A major pig butchering (shā zhū pán) scam operation has been observed using fake trading pools of cryptocurrency to entice their victims to part with their savings, and has likely netted over $1m during the course of the scam, according to new intelligence released by the Sophos X‑Ops research team.
This is the latest in a series of ongoing research disclosures by Sophos researchers as they investigate so-called pig butchering scams – the practice of conning victims out of their money using a combination of romance-themed social engineering lures and fraudulent crypto trading.
In early 2023, they detailed how these cyber criminal gangs – usually located in the Asia-Pacific region – were getting their malicious apps listed on Apple and Google mobile app stores by bypassing security measures, and more recently, they revealed how pig butchers are turning to generative artificial intelligence (AI) chatbots to con their victims.
The latest twist in the saga sees the pig butchers setting up fraudulent domains that take advantage of the essentially unregulated world of decentralised finance (DeFi) crypto trading apps.
As part of their functionality, such apps create liquidity pools of various cryptocurrencies that users can tap into to trade from one to another, with those participating in the pool receiving a percentage of any fee paid when a trade is made. To join pools, participants in general must sign an online contract that gives the pool operators permission to access their crypto wallets in order to trade. This is a highly risky practice in general.
At first glance, the pig butchering ring tracked by Sophos operates in much the same way as a legitimate one, establishing pools of cryptocurrency assets and adding new traders – or, in this case, victims – until such time as the cyber criminals drain the entire pool for themselves. This is what is known as a rug-pull. When combined with the traditional pig butchering romance scam, it can be extremely effective, as Sean Gallagher, Sophos principal threat researcher, observed.
“When we first discovered these fake liquidity pools, it was rather primitive and still developing. Now, we’re seeing shā zhū pán scammers taking this particular brand of cryptocurrency fraud and seamlessly integrating it into their existing set of tactics, such as luring targets over dating apps,” explained Gallagher.
“Very few understand how legitimate cryptocurrency trading works, so it’s easy for these scammers to con their targets. There are even toolkits now for this sort of scam, making it simple for different pig butchering operations to add this type of crypto fraud to their arsenal. While last year, Sophos tracked dozens of these fraudulent ‘liquidity pool’ sites, now we’re seeing more than 500.”
A little ditty about Frank and Vivian
Gallagher first got wise to this particular group of scammers when he was contacted by Frank, a victim who had read some of the previous research. Frank – which is not the victim’s real name – had thought he was connecting on the MeetMe dating app with a woman named Vivian, who said she was a German national living in Washington DC.
Frank and Vivian chatted online for some weeks, during which time Vivian, who was of course the scammer, mixed romantic promises with persistent attempts to get Frank to invest in crypto assets, as is standard practice in the con.
Unfortunately for Frank, he was convinced to open an account with the legitimate Trust Wallet dollar-to-cryptocurrency conversion service, which he connected to the liquidity pool Vivian had recommended to him.
At several points during the course of their conversation, Frank came close to stumbling on the ruse when the scammer – apparently by accident – wrote messages to him in Chinese instead of English, but the scammer was able to convince him that she had mistakenly pasted into their chat text from a translation app that she was using to talk to a friend in China.
After a long process – Frank being initially sceptical of cryptocurrency investments – he was lured to the fake pool site, which convincingly spoofed the brand of established DeFi platform provider Allnodes. He paid $22,000 into the pool between 31 May and 5 June 2023, and just three days later, found that his wallet had been emptied.
In an attempt to recover his money, Frank contacted Vivian, who claimed he needed to pay in additional funds in order to do so. Frank got his bank to authorise a money transfer to Coinbase, but while this was happening he started doing some research, at which point he found out about Sophos’ work and reached out.
During the subsequent conversation, Gallagher told Frank to block his contact, but Vivian tracked him down via Telegram and continued her attempts to lure him into parting with even more money. At one point, she sent a lengthy and apparently emotional letter – likely an AI creation.
Gallagher said that this new variety of pig butchering scam presents a particularly tricky problem as it requires no malware or fake app to be downloaded to the victim’s device, unlike some other variants – indeed, the entire fake pool can be run through legitimate services like Trust Wallet; at one point Frank tried to contact Trust Wallet’s tech support team but the pig butchers connected him instead to a fake contact.
And herein lies a big part of the problem, said Gallagher, because there is no regulation of liquidity pools even when supposedly legitimate.
“These scams succeed solely through social engineering, and the scammers are persistent,” he said. “The only way to stay safe from these scams is to be vigilant and know that they exist and how they operate. That is why Frank wanted to share his story.
“Users need to be wary of anyone they have no connection with reaching out to them suddenly via any dating app or social media platform, particularly if the ‘person’ reaching out wants to move the conversation to a platform like WhatsApp and then discusses investing in cryptocurrency.”
If you need help
A more in-depth account of Frank’s experience can be found on Sophos’ blog, and Gallagher and his colleague Jagadeesh Chandraiah are still keen for other victims to come forward in confidence.
In the meantime, if you think you have engaged with a pig butcher and may be using a fake liquidity pool app, there are a number of actions you can take:
- Use the website Revoke – https://revoke.cash/ – from within your wallet app or browser to break the contract on the wallet, letting you identify and revoke permissions (this is not a free service);
- Move your funds to a new wallet, particularly if you can’t break the contract;
- Contact the exchange from which you bought the cryptocurrency through your wallet provider. Do not turn to support chats in the liquidity pool app itself as they will likely be controlled by the pig butchers. This is a link to Trust Wallet’s real helpdesk.
- Collect the transaction data associated with your wallet with a blockchain explorer like Etherscan by pasting your wallet ID into its search. You can share this information with security teams and police;
- If the rug-pull has taken place and your funds are gone, on no account engage with any crypto recovery provider advertised on social media – in general these are also scams;
- Report the activity to the relevant authorities. In England and Wales, Action Fraud should be your first port of call. In Scotland, you should instead contact Police Scotland by phoning 101, and readers in Northern Ireland can also contact Action Fraud. In the US, both the US Secret Service and the FBI are empowered to investigate crypto fraud although they may not always act on individual cases.
- Understand that you are not alone. These scams are sophisticated and their perpetrators are experts at manipulation – there is no shame in falling victim to one.
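
To make the "identify permissions" and "collect the transaction data" steps concrete, here is an added example (not code from the article or from Sophos) that replays a wallet's exported transactions and lists token approvals that were never zeroed out. It assumes the permission was granted as a standard ERC-20 `approve` call, which the article does not specify; the record fields `hash`, `block`, `to`, `input` and `failed` are hypothetical names, and all sample addresses and hashes are constructed placeholders.

```python
APPROVE_SELECTOR = "095ea7b3"   # first 4 bytes of keccak256("approve(address,uint256)")
UNLIMITED = 2**255              # assumption: top bit set is treated as "unlimited"

def decode_approve(input_hex):
    """Return (spender, amount) for ERC-20 approve() calldata, else None."""
    data = input_hex.lower()
    data = data[2:] if data.startswith("0x") else data
    if len(data) < 136 or not data.startswith(APPROVE_SELECTOR):
        return None
    spender_word, amount_word = data[8:72], data[72:136]
    try:
        amount = int(amount_word, 16)
        int(spender_word, 16)
    except ValueError:
        return None
    if spender_word[:24] != "0" * 24:   # address must be left-padded with zeros
        return None
    return "0x" + spender_word[24:], amount

def outstanding_approvals(transactions):
    """Replay successful transactions oldest-first; return grants not later zeroed.
    This lists what was granted; the live allowance may be lower after spending."""
    grants = {}
    for tx in sorted(transactions, key=lambda t: t["block"]):
        decoded = None if tx.get("failed") else decode_approve(tx["input"])
        if decoded is None:
            continue
        spender, amount = decoded
        key = (tx["to"].lower(), spender)        # (token contract, spender)
        if amount == 0:
            grants.pop(key, None)                # approve(spender, 0) revokes
        else:
            grants[key] = {"token": key[0], "spender": spender, "amount": amount,
                           "unlimited": amount >= UNLIMITED, "tx": tx["hash"]}
    return list(grants.values())

def _calldata(spender, amount):                  # builds constructed sample input
    return "0x" + APPROVE_SELECTOR + spender[2:].rjust(64, "0") + format(amount, "064x")

# Constructed sample records; all addresses and hashes are placeholders.
TOKEN_A, TOKEN_B = "0x" + "11" * 20, "0x" + "22" * 20
POOL, OTHER = "0x" + "aa" * 20, "0x" + "bb" * 20
SAMPLE = [
    {"hash": "0xtx1", "block": 100, "to": TOKEN_A, "input": _calldata(POOL, 2**256 - 1)},
    {"hash": "0xtx2", "block": 110, "to": TOKEN_B, "input": _calldata(OTHER, 500)},
    {"hash": "0xtx3", "block": 120, "to": TOKEN_B, "input": _calldata(OTHER, 0)},
    {"hash": "0xtx4", "block": 130, "to": OTHER, "input": "0x"},
    {"hash": "0xtx5", "block": 105, "to": TOKEN_A, "input": "0xa9059cbb" + "0" * 128},
]
```

Any entry this returns, especially one marked unlimited, names a spender that can still move that token from the wallet and is a candidate for revocation or for moving funds to a new wallet.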