Skip to content
Naked Security Naked Security

Multimillion dollar CryptoRom scam sites seized, suspects arrested in US

Five tips to keep yourself, and your friends and family, out of the clutches of "chopping block" scammers...

Over the past year, we’ve had the unfortunate need to warn our readers not once, but twice, about a scam we’ve dubbed CryptoRom, a portmanteau word formed from the terms “Cryptocurrency” and “Romance scam”.

Simply put, these scammers use a variety of techniques, notably including prowling on dating sites, to meet people online, form a friendship…

…not with the intention of drawing their victims into a “we’ve fallen in love, now send money” romance scam, but instead to earn their trust and lure them into bogus investments “managed” via fraudulent mobile phone apps.

Intriguingly, the crooks even target iPhone users, despite the fact that ripoff financial apps are difficult to sneak into Apple’s App Store, and Apple doesn’t allow its users to download apps from anywhere else.

Sadly, and ironically, the CryptoRom gangs have turned Apple’s strictness into a sort of sales schpiel: if anyone and everyone could download their “investment” apps, that would spoil the exclusivity, so the apps are only available by invitation, directly from the “investment” group.

SophosLabs has tracked these criminals using Apple’s business and developer toolkits to bypass the App Store, using systems such as Apple’s Enterprise Provisioning system, which allows phones directly managed by a business to install proprietary apps:

The crooks have also used Apple’s development tool TestFlight, where unreleased apps can be provided for a limited time to invited, consenting partcipants:

As an aside that we can’t bring ourselves not to mention: the Sophos researchers who wrote the two papers referenced above won the prestigious 2022 Péter Szőr Award, presented at the annual Virus Bulletin conference for the best technical research of the year.

Winning your trust

Obviously, this means buying into a scammer’s instructions not merely to install an app you’ve never heard of, but to do so by essentially committing your entire device to their control, either via Enterprise Provisioning or by enrolling in a development process that would normally only be recommended for devices dedicated to coding and testing.

That’s why the scammers win your trust first, for example by befriending you via a dating site, so that you’re willing to accept what sounds like an obvious technical risk.

The crooks parlay the curious installation process into what sounds like an online privilege: the unusual way of acquiring the app is pitched as a way to join an exciting online investment vehicle that isn’t available via Apple precisely because it’s financial dynamite that’s not available to just anyone!

The “romance” in a CryptoRom scam isn’t tugging at your heart strings, but at your wallet strings.

You can probably imagine how the scam plays out from here.

A carefully concocted pack of lies

The app looks and behaves like a legitimate investment product, hooked up directly to an online web backend that processes deposits, calculates growth, allows deposits, displays real-time graphs…

…all presented with branding that is typically dolled up to look like an official, well-regulated service or stock exchange.

But the app, the “exchange” that backs it, the logos, the branding, and the enticingly upward direction of your account balance are all completely bogus.

In five words, the entire thing is a carefully concocted pack of lies.

Your initial investment shows up right away; the crooks may even offer to “boost” your account with a loan or a staking bonus, which might sound too good to be true but will nevertheless show up in your “account” as promised.

The crooks may even allow you to make withdrawals at first, to build trust and confidence.

This is a common ploy in so-called Ponzi or pyramid schemes – in truth, of course, the scammers are merely giving you some of your own money back.

But they then quickly show your account surging, inviting you to imagine how much more you could be making if only you’d re-deposit your recent withdrawal, and perhaps whack some more on top of that as well.

Heck, why not borrow from your friends and family (but don’t let them in on the whole story or they’ll all want to join in, eh?) and double, triple, quadruple all that money as well?

And that’s not all…

Sadly, that’s not all, because there’s a sting in the tail, too.

When you try to withdraw your “funds”, there’s suddenly a government witholding tax, usually of 20%, on the funds you want to access – something that’s admittedly not unusual in countries with investment charges such as Capital Gains Tax.

Except that it’s not a witholding tax at all, as you might at first expect (that’s where the government’s cut is simply deducted, or witheld, from the amount you want to withdraw, and the rest comes to you).

The crooks tell you that the funds are frozen for regulatory reasons, so they can’t be used to offset the amount you “owe”.

You have to pay the amount first, in a transaction of its own, in order unfreeze the funds before they can be withdrawn in a second transaction.

The crooks will typically pile on the pressure here, warning that you risk losing everything in your “account”, both your own money that you’ve paid in already, and the “capital gains” you think you’ve accumulated.

