China continues Pig-Butchering Crack-down

One of my techniques for keeping current on Cybercrime trends is having an "interesting" collection of international news ticklers. This story came to me via X:CyberScamMonitor via a QQ account called "onCambodia." @CyberScamMonitor is a Twitter/X account and Substack account dedicated to tracking online scam and gambling operations in Southeast Asia and documenting human trafficking and human rights abuses. Great work and a strong recommendation to follow if you wish to learn more about the links between #CryptoScams and #PigButchering.

I apologize to the original journalist as I have been unable so far to find the original to give them full credit. For reference, the Chinese article I refer to provides the source as 来源：鲁中晨报 (Source: Luzhong Morning News). The headline is: "Chinese woman was arrested after returning to China! Uncovering the financial backers of a fraud syndicate in Sihanoukville." If anyone has a link to the Luzhong Morning News version, please comment and I will update! This post is mostly just a retelling of their story in English!

The story told, in my opinion, should have the headline "Diligent Police Task Force won't stop tracking Fraudsters!" This story features the Yiyuan County Police who started with a telecom fraud case in their jurisdiction and followed it until they had wrapped up the entire organization and seized 200 million yuan from the criminals, 1/4th of it in cash, but also in real estate, luxury cars, watches, and liquour. That's over $28 Million USD! The case started with a local business who found that one of their employees had sent out 38 million yuan in just a few days. The employee was being extorted after installing a porn-dating app on his phone -- when the criminals learned where he worked they demanded that he send money from his company as well. 

 The case was taken up by the "3.01" Task Force. Yiyuan County is administered as part of Zibo City in Shandong Province of China. Police officers from county, city, and provincial level work together on the 3.01 Task Force.  (Shandong is in the east of China, across the Yellow Sea from South Korea.) The deputy magistrate of Yiyuan, Zhang Xiuguang (张秀光), takes an approach to cybercrime that reminds me of the work of the Garda National Economic Crimes Bureau in Ireland!  Zhang says "Since we established the task force, we have firmly believed that we must recover the losses and hit the core.  From catching the first culprit, we will not withdraw our troops until the case is solved!"

(map of Zibo City from medical article by Lili Liu and Ling Wang)

The case dragged on at a very slow pace, Yiyuan deputy director of public safety Ma Wencheng (马文成) described it as involving the tracing of funds from thousands of accounts and peeling back each account like peeling layers from bamboo shoots. Even with a 100 person task force, very little progress was being made, but that changed with a key arrest on 31AUG2022. The key piece of evidence as a suspicious mobile phone number. Among all of the hundreds of thousands of scraps of evidence, there was a telephone number belonging to a woman in Cambodia. Recognizing that Cambodia is the home of many telecom fraud rings, the head analyst for the task force, Lu Lu, focused on the owner of that number. The decision was made to wait for her to return to China. The police have assigned this key figure the alias Xie Xiaofang. When they learned that Xie was returning to China, the task force rushed to Zhengzhou in Henan Province and arrested her as she was leaving quarantine.

As she was questioned, Xie Xiaofang revealed that her #PigButchering group was based in the Chinatown setion of Sihanoukville, Cambodia. Her job within the organization was laundering the money, but she claimed despite her key role, she only knew middle managers in the gang, and then only by alias. The 3.01 Task Force team began tracking each person traveling to China from Sihanoukville and asking Xie Xiaofang to identify them. Within a few weeks, they had mapped out the leadership of the organization. On 17SEP2022, the team traveled to Jiangxi, Yunnan, Fujian, and other places, arresting two more key members and seven others, followed in quick succession by dozens more, eventually totaling 135 arrests. At this point, the Shandong Provincial Public Security Department thought it was time to reward their team.  The photo below shows the public ceremony where all of the local dignitaries publicly praised the work of the 3.01 Task Force, who had at this point seized 8.5 million yuan (about $1.1 million) and had key leaders of the gang in custody. 

