Based on scam websites provided by pig butchering scam victims to GASO, we have conducted an analysis on common pig-butchering scam websites information. With the help of ScamAdviser, we conducted an investigation of 2076 scam websites, of which 1712 are still registered online.
Internet Service Providers
In order to be accessible online, a website needs to be hosted on a publicly-accessible server. While a private individual or company can choose their own computer to host the server, most commonly websites are hosted by a web hosting provider such as Google or Amazon, who can provide a host of professional web services for complex computing. When a site name is accessed, the Internet Service Provider of the source domain can often indicate the Web Host Provider. Although 247 uniquely-named ISPs were identified, a quick analysis of Internet Service Providers for each scam domain found CloudFlare, AliBaba, Amazon, Google and Namecheap to be among the most popular service providers for the servers hosting scam websites. CloudFlare, the most popular ISP, hosted 17.4% of all scam websites. CloudFlare, Amazon, Microsoft and Google, among the most popular American-based ISPs, make up approximately 29.8% of ISPs for servers hosting scam websites that are currently online (as of November 2021).
Many scam websites were hosted on multiple servers. We detected 599 scam websites with locations on US servers, whereas 375 sites were detected primarily in HK. Other common server locations were Singapore, Japan, and Malaysia. Although China has attempted to crack down on investment scams such as these, we detected 37 active scam websites still hosted on Chinese servers. Other server locations are European countries, Korea, Taiwan, South Africa, India, and Australia, among others.
A further analysis of the breakdown of affiliated autonomous systems (which may encompass more than one ISP) on 1085 websites confirms that CloudFlare, Amazon, Namecheap, Microsoft and Google family servers are the most popular for scam website hosting.
Notes: There are several ISPs with a registered autonomous system that holds fewer than 5000 websites. Some of these may be flagged as common hosts of scam websites and may be run by a private organization for scamming
*We define a small ISP here as one which hosts 2 or fewer scam websites:
Most popular cities for server location:
In order to be accessible to the public, a website must be registered with one of the several domain registrars. We found GoDaddy to be the predominant domain registrar for fraudulent broker websites, making up 58.6% of all fraudulent broker websites registered. The next two most popular domain registrars were NameCheap and NameSilo. There are over 900 recognized domain registrars in the world -- 116 of these are known to have registered a fraudulent broker website.
The individual or organization who registers a domain must report a country to which they belong. Top registration countries for reported scam websites are the United States, China, and Israel*, followed by Hong Kong, Taiwan and Malaysia.
*To note, victims also reported "scam recovery" firms, many of which are based in Israel
Lastly, ScamAdviser provides information on detected number of page views, which is detected by the number of full page loads. Based on this information, we gathered the 30 most popular fraudulent broker websites in page views. The top three domains are hosted by American-based web hosts, with kriptofuture.com hosted by Microsoft, etherconnect.com hosted by Amazon, and safir.com. Kriptofuture, Etherconnect and Safir have been reported as Ponzi scheme crypto scams or the like (MLMs) [1, 2, 3, 4, 5, 6]. Kriptofuture was accessible at the time of analysis but as of posting is no longer online.
Existing Website Registration
Of the fraudulent broker websites currently in operation, we tracked their date of registration and graphed here. The graph helps illustrate the effectiveness of reporting to GASO. Since our establishment in July 2020, an increasing number of new fraudulent broker website registrations have been recorded and posted to prevent additional victims.