New Threat Intelligence confirms connections underpinning pig butchering and investment scams
Much like companies in the legitimate economy, criminals also specialize: focusing on their core strengths and using third-party Software-as-a-Service platforms and tools to outsource the rest of the business or criminal infrastructure needed. These Crime-as-a-Service providers continue to evolve, from bulletproof hosting to Phishing-as-a-Service (PhaaS).
New threat intelligence from Netcraft has uncovered the connections in the underlying financial infrastructure supporting fraud networks around the globe. This includes insights exposing centralized Mule-as-a-Service (MaaS) providers being used by seemingly unconnected threat actors around the globe to launder their scam proceeds through money mule bank accounts.
Examining the connections between the underlying cyber and financial infrastructure reveals a rich and interconnected network of mule accounts held at local and global banks, phone numbers, crypto addresses, payment app accounts, and email addresses being used to commit fraud. These connections not only give a mechanism to aid in identifying threat actors, but also new opportunities to disrupt crime groups involved in pig butchering, romance scams, and widespread, complex cyber-enabled fraud.
Netcraft’s Conversational Scam Intelligence (CSI) platform brings together Netcraft’s unique threat intelligence and generative AI to engage with threat actors in long-form peer-to-peer conversations at scale. These private conversations can last over a year and span hundreds of messages. Interactions with threat actors also serve as foundational data, used by Netcraft researchers to connect seemingly disparate scams to expose criminal actors around the globe.
Netcraft researchers recently explored the Darcula Phishing-as-a-Service network, and insight suggests that similar providers exist for money mule accounts at banks globally, from the smallest credit unions to the largest banking giants. Definitive evidence has been limited about the inner workings of criminal mule account networks, including the existence of underlying “as a service” groups. Among the earliest and most accessible forms of public evidence are mule recruitment campaigns on social media platforms, which Netcraft researchers have monitored for some time. These campaigns offer the promise of making some fast cash, with little to no effort.
Figure 1 – Social Media ads recruiting potential mules for criminal exploits.
Using the data gathered from real-life scams conducted by Netcraft’s generative AI personas, Netcraft’s research team has mapped the connections in the data linking scams with the ultimate money transfer mechanisms used to cash out. In the following examples we’ve mapped different elements of criminal infrastructure (email addresses, mule account numbers, crypto wallet addresses, phone numbers) uncovered by Netcraft.
These nodes are aligned to the conversation where they were shared. For example, a text message conversation containing a phone number would connect a 💬 conversation node to 📞 a phone number node.
As a simple example, Netcraft classified this inbound, unsolicited email as Advance Fee Fraud:
Figure 2 – This email, identified through Netcraft’s threat intelligence, was used to initiate an AI-powered dialogue with the scammer. To protect the integrity of the data, the email has been slightly altered and identifiable information redacted.
Figure 3 – The email conversation in figure 2 is depicted by “💬” in the bottom right of the infrastructure network shown here. The conversation exposed the simple but connected infrastructure network visualized above.
This simple example consists of 17 messages from the threat actor and 10 replies from Netcraft over the course of approximately one month. In that time we were able to expose the following infrastructure and fraud network connection points:
This simple example demonstrates how Netcraft can effectively map the infrastructure powering threat actor campaigns, providing a much deeper picture of the underlying criminal operation.
Figure 4 – Multiple conversations can be tied to the same threat actor based on their shared reliance on a single piece of infrastructure (in this case a phone number).
In other cases like the one above, seemingly disconnected conversations can be attributed to the same threat actor (an individual or a wider group). See the following analysis that links these conversations:
In this case, the cluster allows us to conclude that nine mule accounts and 19 email addresses are in use by the same threat actor to defraud the customers of at least two separate financial institutions.
While some infrastructure is spread out with small clusters, this region shows scammer infrastructure that is quite densely connected. Seen here are dozens of bank accounts, emails and phone numbers, likely all being used by the same group of scammers:
Figure 5 – A subsection of a wide network of highly connected scammer infrastructure.
Figure 6 – An even larger network of interconnected scammer infrastructure.
Mapping relationships between scammer infrastructure can uncover weak points in scam campaigns. In figure 6 we see how dozens of investment scam emails and conversations hinge on a single UK-based phone number.
Figure 7 – An investment scam campaign reliant on a single phone number exposing a single point weakness in this threat actor’s infrastructure, which when taken down could cause significant disruption for the criminal.
In this group, we see a bank account referenced by at least 23 different email addresses being used for fraud. This bank account was first seen four months ago and was last seen as recently as four hours before the time of writing. Clusters of this form could indicate a fraud operation which is heavily dependent on a single payment account.
Figure 8 – 23 emails across 23 conversations engaged in by the Conversational Scam Intelligence system that all point back to the same bank account.
Zooming out, we can observe that the two bank accounts we have just analyzed have been referenced in the same conversation:
Figure 9 – The two highly-connected bank accounts in the above images are connected by a conversation which references both.
Inspecting that conversation further gives more clues as to the origin of this operation. The following cluster suggests that distinct fraud groups share the same mule accounts:
Figure 10 – This network shows seemingly disconnected operations that appear to be sharing mule accounts, indicating that the mules are operated by Mule-as-a-Service providers.
At the top of this section of the network, multiple pieces of information indicate that the fraudsters are operating from Benin, including the use of +229 phone numbers.
However, at the bottom we see a network of related infrastructure that revolves around Spain-based phone numbers, like a +34 Xfera Moviles mobile number, or a different +34 Vozelia Telecom fixed number.
The unifying factor between these seemingly distinct operations is a single Italian mule bank account.
Given that these operations appear independently in two countries separated by thousands of miles, their use of a shared bank account suggests that they are not ultimately in control of the mule.Instead, they are making use of centralized Mule-as-a-Service providers in charge of receiving and sending on defrauded funds.
Losses to investment scams, romance fraud, and pig butchering reached $4.6 billion in the United States – a 38% increase in 2023. These scams are very often conducted in private peer-to-peer conversations and the ability to stop the scam often comes too late.
Studying the connections between threat actors and centralized Mule-as-a-Service providers provide a unique opportunity to both understand and ultimately deeply disrupt criminal payment networks powering scams, pig butchering, cyber-enabled fraud, and more.
By identifying and disrupting weaknesses in financial infrastructure, like those shown here, security leaders are now able to proactively find and interrupt mule account activity, block payments to known mule accounts outside their institution, stop payments to criminal crypto wallets, and deploy countermeasures against the greatest points of vulnerability, thus crippling criminal infrastructure and protecting their clients.
For almost three decades, the Netcraft team has been developing and using innovative, proprietary solutions to expose,disrupt, and eradicate criminal activity. Netcraft’s Conversational Scam Intelligence, recently announced at RSA ‘24, now provides the data and insight needed to expose, map, and disrupt these scams at any scale.
Connect with Netcraft’s expert team to see how we can help you. Request more information on Conversational Scam Intelligence here.