IT Brief UK - Technology news for CIOs & IT decision-makers

Sygnia uncovers global law firm recovery scam network

Fri, 6th Feb 2026

Sygnia has published details of an investigation linking more than 150 domains to a recovery-scam network impersonating law firms and other legal services, with signs of activity across multiple countries and industries.

The investigation began after a major law firm discovered several websites using its name, branding, and publicly available staff identities. The pages posed as legitimate legal and asset-recovery services and invited visitors to contact the firm via phone, live chat, and WhatsApp. The contact details did not belong to the firm.

Threat intelligence analysis connected the initial cluster to a wider set of domains sharing page structures, content fragments, and overlapping contact methods. Many of the websites remained live during the analysis. Sygnia found no meaningful evidence of prior public reporting on the campaign.

Law firms targeted

Sygnia described the activity as a recovery scam targeting people who have already lost money to earlier fraud. The sites present the operators as legal specialists who can recover funds, using legal-style language and authoritative design cues. Some replicate the full identities of real firms. Others promote generic recovery brands, then reference well-known firms once conversations move off-site.

The operators appear to push targets away from the websites and into private channels. Calls to action direct visitors to phone numbers and WhatsApp accounts controlled by the scammers, after which the interaction relies on messaging and voice calls, reducing visibility for defenders and for the impersonated organisations.

Sygnia researchers engaged with multiple WhatsApp contact points and observed a consistent interaction flow across the network. Exchanges included scripted or semi-automated opening messages, questions about the initial fraud, and assurances that payment would be required only after funds were recovered.

Sygnia characterised this approach as repeat victimisation, relying on cues of legal authority and the vulnerability of victims after an initial loss.

Distributed infrastructure

The investigation describes a network built to make links between domains hard to establish. Each site used its own SSL/TLS certificate rather than a certificate shared across domains, so certificate reuse could not be used to tie sites together. Domains were also spread across multiple hosting providers and IP ranges, and many sat behind Cloudflare, which hides the origin infrastructure.

Sygnia found limited overlap in analytics identifiers. Most sites used different Google Tag Manager or Analytics IDs, reducing opportunities for correlation. Where overlaps did appear, Sygnia treated them as stronger indicators of common ownership.

Domain registration details also varied, with sites using multiple registrars, limiting the value of registrar-based pivoting. Some clustering around specific registrars suggested consistent operational choices in parts of the network.

The investigation also points to content-level evasion. The sites used similar layouts but changed images and wording between domains. The network also used multiple languages, including Chinese, Portuguese, and Romanian, which can make keyword-based discovery harder.

Sygnia argued these choices reflect deliberate trade-offs, with operators accepting added cost and complexity in exchange for durability and investigative friction.

Signs of continuity

Sygnia reported links between contact details used on the impersonation sites and earlier fraud activity. Several phone numbers and contact points appeared in public fraud reports from previous years and across different scam categories.

Sygnia cautioned that phone numbers, particularly VoIP numbers, can be recycled or reassigned, and that historical association alone does not prove the same operators remain in control. However, it cited repeated appearances of the same telecommunications details alongside other overlaps, including repeated wording, consistent use of WhatsApp, and the same WordPress version (6.8.3).

Two examples illustrate the pattern. One phone number, +354-42-12434, appears in an alleged vehicle auction scam, a cryptocurrency project, and later asset-recovery domains linked to the current activity. Another number, +1-347-871-7726, appeared in a COVID-19-era eCommerce scam and later in recovery-themed domains. Additional analysis tied that second number to multiple email addresses and to domains associated with cryptocurrency, shipping, and fitness-related fraud.
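The two preceding sections describe the same pivoting logic from two angles: a single shared analytics ID is a strong link, a shared registrar or WordPress version on its own is too common to mean anything, and a shared phone number counts only once something else corroborates it, because VoIP numbers get recycled. The script below is an added example of that weighting applied to site records, written for this article rather than taken from Sygnia's tooling; the domains, tag IDs, phone numbers, registrars and versions in it are constructed sample data, not indicators from the report.

```python
"""Cluster impersonation domains by shared indicators (added example).

Link rules, mirroring the pivots described in the article:
  strong       - one shared analytics ID is enough to join two domains
  corroborated - a shared phone number joins two domains only when at least
                 one weaker attribute (registrar, WordPress version) also matches,
                 because recycled VoIP numbers alone prove nothing
  weak         - registrar or CMS version never link on their own
"""
import re
from collections import defaultdict

# Constructed sample records; every value here is hypothetical.
SITES = [
    {"domain": "example-recovery-a.test", "gtm": "GTM-AAA111",
     "phone": "+1 (555) 010-0001", "registrar": "RegA", "wp": "6.8.3"},
    {"domain": "example-recovery-b.test", "gtm": "GTM-AAA111",
     "phone": "+15550100002", "registrar": "RegB", "wp": "6.8.3"},
    {"domain": "example-legal-c.test", "gtm": "GTM-CCC333",
     "phone": "+1-555-010-0002", "registrar": "RegB", "wp": "6.8.3"},
    {"domain": "example-unrelated-d.test", "gtm": "GTM-DDD444",
     "phone": "+1-555-010-0009", "registrar": "RegB", "wp": "6.8.3"},
    {"domain": "example-brand-e.test", "gtm": "GTM-EEE555",
     "phone": "+1 555 010 0009", "registrar": "RegA", "wp": "6.7.2"},
]

STRONG = {"gtm"}            # one shared value links two sites
CORROBORATED = {"phone"}    # links only together with a WEAK overlap
WEAK = {"registrar", "wp"}  # corroborate, never link alone


def normalize_phone(raw):
    """Collapse formatting variants ('+1 (555) 010-0001', '+1-555-010-0001')
    to '+' followed by digits so the same number compares equal."""
    return "+" + re.sub(r"\D", "", raw)


def link_strength(a, b):
    """Return 'strong', 'corroborated' or None for a pair of normalized records."""
    shared = {k for k in a if k != "domain" and a[k] == b[k]}
    if shared & STRONG:
        return "strong"
    if shared & CORROBORATED and shared & WEAK:
        return "corroborated"
    return None


def cluster(sites):
    """Union-find over all site pairs. Returns (clusters, edges): clusters as
    sorted lists of domains, edges as (domain, domain, strength) tuples."""
    parent = {s["domain"]: s["domain"] for s in sites}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    norm = [dict(s, phone=normalize_phone(s["phone"])) for s in sites]
    edges = []
    for i in range(len(norm)):
        for j in range(i + 1, len(norm)):
            strength = link_strength(norm[i], norm[j])
            if strength:
                parent[find(norm[i]["domain"])] = find(norm[j]["domain"])
                edges.append((norm[i]["domain"], norm[j]["domain"], strength))

    groups = defaultdict(list)
    for s in norm:
        groups[find(s["domain"])].append(s["domain"])
    return sorted(sorted(g) for g in groups.values()), edges


if __name__ == "__main__":
    clusters, edges = cluster(SITES)
    for d1, d2, why in edges:
        print(f"{d1} <-> {d2} ({why})")
    for group in clusters:
        print("cluster:", ", ".join(group))
```

In the constructed data, sites a and b share a tag ID (strong), b and c share a phone number plus registrar and WordPress version (corroborated), so a, b and c form one cluster. Sites d and e share only a phone number, written in two formats, with nothing else in common, and stay separate; that is the recycled-number caveat encoded as a rule rather than left to the analyst's memory.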

Business risk

The investigation frames business impersonation as a growing issue. Sygnia reported business impersonation volumes up 148% year over year, attributing the increase to AI-assisted content generation, deepfake tools, and the ease of cloning websites.

For affected organisations, the damage often emerges after victims have already shared data or made payments. Impacts can include reputational harm and legal exposure, especially in regulated or trust-based sectors.

Sygnia argued the case shows the limits of a takedown-by-takedown approach: individual domains can be removed while the network persists through parallel sites and long-lived phone and messaging accounts.

"In campaigns of this scale, meaningful disruption also depends on coordination with law enforcement. Identifying operators, seizing infrastructure, and disrupting financial flows are necessary to prevent these networks from reappearing under new domains," Sygnia said.