Disclaimer: This is an active scam and is pending review by federal law enforcement. Due to the nature of this case, some details have been modified and/or hidden to protect the victim’s identity (including the victim’s name and scammer’s alias) and the sanctity of the investigation which is underway. The victim has given zeroShadow authorization to discuss and report on their case to help educate and protect other potential victims from falling victim to this scam.
This article was split into two parts - one to help victims of scams like this one and the second to show what zeroShadow is able to do to help combat this activity.
Background
In Part 1 of this story, we went into the painful story of how Arjun was socially manipulated by “Kareena” to invest $500,000 worth of primarily USDT on the Ethereum blockchain. Now, in Part 2, we will identify what clues exist on and off-chain to identify the scammers’ true identities.
Following the funds
We can see that funds were on average withdrawn from Arjun’s fake DeFi Wallet account to one of the scammer’s addresses within 2.5 hours of his deposit. So, while Arjun’s wallet looked like he had a high balance on the website, the scammers were already moving those funds through the laundering process.
Arjun’s funds quickly consolidated with other victims’ funds in the scammer addresses. One scammer address, for example, received 3.74M USDT in a 30-day window in Spring 2024. Many of the received funds can be traced back to centralized exchanges, where we know the scammers told victims to open accounts. Tracing backward also showed at least $386,000 USD coming from known scammer addresses reported by other blockchain analytics companies working with other victims.
The scammed funds were ultimately sent to non-US-based centralized exchanges where we would expect that the funds were converted into fiat currency (orange hexagons on the Chainalysis Investigations graph below). While many accounts were newly created for this specific scam, zeroShadow identified that one of the accounts has existed since June 2022 and received over 140 deposits.
How can we recover funds?
The two main ways to try to recover Arjun’s lost investments are to block a centralized exchange account while it still holds a balance, or to freeze USDT held in a scammer wallet. Timing is critical for this step - sometimes the window is just a few hours to block an address before it is emptied to the next one. Proving the source of funds can also be a challenge for freezes. Since it is unlikely that every single victim reports their crime, it can be harder for blockchain analysts to prove that 100% of the funds in a scammer address are illicit, and it is up to the centralized service whether it will act on the partial information it receives.
Website clues
The website Kareena provided to Arjun was publicrealm[.]pro. This domain was designed to mimic a legitimate cryptocurrency trading platform, deceiving users into connecting their wallets and ultimately stealing their funds.
Fake Crypto Wallet Interface
The landing page of this domain uses images associated with the reputable cryptocurrency wallet and trading platform Crypto.com. The site loads a specific JavaScript file “app.1722964668000.js” which drives the site’s appearance and functionality.
The site’s menu included standard features expected in a cryptocurrency trading platform, further enhancing its credibility.
Wallet Connection Exploit
One particularly concerning feature was the wallet connection option. While legitimate platforms offer this to enable trading, malicious sites like this one use it to gain access to users' wallets and siphon off their cryptocurrency.
Use of External Platforms for Social Engineering
What’s particularly intriguing about this scam is how the attackers used Freshworks.com, a legitimate business messaging platform, to further their scheme. By exploiting Freshworks’ free tier, the scammers were able to engage directly with their victims, guiding them through the complex process of connecting their wallets to the fraudulent site.
These scams often prey on individuals who are less familiar with cryptocurrency, taking advantage of their lack of knowledge. While this can make it easier to deceive them into connecting to fake websites, it can also create obstacles if the process becomes too technical. To overcome this, the attackers cleverly employed real-time communication tools, such as chatbots provided by Freshworks, to assist victims step-by-step through the more complicated parts of the scam, ensuring the deception was as smooth and convincing as possible.
Tracking the Threat Actor’s Footprint
Though publicrealm[.]pro was taken offline before our investigation, a scan from the website analysis tool urlscan.io provided valuable insights. We discovered that the same JavaScript file, app.1722964668000.js, was used across multiple domains, including publicrealm[.]cc, publicrealm[.]best, and several tradeledger domains (.cab, .top, .cc, .bio). This suggests a coordinated effort by the threat actors to maintain a network of phishing sites.
Additionally, some URLs were disguised as legitimate Coinbase.com website links and redirected users to publicrealm[.]click, tricking them into believing they were interacting with the trusted Coinbase platform.
Observations on Domain Activity
All identified publicrealm and tradeledger domains were registered with NameSilo and hosted on Cloudflare. Most of these domains are still active for now, which is typical of new scam domains: they tend to have short life cycles, being used until they are reported and taken down.
A recent complaint filed with the DFPI (Department of Financial Protection and Innovation) further underscores the malicious nature of publicrealm[.]pro. Note that this was filed for a separate victim than Arjun.
Key Indicators of a Scam
New Domains - newly registered, untested domains are often red flags. Scam domains are typically short-lived.
Multiple Domains - the creation of several domains with similar names across various top-level domains (TLDs) is a strategy used by scammers to stay ahead of shutdowns. Legitimate companies might also buy multiple TLDs, but they usually redirect traffic to a primary site (e.g., google.net redirects to google.com). Scammers, however, use these domains to host identical malicious content across all of them.
By understanding these tactics, users can better protect themselves against phishing scams and avoid falling victim to sophisticated cryptocurrency-related fraud.
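The two indicators above, combined with the urlscan.io pivot on the shared app.1722964668000.js file described earlier, can be turned into a small triage script. The Python below is an added example and not zeroShadow’s own tooling; the records are constructed to mirror the domains named in this article, and the first-seen ages and the two benign domains are invented for contrast.

```python
from collections import defaultdict

# Constructed sample records shaped like a urlscan.io pivot result:
# (domain, script path the page loads, days since the domain was first seen).
# The script name is the one reported above; the ages are invented.
RECORDS = [
    ("publicrealm.pro",  "/app.1722964668000.js", 12),
    ("publicrealm.cc",   "/app.1722964668000.js", 9),
    ("publicrealm.best", "/app.1722964668000.js", 7),
    ("tradeledger.cab",  "/app.1722964668000.js", 5),
    ("tradeledger.top",  "/app.1722964668000.js", 5),
    ("example-bank.com", "/static/main.js",       4000),
    ("google.net",       "/redirect.js",          9000),
]

def base_label(domain):
    """Second-level label, e.g. 'publicrealm' for 'publicrealm.pro'.
    Assumes a plain <label>.<tld> shape; multi-part suffixes such as
    .co.uk would need a public-suffix list."""
    return domain.lower().rstrip(".").split(".")[-2]

def cluster_by_asset(records):
    """Domains grouped by the script they load (the urlscan.io pivot)."""
    groups = defaultdict(set)
    for domain, script, _age in records:
        groups[script].add(domain)
    return groups

def cluster_by_label(records):
    """TLDs seen per second-level label (publicrealm -> {pro, cc, best})."""
    groups = defaultdict(set)
    for domain, _script, _age in records:
        groups[base_label(domain)].add(domain.lower().split(".")[-1])
    return groups

def flag_domains(records, max_age_days=90, min_shared=2):
    """Return {domain: [reasons]} for domains matching the indicators above."""
    by_asset, by_label = cluster_by_asset(records), cluster_by_label(records)
    flags = {}
    for domain, script, age in records:
        reasons = []
        if age <= max_age_days:
            reasons.append("new domain (%d days old)" % age)
        if len(by_asset[script]) >= min_shared:
            reasons.append("shares %s with %d other domains" % (script, len(by_asset[script]) - 1))
        tlds = by_label[base_label(domain)]
        if len(tlds) >= min_shared:
            reasons.append("label %s seen on %d TLDs" % (base_label(domain), len(tlds)))
        if reasons:
            flags[domain] = reasons
    return flags
```

On the constructed records every publicrealm and tradeledger entry is flagged on all three indicators, while the two long-lived single-TLD domains are not.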
What can zeroShadow do to stop a Pig Butchering Scam?
If you have fallen victim to a cryptocurrency scam or know someone who has, please consider the following steps:
Report all known addresses and transactions to zeroShadow.
zeroShadow will label the scammer addresses in blockchain analysis tools to raise awareness of the scam, and follow where the stolen funds have gone.
Provide the details on the scam, including any websites you opened, apps you downloaded, and conversations you had.
We can get the website blocked across many wallet providers and analyze domains to uncover the greater scam ecosystem.
Include information on your jurisdiction (region and country you live).
zeroShadow will guide you through filing a complaint. Since jurisdiction matters for law enforcement, getting this right will help speed up the investigation process.
Original article by the zeroShadow team