Global Crypto Fraud Takedown: Detecting 'Pig Butchering' and Remote Access Abuse

In a significant blow to transnational cybercrime, a coordinated operation led by the Dubai Police, in partnership with U.S. and Chinese authorities, has resulted in the arrest of 276 suspects and the seizure of $701 million in assets. This crackdown dismantled nine scam centers specializing in cryptocurrency investment fraud—often referred to as "pig butchering"—which targeted victims globally.

While this specific infrastructure has been disrupted, the business model of high-yield investment fraud remains a persistent threat. The actors behind these operations frequently rely on social engineering combined with legitimate Remote Access Tools (RATs) to coerce victims into transferring funds. As defenders, we cannot rely solely on law enforcement takedowns; we must proactively hunt for the technical indicators of these scams within our environments, specifically the abuse of remote administration software and the presence of unauthorized cryptocurrency applications.

Technical Analysis

Threat Type: Cryptocurrency Investment Fraud (Social Engineering + Remote Access)

Attack Vector:

Social Engineering: Initial contact occurs via SMS (smishing), WhatsApp, or dating apps (tinder/scams). Actors build trust over weeks/months.
Remote Access: Victims are manipulated into installing legitimate remote access tools (e.g., AnyDesk, TeamViewer, RustDesk) to "assist" with crypto investments or wallet management.
Financial Fraud: Victims are directed to fraudulent investment platforms or fake exchanges showing fake returns, ultimately leading to loss of funds.

Affected Components:

Endpoints: Windows and macOS systems running unauthorized RATs.
Network: Connections to known fraudulent crypto exchange domains or IP ranges associated with scam centers.

CVE/NVD Status: N/A (This is a fraud campaign relying on user interaction and legitimate tools, not a software vulnerability).

Detection & Response

Defending against these scams requires detecting the abuse of legitimate administrative tools and the presence of unauthorized crypto-related software on corporate endpoints. The following rules target the behavioral outliers typical of these operations, such as remote tools executed from non-standard paths (e.g., AppData or Temp) instead of Program Files.

Sigma Rules

YAML

---
title: Suspicious Remote Access Tool Execution from User Directory
id: 8a4b1c92-3d5e-4f6a-9b8c-1d2e3f4a5b6c
status: experimental
description: Detects execution of common remote access tools from user-writable directories (AppData/Temp), often used in fraud and scam operations to bypass installation requirements or evade detection.
references:
  - https://attack.mitre.org/techniques/T1219/
author: Security Arsenal
date: 2026/05/15
tags:
  - attack.command_and_control
  - attack.t1219
logsource:
  category: process_creation
  product: windows
detection:
  selection_tools:
    Image|endswith:
      - '\anydesk.exe'
      - '\teamviewer.exe'
      - '\rustdesk.exe'
      - '\supremo.exe'
      - '\screenconnect.exe'
      - '\aeradmin.exe'
  selection_path:
    CommandLine|contains:
      - '\AppData\Local\Temp'
      - '\AppData\Roaming'
  condition: all of selection_*
falsepositives:
  - Legitimate portable use of IT support tools (rare in managed environments)
level: high
---
title: Potential Crypto Wallet or Miner Execution
id: 1b2c3d4e-5f6a-7b8c-9d0e-1f2a3b4c5d6e
status: experimental
description: Detects execution of known crypto wallet or mining binaries on corporate endpoints, which may indicate "pig butchering" fraud activity or unauthorized resource usage.
references:
  - https://attack.mitre.org/techniques/T1059/
author: Security Arsenal
date: 2026/05/15
tags:
  - attack.resource_hijacking
  - attack.t1496
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|contains:
      - '\AppData\Roaming\'
    Image|endswith:
      - '\exodus.exe'
      - '\atomic.exe'
      - '\bitcoin-qt.exe'
      - '\ethereumwallet.exe'
      - '\nicehash.exe'
      - '\xmrig.exe'
  filter:
    Image|contains: '\Program Files\'
  condition: selection and not filter
falsepositives:
  - Authorized usage by finance/development teams
level: medium

KQL (Microsoft Sentinel)

This query hunts for network connections or process executions associated with the tools commonly used in these scams.

