Pig-Butchering Scams: An Emerging Crypto Threat Vector
Of all the crypto crime scams in recent memory, one of the most vividly named is the “pig butchering” scheme. Originating from China, this cyberattack was named after the similarities between pigs and the scheme’s victims. Similar to how pigs are dutifully raised as livestock, the victims in a pig butchering scheme are “fattened up” over a long period before they are slaughtered - or in this case, scammed.
From its roots in China, pig butchering has spread all over the world. As with outsourcing, pig butchering operations tend to be based in developing nations like Cambodia or the Philippines, while the intended victims tend to be based in developed nations like Singapore or Australia. These operations have become so professionalized that many are now using shell companies to feign legitimacy. In the United Kingdom, half of 168 shell companies linked to cryptocurrency schemes were reportedly focused on pig butchering.
Though this scam invokes some gruesome imagery and ultimately destroys victims financially, it typically starts with a seemingly innocuous event: a message. The case of Anthony and Michelle illustrates how a benign encounter can quickly turn into trouble. In November 2021, Michelle, a twenty-something-year-old woman from Hong Kong, commented on the Instagram photo of Anthony, a 48-year-old single father. From there, the two took their conversation to WhatsApp where they communicated every day, exchanged selfies and photos, and even flirted.
There was just one problem: Michelle was not a real person. In fact, she was nothing but a persona created by scammers who used her digital persona to build an emotional and romantic connection with Anthony. Once Anthony developed a strong connection with her, “Michelle” offered an investment scheme related to crypto mining. Anthony took the bait and began investing in the fictitious mining operations. He ultimately lost approximately $168,000.
Unfortunately, Anthony is not alone. The growing number of pig butchering victims is attributable in part to the sophistication of these scamming operations. These are not lone wolves, but enterprise-level operations. An exposé from Vice uncovered a facility in Cambodia that would rival a legitimate call center in terms of business maturity and metrics. Over the course of two days, one person who was trafficked into the business and held against his will was trained with scripts and playbooks to deceive unsuspecting victims. After training, he would hunt for targets for over 15 hours a day alongside 10 other workers, most of whom were also human trafficking victims.
Though exact numbers vary, Vice and others have estimated that pig butchering scams have already cost victims billions of dollars. That figure should not be far off the mark, considering even just one syndicate can amass hundreds of millions of dollars through this scam. The CryptoLabs syndicate stole as much as $500 million through pig butchering, while another group based in Australia gained $100 million. In 2021, victims in the United States alone reported $429 million in losses from pig butchering scams. Astoundingly, pig butchering does not appear to be slowing down, even as authorities and regulators aggressively combat the scam. Pig butchering is successful in spite of this growing vigilance in large part because it is both a financial and an emotional scam. With their emotions compromised, it is difficult for victims to recognize the dubious investment and to back out when they feel something is not right.
Here is how a pig butchering scheme usually works and advice on how to identify red flags at each step in the process.
Initial message - The scammer (for the sake of convenience, we will use this catch-all term, even if some of them may be victims themselves) will make contact with the prospect.
Red flag: While some messages may directly address the target, others will be intentionally framed as though they are mistakenly sent. The scammer may address a different person, contacting them about some seemingly mundane pretext. “Are we going to the salon tonight?” one message read, piquing the interest of a victim who eventually lost $1.6 million in just three months.
This ruse is designed to lower one’s guard and make the encounter seem accidental - people are likely to be skeptical when receiving random messages that directly address them by name. Scammers appear to be channel-agnostic, sending these messages over SMS, email, and other messaging platforms. In August 2022, one victim reported that scammers reached out via Line and WeChat, promoting a cryptocurrency investment platform with the simexlua.com domain.
While the victims vary widely, most are professionals, executives, or business owners - exactly the type of people the scammers purport to be. In some cases, the profiling seems to be more advanced, with scammers favoring middle-aged people or empty nesters who may be lonely and thus more likely to engage with them.
“...If you were the kind of person who was kind of looking for some sort of connection, you could see how you’d be easily lured in, sucked in by a seemingly innocuous conversation with a nice person,” explained Alastair McCready, the Southeast Asia Editor for Vice World News, in a podcast.
The best defense here can be found in the wisdom parents bestow upon their kids: don’t talk to strangers.
Character-building - The scammer will continue chatting with the target. If they did not already start communicating on a traditional messaging platform, the scammer may invite the target to move the conversation to one such as WhatsApp or Skype. Over the course of the conversation, the scammer will portray the image of an educated, cosmopolitan, and attractive (the scammer will find a way to slip a selfie in as part of their story-telling) individual. Some may even pretend to volunteer in order to virtue-signal to the victim that they are a kind-hearted, trustworthy person.
Crucially, the scammer will present themselves as financially successful - perhaps as an executive or entrepreneur - so they have credibility later on. Though these backstories are all fictitious, they will appear consistent because they are based on well-memorized scripts. The scammer will occasionally improvise to build a deeper connection with the victim.
Red flag: These scammers have evolved from the days of pretending to be a Nigerian prince. Instead, scammers will model real-life people who you would want to date or befriend.
As their interest grows, the victim may reverse-image search some of the photos that the scammer has shared. If nothing comes up, the victim may take this as evidence that their new friend is a real, albeit private, person. They should not: the absence of matches in a reverse-image search is not evidence that the photos are genuine. They could still very well be scraped from the social media profiles of unsuspecting victims, generated with AI, or bought on a marketplace.
Rapport-building - Once it is clear the target views the digital persona as a friend or romantic interest, the scammer will do their best to ingratiate themselves with the target. Like real companions, they will send messages at different points of the day, share random thoughts as much as deep ones, send more photos and selfies, and bond over inside jokes. Unfortunately, this is the pig being fattened. If the target has a clear romantic interest in the persona, the scammer may take it a step further by love-bombing that person or overwhelming them with attention, compliments, and sweet nothings. This approach works particularly well for emotionally vulnerable people, as in the case of a recently heartbroken man who was manipulated by a scammer who stated that he was also looking for a long-term relationship.
At some point, the scammers will subtly steer the conversation toward cryptocurrency trading, mining, or some other investment scheme. Because the persona is a friend or a romantic interest, they will not push too hard if the target shows little interest. Instead, they will return to the topic once they have built even more rapport or connection with the target. If the victim is receptive to the topic, the scammer may jump straight into step four, which is asking directly for cash.
With this emotional and psychological connection, pig butchering schemes sit on the opposite side of scams like ransomware and extortion. In those scams, the bad actor is upfront and explicit about their intentions. With ransomware, they lock your laptop or threaten the exposure of data unless a ransom is paid. With extortion, they threaten the target to comply or risk facing violence or some other punishment. Ignoring the bad actors in these cases disincentivizes them from continuing the scheme: their priority, after all, is to target someone who fears they have something to lose and is thus more likely to comply with their demands at some point.
Pig butchering scams are arguably successful because they take a vastly different approach, with the scammers presenting themselves as a well-meaning friend or companion. So even if their initial ask to invest is rebuffed, they will still continue with the relationship knowing that their growing rapport may enable them to break down the target’s guard down the road.
Red flag: If you randomly meet someone you click with online, you will most likely escalate communication with them, beginning first with a voice or video call before meeting in person. The scammer, on the other hand, will have a litany of excuses for not being able to do these things. Some may refuse any kind of live communication. Some may accept scheduled voice calls but say that their camera is broken or give some other reason that they cannot appear on the screen. Some may agree to meet in person, only to find some reason to back out at the last minute – often due to an emergency.
The caveat here is that some pig butchering operations have gotten so big that they have the resources to fool targets in this phase as well. Some may have an attractive person - one reasonably consistent with shared photos - on hand to take video calls. Victims should not take these communications as proof that a person really is who they say they are. In the immortal words of Andy Grove: only the paranoid survive.
The ask - At some point, the persona will mention an investment scheme in passing. Some will even post screenshots of their supposed earnings. These investments are commonly related to crypto - because it is more difficult to trace - but occasionally they are not. What unites all the investment schemes is that they are accessible via some sort of online platform that the person has a scoop on or connection with. Ideally, the target will take the bait and broach the topic with the scammer. The scammer will then educate the target about the scheme, before eventually asking or encouraging them to sign up for an account and make an investment.
Red flag: While the website may appear legitimate - the most common categories they fall into are mining operations, exchanges, and brokerages - the purported company will not have a digital footprint, as even small businesses do. People should look up the URL on a domain registry. A recently created website may be a clear indicator that it is a front for a scam.
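The domain-age check described above can be automated against RDAP, the JSON successor to WHOIS (RFC 9083). This is an added example, not part of the original article; the sample response, the domain name in it, and the 180-day threshold are constructed assumptions.

```python
import json
from datetime import datetime, timezone

# Constructed RDAP domain response, trimmed to the fields used here.
SAMPLE_RDAP = json.loads("""
{
  "objectClassName": "domain",
  "ldhName": "crypto-mining-platform.example",
  "events": [
    {"eventAction": "registration", "eventDate": "2022-07-19T08:14:02Z"},
    {"eventAction": "expiration", "eventDate": "2023-07-19T08:14:02Z"},
    {"eventAction": "last changed", "eventDate": "2022-07-20T11:00:00Z"}
  ]
}
""")

RECENT_DAYS = 180  # assumed cut-off for "recently created"; adjust as needed


def registration_date(rdap):
    """Return the registration time as a timezone-aware datetime, or None."""
    for event in rdap.get("events", []):
        if event.get("eventAction") == "registration":
            stamp = event["eventDate"].replace("Z", "+00:00")
            parsed = datetime.fromisoformat(stamp)
            # Some registries omit the offset; treat such values as UTC.
            if parsed.tzinfo is None:
                parsed = parsed.replace(tzinfo=timezone.utc)
            return parsed
    return None


def assess_domain(rdap, now=None):
    """Classify a domain by age: 'unknown', 'recent' or 'established'."""
    now = now or datetime.now(timezone.utc)
    domain = rdap.get("ldhName")
    registered = registration_date(rdap)
    if registered is None:
        # No registration event: cannot confirm age, so do not treat as safe.
        return {"domain": domain, "age_days": None, "verdict": "unknown"}
    age_days = (now - registered).days
    verdict = "recent" if age_days < RECENT_DAYS else "established"
    return {"domain": domain, "age_days": age_days, "verdict": verdict}


if __name__ == "__main__":
    # Fixed evaluation date so the result is reproducible.
    print(assess_domain(SAMPLE_RDAP, now=datetime(2022, 8, 15, tzinfo=timezone.utc)))
```

An "established" verdict only means the domain is old; it says nothing about who operates the site today.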