Scammers are relentless in their pursuit of victims, employing fake cryptocurrency trading pools to steal millions, according to the latest report from cybersecurity solutions provider Sophos.

Sophos uncovered a major scam operation involving fake cryptocurrency trading pools, or liquidity pools, as part of its surveillance efforts. In one case, a victim lost $22,000 within a week after being deceived through the dating app MeetMe.

“When we first discovered these fake liquidity pools, it was rather primitive and still developing,” said Sean Gallagher, principal threat researcher, Sophos. “Now, we’re seeing sha zhu pan (pig butchering) scammers taking this particular brand of cryptocurrency fraud and seamlessly integrating it into their existing set of tactics, such as luring targets over dating apps.”

Identity Theft: Scammers exploit publicly available information
Fake CryptoRom apps bypass Apple security — Sophos

(Pig butchering means the scammers let the victims increase their investments then take everything.)

The investigation into the MeetMe scam led the Sophos X-Ops team to identify 14 domains linked to the scam operation. They found numerous nearly identical fraudulent websites, collectively netting this group of scammers more than $1 million in just three months.

Scammers exploit vulnerabilities in unregulated decentralized finance (DeFI) cryptocurrency trading applications, where they create “liquidity pools” involving various cryptocurrencies. Users are enticed with the promise of significant returns on investment during these trades.

Trust Wallet app

“Very few understand how legitimate cryptocurrency trading works, so it’s easy for these scammers to con their targets,” Gallagher said. “There are even toolkits now for this sort of scam, making it simple for different pig butchering operations to add this type of crypto fraud to their arsenal.

What distinguishes legitimate pools from fake ones is scammers’ ability to “pull the rug” and drain the entire liquidity pool for their benefit.

“Last year, Sophos tracked dozens of these fraudulent ‘liquidity pool’ sites and now we are seeing more than 500,” Gallagher said. “What makes these sorts of scams particularly tricky is that they don’t require any malware to be installed on a victim’s device. They don’t even involve a fake app, like some of those we have encountered in other CryptoRom scams.”

Unfortunately, fake liquidity pools were run through the legitimate Trust Wallet app, where the victim was instructed by the scammer to open an account. 

Social engineering

Sophos emphasized that these scams thrive solely on social engineering, with scammers displaying persistence.

Sophos has shared its findings with Chainalysis, Coinbase, and other threat intelligence professionals in the cryptocurrency field, all of whom are actively investigating the matter.

Individuals who suspect they may have fallen victim to pig butchering or liquidity mining fraud are encouraged to contact Sophos and reach out to local law enforcement for assistance.