Back to Intelligence

US Disrupts Myanmar-Based 'Pig Butchering' Ring: Detection and Defense Against Investment Fraud

SA
Security Arsenal Team
April 26, 2026
7 min read

Introduction

In a significant blow to transnational cybercrime, U.S. authorities have dismantled a massive fraud operation based in Myanmar, charging 29 individuals—including a Cambodian senator—with running a sophisticated financial fraud network targeting U.S. citizens. The operation, which utilized over 500 seized web domains, specialized in "pig butchering" scams (Sha Zhu Pan)—long-term social engineering campaigns where victims are lured into fake investment platforms.

For defenders, this isn't just a news story; it's an indicator of active infrastructure. The seizure of 500 domains highlights the scale of infrastructure used to facilitate these crimes. While the specific domains are now seized, the tactics, techniques, and procedures (TTPs) remain active threats. Security teams must hunt for similar patterns and harden their environments against these socially engineered financial attacks.

Technical Analysis

Threat Overview: This operation relied on the creation of fraudulent investment websites mimicking legitimate cryptocurrency and trading platforms. These sites were meticulously designed to build trust, ultimately allowing victims to deposit funds that could not be withdrawn.

Affected Products & Platforms:

  • Web Platforms: Fake investment/financial trading sites (primarily PHP/JS based, mimicking legitimate exchange UIs).
  • Communication Channels: WhatsApp, Telegram, and dedicated dating apps (initial attack vector).
  • Victims: Individuals using personal devices, though corporate assets are increasingly used for personal trading during work hours (BYOD risk).

Attack Chain & Exploitation:

  1. Initial Contact: Social engineering via messaging apps or dating sites (no technical vulnerability required).
  2. Trust Building: Victims are convinced to invest small amounts with guaranteed returns.
  3. Infrastructure: Victims are directed to the 500+ fake domains (e.g., secure-invest-platform[.]xyz).
  4. Exploitation: The "vulnerability" here is human trust, facilitated by look-alike domains and professional-grade web spoofs.
  5. Data Exfiltration/Fraud: Credentials and funds are transferred to wallets controlled by the threat actors.

Exploitation Status:

  • Status: Active. While this specific ring was busted, hundreds of similar operations exist. The 500 seized domains represent a snapshot of current infrastructure.
  • CISA KEV: While not a software CVE, this falls under active exploitation campaigns. Defenders should treat these domains and their TTPs as active threats.

Detection & Response

Defending against "pig butchering" requires a focus on network traffic patterns and domain categorization rather than malware signatures. We detect the infrastructure and the behavior.

SIGMA Rules

YAML
---
title: Potential Access to Fraudulent High-Risk Investment Domains
id: 89a2b123-c4d5-4e6f-a1b2-c3d4e5f67890
status: experimental
description: Detects network connections to domains containing investment-related keywords on high-risk TLDs commonly used in pig butchering scams and fraud. High-risk TLDs like .xyz, .top, .club are often used to host these sites at low cost.
references:
  - https://www.darkreading.com/cyber-risk/us-busts-myanmar-ring-targeting-us-citizens-financial-fraud
author: Security Arsenal
date: 2025/05/23
tags:
  - attack.initial_access
  - attack.social_engineering
  - attack.t1566
logsource:
  category: network_connection
  product: windows
detection:
  selection_keywords:
    DestinationHostname|contains:
      - 'invest'
      - 'crypto'
      - 'trade'
      - 'profit'
      - 'yield'
      - 'finance'
      - 'wallet'
      - 'coin'
      - 'token'
      - 'usdt'
  selection_risk_tld:
    DestinationHostname|endswith:
      - '.xyz'
      - '.top'
      - '.win'
      - '.bid'
      - '.loan'
      - '.trade'
      - '.club'
      - '.online'
      - '.site'
      - '.store'
  filter_legit:
    DestinationHostname|contains:
      - 'googleusercontent.com'
      - 'cloudfront.net'
      - 'azureedge.net'
  condition: selection_keywords and selection_risk_tld and not filter_legit
falsepositives:
  - Legitimate new crypto startups on alternative TLDs (rare in enterprise)
level: high
---
title: Suspicious Process Invoking Browser with Investment URL Pattern
id: 7f8e9d01-2c3a-4b5c-9d8e-0f1a2b3c4d5e
status: experimental
description: Detects command-line execution of browsers with URLs containing investment or crypto-related keywords, potentially indicating automated access or testing of fraudulent sites.
references:
  - https://attack.mitre.org/techniques/T1059/
author: Security Arsenal
date: 2025/05/23
tags:
  - attack.execution
  - attack.t1059.003
logsource:
  category: process_creation
  product: windows
detection:
  selection_img:
    Image|endswith:
      - '\chrome.exe'
      - '\msedge.exe'
      - '\firefox.exe'
  selection_cli:
    CommandLine|contains:
      - 'invest'
      - 'crypto'
      - 'binance'
      - 'coinbase'
      - 'metamask'
      - 'trust://'
  filter_legit:
    ParentImage|contains:
      - '\Program Files\'
      - '\Program Files (x86)\'
  condition: selection_img and selection_cli and not filter_legit
falsepositives:
  - Users manually launching trading sites
level: medium

KQL (Microsoft Sentinel / Defender)

