Tuesday, March 19, 2024

More On Pig Butchering

Thankfully, pig butchering scams are getting attention. Three weeks after I posted Tracing The Pig Butchers, John M. Griffin and Kevin Mei posted How Do Crypto Flows Finance Slavery? The Economics of Pig Butchering:
Through blockchain addresses used by ‘‘pig butchering’’ victims, we trace crypto flows and uncover methods commonly used by scammers to obfuscate their activities, including multiple transactions, swapping between cryptocurrencies through DeFi smart contracts, and bridging across blockchains. The perpetrators interact freely with major crypto exchanges, sending over 104,000 small potential inducement payments to build trust with victims. Funds exit the crypto network in large quantities, mostly in Tether, through less transparent but large exchanges—Binance, Huobi, and OKX. These criminal enterprises pay approximately 87 basis points in transaction fees and appear to have recently moved at least $75.3 billion into suspicious exchange deposit accounts, including $15.2 billion from exchanges commonly used by U.S. investors. Our findings highlight how the ‘‘reputable’’ crypto industry provides the common gateways and exit points for massive amounts of criminal capital flows. We hope these findings will help shed light on and ultimately stop these heinous crimes.
Griffin & Mei Fig. 9
Their Figure 9 shows the flow of funds over time into the scammers' wallets at exchanges. This is how they estimated the $75.3B; their extremely conservative estimate is $35.1B, and their liberal estimate is $237.6B. Note the huge ~$45B increase from January 2021 to January 2023, partly driven by the cryptocurrency boom, and the slowing until January 2024. Presumably the ETF pump will accelerate the rate.

Below the fold, some commentary on this and other recent developments.

Note that these numbers are flows, not the total revenue for the scammers; there is some double-counting involved as scammers move funds between their accounts at these exchanges. The $15.2B is likely much closer to revenue, because the scammers generally don't want to move significant sums into Western exchanges.

Griffin and Mei start their tracing from a collection of the wallet addresses which the scammers used to receive funds from victims:
We start with 3,256 Ethereum addresses, 770 Bitcoin addresses, and 702 Tron addresses. Most addresses are used ten or more times, and 28% of addresses are used more than one hundred times. Of these initial sets, Ethereum addresses receive $5.8 billion in funds, compared to $389 million for Tron and $373 million for Bitcoin. Given that the Ethereum addresses represent approximately 88% of the total funds, we begin by examining Ether (ETH, the native cryptocurrency on Ethereum) and token (commonly known as ERC-20 tokens) transactions on the Ethereum blockchain.

They then follow the way the scammers try to obscure their activities:
We trace victim funds in bulk and follow their paths to centralized exchange deposit addresses from January 2020 to February 2024. Figure 1 plots the resulting network for a three percent sample of nodes from the traced network and highlights many features.
This reveals four main points:
  • The sources of the funds:
    First, the figure shows how crypto often originates from large exchanges where investors commonly have accounts (Coinbase, Crypto.com, and Binance) and flows into the network.
    The victims need to convert fiat into cryptocurrency using well-known, trusted exchanges.
  • Where the scammers move the funds next:
    Second, funds are often swapped for Tether (known as USDT) through Tokenlon.
    Tokenlon is not a mixer like Tornado Cash, but "a relatively obscure decentralized exchange". The scammers' goal is partly to obscure their tracks but also to avoid the volatility of cryptocurrencies by converting to stablecoins at the first opportunity.
  • The scammers need to find an off-ramp to fiat:
    Third, after circulating through various hops in the network, crypto exits the system through centralized exchange deposit addresses.
    Even stablecoins won't buy the Lambo, so the scammers have to get their loot to somewhere that can convert it to fiat.
  • Which exchanges are useful off-ramps?
    Fourth, transactions in amounts above $100,000 and in particular $1 million commonly transfer funds to deposit addresses on Binance, Huobi, and OKX.
    Obviously, they are the offshore exchanges that lack effective KYC/AML, and in particular the one that pled guilty.
Note that this research contrasts with the tracing efforts I discussed in Tracing The Pig Butchers, which traced flows starting from a few victim reports. This research both starts from a much larger collection of victim reported addresses, and uses network analysis techniques to identify a much larger set of scammer wallet addresses. Thus it is understandable that Molly White is skeptical:
But the $75 billion number was certainly a surprise, and it's hit mainstream outlets including Time. I have to say I have some doubts about the number, particularly given other estimates have been in the low billions, but regardless, it's clear that the pig butchering issue in crypto is a multi-billion dollar problem.
But there are good reasons why Griffin and Mei would come up with much larger numbers for revenue than earlier tracing efforts; they are looking at a much larger fraction of the total scammer network. Zeke Faux's article in Time starts:
Pig-butchering scammers have likely stolen more than $75 billion from victims around the world, far more than previously estimated, according to a new study.
That is not what the paper says. It says they:
recently moved at least $75.3 billion into suspicious exchange deposit accounts
The paper points out that the $75.3B in flows includes some amount of double-counting:
If a network sent funds from say OKX to Binance, it would lead to the double-counting of funds. Additionally, the funds may be due to other activities of the criminal networks. ... We examine the sources of funds that later enter into these potential scammer deposit addresses and find that $40.2 billion of the $75.3 billion can be attributed to exchanges.
It is unlikely that all this movement from one exchange to another is between scammer accounts, so $35.1B is a conservative estimate.

The scammers do send small amounts to exchange deposit wallets:
Across all exchanges, the scammer network initiated 104,460 deposits to centralized exchanges for amounts below $10,000, most commonly in small amounts clustering at round numbers, such as $100, $200 or $500. The transaction patterns mirror the characteristics of inducement payments in pig butchering scams, which are small payments from scammers to victims used to build trust. ... We find 83% of potential inducement payments are sent from addresses used in more than ten transactions, suggesting limited monitoring by crypto exchanges.
There is a reason for "limited monitoring by crypto exchanges". The 87 basis points the authors find on movements of $75.3B is $655M in fees over 4 years, enough to motivate turning a blind eye.

Griffin & Mei Fig. 2a
Griffin and Mei's Figure 2a shows their trace of a single victim report. Their figures use the following conventions:
Edges that are concave up represent flows moving from left to right (e.g., the curve moves as if going from 9 o’clock to 3 o’clock). Similarly, edges that are concave down represent flows moving from right to left (e.g., from 3 o’clock to 9 o’clock). Nodes are colored by identity, ... and their size is proportional to the total amount transacted. Edges are colored by transaction size and identity. Green edges are transactions from exchanges, while blue and purple are transactions to exchanges. Edges entering or exiting exchanges with darker colors represent larger transactions.
What Figure 2a shows is that:
The victim sent funds to the left red node and were later transferred to the right red node, which swapped the funds into Tether.
Griffin & Mei Fig. 2b
The left and right nodes are scammer wallets. The right node is a "collection node" that converts victim payments to Tether and aggregates them for onward transmission in larger amounts.

Their next step was to find other flows into the collection node, as shown in Figure 2b. Even this one step into the network produces a large number of scammer wallet addresses, the addresses to which other victims were directed to send funds. By identifying these wallets the authors generate a huge number of additional "victim reports".

Griffin & Mei Fig. 2c
Tracing the flows out of the collection nodes produces an enormous number of other scammer wallets, shown in Figure 2c, as the funds are shuffled around to obfuscate the flows.

The off-ramps are at exchanges, so the authors need to find the scammers' deposit addresses:
Since scammers are unlikely to return large sums of stolen funds, we consider deposit addresses that receive more than $100,000 as more likely to be scammer deposit addresses. These addresses are rarely associated with Western exchanges, but are common within Binance, Huobi, and OKX, as well as exchanges such as Kucoin, Bitkub, and MXC. The common feature of these exchanges is that they have loose KYC procedures and are perceived to be outside of U.S. jurisdiction. To more fully understand the scope of the network, we apply “deposit address clustering” by tracking addresses that send funds into these deposit addresses and finding other recipient deposit addresses associated with the same user. To avoid capturing payments made by criminals for things like inducement payments, we exclude all connections below $100,000 and only consider direct connections.
This is where the $75.3B number comes from; it is the total inflow into deposit addresses at offshore exchanges believed to be controlled by scammers. Note again the potential for double-counting if scammers move funds between these exchanges. Deposit address clustering was published by Friedhelm Victor in Address clustering heuristics for Ethereum (Section 5.1):
To credit the assets to the correct account, exchanges typically create so-called deposit addresses, which will then forward received funds to a main address. As these deposit addresses are created per customer, multiple addresses that send funds to the same deposit address are highly likely to be controlled by the same entity. ... The forwarded amount is often slightly less than what was received, as the exchange has to pay for the transaction costs. In most cases, deposit addresses are EOAs [Externally Owned Accounts], but they can also be smart contracts. When depositing tokens on the cryptocurrency exchange Kraken for example, users are instructed to send them to a given smart contract address, identical versions of which have been mass deployed in advance. This makes it trivial to identify all identical token deposit contracts deployed by Kraken. They are designed to forward received tokens automatically, thereby passing on the transaction costs to the user.
Victor Fig 1
Victor's Figure 1 shows how this works. Wallets 0x2 and 0x3 deposit to the same deposit address at exchange A, so they have the same account at exchange A. Wallet 0x4 shares an account with 0x3 at exchange B, so all three are the same entity.
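
The heuristic just described can be sketched with a union-find structure. This is an added example, not code from Victor's paper or from Griffin and Mei. The transfers, the `DEP_*` and `HOT_X` addresses and the `shared_senders` parameter are constructed for illustration, and applying the $100,000 cut-off to the total of each sender-to-deposit connection is an assumption about how the paper's filter works.

```python
from collections import defaultdict

# Constructed transfers (sender, recipient, usd); all addresses are made up.
# DEP_A and DEP_B mirror the layout of Victor's Figure 1.
TRANSFERS = [
    ("0x2", "DEP_A", 250_000), ("0x3", "DEP_A", 400_000),
    ("0x3", "DEP_B", 150_000), ("0x4", "DEP_B", 900_000),
    ("0x5", "DEP_B", 500),                                     # small payment, dropped
    ("0x6", "DEP_C", 300_000),                                 # unrelated entity
    ("HOT_X", "DEP_A", 200_000), ("HOT_X", "DEP_C", 200_000),  # exchange withdrawals
]
DEPOSIT_ADDRESSES = {"DEP_A", "DEP_B", "DEP_C"}
MIN_USD = 100_000  # cut-off quoted above; applied per connection (assumption)


class UnionFind:
    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_entities(transfers, deposit_addresses, shared_senders=(), min_usd=MIN_USD):
    """Merge wallets that send directly to the same deposit address."""
    edges = defaultdict(int)
    for sender, recipient, usd in transfers:
        # Direct connections only; skip senders known to serve many users.
        if recipient in deposit_addresses and sender not in shared_senders:
            edges[(sender, recipient)] += usd
    kept = {edge: usd for edge, usd in edges.items() if usd >= min_usd}

    uf = UnionFind()
    for sender, deposit in kept:
        uf.union(sender, deposit)

    groups = defaultdict(lambda: {"wallets": set(), "deposits": set(), "inflow": 0})
    for (sender, deposit), usd in kept.items():
        group = groups[uf.find(deposit)]
        group["wallets"].add(sender)
        group["deposits"].add(deposit)
        group["inflow"] += usd
    return sorted(groups.values(), key=lambda g: -g["inflow"])


if __name__ == "__main__":
    for entity in cluster_entities(TRANSFERS, DEPOSIT_ADDRESSES, shared_senders={"HOT_X"}):
        print(sorted(entity["wallets"]), sorted(entity["deposits"]), entity["inflow"])
```

With `HOT_X` excluded, 0x2, 0x3 and 0x4 form one entity as in Figure 1 and 0x6 stays separate; leaving it in merges every wallet into a single cluster, which is how a shared service address inflates this heuristic.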

By analyzing the network graph they discover using these techniques, Griffin and Mei draw the following conclusions about money laundering:
Scammers extensively recirculate and swap funds across different addresses and cryptocurrencies. These transactions incur costs, but may help obfuscate the true source of their funds. We estimate that transaction costs for a network of this scale total to 87 basis points as a portion of outflows to exchange deposit addresses. In contrast, Soudijn and Reuter (2016) find costs of 7-16% to move physical Euro bills from Europe to Columbia and money laundering commission estimates range from 4-12% (US Treasury Department, 2002) and 10-20% (US Treasury Department, 2007). Cryptocurrencies thus appear to be a much more cost-effective channel for moving illicit funds across borders. In total, scammer swap transactions may constitute more than 58% of Tokenlon transactions since 2022. We observe large inflows from potentially Chinese victims in 2020; however, after the Chinese financial authorities banned cryptocurrency trading in late 2021, there appears to be a dramatic decrease in Chinese victims and a shift to US-based victims. Overall, in the set of addresses touched by the criminals, we find $1.172 trillion dollars of volume, 84% of which is in Tether.
Griffin and Mei conclude:
This project highlights how large-scale tracing of tainted funds can help expose and understand criminal financial activity that can hopefully be used as a roadmap in other criminal contexts. There are several other practical implications of our study. First, organized or “legitimate” crypto exchanges serve as the on- and off-ramps for billions of dollars in criminal proceeds. Users with a crypto exchange account should realize that crypto exchange users are frequent targets of scams, and their funds are just a quick transfer away from being irreversibly lost—a risk that is far less prevalent for traditional investment accounts. Second, our findings indicate that the large players in the crypto space are likely not sufficiently protecting their customers from scams. Third, the Ethereum network appears to drastically reduce barriers for illicit financial flows of transnational organized crime. Fourth, romance scammers prefer the stablecoin Tether over other cryptocurrencies and the Ethereum network over Bitcoin. Fifth, decentralized exchanges also serve as large swapping points to exchange crypto and obfuscate funds. Crypto hedge funds and users (many based in the U.S. and Europe) who might purport to engage in “arbitrage” or “liquidity trading” (PWC, 2023) may simply be making profits by facilitating low-cost money laundering. Finally, the large centralized crypto exchanges located in jurisdictions with opaque regulatory environments (Binance, Huobi, OKX, and others) seem to be preferential potential exit points that can further finance extremely large amounts of criminal activities. Such activity has continued as of February 16, 2024, despite recent crackdowns.
Other recent developments in pig-butchering include:
  • John Oliver's Last Week Tonight on pig-butchering scams.
  • Jim Browning's Inside a Pig Butchering Scam with video from inside a Chinese pig-butchering operation in Dubai that occupies at least half of a campus of eight 8-storey office buildings.
  • The Irrawaddy's report Surrounded by Fighting, a Myanmar Crime Hub Is Oddly Unscathed about another Chinese campus including a major pig-butchering operation, this one in a war zone on the Myanmar/Thailand border which clearly pays off both sides. It is very similar to the one Zeke Faux visited on the Cambodia/Thailand border.
  • Zeke Faux's report in Time, in which he writes:
    Paolo Ardoino, the chief executive officer of Tether, called the report false and misleading. “With Tether, every action is online, every action is traceable, every asset can be seized and every criminal can be caught,” Ardoino said in a statement. “We work with law enforcement to do exactly that.”

    Tether has cooperated with authorities in some cases to freeze accounts tied to fraud. But often by the time the crime is reported, the scammers have already cashed out.
    This is more obfuscation from Tether. The paper clearly demonstrates that the scammers rapidly convert their takings to stablecoins, overwhelmingly Tether, and that they are able to use offshore exchanges as their off-ramps.

3 comments:

David. said...

Suvashree Ghosh reports that Tether Is the Most Used Stablecoin in Illicit Crypto Flows, TRM Says:

"The token known as USDT was linked to $19.3 billion of illicit transactions in 2023, down from $24.7 billion the previous year, blockchain analytics company TRM Labs said in a report and emailed responses to questions.

USDT dominated terrorist financing last year, according to the TRM report. USDT on Tron — a blockchain that stores more of the tokens than any other — “cemented its position as the currency of choice for use by terrorist financing entities” in 2023, TRM said.
...
Tron — created by crypto entrepreneur Justin Sun — hosted 45% of all illicit flows last year, up from 41% in 2022, according to the report. The Ethereum digital ledger was responsible for 24% and the Bitcoin network for 18%.

Second-largest stablecoin USDC accounted for $428.9 million in illicit activity. Some 0.05% of USDC volume was linked to illicit flows in 2023, compared with 1.6% of Tether volume, according to TRM."

David. said...

It isn't just pig butchers who love USDT, as Alex Wickham, Jennifer Jacobs, and Alberto Nardelli report in US and UK Probe $20 Billion of Crypto Transfers to Russian Exchange:

"The payments under scrutiny went through Moscow-based crypto exchange Garantex using the dollar-pegged cryptocurrency Tether, the people said, speaking on the condition of anonymity to discuss a matter that hasn’t yet been made public. The transfers have taken place since Garantex was sanctioned by the US and UK on suspicion of enabling financial crimes and illicit transactions in Russia, they said."

They got the usual BS from Tether:

"Tether Holdings said in response to questions about the US-UK inquiry that it has frozen all the assets of entities with addresses on the US’s sanctions list.

“With Tether, every action is online, every transaction is traceable, every asset can be seized, and every criminal can be caught,” the company said in its statement."

David. said...

Ashley Belanger's Google sues two crypto app makers over allegedly vast “pig butchering” scheme:

"Google has sued two app developers based in China over an alleged scheme targeting 100,000 users globally over four years with at least 87 fraudulent cryptocurrency and other investor apps distributed through the Play Store.

The tech giant alleged that scammers lured victims with "promises of high returns" from "seemingly legitimate" apps offering investment opportunities in cryptocurrencies and other products. Commonly known as "pig-butchering schemes," these scams displayed fake returns on investments, but when users went to withdraw the funds, they discovered they could not."