Pig-Butchering Scams: An Emerging Crypto Threat Vector
Merkle Science
Of all the crypto crime scams in recent memory, one of the most vividly named is the “pig butchering” scheme. Originating from China, this cyberattack was named after the similarities between pigs and the scheme’s victims. Similar to how pigs are dutifully raised as livestock, the victims in a pig butchering scheme are “fattened up” over a long period before they are slaughtered - or in this case, scammed.
From its roots in China, pig butchering has spread all over the world. As with outsourcing, pig butchering operations tend to be based in developing nations like Cambodia or the Philippines, while the intended victims tend to be based in developed nations like Singapore or Australia. These operations have become so professionalized that many are now using shell companies to feign legitimacy. In the United Kingdom, half of 168 shell companies linked to cryptocurrency schemes were reportedly focused on pig butchering.
Though this scam invokes some gruesome imagery and ultimately destroys victims financially, it typically starts with a seemingly innocuous event: a message. The case of Anthony and Michelle illustrates how a benign encounter can quickly turn into trouble. In November 2021, Michelle, a twenty-something-year-old woman from Hong Kong, commented on the Instagram photo of Anthony, a 48-year-old single father. From there, the two took their conversation to WhatsApp where they communicated every day, exchanged selfies and photos, and even flirted.
There was just one problem: Michelle was not a real person. In fact, she was nothing but a persona created by scammers who used her digital persona to build an emotional and romantic connection with Anthony. Once Anthony developed a strong connection with her, “Michelle” offered an investment scheme related to crypto mining. Anthony took the bait and began investing in the fictitious mining operations. He ultimately lost approximately $168,000.
Unfortunately, Anthony is not alone. The growing number of pig butchering victims is attributable in part to the sophistication of these scamming operations. These are not lone wolves, but enterprise-level operations. An exposé from Vice uncovered a facility in Cambodia that would rival a legitimate call center in terms of business maturity and metrics. Over the course of two days, one person who was trafficked into the business and held against his will was trained with scripts and playbooks to deceive unsuspecting victims. After training, he would hunt for targets for over 15 hours a day alongside 10 other workers, most of whom were also human trafficking victims.
Though exact numbers vary, Vice and others have estimated that pig butchering scams have already cost victims billions of dollars. That figure should not be far off the mark, considering even just one syndicate can amass hundreds of millions of dollars through this scam. The CryptoLabs syndicate stole as much as $500 million through pig butchering, while another group based in Australia gained $100 million. In 2021, victims in the United States alone reported $429 million in losses from pig butchering scams. Astoundingly, pig butchering does not appear to be slowing down, even as authorities and regulators aggressively combat the scam. Pig butchering is successful in spite of this growing vigilance in large part because it is both a financial and an emotional scam. With their emotions compromised, it is difficult for victims to recognize the dubious investment and to back out when they feel something is not right.
Here is how a pig butchering scheme usually works and advice on how to identify red flags at each step in the process.
Initial message: The scammer (for the sake of convenience, we will use this catch-all term, even if some of them may be victims themselves) will make contact with the prospect.
Red flag: While some messages may directly address the target, others will be intentionally framed as though they are mistakenly sent. The scammer may address a different person, contacting them about some seemingly mundane pretext. “Are we going to the salon tonight?” one message read, piquing the interest of a victim who eventually lost $1.6 million in just three months.
This ruse is designed to lower one’s guard and make the encounter seem accidental - people are likely to be skeptical when receiving random messages that directly address them by name. Scammers appear to be channel-agnostic, sending these messages over SMS, email, and other messaging platforms. In August 2022, one victim reported that scammers reached out via Line and WeChat, promoting a cryptocurrency investment platform with the simexlua.com domain.
While the victims vary widely, most are professionals, executives, or business owners - exactly the type of people the scammers purport to be. In some cases, the profiling seems to be more advanced, with scammers favoring middle-aged people or empty nesters who may be lonely and thus more likely to engage with them.
“...If you were the kind of person who was kind of looking for some sort of
connection, you could see how you’d be easily lured in, sucked in by a seemingly innocuous conversation with a nice person,” explained Alastair McCready, the Southeast Asia Editor for Vice World News, in a podcast.
The best defense here can be found in the wisdom parents bestow upon their kids: don’t talk to strangers.
Character-building - The scammer will continue chatting with the target. If they did not already start communicating on a traditional messaging platform, the scammer may invite the target to move the conversation to one such as WhatsApp or Skype. Over the course of the conversation, the scammer will portray the image of an educated, cosmopolitan, and attractive (the scammer will find a way to slip a selfie in as part of their story-telling) individual. Some may even pretend to volunteer to virtue signal to the victim that they are a kind-hearted, trustworthy person.
