Gallagher found that the website the scammers were using to distribute their malicious apps was set up to impersonate a real Japanese financial company and had a .com domain. It was even visible on Google as one of the top results, Gallagher says, so victims could find it if they attempted to do some basic research. “To someone who isn’t particularly knowledgeable about these things, that part would be pretty convincing,” Gallagher says.
The attackers, who Sophos suspects are based in Hong Kong, developed Windows, Android, and iOS apps off of a legitimate trading service from a Russian software company. Known as MetaTrader 4, Sophos researchers have seen past examples of the platform being misused and abused for fraud. As part of joining the platform, victims had to disclose personal details including tax identification numbers and photos of government identification documents, then start moving cash into their account.
As is often the case in a wide range of scams, the attackers were distributing their iOS app using a compromised certificate for Apple’s enterprise device management program. Sophos researchers have recently found pig butchering-related apps that skirted Apple’s defenses to sneak into the company’s official App Store, though.
The second scam Gallagher followed appears to have been run by a Chinese crime syndicate out of Cambodia. The tech for the scheme was less sleek and impressive but still expansive. The group ran a fake Android and iOS cryptocurrency trading app that impersonated the legitimate market tracking service TradingView. But the scheme had a much more developed and sophisticated social engineering arm to lure victims in and make them feel like they had a real relationship with the scammer suggesting that they invest money.
“It starts off, ‘Hey Jane are you still in Boston?’ so I messaged back, ‘Sorry, wrong number,’ and we had a standard exchange from there,” Gallagher says. The conversation started on SMS and then moved to Telegram.
The persona claimed to be a Malaysian woman living in Vancouver, British Columbia. She said that she ran a wine business and sent a photo of herself standing next to a bar, though the bar was mostly stocked with liquor, not wine. Gallagher was eventually able to identify the bar in the photo as one in the Rosewood Hotel in the Cambodian capital, Phnom Penh.
When asked, Gallagher once again said that he was a cybersecurity threat researcher, but the scammer was not deterred. He added that his company had an office in Vancouver and repeatedly tried to suggest meeting in person. The scammers were committed to the ruse, though, and Gallagher received a few audio and video messages from the woman in the photo. Eventually he even video chatted with her.
“Her English skills were pretty good, she was in a very nondescript location, it looked like a room with acoustic wall pads, kind of like an office or conference room,” Gallagher says. “She told me she was at home, and our conversation quickly steered toward whether I was going to be doing the high-frequency crypto trading with them.”
Cryptocurrency wallets associated with the scam took in roughly $500,000 in a single month from victims, according to Sophos’ monitoring.
The researchers reported their findings on both scams to the relevant cryptocurrency platforms, tech companies, and global cybersecurity response teams, but both operations are still active and were able to continually establish new infrastructure when their apps or wallets got taken down.
Sophos is redacting all images of people from both scams in its reports, because pig butchering attacks are often staffed using forced labor, and participants may be working against their will. Gallagher says that the most sinister thing about the attacks is how their evolution and growth means more forced labor on top of more devastated and financially ruined victims. As law enforcement agencies around the world scramble to counter the threat, though, in-depth details of the mechanics of the schemes show how they work and how slippery and adaptive they can be.