The Pig Butchers

Pig Butchering is when scammers fatten up a pig before sending it off for slaughter. But the scammers aren't fattening a pig, they're fattening their pockets.

The Pig Butchers
Unauthorized Love Demonstration by Dmitry Mel

What do a woman in Indiana, a woman in California, a woman in Australia, and a man in Kentucky all have in common? They've all fallen victim to the same cryptocurrency scammer and had their drivers licenses and / or money stolen. Stick around as I dive into the specifics of how one person I had the chance to speak to was victimized by this scam, at the end of the post.

The scam I'm about to dive into is often referred to as a variant of a "Pig Butchering" scam. Namely, for the concept of fattening up a pig before sending them off for slaughter. In this case however, the scammers aren't fattening a pig, they're fattening their pockets. These scams take a few different forms, however I have seen this exact implementation so often that I believe it's becoming increasingly prevalent and decided to dive in to it.

The Pretext

I had previously written about these briefly but I wanted to take a moment to re-examine what these sites look like and how they operate. While working to examine a site that was possibly targeting my company, I confirmed much like many before it, that if you create an account on the site you get access to what looks like a cryptocurrency trading platform.

Unrealistic return promises featured on a fraudulent page.

Often these sites claim to offer you substantially large returns in relatively short periods of time. For longstanding cryptocurrency holders, the current market certainly does not seem to back this claim. For the average end user however, this can be quite compelling.

Example investment plans on a fraudulent site.

The Scam

The design of these sites can vary. I have seen very low quality sites, high quality sites, and even sites that cloned legitimate sites and changed the branding to their own. They usually look like they've had enough work to seem semi-legitimate to the untrained eye.

A banner showing appealing incentives on a fraudulent site.

A person who's found their way to this site, usually by referral of fake social media accounts ran by the scammers (more on that later), is asked to create an account as the first step and make an investment. The sites look rather unassuming on the front end, but it's after you create an account that you get to see where the real scam happens.

A real registration page on a fraudulent site.

So you go to create an account on the site. One thing common of these, though not always the case, is links to things like the Terms of Use and Privacy Policy do not work. When you click these you're directed to a "404 - Page Not Found". In other cases, I've seen these links work, but when you go to read them its clearly copy and pasted from another scam or site and uses entirely different branding or naming for who the documents belong to. In this case however, they just don't work. Bad sign.

A real ID upload form from a fraudulent site.

When you first login, you're prompted to upload a picture of the front and back of your government issued ID. It is worth noting that for some this is a red flag, for others its common place. Most cryptocurrency exchanges, at least in the US, require verification for tax purposes. Unfortunately however, as these are scammers and not professionals, when a victim uploads their ID pictures here, it ends up in an unprotected "Uploads" directory. Anyone who knows how to find it can view it, along with the pictures of all of their IDs.

A directory of uploaded ID pictures from victims utilizing a fraudulent site.

So your ID is now uploaded, you're "verified" and you want to start making that sweet money! We have a fancy looking trading dashboard filled with widgets displaying legitimate information from sites like TradingView and what would be our balance if we had deposited money. At this point there's money to be made and we need to deposit some money.

A fake trading platform for registered users on a fraudulent site.

So I head over to the deposit screen and on this particular scam's template they have two options for making deposits, Bitcoin or Bank Transfer. On virtually all of the scams you'll encounter that have a fake trading platform like this, bitcoin will be a primary option. This site did offer a really interesting alternative of bank transfer. It was interesting in particular because they outlined the full account details to send to at Bank of America. By the way, I'm coming for you "Money Mule Justin*" (*™ pending).

Bank details to deposit money via bank transfer on a fraudulent site.

At this point, this was the extent of information I could typically gather about any single site without depositing money. Considering I had access to the ID's uploaded by people who had utilized the site, I decided to try and contact one of them to get more information and inform them of the scam which it turns out was still in progress. She ended up being an invaluable resource and providing me a lot of additional information on what happens to these people after they've been victimized. Lets examine some red flags I've noticed across these sites briefly and then hear her story.

