Chainbrium

Report: Pig Butchering Scams Global Total 2020-2023

From Project TRANSACCT (Targeted, Real-time Analysis of Southeast Asian Criminal Cryptocurrency Transactions)



INTRO

Chinese cybercrime syndicates in Southeast Asia (SEA) conduct ‘pig butchering’ scams (PBS) and human trafficking on an industrial scale, and the opacity of this dark cottage industry inhibits formulation of effective policies to curb their proliferation.

Since 2020, the SEA syndicates have rapidly adopted blockchain technologies to expand their reach globally and solve one of the hardest parts of carrying out scams– how to illicitly move money.

Here, we leverage their increasing use of cryptocurrency in scams and the transparency of blockchains to (1) quantify the amounts of stolen cryptocurrency and (2) to trace the funds to identify the most common destinations that disproportionately process PBS proceeds.



FINDINGS


  • More than 7,000 reported PBS addresses from late 2020 to mid-2023 have taken in at least $10.2B, accounting for backflows.

  • When counting adjacent, non-exchange wallets that consolidate scammed funds, the total intake of cyber scam syndicates from PBS may reach $45.3B, accounting for backflows.

  • Tracing $5.2B of defrauded ETH, BTC and USDT to the nearest identifiable entities shows that most are processed by Binance (41%) and Tokenlon (29%), with minor but significant amounts also going to Huobi, OKX and FTX.




ACKNOWLEDGEMENTS

 

This study benefited from Chainbrium's participation in a wider project on transnational crime in Southeast Asia, spearheaded by the United States Institute of Peace (USIP). Their senior group study report is found here:


We thank the following people for their comments on our study. While we tried our best to incorporate their thoughts, all errors and shortcomings in the analysis are ours.



In addition to those acknowledged, special mention is given to the following non-profits for data sharing:






INTRODUCTION TO METHODS

The goal of PBS perpetrators, once in control of victim cryptocurrency, is to ultimately transfer it to cryptocurrency exchanges for conversion into legal tender, i.e. “cashing out”. Over time the transfers have become more elaborate, involving multiple addresses in series and in parallel to confound tracing. Token swaps with smart contracts and cross-chain hops, especially through so-called decentralized exchanges, have also become common.

Figure 1. Tracing of a simple case to a known entity in Chainalysis software.

A general observation among investigators tracing PBS cases, following the accounting principle of Last In First Out (LIFO), is that perpetrators quickly move stolen funds one-way through a series of cryptocurrency addresses to obfuscate, consolidate or split proceeds. Here we call deposit addresses given to victims by their scammers Level 0 (L0). Cryptos are quickly transferred to succeeding addresses L1, L2, L3 and so on until they are cashed out in a cryptocurrency exchange.

Figure 2. Common pattern of money laundering in PBS

L0 addresses displayed on scam websites or apps are typically used for multiple victims anywhere in the world. These L0 addresses are mostly active for about a month before emptying out, after which new L0 addresses are generated. They are not reused for trading or any other activities. Meanwhile, L1 addresses generally consolidate funds from multiple L0s.


Since all incoming funds to short-lived L0 addresses must be victim losses (aside from minor amounts for gas fees), losses to PBS globally from late 2020 to mid-2023 were quantified by counting all incoming amounts to reported L0 addresses. Then, based on the common pattern described above, we extrapolate the potential losses to all PBS cases globally in the same period by counting all incoming amounts to L1 addresses, to capture the losses to additional L0s outside our collection. Filters based on conservative criteria were applied to remove known and likely service provider addresses, and outgoing amounts traced back to L0 and L1 addresses were subtracted to reduce double counting.


Figure 3. Addresses of victims on the left sending USDT to a reported scam address (L0, middle), which sends to addresses on the right (L1). On Breadcrumbs.app


DATA COLLECTION


Almost 8,000 Bitcoin, Ethereum and TRON cryptocurrency addresses that PBS victims have sent their funds to were gathered, based on reports to Chainbrium; to non-profits (PICDO, Taiwan’s Judicial Reform Foundation); to private sector partners (Rexxfield, iRegtech, Integra); to various PBS victims’ groups (on Facebook, Reddit, and FPA); open sources like Chainabuse.com, BitcoinAbuse.com (now under ChainAbuse) and the Dune Analytics ShaZhuPan dashboard by @tayvano; and scam-baiting and server searches of hundreds of PBS scam websites. Cases date from late 2020 to mid-2023.


For public reports of cryptocurrency investment scams, the collection focused on PBS cases. PBS is formulaic, and PBS cases with the largest losses hew closely to a honed, recognizable formula of a relationship scammer/leader and a fake investment website in tandem. When going through public reports, the key patterns we look for are stories that mention the following (not exhaustive):


Withdrawal taxes/transaction fees; online dating, love, Tinder, OkCupid, LinkedIn or apps; customer service; WeChat; rich uncle or contact with access to insider information; boyfriend; wrong number; rich girl/guy from Hong Kong or Singapore; Asian or Chinese; spoken or written in Chinese; lends money; needing to “top-up”; allows withdrawals initially.


We exclude the following patterns:

Video/footage; blackmailing at the beginning with explicit photos/videos by email; short duration scams (e.g. “one-and-done” rug pulls on Instagram, promises of Nx returns in 24 or 48 hours); reports pre-2020 (when PBS using cryptocurrency first started outside Asia); Nigerian/African perpetrators; long faux formal letters (“Nigerian prince”); cold calls, phone calls or Zoom calls by investment salesmen; victims being talked into allowing remote access software like Anydesk in real time; Elon Musk or Tesla; hacks; Cyprus; scam advertised on Youtube, Google or Amazon; bots on Instagram; alternative transfers by Venmo or Zelle; Snapchat; scam recovery scams; donation, giveaway or airdrops; army or military persona.

Scam baiting is the act of purposefully engaging a known scammer to get information about their scam website and cryptocurrency addresses.


Server URL searches involve doing reverse IP address lookups on known PBS fraud websites and looking at all other websites hosted by the same server. These servers almost always host many other investment scam websites. An account is then created to log in and collect the cryptocurrency addresses inside.



GEOGRAPHIC LINKS


In some cases, the mobile phones of scam relationship counterparts were geolocated by Chainbrium to known hubs of cyber scamming and gambling in Southeast Asia. Note that the tags below are geolocation tags, which are more reliable than IP addresses.


Figure 4. Geolocation of conversational partners in PBS cases

DATA PROCESSING


Addresses were screened with the BlockCypher API for empty addresses with no transaction histories and for invalid addresses due to typos or spurious results from pattern recognition scripts. The result is a starting L0 set of 2,663 Bitcoin addresses, 3,834 Ethereum addresses, and 684 TRON addresses.


All outgoing BTC, ETH, or USDT (ERC-20 or TRC20) from L0 addresses were traced in a high throughput fashion with Python scripts and commercial APIs, mostly BitQuery, up to 6 levels or to an address labeled as a cryptocurrency service provider by BitQuery. This produced datasets that list all addresses that received funds from L0 up to 5 addresses removed. There were 8,343 unique L1 addresses for Bitcoin; 16,286 for Ethereum; and 1,032 for TRON.


Attributions of addresses in the trace file were supplemented from a list of more than 500 known user, smart contract, or service provider addresses as labeled in OKLink, Etherscan, Bitquery, Arkham Intelligence and other open sources.


To quantify the total amounts received to L0 and L1 addresses, summaries of transaction history for each of 7,181 L0 and each of 25,661 L1 addresses found in tracing were generated with an API script. All the L0 and L1 addresses were screened to remove all identifiable service provider addresses. The following filters were additionally applied:


  • Overlaps between L0 and L1 addresses, as when addresses are used to both receive directly from victims (L0) and consolidate funds (L1), were removed from the L1 address set.

    • Only 118 out of 8,343 Bitcoin L1 addresses (1.4%); 1,449 out of 16,286 Ethereum L1 addresses (8.9%); and 22 out of 1,032 Tron L1 addresses (2.1%) overlapped with the L0 sets and were removed.

  • L0 and L1 addresses with first transactions before 2019 were removed. Pig butchering scams via cryptocurrency were first reported outside China in late 2020. Interestingly, no L0 or L1 non-exchange Tron addresses were active before 2020.

  • L1 addresses that received less than $1000 or 0.25 ETH total from all L0s were removed. They amounted to only half a billion dollars of the subtotal Ethereum L1 losses (below).

  • L1 addresses with total transaction counts over 1,500 for Bitcoin; 2,500 for Ethereum; and 5,000 for Tron, suggestive of hot wallet or service provider behavior, were removed.

  • L1 addresses with total received over $100M, suggestive of exchange hot wallet or service provider behavior, were removed.

    • Although rare, some well-characterized, non-exchange Ethereum L1 addresses encountered when tracing PBS cases received >$100M while active. One such L1 address flagged by many investigators received $248M between March 2021 and February 2022 before emptying out and becoming inactive: 0x5ed54861901eb36fe7771c90fa13e646a141d851.

    • The largest Bitcoin L1 address receiving under $100M (and under 1500 transactions) received only $60M throughout its active use.

    • The largest Ethereum L1 address receiving under $100M (and under 2500 transactions) received only $94M throughout its active use.

    • The largest Tron L1 address receiving under $100M (and under 5000 transactions) received only $74M throughout its active use.


After filtering as above, only 6,431 Bitcoin; 12,814 Ethereum; and 812 Tron L1 addresses remained.



QUANTIFICATION


After filtering, values of all incoming transactions to all remaining L0 or L1 addresses were added together for L0 and for L1. The transaction history summaries generated for each address earlier were used, which values BTC and ETH at their contemporary USD price at the time of each transaction. No conversion was done for USDT, which is pegged 1:1 to the US dollar. For the tracing done in deriving the backflows and exposures (next section), the average BTC and ETH prices from mid-2020 to mid-2023 were used.


To minimize double counting of funds returning to L0 after leaving L0 addresses, all BTC, ETH and USDT transfers to L0 recipients were subtracted from the initial L0 subtotals. Only $50M in such backflows had been subtracted for L0 Bitcoin subtotals (1.33%), $950M from L0 Ethereum subtotals (13.5%), and $1.6M from L0 Tron subtotals (0.4%). As a result, inflows to all L0 amounted to $10.2B in all blockchains.


To minimize double counting of L1 funds that returned to L1 addresses, all BTC, ETH and USDT outflows at L1 or higher going to another L1 address were subtracted from the initial L1 subtotals. Only $245M in such backflows had been subtracted for L1 Bitcoin subtotals (4.8%), $4.2B from L1 Ethereum subtotals (13.4%), and $85M from L1 Tron subtotals (4.1%). As a result, inflows to all L1 amounted to $45B in all blockchains.
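The L1 filters listed under Data Processing and the backflow subtraction described in this section, as an added worked example run on a small constructed dataset; this is not Chainbrium's own tooling, the AddrSummary fields and the placeholder address names are assumptions, and the $1,000 floor is applied in USD only (the report also allows a 0.25 ETH floor):

```python
from dataclasses import dataclass

# Thresholds quoted in the report: per-chain transaction-count caps, the $100M
# received cap, the $1,000 floor on funds received from L0s, no activity before 2019.
MAX_TX_COUNT = {"bitcoin": 1500, "ethereum": 2500, "tron": 5000}
MAX_RECEIVED_USD = 100_000_000
MIN_FROM_L0_USD = 1000          # report also allows a 0.25 ETH floor; USD only here
EARLIEST_YEAR = 2019

@dataclass
class AddrSummary:
    """Per-address transaction history summary (field layout is an assumption)."""
    chain: str
    first_tx_year: int
    tx_count: int
    received_usd: float           # all inflows, valued at the time of each transfer
    from_l0_usd: float = 0.0      # portion of inflows that came from any L0 address
    is_service: bool = False      # labeled exchange / service provider address

def keep_l1(addr, s, l0_set):
    """Apply the report's L1 filters; True if the address stays in the L1 set."""
    if s.is_service or addr in l0_set:      # labeled service, or overlaps with L0
        return False
    if s.first_tx_year < EARLIEST_YEAR:     # active before PBS via crypto existed
        return False
    if s.from_l0_usd < MIN_FROM_L0_USD:     # negligible link to the L0 set
        return False
    if s.tx_count > MAX_TX_COUNT[s.chain]:  # hot-wallet-like activity
        return False
    return s.received_usd <= MAX_RECEIVED_USD

def filter_l1(candidates, summaries, l0_set):
    return {a for a in candidates if keep_l1(a, summaries[a], l0_set)}

def level_total(addrs, summaries, backflows):
    """Gross inflows to a level minus traced transfers that land back in that level.
    Returns (net_usd, backflow_share_of_gross)."""
    gross = sum(summaries[a].received_usd for a in addrs)
    back = sum(usd for _src, dst, usd in backflows if dst in addrs)
    return gross - back, (back / gross if gross else 0.0)

# Constructed sample data; address names are placeholders, not real addresses.
L0_SET = {"l0a", "l0b", "l0c"}
L1_CANDIDATES = {"l1_good", "l1_hot", "l1_old", "l1_dust", "l1_svc", "l0a", "l1_consol"}
SUMMARIES = {
    "l0a": AddrSummary("ethereum", 2021, 120, 2_000_000.0, 1_000_000.0),
    "l0b": AddrSummary("bitcoin", 2022, 40, 1_500_000.0),
    "l0c": AddrSummary("tron", 2022, 60, 700_000.0),
    "l1_good": AddrSummary("ethereum", 2021, 400, 12_000_000.0, 9_000_000.0),
    "l1_consol": AddrSummary("tron", 2021, 800, 30_000_000.0, 25_000_000.0),
    "l1_hot": AddrSummary("ethereum", 2019, 9000, 250_000_000.0, 3_000_000.0),  # tx cap, $100M cap
    "l1_old": AddrSummary("bitcoin", 2017, 50, 800_000.0, 500_000.0),          # pre-2019
    "l1_dust": AddrSummary("tron", 2022, 10, 20_000.0, 400.0),                 # < $1,000 from L0
    "l1_svc": AddrSummary("bitcoin", 2021, 300, 5_000_000.0, 5_000_000.0, True),  # labeled service
}
# Constructed traced transfers (src, dst, usd) from the L0 outflow trace.
BACKFLOWS = [("l1_good", "l1_consol", 2_000_000.0),   # L1 -> L1: subtracted at L1
             ("l2_x", "l1_good", 500_000.0),          # L2 -> L1: subtracted at L1
             ("l1_good", "l0b", 50_000.0)]            # returns to L0: subtracted at L0

if __name__ == "__main__":
    l1 = filter_l1(L1_CANDIDATES, SUMMARIES, L0_SET)
    print("L1 kept:", sorted(l1))
    print("L0 net USD, backflow share:", level_total(L0_SET, SUMMARIES, BACKFLOWS))
    print("L1 net USD, backflow share:", level_total(l1, SUMMARIES, BACKFLOWS))
```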


(after applying filters and subtracting backflow amounts)



EXPOSURES

Outgoing transactions from L0 were traced to the nearest identifiable entities (not necessarily cash-out exchanges), and about $5.2B could be traced to them (all tracing values are based on the average BTC and ETH prices from mid-2020 to mid-2023). The majority of L0 addresses have direct exposure to Binance (41%) and Tokenlon (29%). There was a small but significant FTX exposure at 8%, primarily when tracing USDT on Ethereum. Exposure to all other exchanges was 12% and comprises MXC, Coinbase, Kraken, Uniswap, Bitfinex, Crypto.com, Poloniex and others. Tokenlon is only a crypto-to-crypto “decentralized” exchange, and it is feasible to trace crypto assets swapped through its Bitcoin bridge and through its Ethereum smart contracts. Post-Tokenlon tracing was not done here, but manual tracing after Tokenlon reveals significantly more Huobi and OKX as cash-out endpoints.


Figure 5. Proportions of the nearest cryptocurrency exchanges to where PBS funds were traced

Figure 6. Flow of funds from the top 500 largest addresses to the largest destination addresses.

For an interactive version, see this link.


Figure 7. Tokenlon dragged to the far right

DISCUSSION


Factors leading to Overestimation

First, there may still be many unidentified exchange and service provider addresses remaining in our L1 dataset. Counting incoming volumes to these addresses will incorporate volumes from non-victims. Wallet addresses of informal, over-the-counter (OTC) brokers may be servicing funds that, albeit still illicit, are unconnected to PBS.

Second, there may still be unaccounted backflows, or funds from unknown L0s and L1s that circulate back to L0 and L1 addresses, contributing to their received amounts. Scammed BTC swapped through Tokenlon into Ethereum tokens (see below) may also contribute to the ETH L1 volumes ($38B). How much of the ETH L1 volume is double-counted scammed BTC was not determined here, but it can be at most around $5B: the total L1 BTC, or the total processed by Tokenlon’s BTC bridge address.


The likelihood of service addresses being included was reduced by filtering on various criteria: fewer than 1500, 2500, or 5000 transactions in total (for Bitcoin, Ethereum and Tron, respectively), and less than $100M processed in total. On the other hand, many consolidation L1 addresses with more than $100M processed over time have been observed by investigators of PBS, including one instance of more than $200M processed. These addresses display other characteristics of being simply pass-through addresses for consolidating L0 funds, such as: intaking from many L0s, not directly interacting with any known exchange, being active for only a year, and carrying no balance at the end of their use. Setting our threshold too low risks missing too many of the larger L1 addresses.


Given the adjacency of L1 addresses to directly reported L0 addresses, it is reasonable to conclude that any L1 address that is (1) not exchange-hosted and (2) mostly used as a pass-through is controlled by associates knowledgeable of the scam, if not the perpetrators themselves. Based on the experience of many investigators, short-lived L0 addresses commonly drain to L1 addresses that consolidate or further pass along the funds. Virtually all funds at level L1 originate from reported L0 addresses and have not yet commingled with other (illicit) activities.


With the proximity, volumes, and concentration of PBS funds involved, controllers of L1 addresses are likely to process more victim funds from other PBS also, and even specialize in handling only PBS funds. We suggest that L1 addresses could be the general wallets of larger scam company units or OTC exchangers catering to local scam compounds. Beyond the L1 juncture, cryptocurrency is increasingly likely to have changed ownership to money professionals that also service other illicit needs.


The chain L0, L1, L2, etc., ultimately ending at an exchange, is only a general framework we use, and PBS perpetrators do not strictly adhere to it. We and others have seen many instances of an L0 being used as an L1 or an L1 as an L0, which would inflate the incoming volumes we are summing. However, same-level, internal transactions within “L0” or “L1” addresses were insignificant in our dataset. We find that flows were still largely unidirectional, because overlaps between L0 and L1 addresses were only 1% to 9%, and traced backflow amounts comprise only 0.4% to 14% of the summed inflows. As well, detected backflows were subtracted before obtaining our grand total. From the observed transaction volumes and transitory flows, it is highly unlikely that there is retail trading activity in L0 and L1 that would inflate transaction volumes, nor would there be prices of legitimate goods and services in Southeast Asia (where perpetrators most likely are) to justify the large volumes transacted.


Scam addresses are known to be used as well for ransoms and sales in human trafficking. However, ransom amounts in SEA likely pale in comparison to amounts from scamming victims in developed countries, and transactions from the human trafficking trade between scam companies would be funded from scam profits, not new funds entering the SEA scam industry. These sales might be reflected in the backflows observed.

 


Factors leading to Underestimation


It is more important to note that there are, in fact, factors that could lead to substantial undercounting of PBS syndicate profits with our methods. Aside from discounting L1 addresses receiving more than $100M, removing all exchange hot wallet addresses from our datasets excludes all the scammed funds sent directly to exchanges. Indeed, many early victims of PBS were simply given (at L0) their scammer’s account addresses at Binance, Huobi or OKX. Many early cases also had funds transferred from L0 straight to exchange deposit addresses (mostly Binance and Huobi), amounts that we did not include in our estimates. We have even documented cases of Binance users being victimized by PBS scammers using another Binance account. In these cases, the transactions would not appear on-chain at all.


The estimates here do not yet include victims sending money via bank wires. PBS websites often give victims the option to also “invest” via wire transfers, and in our experience about 30% of PBS victims outside Asia do so. Bank wiring is still a very significant mode of PBS among victims in East and Southeast Asia. As such, the total monetary losses to PBS can only be higher than any on-chain estimate.

 


Magnitude of PBS in Context


L0 addresses displayed on scam websites are typically used for up to dozens of victims, so the incoming volumes to the more than 7,000 L0 addresses we have collected represent losses from a multiple of that number of individuals, i.e. tens of thousands of victims.

This is the largest accounting of global PBS losses from blockchain data. The amounts of scammed cryptocurrency found here far exceed the estimates of cryptocurrency scams by Chainalysis, for many reasons covered in another blog post. The $45B estimate represents just the known cryptocurrency linked to the intake of SEA cyber-scam syndicates in 3 years. It already rivals the 2021 GDP of Laos ($19B) and Cambodia ($26B) and dwarfs North Korea’s $3B in cryptocurrency thefts over 6 years.


These monetary losses do not yet account for the long-term psychological, emotional, social, and future opportunity costs for PBS victims who lose life-changing amounts of money. On the destination end of the scammed billions, the sheer amount of illicit income empowers the transnational criminal syndicates, distorts local economies, adds to patronage corruption, and perpetuates large-scale human trafficking into Southeast Asian fraud factories.

 


Exchanges Disproportionately Implicated in PBS


Significant exposure to Binance is not unexpected, given that Binance is the biggest crypto exchange in the world. The disproportionately high use of Tokenlon for on-chain token swaps is interesting, however, since it is not widely known outside East Asia. According to Chainalysis Reactor, ~90% of L0 addresses have exposure to Tokenlon, meaning some funds in almost all PBS cases touch Tokenlon. Involvement of Tokenlon has long been the signature of a PBS among cryptocurrency investigators in law enforcement and the private sector (see: The Prevalence of Sha Zhu Pan AKA Pig Butchering Scams by Paul Sibenik).

Tracing to Tokenlon addresses frustrates most casual investigators using open blockchain explorers, because it becomes trickier to trace beyond Tokenlon. When investigators trace assets to centralized cryptocurrency exchanges like Binance, they can request customer information on the receiving account after a legal process. Tokenlon, on the other hand, purports to be a decentralized cryptocurrency exchange, implying that Tokenlon cannot help identify its users because its trades are merely automated by its smart contracts on the public blockchain.



Continuing analysis on the role of DeFi, particularly of decentralized exchanges, in pig butchering scams may be the subject of future research.


