

Ethical Hacking News

New Light Shines on Industrial-Scale Pig Butchering Scams as Cybersecurity Researchers Uncover Service Providers Fueling the Fraud




Cybersecurity researchers have made a groundbreaking discovery that sheds light on two service providers fueling industrial-scale pig butchering scams. The pig butchering-as-a-service (PBaaS) economy has been around since 2016, with Chinese-speaking criminal groups establishing special economic zones across Southeast Asia to create fraudulent investment and impersonation operations.

These compounds are notorious for luring thousands of people with promises of high-paying jobs, only to force them into conducting scams under the threat of violence. Cybersecurity experts have long warned about the dangers of these types of scams, which can result in significant financial losses for victims and potentially devastating emotional trauma.

The discovery highlights the complex nature of modern cyber threats, where service providers are often unwittingly fueling the scam industry by supplying networks with tools and infrastructure necessary to run social engineering operations. The most prominent example of this is Penguin Account Store, a crimeware-as-a-service (CaaS) provider that offers fraud kits, scam templates, and "shè gōng kù" datasets comprising stolen personal information belonging to Chinese citizens.

The group's services are available for purchase, with prices starting as low as $0.10 per pre-registered social media account. The threat actor has developed a Social Customer Relationship Management (SCRM) platform dubbed SCRM AI, which allows scam operators to facilitate automated victim engagement on social media.

The network, which primarily targets Indonesian-speaking visitors, is part of a larger operation that includes thousands of gambling domains, malicious Android applications, hijacking of domains and subdomains hosted on cloud services, and stealth infrastructure embedded inside enterprise and government websites worldwide. The activity involves systematic exploitation of WordPress, PHP components, dangling DNS, and expired cloud assets to hijack and weaponize trusted domains.

The threat actors behind this scheme are believed to be an Advanced Persistent Threat (APT) that is deeply embedded in the Indonesian cybercrime ecosystem while actively exploiting governmental virtual assets worldwide. Another threat actor, Penguin Account Store's adversary-in-the-middle (AitM) phishing toolkit called Evilginx, has also emerged as a major factor in targeting at least 18 universities and educational institutions across the U.S. since April 12, 2025, with an aim to steal login credentials and session cookies.

  • Pig butchering scams have been fueled by service providers offering tools and infrastructure for social engineering operations.
  • The Penguin Account Store is a crimeware-as-a-service provider offering stolen personal information, social media accounts, and other illicit services.
  • Prices for Penguin's services start at $0.10 per pre-registered social media account.
  • A threat actor has developed an SCRM platform to facilitate automated victim engagement on social media.
  • The threat actor targets Indonesian-speaking visitors and uses a network of hijacked domains, malicious Android apps, and AWS S3 buckets to distribute malware.
  • Another threat actor, Penguin Account Store, has emerged with an AitM phishing toolkit called Evilginx that targets universities and educational institutions in the US.
  • Evilginx's evasion techniques have become effective enough to cause low detection rates among cybersecurity experts.



    As cyber threats continue to evolve and become increasingly sophisticated, cybersecurity researchers have made a groundbreaking discovery that sheds light on two service providers fueling industrial-scale pig butchering scams. The pig butchering-as-a-service (PBaaS) economy has been around since 2016, with Chinese-speaking criminal groups establishing special economic zones across Southeast Asia to create fraudulent investment and impersonation operations. These compounds are notorious for luring thousands of people with promises of high-paying jobs, only to force them into conducting scams under the threat of violence.

    The pig butchering scam has been characterized by researchers as human trafficking-fuelled fraud on an industrial scale. Cybersecurity experts have long warned about the dangers of these types of scams, which can result in significant financial losses for victims and potentially devastating emotional trauma.

    In recent months, cybersecurity researchers have uncovered evidence that suggests service providers are fueling the pig butchering scam industry by supplying networks with tools and infrastructure necessary to run social engineering operations. These services include laundering stolen funds and cryptocurrencies, as well as moving ill-gotten proceeds to accounts that cannot be reached by law enforcement.

    The most prominent example of this is Penguin Account Store, a crimeware-as-a-service (CaaS) provider that offers fraud kits, scam templates, and "shè gōng kù" datasets comprising stolen personal information belonging to Chinese citizens. The group also peddles account data from various popular media platforms like Twitter, Tinder, YouTube, Snapchat, Facebook, Instagram, Apple Music, OpenAI ChatGPT, Spotify, and Netflix.

    Penguin's services are available for purchase, with prices starting as low as $0.10 per pre-registered social media account. The group also offers bulk pre-registered SIM cards, stolen social media accounts, 4G or 5G routers, IMSI catchers, and packages of stolen pictures (aka character sets) used to entrap victims.

    The threat actor has developed a Social Customer Relationship Management (SCRM) platform dubbed SCRM AI, which allows scam operators to facilitate automated victim engagement on social media. The network, which primarily targets Indonesian-speaking visitors, is part of a larger operation that includes thousands of gambling domains, malicious Android applications, hijacking of domains and subdomains hosted on cloud services, and stealth infrastructure embedded inside enterprise and government websites worldwide.

    The activity involves systematic exploitation of WordPress, PHP components, dangling DNS, and expired cloud assets to hijack and weaponize trusted domains. The infrastructure has also been found to power a massive Android malware ecosystem hosted on Amazon Web Services (AWS) S3 buckets to distribute APK droppers with command-and-control (C2) and data-theft capabilities.

    Researchers have characterized the threat actors behind this scheme as relying on social media and instant messaging platforms to advertise gambling sites and direct users to install the Android apps. As many as 7,700 domains have been flagged containing links to at least 20 AWS S3 buckets staging the APK files (e.g., "jayaplay168.apk" or "1poker-32bit.apk").
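    One way a defender could hunt for this pattern in web proxy logs, as an added example that is not from the article or the researchers it cites. The log layout (client, referrer, URL), bucket names, referrer hosts and region are constructed; only the two APK file names come from the text above.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, unquote

# Virtual-hosted style: <bucket>.s3.<region>.amazonaws.com/<key>
# (also legacy <bucket>.s3.amazonaws.com and <bucket>.s3-<region>...)
VHOST = re.compile(r"^(?P<bucket>.+)\.s3[.-](?:[a-z0-9-]+\.)*amazonaws\.com$")
# Path style: s3.<region>.amazonaws.com/<bucket>/<key>
PATH = re.compile(r"^s3[.-](?:[a-z0-9-]+\.)*amazonaws\.com$")

def s3_object(url):
    """Return (bucket, key) if url points at an S3 object, else None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = unquote(parts.path).lstrip("/")
    if PATH.match(host):
        bucket, _, key = path.partition("/")
        return (bucket, key) if bucket and key else None
    m = VHOST.match(host)
    if m and path:
        return m.group("bucket"), path
    return None

def flag_apk_staging(log_lines):
    """Map bucket -> APK names and referring hosts for .apk fetches from S3."""
    hits = defaultdict(lambda: {"apks": set(), "referrers": set()})
    for line in log_lines:
        fields = line.split()
        if len(fields) != 3:          # skip malformed lines
            continue
        _client, referrer, url = fields
        obj = s3_object(url)
        if obj and obj[1].lower().endswith(".apk"):
            bucket, key = obj
            hits[bucket]["apks"].add(key.rsplit("/", 1)[-1])
            ref_host = urlsplit(referrer).hostname   # None for "-"
            if ref_host:
                hits[bucket]["referrers"].add(ref_host)
    return dict(hits)

# Constructed sample log: "<client> <referrer> <url>"
SAMPLE_LOG = [
    "10.0.0.5 https://promo-one.example/landing https://example-bucket-a.s3.ap-southeast-1.amazonaws.com/jayaplay168.apk",
    "10.0.0.9 https://promo-two.example/ https://s3.ap-southeast-1.amazonaws.com/example-bucket-a/dl/1poker-32bit.apk",
    "10.0.0.7 https://docs.example/ https://example-bucket-b.s3.amazonaws.com/manual.pdf",
    "10.0.0.7 - https://updates.example/app.apk",
]

if __name__ == "__main__":
    for bucket, info in flag_apk_staging(SAMPLE_LOG).items():
        print(bucket, sorted(info["apks"]), sorted(info["referrers"]))
```

    Grouping by bucket rather than by referring domain keeps the result small when many lure domains point at the same few staging buckets.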

    The threat actors behind this scheme are believed to be an Advanced Persistent Threat (APT) that is deeply embedded in the Indonesian cybercrime ecosystem while actively exploiting governmental virtual assets worldwide.

    Another threat actor, Penguin Account Store's AitM phishing toolkit called Evilginx, has also emerged as a major factor in targeting at least 18 universities and educational institutions across the U.S. since April 12, 2025, with an aim to steal login credentials and session cookies. As many as 67 domains have been identified as linked to the activity.

    "The low detection rates across the cybersecurity community highlight how effective Evilginx's evasion techniques have become," Infoblox said. "Recent versions, such as Evilginx Pro, add features that make detection even harder."

    "These include default use of wildcard TLS certificates, bot filtering through advanced fingerprinting like JA4, decoy web pages, improved integration with DNS providers (e.g., Cloudflare, DigitalOcean), multi-domain support for phishlets, and JavaScript obfuscation. As Evilginx continues to mature, identifying its phishing URLs will only become more challenging."



    Related Information:
  • https://www.ethicalhackingnews.com/articles/New-Light-Shines-on-Industrial-Scale-Pig-Butchering-Scams-as-Cybersecurity-Researchers-Uncover-Service-Providers-Fueling-the-Fraud-ehn.shtml

  • https://thehackernews.com/2026/01/researchers-uncover-service-providers.html

  • https://www.infoblox.com/blog/threat-intelligence/scaling-the-fraud-economy-pig-butchering-as-a-service/


  • Published: Mon Jan 12 02:39:08 2026 by llama3.2 3B Q4_K_M












