Sophos released new findings on CryptoRom scams—a subset of pig butchering schemes designed to trick users of dating apps into making fake cryptocurrency investments. Since May, Sophos X-Ops has observed CryptoRom fraudsters refining their techniques, including adding an AI chat tool, like ChatGPT, to their toolset. Scammers also expanded their coercion tactics by telling victims their crypto accounts were hacked and more upfront money is needed.
Researchers also discovered that scammers were able to sneak seven new fake cryptocurrency investment apps into the official Apple App and Google Play stores, widening the pool of potential victims.
Investment fraud on the rise
In 2022, investment fraud caused the highest losses of any scam reported by the public to the FBI’s IC3, totaling $3.31 billion. Frauds involving cryptocurrency, including pig butchering, represented most of these scams, increasing 183% from 2021 to $2.57 billion in reported losses last year.
Researchers first learned of CryptoRom scammers using the AI chat tool — most likely ChatGPT — when a conned victim contacted the team. After contacting the victim on Tandem, a language-sharing app that has also been used as a dating app, the scammer convinced the victim to move their conversation to WhatsApp. The victim became suspicious after he received a lengthy message that was partly written by an AI chat tool using a large language model (LLM).
“Since OpenAI announced the release of ChatGPT, there has been broad speculation that cybercriminals may use the program for their own malicious activities. We can now say that, at least in the case of pig butchering scams, this is happening,” said Sean Gallagher, principal threat researcher, Sophos.
“One of the main challenges for fraudsters with CryptoRom scams is carrying out convincing, sustained conversations of a romantic nature with targets; these conversations are mostly written by ‘keyboarders,’ who are primarily based out of Asia and have a language barrier. Using something like ChatGPT can be a more efficient and effective way to keep these conversations going, making the scams less labor-intensive and more authentic. It also enables keyboarders to simultaneously engage with multiple victims at one time,” Gallagher added.
Extorting additional money
Sophos X-Ops also uncovered a new scammer tactic designed to extort additional money. Traditionally, when victims of CryptoRom scams attempt to cash in on their “profits,” fraudsters will tell them they need to pay a 20% tax on their funds before completing any withdrawals.
However, a recent victim revealed that after paying the “tax” to withdraw money, the fraudsters said the funds had been “hacked” and that the victim would need to pay another 20% deposit before receiving the funds.
Fake cryptocurrency investment apps
Upon further investigation, researchers found seven fake cryptocurrency investment apps in the official Google Play and Apple App stores. These apps have seemingly benign descriptions in the app stores. However, users face a fake crypto-trading interface when they open the app.
To get past the Apple App Store review process, the app developers use the same technique Sophos first reported on in February 2023. They submit the app for approval using legitimate, run-of-the-mill web content. Then, once the app has been approved and published, they modify the server hosting the app with code for the fraudulent interface.
Many of these seven new apps recycled the same templates and descriptions, suggesting that the same one or two pig butchering rings are behind the scheme.
“Prior to being able to get their apps into the Apple Store, CryptoRom fraudsters had to use an awkward technical workaround to target iOS users, which could alert their victims that something was amiss. Now, it’s much easier for them to target iPhone users, expanding their victim pool. These apps are also easy to recycle and reuse. While we’ve alerted Google and Apple to these latest apps, it’s likely more will pop up,” concluded Gallagher.