Crucially, the scammer will present themselves as financially successful - perhaps as an executive or entrepreneur - so they have credibility later on. Though these backstories are all hypothetical, they will appear consistent because they are based on well-memorized scripts. The scammer will occasionally improvise to build a deeper connection with the victim.
Red flag: These scammers have evolved from the days of pretending to be a Nigerian prince. Instead, scammers will model real-life people who you would want to date or befriend.
As their interest grows, the victim may reverse-image search some of the photos that the target has shared. If nothing comes up, the victim may take this as evidence that their new friend is a real, albeit private person. This should not be the case. Failing for matches to appear on reverse-image search should not be taken as evidence that the photos are genuine. They could still very well be scraped from the social media profiles of unsuspecting victims, generated with AI, or bought on a marketplace.
Rapport-building - Once it is clear the target views the digital persona as a friend or romantic interest, the scammer will do their best to ingratiate themselves with the target. Like real companions, they will send messages at different points of the day, share random thoughts as much as deep ones, send more photos and selfies, and bond over inside jokes. Unfortunately, this is the pig being fattened. If the target has a clear romantic interest in the persona, the scammer may take it a step further by love-bombing that person or overwhelming them with attention, compliments, and sweet nothings. This approach works particularly well for emotionally vulnerable people, as in the case of a recently heartbroken man who was manipulated by a scammer who stated that he was also looking for a long-term relationship.
At some point, the scammers will subtly steer the conversation toward
cryptocurrency trading, mining, or some other investment scheme. Because the persona is a friend or a romantic interest, they will not push too hard if the target shows little interest. Instead, they will return to the topic once they have built even more rapport or connection with the target. If the victim is receptive to the topic, the scammer may jump straight into step four, which is asking directly for cash.
With this emotional and psychological connection, pig butchering schemes sit on the opposite side of scams like ransomware and extortion. In those scams, the bad actor is upfront and explicit about their intentions. With ransomware, lock your laptop or threaten the exposure of data unless a ransom is paid. With extortion, they threaten the target to comply or risk facing violence or some other punishment. Ignoring the bad actors in these cases disincentivizes them from continuing the scheme: their priority is to target someone, after all, who fears they have something to lose and is thus more likely to comply with their demands at some point.
Pig butchering scams are arguably successful because they take a vastly different approach, with the scammers presenting themselves as a well-meaning friend or companion. So even if their initial ask to invest is rebuffed, they will still continue with the relationship knowing that their growing rapport may enable them to break down the target’s guard down the road.
Red flag: If you randomly meet someone you click with online, you will most likely escalate communication with them, beginning first with a voice or video call before meeting in person. The scammer, on the other hand, will have a litany of excuses for not being able to do these things. Some may refuse any kind of live communication. Some may accept scheduled voice calls but say that their camera is broken or give some other reason that they cannot appear on the screen. Some may agree to meet in person, only to find some reason to back out at the last minute – often due to an emergency.
The caveat here is that some pig butchering operations have gotten so big that they have the resources to fool targets in this phase as well. Some may have an attractive person - one reasonably consistent with shared photos - on hand to take video calls. Victims should not take these communications as proof that a person really is who they say they are. In the immortal words of Andy Grove: only the paranoid survive.
The ask - At some point, the persona will mention an investment scheme in passing. Some will even post screenshots of their supposed earnings. These investments are commonly related to crypto - because it is more difficult to trace - but occasionally they are not. What unites all the investment schemes is that they are accessible via some sort of online platform that the person has a scoop on or connection with. Ideally, the target will take the bait and broach the topic with the scammer. The scammer will then educate the target about the scheme, before eventually asking or encouraging them to sign up for an account and make an investment.
Red flag: While the website may appear legitimate - the most common categories they fall into are mining operations, exchanges, and brokerages - the purported company will not have a digital footprint, as even small businesses do. People should look up the URL on a domain registry. A recently created website may be a clear indicator that it is a front for a scam.
In some cases, scammers may impersonate domains of legitimate crypto
exchanges, purporting to be them. People should do their due diligence by
double-checking the URL for any misspellings or inaccuracies. In other scenarios, scammers may purport to have some connection with legitimate crypto exchanges, such as being their subsidiary for a specific market. People should check the legitimate exchange’s website for any information that shows there really is any affiliation between the two organizations.
The best way to avoid these problems is to partake in legitimate investment or cryptocurrency websites. These will have extensive know-your-customer processes in place, will be regulated by relevant authorities in a particular jurisdiction, and have a network of other legitimate partners, such as for cash-in and cash-out.
