
Zerodha users targeted with a pig-butchering scam

Threat researchers at Shreshta have uncovered a pig-butchering scam targeting Zerodha users.

The phishing websites are impersonating Zerodha, a reputed stockbroking and financial services company, duping investors into investing in fake crypto and investment schemes.

What is a pig-butchering scam?


A pig-butchering scam, a.k.a. “Sha Zhu Pan” or Shazhupan (Chinese: 杀猪盘), translated as Killing Pig Plate, is a type of long-term scam and investment fraud in which the victim is gradually lured into making increasing contributions, usually in the form of cryptocurrency, to a fraudulent cryptocurrency scheme. [1]

About Zerodha

Zerodha Broking Ltd., founded in 2010, is an Indian online brokerage firm.

Executive Summary

We analyzed a large number of phishing websites targeting Zerodha users. Our analysis found that the phishing website appears to be part of a pig butchering scam campaign, as indicated by the investment plans, commissions from referrals, and an administrator managing deposits.

Motive

The motive of the threat actors is to lure investors into fake crypto and investment schemes for financial gains.

Technical analysis of pig-butchering scam targeting Zerodha users

In this section, we will examine one of the phishing websites that are part of the pig-butchering scam.

This is the home page of the Zerodha phishing website
zerodhaz[.]xyz

Figure 1 – The home page of the phishing website

The registration page of the phishing website zerodhaz[.]xyz

Figure 2 – Registration page of the phishing website

Page displaying that the registration is complete

Figure 3 – After registering, the system redirects the user to a completion page.

Login page of the Zerodha phishing website zerodhaz[.]xyz

Figure 4 – Login page of the phishing website

Using the registration credentials, the user is redirected to a dashboard page on the Zerodha phishing website

Figure 5 – Using the registration credentials, the system redirects the user to a dashboard page.

The dashboard displays "test" as the username instead of the username provided by the user during registration.

Investment page on the Zerodha phishing website.
zerodhaz[.]xyz

Figure 6 – Investment page on the phishing website.

The user is asked to deposit money to earn a specified percentage of profit.

Crypto account login page of the website zerodhaz[.]xyz

Figure 7 – The user is asked to enter the required information for the selected crypto account and continue with the payment.


Figure 8 – After clicking Save, the user is asked to wait for an administrator’s response.

Pop-ups on the website zerodhaz[.]xyz showing users actively trading

Figure 9 – The phishing website frequently displays pop-ups indicating other users are actively trading on the platform (Social Proof)

Web page showing a fake crypto investment scheme

Figure 10 – Fake Crypto investment plans

Phishing Web page showing the integrated chat.

Figure 11 – The phishing website is integrated with a chat

Threat Indicators

  • The domain name zerodhaz[.]xyz has been registered through Hostinger Operations, UAB.
  • The domain name registration date is 2024-07-23.
  • The domain name resolves to the IP address 77.37.37.117.
  • The IP address belongs to AS47583 (Hostinger International Limited).

Uncovering a larger pig-butchering scam at play

Our detection and analysis of the pig-butchering scam targeting Zerodha users led us down a rabbit hole to unravel a larger scam.

We have mapped similar websites which are part of the same pig-butchering scam and possibly the same threat actor.

Home page of a similar pig butchering scam's website

Fig 12 – Home page of a similar pig butchering scam’s website

Page showing various investment plans

Fig 13 – Page showing various investment plans

Home page of another pig-butchering scam website

Fig 14 – Home page of another pig-butchering scam website

Website page showing different investment schemes.

Fig 15 – Page depicting various investment schemes

Page showing Certificate of incorporation

Fig 16 – Page showing Certificate of incorporation

Home page of another financial phishing scam

Fig 17 – Home page of another financial phishing scam

Indicator of compromise

Domain names


WhatsApp number & email address

212779753451
admin@zerodhaz[.]xyz
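
A defender can sweep DNS resolver logs for the domain indicators from this report and, separately, flag hostnames that embed the impersonated brand outside the broker's own domain. The following is an added example, not code from Shreshta's analysis; the log format, client addresses, the `zerodha.com` allow-list entry and the `.example` hostname are assumptions constructed for illustration.

```python
# Subset of this report's defanged domain indicators, kept defanged in source.
DEFANGED_IOCS = ["zerodhaz[.]xyz", "tradesmax[.]uk",
                 "gminitrading[.]com", "glancoequityfund[.]live"]
BRAND = "zerodha"              # brand the phishing sites impersonate
OFFICIAL = ("zerodha.com",)    # assumption: the broker's legitimate domain

# Constructed sample log, assumed format: "<timestamp> <client> <qname> <qtype>"
SAMPLE_LOG = """\
2024-08-01T09:14:02Z 10.0.4.17 zerodhaz.xyz. A
2024-08-01T09:14:05Z 10.0.4.17 kite.zerodha.com. A
2024-08-01T09:20:41Z 10.0.7.3 APP.gminitrading.com. AAAA
2024-08-01T09:21:10Z 10.0.7.3 notgminitrading.com. A
2024-08-01T09:30:55Z 10.0.9.8 login.zerodha-kyc.example. A
"""

def refang(indicator):
    # Turn a defanged indicator ("a[.]b") back into a lower-case hostname.
    return indicator.replace("[.]", ".").lower()

def under(host, domain):
    # Match on a label boundary so "notgminitrading.com" is not a hit.
    return host == domain or host.endswith("." + domain)

def classify(host, iocs):
    """Return 'ioc:<domain>', 'lookalike', or None for a normalised host."""
    for domain in iocs:
        if under(host, domain):
            return "ioc:" + domain
    if any(under(host, d) for d in OFFICIAL):
        return None            # legitimate brand traffic
    if any(BRAND in label for label in host.split(".")):
        return "lookalike"     # brand string inside a non-official hostname
    return None

def sweep(log_text, defanged=DEFANGED_IOCS):
    """Return (client, host, verdict) for every log line worth triaging."""
    iocs = [refang(d) for d in defanged]
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue           # skip malformed lines
        host = parts[2].rstrip(".").lower()   # drop root dot, fold case
        verdict = classify(host, iocs)
        if verdict:
            hits.append((parts[1], host, verdict))
    return hits

if __name__ == "__main__":
    print(*sweep(SAMPLE_LOG), sep="\n")
```

A "lookalike" verdict is a triage lead rather than a confirmed indicator, and should be reviewed before blocking.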

Safety Recommendations

  • Protect your personal and financial details—never share sensitive information like Aadhaar, passport, or bank details
  • Be cautious of links or app downloads from strangers—it’s a red flag
  • Promises of jobs, high returns, or requests for money are warning signs
  • Avoid responding to unknown messages on WhatsApp, social media, or dating apps
  • Scammers prey on emotions like fear or greed—don’t act impulsively
  • Stay calm—most people fall for scams when they rush or panic

Conclusion

Our assessment is that this particular pig-butchering scam is targeting users worldwide and is not specific to Zerodha users in India. Based on the analysis, our threat research team has detected a large number of phishing websites with the same modus operandi (MO).
