After a Two-Year Investigation, Sophos X-Ops Discovers Unprecedented Sophistication in Scams That Trick Victims into Fake Investments

OXFORD, U.K. — 2月 2, 2024 —

Sophos, a global leader in innovating and delivering cybersecurity as a service, today revealed howsha zhu pan scammers—those conducting elaborate, romance-based cryptocurrency fraud—are leveraging a business model similar to cybercrime “as-a-service" by selling sha zhu pan kits on the dark web, globally expanding to new markets. Sophos details these advanced sha zhu pan operations (also known as pig butchering) in the article, “Cryptocurrency Scams Metastasize into New Forms.” Originating from organized crime gangs in China, the new kits provide the technical components needed to implement a specific pig butchering scheme called “DeFi savings.”

Criminals position DeFi savings scams as passive investment opportunities that are similar to money market accounts, often times to people who have no understanding of crypto. Victims only need to connect their crypto wallet to a “brokerage account,” with the expectation that they will earn significant interest from their investment. In reality,victims are adding their crypto wallets to a fraudulent cryptocurrency trading pool, which the fraudsters then empty.

“When pig butcheringfirst appeared during the time of the COVID pandemic, the technical aspects of the scams were still relatively primitive and required a lot of effort and guidance to successfully scam victims. Now, as the scams have become more successful and the fraudsters have refined their techniques, we’re seeing a similar evolution to what we’ve seen withransomware andother types of cybercrime in the past: the creation of an as-a-service model. Pig butchering rings are creating ready-made DeFi app kits, which other cybercriminals can purchase on the dark web. As a result, new pig butchering rings that are unaffiliated with Chinese organized crime groups are appearing in areas like Thailand, West Africa and even the U.S.

“As with other types of commercialized cybercrime, these kits lower the entry barriers for cybercriminals interested in pig butchering and vastly expand the victim pool. Last year, pig butchering was already amulti-billion-dollar fraud phenomenon; sadly, the problem is likely only to grow exponentially this year,” said Sean Gallagher, principal threat researcher, Sophos.

Sophos X-Ops has been tracking the evolution of pig butchering schemes for two years. The earliest iterations—dubbed by Sophos as“CryptoRom” scams—involved connecting with potential victims on dating apps and then convincing them to download fraudulent crypto trading applications from third-party sources. ForiOS users, these scams required victims to download an elaborate workaround that allowed scammers to bypass security on victims’ devices and gain access to their wallets.

In 2022, the scammers continued to refine their operations, this time finding ways tobypass app store review processes to sneak their fraudulent apps into the legitimate App Store and Google Play Store. This was also the year that a new scam pattern emerged:fake cryptocurrency trading pools (liquidity mining).

In 2023, Sophos X-Ops uncovered two vast pig butchering rings—one based out ofHong Kong and one based out ofCambodia. These rings leveraged legitimate crypto trading apps and created elaborate fake personas to lure victims and steal millions from them. Further investigation revealed that pig butchering operators wereadding AI to their arsenal.

At the end of 2023, Sophos X-Ops uncovered a vastliquidity mining operationinvolving three separate Chinese organized crime rings targeting nearly 100 victims. During the investigation into this operation, Sophos X-Ops first noticed the availability of pig butchering scam kits.

In the most recent pig butchering operations that Sophos X-Ops has investigated, the fraudsters have removed any previous technological impediments, as well as significantly lowered the amount of social engineering required to steal from victims. In the DeFi savings schemes, victims now engage in fraudulent crypto trading through legitimate, well-known cryptocurrency apps and give (albeit unknowingly) the scammers direct access to their wallets. In addition, the scammers can conceal the wallet network that launders stolen crypto, making the scams harder for law enforcement to track.

“The DeFi savings scams are the culmination of two years of pig butcherers refining their operations. Gone are the days when the scammers had to convince victims to download some strange app or transfer the crypto themselves into a soon-to-be-stolen digital wallet.

