Thursday, February 8, 2024

Tracing The Pig Butchers

Chapter 18 of Zeke Faux's Number Go Up: Inside Crypto's Wild Rise and Staggering Fall is entitled "Pig Butchering". It starts when he receives a supposed wrong-number text from a "Vicky":
I showed my phone to my friend and explained that I was stringing Vicky along because I’d heard about a new kind of investment fraud that often started with a random text message. I had a hunch that this was why “Vicky” was texting me. The scam was called “pig butchering” because the scammers liked to build up the victim’s confidence with a pretend romantic relationship and made-up investment gains before stealing all their money in one fell swoop—like how hogs are fattened up before their slaughter.
This is a romance- and cryptocurrency-enabled version of the "Wee Forest Folk" scam we described in our 2003 SOSP paper.

Below the fold, I look into the details of pig-butchering scams, and how the tracing techniques I discussed in Criming On The Blockchain are being applied to identify the cryptocurrency companies facilitating it.

Faux strung "Vicky" along and:
My short-lived texting flirtation with Vicky confirmed something that I had suspected: The scammers were using Tether to move the money. I spoke with several other pig-butchering victims, and they said they’d been asked to send Tether too.
From the scammer’s perspective, Tether was a clear improvement on bribing bankers or money mules. It was instant, there was no recourse for refunds, and it didn’t ask for anyone’s name or address. And unlike other cryptocurrencies, its value didn’t fluctuate from hour to hour, making it less scary for potential victims and easier to manage for criminals.
How much Tether are we talking?:
News stories revealed that people were losing huge amounts of money. A project finance lawyer in Boston with terminal cancer handed over $2.5 million. A divorced mother of three in St. Louis was defrauded of $5 million. A twenty-four-year-old social media producer in Tennessee lost $300,000 she inherited from the sale of her childhood home.
I came across a group that claimed to be raising money dedicated to helping victims. It was called the Global Anti-Scam Organization. The group said it had helped a huge number of pig-butchering victims: 1,483 worldwide, who’d lost more than $250 million combined.
Despite Tether's ability to freeze wallets, Faux writes:
Icetoad and other volunteers from the Global Anti-Scam group told me that Tether refused to help them by freezing accounts or seizing stolen money, even when presented with evidence that an account held the proceeds of fraud.
In another exchange provided by Global Anti-Scam, Tether told a Hong Kong police official that it did have the ability to intervene. But the company still refused, saying the case was too small. “We must sometimes decline fraud cases involving relatively small amounts of stolen USDT,” the Tether representative wrote, using the ticker symbol for the cryptocurrency. It said they would only intervene if the case was “directly connected to acts of violence.”
Faux got Rich Sanders of CipherBlade to trace his payment to "Vicky":
a small dark circle represented Vicky Ho’s wallet. This was where I’d sent the eighty-one Tethers. Sanders explained that the wallet was active for about two months and received many deposits from addresses that were known to be associated with U.S. and Canadian crypto exchanges. There were transfers of $3,600, $180, $400, $500, and $9,774, always in Tether. These were other people who’d been scammed by the same operation, Sanders said. In other words, I wasn’t Vicky’s only love interest. Once Vicky Ho had collected the money, they sent it to another numbered address, represented on the screen by a larger white circle. This one was likely controlled by the scammers too, Sanders said, and it held $9.4 million in Tethers. From there, many of the Tethers were sent to addresses associated with the crypto exchange Binance, and to others that belonged to Sam Bankman-Fried’s FTX.
Global Anti-Scam told Faux that:
most butchering scams were orchestrated by gangsters based in Cambodia or Myanmar. These bosses would lure young men and women from across Southeast Asia to move abroad with the promise of well-paying jobs in customer service or online gambling. Then, when the workers arrived, they’d be held captive and forced to work on online scams. Icetoad and his colleagues told me there were thousands of people who’d been tricked this way. Entire office towers were filled with floor after floor of people forced to send spam messages around the clock, under threat of torture or death. These were the people using Tether to move their money.
His next chapter recounts his trip to Cambodia to see the pig-butchering campuses. Like the rest of the book, it is well worth reading. Conditions in these campuses were horrific:
Workers who missed quotas were beaten, starved, made to hit one another. One said he’d seen people forcibly injected with methamphetamine to increase productivity. Two others said they’d seen workers murdered, with the deaths passed off as suicides. They said the bosses would buy and sell captive laborers like livestock.
Local news reports described a string of suspicious deaths near Chinatown—one body was found hanging at a construction site, and another corpse was dug up handcuffed from a shallow grave in a field nearby. A local vendor told a Cambodian outlet that there had been many suicides at the complex. “If an ambulance doesn’t go inside at least twice a week, it is a wonder,” he said.
[Image: Wang and cybercrime cop]
Faux wasn't alone in reporting on the pig-butchers. Poppy McPherson and Tom Wilson of Reuters published a special report entitled Crypto scam: Inside the billion-dollar ‘pig-butchering’ industry. They traced funds flowing to Wang Yicheng in Bangkok:
At a Thai police headquarters in October 2022, Chinese businessman Wang Yicheng congratulated one of Bangkok’s most senior cybercrime investigators on his recent promotion, presenting the official with a large bouquet of flowers wrapped in red paper and a bow.

Wang, the vice president of a local Chinese trade group, wished the new cybercrime investigator “smooth work and new achievements,” according to the group’s website, which displays photographs of the event.

Over the past two years, Wang has forged relationships with members of Thailand’s law-enforcement and political elite, the trade group’s online posts show. During that time, a cryptocurrency account registered in Wang’s name was receiving millions of dollars linked to a type of cryptocurrency investment scam known as pig butchering, a Reuters investigation has found.

In total, crypto worth more than $90 million flowed into the account between January 2021 and November 2022, according to registration documents and transaction logs reviewed by Reuters. Of that, at least $9.1 million came from a crypto wallet that U.S. blockchain analysis firm TRM Labs said was linked to pig-butchering scams. Two other major crypto-tracking firms also said the account received funds linked to such scams.
Lisa Wolk, a blockchain intelligence analyst at TRM, said the crypto account in Wang’s name “is a node in a money laundering network and not necessarily the ultimate recipient of funds.” Reuters was unable to determine whether anyone else benefited from the account or used Wang’s identity to open it.
Where was Wang's account?:
The crypto account registered to Wang was held at Binance, the world’s largest crypto exchange, according to three blockchain analysis firms. Asked about the account, Binance spokesperson Jessica Jung declined to comment on individual users or Reuters’ findings. In an August post on its website, the company said the number of reports of pig-butchering scams it had received this year was double that of 2022, an increase it attributed to an influx of inexperienced crypto investors and scammers looking to exploit them.
In April, the U.S. Department of Justice said it seized about $112 million worth of crypto linked to pig-butchering scams, without identifying suspects. A warrant that resulted in the seizure of more than half that amount specified a Binance account registered in Thailand.
Wang's account moved a lot of Tether:
The crypto account in Wang’s name was registered in November 2020, according to the financial records Reuters reviewed. The three blockchain-analysis firms determined the account was with Binance. The documents, which relate to the Binance account, span two years to November 2022. They show that the account was accessed mostly from Bangkok.

Deposits started arriving in the account in early 2021 and quickly increased in size to include sums of more than $100,000, the financial records show.
In 2022, the volume of crypto reaching the account in Wang’s name mushroomed to almost $79 million, a near six-fold increase on the previous year, the account records seen by Reuters show.

Coinfirm, the blockchain analysis firm that reviewed the transaction records for Reuters, said deposits from funds linked to pig-butchering scams it previously investigated began entering the account as early as February 2022. Stolen crypto was moved to the account via a “complex layering scheme,” involving multiple different wallets, Coinfirm’s then-head of fraud investigations Roman Bieda told Reuters in May. The crypto moved between “dozens” of wallets and was mixed with funds from other sources, he said.

More than $102,000 originating from fraudsters’ wallets that the California man identified were deposited into the account in Wang’s name between June 26 and Oct. 23, 2022, according to Coinfirm.

Nearly all of the crypto deposited in the Wang-registered account was moved to other wallets, the transaction records reviewed by Reuters show. Between January 2021 and October 2022, about $87.5 million was transferred to almost 50 other crypto wallets, including at least five registered at regionally based crypto exchanges, Coinfirm said.
The pigs weren't butchered in Bangkok:
Several scams connected to deposits made into the account in Wang’s name were run from an industrial park on the Myanmar-Thai border, one of the blockchain analysis firms told Reuters. Workers are trafficked to the area, known as KK Park, by gangs that force them to con people online, according to two former workers and groups that support workers or scam victims.
This was clearly a different pig abattoir from the Cambodia-based one Faux investigated.

A more detailed account of tracing the money flows of the pig butchers can be found in Connecting Chinese and American Scam Victims, a collaboration between Jonathan Reiter's company ChainArgos and BitTrace, a Chinese blockchain tracing company. The abstract reads:
The world is experiencing an epidemic of online scams with at least tens of billions of dollars lost across dozens of countries. One particular class of scam known as “pig butchering” has grown dramatically and often involves the use of cryptocurrency both to collect funds from victims and to launder the proceeds. Here we are going to explore the use of cryptocurrency in pig butchering scams beginning with victims in both the People’s Republic of China and United States of America, and demonstrating the remarkable degree of similarity for cases that have no reason a priori to be similar at all.

Specifically we will show that scammers with victims in both these countries share cryptocurrency addresses, use overlapping sets of money-laundering services, and are therefore likely parts of the same group or syndicate. Our analysis begins with reports from victims in both countries where we find source victim and scam wallet addresses. From there we are able to trace scam proceeds through the cryptocurrency ecosystem to prove these connections. Finally, a range of exchanges and other service providers are identified through a combination of on-chain and documentary research, to demonstrate the cross-border nature of modern scams leveraging cryptocurrencies, and highlight the challenges facing law enforcement agencies globally when it comes to such scams.
The two teams use press accounts of two cases with victims in China and legal filings from two cases with victims in Florida and California. They provide detailed traces, including wallet addresses, of flows from the victims to exchanges including Binance, Bitkub, FTX, OKX, Coinbase, Huobi, Maskex, Paribu and Peatio amounting to $635M. In particular, one of the Binance wallets was one of those identified in Reuters' reporting. The paper concludes:
  1. Similar simultaneously-run scams have victims in both China and the United States.
  2. Funds taken from both jurisdictions flow through common service providers.
  3. The sums involved range from the tens to possibly hundreds of millions of dollars.
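An added example, not from the paper or the original post: a minimal forward trace over a constructed ledger, showing how two victim cases can be tied to shared downstream addresses even after the funds are mixed with unrelated deposits. It uses proportional ("haircut") taint, a common simplification and not necessarily the method ChainArgos, BitTrace or the other firms used; every address, amount and case label is constructed.

```python
from collections import defaultdict

# Constructed ledger, not real data: (order, sender, receiver, USDT amount).
TRANSFERS = [
    (1, "victim_us_1", "collect_A", 5000),
    (2, "victim_us_2", "collect_A", 3000),
    (3, "victim_cn_1", "collect_B", 4000),
    (4, "collect_A", "hub", 8000),
    (5, "collect_B", "hub", 4000),
    (6, "other_source", "hub", 12000),   # unrelated funds mixed in
    (7, "hub", "exch_X_deposit", 18000),
    (8, "hub", "exch_Y_deposit", 6000),
]
# Assumed input: victim addresses taken from reports, tagged by case.
VICTIMS = {"victim_us_1": "US", "victim_us_2": "US", "victim_cn_1": "CN"}


def trace(transfers, victims):
    """Proportional ("haircut") taint: each outgoing transfer carries the
    sender's tainted share of its balance. Returns the cumulative tainted
    amount each address received, broken down by case."""
    balance = defaultdict(float)
    taint = defaultdict(lambda: defaultdict(float))
    received = defaultdict(lambda: defaultdict(float))
    for _, src, dst, amount in sorted(transfers):
        if src in victims:
            # A victim's payment is fully attributed to that victim's case.
            moved = {victims[src]: float(amount)}
        elif balance[src] > 0:
            share = min(amount / balance[src], 1.0)
            moved = {case: t * share for case, t in taint[src].items()}
            for case, m in moved.items():
                taint[src][case] -= m
            balance[src] = max(balance[src] - amount, 0.0)
        else:
            moved = {}  # funds from outside the traced set: treated as clean
        balance[dst] += amount
        for case, m in moved.items():
            if m > 0:
                taint[dst][case] += m
                received[dst][case] += m
    return {addr: dict(cases) for addr, cases in received.items()}


def shared_addresses(received):
    """Addresses that received tainted funds from more than one case."""
    return sorted(a for a, cases in received.items() if len(cases) > 1)


if __name__ == "__main__":
    result = trace(TRANSFERS, VICTIMS)
    for addr in shared_addresses(result):
        print(addr, result[addr])
```
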
The ChainArgos team followed up with Laundering the Proceeds of Crime: Crypto’s Killer App?:
Now we are going to connect a few more dots to argue that scamming and the laundering of scam proceeds was not just a use case for cryptocurrencies in Asia, but likely a major driver of flows through several well-known industry players.

This may well even be, empirically, crypto’s killer app.
They note that Genesis Block, whose Charles Yang admitted maintaining bank accounts in South-East Asia under false pretences, appears to have been the on- and off-ramp for FTX in the region. The earlier paper showed that:
FTX was involved in processing over US$250 million in flows downstream from scams and Bitkub, Thailand’s largest crypto exchange, was involved in over US$100 million.
Could this be "banking Cambodia's unbanked"?:
Cambodia’s population is only 16 million, with a per capita GDP of about US$1,600 — it’s hard to imagine Cambodia driving hundreds of millions of dollars worth of stablecoin flows.
They refer to the interview with Charles Yang and note that:
Genesis Block’s head trader explicitly talks about scam proceeds leading to bank account freezes and how they actively manage this problem.

So Genesis Block were clearly a downstream service provider and knew that at least some of their clients were, or at least were dealing with, criminals.

With regards to Genesis Block’s Chinese client base, in a different interview the same person says:
We’ve been seeing a lot of our partners pretty much disappear…a lot of our friends over there are kind of in big trouble…it’s not really about crypto it’s more about the source of the RMB… [which was] a lot of pyramid schemes, a lot of scams.
Genesis Block were clearly dealing with people who were either criminals themselves, or service providers to criminals, and Genesis Block appeared comfortable talking about such activities on camera.
Genesis Block was plugged in to the top level of cryptocurrency infrastructure:
Genesis Block OTC was on the Signet client list, as were many of the other exchanges referenced in our earlier work.

A service provider that talked openly about dealing with criminals was active on a platform another commentator described as “a walled garden filled with snakes.”

That service provider (Genesis Block) was integrated with FTX/Alameda Research, which was both the largest recipient of new USDT and a major exchange operator with myriad, sometimes-remarkably-creative, schemes to access fiat currency.
This leads ChainArgos to argue that:
it is entirely plausible that:
  • Genesis Block’s client base included many of these scammers and/or criminals;
  • the outsized involvement of FTX was this flow; and/or
  • so was the Bitkub flow, via Genesis Block or otherwise;
and this isn’t just plausible, it’s provable, because the illicit flows documented in our prior work were laundered by someone.

If it wasn’t this route it means there is at least one more multi-billion-dollar laundering pipeline connected to this activity we know nothing about.

That is possible of course, but seems unlikely.

Certainly the simplest explanation is that no second as-yet-undiscovered group of scammers or criminals exists and it’s all the same organization.

Now remember these actors specifically mentioned that the traditional financial system was blocking them and freezing their accounts.
Thus ChainArgos concludes:
We are looking at a gigantic amount of bad flow that was caught by banks and how cryptocurrencies were used to circumvent those controls.

The contents of those frozen accounts could have been, and at least partially would have been, sent back to the victims instead of being irreversibly exfiltrated.

So this may well be crypto’s real killer app — irreversible cross-border transfers for criminals.
Taken together, what these documents show is lives being wrecked, both by the scams themselves leading to suicides, and by the human trafficking that provides the scammers' workforce, leading to beatings, imprisonment and suicides. Pillars of the cryptocurrency community are enabling this:
  • Tether, which refused to freeze wallets despite detailed blockchain evidence of pig-butchering even from law enforcement. Contrast this with Tether's behavior in the case of The Victim documented by Patrick Tan, where a simple request from law enforcement with only suspicion froze a wallet.
  • Major exchanges, including Binance, FTX, Huobi and many others, were on notice that they were handling funds from the pig butchers. Take Binance for example:
    Binance publicly said it assisted Thai police with a probe into “a significant pig butchering scam,” and that about $277 million of assets were confiscated.
    and they blamed the victims:
    the number of reports of pig-butchering scams it had received this year was double that of 2022, an increase it attributed to an influx of inexperienced crypto investors and scammers looking to exploit them.
    and they responded to a Dept. of Justice warrant about these funds.
Thus these businesses cannot claim ignorance of the flow of pig-butchering funds, or of their scale. But they are clearly motivated to turn a blind eye to them whenever possible.


David. said...

Molly White reports that Myanmar-based romance scam operation pulls in $100 million in less than two years:

"A pig-butchering operation in Myanmar has scammed victims of more than $100 million in Tether in less than two years, according to a report from Chainalysis and the anti-human trafficking organization International Justice Mission.

Many of the workers for the romance scam group are themselves victims of human trafficking. The operation is based in a "compound" near Myanmar's border with Thailand, and researchers estimate that thousands of trafficked workers operate the scam from the "self-contained city".

The scam may put more pressure on Tether, whose role in human trafficking and high-volume romance scam operations has been scrutinized more heavily in recent months and years. Tether has frozen some assets belonging to romance scammers in the past, but remains the token of choice for many of these groups."

David. said...

David Gerard and Amy Castor tell the tale of another pig-butchering victim:

"Shan Hanes, the former CEO of the collapsed Heartland Tri-State Bank, has been charged with embezzlement. Hanes allegedly took $47.1 million from the accounts of a local church and a local investment club and gambled it on a crypto pig-butchering scam. This is the CEO of a bank falling for a cheap crypto scam."

David. said...

Jim Browning has video from Inside a Pig Butchering Scam housed in at least half of a campus of 8 8-story office buildings outside Dubai. It is a must-watch. A lighter take comes from John Oliver.

David. said...

Ashley Belanger reports that Bitcoin Fog operator convicted of laundering $400M in bitcoins on darknet:

"Sterlingov faces a maximum penalty of 20 years in prison each for counts of money laundering conspiracy and sting money laundering. He was also convicted of "operating an unlicensed money transmitting business and money transmission without a license in the District of Columbia, which each carry a maximum penalty of five years in prison," the DOJ said. Sentencing is scheduled for July.

Throughout the trial, Sterlingov maintained his innocence, accusing the US of relying on "junk science" to trace bitcoin using faulty blockchain analysis techniques,"

He plans to appeal, arguing again that the tracing techniques were faulty.

David. said...

Molly White reports that Massachusetts prosecutors seek to seize $2.3 million from crypto romance scam:

"The U.S. Attorney's Office in the District of Massachusetts announced that they had filed a civil forfeiture action to seize cryptocurrency priced at around $2.3 million from two Binance accounts. Those accounts had received cryptocurrency of various kinds from at least 37 American victims, one of whom was based in Massachusetts and who lost $400,000 in crypto assets to the scammers."

David. said...

The Irrawaddy reports on KK Park, a Chinese enclave in Myanmar just across the river from Mae Ku in Mae Sot town in Thailand’s Tak District in Surrounded by Fighting, a Myanmar Crime Hub Is Oddly Unscathed:

"Lay Kay Kaw and surrounding villages have been badly damaged by junta air and artillery strikes during the fighting, with many residents forced to flee across the border to Mae Sot. Junta shells have also hit villages in Thailand, prompting the Thai army to tighten border security.

However, not a single bullet has ever struck KK Park: hence Saw Htoo Htoo’s observation that it is “impervious to bullets and bombs”.

KK Park houses casinos, hotels, restaurants, nightclubs, brothels and online scam centers, according to those working there and some who have escaped.

The online scam centers operate various types of criminal enterprises including “romance scams” and fraudulent investment schemes, and are notorious for human trafficking and forced labor."

KK Park is very similar to the "Chinatown" on the border between Cambodia and Thailand Zeke Faux visited for his investigation of pig-butchering in Number Go Up: Inside Crypto's Wild Rise and Staggering Fall. Clearly its managers pay the same attention to local "authorities" as Wang Yicheng did in Bangkok. I wonder how many other pig-butchering campuses there are apart from KK Park, Faux's "Chinatown" and the one in Dubai featured in Jim Browning's YouTube video.