On September 8, 2023, FinCEN issued an alert to highlight a prominent virtual currency investment scam known as “pig butchering.” According to FinCEN’s press release, multiple U.S. law enforcement sources estimate victims in the United States have lost billions of dollars to these scams and other virtual currency investment frauds.
From the statement by FinCEN Acting Director Himamauli Das:
“This scam has impacted far too many Americans, which is why FinCEN is sounding the alarm and asking financial institutions to report suspicious activity indicative of this scheme. Suspicious Activity Reports filed by financial institutions will enable law enforcement to both aid victims and track down the perpetrators.”
According to FinCEN, the scam is called “pig butchering” as it resembles the practice of fattening a hog before slaughter. In this type of scam, victims invest in supposedly legitimate virtual currency investment opportunities before they are conned out of their money. FinCEN’s alert explains the scam’s methodology. Scammers may leverage fictitious identities, the guise of potential relationships, and elaborate storylines to make the victims believe they are in trusted partnerships before they defraud the victims of their assets.
FinCEN has identified the following indicators to help detect, prevent, and report potential suspicious activity related to pig butchering:
Behavioral Red Flags
A customer with no history or background of using, exchanging, or otherwise interacting with virtual currency attempts to exchange a high amount of fiat currency from an existing or newly opened bank account for virtual currency or attempts to initiate high-value transfers to virtual asset service providers (VASPs).
A customer mentions or expresses interest in an investment opportunity leveraging virtual currency with significant returns that they were told about from a new contact who reached out to them unsolicited online or through text message.
A customer mentions that they were instructed by an individual who recently contacted them to exchange fiat currency for virtual currency at a virtual currency kiosk and deposit the virtual currency at an address supplied by the individual.
A customer appears distressed or anxious to access funds to meet demands or the timeline of a virtual currency investment opportunity.
Financial Red Flags
A customer uncharacteristically liquidates savings accounts prior to maturation, such as a certificate of deposit, and then subsequently attempts to wire the liquidated fiat currency to a VASP or to exchange it for virtual currency.
A customer takes out a HELOC, home equity loan, or second mortgage and uses the proceeds to purchase virtual currency or wires the proceeds to a VASP for the purchase of virtual currency.
A customer receives what appears to be a deposit of virtual currency from a virtual currency address at or slightly above the amount that the customer previously transferred out of their virtual currency account. This deposit is then followed by outgoing transfers from the customer in substantially larger amounts.
Accounts with large balances that are inactive or have limited activity begin to show constant, uncharacteristic, sudden, abnormally frequent, or significant withdrawals of large amounts of money being transferred to a VASP or being exchanged for virtual currency.
A customer sends multiple electronic funds transfers (EFTs) or wire transfers to a VASP or sends part of their available balance from an account or wallet they maintain with a VASP and notes that the transaction is for “taxes,” “fees,” or “penalties.”
A customer with a short history of conducting several small-value EFTs to a VASP abruptly stops sending EFTs and begins sending multiple high-value wire transfers to accounts of holding companies, limited liability corporations, and individuals with which the customer has no prior transaction history. This is indicative of a victim sending trial transactions to a scammer before committing to and sending larger amounts.
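The third financial red flag above (a deposit at or slightly above an earlier outgoing transfer, followed by substantially larger outgoing transfers) can be expressed as a transaction-monitoring rule. The following is an added example, not part of FinCEN's alert; the Tx record, the function name, and the tolerance, multiple, and window values are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed tuning values (not from FinCEN's alert): what counts as "slightly
# above", what counts as "substantially larger", and how long to keep looking.
RETURN_TOLERANCE = 0.10
ESCALATION_FACTOR = 3.0
WINDOW = timedelta(days=30)

@dataclass(frozen=True)
class Tx:
    when: datetime
    direction: str   # "out" = customer sends, "in" = customer receives
    amount: float    # normalised to one unit, e.g. USD equivalent

def find_bait_returns(txs):
    """Return (earlier_out, deposit, larger_outs) tuples matching the pattern."""
    txs = sorted(txs, key=lambda t: t.when)
    hits = []
    for i, dep in enumerate(txs):
        if dep.direction != "in":
            continue
        # Most recent earlier outgoing transfer that this deposit equals or
        # exceeds by no more than RETURN_TOLERANCE.
        prior = next((t for t in reversed(txs[:i]) if t.direction == "out"
                      and t.amount <= dep.amount <= t.amount * (1 + RETURN_TOLERANCE)), None)
        if prior is None:
            continue
        # Outgoing transfers after the deposit, inside the window, that are a
        # large multiple of the amount originally sent.
        larger = [t for t in txs[i + 1:] if t.direction == "out"
                  and t.when - dep.when <= WINDOW
                  and t.amount >= prior.amount * ESCALATION_FACTOR]
        if larger:
            hits.append((prior, dep, larger))
    return hits

def day(n):
    return datetime(2023, 9, n)

# Constructed sample histories for one customer each (not real data).
SAMPLE = [
    Tx(day(1), "out", 500.0),
    Tx(day(4), "in", 540.0),      # returned with "profit": 8% above 500
    Tx(day(6), "out", 5000.0),    # escalation after the returned deposit
    Tx(day(9), "out", 20000.0),
]
SAMPLE_BENIGN = [
    Tx(day(1), "out", 500.0),
    Tx(day(4), "in", 540.0),
    Tx(day(6), "out", 600.0),     # no substantial escalation
]
```

A hit is a prompt for analyst review alongside the other indicators, not a determination of fraud on its own.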
Technical Red Flags
System monitoring and logs show that a customer’s account is accessed repeatedly by unique IP addresses, device IDs, or geographies inconsistent with prior access patterns. Additionally, logins to a customer’s online account at a VASP come from a variety of different device IDs and names inconsistent with the customer’s typical logins.
A customer mentions that they are transacting to invest in virtual currency using a service that has a website or application with poor spelling or grammatical structure, dubious customer testimonials, or a generally amateurish site design.
A customer mentions visiting a website or application that is purported to be associated with a legitimate VASP or business involved in investing in virtual currency. The website or application shows warning signs such as a web address or domain name that is misspelled in such a manner as to resemble that of another business, a recently registered web address or domain name, no physical street address, international contact information, or contact methods that include only chat or email.
A customer mentions that they downloaded an application on their phone directly from a third-party website, rather than from a well-known third-party application store or an application store installed by the manufacturer of the device.
A customer receives a large amount of virtual currency such as ether at an exchange, subsequently converts the amount to a virtual currency with lower transaction fees such as TRX, and then abruptly sends it out of the exchange.
Read FinCEN’s press release here.
The alert can be found here.