As the SophosLabs researchers explain, if the crooks think that they genuinely can’t squeeze you for the entire 20%, because they’ve almost bled you dry already, they’ll even pretend to “help” by rallying together their “friends” to lend you some of the money you need to get your “investment” out, until they really have drained you for every drop:

Screen photo of “tax” exchange from victim’s phone.
Click on image to see image in original article.

The theory, of course, is that after you’ve paid the 20% “tax”, you will get access to 100% of the “balance” in your account, leaving plenty of funds on hand not only to pay off the loans that made it all possible, but also to cash out to your own considerable advantage.

Tragically, this is a made-up example of how scams like this typically unfold:

Action                               "Balance"   Amount at stake      "Cashout" deductions
---------------------------------    ---------   ------------------   --------------------
$10,000 paid in + $30,000 "loan"  ->  $ 40,000   YOUR STAKE $10,000   DEDUCT $30,000

Your graph shows you are doing well!

Synthetic 2x boost in value       ->  $ 80,000   YOUR STAKE $10,000   DEDUCT $30,000

What if it's all phoney?

Withdraw $5000 as "test of truth" ->  $ 75,000   YOUR STAKE $ 5,000   DEDUCT $30,000

Big growth event coming, crooks go on a
charm offensive, tell you to invest more!

Pay the $5000 withdrawal back in, 
add $10,000 on top, plus
another $20,000 "loan"            ->  $111,000   YOUR STAKE $20,000   DEDUCT $50,000

Synthetic 3x boost in value       -> $ 333,000   YOUR STAKE $20,000   DEDUCT $50,000

Woo-hoo! Time to cash out!

20% "unfreezing" tax comes to $66,600
Crooks realise you genuinely can't come up with that much, 
but figure you can squeeze some money out by hitting up 
friends, etc. for $20,000 if they "offer" to find $46,000.

You pay $20,000 + $46,600 "loan"  -> $ 333,000   YOUR STAKE $40,000   DEDUCT $96,000

After withdrawal and "paying back" the $96,000, you will be 
still be left with $237,000, which gives you a "profit" of 
$197,000 after deducting your outgoings of $40,000!

Withdraw $333,000 less "loans"    -> GAME OVER. 
                                     INSERT MORE COINS TO RESUME GAME. 

The sting in the tail of the tail

Even worse, there’s even a sting in the tail of the tail.

Once you realise you’ve been scammed, you may miraculously be contacted by someone who sympathises with your plight (perhaps it recently happened to them?) and knows just the service for you…

..cryptocurrency recovery!

We all know that cryptocoins, by design, are largely unregulated, pseudo-anonymous, and anywhere from hard to almost impossible to trace and recover.

Yet we also know that cryptocoin recoveries do sometimes happen, occasionally in astonishing amounts and after lengthy periods, like the fund recovered from wannabe rap star Crocodile Of Wall Street and her husband, or from Silk Road cryptorobber James Zhong, who hid $3 billion in bitcoins in a popcorn tin for almost a decade:

Sadly, if you go down the “recovery service” rabbit hole, you will just be pouring yet more good money after bad, and your overall losses will be even more catastrophic.

Hot on the trail

Here’s some good news to follow the bad: the US Department of Justice (DOJ) is taking on at least one group of CryptoRom scammers.

The DOJ refers to this sort of scam as “pig butchering”, which is a metaphor apparently chosen by the scammers themselves to mock their victims: in Chinese, the technique is known as 杀猪盘 (sha zhu pan), something we’d probably refer to as a “chopping block” in English, but that literally translates as “pork butchering plate”.

In a report this week, the DOJ describes a takedown of seven CryptoRom-related web domains that it alleges were used over a period of at least four months (May to Augut 2022) to rip off at least five victims in the US alone. (We assume there were numerous victims from other countries, but the DOJ report relates to victims in its juridiction.)

The domains were rigged up to look like web pages of an official Singapore financial exchange, and allegedly helped in conning victims out of over $10,000,000.

This follows a DOJ action last month in which 11 people were arrested in connection with these “chopping block” attacks and charged with with ripping off more than 200 people in the US of close to $18,000,000.

The 11 defendants were also charged with acting as money laundering “mules”, who illegally passed more than $52,000,000 through bank accounts opened up using forged or stolen identity documents, receiving a percentage of the amount laundered in payment.

