After a Two-Year Investigation, Sophos X-Ops Discovers Unprecedented Sophistication in Scams That Trick Victims into Fake Investments

OXFORD, U.K. — 二月 2, 2024 —

Sophos, a global leader in innovating and delivering cybersecurity as a service, today revealed howsha zhu pan scammers—those conducting elaborate, romance-based cryptocurrency fraud—are leveraging a business model similar to cybercrime “as-a-service" by selling sha zhu pan kits on the dark web, globally expanding to new markets. Sophos details these advanced sha zhu pan operations (also known as pig butchering) in the article, “Cryptocurrency Scams Metastasize into New Forms.” Originating from organized crime gangs in China, the new kits provide the technical components needed to implement a specific pig butchering scheme called “DeFi savings.”

Criminals position DeFi savings scams as passive investment opportunities that are similar to money market accounts, often times to people who have no understanding of crypto. Victims only need to connect their crypto wallet to a “brokerage account,” with the expectation that they will earn significant interest from their investment. In reality,victims are adding their crypto wallets to a fraudulent cryptocurrency trading pool, which the fraudsters then empty.

“When pig butcheringfirst appeared during the time of the COVID pandemic, the technical aspects of the scams were still relatively primitive and required a lot of effort and guidance to successfully scam victims. Now, as the scams have become more successful and the fraudsters have refined their techniques, we’re seeing a similar evolution to what we’ve seen withransomware andother types of cybercrime in the past: the creation of an as-a-service model. Pig butchering rings are creating ready-made DeFi app kits, which other cybercriminals can purchase on the dark web. As a result, new pig butchering rings that are unaffiliated with Chinese organized crime groups are appearing in areas like Thailand, West Africa and even the U.S.

“As with other types of commercialized cybercrime, these kits lower the entry barriers for cybercriminals interested in pig butchering and vastly expand the victim pool. Last year, pig butchering was already amulti-billion-dollar fraud phenomenon; sadly, the problem is likely only to grow exponentially this year,” said Sean Gallagher, principal threat researcher, Sophos.

Sophos X-Ops has been tracking the evolution of pig butchering schemes for two years. The earliest iterations—dubbed by Sophos as“CryptoRom” scams—involved connecting with potential victims on dating apps and then convincing them to download fraudulent crypto trading applications from third-party sources. ForiOS users, these scams required victims to download an elaborate workaround that allowed scammers to bypass security on victims’ devices and gain access to their wallets.

In 2022, the scammers continued to refine their operations, this time finding ways tobypass app store review processes to sneak their fraudulent apps into the legitimate App Store and Google Play Store. This was also the year that a new scam pattern emerged:fake cryptocurrency trading pools (liquidity mining).

In 2023, Sophos X-Ops uncovered two vast pig butchering rings—one based out ofHong Kong and one based out ofCambodia. These rings leveraged legitimate crypto trading apps and created elaborate fake personas to lure victims and steal millions from them. Further investigation revealed that pig butchering operators wereadding AI to their arsenal.

At the end of 2023, Sophos X-Ops uncovered a vastliquidity mining operationinvolving three separate Chinese organized crime rings targeting nearly 100 victims. During the investigation into this operation, Sophos X-Ops first noticed the availability of pig butchering scam kits.

In the most recent pig butchering operations that Sophos X-Ops has investigated, the fraudsters have removed any previous technological impediments, as well as significantly lowered the amount of social engineering required to steal from victims. In the DeFi savings schemes, victims now engage in fraudulent crypto trading through legitimate, well-known cryptocurrency apps and give (albeit unknowingly) the scammers direct access to their wallets. In addition, the scammers can conceal the wallet network that launders stolen crypto, making the scams harder for law enforcement to track.

“The DeFi savings scams are the culmination of two years of pig butcherers refining their operations. Gone are the days when the scammers had to convince victims to download some strange app or transfer the crypto themselves into a soon-to-be-stolen digital wallet.

“The fraudsters have also learned how to better ‘market’ their schemes. They’re taking advantage of how liquidity mining pools operate to steal the funds by telling victims it’s a simple investment account. This is often an easier sell, especially since most people don’t understand the ins and outs of cryptocurrency trading and everything is done under the guise of trusted brands.

“In other words, it’s never been easier for people to fall victim to pig butchering, which means it’s never been more important to be aware that these scams exist—and know what to look out for,” said Gallagher.

Tips to Avoid Falling Prey to Pig Butchering

To avoid falling victim to a pig butchering scam, Sophos recommends the following:

  • Be skeptical of strangers that reach out via social networking sites like Facebook or texts, especially if they want to quickly move the conversation to a private messenger like WhatsApp
    • This also applies for new matches on dating applications—especially if the stranger begins talking about trading in crypto
  • Always be weary of any “get rich quick” scheme or cryptocurrency investment opportunity that promises large returns in a short amount of time
  • Be familiar with the lures and tactics ofromance scams andinvestment scams. Non-profits like theCybercrime Support Network have resources that can help
  • Anyone who believes they have fallen victim to a pig butchering scam should immediately withdraw any funds from any affected wallet and contact law enforcement

Timeline of Sophos’ Two-Year Investigation into Pig Butchering



  • Sophos X-Ops discoversmore fake apps from CryptoRom scams, as well as a new workaround scammers are using so that victims can successfully download the fake apps on their iOS devices
  • A new type of pig butchering scam emerges:liquidity mining


  • Sophos X-Ops uncoversthe first fake apps for CryptoRom schemes found in the Apple App Store as scammers find ways to bypass the app store review process
  • Sophos X-Ops uncovers two vast pig butchering rings operating out ofHong Kong andCambodia. Rather than using fake apps, these scammers are now exploiting legitimate crypto trading applications, as well as building elaborate personas to hook their victims
  • Sophos X-Ops finds more fake apps—and learns that pig butcherers are now addinggenerative AI to their toolkit
  • Thestory of a man who lost $22,000 in a week to a pig butchering scheme leads Sophos X-Ops to a vastliquidity mining scam operation being run by three different Chinese organized crime rings


  • Sophos X-Ops uncovers the most technically sophisticated pig butchering scheme yet—“DeFi savings” scams. These schemes and other crypto-based scam operations are for sale as kits, leading to pig butchering rings popping up in new areas of the world

For more about the current DeFi savings schemes and the evolution of pig butchering in “Cryptocurrency Scams Metastasize into New Forms”go to

关于 Sophos

Sophos 是先进网络安全解决方案的全球领导者和创新者,包括托管式侦测与响应 (MDR) 和事件响应服务,各种端点、网络、电子邮件和云安全技术,帮助企业防御网络攻击。作为最大的纯网络安全供应商之一,Sophos 帮助全球超过 500,000 家企业和超过 1 亿用户抵御主动攻击对手、勒索软件、网络钓鱼、恶意软件等。Sophos 的服务和产品通过 Sophos Central 云管理控制台连接,并得到内部跨领域威胁情报部门 Sophos X-Ops 的支持。Sophos X-Ops 情报优化整个 Sophos Adaptive Cybersecurity Ecosystem 自适应网络安全生态体系,包括一个中央数据湖,为客户、合作伙伴、开发人员和其他网络安全与信息技术供应商提供一组丰富的开放 API。Sophos 为需要全托管并即使可用的安全解决方案的企业提供网络安全即服务,客户还可以直接利用 Sophos 的安全运行平台管理其网络安全,或者采用混合方法,为内部团队补充 Sophos 服务(包括威胁追踪与修复)。Sophos 通过世界各地的经销商合作伙伴和托管服务供应商 (MSP) 销售。Sophos 总部位于英国牛津。如欲了解更多信息,请访问