EXECUTIVE SUMMARY
Researchers uncovered a large cryptocurrency investment scam ecosystem that merges malvertising with pig butchering style social engineering into a single hybrid fraud model. The activity heavily targeted users across Asia, particularly in Japan, where unusual domain activity first triggered investigation. Advertisements impersonating financial experts or promoting advanced investment AI tools served as the initial lure. Rather than directing victims straight to fraudulent trading platforms, the ads redirected them to intermediary websites designed to transition users into legitimate messaging applications. Inside these chat environments, personas posing as experts or assistants maintained constant engagement, sharing fabricated success stories, offering incentives, and gradually encouraging larger financial commitments. Victims were eventually instructed to pay a final “release fee” tied to nonexistent profits. DNS expansion revealed more than 23,000 related domains, many generated through bulk registration techniques that enabled rapid scaling and rotation. Consistent website structures, overlapping advertising identifiers, and similar engagement workflows suggested a shared framework or kit used across multiple campaigns.
The analysis pivoted from the initial suspicious domain cluster to a broader infrastructure mapping effort. Investigators identified thousands of additional domains, many created using registered domain generation algorithms and bulk API registrations. These domains exhibited identifiable naming patterns, including random character strings and dictionary-based lookalike variations designed to appear credible. Lookalike domains often remained active longer, while randomly generated ones were rotated more frequently, indicating a deliberate balance between credibility and disposability. Clustering based on registrar usage, name server records, hosting providers, autonomous system numbers, and advertiser tracking identifiers revealed more than 100 distinct but interconnected infrastructure groupings. The campaigns relied heavily on specific top-level domains such as .sbs, .icu, .top, .click, and .buzz, each associated with targeted geographic audiences including Japan, South Korea, the United States, and several European and Asian regions. Monthly registration patterns showed sustained growth with periodic spikes aligned with intensified campaign activity. Across these clusters, lure websites shared nearly identical layouts and workflows, reinforcing the likelihood of a common site-generation framework.
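The pivoting described above (grouping domains by shared name servers, hosting ASN and advertiser tracking identifiers, then labelling each name as random-looking or a dictionary lookalike) can be reproduced as a small analytic over registration records. The following is an added example, not code from the report or the researchers; every domain, registrar, name server, ASN, advertiser ID and brand keyword in it is a constructed sample value, not an indicator from the investigation. Registrar is carried in the records but deliberately not used as a join key, since a single large registrar would merge unrelated clusters; the `noisy` argument plays the same role for shared hosting ASNs.

```python
"""Cluster constructed domain-registration records into infrastructure groups
and label each domain's naming pattern (random string vs brand lookalike).

Added illustration of the clustering approach the report describes. All values
below are constructed sample data, not indicators from the report.
"""
from collections import defaultdict

# Hypothetical brand/keyword dictionary a defender might maintain for lookalike
# detection (constructed; not taken from the report).
BRAND_WORDS = ["investpro", "tradeai", "wealthhub"]

# Constructed registration records. Keys mirror the pivot attributes the report
# used: registrar, name server, hosting ASN and advertiser tracking identifier.
RECORDS = [
    {"domain": "x7k2q9m.sbs",      "registrar": "RegA", "ns": "ns1.hosta.example", "asn": "AS64501", "ad_id": "G-AAA111"},
    {"domain": "investpr0.icu",    "registrar": "RegA", "ns": "ns1.hosta.example", "asn": "AS64502", "ad_id": "G-AAA111"},
    {"domain": "tradea1.top",      "registrar": "RegB", "ns": "ns2.hostb.example", "asn": "AS64502", "ad_id": None},
    {"domain": "k3j9x2v1.click",   "registrar": "RegC", "ns": "ns3.hostc.example", "asn": "AS64503", "ad_id": "G-CCC333"},
    {"domain": "wealthhab.buzz",   "registrar": "RegC", "ns": "ns4.hostc.example", "asn": "AS64503", "ad_id": None},
    {"domain": "quiz-portal.buzz", "registrar": "RegD", "ns": "ns9.other.example", "asn": "AS64509", "ad_id": None},
]


def levenshtein(a, b):
    """Edit distance between two strings (standard dynamic-programming form)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def label_name(domain, brands=BRAND_WORDS):
    """Label the second-level label as 'lookalike', 'random' or 'other'."""
    sld = domain.split(".")[0].lower()
    compact = sld.replace("-", "")
    # Lookalike: within two edits of a known keyword, but not the keyword itself.
    for brand in brands:
        if compact != brand and levenshtein(compact, brand) <= 2:
            return "lookalike"
    # Random-looking: digits mixed in and almost no vowels among the letters.
    letters = [c for c in compact if c.isalpha()]
    digits = sum(c.isdigit() for c in compact)
    vowel_ratio = sum(c in "aeiou" for c in letters) / max(len(letters), 1)
    if digits >= 2 and vowel_ratio < 0.2:
        return "random"
    return "other"


def cluster_domains(records, pivot_keys=("ns", "asn", "ad_id"), noisy=frozenset()):
    """Union-find clustering: domains sharing any pivot value join one group.

    `noisy` holds pivot values too common to be meaningful (e.g. a CDN's ASN);
    they are skipped so they do not collapse unrelated clusters together.
    """
    parent = {r["domain"]: r["domain"] for r in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    index = defaultdict(list)
    for r in records:
        for key in pivot_keys:
            value = r.get(key)
            if value and value not in noisy:
                index[(key, value)].append(r["domain"])
    for members in index.values():
        for other in members[1:]:
            union(members[0], other)

    groups = defaultdict(set)
    for d in parent:
        groups[find(d)].add(d)
    return sorted(groups.values(), key=lambda g: (-len(g), min(g)))


def summarize(records, noisy=frozenset()):
    """Per-cluster view: member domains, TLDs in use and naming-pattern counts."""
    out = []
    for group in cluster_domains(records, noisy=noisy):
        labels = defaultdict(int)
        for d in group:
            labels[label_name(d)] += 1
        out.append({
            "domains": sorted(group),
            "tlds": sorted({d.rsplit(".", 1)[1] for d in group}),
            "labels": dict(labels),
        })
    return out


if __name__ == "__main__":
    for i, cluster in enumerate(summarize(RECORDS), 1):
        print(f"cluster {i}: {cluster}")
```

On the constructed records the ASN pivot chains `tradea1.top` into the first group even though it shares no name server or advertiser ID with it; passing that ASN in `noisy` splits it back out, which is the judgement call an analyst makes when a hosting ASN turns out to be shared infrastructure rather than an attacker-controlled pivot.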
Further engagement with the scam ecosystem revealed that once victims entered messaging applications, the fraud unfolded through structured and highly consistent interaction flows. Users were first greeted by an impersonated expert, then redirected to assistants and group chats where fabricated students reinforced legitimacy. Messages included investment prompts, staged trading discussions, reward-based point systems, and continuous encouragement to share screenshots or deposit funds. The speed, timing, and multilingual continuity of responses strongly suggested AI-driven or automated chatbot systems rather than human-only operators. Victims were initially guided to make small investments through legitimate platforms to build trust before being encouraged to transfer funds directly. Fabricated profit dashboards created the illusion of success, followed by escalating deposit requests and ultimately a final withdrawal fee. By the time victims recognized the deception, funds were unrecoverable. Although early activity focused heavily on Japan and other parts of Asia, the infrastructure now supports English, German, and Spanish language targeting, indicating global expansion.
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-Technique |
| --- | --- | --- | --- |
| Resource Development | T1583.001 | Acquire Infrastructure | Domains |
| Resource Development | T1583.006 | Acquire Infrastructure | Web Services |
| Resource Development | T1587.001 | Develop Capabilities | Malware |
| Initial Access | T1566.002 | Phishing | Spearphishing Link |
| Initial Access | T1189 | Drive-by Compromise | — |
| Defense Evasion | T1036.005 | Masquerading | Match Legitimate Name or Location |
| Defense Evasion | T1027 | Obfuscated Files or Information | — |
| Credential Access | T1114 | Email Collection | — |
| Collection | T1056.003 | Input Capture | Web Portal Capture |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
| Command and Control | T1102.002 | Web Service | Bidirectional Communication |
| Impact | T1657 | Financial Theft | — |
REFERENCES:
The following reports contain further technical details: