Scams in the spotlight: Is it ‘Pig Butchering’ or ‘Romance Baiting’?

Paul Ducklin
01/22/2025

What’s in a name?

The digital cyber-vandals who churned out the first computer viruses liked to tag them with counter-cultural names that they could use for bragging rights.

Sometimes, those names took hold because they were memorable, or because they were unavoidably woven into the visual fabric of the malware.

What else, for instance, could the infamous Tequila virus have been called, given that when it showed itself after three months of quietly replicating, it said Welcome to T.TEQUILA's latest production, and proclaimed BEER and TEQUILA forever?

Often, however, malware researchers of the day went to great lengths to choose names that were deliberately different from what the authors wanted.

Some researchers even took text from the malware, but reversed it as a vague sign of disrespect, which is how the Nimda virus got its unusual name, being the word Admin backwards.

(Quite how often malware writers sneakily reversed their names in advance, in a double-bluff aimed at getting the name flipped back by the anti-virus industry, will never be known.)

Intriguingly, the dilemma of cyber-threat naming is back in the spotlight today, following an imprecation from INTERPOL for cybersecurity vendors to steer clear of the term Pig Butchering, widely used to describe a form of cyber-scam based on bogus investments, notably those involving fake cryptocurrencies.

The name, it seems, comes directly from the scammers themselves, and is an approximate translation of a Chinese phrase that the fraudsters use to refer to their victims.

The metaphor is as odious as it sounds.

The scammers look on their victims as farm animals to be fattened up for slaughter, with the scam ending in financial “butchering”, when the scammers cut contact and run off with every cent that the victims – and perhaps their friends and families, too – have “invested.”

Gambling in a new guise

The Chinese connection comes from the fact that the playbook of this scam arose in South East Asia, originally targeting Chinese-speaking gamblers who routinely traveled outside mainland China to visit casinos, which weren’t legal in their own country.

By many accounts, when casinos in nearby countries were forced to close down during the coronavirus pandemic, cybercriminals ramped up their efforts to lure frustrated Chinese gamblers into speculating in cryptocurrencies instead, which is how this crime ended up with the translated name “pig butchering,” even though that isn’t a common idiom in English.

Though originally concentrated in South East Asia, this crime is now truly global, given that it is conducted entirely online, with scammers targeting victims far and wide.

In 2024, for example, the former CEO of a bank in Elkhart, Kansas, was sentenced to over 24 years in a federal prison for embezzling more than $47,000,000 from the bank and putting the money into one of these fake investment scams.

US authorities managed to recover $8,071,038 of the missing money, providing at least some restitution for the residents of the small town from which the funds were stolen, but covering the rest of the loss fell to the FDIC, the US Federal Deposit Insurance Corporation, which insures bank deposits and acts as a safety net for bank failures.

INTERPOL, as we mentioned above, would like us to find another name for this crime, arguing that:

The term “pig butchering” dehumanizes and shames victims of such frauds, deterring people from coming forward to seek help and provide information to the authorities.

(Clearly, as the $47 million embezzled from the people of Elkhart, Kansas reminds us, some of the primary victims of this crime are serious criminals in their own right, and sparing them from “dehumanization” and “shame” is probably not high on the agenda of their secondary victims.)

How it works

The tricky question, of course, is what phrase to adopt instead for a cybercrime that typically unfolds like this:

  • The scammers make contact with potential victims, commonly via a dating site, where introducing yourself to people you’ve never met is quite normal, and doesn’t feel particularly risky. Alternatively, the scammers simply make a “missed call” or send a casual and unthreatening text message to people they don’t know, as though they innocently and accidentally typed in the wrong name or number.
  • If the victim responds, even if only to say, “You’re not my type” in reply to a request for a date, or, “I think you’ve got the wrong person” to an unexpected call or message, the scammer typically replies in a casual and non-committal way. The scammer therefore aims to appear uninterested, but friendly at the same time.

The idea, very simply, is to lure the victims into the sort of brief chat you might have with a stranger at the station, or the fellow commuter you end up sitting next to on a bus.

Often, those conversations drift harmlessly into companionable silence; occasionally, however, you find some common interests that you are happy to chat about, such as why you prefer iOS to Android, or how much quieter and more comfortable the new electric buses are.

After all, what’s the harm in conversing casually with someone whom you aren’t planning on sharing any personal data with, and whom you’ll probably never hear from again?

But “pig butchering” follows a deliberately devious path of chat that is neither casual nor random, as the US National Cybersecurity Alliance (NCA) bluntly explains:

• Seemingly accidental or mistaken contact, but the person wants to keep talking.

• Conversation turns to investments in cryptocurrency, gold markets, or foreign exchange.

• Continued, sustained contact to encourage repeat theft.

Crypto investment: After conversing with the target, the scammer will try to persuade them to invest in a cryptocurrency or platform. They may also suggest gold trading or forex (foreign exchange markets). In pig butchering, all these “investments” are fabrications, and the money goes straight into the scammer’s pocket.

Extended contact: The scammer will insist on continued investment once they’ve hooked a victim. They might produce fake charts or even send over small “withdrawals” to convince the victim. Sometimes a target is directed to a fraudulent app that mimics financial platforms like Robinhood or Coinbase. Once the victim catches onto the scam or seems to be tapped dry, the scammer ends contact and disappears.

The fraudulent investment apps that these scammers lure their victims into installing are often surprisingly realistic, copying the look-and-feel of legitimate apps, and linking to “live” websites that appear to list real-time transactions just like legitimate online trading sites, thus giving the impression of a genuine and lively “online market.”

