The ‘pig butchering’ scam is a mixture of a romance and financial ‘investment’ scam. The scam is not unique to the crypto fraud world, with scammers having also invited victims into forex and commodities scams long before crypto was invented. Recently, popular culture has put this form of fraud in the spotlight, such as Netflix’s The Tinder Swindler documentary.
Here, Coinfirm’s Investigations Team do a deep dive into the prevalence of this type of scam in the crypto-asset world.
Why the Term ‘Pig Butchering’?
‘Pig butchering’ is also known as: Sha Zhu Pan (殺豬盤), Crypto Romance Scam, CryptoRom, Hybrid Investment Romance Scam and Romance Baiting.
The term ‘pig butchering’ comes from the concept of the scammer(s) targeting a victim and grooming them for weeks or months (in some cases years), to gain the confidence of the victim – as well as leading the victim on to the possibility of a romantic relationship (which never materialises) – and the end goal being to convince the victim to part with their entire life savings, and if possible, assets. Typically, scammers deploying this type of fraud work in tandem with a fake crypto investment website, app, broker or liquidity mining pool.
This targeting of a small handful of potentially vulnerable victims is in contrast to scammers seeking to take sums from as many victims as quickly as possible (such as rug pulls, Ponzi schemes etc).
Stages of the Hybrid Investment Romance Scam
Packaging – Scammer(s) foster long-term relationships with targets (using social media, dating sites)
Raising – Introduce targets to a fake online investment platform. The fake platform typically has a live customer service chat (the details of which are shared between the scammer(s) and those running the platform, often the same people).
Killing – Assume varying schemes to entice victims to deposit more and more funds into the sham platform. The relationship scammer, supposedly also ‘invested’ together with the victim, pressures him/her to keep depositing, often ‘loaning’ funds to the victim’s ‘account’ inside the fake platform.
Killed – The relationship scammer, customer service of the fake platform, and the platform itself disappear once the targets realise that they can no longer withdraw anymore (during the length of the scam, victims are allowed by the scammers to withdraw their deposits to build trust, with the final deposit typically very large are unable to be withdrawn).
The Data: Average Scheme Value Stolen, Ethereum vs Bitcoin Chains, and Clusters
Coinfirm’s Investigations Team found hundreds of victims that had fallen to this type of scam, with the scammers’ deposit addresses being funded with hundreds of millions of USD in crypto (USD 323M).
The average scheme – when comparing the Bitcoin and Ethereum blockchains – stole USD 727,946 in BTC, with USD 1,614,037 on the Ethereum blockchain in the coin and tokens analysed (ETH, USDT and USDC) at exchange rates calculated 13.09.2022. Stablecoins are popular with crypto scammers in general, as it enables them to collect deposits from multiple victims and not need to be concerned with ether’s market volatility.
Out of the analysis of the 5 most prevalent geographical locations of victims: 21% of victims came from the USA, 8.6% from the UK, 8.5% from Canada, 5% from Germany and 4.5% from France.
The investigation uncovered 148 website domains related to this type of scam, with some copycatting other (prominently known) legitimate crypto OTC or trading platforms such as localbitcoins.net (copying localbitcoins.com) and bittpex.com (copying Bittrex). Worryingly, 2 Asia-based CEXs cropped up in relation to 2 pump and dump scams with the tokens SHC and WMC (pump and dump frauds can be used in the ‘killing’ phase of this type of scam).
Many of the domains listed phone numbers from Hong Kong SAR, the UK and Laos (however, it is hard for victims to verify if the scammers are indeed in communication with them from those jurisdictions (as there are many mobile applications and services enabling people to swap to another international number)).
The scamming gangs are adept at attempting to obfuscate the flow of funds, with the team finding 8,338 BTC addresses – via clustering analysis – of the scammers related to the initial 170 scam deposit addresses (the average BTC cluster had 66.7 addresses in it). This large number of addresses identified in the clusters demonstrates the extensive length fraudsters go in their attempt to layer (launder) illicit funds.
Professional Scammers and Their Multiple Schemes
During the course of the investigation, Coinfirm found that some of the most prevalent schemes were directly linked – with just a few hops between identified scheme addresses – showing that the same individuals were operating both ‘Cointen’ and ‘Wealthbct’.
The image below shows the link between Cointen (yellow) and Wealthbct (orange) addresses with one address linking the two schemes directly (red). Some funds were sent to CEXs (purple).
Both of the internet domains, are of course, up for auction or redirect to a page temporarily down display.
Not every scammer is committing fraud willingly. In some cases, modern slaves are used by scamming gangs to ‘work’ victims – as the scam can be very time-intensive on the part of the scammer to develop a ‘romantic’ relationship with target(s).
A recent investigation by The Guardian (10.10.2022) – specifically noting ‘pig butchering’ scams – revealed thousands from Taiwan, Vietnam and Thailand had been tricked into slavery in Cambodia by enticing (fake) job adverts in the country, only to arrive and be forced into becoming cybercriminals on behalf of gangs.
The use of slaves perpetrating crimes on behalf of gangs is nothing new and is a phenomenon that perpetually evolves in lock-step with criminal techniques (such as the use of children in the UK’s county lines drug gangs).
Sometimes, the scammer on the other end of a WhatsApp chat is not the worst element in the equation.
Coinfirm is proud to be partnered with the Anti-Human Trafficking Intelligence Initiative’s Cryptocurrency Consortium (ATCC).