(source: https://zibo.sdchina.com/show/4733923.html ) 

But the team was not done yet. As they interrogated those who had been arrested so far, they realized that there was still a bigger boss. The police assigned him the alias Tang Xiaowei, but they were cautioned by their current detainees that this guy has a "very strong sense of anti-reconnaissance." He only uses cash. He doesn't use mobile phones. He doesn't use credit cards.  He doesn't have a fixed address. But he was known to have a favorite place in Xiamen.  The head analyst, Lu Lu, however, believed that Tang would know about the arrests and would be looking for a way to get out of the country safely, and in the mountains of evidence, Lu Lu believed there was a clue to his exit point. Someone under their surveillance had arranged for a large party in "an Internet celebrity hotel" in Guilin, Guangxi. Lu Lu was confident this would be for Tang. 

Speeding down the highway for nearly 1200 miles with members of the 3.01 task force, Lu Lu's vehicle fell into a pit related to some road construction, but they acquired another vehicle and continued on through the night. They arrived just in time to arrest Tang and his closest associates!  It turned out that Tang and his gang were leaving for the coast that morning where a boat was waiting to smuggle them out of the country and back to Cambodia!  They had the actual top kingpin in their hands and now they could finally pull apart the entire organization.  

Based on the information they acquired, additional arrest teams were sent to Beijing, Shanghai, Tianjin, Guangxi, Hebei, Henan, Guizhou and other cities where 18 teams assigned to different roles for the organization were arrested.  Three technical teams, 1 "payment on behalf" gang, and 14 "point running" gangs totaling 197 additional criminal suspects.  Boxes and suitcases loaded with cash were seized.

While the case that started with the Yiyuan County Police investigating one employee who seemed to be embezzling funds, it led to 38 million yuan ($5.3 million USD) being returned to citizens in Yiyuan and Zibo City and has spawned countless additional investigations as the national and international connections are still being traced. 

This is what COULD happen if we follow the model of the brave Yiyuan Police (the same model which the Garda National Economic Crime Bureaus follows!)  DON'T STOP.  DON'T take your local arrests and be happy with them.  FOLLOW EVERY LEAD.  

We'll close with this quote from Zhang Xiuguan ... 

"No matter how far you run, the Yiyuan police are not afraid of hardships and dangers.  They will catch you no matter how far you go!" 

Resources:

• https://mp.weixin.qq.com/s/IZJMXYTkKF8H0lksAHNOjQ
• https://twitter.com/johnwSEAP/status/1729426989310980377
• https://zibo.sdchina.com/show/4733923.html

Mirror Trading International's Cornelius Johannes Steynberg and his $3.4 Billion USD Default Judgement

Some of you may have heard that students in UAB's Investigating Online Crimes class have been researching Crypto Investment Scam websites.  You can find a list of some of the sites we've identified so far on URLScan.io using our tag "CryptoScam" (as of this writing we have 3600+ sites on the list -- hosting companies and registrars, please take action!) 

Mirror Trading International and a $3.4 Billion Fine

You may have never heard of the U.S. Government agency, the Commodity Futures Trading Commission, but that doesn't mean they don't have power.  Last week the CFTC announced an order of default judgment against Cornelius Johannes Steynberg of Stellenbosch, Western Cape, South Africa. The order states that Steynberg must pay $1,733,838,372 USD in restitution and an additional $1,733,838,372 as a civil monetary penalty for defrauding 23,000 Americans of 29,421 Bitcoin.  (That's $3.4 Billion USD, or R63.6 Billion South African Rand.)

I'm proud to say that this action was brought in part by the Alabama Securities Commission, who joined Texas, North Carolina, and Mississippi in taking action.  I've met their director (who just retired this week! Thank you Joe Borg for 30 years of service!) and some of their investigators and they fight hard to protect the citizens of Alabama from fraud. 

Mirror Trading International claimed that their members could earn 10% per month in interest on their investments.  A typical ad of theirs boasted of this advantage over traditional bank accounts and other investment vehicles: 

Ponzi Scam or Affiliate Program: Tomato / Tomato

Like many other Crypto Investment Scams, MTI was an affiliate program.  MTI encouraged members to create an account, after which they would be granted an affiliate code. By sharing a link to the main MTI website using their affiliate code, anyone who clicked the link and made an investment would begin generating "passive weekly income" to the member. 

