Over the past year, we’ve had the unfortunate need to warn our readers not once, but twice, about a scam we’ve dubbed CryptoRom, a portmanteau word formed from the terms “Cryptocurrency” and “Romance scam”.
Simply put, these scammers use a variety of techniques, notably including prowling on dating sites, to meet people online, form a friendship…
…not with the intention of drawing their victims into a “we’ve fallen in love, now send money” romance scam, but instead to earn their trust and lure them into bogus investments “managed” via fraudulent mobile phone apps.
Intriguingly, the crooks even target iPhone users, despite the fact that ripoff financial apps are difficult to sneak into Apple’s App Store, and Apple doesn’t allow its users to download apps from anywhere else.
Sadly, and ironically, the CryptoRom gangs have turned Apple’s strictness into a sort of sales schpiel: if anyone and everyone could download their “investment” apps, that would spoil the exclusivity, so the apps are only available by invitation, directly from the “investment” group.
SophosLabs has tracked these criminals using Apple’s business and developer toolkits to bypass the App Store, using systems such as Apple’s Enterprise Provisioning system, which allows phones directly managed by a business to install proprietary apps:
The crooks have also used Apple’s development tool TestFlight, where unreleased apps can be provided for a limited time to invited, consenting partcipants:
As an aside that we can’t bring ourselves not to mention: the Sophos researchers who wrote the two papers referenced above won the prestigious 2022 Péter Szőr Award, presented at the annual Virus Bulletin conference for the best technical research of the year.
Winning your trust
Obviously, this means buying into a scammer’s instructions not merely to install an app you’ve never heard of, but to do so by essentially committing your entire device to their control, either via Enterprise Provisioning or by enrolling in a development process that would normally only be recommended for devices dedicated to coding and testing.
That’s why the scammers win your trust first, for example by befriending you via a dating site, so that you’re willing to accept what sounds like an obvious technical risk.
The crooks parlay the curious installation process into what sounds like an online privilege: the unusual way of acquiring the app is pitched as a way to join an exciting online investment vehicle that isn’t available via Apple precisely because it’s financial dynamite that’s not available to just anyone!
The “romance” in a CryptoRom scam isn’t tugging at your heart strings, but at your wallet strings.
You can probably imagine how the scam plays out from here.
A carefully concocted pack of lies
The app looks and behaves like a legitimate investment product, hooked up directly to an online web backend that processes deposits, calculates growth, allows deposits, displays real-time graphs…
…all presented with branding that is typically dolled up to look like an official, well-regulated service or stock exchange.
But the app, the “exchange” that backs it, the logos, the branding, and the enticingly upward direction of your account balance are all completely bogus.
In five words, the entire thing is a carefully concocted pack of lies.
Your initial investment shows up right away; the crooks may even offer to “boost” your account with a loan or a staking bonus, which might sound too good to be true but will nevertheless show up in your “account” as promised.
The crooks may even allow you to make withdrawals at first, to build trust and confidence.
This is a common ploy in so-called Ponzi or pyramid schemes – in truth, of course, the scammers are merely giving you some of your own money back.
But they then quickly show your account surging, inviting you to imagine how much more you could be making if only you’d re-deposit your recent withdrawal, and perhaps whack some more on top of that as well.
Heck, why not borrow from your friends and family (but don’t let them in on the whole story or they’ll all want to join in, eh?) and double, triple, quadruple all that money as well?
And that’s not all…
Sadly, that’s not all, because there’s a sting in the tail, too.
When you try to withdraw your “funds”, there’s suddenly a government witholding tax, usually of 20%, on the funds you want to access – something that’s admittedly not unusual in countries with investment charges such as Capital Gains Tax.
Except that it’s not a witholding tax at all, as you might at first expect (that’s where the government’s cut is simply deducted, or witheld, from the amount you want to withdraw, and the rest comes to you).
The crooks tell you that the funds are frozen for regulatory reasons, so they can’t be used to offset the amount you “owe”.
You have to pay the amount first, in a transaction of its own, in order unfreeze the funds before they can be withdrawn in a second transaction.
The crooks will typically pile on the pressure here, warning that you risk losing everything in your “account”, both your own money that you’ve paid in already, and the “capital gains” you think you’ve accumulated.
As the SophosLabs researchers explain, if the crooks think that they genuinely can’t squeeze you for the entire 20%, because they’ve almost bled you dry already, they’ll even pretend to “help” by rallying together their “friends” to lend you some of the money you need to get your “investment” out, until they really have drained you for every drop:
The theory, of course, is that after you’ve paid the 20% “tax”, you will get access to 100% of the “balance” in your account, leaving plenty of funds on hand not only to pay off the loans that made it all possible, but also to cash out to your own considerable advantage.
