Cybercriminals convert to business as a service

by admin

Sophos found that cybercriminals specializing in sha zhu pan scams have turned to the “as-a-service” business model to expand into new markets on a global scale. Sha zhu pan (杀猪盘) means “pig slaughter dish”, a term that refers to complex cryptocurrency frauds that exploit social engineering techniques disguised as friendships, possibly with a romantic background. Criminals specializing in this type of scam are using an “as-a-service” model, marketing specialized turnkey kits on the dark web to expand globally. The kits provide the technical components necessary to implement a specific variant of the sha zhu pan scam known as “DeFi savings deposits”.

The modus operandi of scammers

The bad guys present this particular type of scam as a passive investment opportunity similar to liquidity deposit accounts. These scams are often aimed at people who don’t know what cryptocurrencies are. Victims are asked to connect their wallet to a “brokerage account” with the promise of earning interest on the sums invested. In reality, the victims do nothing but add their wallet to a fraudulent trading pool destined to be promptly emptied by the scammers.

An exponentially growing phenomenon

Sean Gallagher, Principal Threat Researcher at Sophos
When the sha zhu pan scam first appeared during the pandemic, the technical aspects of the scams were still relatively primitive. Furthermore, they also required a lot of support work to direct the victims to do what the criminals wanted. Today scams have higher success percentages and cybercriminals have perfected their techniques. So we observe an evolution similar to that already seen in the past with ransomware and other types of cybercrime: the creation of an as-a-service model. Gangs dedicated to this type of scam are creating turnkey DeFi app kits that other cybercriminals can purchase on the dark web. The consequence is the appearance in areas such as Thailand, West Africa and even the United States of new gangs completely unrelated to Chinese organized crime.

As with other genres of commercialized cybercrime, these kits lower the entry threshold for those interested in sha zhu pan scams. But they dramatically increase the number of potential victims. Last year these scams were already a multi-billion dollar phenomenon. This year, unfortunately, the problem is destined to grow exponentially.

The cybercriminals

Sophos X-Ops experts have been following the evolution of these scams for two years. Early versions, dubbed “CryptoRom” scams by Sophos, made contact with potential victims through dating apps. Then they convinced them to download bogus cryptocurrency trading applications from external sources. In the case of iOS users, the mechanism required victims to download a complicated bypass system. This made it possible to get around the security systems on the victims’ devices, so as to be able to access their wallets.

How fraud is evolving

In 2022, the activities continued to improve with the discovery of methods capable of bypassing app store verification procedures so that fraudulent apps could be published on the Apple App Store and Google Play Store. That was also the year in which a new fraudulent mechanism emerged: fake pools for cryptocurrency trading (liquidity mining). In 2023 Sophos X-Ops discovered two “pig slaughter” operations, one based in Hong Kong and the other in Cambodia. The fraudsters used legitimate cryptocurrency trading apps, creating false personal profiles with which to lure victims and steal millions of dollars from them. Further investigation found that these gangs had also added AI to their arsenals.

The debut of turnkey kits

In late 2023, Sophos X-Ops then detected a massive liquidity mining operation conducted by three separate Chinese criminal gangs involving nearly 100 victims. While investigating how this operation works, Sophos X-Ops first came across turnkey kits for sha zhu pan scams. In the most recently analyzed scams, bad actors have eliminated any previous technological barriers and reduced the social engineering activities needed to target victims.

Cybercriminals are converting to the as-a-service business model

In variants based on DeFi deposit accounts, victims are drawn into fraudulent cryptocurrency trading through the use of legitimate, well-known apps, giving fraudsters (even if unknowingly) direct access to their personal wallets. Criminals also manage to hide the wallet network that launders the stolen cryptocurrencies, making the work of law enforcement agencies who want to trace the perpetrators of the thefts much more complex.

Increasingly convincing criminals

Sean Gallagher, Principal Threat Researcher at Sophos
“Scams based on DeFi deposit accounts represent the climax of two years of perfecting the methods used by the gangs dedicated to sha zhu pan. Gone are the days when bad guys had to be able to convince their victims to download some strange app or transfer their cryptocurrencies to a new digital wallet that would soon disappear. Fraudsters have also learned to better market their schemes by taking advantage of the way liquidity mining pools work.

So they can steal funds and tell their victims that it is simply an investment account. Often this claim is more convincing, since most people do not understand the technicalities of cryptocurrency trading and trust it if the entire operation is conducted under the umbrella of well-known brands. In other words, it has never been easier than today to fall victim to sha zhu pan scams. Which means it’s never been more important to be aware of the existence of these patterns. And know what to pay attention to.”

Tips to avoid becoming “slaughter pigs”

Don’t trust strangers who want to get in touch through text or social media, particularly if they then try to quickly move the conversation to a private messenger like WhatsApp. This also applies to new profiles recommended on dating applications, especially if the person you just met starts talking about cryptocurrency trading.

Never believe in any initiative to get rich without effort, or in cryptocurrency investment opportunities that promise earnings in short periods of time.

Familiarize yourself with the tactics of romance scams and those based on fake investments. Non-profit organizations such as Cybercrime Support Network offer useful resources for this purpose.

Anyone who thinks they are a victim of a sha zhu pan scam should reverse any amounts deposited into suspicious wallets and report what happened to the police.