As we’ve mentioned before, money laundering services of this sort are widely used by cybercriminals to exfiltrate illicit deposits out of the banking system before the fraud gets spotted and the bogus transactions get frozen or reversed.

Business Email Compromise (BEC) scammers, for instance, operate by tricking companies into paying invoices (they typically focus on high-value sums, sometimes into the millions of pounds or dollars) into the wrong bank account.

From there, they use the assistance of “money mules” to get those misdirected funds withdrawn from the banking system before the deception can be prevented:

What to do?

  • Take your time when online talk turns from romance, love, or even plain friendship, to money. Don’t be swayed by the fact that your new “friend” happens to have a lot in common with you, and don’t let yourself be mesmerised by their “investment advice”. It’s easy for scammers to pitch themselves as kindred spirits if they’ve studied your social networking or dating site profiles in advance.
  • Never give administrative control over your phone to someone with no genuine reason to have it. Never click [Trust] on a dialog that asks you to enrol in remote management unless it’s from someone you already have an employment contract with, the conditions have been clearly explained to you in advance, and you understand and accept the business reasons for enrolling your phone.
  • Don’t be deceived by messaging inside the app itself. Don’t let icons, graphs, names and text messages inside an app trick you into assuming it has the credibility it claims. (If I show you a picture of a pot of gold, that doesn’t mean I own a pot of gold.)
  • Don’t be fooled because a scam website looks well-branded and professional. Setting up a website with live graphs, investment pages and “account” management tools is easier than you think. Crooks can readily copy official logos, taglines, branding and even JavaScript code from the real site, and modify it to suit their malicious purposes.
  • Listen openly to your friends and family if they try to warn you. Online scammers think nothing of deliberately setting you against your family as part of their scams. They may even “counsel” you not to let your friends and family in on your “secret”, pitching their investment proposal as something exclusive: a good fit for you, but not open to just anyone. Don’t let the scammers drive a wedge between you and your family as well as between you and your money.


Original video here:
Click the cog icon to speed up playback or show live subtitles.
Read a TRANSCRIPT of the video.


I’m stunned that anyone falls for these scams. Almost to the point where I’d say don’t even warn people, if someone can’t figure out it’s a scam in the first couple seconds, they shouldn’t handle electronic finances at all.
Music to read this news story by – Come And Get It, by Badfinger


I didn’t realise that song dates from 1969, when the Beatles were still (mostly) a thing… Sir Paul did the music and Sir Ringo was in the film! (Who knew?)

The problem with cryptocoin scams is that everyone knows someone (or feels they know someone who knows someone) who mined a few bitcoins back when they were worth $0.04 each, and who was therefore early enough that they didn’t just make 4x or even 400x the money, but 400,000x. So the zest to *get in early this time* just won’t go away for some people. (Even if you do know someone who mined BTC at 4 cents each… they probably cashed out laughing at $4. And those who got in at $4 probably cashed out at $40, or maybe even $400, but not at $40,000. Rose-tinted spectacles, and all that.)


This has been driving me crazy for quite a while now. The information and advice from Naked Security has always been top notch, but the presentation? What’s one of the first things you look for in a bad phish? Misspelling and bad grammar. In other words, something like these, culled from a short span in the article above:

1. It’s easy for scammers to pitch themselves as kindred spirits if they’ve “studied at your social networking or dating site profiles” in advance. Just “studied” instead of “studied at” would have been just fine.
2. Never click [Trust] on a dialog that asks you to “enrol” in remote management unless it’s from someone you already have an employment contract with… Unless British English spells “enrol” with one “l”…
3. Don’t let “by icons”, graphs, names and text messages inside an app trick you into assuming it has the credibility it claims. Now this one I will admit, I was unsure of. Is there such a thing as a “by icon”? I couldn’t find one in an internet search, but that’s not a definitive answer either way.

I don’t mean to impugn the actual information provided in these articles, but sometimes it’s like reading a manual that’s been software-translated from another language. Keep up the otherwise great work, and thanks for your efforts.


Thanks. I accept your criticism, but not the suggestion that the two typos you found (which are clearly just mistakes that I didn’t spot because it’s really hard to proofread your own content after you’ve written it) make the article read like “a manual that’s been software-translated from another language”.

FWIW, “enrol” and “enroll” can be considered unexceptionable spellings of the same word, like “phoney” and “phony”, or “jewellery” and “jewelry”.

(Not sure, now I think about it, that the word “impugn” isn’t a bit of a harsh choice, given the nature of the mistakes you’re reporting.)


Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!