âScam kitsâ for sale in underground markets
‘DeFi savings’ swindle follows a familiar script but with some new twists
Cybercriminals are selling the latest evolution of online scam schemes in ready-to-go kits on the dark web, lowering the barrier to entry for scammers around the world, according to a report published on Friday by the cybersecurity firm Sophos.
In traditional “pig-butchering” scams, which originated in China and blew up during the pandemic, criminals pretend to cultivate a romantic or personal relationship with victims through dating apps or social media. After gaining their trust over weeks of virtual conversations, the fraudsters manipulate them into investing in phony cryptocurrency investments.
Once the criminals squeeze as much digital currency as they can out of the victims, they take off with the funds, sometimes robbing innocent people of their life savings.
The name “pig butchering” refers to the process of fattening up victims with flattery and companionship before leading them to a potential financial slaughter.
“It gets people where they’re the most vulnerable because they’re trying to reach out to, to have contact with another human being,” said Sean Gallagher, principal researcher at Sophos’ threat research unit Sophos X-Ops.
Now, a type of swindle is being bundled and distributed for sale. Known as “DeFi savings”, it still depends on the fraudsters establishing a personal connection with the victims. In this instance, the financial fraud relies on well-known cryptocurrency apps since they provoke less scepticism among victims, Gallagher said.
The victims are persuaded to invest in a “DeFi savings opportunity”, by downloading a legitimate crypto wallet application and entering a malicious web address provided by the scammer.
Once users open the web page, it allows the fraudsters to access and steal funds from the victim’s wallet, according to Sophos.
DeFi (decentralised finance) savings scam kits include a web page that can connect to a victim’s crypto wallets through the Ethereum blockchain. Many of these web pages also include an installed chat feature, which the criminals can use to act as “technical support” for their victim, according to the report.
The commodification of these scam kits has allowed a wider array of fraudsters to get in on the action, the researchers said. In the past, swindlers could often be traced to Chinese-language crime rings in Southeast Asia. Now, they have started to emerge from web addresses in Thailand and West Africa, according to Sophos.
“It’s very simple for somebody to move over from doing an Instagram scam or some of the other types of social engineering scams that we’ve seen over the past decade, to convert into this type of operation,” Gallagher said.
With dozens of new kits popping up every day, DeFi scams are the fastest growing space in pig-butchering, Gallagher said. The DeFi savings scheme avoids some of the technical hurdles of more traditional techniques, such as installing a customised mobile app or wiring a deposit to the scammers, according to the report.
One DeFi ring studied by Gallagher brought in $3 million over a three-month period — an amount that took almost twice as long to steal by criminals who used more traditional techniques.
The job isn’t done once the scammers empty their victims’ wallet. Instead, the criminals will tell them that they can recover the funds by adding more money, according to Gallagher.
When a victim finally breaks contact, the criminals persistently ping them on other platforms, like Facebook, WhatsApp and Telegram. Some do so by utilising generative AI to create more fluent and believable English messages, according to the report.
“They use ChatGPT to create a text message saying: ‘Why did you cut off contact with me? I miss you. I love you. Please come back’,” Gallagher said.
