image of breaking badness
Breaking Badness
Breaking Badness

[Special Report] Two Seans, a Tim, and a Pig Butchering Ring

In Q1 2023, DomainTools shared several research articles regarding a pig butchering campaign targeting financial advisors, so when Sophos published Sean Gallagher’s article on the most recent iteration of this tactic, we thought it would be an interesting conversation to have Sean on the podcast. 

Sean is a Principal Threat Researcher at Sophos in the X-Ops group. Previously he was the Information and National Security Editor at Ars Technica, focusing quite a bit on Information Security (Infosec). Be sure to listen to the full episode for more on Sean’s background. 

What is Pig Butchering? 

Before we dive into the specifics of Sean Gallagher’s article, we discuss the concept of pig butchering. The term comes from the translation sha zhu pan in Chinese – literally translating to “pig butchering.” The tactic evolved out of mainland China and as the Chinese people became more vigorous in prosecuting these cases, the Coronavirus pandemic hit, effectively moving pig butchering out to bordering countries. 

It originally focused on establishing a friendly connection over a dating or meeting app, then introducing the idea that as a team or couple, you can make money together. In the early days, wire transfers were prevalent, but cybercriminals began to introduce the use of cryptocurrency and show their victim fake profits to “fatten the pig” (i.e. show the process was working), but in truth the money was long gone. When the process was questioned or the victim wanted to take their gains, the attacker would change the game and say the money couldn’t be dispersed until “taxes” were paid or another goal was met. 

The Cryptocurrency Myth

An interesting revelation Sean Gallagher shared in this interview is at present, most of the victims of pig butchering do not have prior experience using cryptocurrency. It usually starts with small sums of money and increases as trust develops between the attacker and victim – and the attacker initially shows gains in crypto, further establishing trust in the system. 

The insidious thing about this method is there is no malware to download – it’s all social engineering and use of legitimate websites for cryptocurrency transfer. In Sean’s article, the company in question is Coinbase, and when they noted what they considered odd activity, they shut down the victim’s wallet. But because the victim was deep in the process, he opened another crypto wallet with 

Human Trafficking and Pig Butchering 

A more devastating element of pig butchering is often on the attacker’s end of the campaign is a person who is held against their will to keep the conversation going. The cybercriminals require English speakers to communicate with their victims, and sometimes they are in limited supply. These individuals might be lured to the country of origin of the crime, promised a telecommunications job with good pay, and upon arrival their passports are taken and they are forced to comply with the scheme. 

It is possible the trafficking element may slow as artificial intelligence (AI) and large language models (LLMs) continue to grow, making it easier to communicate with victims in their native languages. In Sean’s latest article, the last messages to the victim were likely generated using chatGPT. 


There was much more to this conversation that’s best to hear in Sean’s own words. We go deeper into his current article, experience with other victims, and thoughts on how AI will change the game of pig butchering. 

That’s about all we have for this week, you can find us on Twitter @domaintools, all of the articles mentioned in our podcast will always be included on our podcast recap. Catch us Wednesdays at 9 AM Pacific time when we publish our next podcast and blog.

*A special thanks to John Roderick for our incredible podcast music!