Dozens of webpages, Telegram channels, and Facebook pages were filled with ads claiming how easy it was to earn money.  Here's one that was shared on a Facebook page operated by affiliate "Themba2000." 

This affiliate regularly posted updates supposedly showing how much money they were earning, as well as testimonials where the people they had recruited supposedly thanked them for their newfound financial freedom:

Like many other Crypto Investment Scams, the affiliates were encouraged to share videos claiming that Artificial Intelligence-based training was part of the secret of their success: 

South Africa's Court Order Outlines a Problem: Greed

While the terms of the South African court order against MTI may seem like victim-shaming, Greed is truly one of the factors involved in many of these Crypto Investment Scams.

"People all over the world, and South Africans are no exception, are bewitched and fascinated by any idea or scheme promising, in most cases, instant wealth, new homes, new cars, holidays abroad and all material possessions that can be acquired with an abundance of money. A further attraction of these schemes is the perception that the money will keep rolling in with little or no effort by the participants, the hardest part being to count one's money." 

The conclusion of that case summarized their findings as follows: 

[137] MTI's business clearly amounted to an unlawful ponzi-scheme, i.e. a fraudulent investing scam promising high rates of return to investors and generating returns for earlier investors with investments taken from later investors. 

[138] It would appear that there is no pool of member bitcoin, Trade 300 does not exist, the artificial intelligence bot never existed or traded and the remarkable trading results presented to investors were prima facie false. 

(ordered by A De Wet, Acting Judge of the High Court) 

What?  The AI Magic Bitcoin Genie isn't real?  I'm shocked!

Scammers or Victims:  Why Not Both? 

Unfortunately, many of the people who became involved in the scam are innocent victims while others made fake Facebook accounts in order to scam others into signing up.  As long as they signed up others, they had a good chance of making money, until the whole scheme collapsed.  It took about five minutes to find fifty affiliates with a simple Facebook search:

So will everyone get their money back?  Highly unlikely. 

Steynberg Arrested in Brazil

Mr. Steynberg was arrested in 2022 by the Brazilian Military Police of the state of Goias: 

https://www.pm.go.gov.br/giro-prende-foragido-internacional-responsavel-por-fraude-milionaria/

Assurances from MTI CEO Steynberg: I am not a Ponzi Scheme!

When Mirror Trading was first accused of being a Ponzi Scheme by the Texas Securities Commission, their CEO replied to queries using a form letter like this one, shared by Global Crypto in a story called "MTI Announces It Is Working With the FSCA": 

Dear Kratika,

I unfortunately only received your email this morning, Tuesday 14 July 2020.

As I have declared to the Texas Commissioner in writing, I wish to state and declare from the outset that Mirror Trading International (Pty) Ltd (hereinafter referred to as “MTI”), a privately held company registered in the Republic of South Africa, is not a Ponzi scheme (new money feeding old) or a scam, with which a holder of funds suddenly disappears.

It is also most unfortunate that because MTI is operating in the online passive income building industry, which has a notorious and demonstrated reputation for scams and Ponzi schemes, and, due to the nature and Modus-Operandi of the robust MTI referral-based business model, that MTI is automatically by default behaviour of the media and some regulators, and maybe the behaviours of some members, is being perceived by associative conclusion that MTI is but another of these.

This unfortunate and misinformed perception is far from the reality of what MTI is as a newly formed (15 month old) highly innovative referral-business and brand that the founders would like to see growing over many years into a global, iconic and heritage brand in the market trading sector.

For instance, the Texas Commissions states that …The actual value of the commissions depends on their success in recruiting new investors and multilevel marketers. … While this may apply to Ponzi schemes, this is not correct for MTI.

Daily trading returns using top regulated trading brokers determine the quantum of rewards, which can vary and if there is a negative trading day, there are no rewards. The point is that with MTI, that the funding of MTI referral payments is derived from daily trading profits and not from the funds of new members.

Another important point which differentiates MTI from Ponzi’s and scams is that members have full control over their funds (Bitcoin) at all times. Members are able to add or withdraw their funds (Bitcoin) at any time, with no complications and no fees. If you do research, you will find not a single member of the 75,000+ MTI members worldwide has ever complained or not been able to withdraw their BTC whenever they have opted to.  

