SecureLeaf Fraud Intelligence Advisory
ADV-2025-003 — Multi-Domain Investment Fraud Network (BCBit / BCBitPro)
1. Executive Summary
SecureLeaf Intelligence has identified a coordinated, multi-domain cryptocurrency scam
network operating under the names BCBit and BCBitPro.
The network exhibits all markers of a modern “pig-butchering” (romance scam + investment scam)
investment fraud operation, including engineered emotional manipulation, fake
trading dashboards, forced “top-ups,” and complete withdrawal refusal once
victims deposit funds.
This advisory consolidates technical evidence across multiple domains, credential
capture interfaces, PDF-based forensic analysis, and NLP-driven linguistic mapping.
2. Affected Domains & Infrastructure
Malicious domains confirmed:
- bcbitpro.cc — Previously active, now NameSilo parking, used as SMTP domain for email verification
- bcbit.vip — Active fake login interface - Neutralized 2025-12-10 (Gname GW2025120306206365 - Client Hold)
- communityofcrypto.com — Recruitment funnel masquerading as a “crypto blog”
- m.bcbitfx.com — Carbon copy of 'bcbit.vip' - Neutralized 2025-12-16 (Gname GW2025121105398006 - Client Hold)
- m.bcbitfx.vip — Carbon copy of 'bcbit.vip' - Neutralized 2025-12-16 (Gname GW2025121105398006 - Client Hold)
- m.bcbit-ex.com — (Registered 2025-12-17) — Carbon copy of 'bcbit.vip' - Neutralized 2025-12-21 (Gname GW2025121804077998 - Client Hold)
- m.bcbit-exussvip.net — (Registered 2025-12-22) — Carbon copy of 'bcbit.vip' - Neutralized 2025-12-22 (Gname GW2025122303114927 - Client Hold)
- m.bcbit.cc — (Registered & Parked since 2025-05-14) — Carbon copy of 'bcbit.vip' - Neutralized 2025-12-28 (Gname GW2025122410034012 - Client Hold)
- m.bcbitexchange.net — (Registered 2025-12-23) — Carbon copy of 'bcbit.vip' - Neutralized 2026-01-01 (Gname GW2025123005516327 - Client Hold)
- m.bcbitexus.com — (Registered 2026-01-02) — Carbon copy of 'bcbit.vip' - Neutralized 2026-01-05 (Gname GW2026010303056641 - Client Hold)
- m.bcbitxus.com — (Registered 2026-01-06) — Carbon copy of 'bcbit.vip' - Neutralized 2026-01-06 (Gname GW2026010704236004 - Client Hold)
- m.bcbityyvip.com — (Registered 2026-01-07) — Carbon copy of 'bcbit.vip' - Neutralized 2026-01-08 (Gname GW2026010803343501 - Client Hold)
3. Threat Description
The network uses long-form social engineering funnels combined with fabricated
“trading dashboards” to coerce deposits. Once funds are transferred, victims are
blocked with successive excuses:
- “Pending AML review”
- “Additional unlock fee required”
- “Income tax must be paid before withdrawal”
- “Security risk detected — recharge required”
No legitimate trading, blockchain interaction, or financial licensing is present.
SecureLeaf has also confirmed that these specific actors are actively
recruiting victims into WhatsApp and Telegram groups using
Meta platforms such as Facebook and Instagram.
The funnel typically begins with unsolicited contact, friend requests,
or targeted engagement on crypto, finance, travel, or personal lifestyle
content. Once initial rapport is established, victims are redirected into
messaging groups where coordinated investment fraud operations are conducted.
4. Technical Indicators
4.1 Platform Behaviors
- No CSP headers
- No CSRF tokens
- Form posts into unknown backend endpoints
- No real blockchain API hooks
- Dashboard values are front-end fabricated
4.2 Infrastructure Traits
- Domain rotation every few weeks
- Same design template across all domains
- Zero corporate identity or footer disclosures
- Similarity to known banking or crypto trading platforms
5. Linguistic Pattern Analysis (N-gram Forensics)
SecureLeaf analyzed the uploaded dataset ngram.csv
and identified extremely high-frequency manipulative phrasing:
- “second contract return investment”
- “urgent trading signal immediate action”
- Repetition of operator names: Chris, Dixon, Matilda
These patterns match known pig-butchering scam compounds operating mainly in Southeast Asia.
6. CVSS Scoring
CVSS v3.1 Score: 9.8 (Critical)
CVSS v4.0 Score: 10.0 (Critical)
- Attack Vector: Remote
- Attack Complexity: Low
- User Interaction: Required
- Confidentiality: High
- Integrity: High
- Availability (Financial): High
7. Reproduction (Safe Observation Only)
1. Navigate to m.[currentdomain].[tld]
2. Observe login panel with no licensing or disclosures
3. Submit fake credentials (testing only)
4. Fake dashboard loads with simulated trading
5. Withdrawal attempts fail behind “unlock fees”
8. Impact Assessment
- Financial loss
- Identity theft
- Persistent extortion attempts
- Reuse of stolen credentials on other services
9. Recommendations
For Users:
- Do not interact with bcbit*/bcbitpro*/bcbitfx*/bcbit-ex*/bcbit-exussvip*/bcbitexchange*/bcbitexus*/bcbitxus*/bcbityyvip* domains
- Never deposit funds into unlicensed exchanges
- Be cautious of unsolicited trading “mentors”
For Security Teams:
- Block all listed domains
- Monitor for referral traffic to pig-butchering clusters
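For the blocking and monitoring steps above, given the domain rotation noted in section 4.2, the following added example (not SecureLeaf tooling) triages DNS or proxy query names into confirmed domains and unlisted names carrying the same brand prefix. The log line layout, the function names, and the .example hostnames are assumptions constructed for illustration.

```python
CONFIRMED = {  # registrable domains from section 2 (added example, not SecureLeaf code)
    "bcbitpro.cc", "bcbit.vip", "communityofcrypto.com", "bcbitfx.com",
    "bcbitfx.vip", "bcbit-ex.com", "bcbit-exussvip.net", "bcbit.cc",
    "bcbitexchange.net", "bcbitexus.com", "bcbitxus.com", "bcbityyvip.com",
}
BRAND_PREFIX = "bcbit"  # prefix shared by every pattern in section 9


def registrable(host):
    # Assumption: single-label TLDs as on this page; use a public-suffix list otherwise.
    labels = host.strip().lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else ""


def classify(host):
    """Return 'confirmed', 'suspect' (possible rotation domain) or 'clean'."""
    domain = registrable(host)
    if domain in CONFIRMED:
        return "confirmed"
    if domain.startswith(BRAND_PREFIX):
        return "suspect"  # brand prefix on an unlisted registrable domain
    return "clean"


def triage(log_lines):
    """Map flagged query names in '<time> <client> <qname>' lines to a verdict."""
    hits = {}
    for line in log_lines:
        fields = line.split()
        if len(fields) != 3:
            continue  # skip malformed or truncated lines
        verdict = classify(fields[2])
        if verdict != "clean":
            hits[fields[2]] = verdict
    return hits


# Constructed sample lines; the .example names are placeholders, not real IoCs.
SAMPLE_LOG = [
    "2026-01-09T10:00:01Z 10.0.0.5 m.bcbit.vip.",
    "2026-01-09T10:00:02Z 10.0.0.7 M.BCBit-Next.example",
    "2026-01-09T10:00:03Z 10.0.0.9 notbcbit.example",
    "2026-01-09T10:00:04Z 10.0.0.9 bcbit.portal.example",
    "truncated-line",
]

if __name__ == "__main__":
    for qname, verdict in triage(SAMPLE_LOG).items():
        print(f"{verdict:9} {qname}")
```

A "suspect" verdict is a lead for analyst review, since the prefix match is broader than the confirmed list. The check looks only at the registrable domain, so a brand string used as a subdomain of an unrelated domain is not flagged.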