On Wednesday, Sophos cybersecurity researchers named the gang "CryptoRom" and said they have recently expanded their operations from Asia, spreading to both the United States and Europe.
Romance scams are an insidious and constant problem and, thanks to the rising popularity of dating apps, are no longer limited to phishing emails. Instead, fraudsters will 'match' with their victims, feign interest until they build a foundation of trust, and then ask for money -- only to vanish soon after.
In recent years, romance scams have become more sophisticated, with some cybercriminals offering their victims 'exclusivity' in trading deals or in cryptocurrency investments, using the lure of easy profit as well as potential love matches.
Interpol warned of an uptick in investment-based romance fraud taking place across dating apps in January this year.
The CryptoRom scam artists target iPhone users of dating apps including Tinder and Bumble. One tactic used is to lure victims into downloading a fake cryptocurrency trading app that gives the operators remote control over the handset.
The researchers say this has been made possible by abusing Apple's Enterprise Signature platform, used by software developers to test out iOS apps ahead of submission to the App Store.
Victims are asked to purchase cryptocurrency through Binance and then transfer the funds to a wallet via the fake trading app. Matches are pointed to fraudulent websites that mimic the look and feel of the legitimate App Store -- likely in the hope that they won't look at the address bar too closely and will install a malicious app.
"At first, the returns look very good but if the victim asks for their money back or tries to access the funds, they are refused and the money is lost," explained Jagadeesh Chandraiah, senior threat researcher at Sophos. "Our research shows that the attackers are making millions of dollars with this scam."
Unfortunately, it seems the group is competent, as a wallet controlled by them contains close to $1.4 million in cryptocurrency, thought to have been stolen from victims who fell for their tactics and who invested their cash into crypto. However, there could easily be more than one wallet in use.
As Enterprise Signature allows developers to test out app functionality, the fake apps are also able to perform other functions such as data theft and account compromise, and can potentially download and execute other payloads.
Sophos reached out to Apple with its findings but at the time of writing has not received a response.
"To avoid falling victim to these types of scams, iPhone users should only install apps from Apple's App Store," Chandraiah cautioned. "The golden rule is that if something seems risky or too good to be true -- such as someone you barely know telling you about some 'great' online investment scheme that will deliver a big profit -- then sadly, it probably is."