It is the aim of MTI and its innovative, unique referral-based business model and MTI’s operating Modus Operandi of trading on world markets to generate real growth and returns on a daily basis, to work with and co-operate with regulators in every regard, in the process of taking MTI along a path that will see MTI fully and properly regulated.
There are three reasons for this.

1. My Founding Vision for MTI: Build a preferred iconic and heritage global brand in the financial services sector that delivers sustainable growth and value creation for all stakeholders, including for the little man in the street:
2. Professional and Compliant:  Ensure that MTI is a professionally managed business and brand that is regulatory compliant and which delivers sustainable growth and value creation for all stakeholders. My team and I are committed to this.
3. Change the reputation of the on-line passive income generating industry: We and myself personally, are extremely tired of this industry having a negative and darkly clouded reputation. And yes, some 99.9% of online passive income building services are scams and  / or Ponzi’s. I am personally very driven to be part of changing this perception once and for all, by showing and demonstrating to regulators, to the media and to consumers that such a business model can on a Bona Fida basis, exist, successfully operate and grow on an organic and sustainable basis, which is what MTI is doing.

To this end, MTI will in the coming period be placing great emphasis on engaging with and working with any regulator with a clear purpose at all times;  be fully compliant as a professionally managed company and brand that delivers sustainable growth and value creation to its stakeholders, and which intends to be around for many years to come.

MTI is already in discussion with the South Africa Financial Services Conduct Authority (FSCA) and will be meeting with the FSCA in a week’s time. MTI is also fully committed to co-operating with the Texas State Securities board and is in correspondence with them on this matter.

We trust that the above gives you some insight into MTI.

Should you wish to correspond further, please use my private email address: [REDACTED]
Your sincerely,

Johann Steynberg
Chief Executive Officer
Mirror Trading International (Pty) Ltd
South Africa

Watching a Crypto Investment Scam WhatsApp Group

If your online accounts are like mine, almost every day I'm "force joined" to a new Telegram group where a crypto investment scammer tries to tell everyone how great their scam investment site is. This week, I started getting added to WhatsApp Crypto Investment Scams. 

I thought I'd share the experience with you, in case you were curious. 

When you are Force-joined to a WhatsApp group, the first thing that is displayed is information about who added you to the group.

In my case, +856 20 29 725 893 created the group, and then I was added to the group by +856 20 29 728 289.  The +856 should be a clue to whether these are the advisors they claim to be, as +856 is the international calling code for Laos. A third Laos number then removes the group creator, another Laos administrator, and a South African adminstrator (+27 is South Africa).  They must have added a US-numbered administrator, (we don't see other people being added), because the +1 (346) number then changed the "Subject" of the group to be "BTC Nuggets 02th Team."   02th.  As in, the Second team created by a non-English speaker.  1st ... 02th ... 3rd? 

Then we get our first message from "Tricia Storti" our second theoretically American admin +1 (530), American.  See? (530 is the Area Code for extreme NorthEastern California.) 

Tricia's first post introduces our Crypto Investment Scam website name and begins the process of helping us all lose our money to "FileCoin" (or is it FILcoin? they can't seem to decide.)

But wait ... I didn't want to get a hundred WhatsApp messages a day from a new scammer.  That's ok ... all of Tricia's bot-controlled fake Americans are here to make you realize how special it is that you got added to the group.  They blather on non-stop about how great it is ... just so you might wonder (if you were a complete idiot), "Is it possible that I've been accidentally added to a WhatsApp Group that will teach me how to get rich trading Crypto Currency?" 

Seriously.  I can't believe they think anyone is stupid enough to fall for this ... but then I look at the BILLIONS OF DOLLARS being stolen in Crypto Investment Scams and realize they wouldn't spend all of this time and money doing this if somewhere it wasn't making them a profit. 

Just as you might be wondering, "But how will being in this group make me rich?" none other than the FOUNDER HIMSELF, the one and only BERNIE McTERNAN jumps into the conversation to explain how!