KQL — Microsoft Sentinel / Defender
// Hunt for connections to domains matching investment fraud keywords on high-risk TLDs
// Look for high volume of requests or connections from unique endpoints
let HighRiskTLDs = dynamic(['.xyz', '.top', '.win', '.bid', '.loan', '.trade', '.club', '.online', '.site', '.store', '.shop']);
let FraudKeywords = dynamic(['invest', 'crypto', 'trade', 'profit', 'yield', 'finance', 'wallet', 'usdt', 'forex']);
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any(FraudKeywords)
| extend TLD = strcat('.', extract(@'^.*\.(.[^.]+)$', 1, RemoteUrl))
| where TLD in (HighRiskTLDs)
| summarize Count = count(), DeviceCount = dcount(DeviceId), make_list(RemoteUrl, 100) by RemoteUrl, ActionType
| where Count > 5 // Filter out single accidental hits
| project-reorder RemoteUrl, Count, DeviceCount, ActionType, list_RemoteUrl

Velociraptor VQL

VQL — Velociraptor
-- Hunt for browser history or DNS cache entries matching high-risk investment domains
-- This targets the artifact of user interaction with the fake investment infrastructure
LET RiskTlds = regex('\\.(xyz|top|win|bid|loan|trade|club|online|site|store)$')
LET InvestKeywords = regex('(invest|crypto|trade|profit|yield|finance|wallet|usdt)', ignore_case=TRUE)

SELECT * FROM foreach(
    row={
        SELECT FullPath, Mtime FROM glob(globs="/Users/*/Library/Application Support/Google/Chrome/Default/History")
        UNION ALL
        SELECT FullPath, Mtime FROM glob(globs="C:\Users\*\AppData\Local\Google\Chrome\User Data\Default\History")
    },
    query={
        SELECT URL, FullPath, Mtime
        FROM parse_sqlite(file=FullPath, query="SELECT url, last_visit_time FROM urls")
        WHERE URL =~ RiskTlds AND URL =~ InvestKeywords
    }
)

Remediation Script (PowerShell)

This script is designed to block a list of known fraudulent domains. While the specific 500 domains from this bust are seized, defenders should update the $FraudDomains list with active threat intelligence feeds related to investment fraud.

PowerShell
<#
.SYNOPSIS
    Block access to known fraudulent investment domains via Windows Firewall.
.DESCRIPTION
    Adds a block rule to Windows Firewall for a specified list of domains.
    Note: Domain blocking in Firewall is not supported directly; this script resolves 
    domains to IPs and blocks those IPs. It is intended for immediate emergency containment.
#>

param(
    [string[]]$FraudDomains = @(
        # Replace with the specific list of seized domains or active threat IOCs
        # Example placeholder values:
        "fake-invest-xyz.com",
        "secure-crypto-top.net" 
    ),
    [string]$RuleName = "Block-Investment-Fraud-Infrastructure"
)

$BlockedIPs = @()

Write-Host "[*] Resolving domains to IP addresses for blocking..." -ForegroundColor Cyan

foreach ($Domain in $FraudDomains) {
    try {
        $Addresses = [System.Net.Dns]::GetHostAddresses($Domain) | Select-Object -ExpandProperty IPAddressToString
        foreach ($IP in $Addresses) {
            if ($BlockedIPs -notcontains $IP) {
                $BlockedIPs += $IP
                Write-Host "[+] Resolved $Domain to $IP" -ForegroundColor Green
            }
        }
    }
    catch {
        Write-Host "[!] Could not resolve $Domain" -ForegroundColor Yellow
    }
}

if ($BlockedIPs.Count -gt 0) {
    Write-Host "[*] Updating Windows Firewall rule: $RuleName" -ForegroundColor Cyan
    
    # Remove existing rule if present to update it
    if (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue) {
        Remove-NetFirewallRule -DisplayName $RuleName
    }

    New-NetFirewallRule -DisplayName $RuleName `
                        -Direction Outbound `
                        -Action Block `
                        -RemoteAddress $BlockedIPs `
                        -Profile Any `
                        -Description "Block for identified investment fraud infrastructure." 
                        
    Write-Host "[+] Blocked $($BlockedIPs.Count) IP addresses associated with fraud domains." -ForegroundColor Green
} else {
    Write-Host "[!] No IP addresses resolved to block." -ForegroundColor Red
}

Remediation

1. Immediate Domain Blocking:

  • Action: Obtain the list of 500+ seized domains from the Department of Justice (DOJ) affidavit or seizure notices.
  • Implementation: Ingest these domains into your Secure Web Gateway (SWG), DNS Sinkhole (Cisco Umbrella, Cloudflare, etc.), and Proxy (Zscaler, Blue Coat). Set the action to 'Block'.

2. User Awareness & Reporting:

  • Action: Issue a security advisory to all employees highlighting the "Pig Butchering" scam.
  • Key Message: "Legitimate investment firms will not solicit you via WhatsApp, Telegram, or dating apps. Verify URLs strictly against official financial institution registrations (e.g., FINRA BrokerCheck)."

3. Network Segmentation & Policy:

  • Action: Enforce 'Acceptable Use' policies prohibiting access to personal crypto-trading sites and high-risk TLDs on corporate devices.
  • Configuration: Configure SWG to block 'Newly Registered Domains' (NRDs) or categories of 'High Risk' for general user populations, allowing exceptions only for specific business units.

4. Endpoint Hardening:

  • Action: Review and restrict the installation of unauthorized communication apps (Telegram, Signal, WhatsApp) on managed endpoints if not business-justified.

Related Resources:

  • DOJ Press Release (for domain list)
  • CISA Advisory (AA21-126) on Pig Butchering Scams

Related Resources

Security Arsenal Healthcare Cybersecurity AlertMonitor Platform Book a SOC Assessment healthcare Intel Hub

healthcare-cybersecurityhipaa-compliancehealthcare-ransomwareehr-securitymedical-data-breachpig-butcheringfinancial-fraudphishing

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action