Red Flags

Now I will not go so far as to say that any of these things necessarily guarantee a fraudulent site. However there are many common themes that replay again and again that I'd like to make specific mention of to help people more easily recognize these scams if they can take 5-10 minutes to pause and double check some things.

A majority, and I mean a far majority of the sites I've come across using this model, all seem to have a "Google Translate" bar somewhere near the top of the page to quickly switch languages for visitors. This is not a common feature on most sites, at least not in the way these scammers implement it.

Google translate bar featured at the top of a fraudulent site.

The majority of sites I have observed utilizing this scam method also commonly have a "Live Chat" widget somewhere on the page that quickly pesters you letting you know someone is available to help you as you navigate the site. Most often, both the Google Translate bar and Live Chat icon are present.

Next we can take a look at contact information which is usually located somewhere at the bottom of the page or on a "Contact" page somewhere in the sites navigation. Many of these websites stand up the same site under multiple domains and names to defraud customers en masse. If one site doesn't work, perhaps the next will. So lets take the phone number of this site in particular and throw it into Google.

Multiple fraudulent sites related to finance using the same contact information.

There's more than three websites that return with this phone number but I decided to just include a few for brevity. Three different websites, same contact information. If you're wondering what you'd see if you clicked on any of those sites, it's the same exact webpage down to the letter. Only the name has been changed for each. These scammers are running quite the operation.

Another thing to check for is naturally if the links on the page work. Are there social media links on it? Do they work? Do the links to Privacy Policy and Terms of Use work? If these are broken, this can be a substantial indicator. Even if the site is not malicious, you should never register and agree to terms of service or a privacy policy you haven't at least been provided. We all know you don't read them but at least check if they exist.

I'd like to amend the popular phrase, "If it seems too good to be true, it probably is" to now read "If it seems too good to be true on the internet, it most certainly is."

Lastly, and again this isn't an inherent indicator but can be, always take some time to read through the site. Are there common spelling errors? Is the wording a bit broken or extremely generic? Are they making promises of financial returns that seem too good to be true? I'd like to amend the popular phrase, "If it seems too good to be true, it probably is" to now read "If it seems too good to be true on the internet, it most certainly is."

A Victim's Story

The moment we've all been waiting for while holding steadfast through this post (thank you by the way). I'd like to take you along for the journey of one woman who was victimized by this very scam I was examining. After finding her drivers license among those in the folder I mentioned earlier, I did a little Googling and reached out to her via phone call (we'll talk about the prevalence of people's contact information online in another post). This is her story.

Imagine if you will, you're spending your daily social media time scrolling new posts in your Facebook group with other likeminded women all joined together on the idea of financial independence. Certainly a group like this is no stranger to seeing new faces joining of other women who are or hope to be financially independent.

Well one day, a particularly malicious "woman" shows up. She begins advertising her successful investing endeavors and wants to help other women as well. Coupled with photos of her enjoying the material luxuries she's gained from her success, she begins reaching out to others in the group offering to help them as well. They are then added to a group message run by the scammers with them and all the victims. The ask: Sign up, I'll do your trading for you, you keep 80% of the profits and I'll keep 20% so I can trade in higher volumes. The buy in? Minimum $1000 USD, up to a VIP tier where you can invest $100,000 and make exponentially more daily on your investment.

As the perpetrator continues bragging, other accounts in the group also affirm her claims and share their own pictures of the things they've bought as well. It seems this group has an infestation of what we call "sock puppets", fake online profiles controlled by malicious actors who are most certainly not the people they propose to be on the account.

Our Victim begins having a conversation with the scammer. Eventually, she's sent to a site where she uploads her ID (which is how I found her) and deposits $1,000. Unbeknownst to her, she has just transferred a thousand dollars directly into the pockets of her attackers. In my previous shorter post on this topic, I talked about why these scams are potentially dangerous as they provide an element of concealment to the theft and allow the attack to be prolonged. I could only speculate before, but the Victim confirmed my suspicions when she described what followed.

