Introduction

In 2025, Australians lost $837.7 million to investment scams — the single highest-loss fraud category in the country, representing over a third of the $2.18 billion in total scam-related losses reported across all agencies. In the United States, the picture is even starker: consumers reported $7.9 billion in losses to investment scams, with a median individual loss exceeding $10,000. These figures, drawn from the Australian Competition and Consumer Commission (ACCC) and the U.S. Federal Trade Commission (FTC), point to a problem that is growing in both scale and sophistication.

What was once the domain of isolated confidence operators has evolved into something far more organized. The threat actors behind today’s investment scams deploy deepfake technology to impersonate well-known financial professionals, build geo-targeted social media advertisements that vanish within hours, coordinate victim buying and the unwitting manipulation of real stocks through WhatsApp groups, and operate a network of over 200 connected fake investment platforms designed to steal cryptocurrency deposits. These are not opportunistic crimes; they are industrial-scale operations.

This blog highlights the key findings from a comprehensive Group-IB investigation into two prevalent investment scam typologies currently targeting individuals across Australia and the United States: a social media-driven pump-and-dump scheme manipulating real stock prices on legitimate exchanges, and an extensive network of fraudulent cryptocurrency investment platforms with an estimated revenue exceeding $187 million. The investigation also examines how a Cyber Fraud Fusion (CFF) approach — unifying threat intelligence, digital risk protection, fraud prevention, and investigation capabilities — can predict and disrupt these operations before they reach scale.

The full technical report on both Social Media Pump-and-Dump and Fake Cryptocurrency Investment schemes, including detailed attack chain analysis, threat actor profiles, on-chain cryptocurrency tracing, and complete CFF defence scenarios, can be accessed here.

Key Discoveries

  • Threat actors impersonate well-known financial professionals using deepfake technology and geo-targeted social media advertisements to funnel victims into WhatsApp-based coordination groups.
  • Over 20 fake WhatsApp accounts impersonating a single Australian economist were identified during this investigation, suggesting centralized control by an organized group.
  • Both Australian (+61) and US (+1) registered phone numbers were observed operating similar pump-and-dump schemes, indicating cross-jurisdictional threat actor involvement.
  • Analysis of a NASDAQ-listed stock recommended by threat actors demonstrates that a coordinated inflow of $1.5M–$3M — achievable with as few as 500–3,000 victims — can produce a 12.4% price movement in a small-cap equity.
  • Graph analysis of one confirmed fake investment platform reveals connections to 23 contact-linked and 208 IP-linked fraudulent domains, with an estimated combined revenue exceeding $187 million.
  • Threat actors transfer stolen cryptocurrency directly to KYC-compliant centralized exchanges without obfuscation, creating potential investigative leverage for law enforcement.

Who may find this blog interesting:

  • Fraud and risk management teams at financial institutions
  • Cybersecurity analysts and corporate security teams
  • Threat intelligence specialists and cyber investigators
  • Regulatory and compliance professionals (ASIC, ACCC, SEC, FINRA)
  • Trading platform security and surveillance teams

Group-IB Threat Intelligence Portal

Group-IB customers can access our Threat Intelligence portal for more information about the following two threat actors described in this blog:

Threat Actor Profile

When Your Stock Tip Is Weaponized: Social Media Pump-and-Dump

A Facebook advertisement appears on your feed featuring a respected Australian economist — someone you may have seen on financial news broadcasts. The ad promises access to high-quality stock recommendations. You click. Within seconds, you are redirected to a WhatsApp contact impersonating that very economist, ready to guide you toward your next investment.

Except none of it is real. The advertisement was created using deepfake technology. The economist’s name, likeness, and credentials have been stolen. The WhatsApp account is one of more than 20 fake personas identified during Group-IB’s investigation — all impersonating a single public figure, all utilising Australian-registered phone numbers, and all operating under what appears to be centralized control by an organized group. US-registered phone numbers were also observed, indicating cross-jurisdictional involvement.

Figure 1. Examples of WhatsApp accounts impersonating public figures offering stock advice.

The advertisements are deliberately short-lived — sometimes active for only a few hours — and employ geo-targeted redirection: Australian IP addresses are funnelled to the WhatsApp contacts, while non-Australian IPs are redirected to legitimate websites. This concentrates victims within the target demographic and complicates cross-jurisdictional investigation.

Once inside the WhatsApp coordination group, victims receive precise trading instructions: buy a specific stock at a specific price on a legitimate trading platform. Provide a screenshot as proof of purchase. Wait for the target selling price. The social dynamics within the group — populated with shill accounts posting fabricated profits — suppress scepticism and create collective momentum.

Figure 2. Examples of WhatsApp coordination groups for the pump-and-dump scheme.

The mechanics are straightforward: the coordinated buying pressure inflates the stock price. The threat actors, who pre-positioned their holdings at lower prices, sell into this artificial demand. The stock peaks, the operators exit, and the price collapses — leaving victims holding devastating losses.

How feasible is this? Group-IB analysis of one targeted NASDAQ-listed stock demonstrated that it is alarmingly achievable. In this particular observed instance, the threat actor instructed victims to buy at $24.79 per share on November 6, 2025, with a target price of $29.00. The stock reached a peak of $27.87 (+12.4%) before collapsing to $14.27 — a 42.4% decline from entry. The estimated coordinated capital required to produce this movement: $1.5 million to $3 million. At $1,000 per victim, that equates to 1,500–3,000 participants — a figure well within the reach of an organized scam operation running multiple WhatsApp/Telegram groups.

At higher per-victim investments ($5K–$10K, which is common among engaged victims), as few as 150–600 victims could generate sufficient buying pressure. A single well-run WhatsApp group holds up to 1,024 members; two to three such groups would be sufficient to coordinate the required buying pressure. The barrier to executing a pump-and-dump on a real exchange-listed stock is far lower than most people assume.

The $187 Million Platform Network: Fake Cryptocurrency Investment Schemes

The second scheme operates on a longer timeline but at a far greater scale. Victims are directed — through SEO-optimized search results, social media advertisements, romance scams, or referral schemes — to professional-looking investment platforms that display fabricated returns, offer tiered “investment plans” with mathematically unsustainable daily returns, and accept only cryptocurrency for deposits.

These platforms are engineered to pass scrutiny. They feature polished homepage layouts, fabricated user statistics, live transaction feeds, and in some cases, fake ASIC (Australian Securities and Investments Commission) registration numbers. Some impersonate legitimate Australian financial services providers — replicating not just their branding, but their actual business workflows. Victims complete fake KYC processes (which double as personal data harvesting), make deposits, and see their portfolios showing consistent, impressive returns. Small early withdrawals may even be permitted to build confidence.

Figure 3. Example of a fake investment platform, https://tethergloballtd[.]com/
When victims attempt to withdraw larger sums, the platform deploys systematic obstruction: tax demands, compliance charges, mandatory account upgrades, technical errors — each condition met only to be replaced by another. No legitimate withdrawal pathway exists. When the platform eventually disappears, victims may be contacted by a “recovery firm” — often run by the same operators — offering to retrieve lost funds for an upfront fee. This coordinated two-step scam can cause victims to be defrauded twice.

The scale of this operation is where the investigation yields its most significant finding. Group-IB Graph analysis of one confirmed fake investment platform — tethergloballtd[.]com — reveals that it shares identical contact information (name, email, phone, address) with 23 other fraudulent platforms, and shares the same hosting IP address with 208 additional domains. Multiple platforms also share remarkably similar design templates, confirming shared development resources and a common operator. The strategic rationale is twofold: operational resilience (if platforms are taken down, the rest continue) and revenue maximisation (multiple brand identities expand the victim pool).
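The contact and hosting-IP pivoting described above, as an added illustration that is not Group-IB's own tooling or data: the records below are constructed (the domains, contact details and IP addresses are placeholders, not indicators from the investigation), and the functions report direct contact-linked and IP-linked domains from a seed plus a bounded transitive expansion.

```python
"""Infrastructure pivoting over domain footprint records (added example)."""
from collections import defaultdict, deque

CONTACT_FIELDS = ("name", "email", "phone", "address")

# Constructed sample records: one row per domain, mimicking the registrant
# contact block and hosting IP a platform footprint exposes. All values are
# placeholders, not indicators from the report.
RECORDS = [
    {"domain": "seed-platform.example", "name": "J Doe", "email": "ops@mail.example",
     "phone": "+61400000001", "address": "1 Fake St", "ip": "203.0.113.10"},
    {"domain": "platform-b.example", "name": "J Doe", "email": "Ops@Mail.Example",
     "phone": "+61400000001", "address": "1 Fake St", "ip": "203.0.113.11"},
    {"domain": "platform-c.example", "name": "A N Other", "email": "other@mail.example",
     "phone": "+61400000002", "address": "2 Other Rd", "ip": "203.0.113.10"},
    {"domain": "platform-d.example", "name": "Third", "email": "third@mail.example",
     "phone": "+61400000003", "address": "3 Third Ave", "ip": "203.0.113.11"},
    {"domain": "unrelated.example", "name": "Nobody", "email": "nobody@mail.example",
     "phone": "+61400000009", "address": "9 Far Away", "ip": "198.51.100.5"},
]


def build_index(records):
    """Map each pivot key ('contact:...' or 'ip:...') to the domains sharing it."""
    index = defaultdict(set)
    for rec in records:
        # Identical contact block (name, email, phone, address), normalised.
        contact = "contact:" + "|".join(rec[f].strip().lower() for f in CONTACT_FIELDS)
        index[contact].add(rec["domain"])
        index["ip:" + rec["ip"]].add(rec["domain"])
    return index


def keys_for(domain, index):
    return [k for k, doms in index.items() if domain in doms]


def direct_links(seed, records):
    """Domains one pivot away from seed, split by link type (contact vs IP)."""
    index = build_index(records)
    out = {"contact": set(), "ip": set()}
    for key in keys_for(seed, index):
        out[key.split(":", 1)[0]] |= index[key] - {seed}
    return out


def expand(seed, records, max_hops=2):
    """Breadth-first expansion over shared keys; returns {domain: hops from seed}."""
    index = build_index(records)
    hops = {seed: 0}
    queue = deque([seed])
    while queue:
        cur = queue.popleft()
        if hops[cur] >= max_hops:
            continue
        for key in keys_for(cur, index):
            for nxt in index[key]:
                if nxt not in hops:
                    hops[nxt] = hops[cur] + 1
                    queue.append(nxt)
    return hops
```

Shared-IP links are weaker evidence than an identical contact block (shared hosting is common), so a bounded hop count keeps the cluster reviewable.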

Figure 4: Group-IB Graph analysis shows the extensive crypto investment scam network linked to a single host IP.

Figure 5: Zooming in also reveals the shared contact information with 23 other fraudulent platforms.

On-chain cryptocurrency analysis of the single confirmed platform identified over $90,000 USD in deposits across BTC, ETH, and USDT-TRC20 addresses active since 2022. Extrapolating this number across all 208 connected platforms yields an estimated total revenue of approximately $187 million USD. And this represents only one identified cluster — the actual scale is likely significantly larger.

A New Approach: Cyber Fraud Fusion

These schemes expose a fundamental problem with current defences: the attack chains span social media, messaging apps, trading platforms, and cryptocurrency exchanges, but each of these industries monitors its own domain in isolation. Banks have limited visibility into social media activity. Trading platforms cannot detect coordination in messenger groups. Cryptocurrency exchanges struggle to distinguish victim deposits from legitimate transactions without external intelligence.

The Cyber Fraud Fusion (CFF) approach addresses this by unifying cybersecurity capabilities — Digital Risk Protection (DRP) and Threat Intelligence (TI) — with fraud prevention capabilities — Fraud Protection (FP) and the Cyber Fraud Intelligence Platform (CFIP) — and Investigation services into a single coordinated framework. Each capability’s output feeds the next: DRP detects fraudulent advertisements and platform infrastructure; TI maps the threat actor’s financial flows and digital footprint; FP monitors transactions at the client level; CFIP distributes intelligence across institutions in real time; and Investigation traces stolen funds to identifiable individuals.

Applied to the pump-and-dump scheme, this means detecting and taking down deepfake advertisements before they reach victims, alerting trading platforms that a specific stock is being promoted fraudulently, and identifying the operators behind the WhatsApp coordination groups. Applied to the fake platform network, this means exposing all 208 connected domains from a single detection, flagging threat actor cryptocurrency addresses at every member exchange before deposits can be laundered, and leveraging the unobfuscated cash-out pattern to identify the real individuals receiving the funds.

Traditional approaches to investment fraud are reactive — they identify and report incidents after funds have been lost. CFF reverses this dynamic, enabling the financial ecosystem to act at the earliest stage of detection rather than the latest stage of loss. Group-IB’s full technical report provides detailed CFF defence scenarios for each scheme.

Conclusion

The two investment scam schemes examined in this investigation share a common and critical characteristic: fraudsters do not target technical security — they target trust. Whether through the impersonation of respected financial professionals, the exploitation of legitimate trading platforms, or the construction of fraudulent platforms that are nearly indistinguishable from real ones, these schemes succeed by positioning themselves precisely where trust already exists and redirecting it.

Existing controls — regulatory warnings, platform moderation, consumer education — are necessary but demonstrably insufficient against an adversary that operates at an industrial scale, with cross-jurisdictional reach and a deep understanding of human psychology. The Cyber Fraud Fusion approach offers a model for the new architecture of defence: one that matches the coordination of the attackers with equivalent coordination among defenders. The architecture of deception is sophisticated. The architecture of defence must be more so.

The full technical report on both Social Media Pump-and-Dump and Fake Cryptocurrency Investment schemes, including detailed attack chain analysis, threat actor profiles, on-chain cryptocurrency tracing, and complete CFF defence scenarios, can be accessed here.

Recommendations

For trading platforms, exchanges and financial institutions:

  • Deploy a real-time brand protection service with AI-driven detection and automated enforcement mechanisms that can effectively dismantle fraudulent infrastructure before it reaches scale, such as Group-IB’s Digital Risk Protection platform.
  • Proactively monitor accounts that exhibit patterns consistent with pump-and-dump mechanics, such as unusual coordinated buying or investment scam cash-out tactics.
  • Implement alert mechanisms for clients making cryptocurrency purchases from or transferring funds to identified fraudulent platforms.
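One way a trading platform could surface the coordinated-buying pattern from the second recommendation, as an added example (not Group-IB's or any platform's code): the orders are constructed, and the thresholds (window, minimum distinct accounts, price tolerance) are assumed tuning parameters. It flags a symbol when many distinct accounts place buy limit orders at nearly the same price within a short window, the signature of a group following a single "buy at $X" instruction.

```python
"""Coordinated-buying alert over a constructed order stream (added example)."""
import statistics
from collections import defaultdict

# Constructed orders: (timestamp_seconds, account_id, symbol, side, limit_price).
# The $24.79 level mirrors the instructed price in the case study; accounts
# and symbols are placeholders.
ORDERS = [
    (0, "A1", "XYZ", "BUY", 24.79),
    (5, "A2", "XYZ", "BUY", 24.79),
    (9, "A3", "XYZ", "BUY", 24.80),
    (14, "A4", "XYZ", "BUY", 24.79),
    (20, "A5", "XYZ", "BUY", 24.78),
    (25, "A1", "XYZ", "BUY", 24.79),   # repeat order: same account, must not inflate count
    (3000, "A9", "ABC", "BUY", 10.00),
    (3100, "A8", "ABC", "SELL", 10.10),
    (3200, "A7", "ABC", "BUY", 12.00),  # two buyers, prices far apart: no alert
]


def coordinated_buy_alerts(orders, window=60, min_accounts=5, price_tol=0.01):
    """Return one alert per symbol where >= min_accounts distinct accounts placed
    BUY limit orders within `window` seconds, all within price_tol (fraction)
    of the window's median limit price. Thresholds are assumed, not from the report."""
    buys = defaultdict(list)
    for ts, acct, sym, side, px in orders:
        if side == "BUY":
            buys[sym].append((ts, acct, px))
    alerts = []
    for sym, rows in buys.items():
        rows.sort()
        lo = 0
        for hi in range(len(rows)):
            # Slide the window start forward until it spans at most `window` seconds.
            while rows[hi][0] - rows[lo][0] > window:
                lo += 1
            span = rows[lo:hi + 1]
            accounts = {a for _, a, _ in span}
            if len(accounts) < min_accounts:
                continue
            prices = [p for _, _, p in span]
            ref = statistics.median(prices)
            if max(abs(p - ref) for p in prices) / ref > price_tol:
                continue  # distinct buyers but no common price target
            alerts.append({"symbol": sym, "accounts": len(accounts),
                           "start": span[0][0], "end": span[-1][0], "ref_price": ref})
            break  # first qualifying window is enough for triage
    return alerts
```

In production the alert would be enriched with external intelligence (for example, a symbol already seen promoted in a fraudulent advertisement) before any customer-facing action.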

For individuals:

  • Verify investment platform or advisor credentials through official regulatory registers.
  • Be sceptical of unsolicited stock or investment recommendations, particularly when received via social media or messaging applications.
  • Research any stock or investment opportunity independently. If the advertised returns seem too good to be true, the opportunity is probably a scam.
  • Proactively report suspected fraudulent URLs, messages or apps to the relevant authorities and organizations.

For the ecosystem:

Improve early threat prediction and proactive blocking before loss occurs by deploying a national collaborative cyber fraud intelligence framework, such as the Group-IB Cyber Fraud Intelligence Platform (CFIP). Such a framework enables secure sharing of risk signals and suspicious data between participating organizations, such as financial institutions, without exposing PII, using patented GDPR-compliant tokenization.

Acknowledgment of research support:

Zafar Astanov, Deputy Head of Fraud & Financial Crime Solutions BU
Vladimir Kalugin, Operational Director
Dmitry Pisarev, Product Manager, Fraud Intelligence
Nikita Rostovtsev, Technical Head
Jia Hwei Soh, Head of the High-Tech Crime Investigation Department, APAC

Frequently Asked Questions (FAQ)

What are pump-and-dump schemes?

A pump-and-dump is a manipulation tactic where fraudsters use coordinated buying to artificially inflate a real stock’s price before selling their own shares at the peak, leaving victims at a loss with severely devalued assets.

What techniques are used by fraudsters in the social media pump-and-dump?

Fraudsters deploy deepfake videos of financial experts and geo-targeted social media ads to funnel victims into private WhatsApp groups where they are pressured by shill accounts to follow specific trading instructions.

How does the fake cryptocurrency investment scheme work?

This scheme utilizes professional-looking websites that display fabricated returns to lure users into depositing cryptocurrency, only to systematically block future withdrawals with layers of fake red tape before the platform eventually vanishes.

How are victims defrauded twice?

Victims of an initial scam are often targeted a second time by “recovery firms” — operated by the original fraudsters — who charge upfront fees under the false promise of retrieving the stolen funds. They too will disappear after payment is made.

Group-IB Fraud Matrix

Social Media Pump-and-Dump Scheme:

Fake Cryptocurrency Investment Scheme:

DISCLAIMER: All technical information, including indicators of compromise and infrastructure details provided in this publication, is shared solely for defensive cybersecurity and research purposes. The data and conclusions represent analytical assessments based on available evidence and are intended to help organisations detect, prevent, and respond to investment fraud threats.

This blog may reference legitimate third-party services such as WhatsApp, Facebook, and others, solely to illustrate cases where threat actors have abused or misused these platforms. All companies named as victims of impersonation — including EverQuote, Inc. — are legitimate entities not implicated in any fraud.

All trademarks referenced herein are the property of their respective owners and are used solely for informational purposes, without any implication of affiliation or sponsorship.