“Pig Butchering” - When “Catfishing” Meets Crypto-Investment Fraud

By Valerie Moss

“Pig butchering” has increasingly appeared in news stories over the past couple of years, and, it has nothing to do with raising and breeding domestic livestock. “Pig butchering” is a cryptocurrency investment scam that metaphorically resembles fattening a pig before slaughter. Also known in Chinese as “Sha Zhu Pan” or the killing pig game, these scams originated in Southeast Asia, but are now being perpetrated by organized crime groups around the world, often utilizing victims of labor trafficking.

Scammers using fictitious online personas (i.e., “catfishing”) approach potential victims via social media, dating platforms or text messages, claiming that they mistakenly reached the wrong person or were trying to re-connect with an old friend or romantic partner. Scammers communicate with victims over time to establish trust and build what appears to be a friendship or romantic relationship, then introduce them to a supposedly lucrative crypto-investment opportunity. Once the victim is unable or unwilling to invest any more money, the scammer will cease communication and take the victim’s entire “investment” with them, i.e., the slaughter.

Pig Butchering “Red Flags”

FinCEN issued an alert on the scam in 2023 that highlighted a number of behavioral, financial and technical “red flags” to assist financial institutions in identifying and reporting suspected pig butchering to FinCEN. For example:

Behavioral Red Flags

•    A member with no history or background of using, exchanging, or otherwise interacting with virtual currency (i.e., crypto-currency like Bitcoin or Ethereum) attempts to exchange a high amount of fiat currency (i.e., government-issued currency or legal tender) from an existing or newly opened account for virtual currency, or attempts to initiate high-value transfers to virtual asset service providers (“VASPs”).

•    A member mentions or expresses interest in an investment opportunity leveraging virtual currency with significant returns that they were told about from a new contact who reached out to them unsolicited online or through text message.

•    A member mentions that they were instructed by an individual who recently contacted them to exchange fiat currency for virtual currency at a virtual currency kiosk and deposit the virtual currency at an address supplied by the individual.

•    A member appears distressed or anxious to access funds to meet demands or the timeline of a virtual currency investment opportunity.

Financial Red Flags

•    A member liquidates a share certificate prior to maturity, and then subsequently attempts to wire the liquidated currency to a VASP or to exchange them for virtual currency.

•    A member takes out a HELOC, home equity loan, or second mortgage and uses the proceeds to purchase virtual currency or wires the proceeds to a VASP for the purchase of virtual currency.

•    A member receives what appears to be a deposit of virtual currency from a virtual currency address at or slightly above the amount that the member previously transferred out of their virtual currency account. This deposit is then followed by outgoing transfers from the member in substantially larger amounts.

•    Accounts with large balances that are inactive or have limited activity begin to show constant, uncharacteristic, sudden, abnormally frequent, or significant withdrawals of large amounts of money being transferred to a VASP or being exchanged for virtual currency.

•    A member sends multiple electronic funds transfers (EFTs) or wire transfers to a VASP or sends part of their available balance from an account or wallet they maintain with a VASP and notes that the transaction is for “taxes,” “fees,” or “penalties.”

•    A member with a short history of conducting several small-value EFTs to a VASP abruptly stops sending EFTs and begins sending multiple high-value wire transfers to accounts of holding companies, limited liability corporations, and individuals with which the member has no prior transaction history. This is indicative of a victim sending trial transactions to a scammer before committing to and sending larger amounts.

Technical Red Flags

•    System monitoring and logs show that a member’s account is accessed repeatedly by unique IP addresses, device IDs, or geographies inconsistent with prior access patterns. Additionally, logins to a member’s online account at a VASP come from a variety of different device IDs and names inconsistent with the member’s typical logins.

•    A member mentions that they are transacting to invest in virtual currency using a service that has a website or mobile application (“app”) with poor spelling or grammatical structure, dubious member testimonials, or a generally amateurish site design.

•    A member mentions visiting a website or mobile app that is purported to be associated with a legitimate VASP or business involved in investing in virtual currency. The website or app shows warning signs such as a web address or domain name that is misspelled in such a manner as to resemble that of another business, a recently registered web address or domain name, no physical street address, international contact information, or contact methods that include only chat or email.

•    A member mentions that they downloaded a mobile app on their phone directly from a third-party website, rather than from a well-known third-party app store or one installed by the manufacturer of the device.

•    A member receives a large amount of Bitcoin or other virtual currency at an exchange, subsequently converts the amount to a virtual currency with lower transaction fees, and then abruptly sends it out of the exchange.

For more information, see FinCEN’s Alert on Prevalent Virtual Currency Investment Scam Commonly Known as “Pig Butchering” (FIN-2023-Alert005)

Filing Suspicious Activity Reports and Helping Victims

FinCEN requests that financial institutions include the key term “FIN-2023-PIGBUTCHERING” in SAR field 2 (Filing Institution Note to FinCEN) and the SAR narrative, and select “Fraud-Other” under SAR field 34(z) with the description “Pig Butchering.

In addition to filing a SAR, credit unions can refer members who may be victims of pig butchering to the FBI’s IC3 Internet Complaint Center: https://www.ic3.gov/, as well as the Securities and Exchange Commission’s tips, complaints, and referrals (TCR) system to report investment fraud: https://www.sec.gov/tcr. In the case of elder victims of pig butchering, credit unions may also refer their members to DOJ’s National Elder Fraud Hotline at 833-FRAUD-11 or 833-372-8311. See also FinCEN’s Advisory on Elder Financial Exploitation (FIN-2022-A002). 

Questions? Suggestions for future blog posts? Please reach out to the Compliance Team at compliance@americascreditunions.org.