Sophos, a cybersecurity-as-a-service provider, has published findings on a scam operation that used fake cryptocurrency trading pools to steal more than $1 million. In its report titled “Latest Evolution of ‘Pig Butchering’ Scam Lures Victim in Fake Mining Scheme,” Sophos recounts the experience of a victim, referred to as Frank, who lost $22,000 within a week after falling prey to an impersonator named “Vivian” on the dating app MeetMe.
While investigating Frank’s case, the Sophos X-Ops team uncovered a total of 14 domains linked to the scam operation, along with numerous nearly identical fraudulent websites. Collectively, these sites took in over $1 million within just three months.
This scheme capitalizes on the relatively unregulated realm of decentralized finance (DeFi) cryptocurrency trading applications. These applications create “liquidity pools” of various cryptocurrencies that users can draw on to trade one cryptocurrency for another. Participants in these pools earn a percentage of the fees generated from trades, offering an enticing return on investment. To join such a pool, users are required to sign an online smart contract that grants another account (typically controlled by the pool operators) permission to access their wallets for trade facilitation. Fake pools, increasingly favored by the pig butchers, ask for the same permission, but unlike legitimate pool operators, the scammers eventually abscond with the entire liquidity pool.
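The wallet permission described above can be inspected before it is signed. The following is an added example, not code from the Sophos report: it assumes the request is an ERC-20 `approve(address,uint256)` call (the article does not name the token standard), and the function names, trusted-spender list and sample calldata are constructed for illustration.

```python
# Added example: inspect the calldata a "pool" site asks a wallet to sign.
# Assumes an ERC-20 approve(address,uint256) request; all samples are constructed.
APPROVE_SELECTOR = bytes.fromhex("095ea7b3")  # selector of approve(address,uint256)
MAX_UINT256 = 2**256 - 1

def decode_approval(calldata_hex):
    """Return (spender, amount) for an approve() call, or None for anything else."""
    data = calldata_hex.lower()
    if data.startswith("0x"):
        data = data[2:]
    try:
        raw = bytes.fromhex(data)
    except ValueError:
        return None
    # 4-byte selector + two 32-byte ABI words (address, uint256)
    if len(raw) != 68 or raw[:4] != APPROVE_SELECTOR:
        return None
    if any(raw[4:16]):  # an address occupies the low 20 bytes of a zero-padded word
        return None
    return "0x" + raw[16:36].hex(), int.from_bytes(raw[36:68], "big")

def assess(calldata_hex, trusted_spenders, intended_amount):
    """Return a list of warnings a user should see before signing."""
    decoded = decode_approval(calldata_hex)
    if decoded is None:
        return ["not an approve() call; this check does not cover it"]
    spender, amount = decoded
    warnings = []
    if spender not in {s.lower() for s in trusted_spenders}:
        warnings.append("spender %s is not on the trusted list" % spender)
    if amount == MAX_UINT256:
        warnings.append("unlimited allowance: spender can move the entire token balance")
    elif amount > intended_amount:
        warnings.append("allowance %d exceeds the intended %d" % (amount, intended_amount))
    return warnings

# Constructed inputs: a placeholder spender address and two approve() payloads.
SAMPLE_SPENDER = "0x" + "ab" * 20
SAMPLE_UNLIMITED = "0x095ea7b3" + "00" * 12 + "ab" * 20 + "ff" * 32
SAMPLE_BOUNDED = "0x095ea7b3" + "00" * 12 + "ab" * 20 + format(500, "064x")

if __name__ == "__main__":
    for name, payload in (("unlimited", SAMPLE_UNLIMITED), ("bounded", SAMPLE_BOUNDED)):
        print(name, assess(payload, [SAMPLE_SPENDER], 500))
```

An unlimited allowance to an unknown spender is the combination that lets a pool operator drain a wallet later without any further signature from the victim.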
Sean Gallagher, Principal Threat Researcher at Sophos, highlighted the evolving sophistication of these fraudulent liquidity pools and their integration into existing scam tactics, including luring victims through dating apps. He emphasized the ease with which these scammers exploit the lack of understanding surrounding legitimate cryptocurrency trading, pointing out the availability of toolkits for such scams. Sophos tracked dozens of fraudulent “liquidity pool” sites in the past year; it now detects over 500.
The Sophos X-Ops team first stumbled upon this liquidity mining operation through Frank’s unfortunate encounter. Frank had connected with a scammer posing as “Vivian,” a German woman based in Washington, D.C., on MeetMe. Over weeks, Vivian combined romantic promises with persistent attempts to persuade Frank to invest in cryptocurrency. Eventually, Frank opened a Trust Wallet account, following Vivian’s recommendation to connect to the liquidity pool site. Unbeknownst to Frank, this pool site was a fraudulent operation masquerading as Allnodes, an established decentralized finance platform provider. Between May 31 and June 5, Frank invested $22,000, only to have scammers empty his digital wallet within three days.
Desperate to recover his funds, Frank turned to Vivian, who insisted he invest more in the pool to unlock rewards. As he awaited a bank transfer authorization to Coinbase, Frank came across a Sophos article on liquidity mining. Fearing he had been scammed, he reached out to Sean Gallagher for assistance.
Despite Gallagher’s advice to block Vivian, she persisted in her efforts to lure Frank into further investments, even resorting to sending an emotionally charged letter, likely generated by an AI app. These scams stand out for their absence of malware or fake apps, unlike CryptoRom scams encountered previously. The entire fake liquidity pool operated through the legitimate Trust Wallet app. Frank’s attempts to contact Trust Wallet’s support were futile, because the support contact he reached came from the fraudulent pool site and was itself fraudulent. With these crypto apps unregulated, the scams rely solely on social engineering, and the scammers display unwavering persistence. Even after Frank blocked her on WhatsApp, Vivian continued to reach out for weeks.
Gallagher emphasized the importance of vigilance and awareness as the only means to safeguard against such scams. He advised users to exercise caution when unfamiliar individuals suddenly contact them through dating apps or social media platforms, especially if the conversation shifts toward cryptocurrency investments.
Sophos has shared its findings with Chainalysis, Coinbase, and other cryptocurrency threat intelligence professionals who continue to investigate. Victims who suspect they have fallen prey to pig butchering or liquidity mining fraud are encouraged to reach out to Sophos and seek assistance from local law enforcement.