Sophos has uncovered how Sha Zhu Pan scammers are now using a business model similar to “cybercrime-as-a-service” for their supposedly romance-oriented so-called pig-butchering scams.
The fraudsters sell Sha Zhu Pan kits on the dark web all over the world and are expanding into new markets. Sophos describes these operations (also known as pig butchering) in the article “Cryptocurrency Scams Metastasize into New Forms.” The new kits come from organized crime gangs in China and provide the technical components needed to run a specific pig-butchering scheme called “DeFi savings”. The criminals present DeFi savings as a passive investment option similar to a money market account. Victims simply need to connect their crypto wallets to a brokerage account with the expectation that they will earn significant interest on their investment. In reality, victims connect their crypto wallets to a fraudulent cryptocurrency trading pool, where the wallets are drained by the criminals.
The fraud model is becoming more professional
“When pig butchering first emerged during the COVID pandemic, the technical aspects of the scams were relatively primitive and required significant effort to successfully deceive victims,” explains Sean Gallagher, Principal Threat Researcher at Sophos. “But the crooks have refined their techniques and we are seeing a similar evolution to what ransomware and other types of cybercrime have seen in the past: the evolution of an as-a-service model.
Pig-butchering gangs create ready-made DeFi app kits that other cybercriminals can purchase on the dark web. As a result, new crime rings unaffiliated with Chinese groups are popping up in areas such as Thailand, West Africa and even the United States. As with other types of commercial cybercrime, these kits lower the barriers to entry for cybercriminals and significantly increase the potential victim pool. This method was already a multi-billion dollar fraud phenomenon last year and is expected to grow exponentially this year.”
Development of Pig Butchering
Sophos X-Ops has been tracking the evolution of pig butchering for two years. The first variants – dubbed “CryptoRom” by Sophos – contacted potential victims via dating apps and then tricked them into downloading fraudulent third-party crypto trading applications.
- In 2022, fraudsters found ways to circumvent App Store review procedures and funnel their fraudulent apps into the legitimate App Store and Google Play Store. In the same year, a new fraud pattern also emerged: fake cryptocurrency trading pools (liquidity mining).
- In 2023, Sophos X-Ops uncovered two giant pig-butchering rings based in Hong Kong and Cambodia. These gangs used legitimate crypto trading apps and created fake personas to lure victims. Further investigation revealed that the crooks had also added AI to their arsenal.
- At the end of 2023, Sophos X-Ops was able to demonstrate for the first time that ready-made fraud kits for pig butchering were available for sale.
Elaborate victim-coaxing is a thing of the past
In the DeFi savings scam, seen in recent pig-butchering cases investigated by Sophos, victims now engage in fraudulent crypto trading through legitimate, well-known cryptocurrency apps, unknowingly giving the scammers direct access to their wallets. Additionally, the fraudsters can hide the wallet network that launders the stolen cryptocurrency, making it difficult for law enforcement to track the fraud.
“The DeFi saving scam is the culmination of the past two years as pig-butchering scammers have refined their approach. Gone are the days when fraudsters had to convince victims to download an app or transfer the cryptocurrency themselves to a stolen digital wallet,” said Gallagher. “The gangsters have also learned how to market their activities better. They exploit the functionality of liquidity mining pools to steal funds by telling victims it is a simple investment account. This makes it easier for victims to invest because most of them don't understand cryptocurrency trading and everything happens under the guise of trustworthy brands. In other words, it has never been easier to fall victim to a pig butchering scam, and never has it been more important to be aware of the existence of these scams and know what to look out for.”
Prevent Pig Butchering Scams
To avoid falling victim to a pig butchering scam, Sophos recommends the following steps:
- Be skeptical of strangers who contact you via social networks such as Facebook or via SMS, especially if they want to quickly move the conversation to a private messenger like WhatsApp. This also applies to new matches on dating apps, and especially if the stranger starts talking about trading cryptocurrencies.
- Be suspicious of any get-rich-quick offers or cryptocurrency investment opportunities that promise big profits in a short period of time.
- Familiarize yourself with the lures and tactics of romance and investment scams. Non-profit organizations such as the Cybercrime Support Network offer a lot of information on this.
- Anyone who may have fallen victim to pig butchering should immediately withdraw all funds from the affected wallets and contact law enforcement.
History of the Pig Butchering Investigation
- 2021: Sophos X-Ops discovers the first fake “CryptoRom” trading apps targeting users in Asia. Shortly thereafter, Sophos X-Ops discovers that these fraudsters are expanding their activities and targeting victims in the US and Europe.
- 2022: A new type of pig butchering emerges: liquidity mining.
- 2023: Sophos X-Ops uncovers two massive pig-butchering rings operating out of Hong Kong and Cambodia. Instead of using fake apps, these scammers now use legitimate crypto trading applications and create sophisticated personas to lure their victims. Sophos X-Ops finds more fake apps and learns that pig-butchering scammers are now adding generative AI to their toolkit. A victim of pig butchering loses $22,000 in a week; this leads Sophos X-Ops to a massive liquidity-mining fraud run by three different Chinese organized crime rings.
- 2024: Sophos X-Ops uncovers the most sophisticated pig-butchering scam yet: the “DeFi savings” scam. These and other crypto-based scams are being offered for sale as kits, resulting in pig-butchering rings popping up in new regions of the world.
About Sophos
More than 100 million users in 150 countries trust Sophos. We offer the best protection against complex IT threats and data loss. Our comprehensive security solutions are easy to deploy, use and manage, and offer the lowest total cost of ownership in the industry. Sophos offers award-winning encryption solutions and security solutions for endpoints, networks, mobile devices, email and the web. In addition, there is support from SophosLabs, our worldwide network of in-house analysis centers. Sophos is headquartered in Boston, USA and Oxford, UK.