In this case study, we will explore a sophisticated scam that involved multiple fraudulent domains, fake app optimization schemes, and impersonation tactics, resulting in significant financial losses. Between December 2023 and March 2024, this scam victimized individuals by manipulating them into depositing large sums of money to “optimize” apps and complete tasks for promised profits.

Phase 1: Pig Butchering Scam (December 2023)

The first phase of the scam involved a pig butchering scheme. In this common investment fraud, the victim is tricked into believing they participate in a legitimate high-profit venture. Between December 5, 2023, and December 31, 2023, scammers convinced the victim to deposit €56,000. All transactions for this scam were documented in a file named “transaction_list_metamask.docx.”

Phase 2: App Optimization Scam (March 2024)

In March 2024, the scammers employed a fake app optimization service operated through the now-defunct domain qagencywork.top. The victim was asked to deposit €1,500 in USDT (cryptocurrency) to complete tasks. They were further pressured to continue depositing money under the guise of app optimization, which was entirely fraudulent.

Phase 3: Expansion of the App Scam Network

As the scam progressed, the fraudsters introduced a more extensive network of fraudulent domains. These include:

• andersen-dev.com
• linnifyapps.vip
• cloverdevapps.cc
• digiruuapps.top
• the-snowplow.top

Each website was designed to trick the victim into performing tasks and depositing money under the pretense that they would receive significant returns. When the victim requested to withdraw funds, they were told they needed to pay a VIP membership fee of €10,000 to unlock withdrawals. No withdrawals were permitted even after paying, and the sites went offline.

Phase 4: Impersonation of Recovery Agents (2024)

The scam took a final turn when the victim was approached by individuals impersonating cryptocurrency recovery agents from Capital Recover Pro. Isabelle Garcia contacted the victim through remote desktop tools such as Iperium and scammed an additional €2,600. False claims about fees to release funds were made, including payments to Europol.

Key Fraudulent Domains Involved:

• qagencywork.top
• andersen-dev.com
• linnifyapps.vip
• cloverdevapps.cc
• digiruuapps.top
• the-snowplow.top
• webcryoins.net
• morlton.net
• webcryonics.net

These fraudulent domains have since gone offline but were integral to the scam. Investigators are encouraged to track the cryptocurrency addresses associated with these transactions and to search for any remaining server logs or registrations tied to these domains.

Conclusion

This scam highlights the complexity of multi-layered fraud involving pig butchering, app optimization schemes, and impersonation. Scammers used a combination of cryptocurrency deposits, fake domains, and social engineering techniques to extract over €100,000 from the victim. The case underscores the importance of tracing cryptocurrency transactions and domain registrations and analyzing remote desktop access logs to identify and locate scammers.

Victim of cryptocurrency scam? We can trace your funds!