Infoblox researchers published a detailed report on a growing ecosystem of service providers that equip criminal networks with the tools, infrastructure, and expertise needed to operate large-scale pig butchering or sha zhu pan scams.
According to the research, the providers have built a “pig butchering-as-a-service” (PBaaS) economy, similar to malware- and phishing-as-a-service models. Rather than operating alone, scammers can now buy solutions that allow them to run sophisticated fraud campaigns without advanced technical skills.
Modern pig butchering operations span a wide range of fraud, including romance and investment fraud, law enforcement impersonation, and job or task scams. The marketplaces supporting such schemes offer an extensive package of the services needed to launch an operation, such as communication tools and social engineering scripts, pre-registered SIM cards, disposable devices, internet access, stolen or fake social media accounts, ready-made websites, and mechanisms for laundering stolen funds and cryptocurrency. Some operations even rely on smuggled Starlink terminals and rigged online investment platforms to evade detection.
Infoblox notes that a dense network of such service providers has quietly spread across Southeast Asia, selling full fraud kits and end-to-end packages. One such provider, operating under names such as Heavenly Alliance, Overseas Alliance, and Penguin Account Store, openly advertises PBaaS solutions to criminal customers. The group offers scam templates, stolen Western social media accounts, login credentials for major platforms, and tools such as bulk SIM cards, routers, IMSI catchers, and AI-powered social CRM systems.
“Suppliers of PBaaS have also automated the provision and supply of mobile applications. On Android, this process is simple: users can install any given binary packaged as an .apk. It is more restricted on iOS. Any given iOS developer can enroll a limited number of devices and users into a “testing program,” and there is a thriving shadow economy that provides developer certificates and testing accounts,” the report notes.