Pig Butchering Has Gone Big Time. Your Identity Layer Has to Catch Up. 

Kasey Cromer, Netlok | February 28, 2026

Executive Summary 

“Pig butchering” refers to scams where fraudsters build trust over weeks or months before steering victims into fake investment schemes, “fattening” them with false gains before the “slaughter” when scammers empty accounts and disappear (TRM Labs). Pig butchering has evolved from fringe consumer crypto fraud into an industrialized scam industry that steals billions globally each year. 

These operations increasingly target employees with access to corporate funds and data. What once looked like a consumer romance problem has become a material enterprise risk that blends payment fraud, business email compromise, and targeted social engineering. Traditional controls relying on users spotting red flags or password centric authentication are struggling against well resourced adversaries operating at global scale with near zero enforcement risk (Huntress). 

Security leaders need to treat pig butchering as a systemic identity and payments problem, not merely a user awareness issue. That means reducing the blast radius when employees are socially engineered. Leaders need to assume that scammers will eventually obtain credentials or convince someone to approve a transaction and need to adjust accordingly. Photolok Passwordless IdP helps close this gap by taking passwords off the table and making it significantly harder for scammers to steal or manipulate their way into your systems. 

The Pig Butchering Threat Landscape 

Pig butchering operations combine relationship building, fake investment platforms, and crypto infrastructure. Scammers cultivate trust over weeks or months across messaging apps, dating platforms, and social networks before steering victims into high yield “opportunities” that are actually scam websites or apps they control. Once funds are deposited, money moves quickly through crypto infrastructure designed to obscure its origins, often crossing multiple jurisdictions in volumes that are difficult to trace in real time or, for that matter, over time. 

The scale and professionalization are hard to ignore. The FBI IC3 reported a record $16.6 billion in total cybercrime losses in 2024, an increase of about 33 percent compared to 2023. TRM Labs notes that nearly 150,000 IC3 complaints in 2024 involved digital assets, with $9.3 billion in losses tied to crypto enabled fraud. Of that $9.3 billion, approximately $5.8 billion (62 percent) came from cryptocurrency investment scams. Pig butchering is the largest driver of this category. 

Blockchain analytics show that pig butchering remains a dominant component of crypto scam activity. Chainalysis reports that pig butchering revenue in 2024 grew nearly 40 percent year over year and that the number of victim payments to scammers grew by almost 210 percent.  At the same time, the average deposit amount declined by more than half, which suggests that scammers are widening the victim pool and accepting smaller amounts in exchange for more total victims. 

The infrastructure behind pig butchering has become a service industry. Researchers describe “pig butchering as a service” in Southeast Asia where providers sell kits with preregistered SIM cards, stolen social media accounts, fake finance apps, and multilingual scripts for scam workers. These offerings remove much of the overhead of building scams and lower the entry barrier for new actors. A 2025 US Treasury action against Funnull Technology revealed that one company’s infrastructure hosted hundreds of thousands of domains used in crypto investment fraud, including pig butchering schemes. 

For executives, the picture is clear. Pig butchering is no longer a niche romance scam that only affects consumers. It is a professionalized fraud ecosystem that blends human trafficking, social engineering, crypto infrastructure, and scalable technology, and it increasingly touches employees and customers who interact with your organization’s money and systems. 

Why Traditional Defenses Are Failing 

Many organizations still treat pig butchering primarily as a consumer issue. That framing creates blind spots in enterprise risk management and identity strategy. 

User awareness by itself is not enough. Scam operators use detailed scripts, share playbooks, and increasingly rely on generative AI to craft realistic personas in multiple languages. They build rapport across personal channels such as WhatsApp, Telegram, dating apps, and social media long before a victim’s work identity is even mentioned. By the time a fraudulent “investment opportunity” appears, the victim may feel a strong emotional bond and is less likely to question unusual requests. CNBC reports that AI is accelerating these scams by enabling scammers to operate in multiple languages and at greater scale than ever before. 

Controls tend to focus on channels rather than relationships. Security teams invest heavily in email filtering, secure web gateways, and endpoint protection, but pig butchering conversations often never touch corporate email or networks. The scam starts on personal channels. By the time fraudsters ask employees to move funds or share access, the request bypasses corporate email and security tools entirely. 

Authentication remains easy to observe and easy to coerce. Once a victim trusts the scammer, the adversary needs one of three outcomes: the person sends money, shares credentials, or approves an action. Passwords can be phished through fake login pages that resemble investment or banking portals. SMS codes can be requested “for verification” and entered by the scammer in real time. The FBI notes that scammers increasingly coach victims through authentication steps in real time, turning even multi factor authentication into a vulnerability when the user is complicit. Even stronger methods such as passkeys or biometrics can be abused when a victim is persuaded that an approval is safe, routine, or urgently required. 

Fraud and security functions are often siloed. Fraud teams monitor anomalies in payment flows and counterparties. Security teams monitor logins, session behavior, and application access. Pig butchering cases frequently straddle both domains. A payment might be technically authorized from a familiar device, but the authorization itself is the product of social engineering. When fraud and security teams don’t share data, these incidents get written off as legitimate user decisions instead of organized crime. 

