On September 8, the Financial Crimes Enforcement Network of the U.S. Department of Treasury (FinCEN) issued an alert warning financial institutions to be vigilant against a prominent virtual currency investment scam called “pig butchering.” U.S. law enforcement currently estimates victims in the United States have lost billions of dollars to these types of scams.

These scams are referred to as “pig butchering” because they resemble the practice of fattening a hog before slaughter. The victims are referred to as “pigs” by the scammers who use fictitious identities, the allure of potential relationships, and elaborate storylines to “fatten up” the victim. The “butchering” phase involves convincing victims to invest in virtual currency with the intent to defraud them.

One example provided in the alert was from November 2022, when the U.S. Attorney’s Office for the Eastern District of Virginia announced the seizure of seven domain names used in a pig butchering scam. Scammers used the seized domains, which were all spoofed domains of the Singapore International Monetary Exchange, to induce five victims. The scammers convinced the victims that they were investing in a legitimate cryptocurrency opportunity. After the victims transferred investments into the deposit addresses provided by the scammers through the seized domain names, the victims’ funds were immediately transferred through numerous private wallets and swapping services. In total, the victims lost over $10 million.

In its alert, FinCEN identified fifteen red flags to help financial institutions identify and report such suspicious activity. These include:

• A customer with no history of exchanging virtual currency attempts to exchange a high amount of fiat currency for virtual currency or attempts to initiate high-value transfers to virtual asset service providers (VASPs).
• A customer mentions an investment opportunity leveraging virtual currency with significant returns that they were told about from a new contact who reached out online or through text.
• A customer mentions that they were instructed by an individual who recently contacted them to exchange fiat currency for virtual currency at a virtual currency kiosk and deposit the virtual currency at an address supplied by the individual.
• Accounts with large balances that are inactive or have limited activity begin to show sudden, abnormally frequent, or significant withdrawals of money being transferred to a VASP or being exchanged for virtual currency.
• A customer with a short history of conducting several small-value electronic funds transfers (EFTs) to a VASP abruptly stops sending EFTs and begins sending multiple high-value wire transfers to accounts of holding companies, limited liability corporations, and individuals with which the customer has no prior transaction history.
• System monitoring show that a customer’s account is accessed repeatedly by unique IP addresses, device IDs, or geographies inconsistent with prior access patterns.

Many of the above “red flags” may involve payments to legitimate cryptocurrency service providers. However, this type of fraud has become so prevalent that FinCEN has cast the net widely in identifying fact patterns that may involve a pig-butchering scheme. Financial institutions should take this as a cue to update their suspicious activity red flag framework in line with this alert.