#46: Hijacked Content, Empty Accounts, and Global Crackdowns

This week’s stories are a reminder that scams don’t always look like scams. Real content, trusted platforms, and familiar flows are being repurposed for profit and most people don’t realize what’s happening until it’s too late.

Let’s get into it.

NATE'S TAKE - AUGUST 26, 2025

Top Three This Week

1. Nigeria Deports 50 Chinese Nationals in Global Cybercrime Crackdown
2. How a Viral Tailor Became the Face of TikTok’s Newest Scam Format
3. Phish, Pump, Exit: The Brokerage Scam Hiding in Plain Sight

1. Nigeria Deports 50 Chinese Nationals in Global Cybercrime Crackdown

Photo: Economic and Financial Crimes Commission

Nigeria just deported 50 Chinese nationals as part of a wider operation targeting what officials called one of the largest foreign-led cybercrime syndicates in the country’s history. The sting (Eagle Flush) took place in Lagos and led to the arrest of 192 foreign nationals, including 148 Chinese citizens.

According to Nigeria’s Economic and Financial Crimes Commission (EFCC), those convicted were involved in internet fraud and cyberterrorism, with ties to romance scams and crypto investment fraud. Authorities say the operation was driven by “actionable intelligence” and is the second major bust in under a year. A prior sting arrested nearly 800 suspects, including dozens of Chinese and Filipino nationals working with local Nigerian scammers.

This isn’t the stereotypical lone romance scammer in a cybercafe. It’s an organized global operation with foreign actors partnering with local networks, recruiting and training at scale, and building industrialized fraud businesses. Many are exploiting gaps in social media, messaging apps, and payments to stay ahead of enforcement.

If you're in trust and safety, this is a reminder that attribution matters. Where fraud comes from and who it's being outsourced to should inform how you score behavior, escalate abuse, and decide when to shut down access entirely. Scams aren’t just digital, they’re structured. Treat them like operations, not one-offs.

2. How a Viral Tailor Became the Face of TikTok’s Newest Scam Format

Photo: Kevin Whitlock / Massillon Independent

George Tsaftarides is an 84-year-old tailor in Ohio who quietly built a following on TikTok by sharing sewing tips and videos from his decades-old shop. His account became a small pandemic-era hit, then the scam videos started.

Scammers stole clips of George at his sewing machine and re-edited them into fake fundraisers claiming he was making slippers to save a cat shelter, or working late to cover his wife’s cancer treatments. The stories were fake, but the emotion was real enough to drive donations. Some buyers received cheap products from overseas. Others just lost their money.

This is what researchers are calling “sadness bait” and it’s spreading fast. Dozens of complaints were filed with TikTok, but most were ignored. One takedown request was denied because the scam video “didn’t violate community standards.” Meanwhile, the fraudsters just kept reposting under new accounts.

TikTok eventually removed a few videos after media coverage, but the underlying issue remains: the content remix features that power platform growth also power abuse.

If your platform enables content remixing, influencer marketing, or in-app sales, this is a warning shot. You’re not just fighting copycats. You’re fighting remixed trust. Detection needs to move beyond static account matching. You have to look at emotional triggers, virality patterns, and how your own tools can be used to disguise the con.

3. Phish, Pump, Exit: The Brokerage Scam Hiding in Plain Sight

Photo: KrebsonSecurity

Fraud rings are getting smarter about how they cash out stolen credentials. Brian Krebs shared in an article that a new wave of “ramp-and-dump” schemes are targeting brokerage accounts to manipulate stock prices and quietly exit with a profit.

Here’s how it works: phishers steal brokerage logins via SMS and spoofed sites. They use those accounts to buy large volumes of a penny stock. At the same time, they pre-position themselves in that stock via another account they control. When the victim buys in, the price spikes just enough for the scammer to sell at a gain. No wires. No flagged transfers. Just a clean-looking trade that leaves the victim holding worthless shares.

These scams are coordinated via Telegram communities, often run by Mandarin-speaking phishing kit vendors who sell ready-made templates for Schwab and other major brokerages. Many exploit MFA weaknesses, like SMS codes and mobile prompts, using human operators who sit in front of banks of phones to capture real-time authentication flows. Some kits are even using LLMs to speed up UI cloning and translation.

This synchronized, low-footprint fraud is designed to avoid detection by trading within the rules. Most platforms won’t catch it because it doesn’t look like fraud. It looks like a bad investment decision.

If you run or secure financial platforms, especially anything involving trades or asset movements, take note. You can’t just watch the exit points anymore. You need behavioral context on trades, identity anomalies, and whether someone’s actions match their history.

===

That’s all for this week! For more insights, follow us on LinkedIn or X, and if you want to learn more about what we do, visit www.specprotected.com.

‍