Full Report
Cybersecurity researchers have shed light on two service providers that supply online criminal networks with the necessary tools and infrastructure to fuel the pig butchering-as-a-service (PBaaS) economy. At least since 2016, Chinese-speaking criminal groups have erected industrial-scale scam centers across Southeast Asia, creating special economic zones that are devoted to fraudulent investment
Analysis Summary
# Threat Actor: Penguin Account Store (PBaaS Provider)
## Attribution & Identity
**Identification:** A service provider operating under a Crimeware-as-a-Service (CaaS) model that fuels "pig butchering-as-a-service" (PBaaS) operations.
**Aliases:** Heavenly Alliance, Overseas Alliance.
**Known Associations:** Operates within the broader ecosystem of Chinese-speaking criminal groups that have established industrial-scale scam centers in Southeast Asia (e.g., the Golden Triangle Special Economic Zone, GTSEZ). Associated with the BCD Pay payment platform, which links to Bochuang Guarantee (博创担保).
## Activity Summary
Penguin Account Store supplies necessary tools and infrastructure to online criminal networks engaging in Pig Butchering (romance baiting) and fraudulent investment scams. They provide ready-made applications, templates, and datasets to significantly lower the barrier to entry for running scalable social engineering operations. This activity supports organized crime operating out of compounds in Southeast Asia, which lure thousands of victims with false job promises.
## Tactics, Techniques & Procedures
- **Provision of Fraud Kits:** Selling pre-packaged tools for launching scalable operations.
- **Data Brokerage:** Offering "shè gōng kù" (社工库, literally "social engineering database") datasets comprising stolen personal information, primarily on Chinese citizens.
- **Social Media Account Provision:** Selling bulk pre-registered accounts for platforms like Twitter, Tinder, YouTube, Snapchat, Facebook, Instagram, Apple Music, OpenAI ChatGPT, Spotify, and Netflix.
- **Specialized Hardware Provision:** Supplying bulk pre-registered SIM cards, 4G or 5G routers, and IMSI catchers.
- **Identity Deception:** Providing "character sets" (packages of stolen pictures) used to entrap victims.
- **Automated Victim Engagement:** Developing and advertising a Social Customer Relationship Management (SCRM) platform named **SCRM AI** to facilitate automated initial communication with targets.
- **Financial Facilitation:** Advertising **BCD Pay**, an anonymous peer-to-peer (P2P) payment solution rooted in the illegal online gambling space, used for laundering stolen cryptocurrency proceeds.
## Targeting
**Sectors:** Not explicitly detailed, but supports fraudulent investment and impersonation operations.
**Geography:** Operations are based in Southeast Asia (scam compounds), with stolen data primarily targeting **Chinese** citizens, and services sold globally to criminal networks.
**Victims:** Targets are individuals lured into financial scams (pig butchering victims) facilitated by the criminal groups using Penguin's services.
## Tools & Infrastructure
- **Proprietary Platforms:** **SCRM AI** (Social CRM platform).
- **Financial Services:** **BCD Pay** (P2P payment platform).
- **Infrastructure:** Bulk pre-registered SIM cards, 4G/5G routers, IMSI catchers.
- **Data:** Stolen PII ("shè gōng kù" datasets) and account credentials for numerous major social media/tech platforms.
## Implications
The existence and commercial availability of PBaaS providers like Penguin Account Store dramatically industrialize fraud. By offering turnkey solutions (data, infrastructure, engagement tools, and money laundering channels), they lower the technical and financial barrier to entry, enabling more widespread and sophisticated execution of romance and investment scams on an industrial scale. This shift represents a significant supply chain risk for organized cybercrime.
## Mitigations
- **Stricter Monitoring of Data Broker Markets:** Enhanced monitoring and disruption efforts targeting known data marketplaces selling high volumes of verified/aged social media accounts or PII subsets.
- **Financial Tracking:** Scrutinizing obscure, P2P cryptocurrency transfer services advertising links to known illicit domains or guarantors (like Bochuang Guarantee).
- **IMSI Catcher/SIM Card Monitoring:** Network providers should enhance detection capabilities for bulk unregistered or bulk provisioned SIM usage patterns atypical of legitimate consumer behavior.
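The last mitigation is the one a carrier's fraud team can actually turn into telemetry rules. The following added example (not from the report, and not any carrier's production logic) shows two heuristics over a constructed SIM activation log: a registrant identity that activates many SIMs inside a short window, and a single device IMEI that attaches with many distinct ICCIDs, the usage signature of a SIM farm or a router cycling through bulk-provisioned cards. The record format, field names and thresholds are assumptions chosen for illustration.

```python
"""Flag bulk SIM provisioning and SIM-farm attach patterns in activation telemetry.

Added example. The CSV layout (timestamp, registrant id, ICCID, IMEI of the
first device that attached) and the thresholds are assumptions for illustration,
not a format any carrier or the report itself uses.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed activation log: REG-A provisions six SIMs in 25 minutes on one
# device; REG-B is a normal customer; REG-C activates three SIMs on one router.
ACTIVATIONS = """\
2024-05-01T09:00:00,REG-A,ICCID-0001,IMEI-100
2024-05-01T09:03:00,REG-A,ICCID-0002,IMEI-100
2024-05-01T09:07:00,REG-A,ICCID-0003,IMEI-100
2024-05-01T09:12:00,REG-A,ICCID-0004,IMEI-100
2024-05-01T09:20:00,REG-A,ICCID-0005,IMEI-100
2024-05-01T09:25:00,REG-A,ICCID-0006,IMEI-100
2024-05-02T11:00:00,REG-B,ICCID-0101,IMEI-200
2024-05-09T16:30:00,REG-B,ICCID-0102,IMEI-201
2024-05-03T08:00:00,REG-C,ICCID-0201,IMEI-300
2024-05-03T08:01:00,REG-C,ICCID-0202,IMEI-300
2024-05-03T08:02:00,REG-C,ICCID-0203,IMEI-300
"""


def parse_activations(text):
    """Parse the constructed CSV layout into a list of dicts."""
    records = []
    for line in text.strip().splitlines():
        ts, registrant, iccid, imei = line.split(",")
        records.append({
            "ts": datetime.fromisoformat(ts),
            "registrant": registrant,
            "iccid": iccid,
            "imei": imei,
        })
    return records


def bulk_registrants(records, window=timedelta(hours=24), threshold=5):
    """Return {registrant: peak activations inside any `window`} for every
    registrant that activated at least `threshold` SIMs within one window.
    Uses a sliding window over the sorted activation times per registrant."""
    by_registrant = defaultdict(list)
    for r in records:
        by_registrant[r["registrant"]].append(r["ts"])
    flagged = {}
    for registrant, stamps in by_registrant.items():
        stamps.sort()
        peak, start = 0, 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[registrant] = peak
    return flagged


def sim_farm_devices(records, threshold=3):
    """Return {imei: distinct ICCID count} for devices that attached with at
    least `threshold` different SIMs (one handset or router cycling SIMs)."""
    iccids_per_device = defaultdict(set)
    for r in records:
        iccids_per_device[r["imei"]].add(r["iccid"])
    return {imei: len(s) for imei, s in iccids_per_device.items() if len(s) >= threshold}


def triage(text):
    """Run both heuristics over a raw activation log and return the hits."""
    records = parse_activations(text)
    return {
        "bulk_registrants": bulk_registrants(records),
        "sim_farm_devices": sim_farm_devices(records),
    }


if __name__ == "__main__":
    for signal, hits in triage(ACTIVATIONS).items():
        print(signal, hits)
```

The two signals are deliberately independent: REG-C stays under the per-registrant activation threshold, but its router (IMEI-300) is still caught by the distinct-ICCID rule, which is the kind of pattern a 4G/5G router loaded with pre-registered cards produces. In production the thresholds would be calibrated against the carrier's own baseline for dealers and enterprise accounts, which legitimately provision in bulk and need an allow-list rather than an alert.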