KQL — Microsoft Sentinel / Defender

// Hunt for Remote Access Tools running from non-standard paths
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("anydesk.exe", "teamviewer.exe", "rustdesk.exe", "supremo.exe", "aeradmin.exe")
| where FolderPath !contains @"Program Files" and FolderPath !contains @"Program Files (x86)"
| extend DeviceName, AccountName, InitiatingProcessAccountName
| project Timestamp, DeviceName, FileName, FolderPath, ProcessCommandLine, AccountName
| order by Timestamp desc

Velociraptor VQL

VQL artifact to hunt for suspicious processes and persistence mechanisms on the endpoint.

VQL — Velociraptor

-- Hunt for Remote Access Tools running from suspicious user directories
SELECT Pid, Name, Exe, Username, CommandLine, Ctime
FROM pslist()
WHERE Name IN ('AnyDesk.exe', 'TeamViewer.exe', 'RustDesk.exe', 'SupRemo.exe')
  AND (Exe =~ 'AppData\\Local\\Temp' OR Exe =~ 'AppData\\Roaming')

-- Hunt for common crypto-related binaries in user profiles
SELECT FullPath, Size, Mtime
FROM glob(globs='/*/Users/*/*/AppData/Roaming/*/{exodus.exe,atomic.exe,bitcoin-qt.exe,ethereumwallet.exe}')

Remediation Script (PowerShell)

This script scans for and optionally terminates unauthorized remote access processes running from user directories.

PowerShell

<#
.SYNOPSIS
    Detects and kills unauthorized Remote Access Tools (RATs) running from user directories.
    Used for remediation of "Pig Butchering" scam tools.
#>

$SuspiciousProcesses = @(
    "AnyDesk", "TeamViewer", "RustDesk", "SupRemo", "AERAdmin"
)

Write-Host "[+] Scanning for unauthorized remote access tools..." -ForegroundColor Cyan

foreach ($ProcName in $SuspiciousProcesses) {
    $Processes = Get-Process -Name $ProcName -ErrorAction SilentlyContinue
    
    foreach ($Proc in $Processes) {
        $Path = $Proc.Path
        # Check if running from Program Files (legitimate install) or User Directory (suspicious portable)
        if ($Path -match "C:\\Users\\") {
            Write-Host "[!] ALERT: Suspicious process found: $($ProcName) (PID: $($Proc.Id))" -ForegroundColor Red
            Write-Host "    Path: $Path"
            
            # Stop Process
            Stop-Process -Id $Proc.Id -Force
            Write-Host "    Action: Process terminated." -ForegroundColor Yellow
        }
    }
}

Write-Host "[+] Scan complete." -ForegroundColor Green

Remediation

Application Allow-listing: Enforce strict allow-listing policies via AppLocker or similar EDR controls. Permit execution of remote administration tools (e.g., TeamViewer, AnyDesk) only from %ProgramFiles% or signed, verified corporate installers. Block execution from %AppData% and %Temp%.
Network Segmentation: Restrict outbound internet access for endpoints that do not require it. For those that do, implement DNS filtering to block domains associated with known fraudulent crypto exchanges and malware distribution.
User Awareness Training: Immediately roll out targeted security awareness training regarding "Pig Butchering" scams. Emphasize that legitimate entities will never ask users to install remote access software to assist with financial transactions.
Policy Enforcement: Update Acceptable Use Policies (AUP) to explicitly prohibit the installation of unauthorized remote access software and cryptocurrency wallets on corporate devices.

Related Resources

Security Arsenal Managed SOC Services AlertMonitor Platform Book a SOC Assessment soc-mdr Intel Hub