Pig butchering scams have already stolen hundreds of millions of dollars. And while attackers, mainly crime syndicates in China, have developed scripts and playbooks for carrying out the attacks, new findings from researchers at the security firm Sophos show how pig butchers are tweaking and refining their strategies to try to ensnare more unsuspecting victims.
Researchers found that to stay relevant and ensnare more victims in recent months, so-called pig butchering attacks are developing both more compelling narratives to draw targets in and more sophisticated tech to convince victims that there’s big money to be made. Even before these refinements, the scams were big business. The FBI’s Internet Crime Complaint Center received more than 4,300 submissions related to pig butchering scams in 2021, totaling more than $429 million in losses.
Sean Gallagher, the senior threat researcher at Sophos who led the investigation, followed two scam campaigns that had targeted him on personal accounts and devices. Beginning in October, he engaged with the scammers on Twitter DM and SMS text messaging to see where the rabbit hole would take him.
“What was interesting was that, when I played them out, one was more ingenious on the technical side, and the other was more advanced on the social engineering side, but both seem to be having success,” he says. “Trying to deal with all of this is a big game of Whac-A-Mole.”
The first scam Gallagher studied began with a Twitter DM that simply said “Hallo.” He didn’t respond until almost a month later, but once he responded with “Hello, sorry it has taken me so long to respond” the swindle was off and running. The attacker persona claimed to be a 40-year-old woman in Hong Kong, and the two began chatting.
Gallagher told the persona explicitly that he is a cybersecurity researcher who investigates scams. “So you’re a cop?” the persona replied. When Gallagher said he wasn’t, the conversation moved on. “Do you know the spot market of gold?” the persona asked. “The London gold spot market is a reliable platform. … I’m using this to make money.”
The social engineering, the conversational manipulation meant to build rapport and draw the target in, was relatively weak for a pig butchering scam, Gallagher says. The interactions were stilted, and even when the persona did things like sending flirty photos, the timing was always awkward and abrupt. At one point Gallagher told the actor that it was suspicious to bring up gold investments so early after first starting to talk to someone. “Haha, yes. Because I need to let you know what I am doing,” the persona replied.
Gallagher was surprised to find, though, that the scam’s tech was much more compelling. Pig butchering scams are known for using sleek, legitimate-looking financial applications and dashboards to put victims at ease and build trust while they are considering whether to put money into the scheme. Scammers are ultimately hoping to bleed targets dry, convincing them to transfer all their savings, any loans they can take out, and any money they can borrow from friends and relatives. Compelling tech that includes features like real-time market data makes it more likely that victims will feel they are using a reputable financial services app.
Gallagher found that the website the scammers were using to distribute their malicious apps was set up to impersonate a real Japanese financial company and had a .com domain. It was even visible on Google as one of the top results, Gallagher says, so victims could find it if they attempted to do some basic research. “To someone who isn’t particularly knowledgeable about these things, that part would be pretty convincing,” Gallagher says.
The attackers, who Sophos suspects are based in Hong Kong, built their Windows, Android, and iOS apps on MetaTrader 4, a legitimate trading platform from a Russian software company. Sophos researchers have seen past examples of the platform being misused and abused for fraud. As part of joining the platform, victims had to disclose personal details including tax identification numbers and photos of government identification documents, then start moving cash into their account.
As is often the case in a wide range of scams, the attackers were distributing their iOS app using a compromised certificate for Apple’s enterprise device management program, which lets apps be installed outside the App Store. Sophos researchers have also recently found pig butchering-related apps that skirted Apple’s defenses and made it into the company’s official App Store.
The second scam Gallagher followed appears to have been run by a Chinese crime syndicate out of Cambodia. The tech for the scheme was less sleek and impressive but still expansive. The group ran a fake Android and iOS cryptocurrency trading app that impersonated the legitimate market tracking service TradingView. But the scheme had a much more developed and sophisticated social engineering arm, designed to lure victims in and make them feel they had a real relationship with the scammer who was suggesting that they invest money.
“It starts off, ‘Hey Jane are you still in Boston?’ so I messaged back, ‘Sorry, wrong number,’ and we had a standard exchange from there,” Gallagher says. The conversation started on SMS and then moved to Telegram.
The persona claimed to be a Malaysian woman living in Vancouver, British Columbia. She said that she ran a wine business and sent a photo of herself standing next to a bar, though the bar was mostly stocked with liquor, not wine. Gallagher was eventually able to identify the bar in the photo as one in the Rosewood Hotel in the Cambodian capital, Phnom Penh.
When asked, Gallagher once again said that he was a cybersecurity threat researcher, but the scammer was not deterred. He added that his company had an office in Vancouver and repeatedly suggested meeting in person. The scammers were committed to the ruse, though, and Gallagher received a few audio and video messages from the woman in the photo. Eventually he even video chatted with her.
“Her English skills were pretty good, she was in a very nondescript location, it looked like a room with acoustic wall pads, kind of like an office or conference room,” Gallagher says. “She told me she was at home, and our conversation quickly steered toward whether I was going to be doing the high-frequency crypto trading with them.”
Cryptocurrency wallets associated with the scam took in roughly $500,000 in a single month from victims, according to Sophos’ monitoring.
The researchers reported their findings on both scams to the relevant cryptocurrency platforms, tech companies, and global cybersecurity response teams, but both operations are still active and were able to continually establish new infrastructure when their apps or wallets got taken down.
Sophos is redacting all images of people from both scams in its reports, because pig butchering operations are often staffed using forced labor, and participants may be working against their will. Gallagher says that the most sinister thing about the attacks is how their evolution and growth mean more forced labor on top of more devastated and financially ruined victims. As law enforcement agencies around the world scramble to counter the threat, though, in-depth details of the mechanics of the schemes show how they work and how slippery and adaptive they can be.