Malicious actors have stolen more than $1m in a ‘pig butchering’ cryptocurrency scam in just three months, researchers from Sophos have found.
The highly sophisticated operation used a total of 14 domains and dozens of nearly identical fraud sites, according to the investigation.
The attackers utilized fake trading pools of cryptocurrency from decentralized finance (DeFi) trading applications to defraud their victims, with one individual losing $22,000 in a single week.
These “liquidity pools,” which encompass various types of cryptocurrencies, enable users to make profits by trading from one cryptocurrency to another. Those who participate receive a percentage of any fee paid when a trade is made – with another account (typically the operators of the pool) given permission to access participants’ wallets to facilitate the trades.
Sophos found that pig butchers are increasingly setting up such pools to siphon funds from users – ultimately emptying victims’ entire liquidity pools for themselves.
Victim Loses $22,000 in One Week
The report highlighted the case of an individual named ‘Frank,’ who lost $22,000 to such a scheme after being duped by an online dating scam.
Frank was contacted by ‘Vivian’ on the dating app MeetMe, who claimed to be a German woman living in Washington D.C. for work. During weeks of romantic messages, Vivian made persistent attempts to convince Frank to invest in cryptocurrency, recommending a liquidity pool site.
Frank eventually opened a Trust Wallet Account, enabling him to convert dollars to cryptocurrency, connecting to a link to the liquidity pool site. This was a fraudulent site impersonating decentralized finance provider Allnodes.
Between May 31 and June 5, Frank invested $22,000 in the pool, and just three days later the funds were emptied by the scammers.
He then turned to Vivian, who urged Frank to invest even more in the pool to recover his funds and reap the “rewards.” While waiting for his bank to authorize a money transfer to Coinbase, Frank undertook some research, finding an article on liquidity mining from Sophos, whom he contacted for help.
Sean Gallagher, principal threat researcher at Sophos, told Frank to block Vivian; however, she persisted in her attempts to entice him into continuing the investment, even sending a lengthy, emotional letter that Gallagher believes was created by a generative AI app.
A Sophisticated Operation
Sophos highlighted the sophistication of this pig butchering scam operation, which didn’t even require any malware to be installed on the victim’s device, instead utilizing social engineering tactics.
Gallagher noted: “This entire fake liquidity pool was run through the legitimate Trust Wallet app. At one point, Frank even tried to contact Trust Wallet’s support to recover his money, but he connected with a fake support contact from the fraudulent liquidity pool site.”
Gallagher warned that pig butchering scams, also known as shā zhū pán, are growing in prevalence and are proving highly effective for threat actors.
“Very few understand how legitimate cryptocurrency trading works, so it’s easy for these scammers to con their targets. There are even toolkits now for this sort of scam, making it simple for different pig butchering operations to add this type of crypto fraud to their arsenal. While last year, Sophos tracked dozens of these fraudulent ‘liquidity pool’ sites, now we’re seeing more than 500,” he noted.
He urged people to be wary of anyone they have no connection with reaching out to them suddenly via any dating app or social media platform, particularly if the ‘person’ reaching out wants to move the conversation to a platform like WhatsApp and then discusses investing in cryptocurrency.
Sophos has shared its findings with crypto intelligence experts Chainalysis and exchange platform Coinbase, who are continuing to investigate the extent of pig butchering scams.