Criminals Leverage “As-a-Service" Business Model with Sha Zhu Pan Kits, Globally Expanding Cryptocurrency Fraud

Sophos, a global leader in innovating and delivering cybersecurity as a service, today revealed howsha zhu pan scammers—those conducting elaborate, romance-based cryptocurrency fraud—are leveraging a business model similar to cybercrime “as-a-service" by selling sha zhu pan kits on the dark web, globally expanding to new markets. Sophos details these advanced sha zhu pan operations (also known as pig butchering) in the article, “Cryptocurrency Scams Metastasize into New Forms.” Originating from organized crime gangs in China, the new kits provide the technical components needed to implement a specific pig butchering scheme called “DeFi savings.”

Criminals position DeFi savings scams as passive investment opportunities that are similar to money market accounts, often times to people who have no understanding of crypto. Victims only need to connect their crypto wallet to a “brokerage account,” with the expectation that they will earn significant interest from their investment. In reality,victims are adding their crypto wallets to a fraudulent cryptocurrency trading pool, which the fraudsters then empty.

“When pig butcheringfirst appeared during the time of the COVID pandemic, the technical aspects of the scams were still relatively primitive and required a lot of effort and guidance to successfully scam victims. Now, as the scams have become more successful and the fraudsters have refined their techniques, we’re seeing a similar evolution to what we’ve seen withransomware andother types of cybercrime in the past: the creation of an as-a-service model. Pig butchering rings are creating ready-made DeFi app kits, which other cybercriminals can purchase on the dark web. As a result, new pig butchering rings that are unaffiliated with Chinese organized crime groups are appearing in areas like Thailand, West Africa and even the U.S.

“As with other types of commercialized cybercrime, these kits lower the entry barriers for cybercriminals interested in pig butchering and vastly expand the victim pool. Last year, pig butchering was already amulti-billion-dollar fraud phenomenon; sadly, the problem is likely only to grow exponentially this year,” said Sean Gallagher, principal threat researcher, Sophos.

Sophos X-Ops has been tracking the evolution of pig butchering schemes for two years. The earliest iterations—dubbed by Sophos as“CryptoRom” scams—involved connecting with potential victims on dating apps and then convincing them to download fraudulent crypto trading applications from third-party sources. ForiOS users, these scams required victims to download an elaborate workaround that allowed scammers to bypass security on victims’ devices and gain access to their wallets.

In 2022, the scammers continued to refine their operations, this time finding ways tobypass app store review processes to sneak their fraudulent apps into the legitimate App Store and Google Play Store. This was also the year that a new scam pattern emerged:fake cryptocurrency trading pools (liquidity mining).

In 2023, Sophos X-Ops uncovered two vast pig butchering rings—one based out ofHong Kong and one based out ofCambodia. These rings leveraged legitimate crypto trading apps and created elaborate fake personas to lure victims and steal millions from them. Further investigation revealed that pig butchering operators wereadding AI to their arsenal.

At the end of 2023, Sophos X-Ops uncovered a vastliquidity mining operationinvolving three separate Chinese organized crime rings targeting nearly 100 victims. During the investigation into this operation, Sophos X-Ops first noticed the availability of pig butchering scam kits.

In the most recent pig butchering operations that Sophos X-Ops has investigated, the fraudsters have removed any previous technological impediments, as well as significantly lowered the amount of social engineering required to steal from victims. In the DeFi savings schemes, victims now engage in fraudulent crypto trading through legitimate, well-known cryptocurrency apps and give (albeit unknowingly) the scammers direct access to their wallets. In addition, the scammers can conceal the wallet network that launders stolen crypto, making the scams harder for law enforcement to track.

“The DeFi savings scams are the culmination of two years of pig butcherers refining their operations. Gone are the days when the scammers had to convince victims to download some strange app or transfer the crypto themselves into a soon-to-be-stolen digital wallet.

“The fraudsters have also learned how to better ‘market’ their schemes. They’re taking advantage of how liquidity mining pools operate to steal the funds by telling victims it’s a simple investment account. This is often an easier sell, especially since most people don’t understand the ins and outs of cryptocurrency trading and everything is done under the guise of trusted brands.

“In other words, it’s never been easier for people to fall victim to pig butchering, which means it’s never been more important to be aware that these scams exist—and know what to look out for,” said Gallagher.

Tips to Avoid Falling Prey to Pig Butchering

To avoid falling victim to a pig butchering scam, Sophos recommends the following:

• Be skeptical of strangers that reach out via social networking sites like Facebook or texts, especially if they want to quickly move the conversation to a private messenger like WhatsApp
  • This also applies for new matches on dating applications—especially if the stranger begins talking about trading in crypto
• Always be weary of any “get rich quick” scheme or cryptocurrency investment opportunity that promises large returns in a short amount of time
• Be familiar with the lures and tactics ofromance scams andinvestment scams. Non-profits like theCybercrime Support Network have resources that can help
• Anyone who believes they have fallen victim to a pig butchering scam should immediately withdraw any funds from any affected wallet and contact law enforcement

Timeline of Sophos’ Two-Year Investigation into Pig Butchering

2021

• Sophos X-Ops spots the first“CryptoRom” fake trading apps targeting users in Asia
• Sophos X-Ops then discovers these scammersexpanding their operations, targeting victims in the U.S. and Europe

2022

• Sophos X-Ops discoversmore fake apps from CryptoRom scams, as well as a new workaround scammers are using so that victims can successfully download the fake apps on their iOS devices
• A new type of pig butchering scam emerges:liquidity mining

2023

• Sophos X-Ops uncoversthe first fake apps for CryptoRom schemes found in the Apple App Store as scammers find ways to bypass the app store review process
• Sophos X-Ops uncovers two vast pig butchering rings operating out ofHong Kong andCambodia. Rather than using fake apps, these scammers are now exploiting legitimate crypto trading applications, as well as building elaborate personas to hook their victims
• Sophos X-Ops finds more fake apps—and learns that pig butcherers are now addinggenerative AI to their toolkit
• Thestory of a man who lost $22,000 in a week to a pig butchering scheme leads Sophos X-Ops to a vastliquidity mining scam operation being run by three different Chinese organized crime rings

2024

• Sophos X-Ops uncovers the most technically sophisticated pig butchering scheme yet—“DeFi savings” scams. These schemes and other crypto-based scam operations are for sale as kits, leading to pig butchering rings popping up in new areas of the world

For more about the current DeFi savings schemes and the evolution of pig butchering in “Cryptocurrency Scams Metastasize into New Forms”go to Sophos.com.