Executive Summary
In late 2025, the U.S. Securities and Exchange Commission charged a network of fraudulent crypto trading platforms and investment clubs with orchestrating a $14 million scam targeting retail investors. The scammers operated platforms such as Morocoin Tech Corp., Berge Blockchain Technology Co., Ltd., and Cirkor Inc., as well as front groups like AI Wealth Inc. and others, using social media ads and WhatsApp messages that promised AI-driven trading tips. Victims were enticed to buy into phony 'Security Token Offerings' with guarantees of high returns, then defrauded a second time when they were told to pay advance withdrawal fees, after which all funds were siphoned to overseas accounts, predominantly in Asia.
This incident underscores the urgent risk of AI-wash fraud and the exploitation of digital messaging channels to build investor trust. As cryptocurrency scams grow more sophisticated and regulatory scrutiny intensifies, organizations and individuals should exercise heightened vigilance against elaborate schemes blending false credentials, social engineering, and AI-themed deception.
Why This Matters Now
AI-driven and crypto investment scams have multiplied in both scale and complexity, exploiting new technologies and social platforms to manipulate targets. This case demonstrates escalating risk for investors, and intensifies global compliance and detection pressures for financial institutions and digital service providers.
Attack Path Analysis
Attackers initiated the scam by approaching investors through social engineering in messaging apps, enticing victims with AI-themed investment tips. Once initial trust was established, they used fake personas and fraudulent platforms to build credibility and draw victims further into the scheme. The scam's infrastructure enabled multi-entity deception and the seamless transfer of investor trust from one platform to the next. The adversaries managed all inbound and outbound communications with victims, controlling the flow of information and investments. They then siphoned funds through multiple channels, including crypto assets and wire transfers to international accounts. The operation ultimately deprived investors of access to their assets and caused extensive financial loss.
Kill Chain Progression
Initial Compromise
Description
Attackers lured retail investors through social media ads and WhatsApp groups, using social engineering and impersonation to compromise trust.
MITRE ATT&CK® Techniques
The selected ATT&CK techniques cover prominent social engineering, impersonation, execution, and exfiltration activities observed in the incident. These are suitable for initial SEO/filtering and can be further enriched with STIX/TAXII feeds.
Phishing
Search Open Websites/Domains
Gather Victim Identity Information
User Execution
Phishing: Spearphishing via Services
Impersonation
Masquerading
Data Transfer Size Limits
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Incident Response Plan
Control ID: 12.10.1
NYDFS 23 NYCRR 500 – Cybersecurity Program
Control ID: 500.02
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21(2)
DORA (Digital Operational Resilience Act) – ICT Risk Management Framework
Control ID: Article 9
CISA Zero Trust Maturity Model 2.0 – User Identity Validation
Control ID: Identity Pillar - User Identification
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
Primary target for AI-themed crypto fraud schemes exploiting investment platforms, requiring enhanced egress security and anomaly detection capabilities.
Investment Banking/Venture
High exposure to sophisticated cryptocurrency scams using fake AI signals, demanding zero trust segmentation and threat detection systems.
Capital Markets/Hedge Fund/Private Equity
Vulnerable to multi-million dollar fraud targeting retail investors through fake trading platforms and AI-generated investment recommendations.
Computer Software/Engineering
Software platforms exploited for fraudulent cryptocurrency exchanges, requiring secure hybrid connectivity and multicloud visibility controls.
Sources
- SEC Files Charges Over $14 Million Crypto Scam Using Fake AI-Themed Investment Tips: https://thehackernews.com/2025/12/sec-files-charges-over-14-million.html
- SEC Charges Three Purported Crypto Asset Trading Platforms and Four Investment Clubs with Scheme That Targeted Retail Investors on Social Media: https://www.sec.gov/newsroom/press-releases/2025-144-sec-charges-three-purported-crypto-asset-trading-platforms-four-investment-clubs-scheme-targeted
- SEC Charges Three Purported Crypto Asset Trading Platforms and Four Investment Clubs With Misappropriating $14 Million From Retail Investors: https://www.sec.gov/enforcement-litigation/litigation-releases/lr-26453
- SEC Complaint Against Morocoin Tech Corp., et al.: https://www.sec.gov/files/litigation/complaints/2025/comp-pr2025-144.pdf
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Robust network segmentation, egress policy enforcement, centralized visibility, and real-time anomaly detection could have significantly limited fraudster movement, data exfiltration, and overall operational freedom within cloud-connected environments. Zero Trust controls would have constrained attacker reach, expedited detection, and prevented unauthorized outbound fund transfers.
Control: Threat Detection & Anomaly Response
Mitigation: Unusual access or communication patterns from suspicious accounts would have triggered alerts.
Control: Zero Trust Segmentation
Mitigation: Strict least privilege and identity-based segmentation would have restricted lateral movement and internal access.
Control: East-West Traffic Security
Mitigation: Restricts unauthorized workload-to-workload or service-to-service communications.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: Enforced real-time inspection and distributed policy could disrupt persistent malicious communications.
Control: Egress Security & Policy Enforcement
Mitigation: Unauthorized or unusual outbound transfers would be blocked or tightly audited.
Rapid centralized visibility would accelerate incident response and limit additional damage.
Impact at a Glance
Affected Business Functions
- Investment Services
- Financial Advisory
Estimated downtime: N/A
Estimated loss: $14,000,000
Personal and financial information of investors may have been exposed due to fraudulent activities.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to restrict access between workloads, applications, and user groups based on identity and least privilege.
- Enforce egress security policies to monitor and block unauthorized fund transfers or data exfiltration events.
- Deploy anomaly detection and real-time alerting to swiftly identify and respond to social engineering, impersonation, or unusual user activity.
- Ensure centralized, multi-cloud visibility to enable rapid containment and audit of suspicious network or account activity.
- Mandate robust internal segmentation and runtime enforcement to prevent lateral movement and reduce the blast radius of future incidents.