Pig butchering scam with AI support


CryptoRom scammers are adding AI chat tools like ChatGPT and invented crypto account hacks to their toolbox. In its new report, Sophos explains the "pig butchering" scam. In addition, seven new fake apps for crypto investments have been successfully smuggled into the official stores.

Sophos today published new insights into CryptoRom scams. These are a subgroup of the so-called "pig butchering" (shā zhū pán) scams, which aim to trick dating app users into investing in fake cryptocurrency funds.

AI tools refine attack techniques

The report released today, “Sha Zhu Pan Scam Uses ChatGPT to Target iPhone and Android Users,” details the new tactics. Since May, Sophos X-Ops has been watching scammers refine their techniques by adding an AI chat tool such as ChatGPT to their toolbox. The criminals' intimidation tactics have also been expanded: victims are told that their crypto accounts have been hacked and that more money is now needed. Additionally, Sophos X-Ops has discovered that scammers have smuggled seven new fake cryptocurrency investing apps into the official Apple App Store and Google Play Store, further increasing the number of potential victims.

$3.31 billion investment fraud

In 2022, investment fraud caused the highest losses of all fraud cases reported by the public to the FBI's Internet Crime Complaint Center (IC3), totaling $3.31 billion. Cryptocurrency-related scams, including so-called "pig butchering," accounted for the majority of these scams, with reported losses rising 183% from 2021 to $2.57 billion last year.

Sophos X-Ops first learned about CryptoRom scammers using an AI chat tool, most likely ChatGPT, when a concerned victim contacted the team. After contacting the victim through the “Tandem” app, an app that connects language learners with native speakers and is also used as a dating app, the scammer convinced the victim to continue the conversation on WhatsApp. The victim became suspicious on receiving a lengthy message that had apparently been written in part by an AI chat tool using a large language model (LLM).

ChatGPT for romantic chat in foreign languages

“Ever since OpenAI announced the release of ChatGPT, there has been widespread speculation that cyber criminals might use the program for their own malicious activities. We can now say that, at least in the case of 'pig butchering' scams, this is indeed happening. One of the main challenges faced by CryptoRom scam scammers is to have compelling and sustained romantic conversations with their targets. These calls are mainly conducted by 'keyboard players' who are primarily based in Asia and have a language barrier. Using a tool like ChatGPT can be a more efficient and effective way to keep those conversations going, making the scams less labor intensive and more authentic. It also allows the 'keyboardists' to interact with multiple victims at the same time,” said Sean Gallagher, principal threat researcher at Sophos.

Invented hacks on crypto accounts

Sophos X-Ops has also discovered a new tactic that scammers use to extort additional money. Traditionally, when victims of CryptoRom scams attempt to claim their "winnings," the scammers inform them that they must pay a 20% tax on their funds before withdrawals can be made. However, a victim recently revealed that after paying the "taxes" to withdraw the money, the scammers now claimed that the funds had been "hacked" and that a further deposit of 20% of the sum was required for a withdrawal.

Seven new fake apps in the official stores

Upon further investigation, Sophos X-Ops discovered seven fake cryptocurrency investing apps on the official Google Play Store and Apple App Store. These apps have seemingly innocuous descriptions in the app stores (for example, BerryX claims it has something to do with reading). However, once the users open the app, they are faced with a fake crypto trading interface.

To bypass the Apple App Store review process, the app developers use the same technique that Sophos first reported on in February 2023. They submit the app for approval using legitimate, everyday web content. Once the app is approved and published, they modify the server hosting the app with deceptive interface code.

Many of these seven new apps use identical templates and descriptions, suggesting that the same one or two scam rings developed the scam.

iOS and Android: Users should remain suspicious

“Before the CryptoRom scammers were able to get their apps onto the Apple Store, they had to use a cumbersome technical solution to target iOS users, which could alert their victims. Now it is much easier for them to target iPhone users, which expands their victim group. These apps are also easy to recycle and reuse. In fact, the BerryX app appears to be related to the fake apps we detected and blocked earlier this year.

While we've notified Google and Apple of these latest apps, it's likely more will emerge. These scammers are ruthless. Today they claim to victims that their accounts were hacked to extort more money, but in the future they are likely to develop new methods of extortion. The best defense against pig butchering is awareness of these scam campaigns. We encourage users who are suspicious or who believe they have been victimized to contact us,” Gallagher said.