After her deposit, despite her money being gone, the fake trading platform showed her balance and began to simulate accruing money. Every time she checked it, she had a higher balance. Gaining $600 one day, $800 another day, and so on. Ultimately by the time we had spoken, her "balance" of her initial $1000 investment was showing as over $6000 in a matter of a week.

Thankfully we had gotten in touch when we did, because the attack was still ongoing and the pressures from the "investor" were beginning to mount. After all, why stop at $1000 when you've already succeeded once? Her story continues.

The scammer began pressuring her to invest more to join the VIP tier and greatly increase her profits. The scammer insisted she invest $100,000 now that she had seen the success of her smaller deposit. When the victim responded with hesitancy, the scammer reassured her that she could just "borrow" it (i.e. take out a loan).

Another piece of the puzzle I could only speculate about that she was able to help me confirm is that naturally I knew she would never be able to withdraw her money. But I was unaware of how they would explain it away. It turns out in this particular situation, this scammer (or scammers) was so consumed by their scheme and how to milk people for money, that they actually charge a fee to initiate a withdrawal of your money. The amount of this fee was .005 BTC (Bitcoin). So not only would this withdrawal fail as the scammers realize their plot is about to unravel, but they found one final way to rob their victims who do attempt to get their money before realizing it will not happen. You and any potential victim reading this should know, that money will not come back to you. They flat out ignore you, give you excuses from customer service, or even go so far as to forge fake legal notices to your email letting you know the withdrawal activity is suspicious and is being investigated.

Scammer activity is still pervasive in this Facebook group and pushing traffic to this site and others I've identified (which are in queue for takedown as I write this). The Victim has been feeding me intel of the multiple Facebook profiles involved as well as communications she's observed of impending victims which I'm working diligently to contact and help prevent further loss while I try and dismantle this.

An Unexpected Second Victim

Shortly after I begin collaborating with the initial Victim, I received a call from a former coworker. Same exact day, different scammer, same playbook. She was convinced her mother-in-law was being scammed. As she began describing to me what was going on, it sounded so familiar it almost seemed as if they all just operate out of the same script. There were some differences however.

This Victim finds herself in some kind of chat room (unsure of origin or platform), where she's approached by a charming young man. The group is reported to be centered on learning more about cryptocurrency. I'd like to suggest it be renamed something more accurate like "Learn about cryptocurrency, with the worst possible first experience." But I digress.

The man makes many of the same claims, let me invest for you, get big returns, here's a website, blah blah. All the things we're familiar with. There were some differences on this scam however. The website was Chinese in nature, with some portions in English and others in Chinese. They told people to install an "app" which in reality was a mobile site designed to look and operate like a mobile app on the phone. The site had "tiers" of investing, again with the more you invest the higher your returns will be.

The Victim in this case however was disarmed well by the casual nature of the man who approached her and the fact that he was not soliciting money but utilizing an "app". Unfortunately, the reason these campaigns are so prevalent and continue to pop up daily is they work. The Victim here transferred $50,000 in ETH to a wallet on the "app". Money she took out against her house. This is how evil these people truly are. While they deceive and steal, people are losing substantial portions of their assets and for some, will never recover for a long time if at all.

The withdrawal option on this "app" is no option at all but sends you to "Customer Support" where you essentially have to chat with the scammers to withdraw your money. A withdraw that will ultimately never occur. In this case, they claimed the account was flagged for financial crime investigation or fraud. They went so far as to send her a fake email from a Gmail account mentioning money laundering and then solicited MORE money, 30% more to "verify" it. These people are relentless and unforgiving.

A real email received from a crypto scam victim.

Final Thoughts

In the time it took me to pull all of this together, I spoke to another potential victim, a young mother in her 30's. She was in the middle of being scammed and we were able to prevent that. She noted that the conversation with the people on the Facebook chat seemed so casual and unsuspicious. She was unaware of what was waiting for her.

While some of us may be more aware or trained in spotting elements of this, the reality is lots of people still are not able to spot scams like this. We can't blame people who fall victim to these things, nor would it help to do so when they've actually lost money to these people. All we can do is continue to inform and educate. Bring the fight to the bad guys, keep taking down their new sites and accounts, and make their lives as hellish as they have for their victims.