Sophos, a global leader in cybersecurity, has published findings on a fraudulent operation built around “shā zhū pán” (pig butchering). The scheme used counterfeit cryptocurrency trading pools, often referred to as “liquidity pools,” to steal more than $1 million. In the report titled “Latest Evolution of ‘Pig Butchering’ Scam Lures Victim in Fake Mining Scheme,” Sophos recounts the experience of one victim, known as Frank, who lost $22,000 within a week after meeting an imposter named “Vivian” on the dating app MeetMe.
Upon launching a comprehensive investigation into Frank’s ordeal, the dedicated Sophos X-Ops team uncovered a total of 14 domains associated with the fraudulent operation. Furthermore, they identified dozens of nearly identical fraudulent websites that collectively contributed to the pig butchers’ coffers, amassing more than $1 million in a span of just three months.
This elaborate scam exploits the relatively unregulated landscape of decentralized finance (DeFi) cryptocurrency trading applications. These applications create “liquidity pools” by pooling various cryptocurrencies, allowing users to conduct transactions between different digital assets. Participants in these pools receive a portion of the transaction fees, which is presented as an enticing return on investment. To become part of a pool, participants must first sign an online smart contract that grants access to their wallets so that trades, typically managed by the pool’s operators, can be carried out. Fake pools, a tactic increasingly favored by pig butchers, operate similarly, but with a sinister twist: at some point, the scammers “pull the rug,” draining the entire liquidity pool into their own accounts.
Sean Gallagher, the principal threat researcher at Sophos, shed light on this evolving form of cryptocurrency fraud, saying, “When we first discovered these fake liquidity pools, it was rather primitive and still developing. Now, we’re seeing sha zhu pan scammers taking this particular brand of cryptocurrency fraud and seamlessly integrating it into their existing set of tactics, such as luring targets over dating apps. Very few understand how legitimate cryptocurrency trading works, so it’s easy for these scammers to con their targets. There are even toolkits now for this sort of scam, making it simple for different pig butchering operations to add this type of crypto fraud to their arsenal. While last year, Sophos tracked dozens of these fraudulent ‘liquidity pool’ sites, now we’re seeing more than 500.”
The genesis of Sophos’ involvement in this liquidity mining operation traces back to Frank, a victim who encountered the fraudulent Vivian on the dating app MeetMe. Vivian, posing as a German woman residing in Washington, D.C., skillfully blended romantic promises with relentless efforts to convince Frank to invest in cryptocurrency. Ultimately, Frank succumbed to Vivian’s persuasions, opening a Trust Wallet account – a legitimate app for converting fiat currency into cryptocurrency. He followed the link provided by Vivian, directing him to a purported liquidity pool site masquerading as Allnodes, a well-established decentralized finance platform provider. Between May 31 and June 5, Frank invested a substantial $22,000 in the fraudulent scheme, only to discover that his digital wallet had been emptied a mere three days later.
Desperate to recoup his losses, Frank turned to Vivian, who cunningly insisted that more investments were needed to unlock the promised “rewards.” During this precarious period, Frank initiated an investigation of his own, stumbling upon a Sophos article about liquidity mining. This prompted him to reach out to Sean Gallagher for assistance.
Even after Gallagher advised Frank to block Vivian, the imposter resorted to using Telegram to persistently entice Frank to continue investing. Vivian went as far as crafting an emotional letter, likely generated by an artificial intelligence application, to further manipulate Frank.
Gallagher emphasized the unique nature of these scams, noting that they do not require the installation of malware or fake applications, which are prevalent in other crypto-related scams. The entire fake liquidity pool operation took place within the legitimate Trust Wallet app. Frank even attempted to contact Trust Wallet’s support to recover his funds, but inadvertently reached a counterfeit support contact linked to the fraudulent liquidity pool site. This highlights the absence of regulation of crypto pools, legitimate and fraudulent alike, within cryptocurrency applications. These scams hinge solely on social engineering, and the scammers exhibit remarkable persistence, with Vivian relentlessly attempting to contact Frank even after he blocked her on WhatsApp.
Gallagher underscored the importance of vigilance and awareness in avoiding such scams. He stated, “The only way to stay safe from these scams is to be vigilant and know that they exist and how they operate. That is why Frank wanted to share his story. Users need to be wary of anyone they have no connection with reaching out to them suddenly via any dating app or social media platform, particularly if the ‘person’ reaching out wants to move the conversation to a platform like WhatsApp and then discusses investing in cryptocurrency.”
In a proactive move, Sophos has shared its findings with Chainalysis, Coinbase, and other threat intelligence professionals within the cryptocurrency industry, all of whom are actively investigating the matter. Victims who suspect they have fallen prey to pig butchering or liquidity mining fraud are encouraged to contact Sophos for assistance and should also consider involving their local law enforcement agencies.
In conclusion, the ingenious fusion of dating apps, cryptocurrency scams, and fraudulent liquidity pools showcases the evolving tactics employed by cybercriminals in the ever-expanding world of cryptocurrency fraud. Frank’s ordeal serves as a stark reminder of the need for vigilance and education to safeguard against such scams in an environment where regulations are often lagging behind the rapid advancements in technology and financial innovation.