Chainalysis report: Crypto scams are shifting from Ponzi schemes to pig butchering

Source: Chainalysis; Compilation: Deng Tong, Bitchain Vision

This article is part 2 of the 2024 Crypto Crime Mid-Year Report published by Chainalysis. For part 1, see “Chainalysis Report: Why stolen funds and ransomware continue to increase.”

Summary

CSAM Network

  • Reports on CSAM websites in China have increased since the end of 2023.

  • Most wallet holders are purchasing access for a month or more, including up to about 20,000 days (equivalent to over 54 years) of nearly permanent access.

  • Consistent with our past findings, CSAM suppliers continue to use instant exchangers when cashing out.

Scams

  • Scammers are adjusting their on-chain and off-chain strategies for shorter but more dynamic and profitable scams.

  • Pig butchering is by far the largest revenue-generating type of scam this year. A Myanmar fraud gang first seen on-chain in 2022 has netted at least $101.22 million so far this year.

  • Most scammers continue to move from broad Ponzi schemes to more targeted activities such as pig butchering, work-from-home scams, drainer theft scams (Bitchain Vision Note: A drainer is malware designed to illegally clear, or “empty,” a cryptocurrency wallet. It is rented out by its developers, meaning that anyone can pay to use the malicious tool.) or address poisoning.

Huione Guarantee

  • We have observed an increase in the use of Chinese marketplaces and money laundering networks. Huione Guarantee is one such marketplace. It is associated with the Cambodian conglomerate Huione Group and connects buyers and sellers who rarely conceal the illegal nature of their transactions.

  • Huione Guarantee has processed over $49 billion in cryptocurrency transactions since 2021, far exceeding previously reported amounts.

  • Huione’s on-chain counterparties include pig butchering and other scams, addresses reported as holding stolen funds, the OFAC-sanctioned Russian exchange Garantex, fraud shops, CSAM, Chinese gambling websites and casinos, and more.

In the first part of our mid-year crime update, we discussed trends related to ransomware and stolen funds. While total illegal on-chain activity has dropped by nearly 20% so far this year (YTD), inflows of stolen funds have nearly doubled, and annual ransomware payments are expected to reach the highest single-year amount ever.

In the second half of our update, we will look at on-chain activity related to the distribution and consumption of Child Sexual Abuse Materials (CSAM), including on-chain analysis of payments received by two CSAM vendors and what these amounts indicate.

Next, we will look at the latest trends in cryptocurrency scams. On-chain and off-chain activity indicates that scammers are adjusting their strategies, running campaigns that are shorter but more profitable and that regenerate quickly. We will discuss a noteworthy fraud group, the highest-earning group in 2024 so far, which highlights the trend in recent years from carefully designed Ponzi schemes to more targeted activities such as pig butchering.

“Pig butchering” is so called because criminals “fatten up” their victims in order to extract as much as possible from them. This usually involves building a romantic relationship with the victim via text messages or dating apps until they force the victim to send money to fake investment opportunities. Chillingly, the scammers on the other end of these conversations are often people who have been kidnapped, trafficked to Southeast Asia and forced to work in large labor compounds running pig butchering scams.

Finally, we take a look at Huione Guarantee, a $49 billion marketplace that was recently exposed as facilitating cybercrime, including CSAM and pig butchering. Let’s get started.

CSAM in China shows signs of growth

Reports on Chinese CSAM suppliers have increased since the end of last year. The following figure shows the share of all CSAM activity attributable to suppliers that price in RMB versus other currencies. These websites provide RMB exchange rates for cryptocurrency payments. Since the end of 2023, Chinese suppliers have accounted for a larger share of global CSAM inflows, peaking so far in the first quarter of this year at 38.8% of total inflows.

According to the Internet Watch Foundation (IWF), an organization dedicated to stopping online sexual abuse of children, it is difficult to determine why these networks are developing in China. “We’re seeing an increase in reports on such sites,” said an IWF spokesperson. “Based on reporting channels alone, it is difficult to say clearly whether there are emerging trends or whether these websites have been around for some time but have not been reported to the authorities.” While the websites themselves may have existed for some time without the public noticing, the on-chain infrastructure of these services is relatively new: the oldest Chinese wallets date back to July 18, 2023, and most other addresses date from the end of 2023. At least from an on-chain perspective, the time frames of these wallets suggest that these services are emerging and represent a real trend, probably more than just the product of new reporting channels.

On-chain inspection of Chinese CSAM suppliers

Beyond the numbers, we cannot quantify the harm caused by child sexual abuse worldwide. Because the material can be redistributed, even small purchases of a few dozen dollars (as shown in the Chainalysis Investigations chart below) can lead to long-term exploitation of children.

The network shown above includes two suspected CSAM suppliers selling material priced in RMB. Comparing transfers from personal wallets to the suppliers against the subscription rates on the vendors’ websites indicates what kind of access each buyer is purchasing. As mentioned, buyers can get one day’s access to CSAM material from these suppliers for just $5. They can also buy almost permanent access for just $41 (about 20,000 days, or more than 54 years). In this example, most wallet holders purchased access for a month or more. As for the CSAM vendors, they used instant exchangers when cashing out, which is consistent with our reports earlier this year.

Scammers adapt on-chain and off-chain strategies; large-scale pig butchering operations persist

With billions of dollars in inflows, cryptocurrency-related scams have continued to grow in 2024, making them one of the largest areas of illegal activity so far this year. The most prominent feature of this year’s scam landscape is the rapid evolution of scammers’ on-chain footprints (the crypto wallets and addresses used to collect payments from victims) and of the off-chain tools they use to manipulate victims, such as domain names and social media accounts. This activity reveals how scammers are adapting both on-chain and off-chain to run shorter, more destructive scams. To avoid being discovered and shut down, many such operations regenerate or maintain many smaller, simultaneous campaigns to keep the larger organized fraud groups running.

A prominent feature of the 2024 scam landscape is how much of this year’s total scam inflows has gone to wallets that became active this year, indicating a surge in new scams. The following figure shows, for each year, the share of total scam revenue received by wallets that first became active in that year. Notably, 43% of scam inflows this year have gone to wallets that became active this year. This trend is significant because in the next highest year, 2022, only 29.9% of the total year-to-date inflows went to wallets that became active that year.

As shown in the figure below, the average lifespan of scam campaigns has shortened significantly, which reflects this trend well. We plot this trend by calculating the number of days between the first and last observed on-chain activity of each scam. The average number of active days has fallen sharply between 2020 and 2024, from 271 days for scams that started in 2020 to 42 days for scams that started in 2024. This macro trend is consistent with the continued shift of scammers from carefully planned Ponzi schemes to more targeted activities such as pig butchering or address poisoning. Part of the reason is stronger law enforcement, along with stablecoin issuers blacklisting fraudulent addresses.
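The two measurements described above (the share of a year's scam inflows going to wallets first active that year, and the average number of days between a scam's first and last observed on-chain activity) can be computed as in the following added example. It is not Chainalysis code; the wallet labels, dates and amounts are constructed sample data, and the function names are hypothetical.

```python
from collections import defaultdict
from datetime import date

# Constructed sample inflows: (scam wallet label, date received, USD amount).
TRANSFERS = [
    ("scam-A", date(2020, 3, 1), 5_000),
    ("scam-A", date(2020, 12, 26), 7_000),
    ("scam-B", date(2022, 3, 1), 40_000),
    ("scam-B", date(2024, 2, 15), 60_000),  # older wallet still earning in 2024
    ("scam-C", date(2024, 1, 5), 15_000),
    ("scam-C", date(2024, 2, 14), 5_000),
    ("scam-D", date(2024, 4, 1), 10_000),
    ("scam-D", date(2024, 4, 21), 10_000),
]

def first_last_seen(transfers):
    """Map each wallet to the (first, last) dates of its observed inflows."""
    seen = {}
    for wallet, day, _ in transfers:
        first, last = seen.get(wallet, (day, day))
        seen[wallet] = (min(first, day), max(last, day))
    return seen

def share_to_new_wallets(transfers, year):
    """Fraction of `year`'s inflows received by wallets first active in `year`."""
    seen = first_last_seen(transfers)
    total = new = 0
    for wallet, day, usd in transfers:
        if day.year != year:
            continue
        total += usd
        if seen[wallet][0].year == year:
            new += usd
    return new / total if total else 0.0

def mean_active_days_by_start_year(transfers):
    """Average days between first and last activity, grouped by start year."""
    spans = defaultdict(list)
    for first, last in first_last_seen(transfers).values():
        spans[first.year].append((last - first).days)
    return {year: sum(d) / len(d) for year, d in sorted(spans.items())}

if __name__ == "__main__":
    print(share_to_new_wallets(TRANSFERS, 2024))
    print(mean_active_days_by_start_year(TRANSFERS))
```

When reading lifespan figures computed this way, note that the most recent cohort is right-censored: a scam that started this year cannot yet show a lifespan longer than the observation window.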

Although scammers tend to use new on-chain addresses, about 57% of scam inflows so far in 2024 still went to wallets that were active before 2024. One of the largest single wallets among this year’s active scam campaigns consolidates funds from many scams run out of KK Park, Myanmar’s most notorious pig butchering compound. The wallet was first seen on-chain in 2022, and scams using the address continue to generate substantial revenue, netting more than $100 million so far this year. The funds may come from scam victims or from ransoms paid by families trying to free trafficked relatives.

In addition, scam operations at KK Park and similar compounds are very active in adjusting their off-chain presence, often buying established Facebook, Tinder, and Match.com profiles from Chinese services for their campaigns. The chart below shows the flow of value from KK Park scam wallets to fraud shops selling illicit products that scammers exploit with devastating consequences.

Screenshots of the scam store website also show the pricing of the social media accounts it sells.

Looking at total inflows to services that sell social media accounts, like this fraud shop, we see more evidence supporting this trend. The following figure shows that cryptocurrency sent to these services has grown steadily over the past two years, with 178,000 deposits from 2022 to 2024 totaling approximately $10.5 million. The social media profiles on these sites are priced between $5 and $20 per account, meaning scammers may have purchased 525,000 to 2.1 million social media profiles that can be used to target victims.

In addition to sending funds to services that provide fraud tools, scammers eventually need to send their ill-gotten gains to services that launder them and convert them into fiat currency, mainly centralized exchanges. This year, we also see an increase in the use of Chinese marketplaces and money laundering networks, including Huione Guarantee.

Huione Guarantee: a $49 billion online marketplace

Huione Guarantee is an online marketplace connected to the Cambodian conglomerate Huione Group and was recently revealed to be a key player in cybercrime. Our coverage of the service is far greater than previously reported: we found that the platform has processed over $49 billion in cryptocurrency transactions since 2021.

Historically, Huione Group has provided legitimate services, operating as a remittance system for overseas transfers and providing insurance services. The company was once involved in the luxury travel business. However, its platform Huione Guarantee appears to be used extensively for illegal crypto activity, including pig butchering, investment fraud and money laundering. Huione Guarantee has grown into a huge and diverse ecosystem that supports the lucrative pig butchering business that continues to operate in Southeast Asia.

Huione Guarantee is a peer-to-peer (P2P) marketplace that connects buyers and sellers, often facilitating these transactions through Telegram, which provides a point of contact. In total, thousands of Telegram groups advertise or post on Huione Guarantee, each operated by a different independent merchant or affiliate, many of whom may have connections with criminal businesses operating in the region.

Huione Guarantee claims to be a neutral party in these transactions; it reportedly operates in a similar way to a trading platform, charging fees for each transaction executed, without verifying the legality of the listed goods and services.

Note: This image is machine translated from the original Chinese version.

Many businesses on Huione Guarantee barely hide their activities, using only thinly veiled code words to advertise the type of service they seek. For example, some ads show users looking for a “convoy”, meaning they are looking for money mules who transfer funds through multiple points and layers, thereby masking the source and destination of the funds.

Other posts promote the following:

  • Facial recognition or face-altering technology, offered in the “development” section of the platform.

  • Planning of pig butchering and Ponzi schemes.

  • Global passports and visas, with purported assistance in applying for them.

Note: This image is machine translated; the original text “Shazhu” means “killing pigs”, that is, pig butchering.

Note: This image is machine translated from the original Chinese version.

Huione Guarantee on-chain activities

On-chain analysis shows that Huione Pay is active on Ethereum, with total inflows exceeding $1.9 billion, and on TRON, with inflows exceeding $47 billion. The following diagram shows an example of such activity, with transfers between Huione Pay and a variety of illegal and high-risk counterparties highlighting Huione’s extensive facilitation network. The off-chain P2P network that Huione appears to support is also reflected on-chain: Huione has received funds from and sent funds to many types of counterparties, including scams, addresses reported as holding stolen funds, the OFAC-sanctioned Russian exchange Garantex, fraud shops, CSAM, Chinese gambling websites and casinos, and more.

Huione Guarantee also handles transactions for wallets allegedly associated with large criminal groups such as KK Park. In addition, Chainalysis has identified wallets related to Fully Light Group and Warner International, two entities run by Myanmar’s Kokang family, which are reportedly linked to illegal activities such as gambling venues, covert financial networks and money laundering schemes.

The use of Huione Guarantee by these networks shows that the service promotes not only the activities of scammers and fraudsters themselves, but also the network of criminals behind them.

Huione Guarantee is striking because it acts as a focal point for different types of cybercriminals, including pig butchering scammers and CSAM networks. While it may be the largest, it is not the only service of its kind. Other networks likewise use Telegram to facilitate P2P transactions, often for the exchange of illegal goods and services. Chainalysis is working closely with our partners to monitor this ecosystem and expose this activity.
