{"id":12363,"date":"2025-10-09T05:55:14","date_gmt":"2025-10-09T12:55:14","guid":{"rendered":"https:\/\/blogs.infoblox.com\/?p=12363"},"modified":"2025-10-10T13:59:10","modified_gmt":"2025-10-10T20:59:10","slug":"pig-butchering-scams-and-their-dns-trail-linking-threats-to-malicious-compounds","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/pig-butchering-scams-and-their-dns-trail-linking-threats-to-malicious-compounds\/","title":{"rendered":"Pig Butchering Scams and Their DNS Trail: Linking Threats to Malicious Compounds"},"content":{"rendered":"

Author: Ma\u00ebl Le Touz and John W\u00f2jcik<\/strong><\/h3>\n

 
\nAfter uncovering Vigorish Viper in June of 2024, we kept following the DNS trail and have discovered dozens of other actors involved in illegal activities in Southeast Asia. While we spend our days knee-deep in domains related to these threats, there is a rich human story behind the scenes. This blog provides a sneak peek of what we\u2019ve learnt about the ecosystem surrounding illegal gambling in the region over the past 18 months.<\/p>\n

Background<\/h3>\n

Chinese-speaking criminal groups have been involved in gambling and the drug trade for decades, and have long had a footprint in Southeast Asia. In recent years, however, they have rapidly scaled up their involvement in cyber-enabled fraud, generating tens of billions of dollars in financial losses for victims around the world. In the United States alone, authorities reported more than USD $5.6 billion in financial losses to cryptocurrency scams in 2023, with an estimated USD $4.4 billion attributed to so-called \u201cpig butchering\u201d schemes most prevalent in Southeast Asia.1<\/sup> Regionally, countries in East and Southeast Asia combined have lost up to an estimated USD $37 billion to cyber-enabled fraud during that same year, according to latest available data, with much larger estimated losses being reported globally.2<\/sup><\/p>\n

Powerful criminal groups based out of Southeast Asia have quietly taken control of some of the most vulnerable parts of the region to conduct these industrial-scale operations, infiltrating or even establishing so-called Special Economic Zones (SEZs). In recent years, it has become clear that many of the region\u2019s SEZs, alongside casinos, hotels, and other business parks and property developments infiltrated by Asian crime syndicates, have evolved into sprawling citadels of organized crime\u2014lawless enclaves where scam centers, modern slavery, and illicit finance converge under the veneer of legitimate development.<\/p>\n

These zones, often touted as engines of economic growth, have emerged as fortress-like strongholds for sophisticated transnational Asian crime syndicates, complete with their own armed security, entertainment, criminal service providers, and more. Within their walls, entire industries of exploitation thrive: human trafficking pipelines feed captive workforces, high-tech fraud operations siphon billions from victims worldwide, blurring the boundaries between state authority and criminal enterprise while fundamentally reshaping the regional cyberthreat landscape. <\/p>\n

As these criminal enclaves continue to expand, investigators face steep challenges in disrupting them, thanks to fraud schemes like pig butchering and the fluid, decentralized networks behind them designed to evade detection at every level. This has not only allowed pig butchering to thrive in the blind spots of traditional threat hunting methods, but has allowed these operations to adapt and deliver fraud content at scale with remarkable speed. <\/p>\n

Schemes like pig butchering leave an unusually faint digital footprint: a single fraudulent website can be enough to siphon millions of dollars, and most victim outreach occurs through private messaging platforms, generating little public evidence to track. At the same time, while individual scams may not require deep technical sophistication, executing them at scale does\u2014demanding robust backend infrastructure and a broader criminal service ecosystem to identify and social engineer targets, sustain deception campaigns, streamline technical workflows, and launder vast volumes of illicit funds. <\/p>\n

In light of this, rather than listing domain names or crypto wallets, the below analysis serves as an introduction to a series of short releases focusing on pig butchering scams originating from Asia, highlighting how DNS can be used to track the criminal networks responsible and map out parts of their online infrastructure. <\/p>\n

Using this approach, we examine scam campaigns originating from two infamous compounds\u2014Laos\u2019 Golden Triangle Special Economic Zone (GTSEZ) and Myanmar\u2019s KK Park\u2014and offer insights into a recent high-profile case currently being prosecuted in the United States. In doing so, we also describe the tactics, techniques, and procedures (TTPs) the scammers have used to dupe their victims and set up their infrastructure. <\/p>\n

In both cases examined below, Infoblox has detected hundreds of near-identical websites registered and deployed by the criminals. That said, the criminal networks behind those campaigns remain active and continue to attract potential victims via social media and registration of new domains. <\/p>\n

What Is Pig Butchering?<\/h3>\n

Pig butchering, known in Chinese as \u201cSh\u0101 Zh\u016b P\u00e1n\u201d (\u6740\u732a\u76d8) is a prolonged investment fraud or long-con where criminals entice victims into depositing ever-larger sums into sham platforms and accounts, frequently tied to cryptocurrencies. It first took root in countries of East and Southeast Asia, where criminal groups have a long history of running sophisticated organized fraud operations. The term describes the process of \u201cfattening up\u201d victims with trust and false promises before ultimately \u201cslaughtering\u201d their savings. Here\u2019s how the scheme typically unfolds: <\/p>\n