Tragically, this is a made-up example of how scams like this typically unfold:
Action "Balance" Amount at stake "Cashout" deductions --------------------------------- --------- ------------------ -------------------- $10,000 paid in + $30,000 "loan" -> $ 40,000 YOUR STAKE $10,000 DEDUCT $30,000 Your graph shows you are doing well! Synthetic 2x boost in value -> $ 80,000 YOUR STAKE $10,000 DEDUCT $30,000 What if it's all phoney? Withdraw $5000 as "test of truth" -> $ 75,000 YOUR STAKE $ 5,000 DEDUCT $30,000 Big growth event coming, crooks go on a charm offensive, tell you to invest more! Pay the $5000 withdrawal back in, add $10,000 on top, plus another $20,000 "loan" -> $111,000 YOUR STAKE $20,000 DEDUCT $50,000 Synthetic 3x boost in value -> $ 333,000 YOUR STAKE $20,000 DEDUCT $50,000 Woo-hoo! Time to cash out! 20% "unfreezing" tax comes to $66,600 Crooks realise you genuinely can't come up with that much, but figure you can squeeze some money out by hitting up friends, etc. for $20,000 if they "offer" to find $46,000. You pay $20,000 + $46,600 "loan" -> $ 333,000 YOUR STAKE $40,000 DEDUCT $96,000 After withdrawal and "paying back" the $96,000, you will be still be left with $237,000, which gives you a "profit" of $197,000 after deducting your outgoings of $40,000! Withdraw $333,000 less "loans" -> GAME OVER. INSERT MORE COINS TO RESUME GAME.
The sting in the tail of the tail
Even worse, there’s even a sting in the tail of the tail.
Once you realise you’ve been scammed, you may miraculously be contacted by someone who sympathises with your plight (perhaps it recently happened to them?) and knows just the service for you…
We all know that cryptocoins, by design, are largely unregulated, pseudo-anonymous, and anywhere from hard to almost impossible to trace and recover.
Yet we also know that cryptocoin recoveries do sometimes happen, occasionally in astonishing amounts and after lengthy periods, like the fund recovered from wannabe rap star Crocodile Of Wall Street and her husband, or from Silk Road cryptorobber James Zhong, who hid $3 billion in bitcoins in a popcorn tin for almost a decade:
Sadly, if you go down the “recovery service” rabbit hole, you will just be pouring yet more good money after bad, and your overall losses will be even more catastrophic.
Hot on the trail
Here’s some good news to follow the bad: the US Department of Justice (DOJ) is taking on at least one group of CryptoRom scammers.
The DOJ refers to this sort of scam as “pig butchering”, which is a metaphor apparently chosen by the scammers themselves to mock their victims: in Chinese, the technique is known as 杀猪盘 (sha zhu pan), something we’d probably refer to as a “chopping block” in English, but that literally translates as “pork butchering plate”.
In a report this week, the DOJ describes a takedown of seven CryptoRom-related web domains that it alleges were used over a period of at least four months (May to Augut 2022) to rip off at least five victims in the US alone. (We assume there were numerous victims from other countries, but the DOJ report relates to victims in its juridiction.)
The domains were rigged up to look like web pages of an official Singapore financial exchange, and allegedly helped in conning victims out of over $10,000,000.
This follows a DOJ action last month in which 11 people were arrested in connection with these “chopping block” attacks and charged with with ripping off more than 200 people in the US of close to $18,000,000.
The 11 defendants were also charged with acting as money laundering “mules”, who illegally passed more than $52,000,000 through bank accounts opened up using forged or stolen identity documents, receiving a percentage of the amount laundered in payment.
As we’ve mentioned before, money laundering services of this sort are widely used by cybercriminals to exfiltrate illicit deposits out of the banking system before the fraud gets spotted and the bogus transactions get frozen or reversed.
Business Email Compromise (BEC) scammers, for instance, operate by tricking companies into paying invoices (they typically focus on high-value sums, sometimes into the millions of pounds or dollars) into the wrong bank account.
From there, they use the assistance of “money mules” to get those misdirected funds withdrawn from the banking system before the deception can be prevented:
What to do?
- Take your time when online talk turns from romance, love, or even plain friendship, to money. Don’t be swayed by the fact that your new “friend” happens to have a lot in common with you, and don’t let yourself be mesmerised by their “investment advice”. It’s easy for scammers to pitch themselves as kindred spirits if they’ve studied at your social networking or dating site profiles in advance.
Never give administrative control over your phone to someone with no genuine reason to have it. Never click
[Trust]on a dialog that asks you to enrol in remote management unless it’s from someone you already have an employment contract with, the conditions have been clearly explained to you in advance, and you understand and accept the business reasons for enrolling your phone.
- Don’t be deceived by messaging inside the app itself. Don’t let by icons, graphs, names and text messages inside an app trick you into assuming it has the credibility it claims. (If I show you a picture of a pot of gold, that doesn’t mean I own a pot of gold.)
- Listen openly to your friends and family if they try to warn you. Online scammers think nothing of deliberately setting you against your family as part of their scams. They may even “counsel” you not to let your friends and family in on your “secret”, pitching their investment proposal as something exclusive: a good fit for you, but not open to just anyone. Don’t let the scammers drive a wedge between you and your family as well as between you and your money.
LEARN MORE ABOUT RELATIONSHIP SCAMS: