Pig Butchering Scam Trails Blend with Russian Intelligence

This looked like another sad story of romance scam. Then money trails led to places connected to Russian military intelligence.

A scared pig running away with a knife still inside him, and a scene shows an assasin with a machine gun in a Russian town.
Created by Kornelija Poderskytė from DailyCoin

Marius, a Lithuanian small-business owner and stock market investor, fell victim to a pig butchering scam. His life savings, about €150K ($162.5K), were gone in a few months.

A man was like thousands of victims worldwide: an attractive and luxurious woman approached him on a dating app and gained his trust. Then, he was lured into investing via a platform where fund withdrawals were never meant to be possible.


The only difference is that, in his case, the lost money traveled through hands closely tied to Russian intelligence services.

Pig Butchering: A Billion Dollar Crime Industry

Because of its similarity to fattening hogs before slaughter, the illicit scheme is metaphorically called the pig butchering scheme. Originating in China during the pandemic, it has spread worldwide and is a billion-dollar industry today.

According to the FBI, investment scam victims in the United States alone lost over $4.6 billion last year.

Today, the pig butchering scam is a profitable branch of organized crime. In Southeast Asian countries, particularly Cambodia, specialized labor camps are set up where people are forced to carry out financial scam operations.


However, Marius’ story raises suspicions: Could it be possible that behind the pig butchering scam schemes in Europe lie much more powerful forces than just organized crime?

A Glamorous Jeweler from Moscow

When Marius joined Tinder on his lazy vacation day a few years ago, he soon received a message from an attractive jewelry maker named Irina. She lived in Moscow, and her social media profiles proudly displayed her luxurious tastes.

Soon after, Irina invited Marius to switch their communication to WhatsApp, where both kept exchanging messages and photos. A month later, Irina casually mentioned how she funded her lavish lifestyle.

The social media profile of jewelry maker Irina, which Marius shared on a blog focused on Lithuanian investors.
The social media profile of jewelry maker Irina, which Marius shared on a blog focused on Lithuanian investors. Source: BalticMustache
“She said that 30% of her income is from jewelry making, while 70% comes from investments,” he recalls. Marius, whose investments usually earn a 10% annual return, became curious. 

The woman explained that her brother worked as a financial analyst for wealthy portfolio manager Nikolay, who had insider connections in various corporations. She and her brother traded from their investment account by following Nikolay’s signals for a 23.5% profit fee.

Irina offered Marius to join them. She explained that it would only take two hours per week and cost the same 23.5% quarterly fee once he made profits. She then brought Marius in contact with Nikolay.

At first, the latter was unhappy with the “too small” amount of €10K, which Marius decided to start with. But he later relented. All that was left was to open an investment account, send funds in Bitcoin, which would later be converted to euros, and start trading. 

Marius Starts Making Profit

The platform used by Irina and Nikolay was Aplore.com. According to their website, it is a broker registered in Romania and licensed in Cyprus. However, Marius found no information proving this on the official registries.

“I was inclined to invest through, for example, IB [Interactive Brokers, a popular brokerage firm]. I suggested IB, but I was criticized that the leverage there is too small, it's not suitable for trading cryptos, in short, it's a sandbox,” claims Marius.

The scammers had the answers to all his questions. They could explain everything logically. The Lithuanian businessman believes this is what finally convinced him.

He transferred the required amount in BTC to Aplore’s digital wallet and started trading. The choice was wide: from fiat currency pairs to equities, oil, and crypto.

In just the first week, Marius increased his portfolio by more than 30 percent with Nikolay’s guidance.

Problems and Demands Begin

Soon after, Nikolay’s team started urging Marius to increase his account balance. Higher leverage was possible above €50K, and oil options were available for those with more than €70K in their portfolio.

But minutes after Marius’s additional €40K reached Aplore’s account, the support team called with a new request for 30 percent of the account value as insurance against leverage trading.

A three-day deadline was given for transfer to a new wallet. If the transfer were not made, the trading account would be suspended.

A screenshot from Marius's account interface on Aplore.
A screenshot from Marius’s account interface on Aplore. Source: BalticMustache

Eventually, his deposits surpassed €140K, and the gains from successful trades expanded to €30K. But Marius was never able to withdraw his funds. Every attempt was met with excuses and requests for additional money. 

At that time, reviews started appearing online, indicating that Aplore was a fraud. Marius filed a report with the police but continued communicating with the scammers without sending more money. 

One day, Aplore suddenly disappeared. Irina, her brother, and Nikolay became out of reach, too.

Funds Flow Through Ukrainian Crypto Exchange

As on-chain data revealed, funds from Marius’s Aplore account immediately left the platform and landed in digital wallet 38aoWNkpyKxqE1HQqJapHevfJWRSjepK2K, which accumulates inflows from numerous one-off deposits.

When a larger amount was gathered, the wallet sent out much bigger sums to intermediaries, where the process repeated. Intermediary wallets accumulated BTC and then moved it further to new destinations.

Eventually, a cumulative amount of $7.05 million was siphoned into the bc1qng0keqn7cq6p8qdt4rjnzdxrygnzq7nd0pju8q address. 

Coinfirm, a blockchain analytics platform specializing in investigation solutions, identified the address as associated with WhiteBit, a Ukrainian cryptocurrency exchange, after Marius contacted them for help.

“I contacted WhiteBit, and they confirmed it,” Marius says.

