Sha Zhu Pan Scammers Use Fake Cryptocurrency Trading Pools to Steal More Than $1 Million, Sophos Reports
September 2023 by Sophos
Sophos released findings on a major shā zhū pán (pig butchering) operation utilizing fake trading pools of cryptocurrency (liquidity pools) to steal more than $1 million. The report, “Latest Evolution of ‘Pig Butchering’ Scam Lures Victim in Fake Mining Scheme,” details the story of one of the scammed victims in the pools, named *Frank, and how he lost $22,000 in one week after “someone” pretending to be “Vivian” on the dating app MeetMe contacted him.
After Sophos X-Ops investigated Frank’s story, the team uncovered a total of 14 domains associated with the scam operation, as well as dozens of nearly identical fraud sites that, together, netted this one “ring” of pig butcherers more than $1 million in three months.
This scam takes advantage of the largely unregulated world of decentralized finance (DeFI) cryptocurrency trading applications. Such applications create “liquidity pools” of various types of cryptocurrencies that users can then access to make trades from one cryptocurrency to another. Those who participate in the pool receive a percentage of any fee paid when a trade is made, creating an enticing return on investment. To join a pool, participants first have to sign an online smart contract—a contract that gives another account (typically the operators of the pool) permission to access participants’ wallets to facilitate trades. Fake pools, which pig butcherers are increasingly utilizing to siphon funds from targets, operate in much the same way. However, unlike legitimate pools, at some point these scammers “pull the rug” and empty the entire liquidity pool for themselves.
“When we first discovered these fake liquidity pools, it was rather primitive and still developing. Now, we’re seeing sha zhu pan scammers taking this particular brand of cryptocurrency fraud and seamlessly integrating it into their existing set of tactics, such as luring targets over dating apps. Very few understand how legitimate cryptocurrency trading works, so it’s easy for these scammers to con their targets. There are even toolkits now for this sort of scam, making it simple for different pig butchering operations to add this type of crypto fraud to their arsenal. While last year, Sophos tracked dozens of these fraudulent ‘liquidity pool’ sites, now we’re seeing more than 500,” said Sean Gallagher, principal threat researcher, Sophos.
Sophos X-Ops first learned of this liquidity mining operation from a victim named Frank. Frank had connected on the dating app MeetMe with a scammer hiding behind the persona of Vivian, a German woman supposedly living in Washington, D.C. for work. For weeks, Frank chatted with Vivian, who mixed her romantic promises with persistent attempts to convince Frank to invest in crypto.
Eventually, Frank opened a Trust Wallet account (a legitimate app for converting dollars to cryptocurrency) and connected to the link to the liquidity pool site Vivian recommended. In reality, the pool site was a fraud site utilizing the brand of Allnodes, an established decentralized finance platform provider, as a cover. Between May 31 and June 5, Frank invested $22,000 in the scheme. Just three days later, the scammers emptied Frank’s digital wallet. Frank, looking to recover his money, turned to Vivan, who claimed he needed to invest even more in the pool to recover his funds and reap the “rewards.” While waiting for his bank to authorize a money transfer to Coinbase, Frank started researching what was going on and came across an article on liquidity mining from Sophos. At this point, Frank reached out to Gallagher for help.
Even after Gallagher instructed Frank to block Vivian, she eventually found him on Telegram and continued her attempts to entice him into “continuing their investment,” going so far as to send a lengthy, emotional letter that was very likely created by a generative AI app.
“What makes these sorts of scams particularly tricky is that they don’t require any malware to be installed on a victim’s device. They don’t even involve a fake app, like some of those we’ve encountered in other CryptoRom scams. This entire fake liquidity pool was run through the legitimate Trust Wallet app. At one point, Frank even tried to contact Trust Wallet’s support to recover his money, but he connected with a fake support contact from the fraudulent liquidity pool site. There is no regulation of these pools, legitimate or otherwise, on these crypto apps. These scams succeed solely through social engineering, and the scammers are persistent. Vivian continued trying to contact Frank for weeks after he blocked her on WhatsApp.
“The only way to stay safe from these scams is to be vigilant and know that they exist and how they operate. That is why Frank wanted to share his story. Users need be wary of anyone they have no connection with reaching out to them suddenly via any dating app or social media platform, particularly if the ‘person’ reaching out wants to move the conversation to a platform like WhatsApp and then discusses investing in cryptocurrency,” said Gallagher.
Sophos has shared its data on this case with Chainalysis and Coinbase, as well as other threat intelligence professionals in the cryptocurrency space, all of whom continue to investigate. People who believe they may be a victim of pig butchering or liquidity mining fraud are free to reach out to Sophos. They should also reach out to their local law enforcement for assistance.