Law enforcement is scaling up but cannot keep pace. The Department of Justice announced the largest ever seizure of funds related to crypto confidence scams in 2025, yet the cross border nature of these networks means many operators still face minimal consequences. For security leaders this reinforces a core design assumption: your defenses must work even when the external environment remains saturated with pig butchering operations. 

Traditional perimeter controls and awareness campaigns are necessary but insufficient. You need to redesign how high value identity and payment flows work so that even a socially engineered user cannot easily hand over reusable secrets or authorize high impact actions. 

Why Photolok Addresses the Pig Butchering Landscape 

Once you see where traditional controls fall short, the answer is to strengthen the one layer pig butchering cannot bypass: identity. 

Pig butchering succeeds when scammers can convert social trust into access. That access may be to cash, credentials, or systems. The strategic question is how to reduce damage when an employee trusts the wrong person. 

Photolok is not another point solution. It is a Passwordless Identity Provider (IdP) that functions as the front door for your apps and systems. It works with existing systems including Okta Workforce and other identity platforms. As an identity provider, Photolok verifies who users are before granting access to any application. By replacing passwords at this identity layer, Photolok secures authentication across every app and system your employees use. The apps themselves never see or store credentials. They simply trust Photolok’s verification. 

• Steganographic photo based authentication with AES 256 encryption. Photolok embeds encrypted codes inside photos. Each session generates a new AES 256 key that is never presented as a visible password or one time code. Users authenticate by selecting photos they recognize rather than typing secrets. 

• Randomized recognition challenges. Photolok presents a different set of photos and challenge patterns each session. There is no fixed credential or predictable sequence for attackers to script against. Even when scammers coach a victim through authentication on a live call, they get nothing they can use again. 

• Device approval and fingerprinting. Photolok lets organizations control which devices may authenticate. Combined with device fingerprinting, this prevents logins from unknown endpoints even if scammers convince a victim to attempt access from unfamiliar devices. 

• Situational security with Duress Photo and 1 Time Photo. The Duress Photo allows a user to appear to authenticate while silently signaling distress and triggering security alerts. The 1 Time Photo becomes invalid after a single use, resisting shoulder surfing and live coaching. These features are specifically designed for scenarios where attackers are actively coaching victims through authentication. 

• User friendly and cost effective. No passwords means no resets, no help desk tickets, and no hardware tokens, reducing authentication costs. Photolok leverages the brain’s picture superiority effect for faster recall even under stress. 

Because Photolok sits at the identity provider layer, it complements existing fraud analytics, transaction monitoring, and security controls. 

What Security Leaders Should Do Now 

1. Incorporate pig butchering into threat models and exercises. Update fraud playbooks to include scenarios where employees are groomed on personal channels before being asked to move company money or share sensitive access. Run tabletop exercises with finance, treasury, and customer success teams. 

2. Map high value identity and payment paths. Identify roles that can move money, change settlement instructions, or grant high privilege access. Use that list to prioritize which users and workflows need stronger authentication first. Document how authentication works today and where scammers could realistically insert themselves. 

3. Move critical flows to observation resistant authentication at the identity provider layer. Prioritize high value users and transactions. Photolok Passwordless IdP can sit in front of existing IdPs to harden sensitive paths without redesigning downstream systems. 

4. Align fraud, security, and AML perspectives. Ensure teams share data and define clear triggers for escalation, such as large transfers to new counterparties combined with logins from unfamiliar devices or locations. 

5. Provide targeted education for high risk staff. Pair training on scammer tactics with strong identity controls so users can ask for help without blame when something feels off. 

These steps signal a shift from blaming victims to designing systems that assume sophisticated adversaries will eventually reach your people. 

The Bottom Line 

Pig butchering is now a major driver of global cybercrime losses. It is fueled by industrialized scam operations, cryptocurrency infrastructure, and “pig butchering as a service” offerings that let new scammers come online quickly. Scammers win when they can convince someone to send cash, share credentials, or access systems. 

The strategic response is to assume some employees will be deceived and design authentication so that deception does not automatically translate into compromise. Photolok Passwordless IdP helps close that gap by turning authentication into a photo based, session specific process that gives attackers nothing to steal, copy, or exploit. It integrates with existing platforms like Okta Workforce. 

Want to see how Photolok can help harden your high risk identity flows against pig butchering? 

Request Your Personalized Demo 

About the Author 

Kasey Cromer is Director of Customer Experience at Netlok. 

Sources 

[1] FBI IC3. “2024 IC3 Annual Report.” ic3.gov 

[2] TRM Labs. “Key Findings from the FBI’s 2024 IC3 Report.” trmlabs.com 

[3] Chainalysis. “Crypto Scam Revenue 2024: Pig Butchering Grows 40% YoY.” chainalysis.com 

[4] CNBC. “Crypto Scams Thrive in 2024 on Back of Pig Butchering and AI.” cnbc.com 

[5] Huntress. “What Is a Pig Butchering Scam.” huntress.com 

[6] US Department of the Treasury. “Treasury Takes Action Against Cyber Scam Facilitator.” treasury.gov 

[7] US Department of Justice. “Largest Ever Seizure of Funds Related to Crypto Confidence Scams.” justice.gov 

[8] Netlok. “How Photolok Works.” netlok.com