Huge Surge in Fake Investment Platforms Mimic Forex Exchanges Steal Logins

Fraudulent investment platforms impersonating cryptocurrency and forex exchanges have emerged as the predominant method used by financially motivated cybercriminals to defraud victims across Asia and beyond.

These sophisticated scam operations deploy advanced social engineering tactics to manipulate victims into transferring funds to attacker-controlled systems that masquerade as legitimate trading platforms.

The threat landscape has evolved significantly from isolated cybercriminal activities to highly organized, cross-border operations with structured hierarchies and specialized roles.

These schemes no longer target single geographic regions but instead operate internationally, utilizing complex infrastructure networks to sustain prolonged campaigns against unsuspecting investors.

Recent law enforcement actions have highlighted the massive scale of these operations.

In August 2025, Vietnamese authorities arrested 20 individuals connected to the billion-dollar Paynet Coin crypto scam, charging them with multi-level marketing violations and asset misappropriation.

Victim manipulation flow from initial contact to fund extraction (Source – Group-IB)

While this particular case represents just one facet of the broader threat landscape, it demonstrates the transnational reach and financial impact of modern investment fraud campaigns.

Group-IB analysts identified a sophisticated victim manipulation framework that consistently appears across these fraudulent platforms.

The research reveals that threat actors employ a multi-stage approach beginning with initial contact through social media platforms including Zalo, Facebook, TikTok, and messaging applications such as Telegram and WhatsApp.

Scammers present themselves as successful investors or financial experts, using carefully crafted personas and forged credentials to establish trust with potential victims.

The deception extends beyond simple impersonation tactics. When victims display hesitation or skepticism, operators introduce additional “bait” personas, including fake fellow investors, friends, or support staff who engage directly with targets to simulate genuine platform activity and reinforce the illusion of legitimacy.

Advanced Infrastructure and Technical Sophistication

These fraudulent platforms operate on shared backend infrastructure rather than isolated throwaway websites.

The technical analysis reveals recurring API endpoints, SSL certificate reuse, and common administrative interfaces across multiple scam domains.

Group-IB researchers noted cross-domain HTTP requests during controlled browsing sessions, with captured traffic showing requests to API subdomains using paths such as /user/info, /index/tickers, and /index/init.

The infrastructure investigation uncovered exposed administrative panels reachable through subdomains that follow predictable naming patterns, such as the adn. and api. prefixes.

These control interfaces, often presented in Simplified Chinese, feature standard login fields and integration with popular Chinese platforms including Tencent QQ, WeChat, and Weibo.

Source code analysis revealed the use of lightweight UI frameworks such as Layui, commonly employed in dashboard and administrative panel development.
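One defender-side way to turn these infrastructure traits into a triage check, as an added example that is not from the Group-IB research or this article: the script below scores registered domains seen in proxy-log lines by how many of the reported API paths they serve and whether they expose adn./api. hosts, then pivots on shared TLS certificates to surface domains on a common backend. The log format, hostnames and certificate IDs are constructed; a hit is a lead for analyst review, not proof of fraud.

```python
import re
from collections import defaultdict

# Indicators reported in the article: characteristic API paths and control-panel prefixes.
SCAM_API_PATHS = {"/user/info", "/index/tickers", "/index/init"}
PANEL_PREFIXES = ("adn.", "api.")

# Constructed proxy log lines (hostnames and cert IDs are placeholders, not real indicators).
LOG_LINES = """
2025-09-01T10:00:01Z host=api.example-trade-a.test path=/index/init cert=CERT_AAA
2025-09-01T10:00:02Z host=api.example-trade-a.test path=/index/tickers cert=CERT_AAA
2025-09-01T10:00:05Z host=api.example-trade-b.test path=/user/info cert=CERT_AAA
2025-09-01T10:00:06Z host=api.example-trade-b.test path=/index/init cert=CERT_AAA
2025-09-01T10:01:00Z host=adn.example-trade-b.test path=/login cert=CERT_AAA
2025-09-01T10:02:00Z host=www.legit-news.test path=/index/init cert=CERT_BBB
2025-09-01T10:02:10Z host=cdn.legit-news.test path=/assets/app.js cert=CERT_BBB
""".strip().splitlines()
LINE_RE = re.compile(r"host=(?P<host>\S+) path=(?P<path>\S+) cert=(?P<cert>\S+)")

def registered_domain(host):
    # Crude eTLD+1 (last two labels); fine for the sample, use a PSL library in production.
    return ".".join(host.split(".")[-2:])

def score_domains(lines, min_paths=2):
    """Per registered domain: indicator paths seen, certs, panel-style hosts, and a flag
    that requires >= min_paths indicator paths AND at least one adn./api. host."""
    stats = defaultdict(lambda: {"paths": set(), "certs": set(), "panel_hosts": set()})
    for m in filter(None, map(LINE_RE.search, lines)):  # skip lines that don't match
        host, path, cert = m.group("host", "path", "cert")
        d = stats[registered_domain(host)]
        if path in SCAM_API_PATHS:
            d["paths"].add(path)
        d["certs"].add(cert)
        if host.startswith(PANEL_PREFIXES):
            d["panel_hosts"].add(host)
    for d in stats.values():
        d["flagged"] = len(d["paths"]) >= min_paths and bool(d["panel_hosts"])
    return dict(stats)

def cert_clusters(stats):
    """Group flagged domains that share a TLS certificate: the shared-backend pivot."""
    by_cert = defaultdict(set)
    for domain, d in stats.items():
        for cert in d["certs"] if d["flagged"] else ():
            by_cert[cert].add(domain)
    return {c: sorted(ds) for c, ds in by_cert.items() if len(ds) > 1}

if __name__ == "__main__":
    print(cert_clusters(score_domains(LOG_LINES)))
```

Certificate reuse alone is common on shared hosting, so the cluster step only considers domains that already passed the path-plus-panel check.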

An organization chart depicting a Multi-Actor Fraud Network (Source – Group-IB)

Chat-based onboarding systems represent another layer of technical sophistication. Instead of direct registration forms, many platforms load chatbot interfaces powered by third-party services like Meiqia.

These chatbots serve multiple functions including access control, trust reinforcement, and payment instruction delivery.

When victims select deposit functions, the platform redirects them to chatbot windows that provide specific bank account details or cryptocurrency wallet addresses.

Backend payload analysis of these chatbot systems exposes configuration data, registered email addresses, and system-level parameters.

HTTP request traces show API calls to external chatbot infrastructure, while payload inspection reveals Chinese-language system messages and queue notifications not visible in the frontend interface.

The technical infrastructure also includes auxiliary components such as chat simulation tools designed to fabricate convincing conversation screenshots.

These web-based messaging simulators mimic popular platforms and include configurable message metadata, timestamps, and delivery status indicators to create fabricated social proof for victim persuasion.
