Sophos uncovers new crypto-based fraud scheme

Sophos, a leading cybersecurity company, has recently uncovered a new form of cryptocurrency fraud called sha zhu pan, which is being used by scammers to conduct elaborate romance-based fraud schemes. These fraudsters are using a business model similar to cybercrime “as-a-service” by selling sha zhu pan kits on the dark web, which are globally expanding to new markets. Sophos has detailed these advanced sha zhu pan operations, also known as pig butchering, in their article titled “Cryptocurrency Scams Metastasize into New Forms.”

The new kits provide the technical components needed to implement a specific pig butchering scheme called “DeFi savings.” Criminals position DeFi savings scams as passive investment opportunities that are similar to money market accounts, often targeting people who have no understanding of crypto. Victims only need to connect their crypto wallet to a “brokerage account,” with the expectation that they will earn significant interest from their investment. In reality, victims are adding their crypto wallets to a fraudulent cryptocurrency trading pool, which the fraudsters then empty.

Sophos has been tracking the evolution of pig butchering schemes for two years. The earliest iterations involved connecting with potential victims on dating apps and then convincing them to download fraudulent crypto trading applications from third-party sources. In 2022, the scammers continued to refine their operations, this time finding ways to bypass app store review processes to sneak their fraudulent apps into the legitimate App Store and Google Play Store. This was also the year that a new scam pattern emerged: fake cryptocurrency trading pools (liquidity mining).

In 2023, Sophos uncovered two vast pig butchering rings, one based out of Hong Kong and one based out of Cambodia. These rings leveraged legitimate crypto trading apps and created elaborate fake personas to lure victims and steal millions from them. Further investigation revealed that pig butchering operators were adding AI to their arsenal.

In the most recent pig butchering operations that Sophos has investigated, the fraudsters have removed any previous technological impediments, as well as significantly lowered the amount of social engineering required to steal from victims. In the DeFi savings schemes, victims now engage in fraudulent crypto trading through legitimate, well-known cryptocurrency apps and give (albeit unknowingly) the scammers direct access to their wallets. In addition, the scammers can conceal the wallet network that launders stolen crypto, making the scams harder for law enforcement to track.

To avoid falling victim to a pig butchering scam, Sophos recommends being skeptical of strangers that reach out via social networking sites like Facebook or texts, especially if they want to quickly move the conversation to a private messenger like WhatsApp. This also applies for new matches on dating applications, especially if the stranger begins talking about trading in crypto.

Always be wary of any “get rich quick” scheme or cryptocurrency investment opportunity that promises large returns in a short amount of time. Be familiar with the lures and tactics of romance scams and investment scams.

Non-profits like the Cybercrime Support Network have resources that can help. Anyone who believes they have fallen victim to a pig butchering scam should immediately withdraw any funds from any affected wallet and contact law enforcement.