The quick win - Because the platform is entirely controlled by scammers, they will make it seem as though the target gained profits on their initial investment after a few days. These returns are of course entirely fictitious. Just like in pyramid schemes, the fake returns in a pig-butchering scheme are meant to assure people that the investment is real, tempting them to invest even more money.
Red flag: If the target tries to withdraw these returns, the platform may for some reason prevent the cash-out. The platform may even request additional fees or charges as part of the withdrawal process to get more money from the victim. If the target mentions this idea to the persona, the scammer may discourage the target from doing so.
A caveat here is that some scammers have released early winnings to targets,
knowing that obtaining cash could inspire more confidence to invest again
and in larger amounts. Receiving earnings should not be taken as evidence
that an investment is legitimate, as this has been an age-old tactic going back to
pyramid schemes.
Many scammers even turn the table on victims, demanding payment of taxes,
fees, or security deposits to ensure that they are not involved in illegal activity. Put on the defensive, many victims, unfortunately, do comply. By making it seem like the platform is concerned with criminality, scammers can create a veneer of legitimacy.
The disappearance - After the initial investment, the persona and platform will work hand-in-hand to get the target to invest more and more money. The persona will leverage their rapport or romantic connection with the target to convince them to increase their position. The platform will continue to post fictitious profits. Unlike before, where a platform may have released some funds to the target, all funds past this point will be stolen in their entirety. The platform will make up all sorts of reasons a person cannot cash out, such as a hold being placed on their account.
At this point, the target may start to have suspicions at the back of their mind about the veracity of the investment scheme. But many still do not back out. Apart from their
emotional or romantic connection to the persona, engaging in sunk cost fallacies keep them stuck: they are reluctant to back out of the investment because they have already poured so much money, or sunk costs, into the venture. In this case, the target may be hoping that the scheme ends up being real and that they recoup their investment. Sadly, many people have lost their life savings by relying on this false hope.
If a target is able to see past this sunk cost fallacy and realize they are being scammed, they should cease communication with the scammer and stop the use of the platform. If any transactions were processed from their bank, they should ask the bank to cancel any pending transactions and report details of where previous funds were sent to the appropriate regulators. The individual should also file a report with the relevant authorities.
Red flag: Once the target ghosts the scammer, they may be contacted by people purporting to specialize in the recovery of stolen assets, who can assist for an advanced fee. These people may be the scammers themselves operating under a different persona. A person who has already fallen victim to one scam, after all, is more likely to fall for another one compared to a totally new prospect. Many victims of pig-butchering are unfortunately victimized again by crypto recovery services.
After the money is transferred - from either the original pig butchering scheme or any subsequent schemes - it goes through a complex laundering process. One study has shown that scammers prefer the use of Tether. Due to its speed, stability, and low transaction fees, it is easier to launder the victim’s funds across various exchanges. Scammers may further obfuscate the trail by chain peeling, which involves distributing large funds across many small transactions, and availing of swapping services, which enable them to change one crypto to another without the use of fiat.
The regulatory response
While individuals can exercise due diligence when interacting with anyone online, especially people they have not met, there is only so much they can do. It’s the role of the government to stamp out these pig-butchering schemes at their root, especially as they are deeply interconnected with human trafficking. Governments around the world have the opportunity to right two wrongs.
At the global level, there has not been a unified approach to pig-butchering. The closest was an international operation from Interpol from March to May 2022 that targeted operators of social engineering scams in 76 countries, including those who perpetrated romance scams.
There is much more concerted effort at the national and local level. For example, the FBI has issued a warning about pig butchering, advising individuals to follow a basic rule of thumb. “If the deal looks too good to be true, it probably is,” said Special Agent in Charge Raul Bujanda of the Albuquerque FBI Division. For their part, the United States Secret Service is welcoming tips from potential victims of pig-butchering to an email and telephone hotline, including details on “cryptocurrency addresses, transaction hashes, and dates of transactions.”
Others, such as the US Attorney’s Office, have seized websites involved in pig butchering. Such actions may be more a nuisance to criminals than a deterrent: the cost of putting up another similar website is negligible. Seizing websites may amount to a digital game of whack-a-mole, with new pig-butchering platforms popping up when others are stamped out.
Some local government units are attacking the flow of funds. A cease and desist order issued by the Delaware Department of Justice was more than just an empty pronouncement. With this issuance, wallets associated with scammers were effectively frozen - they would not be able to move funds out, due to restrictions set with any affiliated exchange.
As the Delaware DOJ example shows, using on-chain analytics may be the best way to combat pig butchering. By tracking the flow of funds, authorities, exchanges, and other stakeholders can take appropriate action. Preventing scammers from accessing stolen funds may be the best deterrent of all: scammers may not want to slaughter pigs if there is nothing left to eat.