Scam Awareness: Pig Butchering Scammers now in Tanzania.

Alameen Karim Merali
10 min read · Jul 1, 2024


Introduction

Investigative research shows that Pig Butchering scammers are now targeting rich Tanzanians around the country. The scams are mostly based out of Asian countries such as China, with money mules being used within Tanzania. These scams have been referenced by the United States Department of Justice and the Federal Bureau of Investigation, and are among the worst scams in history. NBC News and GovTech reports can be accessed by clicking the links.

Research:

Long ago, there were scammers who sent unsolicited text messages to people around the country asking to be sent money due to some issue, as seen below:

Victims receiving unsolicited texts from scammers asking them to pay them money through Mobile Money Transfer
Victim receiving unsolicited text from scammer asking the victim to pay them through Mobile Money Transfer

These scammers have now adopted a new tactic: collaborating with scammers from within the Asian circle (mainly the Chinese, in this matter) to operate Pig Butchering scams within the country, acting as their money mules. This article will uncover everything about these scammers from start to end, including the kinds of texts they send to lure their victims into the scam. This isn’t the first time I’ve documented information about such scams, so if you’d like to see another detailed article with much the same information as this one, I recommend you read this Medium article from my page, which covers the same scam played in a different way, whereby a Trojan virus was involved, all while documenting everything with a Federal Agent.

I would like to make it known that all the information within this article has been sent to the Tanzanian Police Force as well, so they are aware of the scammers and have their information at this very moment as this article is being published. Either way, let’s get to it.

OpSec Notice: While I have used my real name and identity throughout this conversation with these scammers, it is important not to do this in real-life situations where you are approaching scammers like these. The only reason I’m using my real identity is that I’m well-known and a public figure. Nonetheless, it is very important to understand that the methods carried out here are investigative and require a professional approach before attempting them. Do not try this at home.

Everything began when I first received this text from a scammer asking me to text a number on WhatsApp:

Scammer texting me about a job opportunity

The scammer’s text begins this way, by social engineering victims into believing they are signing up for a job. If you’ve posted online that you need a job, or have used a portal that has supposedly sold your data or had a data breach, this is where potential scammers can gather information in order to target individuals like you who are seeking a job. This seemed a little bit weird because this person was somehow asking me to work for them, according to how the text is structured, so I decided to text the number on WhatsApp and eventually ended up in a short conversation with a scammer asking me to contact their supposed Human Resources:

Screenshot of WhatsApp Chat Export

The screenshot above is of a WhatsApp exported conversation, fingerprinted with a timestamp and date and hashed to prove integrity before being sent to the Tanzanian Police. This is done to prove that the evidence has not been changed when the information is presented before a court of law. Screenshots are normally hard to prove before a court. Certain information has been redacted for my privacy, as has the scammer’s Telegram contact, with the name left visible.
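The integrity step described above, as an added example that is not part of the original article or the author's own tooling: a Python script that records a SHA-256 hash and a UTC timestamp for each exported file and later reports any file that no longer matches. The file name, the `collected_by` field and the sample chat line are constructed for illustration.

```python
import hashlib
import hmac
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path, chunk_size=65536):
    """Stream the file through SHA-256 so large exports are not loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(paths, collected_by):
    """Record name, size, SHA-256 and one UTC creation time for the evidence files."""
    return {
        "collected_by": collected_by,  # assumed field name, not a standard
        "created_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "files": [
            {"name": Path(p).name, "size": Path(p).stat().st_size,
             "sha256": sha256_file(p)}
            for p in paths
        ],
    }


def verify_manifest(manifest, directory):
    """Return the names of files that are missing or whose hash no longer matches."""
    failed = []
    for entry in manifest["files"]:
        path = Path(directory) / entry["name"]
        if not path.is_file() or not hmac.compare_digest(
                sha256_file(path), entry["sha256"]):
            failed.append(entry["name"])
    return failed


def demo():
    """Constructed sample: hash a fake chat export, then alter one character."""
    with tempfile.TemporaryDirectory() as tmp:
        export = Path(tmp) / "chat_export.txt"
        export.write_text("01/07/2024, 10:15 - Contact A: Are you looking for a job?\n")
        manifest = build_manifest([export], collected_by="investigator")
        before = verify_manifest(manifest, tmp)   # untouched file verifies
        export.write_text("01/07/2024, 10:15 - Contact A: Are you looking for a jab?\n")
        after = verify_manifest(manifest, tmp)    # one-character edit is detected
        return before, after


if __name__ == "__main__":
    print(demo())
```

Keep the manifest separate from the files it describes (for example, hand it to the receiving officer at the time of submission), since anyone able to edit both could recompute the hashes.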

As we can see from the above conversation, the scammer even asked me which phone number referred me to text them, and I mentioned the number. Now, to reveal the identities of the owners of both these numbers, I decided to use the M-Pesa App to check whose NIDA (National ID and Biometric Registration) is behind each SIM card, by looking up the numbers and retrieving the names from the ISP database:

We see the name Yona up here belonging to the number that texted me this supposed scam job opportunity
We see the name Catherine here tied to the number I was texting on WhatsApp.

While these names could be tied to both these scammers, it is important to note that scammers can sometimes perform identity fraud, asking innocent people who don’t know how to protect their identity to give out their fingerprints and register a SIM card for the scammers, so these scammers could even be pretending to be someone else. Nonetheless, from OSINT Industries, we see that the number is tied to an Instagram account as well:

OSINT Industries tool showing that the number is tied to Instagram

While the number is shown here, their privacy settings are likely restricting me from accessing their account via phone number, because I couldn’t find it. Nonetheless, a subpoena could be issued to Instagram and data could be requested for the number itself, or a subpoena could be sent to the ISP (Internet Service Provider, such as Vodacom, Airtel, etc.), which can send records and logs, but this is for the Police Force themselves to do. However, I ended up finding out that this is all a scam after the conversation in Telegram, as seen below:

As we can see from the above conversation, this is the full chat export between me and the scammer herself over Telegram. I eventually came to the conclusion that it was a scam after seeing the website they sent me to register on, and even noticed that the company the HR said they represent is different from the one “Alisher” supposedly brought up. Normally, what Pig Butchering scammers do is lure their victims into making a big investment on their crypto-currency platform, introduce them to crypto-currency (in this case, the scammer is using TRX, or Tron), then disappear with the victims’ money after they expect a return on the investment. The structure of the website is similar to the previously investigated website as well, which makes it identical to the scam itself. In addition, it appears that I wasn’t the only person who received such scams. You can check out this YouTube video (this is a different video from the one in the other article, so it would be beneficial to watch it as well to gain awareness of how these scams are escalating) from a scambaiter named PleasantGreen, who was lured into a similar scam playing out in a different manner and lost a few bucks to it. The scammer’s domain registrar is the same as that of multiple Pig Butchering scammers as well, as we can see from here:

Of course, if you’ve read my previous article and watched Benjamin’s (PleasantGreen’s) full YouTube video, you’ll see that the domain Gname isn’t really anything new to me, and it appears frequently in most Pig Butchering scams. Nonetheless, since the domain registrar doesn’t respond to emails requesting data on their customers due to potential illegal activities, it simply makes sense that these scammers are registered in a Bulletproof Domain, which is meant to bypass all DMCA (Digital Millennium Copyright Act) requests and makes them non-compliant with government requests and subpoenas due to their privacy agreement. However, we can come to the conclusion that the scammers aren’t Tanzanian-based, but are rather using people from Tanzania as money mules to get victims to contact scammers who are likely in Asian countries like China. The mules in Tanzania are likely getting paid in crypto-currency that the scammers take from the victims. The money that these mules dispatch to people, to motivate them to go deeper into the scam and invest more before the scammer takes the large sum, is likely sent through their M-Pesa using money which the scammer sends them. This makes sense because, if you’ve read my previous article on this same scam that took place in Nigeria, we see that it took place in the heart of China and the domain registrar exists within an Asian country as well, and we even confirmed that the domain is owned by Chinese people. The domain once again looks like this:

Other methods that these scammers use to lure their victims include text messages on WhatsApp and using numbers from different countries (also known as VoIP numbers, or these could very well be the scammers themselves texting you from their Asian numbers; in this case, I got texted from a number in Indonesia, as I’ll show below). We can see other examples of text messages I’ve received from such scammers as follows. It is also important to note that others may not even use a website. They just pretend to give you a job opportunity, then lure you into doing short tasks such as taking screenshots from YouTube and sending them, pay you for it through their mules over Telegram, then later ask you to make big investments and promise big money in return, but end up disappearing with the money. This, once again, is the entire theory behind the Pig Butchering scam. They entertain you, give you a little bit and gain your trust so that you put money into their platform, only to run away with your money in return:

We can see that the scam works by the scammers themselves offering job opportunities and claiming to have received information about the victims from sites such as LinkedIn and similar. It’s obviously not the first time, but if a person from LinkedIn wanted to hire you, they would have contacted you directly on LinkedIn, asked you to send a CV or another document such as a cover letter via email, or asked you to use their official portal for registering for jobs, rather than sending a message on WhatsApp. Nonetheless, we can see the Indonesian number above as well; as explained earlier, it is likely the scammer’s number. While the Indonesian number seems to retrieve nothing on OSINT Industries, the other number has some interesting information showing it’s tied to three different Facebook accounts:

Why Telegram?

Telegram has obviously become a large base for cyber-criminal operations throughout the years. Due to its capabilities of providing encryption, remote deletion and other tweaks which other apps don’t have, it makes it easy for cyber-criminals to perform their activities while staying anonymous. The main cause of scammers being caught is mostly lack of OpSec (Operational Security), which simply means that they don’t have control over the privacy of their sensitive information and disclose it to the public, which leads to them getting caught, among other ways. Yes, it’s even possible to track Dark Web marketplaces this way regardless of their encryption: as long as PII (Personally Identifiable Information) is exposed, an individual can be tracked, because that’s what PII is mainly used for, tracking an individual. The International Police (INTERPOL) analyse TTPs (Tactics, Techniques and Procedures) as well, performing profiling and other activities to identify an individual. We, cyber security experts and information security experts, do the same.

Conclusion:

To protect yourself against such scams, simply don’t respond to random text messages offering you a job opportunity without confirming with the original company first. Also, random texts asking you to text a Telegram account whose profile picture looks like that of an Asian lady are a big red flag. While these scams are on the rise all over the world, and highly target big investors who lose plenty of money in them, it is good to have the knowledge to prevent yourself from getting scammed this way. Always remember that any person sending texts claiming to have gotten your contact from LinkedIn should have first told you to email your CV, or used an online job portal for you to submit an offer letter and a CV, or simply would have contacted you directly on LinkedIn and offered a job in a descriptive manner, asking you to email them your CV. Any kind of job that is offered without a CV is obviously a red flag as well. Please stay safe and take care.


Alameen Karim Merali

CHFI | CompTIA | Cyber-Sec | OSINT | Medical | Social Engineering | Mobile Sec | Threat Intelligence | Threat Hunter | Bug Bounty Hunter | Cyber-Security Expert