Map of stolen funds path towards WhiteBit exchange.
Stolen funds leave Aplore, then change hands and merge with numerous other funds until landing at the same address on the WhiteBit crypto exchange. Source: Arkham

The money, however, didn’t stay there for long. Having changed various hands, it flew into darknet markets and to the wallet 1BKN5obhkdoequshHnn96zZvFi3wCEdfiC on the HTX (former Huobi) exchange.

From there, its journey continued until it eventually entered a Binance account containing millions of dollars worth of other funds.

Map of fund flows from HTX to wallets on Binance.
Fund flows from HTX to wallets on Binance. Source: Arkham

WhiteBit: Ukrainian Exchange with a Russian Shadow?

While WhiteBit may not have been directly tied to the act of pig butchering in this case, their lack of effort to prevent such scams raises some red flags warranting further investigation into the company.

WhiteBit is not a new name in the crypto world. Founded in 2018 in Ukraine by ex-salesman Volodymyr Nosov, it is often presented as one of the biggest European crypto exchanges. It is also an active partner of Ukrainian state institutions and a donor to the Ukrainian military. 

However, one of the companies affiliated with the platform’s management, “WhiteBIT Group,” has connections to a financial donor involved in an attempted coup during Montenegro’s 2016 elections.

The coup organizers planned to assassinate the Montenegrin Prime Minister, bring a pro-Russian government to power, and prevent the country from joining NATO. Montenegro later confirmed that Russian military intelligence (GRU) orchestrated and funded the attempted overthrow. Two GRU agents were found guilty of their involvement in the plot.

Even overlooking possible ties to Russian intelligence agencies, the question remains: Why were funds allegedly tied to pig butchering scams so easily moved through this exchange?  

Police Struggle with Crypto Crime Investigations 

Crypto exchanges, licensed as Crypto Asset Service Providers (CASPs), are obliged to report suspicious transactions to financial authorities. 

But they don’t always do that. As Marius told DailyCoin, the answer he received from WhiteBit after reporting the suspicious wallet was clear: come back with an official inquiry from law enforcement. 

He did exactly that and reported his situation to the local Lithuanian police. Yet he was again faced with another massive problem.

The police did not know what to do with the information the victim provided. Marius says there are very few people who understand cryptocurrencies and blockchain.

“The police, at least in Lithuania, lag light-years behind the scammers’ abilities. When a case is initiated, it is immediately assigned to a category where investigation is unlikely. Accordingly, minimal attention and resources are allocated.”

As the Lithuanian Criminal Police Bureau (LKPB) confirmed to DailyCoin, romance and investment scams often involve individuals operating in foreign jurisdictions. The police must therefore comply with international regulations when requesting data from their foreign colleagues. 

“International cooperation, especially with third countries, when it comes to obtaining financial or electronic communication data, is a complex, lengthy process. Often, foreign entities do not provide significant data, which complicates the investigation of similar crimes,” explains the LKPB.

Over the past three years, the LKPB has seen 33 cases of romance and investment scams involving cryptocurrencies. However, the authorities did not indicate that any had been successfully solved.

In the meantime, the wallet on WhiteBit allegedly associated with pig butchering scams remains active. The latest incoming transfers from a suspicious address were noticed just a day before this article’s publication.

The wallet has since been reported as fraudulent on the open source.  

WhiteBit-related wallet labeled as fraudulent.
WhiteBit-related wallet labeled as fraudulent. Source: BitcoinWhoIsWho

Scammers Return

Marius no longer expects to recover his lost money. The police closed his case due to insufficient evidence. But scammers do not let him forget his painful experience.

"Every 2-3 weeks, I receive a call from a fake money recovery company, claiming they've recovered my money and want to return it, but I need to install AnyDesk or fulfill other additional conditions."

Sometimes, they simply send emails mimicking legitimate company emails or pretend to be a cryptocurrency bank that doesn’t actually exist.

An email that Marius received imitated money recovery company PayBack Ltd. The domain payback-ltd.bio did not match with the legitimate one payback-ltd.com.
An email that Marius received imitated money recovery company PayBack Ltd. The domain payback-ltd.bio did not match with the legitimate one payback-ltd.com

If they call, they always use a fake number and a VPN. After missing the call, it’s impossible to call them back.

But there are also some tricks that Marius has practiced to identify scammers. 

If fraudsters ask him to identify before logging into a new platform, he insists that the scammers go first. If they suggest switching to WhatsApp or Telegram chats, Marius requests a video call. Their standard response is that company policies prohibit it.

“Then I ask them to send an email to prove they're really from the actual company and, for example, to take a photo of their work ID card. That's where it usually ends.”

Scammers typically purchase domains similar to genuine money recovery companies’ domains. Requesting legitimate proof always scares them.

“After receiving such an email and being asked to send one from the genuine domain, a calm period for 2-3 weeks starts again,” Marius sighs. “But in reality, there won’t be any calmness until I change my phone number.

Check out our story about the vanished BKEX crypto exchange:
How to Make a Crypto Exchange Disappear? BKEX May Know a Trick

A must-know list of why crypto withdrawals get suspended:
Crypto Withdrawals Frozen? Here’s What You Must Know

This article is for information purposes only and should not be considered trading or investment advice. Nothing herein shall be construed as financial, legal, or tax advice. Trading forex, cryptocurrencies, and CFDs pose a considerable risk of loss.

Simona Ram

Simona Ram is a senior journalist at DailyCoin, who covers the forces and people shaping the Web3 industry and the areas where decentralized crypto assets meet the centralized world. She has experience in business communication within the financial sphere and has a degree in Foreign Languages, which helps her interact effectively with sources from diverse backgrounds. In her free time, Simona enjoys exploring new cultures.