The Financial Crimes Enforcement Network (FinCEN) has issued an Alert, FIN-2023-Alert005, on the virtual currency investment scam known as “pig butchering.”[i] The Alert lays out the methodology of the scheme and provides red flags to help identify and report suspicious activity. In the Alert, FinCEN notes that the fraud and cybercrime elements of the scam are two of the agency’s AML/CFT National Priorities.
While the Alert is directed explicitly to US financial institutions (including Money Service Businesses), the descriptions of the scheme and the red flags help identify the scheme in other jurisdictions. The Alert is also useful as a training tool to help your teams spot this scam.
What is the basic design of the scheme?
The scammer contacts a possible victim using:
- Text messaging
- Direct messages on social media
- Other communications platforms.
The essence of the initial contact is that they reached the “wrong number” or were looking for an old friend. The scammer may create a social media profile showcasing wealth and may claim to be a money manager or an investor. If the scammer receives a response from the victim, they will continue to interact to build a relationship and establish trust.
Once trust has been created, the scammer will present a purportedly worthwhile investment in virtual currency and connect the victim to virtual currency applications or websites that appear legitimate but are not and are controlled by the scammer. The scammer will assist the victim in purchasing virtual currency and use it to “invest” the funds through the applications or websites controlled by the scammer.
Once the victim invests, the scammer shows the victim exceptional returns. These are false. The scammer will repeatedly recommend that the victim increase their investment. When the victim slows the frequency of their additional investments or stops altogether, the scammer will cut off interaction with the victim who cannot access their “investments.”
Who are the scammers?
Often, the perpetrators who connect with victims are themselves victims of human or labor trafficking operations run by criminal organizations and are acting against their will.
FinCEN and law enforcement have developed red flags to aid the detection, prevention, and reporting of suspicious activity related to these schemes. No single red flag definitively indicates suspicious activity. Possible suspicious activity should be evaluated considering all the facts and circumstances available. Some of the red flags outlined in the Alert include:
Behavioral Red Flags
- A customer with no history of using virtual currency asks to exchange a large amount of fiat currency from their account for virtual currency.
- A customer expresses interest in a possible investment in virtual currency offering high rates of return, which they learned about from an unsolicited contact online or through a text message.
- A customer mentions that an individual instructed them to exchange fiat currency for virtual currency at a virtual currency kiosk and deposit it at an address supplied by the individual.
- A customer appears upset or anxious to access funds to meet requirements or the timeline of an investment opportunity in virtual currency.
Financial Red Flags
- A customer uncharacteristically liquidates a certificate of deposit before maturity and then attempts to wire the liquidated funds to a virtual asset service provider (VASP) or exchange them for virtual currency.
- A customer establishes a home equity loan or second mortgage and uses the proceeds to purchase virtual currency.
- Accounts with large balances that are inactive or have limited activity begin to show constant, uncharacteristic, sudden, abnormally frequent, or significant withdrawals of large amounts. The withdrawn funds are transferred to a VASP or exchanged for virtual currency.
- A customer sends multiple transfers to a VASP or sends part of their available balance from their account or wallet with a VASP and notes that the transaction is for “taxes,” “fees,” or “penalties.”
Technical Red Flags
- System monitoring shows that a customer’s account is accessed repeatedly by unique IP addresses, device IDs, or geographies inconsistent with prior access patterns. Additionally, logins to a customer’s online account at a VASP come from various device IDs and names inconsistent with the customer’s typical logins.
- A customer mentions visiting a website or application that is supposed to be associated with a legitimate VASP or business investing in virtual currency. The website or application shows warning signs such as a web address or domain name that is misspelled in such a manner as to resemble that of another business, a recently registered web address or domain name, no physical street address, international contact information, or contact methods that include only chat or email.
- A customer mentions that they downloaded an application on their phone directly from a third-party website rather than a well-known third-party application store or an application store installed by the device manufacturer.
- A customer receives a large amount of virtual currency, such as ether, at an exchange, subsequently converts the amount to a virtual currency with lower transaction fees, such as TRX, and then sends it out of the exchange.
How to report the scheme
The Alter includes details about reporting a suspected pig butchering scheme in a Suspicious Activity Report. Financial institutions are encouraged to refer customers who are victims of the scam to the FBI (https://www.ic3.gov/) and the SEC (https://www.sec.gov/tcr). Where elder victims are involved, they can also be referred to the DOJ’s National Elder Fraud Hotline at 833-372-8311.
We have helped financial institutions across the globe for decades. If you want to learn more about how our experts can help you reach your goals, fill out our contact form, and we’ll start the conversation.
[i] The term "pig butchering" comes from the idea that scammers fatten up their victims with promises of high returns or profits before "slaughtering" them for their money.