Pig Butchering: Lucrative business model for cyber gangs

Sophos has uncovered how Sha Zhu Pan scammers now use a business model similar to cybercrime-as-a-service for their romance-themed pig-butchering scams.

The fraudsters sell Sha Zhu Pan kits on the dark web worldwide and are expanding into new markets. Sophos describes these operations (also known as pig butchering) in the article “Cryptocurrency Scams Metastasize into New Forms.” The new kits come from organized crime gangs in China and provide the technical components needed to run a particular pig-butchering scheme called “DeFi savings”. The criminals present DeFi savings as passive investment options similar to money market accounts. Victims only need to connect their crypto wallets to a brokerage account in the expectation of earning significant interest on their investment. In reality, victims connect their wallets to a fraudulent cryptocurrency trading pool from which the criminals drain them.

The fraud model is becoming more professional

“When pig butchering first emerged during the COVID pandemic, the technical aspects of the scams were relatively primitive and required significant effort to successfully deceive victims,” explains Sean Gallagher, Principal Threat Researcher at Sophos. “But the crooks have refined their techniques and we are seeing a similar evolution to what ransomware and other types of cybercrime have seen in the past: the evolution of an as-a-service model.

Pig-butchering gangs create ready-made DeFi app kits that other cybercriminals can purchase on the dark web. As a result, new crime rings unaffiliated with Chinese groups are popping up in areas such as Thailand, West Africa and even the United States. As with other types of commercial cybercrime, these kits lower the barriers to entry for cybercriminals and significantly increase the potential victim pool. This method was already a multi-billion dollar fraud phenomenon last year and is expected to grow exponentially this year.”

Development of Pig Butchering

Sophos X-Ops has been tracking the evolution of pig butchering for two years. The first variants – dubbed “CryptoRom” by Sophos – contacted potential victims via dating apps and then tricked them into downloading fraudulent third-party crypto trading applications.

  • 2022: Fraudsters found ways to circumvent app store review procedures and funnel their fraudulent apps into the legitimate Apple App Store and Google Play Store. In the same year, a new fraud pattern emerged: fake cryptocurrency trading pools (liquidity mining).
  • 2023: Sophos X-Ops uncovered two giant pig-butchering rings based in Hong Kong and Cambodia. These gangs used legitimate crypto trading apps and created fake personas to lure victims. Further investigation revealed that the crooks had also added AI to their arsenal.
  • End of 2023: For the first time, Sophos X-Ops was able to demonstrate that ready-made fraud kits for pig butchering were available for sale.

Elaborate victim-coaxing is a thing of the past

In the recent DeFi savings cases investigated by Sophos, victims engage in fraudulent crypto trading through legitimate, well-known cryptocurrency apps, unknowingly giving the scammers direct access to their wallets. In addition, the fraudsters can hide the wallet network that launders the stolen cryptocurrency, making the fraud harder for law enforcement to trace.

“The DeFi saving scam is the culmination of the past two years as pig-butchering scammers have refined their approach. Gone are the days when fraudsters had to convince victims to download an app or transfer the cryptocurrency themselves to a stolen digital wallet,” said Gallagher. “The gangsters have also learned how to market their activities better. They exploit the functionality of liquidity mining pools to steal funds by telling victims it is a simple investment account. This makes it easier for victims to invest because most of them don't understand cryptocurrency trading and everything happens under the guise of trustworthy brands. In other words, it has never been easier to fall victim to a pig butchering scam, and never has it been more important to be aware of the existence of these scams and know what to look out for.”
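The article says victims hand the scammers access to their wallets by "connecting" them to the pool, but does not spell out how. In practice the connection step is a signed token approval: an ERC-20 approve() (or, for NFTs, an ERC-721/1155 setApprovalForAll()) naming the scammer's pool contract as spender, after which the contract can move the tokens without any further action by the victim. The following Python is an added example, not Sophos code or anything from the report, showing the check a wallet or browser extension can make before the user signs: decode the calldata, and block unlimited allowances to spenders the user has never vetted. Every address and transaction in it is constructed for the example; only the 4-byte selectors are the real, standard ones.

```python
"""Decode and risk-rate token-approval transactions before a wallet signs them.

Added example for this article, not Sophos code. A fake "DeFi savings" or
liquidity-mining pool gets at a victim's funds by having the victim sign an
ERC-20 approve() (or ERC-721/1155 setApprovalForAll()) that names the scammer's
contract as spender; the wallet itself never leaves the victim. A wallet or
browser extension can decode the calldata and warn before the signature is
given. The selectors are the standard ones; every address and transaction
below is constructed for this example.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

UINT256_MAX = 2**256 - 1

# Standard 4-byte selectors: first 4 bytes of keccak256(function signature).
APPROVE = "095ea7b3"               # approve(address,uint256)
INCREASE_ALLOWANCE = "39509351"    # increaseAllowance(address,uint256)
SET_APPROVAL_FOR_ALL = "a22cb465"  # setApprovalForAll(address,bool)
TRANSFER = "a9059cbb"              # transfer(address,uint256) -- not an approval

# Constructed addresses (hypothetical, not real contracts).
SCAM_SPENDER = "0x1111111111111111111111111111111111111111"  # the fake "DeFi savings" pool
DEX_ROUTER = "0x2222222222222222222222222222222222222222"    # a spender the user already vetted
TRUSTED = {DEX_ROUTER}


@dataclass
class Approval:
    kind: str        # approve / increaseAllowance / setApprovalForAll
    spender: str     # 0x-prefixed, lowercase
    amount: int      # allowance; setApprovalForAll(true) is normalised to UINT256_MAX


def _word(value: int) -> str:
    """One 32-byte ABI word as 64 hex characters."""
    return format(value, "064x")


def encode_approve(spender: str, amount: int) -> str:
    """ABI-encode approve(spender, amount); used here only to build sample transactions."""
    addr = spender.lower().removeprefix("0x")
    return "0x" + APPROVE + addr.rjust(64, "0") + _word(amount)


def encode_set_approval_for_all(operator: str, approved: bool) -> str:
    """ABI-encode setApprovalForAll(operator, approved)."""
    addr = operator.lower().removeprefix("0x")
    return "0x" + SET_APPROVAL_FOR_ALL + addr.rjust(64, "0") + _word(1 if approved else 0)


def decode_approval(calldata: str) -> Optional[Approval]:
    """Return the Approval a transaction grants, or None if it is not an approval."""
    data = calldata.lower().removeprefix("0x")
    selector, args = data[:8], data[8:]
    words = [args[i:i + 64] for i in range(0, len(args), 64)]
    if len(words) < 2 or len(words[1]) != 64:
        return None                       # truncated or malformed calldata
    spender = "0x" + words[0][24:]        # an address is right-aligned in its 32-byte word
    if selector == APPROVE:
        return Approval("approve", spender, int(words[1], 16))
    if selector == INCREASE_ALLOWANCE:
        return Approval("increaseAllowance", spender, int(words[1], 16))
    if selector == SET_APPROVAL_FOR_ALL:
        approved = int(words[1], 16) != 0
        return Approval("setApprovalForAll", spender, UINT256_MAX if approved else 0)
    return None


def assess(calldata: str, trusted_spenders: set, balance: Optional[int] = None) -> Tuple[str, str]:
    """Rate a pending transaction: ('ok' | 'warn' | 'block', reason)."""
    ap = decode_approval(calldata)
    if ap is None:
        return "ok", "not an approval"
    if ap.amount == 0:
        return "ok", f"revokes {ap.kind} for {ap.spender}"   # approve(spender, 0) is the revocation
    if ap.spender in {s.lower() for s in trusted_spenders}:
        return "ok", f"{ap.kind} to known spender {ap.spender}"
    if ap.amount == UINT256_MAX:
        return "block", f"unlimited {ap.kind} to unknown spender {ap.spender}"
    if balance is not None and ap.amount > balance:
        return "block", f"{ap.kind} of {ap.amount} exceeds balance {balance}; unknown spender {ap.spender}"
    return "warn", f"{ap.kind} of {ap.amount} to unknown spender {ap.spender}"


# Constructed sample transactions.
SCAM_TX = encode_approve(SCAM_SPENDER, UINT256_MAX)   # what the fake pool asks the victim to sign
LEGIT_TX = encode_approve(DEX_ROUTER, 50 * 10**6)     # 50 tokens with 6 decimals, to a vetted router
TRANSFER_TX = "0x" + TRANSFER + SCAM_SPENDER[2:].rjust(64, "0") + _word(10**6)

if __name__ == "__main__":
    for name, tx in [("scam", SCAM_TX), ("legit", LEGIT_TX), ("transfer", TRANSFER_TX)]:
        verdict, reason = assess(tx, TRUSTED)
        print(f"{name:9s} {verdict:5s} {reason}")
```

Two points a practitioner would take from this. First, the dangerous transaction looks harmless to the victim: it moves no funds at the moment of signing, which is exactly why the scam works under the guise of a trusted app. Second, an allowance outlives the deposit: once granted, it stays valid for anything the victim later puts into the same wallet, so withdrawing funds (as the prevention list below recommends) should be paired with revoking the allowance, which is an approve() of 0 to the same spender and is what the code above classifies as a revocation.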

Prevent Pig Butchering Scams

To avoid falling victim to a pig butchering scam, Sophos recommends the following steps:

  • Be skeptical of strangers who contact you via social networks such as Facebook or via SMS, especially if they want to quickly move the conversation to a private messenger like WhatsApp.
    This also applies to new matches on dating apps, and especially if the stranger starts talking about trading cryptocurrencies.
  • Be suspicious of any get-rich-quick offer or cryptocurrency investment opportunity that promises big profits in a short period of time.
  • Familiarize yourself with the tactics of romance and investment scams. Non-profit organizations such as the Cybercrime Support Network offer plenty of information on this.
  • Anyone who may have fallen victim to pig butchering should immediately withdraw all funds from the affected wallets and contact law enforcement.

History of the Pig Butchering Investigation

  • 2021: Sophos X-Ops discovers the first fake “CryptoRom” trading apps targeting users in Asia.
    Shortly thereafter, Sophos X-Ops discovers that these fraudsters are expanding their activities and targeting victims in the US and Europe.
  • 2022: Sophos X-Ops identifies a new type of pig butchering: liquidity mining.
  • 2023: Sophos X-Ops uncovers two massive pig-butchering rings operating out of Hong Kong and Cambodia. Instead of using fake apps, these scammers now use legitimate crypto trading applications and create sophisticated personas to lure their victims.
    Sophos X-Ops finds more fake apps and learns that pig-butchering scammers are now adding generative AI to their toolkit. A pig-butchering victim loses $22,000 in a week; this leads Sophos X-Ops to a massive liquidity-mining fraud run by three different Chinese organized crime rings.
  • 2024: Sophos X-Ops uncovers the most sophisticated pig-butchering scam yet: “DeFi savings”. This and other crypto-based scams are being offered for sale as kits, resulting in pig-butchering rings popping up in new regions of the world.

More at Sophos.com


About Sophos

More than 100 million users in 150 countries trust Sophos. We offer the best protection against complex IT threats and data loss. Our comprehensive security solutions are easy to deploy, use and manage. They offer the lowest total cost of ownership in the industry. Sophos offers award-winning encryption solutions, security solutions for endpoints, networks, mobile devices, email and the web. In addition, there is support from SophosLabs, our worldwide network of our own analysis centers. The Sophos headquarters are in Boston, USA and Oxford, UK.