The graphs, of course, are entirely concocted, heading almost continuously upwards, and the balance statements that the app presents are completely fake, showing an “investment amount” that simply doesn’t exist.

Android users can be lured into installing non-Google apps by themselves, because Android allows the use of software markets other than Google Play.

But iPhone users can be targeted too, even though consumers can install apps only from Apple’s own App Store, which is pitched as carefully vetted and safe.

(Malware does get into the App Store surprisingly regularly, but long-running scams that rely on apps are hard to pull off by infiltrating the App Store, because rogue apps get thrown out if they’re spotted.)

One trick involves convincing victims that they are lucky early adopters – much like the investors who managed to get into Bitcoins back when they were just a dollar or so each – and inviting them to sign up for a limited-access app release.

For this early adopter privilege, the scammer will explain, the victim needs to join an invitation-only group of users by enrolling their own phone into the scammer’s Mobile Device Management (MDM) service, as though they were an employee being issued with a work-owned phone.

This gives the scammers a huge degree of remote control over enrolled devices: they can wipe the victims’ phones remotely, for example if they think that the police are onto them; and they can install proprietary “business” applications that aren’t available in the App Store, and that have therefore not been vetted, or seen by Apple at all.

Pulling the plug

Even at the end of the scam, when the victim has become suspicious to the point of demanding to withdraw their “investment” in its entirety, the scammers sometimes sting the victim for yet more money, using high-pressure threats and intimidation.

The scammers may seem entirely obliging at first, leading the victim to believe that their payout is about to go through…

…before jumping in to warn the victim that “the government” is now involved, seeking to recover some sort of withholding tax from the total payout, for example 20%, before the rest can be sent.

As suspicious as the victim might be, the scammers temptingly note that even after 20% is withheld, 80% of the imaginary “investment” will be paid out anyway, free and clear of further “government” intervention.

As you can probably imagine, the intimidation comes next, based on a lie that the “authorities” have become suspicious, have abruptly frozen the account, and are insisting that the necessary tax be paid in advance, instead of withheld, so that the victim can “prove” their legitimacy as the owner of the account.

“Don’t worry,” the scammers will say, “Beg or borrow from your relatives – or take an unauthorized ‘loan’ by stealing from your employer – to come up with the tax money, and you’ll immediately get 100% of the ‘investment’ back, so you can return all the money you ‘borrowed’ before anyone notices.”

But if you don’t pay, the scammers turn nasty, with a threat such as, “The government will come after you personally, and they won’t be interested in a 20% tax. The funds are frozen, so they’ll take it all anyway, and then prosecute you for having had the ‘investment’ in the first place.”

What to call this crime?

The name Pig Butchering reflects very clearly just how much disdain the criminals have for their victims, and just how brutally the criminals want to interfere in, and ruin, their victims’ lives, to the extent of stealing their life savings, and persuading them to plunder the life savings of other people, too.

Nevertheless, INTERPOL wants us to stop using that term, and to use a name that reminds us how the scam often starts in the first place, namely Romance Baiting.

Sadly, that’s not a terribly good name either.

Although these scammers started out by using dating sites as a convenient way of forming non-romantic friendships with possible victims, they now use a wide range of excuses for making their first contact.

These are investment scams, and the scammers may not use dating or romance to “bait” their hooks.

In the words of the NCA:

Scammers often pretend they contacted the potential victim by mistake. While contact can occur through texts [SMS messages], it can also happen through social media DMs, dating sites, or other electronic communications.

By lumping in these scams with old-school romance scams, where the criminals really do bait their hooks by pretending to fall in love with their victims, we’d run the risk that some victims might be sucked in simply because the scam didn’t start on a dating site.

What to do?

  • Ignore unsolicited, unexpected or apparently accidental contacts. If someone messaged you by mistake in place of someone else, there’s nothing you can or should do about that. If you know the other person, don’t give any of their personal details away, because it’s not your information to disclose. If you don’t know them, you don’t have anything to say. Either way, just say nothing!
  • Never install unknown or untrusted apps on someone else’s say so. Even more importantly, never give MDM-level control over your phone to someone you don’t know. Business-level MDM enrollment is something that your employer might require for phones that they own and provide for you, or that they may request in return for letting you use your own phone for work. Don’t give MDM powers to anyone else.
  • Don’t turn your back on friends and family if they warn you about something they think is a scam. Whether it’s a romance scam in which the criminal pretends to be in love with you in return for money, or an investment scam where the criminal makes it clear that they aren’t interested in a romantic relationship but wants money anyway, just say, “No.”
  • If you’ve been sucked in to what you think is a scam, act as soon as you can. Stop sending money. Cut off contact with the criminals. Report the scam to your own financial institution. Consider reporting it to the authorities so they have an official record – you are probably not alone. In the US, use the IC3 website at https://www.ic3.gov/ (that’s the Internet Crime Complaint Center).

Don’t feel shamed or dehumanized if you are a victim of this type of scam: the name Pig Butchering is a pejorative reference to the criminals who run these scams, not to the victims they prey upon.


Why not ask how SolCyber can help you do cybersecurity in the most human-friendly way? Don’t get stuck behind an ever-expanding convoy of security tools that leave you at the whim of policies and procedures that are dictated by the tools, even though they don’t suit your IT team, your colleagues, or your customers!

More About Duck


Paul Ducklin is a respected expert with more than 30 years of experience as a programmer, reverser, researcher and educator in the cybersecurity industry. Duck, as he is known, is also a globally respected writer, presenter and podcaster with an unmatched knack for explaining even the most complex technical issues in plain English. Read, learn, enjoy!

Featured image of investment app by Tech Daily via Unsplash.
