Crypto Scam Kits Power “As-a-Service” Fraud

Sophos, a leading cybersecurity company, has unveiled the tactics of sha zhu pan scammers, who specialize in complex romance-based cryptocurrency fraud. These scammers are now adopting a business model akin to “cybercrime-as-a-service” by selling sha zhu pan kits on the dark web, allowing them to expand their operations globally.

The article, titled “Cryptocurrency Scams Metastasize into New Forms,” sheds light on the sophisticated operations of these scammers, originally from organized crime circles in China. These kits, named after a specific pig butchering scheme called “DeFi savings,” provide the necessary tools for conducting fraudulent activities.

The scammers portray DeFi savings scams as passive investment opportunities similar to traditional money market accounts, often targeting individuals unfamiliar with cryptocurrencies. Victims are lured into connecting their crypto wallets to what appears to be a legitimate brokerage account, promising substantial returns on their investments. However, in reality, they unknowingly contribute their funds to a fraudulent cryptocurrency trading pool, which the scammers promptly drain.

According to Sean Gallagher, a principal threat researcher at Sophos, the evolution of these scams parallels the development of other cybercrimes like ransomware, with the emergence of an as-a-service model. This evolution has led to the proliferation of pig butchering rings worldwide, facilitated by the availability of ready-made DeFi app kits on the dark web. As a result, new criminal groups unrelated to Chinese organized crime are emerging in regions such as Thailand, West Africa, and the United States.

Sophos X-Ops has been monitoring the evolution of pig butchering schemes for two years. Initially known as “CryptoRom” scams, these schemes targeted individuals through dating apps and fraudulent crypto trading applications. Over time, scammers refined their methods, infiltrating legitimate app stores and introducing new scam patterns like fake cryptocurrency trading pools.

In recent investigations, Sophos X-Ops observed a significant advancement in pig butchering operations, with scammers eliminating previous technological hurdles and reducing the level of social engineering required to defraud victims. Victims now engage in fraudulent crypto trading through trusted cryptocurrency apps, unwittingly granting scammers access to their wallets. Moreover, scammers can obscure the network used to launder stolen crypto, making it challenging for law enforcement to track.

Gallagher emphasizes the importance of awareness to combat these scams, as they have become more sophisticated and deceptive. With victims increasingly falling prey to pig butchering schemes, it is crucial for individuals to recognize the signs of such scams and remain vigilant.

Tips to Avoid Falling Prey to Pig Butchering

To avoid falling victim to a pig butchering scam, Sophos recommends the following:

  • Be skeptical of strangers that reach out via social networking sites like Facebook or texts, especially if they want to quickly move the conversation to a private messenger like WhatsApp
    • This also applies for new matches on dating applications—especially if the stranger begins talking about trading in crypto
  • Always be weary of any “get rich quick” scheme or cryptocurrency investment opportunity that promises large returns in a short amount of time
  • Be familiar with the lures and tactics of romance scams and investment scams. Non-profits like the Cybercrime Support Network have resources that can help
  • Anyone who believes they have fallen victim to a pig butchering scam should immediately withdraw any funds from any affected wallet and contact law enforcement

Timeline of Sophos’ Two-Year Investigation into Pig Butchering



  • Sophos X-Ops discovers more fake apps from CryptoRom scams, as well as a new workaround scammers are using so that victims can successfully download the fake apps on their iOS devices
  • A new type of pig butchering scam emerges: liquidity mining


  • Sophos X-Ops uncovers the first fake apps for CryptoRom schemes found in the Apple App Store as scammers find ways to bypass the app store review process
  • Sophos X-Ops uncovers two vast pig butchering rings operating out of Hong Kong and Cambodia. Rather than using fake apps, these scammers are now exploiting legitimate crypto trading applications, as well as building elaborate personas to hook their victims
  • Sophos X-Ops finds more fake apps—and learns that pig butcherers are now adding generative AI to their toolkit
  • The story of a man who lost $22,000 in a week to a pig butchering scheme leads Sophos X-Ops to a vast liquidity mining scam operation being run by three different Chinese organized crime rings


  • Sophos X-Ops uncovers the most technically sophisticated pig butchering scheme yet—“DeFi savings” scams. These schemes and other crypto-based scam operations are for sale as kits, leading to pig butchering rings popping up in new areas of the world

For more about the current DeFi savings schemes and the evolution of pig butchering in “Cryptocurrency Scams Metastasize into New Forms” go to

Related Posts