(In case you wondering if these were totally made up names, yes, they are. But they are based in reality.  McTernan occurs at a rate of 1 in every 519,000 people in the USA.  Storti is Italian.  1 in every 12,000 or so people there is named Storti.  1 in every 365,000 people in the USA.) 

But does it really work?  Well, our straight man "~ FKK" is going to ask the burning questions that are on every potential victim's mind ... and receive honest, trustworthy answers from current investor LOLO!

See?  LOLO has been in the game for 3 months "without finding anything wrong" and he can "withdraw money successfully every time!"  He's made $70,000 thanks to Bernie Analyst! 

You might still have doubts ... just like FKK!   "Wow is this true?"  But it isn't just totally real LOLO who has had great success.  Totally real totally unsolicited testimonial person Josh Perreault ALSO has made withdrawals successfully!  

Now we KNOW that it's real, right? Not you! You are too smart for that!  You're probably thinking "But I've never heard of these people!  What company is this?  Are they reputable?"  Funny that you are thinking this, because Totally Real Person Andrew Woolley is having those same doubts ... 

There you have it! Filecoin Foundation has been around since 2019, they are headquartered in London and have branches in the US, Vanuatu and Australia.  And look!  They even have an ID Number!  OOOOOOH!  Who could possibly doubt now??!?!?!

Totally Real Person JIJIT assures us that this is an American Company, and then FKK, our favorite Straight Man, asks for a website.  Conveniently, Tricia is there to demonstrate her excellent customer service by replying within two minutes!

FileCoinProtocol[.]com 

Oops!  Did NameSilo actually kill a fraud domain?  No, the scammers use "m.filecoinprotocol[.]com" as their primary site, so that if you try the domain name, or the "www" it will look like the site is unavailable. 

The Amazing Tricia-the-Scammer is right there with the answer! 

"BTC seconds contract is a two-way financial investment product. No matter which direction you buy, as long as you buy in the right direction, you can make a profit. The bitcoin second contract investment we currently trade is suitable for all types of investors, whether you are a novice or an experienced investor. Each transaction lasts 180seconds. After 180 seconds, if the analyst's investment forecast is correct, you can make an immediate profit." 

But why would they do that?  For a commission ... nothing suspicious here ... these Totally Real People explain it to each other:

And eventually, after much more banter, the TRADING starts!  Tricia gives our first instruction, and our Totally Real Veteran Trader Josh jumps right in!  (Perhaps not realizing we've already killed the website.) 

All of the Totally Real People quickly share their successful profits!

But, there is one little problem ... 

If ONLY ADMINS can send messages, then, NONE OF THE TOTALLY REAL PEOPLE CAN BE REAL PEOPLE!  

But that doesn't stop us having more imaginary conversations to demonstrate how trustworthy things are.  Tricia had some exciting news today ... VIP Traders don't have to pay the 20% commission!  They keep ALL OF THE MONEY!  (But there is a $10,000 minimum investment, of course) 

How big is the group?  In addition to the 237 current members, there are also (if you choose Group Info and scroll ALL THE WAY DOWN), over 550 "Past Participants" (with all of their telephone numbers exposed as well.)

Those are the people who were Force-Joined to the group and then LEFT the group.  Hopefully they remember to hit "REPORT AND EXIT" so that WhatsApp's team knows these guys are scammers!

For our "Actors" in the play above, none of their telephone numbers correspond to a real phone carrier, except Bernie, who uses T-Mobile. 

Bernie = 346.971.2587 = T-Mobile 
Tricia = 530.435.9207 = Peerless-NSR-ATLC
Josh = 903.636.6515 = Sinch Voice-NSR-10X
Shannon = 438.577-5300 = IXICA Communications 
JIJIT = 873.920.8211 = IXICA Communications
LOLO = 403.694.7067 = ISP Telecom 
Zachary Brook = 343578.0586 = ISP Telecom 
FKK = 985.775.6255 = Sinch Voice NSR 
Andrew = 716.502.2145 = Sinch Voice NSR 
Kevin = 937.966.2921 = Sinch Voice NSR 

Sure would be sad if all of those telephone numbers and WhatsApp numbers were terminated ...