Global Cyber Security Alert for Judicial Systems and Law Enforcement Agencies Worldwide
⚠️ Official Notice to All International and National Judicial Authorities, Global and National Law Enforcement Agencies, INTERPOL, EUROPOL, and All Relevant Security and Legal Institutions Worldwide: This technical report contains highly sensitive and critical security findings that demand immediate review and action by the relevant authorities. Prompt attention and appropriate measures are required to address the identified security concerns in accordance with international legal and cybersecurity standards.
JURISDICTIONAL DATA HANDLING & UNODC HANOI CONVENTION
Cross-border data sets comply with international mutual legal assistance treaties (MLAT) standards, in alignment with the United Nations (UNODC) Convention against Cybercrime (Hanoi Convention).
Notice to Victims
The chairman of the Prince Group and his network have been indicted by the U.S. Department of Justice for operating a forced-labor and cryptocurrency fraud scheme. If you were contacted or harmed, do NOT send more funds — report details and transaction evidence immediately to IC3 (www.ic3.gov) or email PrinceGroupTips@fbi.gov.
Case Intelligence & Indicators Registry
Primary obfuscation layer detected originating from multi-proxy routing networks.
Secondary automated ledger synchronization script executed across decentralized endpoints.
Identified persistent credential harvesting vectors active on external routing nodes.
Official Report on the Anti-Pig Butchering Scam Campaign
By Mir Ali Shahidi, Secretary and Author of the Campaign
Date: August 31, 2025
Introduction
To our esteemed compatriots and the global community,
In response to the alarming rise in fraudulent activities known as the "Pig Butchering Scam" in Hong Kong, Singapore and worldwide, this campaign has been established with the primary objectives of raising awareness, protecting victims, and combating the criminal networks orchestrating these schemes. The Pig Butchering Scam, characterized by building trust through fake romantic or business relationships to lure victims into fraudulent investment schemes, has inflicted severe financial and psychological damage on individuals and families. This report provides a comprehensive overview of the campaign’s findings, objectives, and recommendations to address this global threat.
Investigative Findings on the Infrastructure of Pig Butchering Scams
Following extensive research, it has been determined that platforms facilitating Pig Butchering Scams employ sophisticated infrastructure to conceal their illicit activities. The operational framework includes the following key components:
Domain Registration and Hosting:
The domains used in these scams are initially registered through registrars based in China, primarily by Chinese specialists operating in China and the United States.
These domains are subsequently connected to web servers hosted in various regions, including China, Hong Kong, South Africa, Singapore, South Korea, Japan, the Seychelles, and multiple states in the United States.
To further obscure their activities, these domains are routed through Content Delivery Networks (CDNs) and proxy services such as Cloudie Limited (Hong Kong) and Cloudflare, before establishing direct connections to the primary platform servers.
Hosting Infrastructure:
The servers are hosted on reputable cloud service providers, including Amazon Web Services (AWS) in the United States, Google Cloud in Singapore, and Alibaba Cloud in China, Hong Kong, and the United States.
Additional CDN and proxy services, such as those provided by Fastly, are utilized to enhance access speed and security, further masking the true location and identity of the operators.
Domain Transfer Strategy:
Domains are initially registered through Chinese registrars, such as HiChina (a subsidiary of Alibaba Group) and Gname (Singapore), before being transferred to Dynadot, a U.S.-based registrar.
This multi-layered strategy is a deliberate attempt to conceal the true hosting location and the identities of the platform operators.
Technical Analysis of Server Access:
Technical assessments and specialized testing conducted on the platforms reveal that access to the primary servers is restricted exclusively to connections originating within Hong Kong and Singapore. External access from other regions, including Iran, is blocked by default.
Network tracing and repeated tests confirm that the infrastructure is tightly controlled, with access keys held solely by the platform operators within the designated regions. While a minimal possibility (approximately 1%) exists for specialized configurations allowing external access, 99% of access is limited to Hong Kong and Singapore.
These findings rule out significant technical involvement or control from Iran or other third-party countries, underscoring the centralized and regionally controlled nature of the infrastructure.
Sophistication of Operations:
The Pig Butchering Scam is not the work of amateur individuals but a highly organized operation supported by hundreds of top-tier specialists in programming, server management, network security, software security, server security, and database management.
These platforms are designed to appear professional and legitimate, with robust technical frameworks that withstand superficial scrutiny, delaying victims’ awareness of the fraudulent nature of the schemes.
Misuse of Corporate Brands and Trademarks
The criminal networks behind these scams exploit the names and reputations of globally recognized companies, including Alibaba (China and U.S.), Amazon (U.S.), and AliExpress (a subsidiary of Alibaba Group), to attract investments and gain victims’ trust. This constitutes a clear violation of copyright and trademark laws, as well as an egregious misuse of the public trust associated with these reputable brands.
Legal Responsibility of Service Providers
Any entity providing domain registration, IP allocation, web hosting, CDN, or proxy services to Pig Butchering Scam platforms is considered complicit in facilitating criminal activities. Service providers, whether knowingly or unknowingly supporting these networks, will be subject to legal scrutiny and prosecution. Their cases will be referred to local and international judicial authorities for enabling illegal activities through the provision of domains, IPs, hosting, CDNs, or proxies.
Campaign Objectives
Our campaign is committed to achieving the following goals:
Public Awareness: Educating the public about the signs and tactics of Pig Butchering Scams through targeted and official communications.
Victim Support: Guiding victims to report incidents to relevant authorities, including the Hong Kong Police Force and the Securities Regulatory Commission (SRC).
Victim Support: Guiding victims to report incidents to relevant authorities, including the Singapore Police Force and the Monetary Authority of Singapore (MAS).
Disrupting Criminal Networks: Identifying and dismantling the infrastructure and service providers facilitating these scams.
Indicators of Pig Butchering Scams
The following are common signs of Pig Butchering Scams:
Suspicious contacts from unknown individuals claiming friendship, romantic interest, or lucrative business opportunities.
Pressure to make rapid investments in fraudulent cryptocurrency, stock, or other schemes.
Requests for sensitive personal information, such as bank account details or identification documents.
Offers that appear too good to be true, often accompanied by promises of substantial profits.
Urgent Recommendations
To protect yourself from falling victim to Pig Butchering Scams, we urge the following:
Vigilance: Never trust unknown individuals or entities, and avoid sharing personal or financial information.
Verification: Thoroughly verify the identity of any party before engaging in transactions, using trusted and reputable sources.
Reporting: Immediately report suspected scams to the Hong Kong Police Cybercrime Unit or equivalent authorities in your country.
Reporting: Immediately report suspected scams to the Singapore Police Force or the Monetary Authority of Singapore (MAS).
Digital Security: Use strong passwords, enable two-factor authentication, and employ reliable security software.
Campaign Actions
The campaign undertakes the following actions:
Official Awareness Campaign: Regularly publishing updated information on scammers’ tactics and issuing warnings to the public.
Victim Support: Collaborating with legal advisors and victim support organizations to assist affected individuals.
Advocacy for Stronger Regulations: Pushing for enhanced laws and increased resources to combat cyber and financial crimes at local and international levels.
Technical and Legal Documentation
As a specialist in computer networks and information security management, I, Mir Ali Shahidi, have conducted a detailed classification of approximately 500 IP addresses and over 700 domains linked to Pig Butchering Scams. Key findings include:
Organized Network Identification: IPs and domains have been categorized based on network segments and connectivity, revealing a cohesive criminal infrastructure.
Legal Evidence: Classified tables of IPs, domains, and cryptocurrency transactions are admissible in legal, criminal, and judicial proceedings, providing precise documentation for judicial authorities.
International Traceability: The categorized data enables submission to Interpol, Europol, and police in countries hosting the servers, facilitating rapid identification of transaction paths and primary servers.
Enhanced Investigation Efficiency: This classification reduces the time required for data analysis and improves the accuracy of judicial investigations.
These documents provide a comprehensive roadmap of the scam network, enabling asset freezes, transaction tracking, and the pursuit of justice for victims.
Motivational Message to Victims
To victims and supporters, the classification of nearly 500 IPs and over 700 domains is a critical step in exposing an organized criminal network. This effort:
Demonstrates the structured nature of the scams.
Provides documented evidence for law enforcement, including cybercrime units and Interpol.
Accelerates international investigations and server takedowns.
Strengthens the case for recovering victims’ rights.
These documents are powerful tools for justice, enabling authorities to trace cryptocurrency flows, fraudulent domains, and related IPs. United, we can expose and dismantle these networks.
Message to Scammers and Facilitators
To the criminal networks and service providers enabling these scams: our community is united and vigilant. Through collaboration with authorities and advanced digital tools, we will track your operations and ensure justice is served. The time for hiding is over.
Response to Community Feedback
In response to concerns raised about the broader societal impact of these scams, which include widespread financial losses, psychological insecurity, and diminished trust in online services, we express our gratitude for the attention to this issue. These effects underscore the urgency of our campaign’s mission to combat fraudulent activities and restore public confidence.
Call to Action
We invite everyone to join this official campaign. If you are a victim or have information about Pig Butchering Scams, please contact us through secure channels. By sharing this announcement, you can help protect others from this threat. Together, we can dismantle these criminal networks and safeguard our communities.
Conclusion
The Pig Butchering Scam represents a sophisticated, organized, and international criminal operation that exploits trust and causes widespread harm. Through awareness, technical expertise, and collective action, our campaign is dedicated to protecting victims, pursuing justice, and disrupting these illicit networks.
With utmost respect,
Mir Ali Shahidi
Secretary and Author of the Anti-Pig Butchering Scam Campaign
Specialist in Computer Networks and Information Security Management
Note: This report is solely for awareness purposes. To report scams, please contact the Hong Kong Police or relevant legal authorities directly.
For a comprehensive analysis of the Pig Butchering Scam, including methods of operation and the associated IP infrastructure, please refer to the detailed report available here: Pig Butchering Scam Analysis.
International Checklist for Victims of Organized Cryptocurrency Fraud
As the primary international authority for investigating organized cryptocurrency fraud, the United States Secret Service (USSS) provides the following checklist. All requested information must be submitted in full and in text format (typed and copyable) to the following email address:
Please provide the following information in your email:
Your full name
Your phone number and email
Your city, state, and zip code
The websites/domains that were provided to you for "investment" purposes
The transaction IDs for all cryptocurrency transfers you made (Do not send screenshots)
The deposit wallet addresses where you sent your cryptocurrency (Do not send screenshots)
The platform where you were first contacted by the suspect (e.g., social media, messaging app, etc.)
The account name/screen name/handle/WhatsApp phone number/URL of the suspect on that platform
A detailed description of the events and interactions that occurred
The approximate total amount you sent in cryptocurrency, expressed in USD
Once all required information is received, it will be forwarded to the appropriate U.S. Secret Service field office based on your location. This email is for intake purposes only. Any further communication will be handled by your local field office.
Do NOT send any additional cryptocurrency for “taxes,” “fees,” or “recovery services.”
Immediately stop all communication with the perpetrators to avoid further victimization.
Best regards,
United States Secret Service (USSS)
National Center for Victims of Crime (NCVC)
The National Center for Victims of Crime (NCVC) is a vital and specialized organization dedicated to supporting victims of various crimes. This center plays a crucial role in promoting the rights and security of victims by providing legal assistance, counseling, and resources tailored to their complex needs. The NCVC is particularly instrumental in international cybercrime cases, such as sophisticated "pig butchering" scams that exploit internet infrastructure based in the United States, helping victims access appropriate legal protections.
By facilitating access to pro bono and expert attorneys, and offering guidance on relevant federal laws like the Computer Fraud and Abuse Act (CFAA) and the Victims of Crime Act, the center enables individuals lacking local financial or legal resources to defend their rights. NCVC also collaborates with federal agencies and victim advocacy groups to help victims protect themselves against identity threats and international criminal activities.
The Office for Victims of Crime (OVC), a component of the U.S. Department of Justice, provides key specialized services to crime victims. Its primary role is to offer legal support, advocate for victims' rights, and connect them with the necessary resources to pursue justice. In international cybercrime cases where U.S. infrastructure is exploited, OVC plays a significant role in bridging legal gaps and supporting foreign national victims who might otherwise lack access to legal protection due to jurisdictional complexities.
OVC also reduces victims' financial barriers by facilitating access to free legal representation and guiding them through applicable federal laws. This office protects the safety and legal rights of vulnerable individuals, focusing on multinational cases and digital crimes. It provides comprehensive support regarding both the technical and legal aspects of cybercrimes, working with law enforcement and judicial entities to ensure justice for victims.
Contact: askovc@ncjrs.gov
Phone (OVC Response Center): +1-800-851-3420
Mailing Address: Office for Victims of Crime, 810 Seventh Street NW., Washington, DC 20531, USA
Website: ovc.ojp.gov
Computer Crime and Intellectual Property Section (CCIPS) of the U.S. Department of Justice
The Computer Crime and Intellectual Property Section (CCIPS) is a unit within the Criminal Division of the U.S. Department of Justice, responsible for investigating and prosecuting computer-related crimes and intellectual property rights violations. This section plays a pivotal role in combating complex and organized cybercrime, especially those with international dimensions that exploit U.S. information technology infrastructure. CCIPS leverages its technical and legal expertise to pursue cyber attackers and maintain cybersecurity.
The primary duties of this section include identifying, investigating, and prosecuting cybercrimes such as hacking, internet fraud, data theft, and intellectual property-related offenses. CCIPS also collaborates with governmental and international organizations to establish policies and legal frameworks for effective combat against cyber threats and the protection of cybercrime victims. This section serves as a bridge between victims, law enforcement, and technical entities, ensuring the administration of justice in cyberspace.
Contact (General Email for Criminal Division, DOJ): Criminal.Division@usdoj.gov
Phone (Direct to CCIPS): +1-202-514-1026
Mailing Address: Computer Crime and Intellectual Property Section (CCIPS), Criminal Division, U.S. Department of Justice, 950 Pennsylvania Avenue, NW, Washington, DC 20530-0001, USA
Website: justice.gov/criminal/cybercrime
United Nations Office on Drugs and Crime (UNODC)
The United Nations Office on Drugs and Crime (UNODC) is a United Nations agency created in 1997 to fight serious global problems such as drug trafficking, organized crime, corruption, terrorism, and cybercrime.
UNODC helps countries develop laws, train police and judges, and cooperate internationally to fight these crimes effectively. It supports the United Nations Sustainable Development Goals, especially Goal 16, which promotes peace, justice, and strong institutions.
Since 2013, UNODC has focused on combating cybercrime by helping countries improve their laws, strengthen their judicial systems, train law enforcement officers, and work together across borders.
In December 2024, the United Nations adopted a new global convention to fight cybercrime. This agreement will help countries work together even better to stop criminals online. It will be open for countries to sign starting in October 2025.
What to Do If You Are a Victim of Cybercrime
If you think you have been a victim of organized cybercrime or online fraud, here are some important steps you can take:
Report the crime immediately to your local police or cybercrime unit.
Keep any evidence, such as emails, messages, or transaction details.
Protect your personal information and change passwords if needed.
Contact UNODC or visit their website for international support and resources.
Official Contact Information
Street Address: United Nations Office on Drugs and Crime (UNODC)
Vienna International Centre
Wagramer Strasse 5
A-1400 Vienna, Austria
Postal Address: United Nations Office on Drugs and Crime (UNODC)
Vienna International Centre
PO Box 500
A-1400 Vienna, Austria
Reporting Fraudulent IPs and Domains in Pig Butchering Scams
Pig Butchering scams involve fraudsters building trust with victims over time before convincing them to invest in fake schemes, often using malicious IPs and domains. Reporting these to relevant platforms helps mitigate cybercrime. Below are key platforms for submitting free reports:
AbuseIPDB: A community-driven database for reporting malicious IP addresses. You can submit IPs involved in Pig Butchering scams by creating a free account and providing details like the IP, timestamp, and evidence of malicious activity (e.g., phishing or fraud attempts).
Spamhaus: A leading authority on IP and domain reputation. Report fraudulent domains or IPs used in scams via their free submission forms. Ensure you include evidence such as URLs, email headers, or screenshots.
APWG (Anti-Phishing Working Group): Focuses on phishing and cybercrime. You can report phishing URLs, fraudulent domains, or IPs used in Pig Butchering scams through their free reporting portal, helping to warn others and block malicious activity.
Other Free Reporting Platforms: Platforms like PhishTank, Google Safe Browsing, and VirusTotal allow free submissions of malicious URLs, IPs, or domains. Provide detailed evidence, such as scam messages, fake websites, or transaction records, to support your report.
In addition to public reporting platforms, it is strongly recommended to directly contact the abuse departments of CDN providers, proxy services, VPS hosts, and web hosting companies used by the scammers. Most of these services provide an abuse@ email address or an online form for reporting. Submitting a report to their infrastructure providers helps disable malicious services at the source.
When reporting, always include as much detail as possible, such as logs, timestamps, and screenshots, to ensure the report is actionable. These platforms rely on community contributions to maintain safer internet ecosystems.
Network Infrastructure Details & Domain Mapping
Location: 400 S El Camino Real, Suite 400, San Mateo, CA, 94402, United States
Abuse Contact: intl-abuse@list.alibaba-inc.com
Technical Contact: noc@list.alibaba-inc.com
Phone: +1-408-748-1200
AS Number: AL-3
Analysis of the devanholo.com Domain
Question: Where is the devanholo.com domain located, and where is its database hosted?
Domain Connection to Server
The domain resolves to a shared Alibaba Cloud server with the IP address 47.91.170.222.
DNS Servers
The domain devanholo.com uses the following DNS servers:
jm1.dns.com
IP Address: 218.98.111.214
Organization Name: Jinan Jingdi Zhiban
Address: Jinan, Shandong Province, China
IP Range: 218.98.111.0 - 218.98.111.255
jm2.dns.com
IP Addresses: 183.253.57.200, 211.99.99.50
Domain Name: jm2.dns.com
Organization Name: China Mobile Communications Corporation
Address: Beijing, China
IP Ranges: 183.192.0.0 - 183.255.255.255, 211.99.99.0 - 211.99.99.255
IP Address 211.99.99.50
Organization Name: Shandong Stock Exchange
Address: Jinan, Shandong Province, China
Admin Contact: Kele Cao
Email: caokele@beelink.com
Phone: +86-0531-83192780
Fax: +86-0531-86097472
Abuse Contact: zhengkj@wy.cn
IP Range: 211.99.99.0 - 211.99.99.255
Network Status: Assigned Non-Portable
Last Modified: 2008-09-04
Domain Database
Question: Where is the database of the devanholo.com domain hosted?
Since the domain is connected to a shared server and IP information is distributed across multiple servers, the database is likely hosted within cloud infrastructure, such as Alibaba Cloud servers. This database could be distributed across multiple geographically diverse servers and synchronized in real-time.
Based on the provided information, the domain devanholo.com is hosted on a shared server in Alibaba Cloud with the IP address 47.91.170.222. Additionally, its DNS servers are jm1.dns.com and jm2.dns.com, which are located in China.
Possible Database Location
The storage location of a website’s database depends on the following factors:
1. Hosting Type (Shared or Dedicated)
Since this domain is hosted on a shared server in Alibaba Cloud, the database could be stored locally on the same server or on a cloud database service such as ApsaraDB (Alibaba Cloud’s database service).
2. Main Server IP Address (47.91.170.222)
The database service might be running on the same server, in which case its address would be localhost or 47.91.170.222.
If a cloud database service is used, there would be a separate domain for the database server (e.g., rds.aliyuncs.com).
3. DNS Configuration Analysis
The DNS servers are located in China, but this does not indicate the actual location of the database. DNS only resolves domain names to IP addresses and is not directly related to database hosting.
4. Platform Type (CMS or Custom)
If this website uses WordPress, Magento, or another CMS, the database is likely stored in MySQL/MariaDB on Alibaba Cloud.
If the website is custom-built, it may use MongoDB, PostgreSQL, or Redis as its database.
How to Determine the Database Location
To accurately identify the database location, the following methods can be used:
Check the config.php or .env file (CMS platforms usually store database information in these files).
Run nslookup or dig commands on the domain to find associated servers.
Use tools like nmap and shodan.io to scan for active services on the server's IP address.
Conclusion
The database for this domain is likely hosted on the same server as the website (47.91.170.222) or utilizes Alibaba Cloud services such as ApsaraDB.
DNS Architecture Analysis and Implementation Scenario
You have identified 300 different domains under the .COM TLD, all pointing to the same website and using two fixed name servers (NS):
jm1.dns.com
jm2.dns.com
However, an important point to note is that these domains are distributed across different IP ranges and various geographical locations such as China, Hong Kong, South Africa, North America, Indonesia, Malaysia, and Singapore.
1. The Primary Role of the Two Fixed DNS Servers (jm1.dns.com & jm2.dns.com)
These two DNS servers function as the Primary and Secondary DNS for all 300 domains, meaning:
They handle all domain queries.
Instead of having separate NS records for each domain, all domains are centralized on these two DNS servers.
They return an appropriate IP from a specific data center based on the requester's geographic location (GeoDNS or Anycast DNS).
2. Implementation Scenario: Using Anycast or GeoDNS
What is Anycast DNS?
In this method, the same DNS server address (e.g., that of jm1.dns.com) is announced from multiple locations worldwide. When a user queries a domain, network routing delivers the query to the nearest DNS server instance. This reduces latency and increases website loading speed.
What is GeoDNS?
With GeoDNS, the DNS returns a different IP based on the user's geographic location. For example:
If a user connects from South Africa, the DNS returns an IP from a South African server.
If a user connects from China, the DNS returns an IP from a server in Hong Kong or China.
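One way to test the GeoDNS hypothesis is to compare the answers for the same name collected through resolvers in different regions over several rounds. The Python below is an added example, not code from the report; the vantage labels, names and addresses are constructed, and `classify_answers` is a hypothetical helper.

```python
from collections import defaultdict

# Constructed resolution log: (vantage point, query round, name, A-record answers).
# Names use the reserved .example TLD; addresses are RFC 5737 documentation IPs.
SAMPLES = [
    ("za-resolver", 1, "geo.example", ["192.0.2.10"]),
    ("za-resolver", 2, "geo.example", ["192.0.2.10"]),
    ("hk-resolver", 1, "geo.example", ["198.51.100.20"]),
    ("hk-resolver", 2, "geo.example", ["198.51.100.20"]),
    ("za-resolver", 1, "static.example", ["203.0.113.5"]),
    ("hk-resolver", 1, "static.example", ["203.0.113.5"]),
    ("za-resolver", 1, "rotating.example", ["192.0.2.1"]),
    ("za-resolver", 2, "rotating.example", ["192.0.2.2"]),
    ("hk-resolver", 1, "rotating.example", ["192.0.2.2"]),
    ("hk-resolver", 2, "rotating.example", ["192.0.2.1"]),
    ("za-resolver", 1, "mixed.example", ["192.0.2.1"]),
    ("za-resolver", 2, "mixed.example", ["192.0.2.2"]),
    ("hk-resolver", 1, "mixed.example", ["192.0.2.3"]),
    ("za-resolver", 1, "single.example", ["203.0.113.9"]),
]


def classify_answers(samples):
    """Label each name by how its answers vary across and within vantage points."""
    per_name = defaultdict(lambda: defaultdict(list))
    for vantage, _round, name, answers in samples:
        key = name.lower().rstrip(".")
        per_name[key][vantage].append(frozenset(answers))

    verdicts = {}
    for name, by_vantage in per_name.items():
        # One location cannot show location-dependent behaviour.
        if len(by_vantage) < 2:
            verdicts[name] = "insufficient-vantage-points"
            continue
        # Stable: every round from a given vantage returned the same answer set.
        stable = all(len(set(rounds)) == 1 for rounds in by_vantage.values())
        # Pool: everything a vantage has ever been given for this name.
        pools = {frozenset().union(*rounds) for rounds in by_vantage.values()}
        if len(pools) == 1:
            verdicts[name] = "location-independent" if stable else "rotating-pool"
        else:
            # Different pools only point to GeoDNS when each vantage is stable;
            # otherwise rotation over a larger pool explains the difference too.
            verdicts[name] = "location-dependent" if stable else "inconclusive"
    return verdicts


if __name__ == "__main__":
    for name, verdict in sorted(classify_answers(SAMPLES).items()):
        print(f"{name:20} {verdict}")
```

Anycast does not show up in this comparison, because every location sees the same name-server address. Unless EDNS Client Subnet is in use, a GeoDNS answer also reflects the resolver's location rather than the end user's.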
3. Assigning Different IPs to Domains
Domains are routed to different IPs across the world, including China, Hong Kong, South Africa, the USA, Seychelles, Indonesia, Malaysia, and Singapore. This suggests that the website’s servers are distributed across multiple data centers, utilizing global load balancing.
Methods for Implementing This Scenario
Method 1: Configuring A Records in DNS with different IPs for different locations.
Method 2: Using Anycast IP on a CDN or Load Balancer.
Method 3: Using a Reverse Proxy or Edge Servers.
4. What is the Purpose of This Scenario?
A) Improving Website Performance and Speed
Users receive responses from the closest server, optimizing loading speed.
Reduced latency and improved user experience.
B) Increasing Stability and Security (DDoS Protection)
If a data center fails, the DNS directs users to an alternative server.
Mitigating DDoS attacks by distributing the load across multiple servers.
C) Bypassing Internet Censorship in Certain Countries
This method is often used by websites that are blocked in certain regions.
Having multiple servers with different IPs makes it harder to completely block access.
D) Special Use Cases (e.g., Botnets or Large-Scale Advertising)
Some use this technique for gray-hat projects like click fraud, phishing, or botnet control (C2).
Domains and servers frequently change to avoid detection.
5. Conclusion
This scenario represents a globally distributed network of DNS and web servers, likely leveraging Anycast DNS and GeoDNS to route traffic based on user location.
This technique is commonly used by major companies (such as Alibaba, Cloudflare, Google, and Amazon AWS) to enhance speed and stability.
Additionally, some websites use this approach to bypass censorship or manage botnets.
Recommended Tools for Further Analysis:
Nslookup / Dig / WHOIS → To check DNS records
Traceroute / MTR → To examine request routing
Shodan.io → To analyze active services on IPs
Passive DNS Analysis → To observe domain-to-IP relationships
Question:
Does this website have specific content that requires such an infrastructure?
Analysis of DNS Structure and Possible Objectives
Based on the provided information, the two name servers (jm1.dns.com and jm2.dns.com) have three different IP addresses located in China and belong to various Chinese organizations:
This indicates that the DNS structure is entirely managed in China and possibly falls under one of the following scenarios:
1. DNS Under the Control of a Specific Entity in China
These name servers are associated with different Chinese organizations, including:
Jinan Jingdi Zhiban (Shandong Province)
China Mobile Communications Corporation (Beijing)
Shandong Stock Exchange (Shandong Stock Market)
The fact that both DNS servers are located in China and managed by different companies suggests centralized control over this system.
Possible Scenario:
✅ Centralized Domain Control: All 300 domains in question receive responses from these DNS servers, indicating possible management by a central authority.
✅ Internet Traffic Monitoring: The location of these DNS servers in China could suggest governmental oversight of user access and traffic.
✅ Redirection and Monitoring Capability: Since these DNS servers are managed in China, there is a possibility of traffic manipulation or redirection to government-specified IP addresses.
2. Load Balancing and Anycast DNS
Since these DNS servers exist within multiple IP ranges in China, they may be using Anycast DNS or GeoDNS to direct users to the nearest server.
How Anycast Works in This System:
A user requests a domain.
The DNS server returns the closest IP address.
The user is directed to one of multiple servers in different locations (e.g., Hong Kong, Africa, the US).
Advantages and Concerns:
✅ Goal: Reduce latency, improve speed, and distribute the load across multiple servers.
✅ Concern: All DNS servers are controlled within China, raising potential concerns about filtering, redirection, or user data collection.
3. Possible Objectives of This Architecture
A) Strengthening a Chinese CDN
If these domains are linked to a private Chinese CDN (such as Tencent Cloud, Alibaba Cloud, or ChinaNet), the goal might be to accelerate access to international content for Chinese users.
B) Gray Hat Applications (Advertising or Cyber Attacks)
✅ The structure may be designed for large-scale click advertising or directing users to specific pages.
✅ If domains are redirected, phishing or malware hosting could also be possible.
C) Bypassing Internet Filtering
✅ This method is commonly used to mask the original server’s identity and bypass internet filtering systems.
✅ For example, users from restricted countries might be directed to unblocked IP addresses.
4. Is This Architecture Linked to a Specific Organization?
Based on IP addresses and organizational ownership, these DNS servers are located in China and managed by both state-owned and private Chinese companies.
Key Questions:
Do the websites using these DNS servers provide specific content (e.g., political, economic, or special services)?
Are these DNS servers listed in security threat reports or cybersecurity watchlists?
Do the IP and domain patterns indicate a cyber attack or covert operation?
For Further Investigation, Consider:
✅ Using Passive DNS Analysis (to check domain history changes)
✅ Analyzing network traffic with Wireshark or Zeek (to inspect how these DNS servers handle requests)
✅ Checking these IPs on services like VirusTotal, Shodan, and AbuseIPDB (to find any abuse reports)
5. Final Conclusion
This architecture is most likely a distributed network managing domains under the control of a Chinese entity, potentially used for CDN, advertising, traffic control, or other activities.
For a more precise analysis, specific domains and DNS behavior could be further examined.
Analysis of Load Balancing Architecture and Distributed Database
This architecture is typically implemented in two ways:
1. Load Balancing with DNS
In this method, each domain points to a set of IPs in different geographic regions, but all servers are connected to a centralized or synchronized database.
Mechanism:
DNS directs requests to the nearest or fastest server.
Each server maintains a synchronized copy of data (via Replication or Clustering).
All servers connect to a central database or stay synchronized.
Use Cases:
CDNs (such as Cloudflare, Akamai, Alibaba Cloud)
Cloud services (AWS, Azure, Google Cloud)
Distributed infrastructure to prevent downtime
2. Using a Distributed Database
In this approach, databases are distributed across multiple geographic locations and synchronize data in real time.
Mechanism:
Each region (e.g., Hong Kong, South Africa, the US) maintains a local copy of the database.
Changes are shared instantly (Real-time Replication) between databases.
If a server goes down, requests are routed to the nearest available database.
Use Cases:
Google Cloud Spanner (Google's distributed database)
Amazon Aurora Global Database (Amazon's global database)
Microsoft Cosmos DB (Microsoft's distributed database)
Conclusion
Each geographic region has its own IP, but all server data remains synchronized in real time. This model ensures users connect to the fastest and nearest server while still accessing a unified database.
Analysis of the Distributed Network Structure of These Domains
Based on the provided information, this network utilizes a distributed infrastructure that includes:
A shared DNS system for all domains
Different IP addresses across various geographical regions
Database synchronization between servers
Analysis of the Fixed DNS Role in This Network
✅ The shared DNS servers (jm1.dns.com and jm2.dns.com) play a crucial role:
All domains use the same two fixed DNS servers.
However, the DNS responses for each domain point to different IP addresses in various geographical locations.
This model is typically implemented using GeoDNS or Anycast DNS techniques.
✅ The main goals of this architecture:
Directing users to the nearest server geographically
Improving performance and reducing latency
Enhancing scalability and fault tolerance
How Database Synchronization Works in This Network
Multiple servers across different regions (e.g., Hong Kong, Africa, USA) host the data.
The database is distributed across these servers and synchronized in real-time.
If a server goes offline, requests are redirected to other servers.
✅ Common synchronization methods:
Master-Slave Replication (a central database with multiple copies)
Multi-Master Replication (all databases store and process data simultaneously)
Partitioning & Sharding (splitting data across different servers)
Summary and Conclusion
✔ All domains use two shared DNS servers but have different IPs in various countries.
✔ Databases are synchronized and deployed across multiple regions.
✔ User traffic is directed to geographically closer servers.
✔ Techniques like GeoDNS, Anycast, or DNS-level Load Balancing are used.
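The passive DNS check summarized above, as an added example that is not part of the original report: it groups domains by shared name-server set and labels whether each domain's A record varies with the resolver's location. The observation rows, the .example domains, the documentation-range IPs and all function names are constructed for illustration; only jm1.dns.com and jm2.dns.com come from the report.

```python
from collections import defaultdict

# Constructed observations (not real data). Each row: resolver vantage point,
# queried domain, the domain's NS set, the A record returned, and the country
# an IP-geolocation lookup gave for that A record.
JM = ("jm1.dns.com", "jm2.dns.com")
OTHER = ("ns1.other.example", "ns2.other.example")
OBSERVATIONS = [
    ("ZA", "shop-a.example", JM, "203.0.113.10", "ZA"),
    ("HK", "shop-a.example", JM[::-1], "198.51.100.7", "HK"),  # NS order differs
    ("US", "shop-a.example", JM, "192.0.2.44", "US"),
    ("ZA", "pay-b.example", JM, "203.0.113.99", "SG"),
    ("HK", "pay-b.example", JM, "203.0.113.99", "SG"),
    ("US", "pay-b.example", JM, "203.0.113.99", "SG"),
    ("ZA", "blog-c.example", OTHER, "192.0.2.80", "US"),
    ("HK", "blog-c.example", OTHER, "192.0.2.80", "US"),
]


def cluster_by_nameservers(observations):
    """Group domains, IPs and countries by order-independent NS set."""
    clusters = defaultdict(lambda: {"domains": set(), "ips": set(), "countries": set()})
    for _vantage, domain, ns_set, ip, country in observations:
        key = frozenset(ns.lower().rstrip(".") for ns in ns_set)
        clusters[key]["domains"].add(domain)
        clusters[key]["ips"].add(ip)
        clusters[key]["countries"].add(country)
    return dict(clusters)


def classify_domain(observations, domain):
    """Label how a domain's A answers vary across resolver vantage points."""
    answers = defaultdict(set)
    for vantage, d, _ns, ip, _country in observations:
        if d == domain:
            answers[vantage].add(ip)
    if len(answers) < 2:
        return "insufficient-vantage-points"
    if len({frozenset(ips) for ips in answers.values()}) > 1:
        return "location-dependent"  # consistent with GeoDNS / DNS load balancing
    return "location-independent"  # single host or anycast IP; DNS alone cannot tell


def shared_infrastructure_report(observations, min_domains=2):
    """List NS sets that serve at least min_domains domains, with their spread."""
    rows = []
    for ns_key, c in cluster_by_nameservers(observations).items():
        if len(c["domains"]) >= min_domains:
            rows.append({
                "nameservers": sorted(ns_key),
                "domains": sorted(c["domains"]),
                "distinct_ips": len(c["ips"]),
                "countries": sorted(c["countries"]),
                "patterns": {d: classify_domain(observations, d)
                             for d in sorted(c["domains"])},
            })
    return rows


if __name__ == "__main__":
    for row in shared_infrastructure_report(OBSERVATIONS):
        print(row)
```

A "location-independent" result does not rule out anycast, which is visible only at the routing layer (for example with Traceroute or MTR from several vantage points).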
1. United States - Key Agencies and Judicial System
Cyber Judicial System: U.S. District Courts have jurisdiction over federal cybercrime cases. Key laws include the Computer Fraud and Abuse Act (CFAA), Wire Fraud Statutes, and the Electronic Communications Privacy Act (ECPA). Federal courts aim to deliver justice in cross-border cases, especially when U.S. infrastructure has been exploited in these scams.
Law Enforcement Agencies Relevant to "Pig Butchering" / "Romance Baiting":
U.S. Secret Service (USSS): Plays a pivotal role in investigating cyber financial crimes, including complex cryptocurrency scams and "Pig Butchering." The USSS focuses on detecting, investigating, and arresting individuals who violate financial system laws, often assisting in the recovery of victims' funds.
FBI Cyber Division: This division is the primary agency responsible for investigating cyberattacks and organized cybercrime, including large-scale financial scams like "Pig Butchering." The FBI receives reports via the Internet Crime Complaint Center (IC3) and coordinates national and international investigations.
Computer Crime and Intellectual Property Section (CCIPS) at the U.S. Department of Justice: CCIPS is responsible for implementing the Department of Justice's national strategy against computer crime and intellectual property offenses globally. CCIPS combats complex cyber scams through prosecution, legal support to prosecutors, and collaboration with government agencies, the private sector, and foreign counterparts.
Federal Trade Commission (FTC): The FTC is a consumer protection agency that collects scam reports and provides information and warnings to the public to prevent victimization. The FTC actively raises awareness about "Pig Butchering" scams and helps victims report and pursue their cases.
Office of Foreign Assets Control (OFAC) of the U.S. Department of the Treasury: OFAC may impose sanctions against individuals or entities involved in malicious cyber activities, including large-scale financial scams like "Pig Butchering," especially if these activities have exploited U.S. infrastructure.
Office for Victims of Crime (OVC) at the U.S. Department of Justice: OVC provides programs and services to support victims of crime, including cybercrime. This office helps victims access resources such as legal aid, counseling, and financial recovery assistance.
2. European Union - Judicial System and Related Agencies
Cyber Judicial System: EU member states have harmonized their national laws based on the Directive on Attacks against Information Systems (Directive 2013/40/EU). This directive defines and penalizes cybercrimes. The European Court of Justice (ECJ) also plays a role in interpreting and enforcing EU laws.
Law Enforcement Agencies Relevant to "Pig Butchering" / "Romance Baiting":
Europol's European Cybercrime Centre (EC3): EC3 is an intelligence and operational hub for combating serious cybercrime in the EU. It supports cross-border investigations, facilitates information exchange, and provides expertise to counter sophisticated scams.
Eurojust: This is the EU's agency for judicial cooperation, assisting member states' judicial authorities in coordinating investigations and prosecutions of serious cross-border and organized crime, including cybercrime.
European Judicial Cybercrime Network (EJCN): Hosted by Eurojust, this network facilitates cooperation and the exchange of expertise among judicial authorities concerning cybercrime investigations and prosecutions.
3. India - Judicial System and Related Agencies
Cyber Judicial System: The Information Technology Act, 2000 (IT Act) serves as the primary legal framework for cybercrime and e-commerce in India. It includes provisions for computer-related offenses, privacy breaches, and online fraud.
Law Enforcement Agencies Relevant to "Pig Butchering" / "Romance Baiting":
Indian Cybercrime Coordination Centre (I4C): This is a government body established to coordinate efforts to combat cybercrime across the country, operating the National Cybercrime Reporting Portal (NCRP).
State Cyber Police Units: Most Indian states have specialized cyber police units responsible for investigating cybercrimes at the state and local levels.
4. China - Judicial System and Related Agencies
Cyber Judicial System: The Cybersecurity Law of the People's Republic of China (2016) and the Personal Information Protection Law (PIPL) (2021) are the main laws governing cybersecurity and related crimes in China. These laws emphasize critical information infrastructure security and data privacy.
Law Enforcement Agencies Relevant to "Pig Butchering" / "Romance Baiting":
Ministry of Public Security (MPS): Through its specialized departments, including the Cyber Security Protection Bureau, this ministry is primarily responsible for combating cybercrime and enforcing relevant laws.
Cyberspace Administration of China (CAC): Responsible for policy-making and oversight of cyberspace, including cybersecurity issues and online content.
5. Australia - Judicial System and Related Agencies
Cyber Judicial System: The Cybercrime Act 2001 is Australia's principal legislation for addressing online crimes, including fraud and computer misuse. It provides a framework for investigating and prosecuting cybercrimes.
Law Enforcement Agencies Relevant to "Pig Butchering" / "Romance Baiting":
Australian Cyber Security Centre (ACSC): As the primary technical authority on cybersecurity in Australia, the ACSC collaborates with law enforcement agencies like the Australian Federal Police (AFP) in cybercrime investigations, including complex scams.
Australian Federal Police (AFP): The AFP is involved in national and international cybercrime investigations, working with global counterparts to counter transnational threats.
6. Russia - Judicial System and Related Agencies
Cyber Judicial System: The Federal Law on Information, Information Technologies, and Information Protection and relevant amendments to the Russian Criminal Code provide the legal framework for cybercrimes. These laws include provisions for hacking, malware distribution, and computer fraud.
Law Enforcement Agencies Relevant to "Pig Butchering" / "Romance Baiting":
Ministry of Internal Affairs (MVD): Has specialized units for investigating cybercrime, including online fraud and hacking.
Federal Security Service (FSB): Plays a significant role in national cybersecurity, counter-intelligence, and combating organized and complex cybercrime.
7. Interpol - Global Cyber Law Enforcement
Law Enforcement Agency: Interpol's Cybercrime Division facilitates international collaboration among law enforcement agencies worldwide to combat cross-border cybercrime. It supports global law enforcement in responding to key cyber threats, sharing threat intelligence, coordinating cross-border operations, and providing capacity-building projects. Interpol actively addresses "Romance Baiting" scams (an alternative term for "Pig Butchering") and strives to enhance global awareness and coordination in this area.
8. National Cyber Security Centre (NCSC) - United Kingdom
Law Enforcement Agency: The National Cyber Security Centre (NCSC), part of GCHQ, is the UK's technical authority on cybersecurity. It helps protect critical services, manages major incidents, improves internet security, and provides advice to citizens and organizations on staying safe online. The NCSC works closely with UK law enforcement agencies such as the National Crime Agency (NCA) and regional police forces on cybercrime investigations.
9. FBI Internet Crime Complaint Center (IC3)
Agency Name: FBI Internet Crime Complaint Center (IC3)
Jurisdiction: United States. IC3 serves as the central point of contact for reporting cyber-enabled crime to the FBI, the lead federal agency for investigating such crimes.
Mission: IC3 accepts online Internet crime complaints from victims or third parties. Its mission is to support the FBI's efforts in investigating reported crimes, tracking trends and threats (including "Pig Butchering" scams), and in some cases, assisting in fund recovery.
Reporting Types: Cybercrime, internet fraud, identity theft, phishing, online scams (like "Pig Butchering"), and other online criminal activities.
10. FATA Cyber Police (Cyber Police of Production and Exchange of Information) - Iran
Agency Name: FATA Cyber Police (پلیس فضای تولید و تبادل اطلاعات ایران)
Jurisdiction: Iran. FATA Cyber Police is a specialized unit of the Islamic Republic of Iran Police.
Mission: FATA Cyber Police focuses on investigating cybercrimes within Iran, including internet fraud, phishing, identity theft, and other online criminal activities. It provides services to victims of cybercrimes and receives reports related to these crimes.
Reporting Types: Cybercrime, internet fraud, identity theft, phishing, and other online criminal activities.
Singapore Cyber Police
Agency Name: Singapore Police Force (SPF) - Cybercrime Command
Jurisdiction: Singapore. The Cybercrime Command is a specialized unit within the Singapore Police Force under the Ministry of Home Affairs.
Mission: The SPF Cybercrime Command focuses on preventing, deterring, and detecting cybercrimes in Singapore, including online scams, hacking, identity theft, ransomware, and Pig Butchering Scams. It collaborates with local and international agencies to combat cyber threats and enhance public awareness of cybersecurity.
Reporting Types: Cybercrime, online scams (including Pig Butchering Scams), hacking, identity theft, phishing, ransomware, and other internet-related criminal activities.
Reporting Methods: Use the ScamShield app (WhatsApp or mobile app) for reporting Pig Butchering Scams and other frauds. File reports via the I-Witness portal or Police@SG app. Contact the Anti-Scam Hotline (1800-722-6688) for 24/7 assistance or the Police Hotline (1800-255-0000). For phishing emails, report to singcert@csa.gov.sg without suspicious attachments.
Hong Kong Cyber Police
Agency Name: Hong Kong Police Force - Cyber Security and Technology Crime Bureau (CSTCB)
Jurisdiction: Hong Kong. The CSTCB is a specialized unit within the Hong Kong Police Force dedicated to combating cybercrimes and enhancing cybersecurity.
Mission: The CSTCB focuses on investigating and preventing cybercrimes, including online scams, hacking, identity theft, and technology-related offenses. It collaborates with local and international partners to address cyber threats and promote public awareness of cybersecurity.
Reporting Types: Cybercrime, online scams, hacking, identity theft, phishing, technology-related offenses, and other internet-related criminal activities.
Reporting Methods: Use the e-Report Centre for non-emergency cybercrime reports. Contact the Technology Crime Division or Cyber Security Division via email for specific cybercrime issues. Call the Emergency Hotline (999) for urgent cyber threats. Use the Anti-Scam Helpline (18222) for scam-related advice and reporting guidance.