The Rise of Pig Butchering Scams


When you hear the words “Pig Butchering” your first thought probably isn’t a financial scam. Likely, it’s a grisly image of a poor pig, but there’s a reason the financial scam Pig Butchering is titled as such. That is because it is a very grisly scam that can leave its victims completely penniless, and their credit destroyed.

But what is Pig Butchering? That is an excellent question. In this article, I hope to answer not only that question but also provide some red flags that credit union employees can utilize to help identify if their members might potentially be victims of this new scam.

What is Pig Butchering?

The name Pig Butchering stems from the idea that these bad actors will fatten their victim (the pig in this case) before completely wiping out all their accounts (the slaughter or butchering). While this may sound a touch dramatic, believe me, it’s not and we are seeing more and more of this in the field.

We’ve all been exposed to romance scams in the compliance field, so what makes this different? With standard romance scams, the victim will be led to believe that they need to provide money to get their love interest that they’ve never met out of a sticky situation, whether that be to get them out of a foreign country or payoff bad actors that may be holding assets hostage or even the physical person.

Think of the Nigerian Prince scam.

Big Butchering is a bit more sinister in the sense that the scammers will let you get some money back out of your ‘investment’ to help gain the victim’s trust.

Making the first move

More often than not, initial contact is made by the bad actor by sending a text to a victim. Something along the lines of “Hey it’s Amber.” While the victim may not know anyone by that name, they will text back generally and say, “I think you have the wrong number.” It’s the job of the bad actor to make sure they further along the conversation and don’t allow it to die.

Bad actors prey on the elderly and lonely. Victims are happy that someone is talking to them at all, even if it is someone they’ve never met and don’t know. Leaving them vulnerable to these types of phishing scams.

After initial contact has been made and trust established, the bad actor will start discussing investment opportunities that they have made and cashed in on. Many times this is some type of virtual currency. Getting the victim anxious and excited at the prospect of doing the same.

Cultivating a false sense of trust

What is so dangerous about Pig Butchering is the bad actors will ask for investment capital and give the victim a URL that is an overlay showing that their investment is going up. Many times, victims can check on these URLs to monitor their investment.

Unlike so many romance scams where once the bad actor has the money, the member will never see or hear from them again, Pig Butchering scammers will ask for a small amount upfront, “invest” that money, and show how much it’s making on these plagiarized webpages.

This is the dangerous part.

As trust has been established and the investment appears to be doing so well, the bad actor will allow the victim to take some of that money out. You may be asking yourself, why would a bad actor allow the victim to get their money back? The reason is simple, it builds more trust in the relationship between the bad actor and the victim.

Trust is the key factor here as this is when the bad actors turn up the pressure requesting that their victims invest more of their liquid cash, even going so far as to have them max out their HELOC or open other open-ended lines of credit to maximize their returns on this once in a lifetime investment opportunity. You’ve already seen how much you’re making and got some of that money returned, what’s not to believe?

This is what FinCEN refers to as “The Point of No Return.” When victims try to collect on their investment bad actors will demand the victim pay taxes or early withdrawal fees to try and scare them from cashing in on their investment. If this does not work, and the victim is unwilling to continue to invest, the bad actor will cease communication taking everything from the victim and leaving them without any money and potentially in debt as well.

Members might hide the fallout

One of the things we notice with romance scams is members a lot of times are too embarrassed to admit they were swindled and discuss their financial institution. That is why it is so important to look for red flags on members’ accounts to help determine if one of your members may be a victim of this type of scam.

FinCEN published an alert in September of 2023 outlining some of the red flags to look for broken down by behavioral, financial, and technical red flags which are listed below.

Behavioral red flags

  • A customer with no history or background of using, exchanging, or otherwise interacting with virtual currency attempts to exchange a high amount of fiat currency from an existing or newly opened bank account for virtual currency or attempts to initiate high-value transfers to Virtual Asset Service Providers (VASPs).
  • A customer mentions or expresses interest in an investment opportunity leveraging virtual currency with significant returns that they were told about from a new contact who reached out to them unsolicited online or through text message.
  • A customer mentions that they were instructed by an individual who recently contacted them to exchange fiat currency for virtual currency at a virtual currency kiosk and deposit the virtual currency at an address supplied by the individual.
  • A customer appears distressed or anxious to access funds to meet demands or the timeline of a virtual currency investment opportunity.

Financial red flags

  • A customer uncharacteristically liquidates savings accounts prior to maturation, such as a certificate of deposit, and then subsequently attempts to wire the liquidated fiat currency to a VASP or to exchange them for virtual currency.
  • A customer takes out a HELOC, home equity loan, or second mortgage and uses the proceeds to purchase virtual currency or wires the proceeds to a VASP for the purchase of virtual currency.
  • A customer receives what appears to be a deposit of virtual currency from a virtual currency address at or slightly above the amount that the customer previously transferred out of their virtual currency account. This deposit is then followed by outgoing transfers from the customer in substantially larger amounts.
  • Accounts with large balances that are inactive or have limited activity begin to show constant, uncharacteristic, sudden, abnormally frequent, or significant withdrawals of large amounts of money being transferred to a VASP or being exchanged for virtual currency.
  • A customer sends multiple electronic funds transfers (EFTs) or wire transfers to a VASP or sends part of their available balance from an account or wallet they maintain with a VASP and notes that the transaction is for “taxes,” “fees,” or “penalties.”
  • A customer with a short history of conducting several small-value EFTs to a VASP abruptly stops sending EFTs and begins sending multiple high-value wire transfers to accounts of holding companies, limited liability corporations, and individuals with which the customer has no prior transaction history. This is indicative of a victim sending trial transactions to a scammer before committing to and sending larger amounts.

Technical red flags

  • System monitoring and logs show that a customer’s account is accessed repeatedly by unique IP addresses, device IDs, or geographies inconsistent with prior access patterns. Additionally, logins to a customer’s online account at a VASP come from a variety of different device IDs and names inconsistent with the customer’s typical logins.
  • A customer mentions that they are transacting to invest in virtual currency using a service that has a website or application with poor spelling or grammatical structure, dubious customer testimonials, or a generally amateurish site design.
  • A customer mentions visiting a website or application that is purported to be associated with a legitimate VASP or business involved in investing in virtual currency. The website or application shows warning signs such as a web address or domain name that is misspelled in such a manner as to resemble that of another business, a recently registered web address or domain name, no physical street address, international contact information, or contact methods that include only chat or email.
  • A customer mentions that they downloaded an application on their phone directly from a third-party website, rather than from a well-known third-party application store or an application store installed by the manufacturer of the device.
  • A customer receives a large amount of virtual currency such as ether at an exchange, subsequently converts the amount to a virtual currency with lower transaction fees such as TRX, and then abruptly sends it out of the exchange.

Stay informed and alert

With bad actors getting more intelligent with how they social engineer victims and develop these scams it’s very important to make sure you keep your ear to the ground and eyes peeled to help protect your members.

For more information on Pig Butchering please refer to the alert posted by FinCEN.


Your email address will not be published. Required fields are marked *