Exposing Bitcoin Investment Scam
This article gives a deeper understanding of a Pig Butchering Bitcoin scam that I and a law enforcement agency have traced.
This article is tied to another article on my Medium and ResearchGate, so I recommend reading that one first before looking into this one.
Let’s start with the result: we managed to trace the scammers to Hong Kong, China. The scammer goes by the name Yuan. While we were trying to identify the scammer, we assumed they were based in the United States because the US phone numbers used on their sites were legitimate, but we later recognized that those numbers belong to money mules in the United States working for the scammers in China.
I was provided with an open-source intelligence report by Taiwo Owolabi (a Nigerian federal law enforcement agent) which clarified some phone numbers and domain information involved in various cyber-crimes. The following two phone numbers were identified in the course of his investigation, and both are tied to the scam website: +1 (469) 732-8264 and +1 (706) 201-8212. They both belong to Indians based in the United States. Further investigation of the emails linked to the second phone number revealed some fascinating information in the popular OSINT tool “Intelligence X”. Check the image below for further clarification:
We can see from this screenshot that it is registered to an SMS service, which is quite suspicious because scammers use such services to carry out scams. Nonetheless, the malware analysis that was performed shows that this scam is run entirely from China; we can also see this from the domain registration information, shown below for all of their app domains, their DNS resolver domain and even their main domain:
We see that the domains are registered in China with a domain host based in Singapore. This is likely a bulletproof host, which means it does not act on requests to suspend domains that violate the DMCA (Digital Millennium Copyright Act), making the domains usable for illegal activities without any issues.
We can further see here that the domains are connected to each other, and that the CNAME record pointing to the shared DNS resolver domain carries a name that appears to belong to a person in China: Yuan. These are basic OpSec mistakes, especially since they serve DNS from their own server.
We further see that the website the DNS is served from does not really have any content on it, and that the site is actually tunneled through Cloudflare:
This further proves that the site is just a domain used for DNS resolution: they created their own DNS server through the site to host their actual scam, leaving their real name (Yuan) visible in the DNS records connected to the site.
To show further what is behind the site, note that the app domain is also connected to this domain, and that the domain itself is hosted by the same provider in Asia:
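The pivot used above (the CNAME and the shared DNS resolver domain tying the app, main and resolver domains together, plus the Cloudflare fronting of the resolver site) can be automated. The following Python is an added example, not code from the article or the investigation; the domain records are constructed placeholders, and the infrastructure clustering and the Cloudflare nameserver check are general techniques rather than anything specific to this scam.

```python
from collections import defaultdict

# Constructed sample records, roughly what dig and WHOIS return per domain.
# Placeholder names only; not the real infrastructure discussed in the article.
SAMPLE_RECORDS = {
    "app-site.example": {"cname": ["dns.resolver-site.example"], "ns": ["ns1.resolver-site.example"], "registrar": ["HOST-A"]},
    "main-site.example": {"cname": [], "ns": ["ns1.resolver-site.example"], "registrar": ["HOST-A"]},
    "resolver-site.example": {"cname": [], "ns": ["ava.ns.cloudflare.com"], "registrar": ["HOST-A"]},
    "other-site.example": {"cname": [], "ns": ["ns1.other-host.example"], "registrar": ["HOST-B"]},
}

def parent_domains(fqdn, known):
    """Domains in `known` that `fqdn` sits under (ns1.x.example -> x.example)."""
    fqdn = fqdn.lower().rstrip(".")
    return {d for d in known if fqdn == d or fqdn.endswith("." + d)}

def link_domains(records):
    """Undirected graph: an edge per shared NS/registrar value and per CNAME/NS target under another known domain."""
    edges = defaultdict(set)
    by_value = defaultdict(set)
    for domain, rec in records.items():
        for kind in ("ns", "registrar"):
            for value in rec[kind]:
                by_value[(kind, value.lower())].add(domain)
        for target in rec["cname"] + rec["ns"]:  # e.g. a CNAME into the resolver domain
            for owner in parent_domains(target, records) - {domain}:
                edges[domain].add(owner)
                edges[owner].add(domain)
    for group in by_value.values():  # every domain sharing one value is linked
        for member in group:
            edges[member] |= group - {member}
    return edges

def clusters(records):
    """Connected components: each is a set of domains on shared infrastructure."""
    edges, unseen, result = link_domains(records), set(records), []
    while unseen:
        component, stack = set(), [unseen.pop()]
        while stack:
            domain = stack.pop()
            if domain not in component:
                component.add(domain)
                stack.extend(edges[domain])
        unseen -= component
        result.append(component)
    return result

def fronted_by_cloudflare(records, domain):
    """Cloudflare-hosted zones use <name>.ns.cloudflare.com nameservers, which hides the origin host."""
    return any(ns.lower().rstrip(".").endswith(".ns.cloudflare.com") for ns in records[domain]["ns"])
```

On the constructed records, the app, main and resolver domains fall into one cluster while the unrelated domain stays alone, and only the resolver domain is flagged as Cloudflare-fronted.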
To further prove that the domain host is based in Asia and that it is bulletproof, we can show this from the domain host’s own website:
Also, the fact that they accept digital currency further proves that this domain provider is indeed a bulletproof provider. The country code +65, tied to the number on the site, is Singapore, a country in Asia, and China is in Asia as well, so it is no coincidence that this Pig Butchering scam originated there; we also have a video from the scambaiter PleasantGreen baiting a Pig Butchering scammer from Asia, which is presented at the end of this report:
Conclusion:
This OSINT report should raise awareness of scammers from Asian countries using money mules in the United States. It should also help people avoid falling for this kind of scam and encourage further investigation of the situation. You can learn more about Pig Butchering scams from scambaiter PleasantGreen’s (Benjamin Taylor, aka Benjamin Dover) video here; he also managed to bait an Asian scammer.