📃Title: Cross-Border Cryptocurrency Investment Scam Leveraging Social Messaging Channels and Fake Regulatory Credentials
📅Date: 2026-02-02
🔗References:
🔖Rectifyq Taxonomies:
- relevancy: 🔴 Highly Relevant
- category: ⚔Threat
- sub-category: campaign-analysis
- topic: crypto-related
- target: broad-based
- MY-relevancy: relevant
- topic: mobile-attack
🔖MISP Galaxies:
- producer CloudSEK
- target-information="Malaysia"
- country="china"
- financial-fraud="Fake Website"
- financial-fraud="Phishing"
- financial-fraud="Compromised Account Credentials"
- financial-fraud="Compromised Personally Identifiable Information (PII)"
- financial-fraud="Virtual Currency Fraud"
- financial-fraud="Cryptocurrency Exchange"
- financial-fraud="Social Media Scams"
- financial-fraud="Fake App"
- financial-fraud="Scam"
- mitre-attack-pattern=[]
MISP event uuid: 020ceb62-7009-41fe-b22f-1ddd6806e4ea
Indicators of Compromise (IoCs)
type,value,comment
domain, zhguihc.com, 'cloned domain'
domain, zhguize.com, 'cloned domain'
hostname, rtqs.zhguiwe.com, ''
hostname, udesk.zhgui.com, 'Embeds Udesk customer service integrations'
ip-dst, 52.77.125.17, 'backend management consoles'
ip-dst, 188.114.96.3, 'replicate the scam login and investment page'
ip-dst, 172.67.191.67, 'replicate the scam login and investment page'
ip-dst, 104.21.84.186, 'replicate the scam login and investment page'
domain, zhgui.com, ''
ip-dst, 172.67.145.192, ''
domain, zhguiro.com, ''
ip-dst, 18.164.237.46, ''
domain, zhguiwd.com, ''
ip-dst, 18.164.246.64, ''
domain, zhguiyv.com, ''
ip-dst, 18.66.63.105, ''
domain, zhguitn.com, ''
ip-dst, 104.21.48.1, ''
domain, zhguivx.com, ''
ip-dst, 18.164.246.111, ''
domain, zhguimj.com, ''
domain, zhguioe.com, ''
ip-dst, 104.21.84.95, ''
domain, zhguiqt.com, ''
ip-dst, 172.67.149.149, ''
domain, zhguisp.com, ''
domain, zhguicx.com, ''
sha256, 1ca2e500f792fdce9128e8f26fd0a5c10b3f06f1047ce5217e5789db9b33681b, 'favicon hash; no sample in VT; last check: 09/02/2026'
url, https://www.knightkron.com, 'domains replicate identical ZHGUI interfaces'
url, https://www.sydmonet.com, 'domains replicate identical ZHGUI interfaces'
url, https://52.77.125.17/home/login, 'Presents an internal “Management Console” login page'
url, https://udesk.zhgui.com/, 'Exposes an end-user login page with Chinese-language error messages and the same JavaScript resources'
url, https://52.74.11.35/, 'Exposes an end-user login page with Chinese-language error messages and the same JavaScript resources'
ip-dst, 18.66.112.81, ''
hostname, rtqs.zhguibn.com, ''
ip-dst, 18.244.18.3, ''
url, https://1884145.s5.udesk.cn/im_client/?web_plugin_id=350&language=en-us&im_user_key=66666, ''
url, https://1884145.udeskglobal.com/sim, ''
email-src, support@zhgui.org, ''
url, https://msb.fincen.gov/msb.registration.letter.php?ID=28612373, ''
url, https://doc.zhgui.com/ZHGUI-Whitepaper-EN.pdf, ''
domain, zhguiqz.com, ''
url, https://www.wikifx.me/en/newsdetail/202510231334676397.html, ''
url, https://apps.apple.com/us/app/zhguige/id6747241718, ''
url, https://klse.i3investor.com/web/blog/detail/ZHGUIscam/2025-07-25-story-h499657939-ZHGUI_Exchange_Reminder_Beware_of_On_Chain_Data_Forgery_Traps_and_Stay_A, ''
url, https://www.zhgui.org, ''
url, https://www.facebook.com/ZHGUI.Official, ''
url, https://www.facebook.com/ZHGUI.Global/, ''
url, https://x.com/ZHGUI_, ''
url, https://x.com/ZHGUI_global, ''
url, https://t.me/lease_choobot, ''
url, https://www.facebook.com/share/p/1KCg4dA3k9/, ''
url, https://www.linkedin.com/posts/ivanblinde_web3-defi-innovation-activity-7337856604559634432-IjRC, 'LinkedIn Promotion Post (Likely Fraudulent)'
Full IOCs available in Rectifyq's MISP
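As an added example (not code from CloudSEK or Rectifyq), the script below ingests rows in the table's own "type,value,comment" layout, checks each MISP attribute type syntactically before anything is pushed to a blocklist, and pulls out the two pivots an analyst would want from this event: the cluster of lookalike apex domains built on the zhgui root, and URLs whose host is an IP the feed already lists as scam infrastructure (the management console on 52.77.125.17). The sample rows are copied from the table above; the hostname regex, the two-label apex heuristic and the `zhgui` root are assumptions made for the example.

```python
import csv
import io
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample in the page's layout: single-quoted comments, a space after each
# comma. Rows are copied from the table above; the full feed lives in Rectifyq's MISP.
SAMPLE_IOC_CSV = """type,value,comment
domain, zhguihc.com, 'cloned domain'
hostname, udesk.zhgui.com, 'Embeds Udesk customer service integrations'
ip-dst, 52.77.125.17, 'backend management consoles'
url, https://52.77.125.17/home/login, 'Presents an internal "Management Console" login page'
url, https://www.knightkron.com, 'domains replicate identical ZHGUI interfaces'
email-src, support@zhgui.org, ''
sha256, 1ca2e500f792fdce9128e8f26fd0a5c10b3f06f1047ce5217e5789db9b33681b, 'favicon hash'
"""

# Assumed validation rules; RFC-1123 style labels, no IP literals for domain/hostname rows.
HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)(?!-)[a-z0-9-]+(?<!-)(\.(?!-)[a-z0-9-]+(?<!-))+$", re.I)
SHA256_RE = re.compile(r"^[0-9a-f]{64}$", re.I)


def parse_iocs(text):
    """Parse the table layout: quotechar is a single quote, spaces after commas are skipped."""
    reader = csv.DictReader(io.StringIO(text), quotechar="'", skipinitialspace=True)
    return [{"type": r["type"].strip(), "value": r["value"].strip(),
             "comment": (r["comment"] or "").strip()} for r in reader]


def is_ip(s):
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False


def validate(ioc):
    """Syntactic check per attribute type; a malformed row is a feed defect, not a detection."""
    t, v = ioc["type"], ioc["value"]
    if t == "ip-dst":
        return is_ip(v)
    if t in ("domain", "hostname"):
        return bool(HOSTNAME_RE.match(v)) and not is_ip(v)
    if t == "url":
        p = urlparse(v)
        return p.scheme in ("http", "https") and bool(p.hostname)
    if t == "sha256":
        return bool(SHA256_RE.match(v))
    if t == "email-src":
        return "@" in v and bool(HOSTNAME_RE.match(v.rsplit("@", 1)[-1]))
    return False


def host_of(ioc):
    """Host carried by the value, or None for types without one (hashes, IPs)."""
    t, v = ioc["type"], ioc["value"]
    if t in ("domain", "hostname"):
        return v.lower()
    if t == "url":
        return (urlparse(v).hostname or "").lower() or None
    if t == "email-src" and "@" in v:
        return v.rsplit("@", 1)[-1].lower()
    return None


def apex(host):
    """Assumed heuristic: last two labels. Fine for .com/.org, wrong for ccSLDs like .com.my."""
    return ".".join(host.split(".")[-2:])


def lookalike_cluster(iocs, root="zhgui"):
    """Apex domains whose second-level label starts with the brand root (zhgui, zhguihc, ...)."""
    found = set()
    for ioc in iocs:
        h = host_of(ioc)
        if h and not is_ip(h):
            a = apex(h)
            if a.split(".")[0].startswith(root):
                found.add(a)
    return sorted(found)


def urls_on_listed_ips(iocs):
    """URLs whose host is a bare IP the feed already lists as ip-dst (same server, no DNS)."""
    ips = {i["value"] for i in iocs if i["type"] == "ip-dst"}
    return sorted(i["value"] for i in iocs
                  if i["type"] == "url" and (urlparse(i["value"]).hostname or "") in ips)


def group_by_type(iocs):
    groups = defaultdict(list)
    for ioc in iocs:
        groups[ioc["type"]].append(ioc["value"])
    return dict(groups)


if __name__ == "__main__":
    rows = parse_iocs(SAMPLE_IOC_CSV)
    bad = [r for r in rows if not validate(r)]
    print("rows:", len(rows), "malformed:", bad)
    print("lookalike cluster:", lookalike_cluster(rows))
    print("URLs on listed IPs:", urls_on_listed_ips(rows))
    for t, vals in group_by_type(rows).items():
        print(f"{t}: {len(vals)}")
```

The `skipinitialspace=True` setting is what makes the quoted comments parse: Python's csv reader only treats a quote as opening a field when it is the first character of the field, so without it the `'` after the comma would be read as literal text. Run `lookalike_cluster` over the full feed to get a single list of apex domains for a DNS RPZ or proxy blocklist; the entries that are only hostnames (udesk.zhgui.com, rtqs.zhguiwe.com) collapse onto their apex.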