#shazhupan

2025-10-24

When your "privacy browser" comes with a built-in surveillance suite, it's probably not about privacy. Our latest research, in collaboration with UNODC, exposes Vault Viper. You might recognize them as "Baoying Group". They are running one of Asia's largest iGaming networks, BBIN, servicing scam centres and cyber-enabled fraud networks across the region.

At the center is the Universe Browser, promoted as a "privacy" and "anti-censorship" tool for illegal online gambling. In reality, it's a high-risk surveillance and exploitation platform designed to bypass detections, proxy access, and maintain persistent access across what we estimate to be millions of devices.

DNS analysis from Infoblox reveals tens of thousands of domains tied to Vault Viper's vast infrastructure, exposing a unique DNS fingerprint and operational control over their own corner of the internet.

But the story does not end here: BBIN is linked to dozens of commercial ventures - they even had their own airline!

👉 Read the full report here: blogs.infoblox.com/threat-inte

👉 We spoke to Wired to explain how cybercrime evolved: wired.com/story/universe-brows

#CyberThreatIntel #Infoblox #DNS #VaultViper #riskware #Cybercrime #SoutheastAsia #threatintel #threatintelligence #cybersecurity #infosec #infobloxthreatintel #scam #tds #shazhupan #pigbutchering #malware

2025-10-10

Pig butchering scams - also called sha zhu pan - have gained a lot of attention over the last few years. People know these investment scams are connected to human trafficking, but it is less recognized how they relate to illegal gambling and offshore shell companies.

All of this fuels a massive criminal economy.

Thankfully, long-con scam operations on the internet often leave a strong DNS fingerprint. This enables us to connect physically identified scam compounds to domains - it's always the DNS! ;)

blogs.infoblox.com/threat-inte

#dns #threatintelligence #shazhupan #crypto #cybersecurity #threatintel #pigbutchering #scam #infoblox

2024-05-29

This would be fun, if I didn't know that the person on the other end is most likely not a willing grifter, but someone enslaved by the actual grifters.

#shazhupan

This is a screenshot of an SMS conversation between me and a (probably enslaved) person running the other side of a Sha Zhu Pan grift.

Grifter: Hi
Me: Hi, how's your pig?
Grifter: Hi John how are you doing today, do you still live in Vancouver?
Me: No, I live in Montreal, getting pigs ready for the slaughter. Takes some time, of course, but you want to get every last bit of pork before it turns!

Rob Carlson :ally: :BLM: vees@epistolary.org
2024-02-27

Days since last sha zhu pan direct message scammer on Mastodon: 0

#shazhupan #scam #spam

Sean Gallagher :verified: 🐀 :donor: thepacketrat@infosec.exchange
2023-10-26

A short update on #pigbutchering #shazhupan #cryptoscammers #cryptoscamhongkong : I have seen increased use of T-Mobile and Telefonica prepaid wireless numbers used for WhatsApp accounts operated by scammers. A victim in Poland was contacted by a person claiming to be from China but in Germany, using a Hong Kong carrier number. They switched to a German Telefonica number, and "VIP Support" operated a US T-Mobile numbered account.

2023-08-02

Sophos X-Ops has uncovered new insights into the evolving tactics deployed by pig butchering scammers.

X-Ops encountered a #shazhupan #pigbutchering ring that is using generative text AI chat to communicate with its targets. Sophos’ @jag_chandra also found multiple additional fake crypto apps used by these rings that got past Apple and Google App Store review.

Sean Gallagher :verified: 🐀 :donor: thepacketrat@infosec.exchange
2023-02-09

Headed home from Team Cymru’s RISE-USA event a touch early because of travel weirdness. A full report on my talk (slightly redacted from TLP:Amber stuff I presented) posts on Monday, just before Valentine's Day. Appropriately, given the content. #shazhupan #PigButchering

Sean Gallagher :verified: 🐀 :donor: thepacketrat@infosec.exchange
2022-11-28

The #shazhupan scammer mentioned earlier.

Sean Gallagher :verified: 🐀 :donor: thepacketrat@infosec.exchange
2022-11-28

#shazhupan #cryptoscams #scambaiting #emptiness

Today, I got a video call on Telegram from my scammer. She is the person, or at least is visually very close to, the person in all the photos I've been getting. It was clear from the white background and other factors that she was in an office, probably in a booth designed for such calls. She mostly wanted to talk about whether I had downloaded the wallet and if I was ready for her to "teach" me how to invest.

I sent fake screenshots showing I had bought 2200 USDT (I bought 2 to get the proper layout for the balance screen). After it was done, I had the wallet addresses associated with this particular scam, and finally had the last of my IoCs. But I felt emotionally void. What a life these scammers must lead.

I cannot tell from demeanor whether the scammer is one of those who have had their passports taken away by the gangs that run these scams in Cambodia or if she was an entrepreneur. Her English was good and not accented, and did not match the English usage of some of the chat messages, so I have some indication that this is a farm operation.

I will say that it appears at least one of the wallets involved in this scam, which is only a month or so old, has had $1.8 m worth of crypto flow through it. So there are still a lot of people falling for these scams. More to come as I get my report ready for publication.
