Over the years, I’ve encountered scams both directly (LinkedIn fraud, Sponsored Scams) and indirectly (Who Viewed My Profile?), which has motivated me to document these attempts in blog posts to raise awareness among those around me. There have been times when friends, family, and colleagues have sent me scam warnings, and I’ve done my best to share these (Instagram Scammers) whenever possible. Now, I’m here once again to expose a new scam attempt.
As I shared on my Twitter in June 2022, this particular scam began with a message from a protected Twitter account named Anna on June 14, 2022. The conversation started with Anna mentioning how long it had been since we last spoke. After she had collected the fake details I gave her (my name, Mark; my location, a Belgian living in Turkey; and my occupation, CFO of a FinTech company), the discussion quickly shifted to topics such as where I invest my money and the decline in Bitcoin’s value at that time.
I paused the conversation and decided to investigate the true identity behind the photo on Anna’s profile, suspecting it was fake. To do this, I utilized the Visual Search feature of the Yandex search engine, which revealed that the profile picture actually belonged to a Chinese individual named Shasha Zhao. Upon further inspection of the photos shared on Shasha’s profile, I found the exact same photo used on Anna’s profile.
Anna, who initially stated she lived in Singapore and was the founder of a garment import and export trading company, asked to move our conversation to WhatsApp and provided a US phone number (+19295654212). When I questioned her about using a US number, she altered her story, claiming she was in the US for business purposes. To grab my attention, she then mentioned making a profit of about $715,000 from a crypto investment of $300,000. I told her that I was contemplating an investment of $500,000 to observe her methods for quickly generating profit.
After expressing that I considered her to be a skilled investor and wanted to invest with her, she told me I needed to use the MonexCrypto platform for short-term investments. She then instructed me to visit the website https://app[.]monexcrypto[.]net, download the mobile app, and register.
I visited the website to download the mobile app, and when I checked the source code of the webpage, I discovered that both an Android (update.apk) and an iOS version of the app were available. After uploading the Android version to VirusTotal and Pithus, a mobile threat intelligence platform, and reviewing the somewhat suspicious results, I decided to conduct a thorough examination of the iOS version of the app.
Upon discovering that the mobileprovision file, which allows third-party applications to run on the iOS operating system, was stored on GitHub, I proceeded to check the details of the developer/company (QuanLi Network Technology Co., Ltd. (SRD7J8LLBV)) registered in the Apple Developer Program.
I examined the app.mobileconfig XML file, which contains payloads that load settings and authorization information onto Apple devices. When I ran the file in the Simulator application within Xcode, I discovered that it was a Web Clip (WebClip) that directs to the https://www.monexcrypto.net webpage and is signed by a developer named Gang Dai.
Web clips are icons on the device Home screen that link to a website or URL. They can also launch full-screen web apps and run offline using HTML5 local storage. Configuration profiles can include web clips with custom titles and icons, and some may even be nonremovable. Web clips are sometimes used to direct users to specific websites, such as for educational purposes. For more information on configuring web clips, refer to the WebClip profile page in the Apple Developer documentation.
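To make the Web Clip check concrete, here is an added Python example (not code from the post) that parses a constructed, unsigned Web Clip profile with the standard library's plistlib, pulls out where the clip points and whether the user can remove it, and refuses CMS-signed profiles, which must be unwrapped first (for example with `openssl smime -verify -noverify -inform DER -in app.mobileconfig`). The sample profile, its label and its URL are placeholders, not the MonexCrypto file.

```python
import plistlib

# Constructed sample of a Web Clip configuration profile (not the post's
# app.mobileconfig); the label and target URL are placeholders.
SAMPLE_MOBILECONFIG = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadRemovalDisallowed</key><true/>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.webClip.managed</string>
      <key>Label</key><string>Example Exchange</string>
      <key>URL</key><string>https://app.example.invalid</string>
      <key>IsRemovable</key><false/>
      <key>FullScreen</key><true/>
    </dict>
  </array>
</dict>
</plist>
"""

def is_cms_signed(data: bytes) -> bool:
    """A signed .mobileconfig is a DER-encoded CMS (PKCS#7) wrapper, which
    starts with an ASN.1 SEQUENCE tag (0x30) instead of XML text."""
    return data[:1] == b"\x30"

def extract_web_clips(data: bytes) -> list:
    """Return every Web Clip payload in an unsigned profile with the fields that matter for triage."""
    if is_cms_signed(data):
        raise ValueError("profile is CMS-signed; extract the inner plist first")
    profile = plistlib.loads(data)
    clips = []
    for p in profile.get("PayloadContent", []):
        if p.get("PayloadType") != "com.apple.webClip.managed":
            continue
        clips.append({"label": p.get("Label"), "url": p.get("URL"),
                      "removable": p.get("IsRemovable", True),
                      "full_screen": p.get("FullScreen", False),
                      "profile_locked": profile.get("PayloadRemovalDisallowed", False)})
    return clips

def triage_flags(clip: dict) -> list:
    """Properties a reviewer would call out before trusting such a profile."""
    checks = [
        (not str(clip["url"]).startswith("https://"), "non-https target"),
        (not clip["removable"], "non-removable web clip"),
        (clip["full_screen"], "full-screen mode hides the address bar"),
        (clip["profile_locked"], "profile removal disallowed"),
    ]
    return [msg for hit, msg in checks if hit]
```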
When I tried to register on the website, the registration form required an Organization Code. The scammers probably added this code to the form to keep cyber security researchers and/or cyber security vendors from reaching the page and collecting information, and it had worked until then. Whenever I told Anna that I was having issues with the app installation, she kindly did everything she could to help me, screenshots included. So I decided to ask Anna for help one more time, this time in finding out the organization code. 🙂
When I asked Anna for the organization code, she initially responded with Chinese words (likely because she was using a Chinese-English translation service). Shortly afterward, she provided me with the code (768919) that I needed to enter into the registration form.
After successfully registering and navigating the website through the Web Clip, I encountered pages and menus related to real-time market tracking, depositing funds into a wallet, withdrawing money, and similar features.
On June 28, 2022, Anna, sensing she was close to successfully scamming me, started providing instructions on how to transfer cryptocurrency (USDT) from a cryptocurrency exchange called Binance to my wallet.
Curious to determine the country Anna was actually communicating from, I started thinking of methods to uncover her IP address. Despite the “Cyber Security Researcher” background on my Twitter profile, Anna had persisted with her scam attempt for 15 days, suggesting a lack of attention to Operations Security (OPSEC).
To test this, I hosted the screenshots I shared with her on my website and tracked her activity using the Bitly URL shortening service. Without hesitation, Anna clicked on the three Bitly links I provided. Through SOCRadar’s IOC Radar, I identified her IP address as 45.204.66.140, which was traced to Hong Kong.
As I continued to browse the MonexCrypto website, I decided to check whether the Bitcoin and Ethereum wallet addresses shown to me were unique to me or the same for everyone who joined the platform. If the addresses belong to the scammers and the same addresses are shown to every person (victim) who joins, the scammers can simply collect the cryptocurrency their victims deposit. My research into this revealed the following:
On June 28, 2022, when I checked my Bitcoin wallet address (3QX2Csna3FEbXD9PxhgEXL36qAfYXWSwQU) on the Blockchain.com website, I saw that the wallet had been created on June 6, 2022, and that between then and September 29, 2022, $55,618.73 worth of Bitcoin had been transferred to it and then withdrawn.
On the same date, when I checked my Ethereum wallet address (0xF88997e493C08874d9e0D485463386ABf0EBe6bf) in the same place, I saw that this wallet had been created on June 26, 2022, and that between then and November 23, 2022, ~$839,000 worth of Ethereum and USDT had been transferred to it.
Again on the same date, checking my USDC wallet address (0xcfddf006ec9f4af5bf34a6f71af41655fb7d4167), I saw that this wallet had been created on June 17, 2022, and that between then and August 16, 2022, ~$46,000 worth of Ethereum and USDT had been transferred to it.
Disclaimer: I would like to emphasize that I am neither an IRS agent nor a Blockchain expert capable of tracing end-to-end cryptocurrency transfers as described in the book Tracers in the Dark: The Global Hunt for the Crime Lords of Cryptocurrency. Please excuse any potential errors. 🙂
From the time I registered on the MonexCrypto website on June 26, 2022, until January 29, 2023, I logged into the platform about 5 times to check my wallet addresses, and I noticed that they changed each time. This led me to conclude that the wallet addresses were not uniquely generated for each user, but were rather the scammers’ own wallet addresses, which they rotated at regular intervals. After compiling a list of these wallet addresses and tracking the transfers made to them, I estimated that the scammers had stolen approximately $3 million worth of cryptocurrency.
As it happens, on July 18th, 2022, while I was still attempting to unmask Anna, the FBI issued a warning about fraudulent activities involving fake crypto exchanges/investment apps like MonexCrypto. According to the warning, around $42.7 million worth of cryptocurrency had been stolen from 244 people globally. By that point, I had already figured out how $3 million of it was stolen. 🙂
In 2021, the FBI’s Internet Crime Complaint Center received over 4,300 reports related to pig butchering scams, amounting to losses of more than $429 million. Later, in November, the US Department of Justice announced that it had seized seven domain names used in pig butchering scams in 2022. (Source: Wired)
Anna, who had exhausted every tactic to deceive me from June 14th to July 6th, 2022, began sending messages full of complaints starting on July 6th. I ended our conversation with a smile, informing Anna of the FBI’s warning on August 1st, 2022. 🙂
It appears that Anna continued to ensnare new victims without slowing down in the following months. She evidently kept succeeding: according to records on the SOCRadar Cyber Threat Intelligence platform flagged as harvested by stealer malware, some users’ passwords were stolen while they visited the monexcrypto.net site on September 5th, 2022.
By October, the Monex Group had issued a warning that the monexcrypto.net site and two further websites were using the group’s logos without authorization.
In the end, we have a detailed picture of how Anna and her fellow scammers ran the Pig Butchering Scam, a well-orchestrated fraudulent scheme, and how they accumulated millions of dollars in stolen funds, with the apps being distributed not only through third-party websites but also through the Apple App Store and Google Play Store.
The Pig Butchering scam is named after the practice of fattening a pig for slaughter. In this case, scammers build a relationship with their victim online before persuading them to send money or invest in high-yield cryptocurrency accounts.
I strongly urge you to share this article with your friends and loved ones to raise awareness about security risks. I hope to see you in future articles.