$1M crypto-romance scam exposed by Sophos


A pig-butchering ring that stole more than $1 million from victims in three months has been uncovered by cybersecurity firm Sophos.

The rather lurid term, translated from the Chinese “shā zhū pán,” refers to a hybrid form of romance scam that persuades targets to invest in fake cryptocurrency schemes.

Sophos launched its investigation after one of the victims, who goes by the pseudonym “Frank” to protect his identity, came forward with his story. Frank says he lost $22,000 earlier this year after someone claiming to be a German woman called “Vivian” approached him on dating app MeetMe.

The inquiry by Sophos researchers “uncovered a total of 14 domains associated with the scam operation, as well as dozens of nearly identical fraud sites that, together, netted this one ‘ring’ of pig butchers more than $1 million in three months.”

Frank and Vivian, in fact a scammer working for the ring, communicated on MeetMe for weeks. Purporting to be a US resident, Vivian continually “mixed her romantic promises with persistent attempts to convince Frank to invest in crypto.”

Between May 31st and June 5th, Frank put funds into a Trust Wallet account. Though Trust Wallet is a legitimate service, the pig butchers took just three days to drain the account of money. Sophos says such scams benefit from the unregulated nature of decentralized finance (DeFi) cryptocurrency trading apps.

“Such applications create ‘liquidity pools’ of various types of cryptocurrencies that users can then access to make trades from one cryptocurrency to another,” said Sophos. “Those who participate in the pool receive a percentage of any fee paid when a trade is made, creating an enticing return on investment.”

But where the rubber really hits the road is when the investor signs an online smart contract – usually to give pool operators permission to access wallets to facilitate trades.

All well and good if the pool is a legitimate operation, but this was not.

“Fake pools, which pig butchers are increasingly utilizing to siphon funds from targets, operate in much the same way,” said Sophos. “However, unlike legitimate pools, at some point these scammers ‘pull the rug’ and empty the entire liquidity pool for themselves.”

Pigs, pools, and crypto fools

Sean Gallagher, principal threat researcher at Sophos, warns that fake liquidity pools are increasingly sophisticated operations and therefore very attractive options for pig butchers. So much so that instances have multiplied in the past year from dozens to hundreds of cases observed by his team.

“Very few [investors] understand how legitimate cryptocurrency trading works, so it's easy for these scammers to con their targets,” he said. “There are even toolkits now for this sort of scam, making it simple for different pig butchering operations to add this type of crypto fraud to their arsenal.”

But be in no doubt, this is not merely a tech-enabled scam, and the persistence shown by the crooks involved is a cause for alarm in itself. Even after Gallagher told Frank to block Vivian, she managed to track him down on private comms app Telegram and “continued her attempts to entice him” into throwing away more money, using “a lengthy, emotional letter that was very likely created by a generative AI app.”

“What makes these sorts of scams particularly tricky is that they don’t require any malware to be installed on a victim’s device,” added Gallagher. “They don’t even involve a fake app, like some of those we’ve encountered in other CryptoRom [crypto-romance] scams.”

Even when Frank tried to contact the real Trust Wallet help center, he ended up being redirected to a fake support contact indexed to the bogus liquidity pool site. Pig butchers may sound crude by their popular name; in reality, they are anything but.

“These scams succeed solely through social engineering, and the scammers are persistent,” said Gallagher. “Vivian continued trying to contact Frank for weeks after he blocked her on WhatsApp.”

Yes, the rich get bilked too

Even money-savvy entrepreneurs aren’t immune to crypto scams. Billionaire investor and Dallas Mavericks basketball team owner Mark Cuban fell foul of one over the weekend after he “downloaded a version of [Ethereum crypto wallet] MetaMask with some shit in it” – his own words, according to DLNews.

A single act of carelessness on his part led to Cuban being taken for around $870,000 across ten different cryptocurrencies. To be fair, that is spare change to a wealthy man like him, but it still underscores the fact that anyone can fall prey to such scams if they aren’t constantly being careful.

“The only way to stay safe from these scams is to be vigilant and know that they exist and how they operate,” said Gallagher. “Users need be wary of anyone they have no connection with reaching out to them suddenly via any dating app or social media platform, particularly if the ‘person’ reaching out wants to move the conversation to a platform like WhatsApp and then discusses investing in cryptocurrency.”