“The fraudsters have also learned how to better ‘market’ their schemes. They’re taking advantage of how liquidity mining pools operate to steal the funds by telling victims it’s a simple investment account. This is often an easier sell, especially since most people don’t understand the ins and outs of cryptocurrency trading and everything is done under the guise of trusted brands.

“In other words, it’s never been easier for people to fall victim to pig butchering, which means it’s never been more important to be aware that these scams exist—and know what to look out for,” said Gallagher.

Tips to Avoid Falling Prey to Pig Butchering

To avoid falling victim to a pig butchering scam, Sophos recommends the following:

  • Be skeptical of strangers that reach out via social networking sites like Facebook or texts, especially if they want to quickly move the conversation to a private messenger like WhatsApp
    • This also applies for new matches on dating applications—especially if the stranger begins talking about trading in crypto
  • Always be weary of any “get rich quick” scheme or cryptocurrency investment opportunity that promises large returns in a short amount of time
  • Be familiar with the lures and tactics ofromance scams andinvestment scams. Non-profits like theCybercrime Support Network have resources that can help
  • Anyone who believes they have fallen victim to a pig butchering scam should immediately withdraw any funds from any affected wallet and contact law enforcement

Timeline of Sophos’ Two-Year Investigation into Pig Butchering



  • Sophos X-Ops discoversmore fake apps from CryptoRom scams, as well as a new workaround scammers are using so that victims can successfully download the fake apps on their iOS devices
  • A new type of pig butchering scam emerges:liquidity mining


  • Sophos X-Ops uncoversthe first fake apps for CryptoRom schemes found in the Apple App Store as scammers find ways to bypass the app store review process
  • Sophos X-Ops uncovers two vast pig butchering rings operating out ofHong Kong andCambodia. Rather than using fake apps, these scammers are now exploiting legitimate crypto trading applications, as well as building elaborate personas to hook their victims
  • Sophos X-Ops finds more fake apps—and learns that pig butcherers are now addinggenerative AI to their toolkit
  • Thestory of a man who lost $22,000 in a week to a pig butchering scheme leads Sophos X-Ops to a vastliquidity mining scam operation being run by three different Chinese organized crime rings


  • Sophos X-Ops uncovers the most technically sophisticated pig butchering scheme yet—“DeFi savings” scams. These schemes and other crypto-based scam operations are for sale as kits, leading to pig butchering rings popping up in new areas of the world

For more about the current DeFi savings schemes and the evolution of pig butchering in “Cryptocurrency Scams Metastasize into New Forms”go to


ソフォスは、MDR (Managed Detection and Response) サービス、インシデント対応サービス、およびエンドポイント、ネットワーク、メール、クラウド セキュリティ テクノロジーの幅広いポートフォリオなど、サイバー攻撃を阻止する高度なセキュリティソリューションを提供する世界的なリーダーであり、革新的な企業です。ソフォスは、最大手のサイバーセキュリティ専門プロバイダーの 1つであり、全世界で 60万以上の組織と 1億人以上のユーザーを、アクティブな攻撃者、ランサムウェア、フィッシング、マルウェアなどから保護しています。ソフォスのサービスと製品は、Sophos Central 管理コンソールを介して接続され、企業のクロスドメイン脅威インテリジェンスユニットである Sophos X-Ops を利用しています。Sophos X-Ops のインテリジェンスは、Sophos ACE (Adaptive Cybersecurity Ecosystem) 全体を最適化します。このエコシステムには、お客様、パートナー、開発者、その他のサイバーセキュリティおよび情報技術ベンダーが利用できる豊富なオープン API セットを活用する一元化されたデータレイクが含まれます。ソフォスは、フルマネージド型のソリューションを必要とする組織に、Cyber​​security-as-a-Service を提供します。お客様は、ソフォスのセキュリティ運用プラットフォームを使用してサイバーセキュリティを直接管理することも、脅威ハンティングや修復などソフォスのサービスを使用して社内チームを補完するハイブリッドアプローチを採用することもできます。ソフォスは、リセラーパートナー、MSP (マネージド サービス プロバイダ) を通じて販売しています。ソフォス本社は英国オックスフォードにあります。詳細については をご覧ください。