniques

  • [T1194.002] Spearphishing via Service – Used via social media ads and messages to attract victims: ‘Scammers use social media platforms like Facebook and Instagram to post ads enticing victims with high returns in the stock market.’
  • [T1133] External Remote Services – Distribution through app stores and compromised developer accounts: ‘Fraudulent applications are distributed through official app stores like Google Play Store and App Store, exploiting compromised developer accounts.’
  • [T1204] User Execution – Victims install and run malicious apps: ‘Victims are tricked into executing the malicious applications by installing them on their devices.’
  • [T1036] Masquerading – Impersonation of reputable brokers to appear legitimate: ‘Scammers impersonate reputable Indian brokerage firms to lend legitimacy to their operations.’
  • [T1027] Obfuscated Files or Information – Likely use of code obfuscation to hide malicious intent: ‘Scammers may use code obfuscation techniques to hide the malicious nature of their applications.’
  • [T1056] Input Capture – Collection of credentials and input via fake login forms/webviews: ‘Fake trading applications may capture login credentials and other sensitive information entered by victims.’
  • [T1005] Data from Local System – Collection of victim device data via fraudulent apps: ‘Scammers collect sensitive information from victims’ devices through the fraudulent applications.’
  • [T1071] Application Layer Protocol – Use of web-based C2 and scam backend to manage apps and collect data: ‘Scammers use command and control servers to manage the fraudulent applications and collect data from victims.’
  • [T1498.001] Financial Loss – Direct monetary impact when victims cannot withdraw funds: ‘Victims suffer financial losses when they invest in the fake trading platforms and are unable to withdraw their funds.’

Indicators of Compromise

  • [Domain] Scam websites and app redirects – provexfintech[.]com, protbg[.]com
  • [Domain] Phishing distribution sites – app[.]panth-ss[.]vip, app[.]yongljt[.]com (and downs[.]fcsdmp[.]top)
  • [IP] Hosting for scam domains – 34.131.1[.]213 (hosts multiple scam domains tied to Telegram task scam)
  • [File hash] Fake trading app binaries – faf7a001250ef1dbd2d6eaf8eabbd8d589c0960e871325808a7a1a76619c4b4f (SHA256), 87196e5cda572d63c43d52df200e823a9811e33a (SHA1) and 2 more hashes
  • [Email] Reused support/contact emails in fake apps – alimansoorlahore@gmail[.]com, franciscobenjamimluis28@gmail[.]com
  • [Domain] Telegram task scam domains – giottusmh[.]com, giottusmk[.]com

Cybercriminals advertise on social media to funnel victims into WhatsApp/Telegram groups, where they demonstrate small initial trading profits. Recruited victims are then given invitation links or codes to register in WebView-based Android/iOS apps (for example Provex) that load scam backends (e.g., protbg[.]com, provexfintech[.]com). Those apps are often published via compromised developer accounts (the named accounts are “Design Tunnel Tech” and “Xilli Apps Studio”) and distributed through Play Store/App Store listings or phishing domains; the apps collect credentials and payment details via fake login/registration flows.

Once registered, victims interact with a simulated trading interface that shows fabricated transaction histories and profits to encourage larger deposits. The attackers control withdrawal functionality on the backend and eventually disable withdrawals and stop communicating, resulting in direct financial loss. Technical artifacts include app package reuse across developer accounts, repeated support email addresses, Chinese-language strings in source code and admin panels, phishing domains (app[.]panth-ss[.]vip, app[.]yongljt[.]com, hxxps://provexfintech[.]com), and multiple file hashes associated with fake app binaries; these can be used for detection and takedown actions.

Mitigation steps that follow from the procedure described above:

  • Treat unsolicited trading invitations (ads, group invites, invitation codes) as high-risk.
  • Verify developer identities and app provenance before installing, and inspect app permissions and network connections (the WebView targets an app loads).
  • Block the known scam domains and IPs listed above at the DNS/proxy layer.
  • Monitor app store listings for reused support emails or identical package names across different developer accounts.
  • Coordinate takedown with app store providers and registrars using the listed IOCs.
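The detection ideas in the two paragraphs above (matching proxy traffic against the listed domains/IP, and flagging package names or support emails reused across developer accounts) as an added example; this is not code from the original write-up. The indicator values come from this page; the log lines, client IPs and package names are constructed placeholders.

```python
import re
from collections import defaultdict

def refang(v: str) -> str:
    """Normalise defanged indicators ('[.]', 'hxxp') so they can be matched."""
    return v.replace("[.]", ".").replace("hxxp", "http").lower().strip()

# Indicators listed in the write-up above (domains, hosting IP, reused contact emails).
SCAM_HOSTS = {refang(h) for h in [
    "provexfintech[.]com", "protbg.com", "app[.]panth-ss[.]vip", "app[.]yongljt[.]com",
    "downs[.]fcsdmp.top", "giottusmh[.]com", "giottusmk[.]com", "34.131.1[.]213"]}
REUSED_EMAILS = {refang(e) for e in [
    "alimansoorlahore@gmail[.]com", "franciscobenjamimluis28@gmail[.]com"]}

def host_hit(host: str):
    """Return the matching indicator when host equals, or is a subdomain of, a listed one."""
    host = refang(host)
    return next((h for h in SCAM_HOSTS if host == h or host.endswith("." + h)), None)

# Assumed proxy log shape: "<timestamp> <client> <METHOD> <url-or-host[:port]> ..."
LOG_RE = re.compile(r"^\S+ (?P<src>\S+) [A-Z]+ (?:https?://)?(?P<host>[^/:\s]+)")

def scan_proxy_log(lines):
    """Return (client, indicator) pairs for requests to listed hosts (WebView targets)."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        ind = host_hit(m["host"]) if m else None
        if ind:
            hits.append((m["src"], ind))
    return hits

def find_reuse(listings):
    """Flag package names and support emails shared across different developer accounts."""
    by_pkg, by_mail = defaultdict(set), defaultdict(set)
    for l in listings:
        by_pkg[l["package"]].add(l["developer"])
        by_mail[refang(l["email"])].add(l["developer"])
    shared_pkg = {p for p, d in by_pkg.items() if len(d) > 1}
    flagged_mail = {e for e, d in by_mail.items() if len(d) > 1 or e in REUSED_EMAILS}
    return shared_pkg, flagged_mail

# Constructed sample data (timestamps, client IPs and package names are placeholders).
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z 10.0.0.5 GET https://app.panth-ss.vip/invite?code=XYZ",
    "2024-01-01T10:00:01Z 10.0.0.5 GET https://www.google.com/",
    "2024-01-01T10:00:02Z 10.0.0.9 CONNECT protbg.com:443",
    "2024-01-01T10:00:03Z 10.0.0.7 GET http://34.131.1.213/api/login",
]
SAMPLE_LISTINGS = [
    {"developer": "Design Tunnel Tech", "package": "com.example.provex", "email": "alimansoorlahore@gmail.com"},
    {"developer": "Xilli Apps Studio", "package": "com.example.provex", "email": "support@example.net"},
    {"developer": "Honest Dev", "package": "com.example.other", "email": "hello@example.org"},
]
```

Running `scan_proxy_log(SAMPLE_LOG)` flags the three clients that reached listed hosts, and `find_reuse(SAMPLE_LISTINGS)` flags the package shared by the two named developer accounts plus the reused support email.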

Read more: https://cyble.com/blog/the-spreading-wave-of-pig-butchering-scams-in-india/