Pig butchering scammers use fake cryptocurrency trading pools

Sophos has released findings on a major shā zhū pán (pig butchering) operation using fake trading pools of cryptocurrency – also known as liquidity pools – to steal more than $1-million.

The report, “Latest Evolution of ‘Pig Butchering’ Scam Lures Victim in Fake Mining Scheme”, details the story of one of the scammed victims, and how he lost $22 000 in one week after “someone” pretending to be a romantic interest on a dating app contacted him.

After Sophos X-Ops investigated the story, the team uncovered a total of 14 domains associated with the scam operation, as well as dozens of nearly identical fraud sites that, together, netted this one “ring” of pig butcherers more than $1-million in three months.

The scam takes advantage of the largely unregulated world of decentralized finance (DeFI) cryptocurrency trading applications. Such applications create “liquidity pools” of various types of cryptocurrencies that users can then access to make trades from one cryptocurrency to another.

Those who participate in the pool receive a percentage of any fee paid when a trade is made, creating an enticing return on investment.

To join a pool, participants first have to sign an online smart contract – a contract that gives another account (typically the operators of the pool) permission to access participants’ wallets to facilitate trades.

Fake pools, which pig butcherers are increasingly utilising to siphon funds from targets, operate in much the same way. However, unlike legitimate pools, at some point these scammers “pull the rug” and empty the entire liquidity pool for themselves.

“When we first discovered these fake liquidity pools, it was rather primitive and still developing,” says Sean Gallagher, principal threat researcher at Sophos. “Now, we’re seeing sha zhu pan scammers taking this particular brand of cryptocurrency fraud and seamlessly integrating it into their existing set of tactics, such as luring targets over dating apps.

“Very few understand how legitimate cryptocurrency trading works, so it’s easy for these scammers to con their targets. There are even toolkits now for this sort of scam, making it simple for different pig butchering operations to add this type of crypto fraud to their arsenal.

“Last year Sophos tracked dozens of these fraudulent ‘liquidity pool’ sites, now we’re seeing more than 500,” Gallagher adds.

Sophos X-Ops first learned of this liquidity mining operation from a victim known as Frank, who connected on the dating app MeetMe with a scammer hiding behind the persona of Vivian, a German woman supposedly living in Washington, DC for work. For weeks, Frank chatted with Vivian, who mixed her romantic promises with persistent attempts to convince Frank to invest in crypto.

Eventually, Frank opened a Trust Wallet account (a legitimate app for converting dollars to cryptocurrency) and connected to the link to the liquidity pool site Vivian recommended. In reality, the pool site was a fraud site utilising the brand of Allnodes, an established decentralized finance platform provider, as a cover.

Between 31 May and 5 June, Frank invested $22 000 in the scheme. Just three days later, the scammers emptied Frank’s digital wallet. Frank, looking to recover his money, turned to Vivan, who claimed he needed to invest even more in the pool to recover his funds and reap the “rewards”.

While waiting for his bank to authorise a money transfer to Coinbase, Frank started researching what was going on and came across an article on liquidity mining from Sophos. At this point, Frank reached out to Gallagher for help.

Even after Gallagher instructed Frank to block Vivian, she eventually found him on Telegram and continued her attempts to entice him into “continuing their investment”, going so far as to send a lengthy, emotional letter that was very likely created by a generative AI app.

“What makes these sorts of scams particularly tricky is that they don’t require any malware to be installed on a victim’s device,” Gallagher explains. “They don’t even involve a fake app, like some of those we’ve encountered in other CryptoRom scams. This entire fake liquidity pool was run through the legitimate Trust Wallet app.

“At one point, Frank even tried to contact Trust Wallet’s support to recover his money, but he connected with a fake support contact from the fraudulent liquidity pool site. There is no regulation of these pools, legitimate or otherwise, on these crypto apps. These scams succeed solely through social engineering, and the scammers are persistent. Vivian continued trying to contact Frank for weeks after he blocked her on WhatsApp.

“The only way to stay safe from these scams is to be vigilant and know that they exist and how they operate. That is why Frank wanted to share his story. Users need be wary of anyone they have no connection with reaching out to them suddenly via any dating app or social media platform, particularly if the ‘person’ reaching out wants to move the conversation to a platform like WhatsApp and then discusses investing in cryptocurrency,” Gallagher adds.