Malicious actors stole more than $1 million through a “pig butchering” cryptocurrency scam in just three months, Sophos researchers have found.
According to the investigation, this highly sophisticated operation used a total of 14 domains and dozens of almost identical fraudulent sites.
The attackers used fake cryptocurrency trading pools from decentralized finance (DeFi) trading apps to defraud their victims, with one individual losing $22,000 in a single week.
These “liquidity pools,” which encompass different types of cryptocurrencies, allow users to make profits by trading from one cryptocurrency to another. Those who participate receive a percentage of any fees paid when a transaction is made – with another account (usually that of the pool operators) being allowed access to participants’ wallets to facilitate transactions.
Sophos has discovered that pig butchers are increasingly setting up such pools to siphon off user funds, thereby draining victims’ entire liquidity pools for themselves.
Victim loses $22,000 in one week
The report highlighted the case of an individual named “Frank”, who lost $22,000 to such a scheme after being duped by an online dating scam.
Frank was contacted by “Vivian” on the dating app MeetMe, who claimed to be a German woman living in Washington DC for work. Over weeks of romantic messages, Vivian persistently tried to convince Frank to invest in cryptocurrency, recommending a liquidity pool site.
Frank eventually opened a Trust Wallet account, which allowed him to convert dollars into cryptocurrency, and connected to a link to the liquidity pool site. It was a scam site posing as decentralized finance provider Allnodes.
Between May 31 and June 5, Frank invested $22,000 in the pool and three days later the funds were emptied by the fraudsters.
He then turned to Vivian, who urged Frank to invest even more in the pool to recoup his funds and reap the “rewards.” While waiting for his bank to authorize a money transfer to Coinbase, Frank did some research and found an article on liquidity mining from Sophos, which he contacted for help.
Sean Gallagher, senior threat researcher at Sophos, asked Frank to block Vivian; however, she persisted in her attempts to entice him to pursue the investment, even sending a long, emotional letter that Gallagher claims was created by a generative AI application.
A sophisticated operation
Sophos highlighted the sophistication of this fraudulent pig butchering operation, which did not even require malware to be installed on the victim’s device, but instead used social engineering tactics.
Gallagher noted: “This entire fake liquidity pool was managed through the legitimate Trust Wallet app. At one point, Frank even tried to contact Trust Wallet support to get his money back, but he connected with a fake support contact from the scam liquidity pool site.”
Gallagher warned that pig butchering scams, also known as shā zhū pán, are becoming more prevalent and proving very effective for threat actors.
“Very few people understand how legitimate cryptocurrency trading works, making it easy for these fraudsters to scam their targets. There are now even toolkits for this type of scam, making it easy for different pig butchering operations to add this type of crypto fraud to their arsenal. While last year Sophos tracked dozens of these fraudulent ‘liquidity pool’ sites, we are now seeing more than 500,” he noted.
He urged people to be wary of anyone they have no connection with who suddenly contacts them through a dating app or social media platform, particularly if the “person” making the contact wants to move the conversation to a platform like WhatsApp and then discusses investing in cryptocurrency.
Sophos shared its findings with crypto intelligence experts Chainalysis and exchange Coinbase, who continue to investigate the scale of pig butchering scams.