Raymond Hantho

The ubiquitous Sha Zhu Pan AKA Pig Butchering scam



For those who haven't heard about pig butchering yet: in short, the typology involves building trust with a victim over an extended period before exploiting them for money, often via sham investment platforms. The victim is guided through the acquisition of cryptocurrency and then instructed to transfer it to the fraudsters.


Sha Zhu Pan is not recent news, since the tactic has been in use for several years now, but different variants of the scam are on the rise. The scam is known to have originated in Fujian province in China in 2017 and has since grown into large-scale operations. While the modus operandi seems to follow the same framework, the operations are now applied more systematically to scam the world population, with increased sophistication.


Nearly all victims are non-cryptocurrency users, and large individual losses are one characteristic of pig butchering scams. The US FBI has reported $1 billion lost to such cryptocurrency investment schemes in 2021, with almost half involving romance. Similar magnitudes are seen in other countries. In China, where the scheme originated, $5.7 billion was reported lost to pig butchering scams in 2020. From off-chain estimates and from the collecting wallets on the blockchain, the cybercriminal syndicates behind pig butchering scams may already have earned tens of billions of US dollars.



Victimised in five steps

The scams follow a pattern, which often plays out in five distinct phases:

  1. Presentation - scammers often present themselves as wealthy, attractive and successful businesspeople looking for a serious relationship. They will share images of food and of themselves, often stolen from other social media accounts, and they avoid meeting or live video chats, claiming they are too busy, too shy, or have had a traumatic experience that makes it unnatural and difficult.

  2. Grooming - the scammers will move quickly to declare their friendship and feelings for their victims and communicate with them daily using affectionate terms, often asking for pictures. This then leads to introducing their victims to a third-party app or website, coaching them on how to buy cryptocurrency from an exchange and how to send it to the “platform,” often offering to lend them money and encouraging victims to invite friends and family.

  3. Pressure tactics - the scammers start to increase the pressure on their victims to send more and more to the platform. Victims can be informed of a limited-time deal, and the scammers will agree to help make a “loan” to the victim inside the platform to reach the minimum amount required. Victims find that their investments become stuck or devalue rapidly, and the scammers claim that their investments are stuck as well. The scammers may try to coach their victims to borrow more, using the threat of losing out on what's already been invested.

  4. Cutting off - the final act of the deception involves the sharp turnaround in the sentiment from the scammer – this can involve accusing their victims of fraud, asking for further payments for late fees, tax or other fees. Finally, the scammers often cut off their victims by blocking communications.

  5. Draining - victims' personal information may be sold or transferred to a different scam group, which then contacts the same victim under a different identity, claiming it can guarantee a swift recovery of the stolen funds. Alternatively, since a keylogger is often linked to the fake website, the scammers might try to log into various accounts to take what is left, and if the victim's account security isn't up to par, they might succeed at just that.


Carefully planned and patiently executed


The fraudsters have become increasingly sophisticated in their approach, often implementing comprehensive procedures and training of personnel, in many ways similar to how a normal corporation would operate. It remains a type of romance scam involving cryptocurrency, but with different variants such as:


Fake investment platform - MetaTrader

This is probably the oldest and best-known method: a third-party application connected to the scammers' server. A shell company is registered (often in the UK) and used to purchase a license and domain from MetaQuotes resellers such as Uwork. The displayed bitcoin price trend can then be manipulated with MT4/MT5 plugins like Virtual Dealer.


Mining scam - smart contract exploits

The victim receives a link to the fraudulent liquidity mining application. In order to begin investing, the victim must link their cryptocurrency wallet to the application. The scammer instructs the victim on how to connect their wallet to the liquidity mining pool by clicking a button to receive a so-called mining certificate, or node, in exchange for a small fee, often paid in ETH. A pop-up designed to mirror the interface of the wallet application presents a list of permissions it is allegedly requesting. By clicking the link and accepting the permissions presented, victims unknowingly authorize the scammers to pull an unlimited amount of funds out of their cryptocurrency wallets without further permission or notification.


In the liquidity mining scam, the victim moves cryptocurrency from their wallet to the liquidity mining platform and sees the purported returns on a falsified dashboard. Believing their investments to be a success, victims purchase additional cryptocurrency. Scammers ultimately move all stored cryptocurrency and investments made to a scammer-controlled wallet.

  • How exactly does this work?

During our investigations we've identified a number of domains (dapps) perpetrating the scam. As the victim clicks the link to allegedly join the liquidity mining pool, a smart contract call is made on the Ethereum blockchain. Completely unaware, the victim signs a transaction to the token contract which has been manipulated to grant full spending rights to the scammer. The victim essentially hands over control of the ERC-20 USDT (Tether) tokens in their wallet. As soon as the dapp has access to the funds, a transferFrom call pulls the tokens out into the scammers' wallet.
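The spending right described above is the standard ERC-20 approve/transferFrom mechanism: the victim's signed transaction is an approve(spender, amount) call, and an unlimited amount lets the spender move the whole balance later with transferFrom. The following Python is an added example, not code from the original post or from any of the dapps investigated. It decodes the calldata of an approve() call, labels the allowance the way a wallet could before the user signs, and models the bookkeeping to show why an unlimited allowance drains everything while a bounded one does not. The function selector is the standard ERC-20 one; the addresses, balances and calldata are constructed for the example and correspond to no real wallet or contract.

```python
# Added example: decode an ERC-20 approve() call, flag unlimited allowances,
# and model the approve -> transferFrom drain. Addresses and calldata are
# constructed for this example and are not taken from any real transaction.

# Function selector = first 4 bytes of keccak256("approve(address,uint256)").
APPROVE_SELECTOR = bytes.fromhex("095ea7b3")
MAX_UINT256 = 2**256 - 1

# Constructed, hypothetical addresses (20 bytes each, hex encoded).
VICTIM = "0x" + "aa" * 20
DAPP_SPENDER = "0x" + "bb" * 20       # the contract the victim "connects" to
SCAM_WALLET = "0x" + "cc" * 20        # where the tokens end up


def encode_approve(spender: str, amount: int) -> bytes:
    """Build approve(spender, amount) calldata (ABI: 4-byte selector, two 32-byte words)."""
    spender_word = bytes.fromhex(spender[2:]).rjust(32, b"\x00")
    return APPROVE_SELECTOR + spender_word + amount.to_bytes(32, "big")


def decode_approve(calldata: bytes) -> tuple:
    """Return (spender, amount) from approve() calldata, or raise if it is not one."""
    if len(calldata) != 68 or calldata[:4] != APPROVE_SELECTOR:
        raise ValueError("not an ERC-20 approve(address,uint256) call")
    spender = "0x" + calldata[16:36].hex()           # address is right-aligned in word 1
    amount = int.from_bytes(calldata[36:68], "big")  # uint256 in word 2
    return spender, amount


def classify_approval(amount: int, balance: int) -> str:
    """Risk label a wallet could show before the user signs."""
    if amount == MAX_UINT256:
        return "unlimited"
    if amount > balance:
        return "exceeds-balance"
    return "bounded"


class Erc20Model:
    """Minimal in-memory model of ERC-20 balance and allowance bookkeeping."""

    def __init__(self, balances: dict):
        self.balances = dict(balances)
        self.allowances = {}          # (owner, spender) -> allowed amount

    def approve(self, owner: str, spender: str, amount: int) -> None:
        self.allowances[(owner, spender)] = amount

    def transfer_from(self, caller: str, sender: str, recipient: str, amount: int) -> int:
        """Move tokens out of `sender` on behalf of `caller`; returns sender's new balance."""
        allowed = self.allowances.get((sender, caller), 0)
        if amount > allowed:
            raise PermissionError("insufficient allowance")
        if amount > self.balances.get(sender, 0):
            raise ValueError("insufficient balance")
        if allowed != MAX_UINT256:    # unlimited allowances are never reduced
            self.allowances[(sender, caller)] = allowed - amount
        self.balances[sender] -= amount
        self.balances[recipient] = self.balances.get(recipient, 0) + amount
        return self.balances[sender]


def simulate_drain(approve_calldata: bytes, victim_balance: int) -> int:
    """Apply the victim's approval, then let the spender try to take everything.

    Returns the victim's remaining balance: 0 if the drain succeeded, the
    original balance if the allowance was too small to move it.
    """
    spender, amount = decode_approve(approve_calldata)
    token = Erc20Model({VICTIM: victim_balance})
    token.approve(VICTIM, spender, amount)
    try:
        return token.transfer_from(spender, VICTIM, SCAM_WALLET, victim_balance)
    except PermissionError:
        return token.balances[VICTIM]


if __name__ == "__main__":
    balance = 1_000 * 10**6                    # 1,000 USDT (6 decimals), constructed
    for amt in (MAX_UINT256, 50 * 10**6):
        calldata = encode_approve(DAPP_SPENDER, amt)
        spender, decoded = decode_approve(calldata)
        print(spender, classify_approval(decoded, balance),
              "remaining:", simulate_drain(calldata, balance))
```

The practical mitigation this illustrates is twofold: a wallet that decodes and displays the spender and amount before signing (so "unlimited" is visible rather than hidden behind a mimicked permissions dialog), and a periodic review of existing allowances via the token's allowance(owner, spender) view, revoking unneeded ones with approve(spender, 0).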


Phone malware - profile configuration

The victim is prompted to download a configuration file (malware) masquerading as an application download. The malware silently steals passwords and account information. The victim's credentials can then potentially be used to execute fraudulent money transfers.


DeFi lending liquidity pool

A domain that presents itself as a DeFi lending pool platform, typically giving the victim profit in return for supplying liquidity, in the form of interest of typically 1-2% per day.

The victim is instructed to connect their wallet to the platform, and through a method similar to the mining scam, the fraudsters gain access to the tokens in the victim's wallet. In this variant, a pop-up message may urge the victim to invest more via a limited-time offer. The fake profits remain visible to the victim in their account while the domain's interface is being manipulated by the fraudsters.


Where are the scammers located?

While Sha Zhu Pan operations originated in the Fujian province of China, they have spread to other countries in Southeast Asia. The flow of funds often ends up with Chinese gangs who recruit others to conduct the scam abroad, usually under bad living conditions. These recruits can then be sold as slaves between different compounds, as victims of human trafficking. The compounds have been located in Myanmar, Laos, Vietnam and Cambodia. In our investigations, done together with other members of GASO, we have revealed the locations of various scam compounds along the borders of Thailand.


How are the billions of dollars in stolen funds laundered?

After blockchain analysis of dozens of pig butchering cases, one company in particular shows up as a major contributor to the laundering process: IMTOKEN PTE. LTD. (https://token.im/?locale=en-us), incorporated in Singapore in 2016, is a company that develops a cryptocurrency wallet service. It boasts of having exchanged more than $500 billion USD worth of cryptocurrency since inception. Tokenlon is imToken's decentralized trading platform, incubated and launched by imToken in 2018, and it is integrated into the imToken wallet. In an email to us, imToken says Tokenlon is a separate team now but that they are still in a close business partnership.

Tokenlon claims to be a decentralized exchange, and among its touted capabilities is exchanging Bitcoin for another cryptocurrency. In Tokenlon’s terms and conditions (https://tokenlon.im/tos), they claim to be a decentralized cryptocurrency exchange (DEX), implying that they have no control over the transactions being made since they are all executed automatically by smart contracts. This enables imToken to avoid AML regulations and KYC requirements, as those are commonly understood not to apply to DEXs. According to the Monetary Authority of Singapore, FinTechs and non-FinTechs are subject to the same regulation if they undertake the same regulated business activity. While the extent to which DEXs can be regulated is up for debate, imToken/Tokenlon is patently misrepresenting itself as a DEX. Because of how Bitcoin (BTC) works, it is impossible to run smart contracts natively on the Bitcoin blockchain, yet Tokenlon offers token swaps between BTC and Ethereum-based tokens. Other services offer the same swap option from Bitcoin, but they do it as a centralized entity implementing KYC, not “decentralized” as Tokenlon claims to. As such, Tokenlon has become a very popular platform for money laundering.

We observe all too often that Tokenlon is practically the only DEX used by Sha Zhu Pan scammers in their attempts to obfuscate their trail on the blockchain. The swap is traceable, as there is some data in the OP_RETURN field of the respective bitcoin transaction, but the chain-hop itself is not represented on the bitcoin ledger.
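The OP_RETURN data mentioned above is the only trace of the chain-hop that is visible on the Bitcoin side, so finding it is the first step when following funds through such a swap. The Python below is an added example, not code from the original post and not Tokenlon's own tooling: it parses a serialized Bitcoin transaction, walks its outputs and returns the payload of every OP_RETURN output. The transaction is constructed for the example; the page does not describe the layout of the payload Tokenlon writes, so the code only returns the raw bytes for manual inspection rather than interpreting them.

```python
# Added example: extract OP_RETURN payloads from a raw Bitcoin transaction.
# The transaction below is constructed for this example and is not a real
# transaction; the payload layout Tokenlon uses is not described on the page,
# so the code returns raw bytes for manual inspection.

OP_RETURN = 0x6A
OP_PUSHDATA1 = 0x4C
OP_PUSHDATA2 = 0x4D


def read_varint(buf: bytes, pos: int):
    """Decode a Bitcoin CompactSize integer at buf[pos]; returns (value, new_pos)."""
    first = buf[pos]
    if first < 0xFD:
        return first, pos + 1
    width = {0xFD: 2, 0xFE: 4, 0xFF: 8}[first]
    return int.from_bytes(buf[pos + 1:pos + 1 + width], "little"), pos + 1 + width


def parse_outputs(raw: bytes):
    """Walk a serialized transaction and return its outputs as (value_sats, script_pubkey)."""
    pos = 4                                   # 4-byte version
    if raw[pos] == 0x00 and raw[pos + 1] == 0x01:
        pos += 2                              # segwit marker + flag; witnesses come after the outputs
    n_in, pos = read_varint(raw, pos)
    for _ in range(n_in):
        pos += 32 + 4                         # previous txid + output index
        script_len, pos = read_varint(raw, pos)
        pos += script_len + 4                 # scriptSig + sequence
    n_out, pos = read_varint(raw, pos)
    outputs = []
    for _ in range(n_out):
        value = int.from_bytes(raw[pos:pos + 8], "little")
        pos += 8
        script_len, pos = read_varint(raw, pos)
        outputs.append((value, raw[pos:pos + script_len]))
        pos += script_len
    return outputs


def op_return_payload(script: bytes):
    """Return the pushed data of an OP_RETURN script, or None if the script is not one."""
    if not script or script[0] != OP_RETURN:
        return None
    if len(script) == 1:
        return b""                            # bare OP_RETURN, no payload
    opcode, pos = script[1], 2
    if opcode < OP_PUSHDATA1:                 # direct push of 1..75 bytes
        length = opcode
    elif opcode == OP_PUSHDATA1:
        length, pos = script[pos], pos + 1
    elif opcode == OP_PUSHDATA2:
        length, pos = int.from_bytes(script[pos:pos + 2], "little"), pos + 2
    else:
        return None                           # OP_PUSHDATA4 or non-push opcode; not handled here
    return script[pos:pos + length]


def extract_op_return(raw_hex: str):
    """Return [(output_index, value_sats, payload)] for every OP_RETURN output."""
    found = []
    for index, (value, script) in enumerate(parse_outputs(bytes.fromhex(raw_hex))):
        payload = op_return_payload(script)
        if payload is not None:
            found.append((index, value, payload))
    return found


# Constructed sample: one input, an OP_RETURN output carrying a 13-byte marker,
# and a 100,000 sat P2PKH change output. Not a real transaction.
MARKER = b"chainhop:demo"
SAMPLE_TX_HEX = (
    "01000000"                                              # version 1
    + "01" + "aa" * 32 + "00000000" + "00" + "ffffffff"     # one input, empty scriptSig
    + "02"                                                  # two outputs
    + "0000000000000000" + "0f" + "6a0d" + MARKER.hex()     # 0 sats, OP_RETURN <13 bytes>
    + "a086010000000000" + "19" + "76a914" + "bb" * 20 + "88ac"  # 100000 sats, P2PKH
    + "00000000"                                            # locktime
)

if __name__ == "__main__":
    for index, value, payload in extract_op_return(SAMPLE_TX_HEX):
        print(f"output {index}: {value} sats, OP_RETURN payload {payload!r}")
```

On real data the raw hex comes from a node's getrawtransaction or a block explorer; the parser deliberately stops at the outputs, so it handles both legacy and segwit serializations without needing to read the witness section. Payloads are returned as bytes because a provider's marker format is an assumption until it has been confirmed across several known transactions.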


Tokenlon and imToken have been involved in nearly every Sha Zhu Pan case we've ever witnessed.

Despite Tokenlon’s claims to be providing swaps in a decentralized way, they admit that they hold the BTC in custody. See https://gto.tokenlon.im/imbtc.

“After using BTC to mint imBTC and waiting for 6 blocks to be confirmed, imBTC will be issued to your Ethereum wallet address.”


Tokenlon recently admitted to being centralized, although when it comes to regulation they are “decentralized”: “Therefore, we choose to adhere to the principle of security and transparency, and temporarily use centralized hosting to make imBTC easy to use, so as to better popularize usage.”

They have, however, been doing this since as early as 2019, as stated in their Chinese blog: https://imtoken.fans/t/topic/6693

Tokenlon does not describe how the tokens are issued, because it has to be done in a centralized way. This is simply due to how the bitcoin network functions; it’s just not possible to do in a decentralized way. As a consequence, the transaction isn’t publicly shown on the bitcoin ledger as one normally would see it. “imBTC is not a freely issued token, but is generated by locking an identical amount in BTC. Completely transparent and 100% verifiable.”



It sounds like there are concerns about the transparency and decentralization of Tokenlon, and that there may be some suspicious activity occurring on the platform. The fact that one address has processed such a large amount of BTC is certainly noteworthy, and the way that Tokenlon handles swaps of other tokens may indicate that it is more centralized than decentralized.


It is also concerning that investigators of pig butchering scams have independently arrived at the same findings about Tokenlon, suggesting that there may be fraudulent activity occurring on the platform. Without more information, it is difficult to say for certain what is going on, but it does seem like there are some red flags that warrant further investigation.


Laundering enablers: liquidity providers

We haven't heard of a case where liquidity providers that supplied large amounts of liquidity to a DEX faced repercussions for facilitating illicit transactions, and we also aren’t sure what merits such a case would have. If a select few entities engaged in a scheme whereby they provided the vast majority of liquidity to a ‘DEX’ with a very large portion of illicit activity, and those liquidity providers knew (or ought to have known) of this, can the liquidity providers themselves be held liable? These liquidity providers are often investment funds in various jurisdictions, but the main provider is located in the US.


Can justice prevail?

Policies that prevent and respond to the human trafficking which in large part facilitates these online scams are necessary. Since having recruiters and leaders put behind bars seems unlikely, at least in the near future, increasing the difficulty of laundering the funds successfully can be a viable option. According to on-chain data, the scam is undoubtedly profitable, and fraudsters rarely get caught as it is conducted from countries usually unreachable by international law enforcement agencies and with lacklustre policies that don't deal with the issue from within. Creating awareness always helps, but Chainbrium believes that stopping the flow of funds and reducing the profitability is an important aspect of fighting this kind of crime. A good start could be to stop entities where AML is practically nonexistent. If one 'DEX' has a very large portion of illicit activity, of which it is completely aware and which it chooses to ignore, shouldn't it be held accountable? Targets like that would be "malicious infrastructure".


While tracing cryptocurrencies is possible, criminals continue to apply more sophisticated laundering techniques in an attempt to obfuscate the trail, which can make the investigation more time consuming. These techniques involve layering, chain-hopping (bridges) and, most effectively, mixers/tumblers, although the laundering process has generally been less sophisticated in these cases compared to others. If the tracing is successful, the victim may pursue both criminal and civil routes to recover their stolen assets.




