Fake token investment scams and "pig butchering" attacks

This attack involves scammers convincing users to invest into fraudulent tokens, often imitating existing prominent tokens for credibility.

How does it work?

Content Warning: mentions of animal butchery.

Most often, we see this type of scam occur following a period of initial social engineering, during which the malicious actor tries to build trust and rapport with the victim. This process is often known as "pig butchering".

What is a "pig butchering" attack?

"Pig butchering" is the English translation of the Chinese phrase that can be rendered in Latin characters as "shā zhū pán". The rather grisly name refers to gradually fattening up pigs before they're slaughtered in order to improve the quality and quantity of meat that can be butchered. The concept of being kind to the pig—by offering additional food—but only for selfish, malicious reasons can be applied to crypto scams: often, scammers will seek the victim's trust, friendship, or even romantic interest during an initial period of social engineering. This cynical kindness is then withdrawn once the scammer has what they want from the victim — in our context, this is almost always crypto tokens.

As a result of gaining the victim's trust, the scammer will try to convince them to:

  1. Add a custom network to MetaMask. Often, it's a test network. 
  2. Transfer the scammer something of value. This could be crypto with genuine value, NFTs, or even a fiat bank transfer completely external to MetaMask. The attacker will generally frame this transaction as a good deal, a heavy discount, or a sound investment for the user: "if you transfer me 50% of [XYZ total value] in cash, I'll add the other 50%".
  3. Add a custom token on the newly added network. The scammer uses the token to trick the user into believing they received a token with actual, real-world value. The method they generally use is to imitate a common token's symbol, like USDT or ETH.


    Even network tokens and cryptocurrencies unrelated to Ethereum and EVM-compatible networks are deployed here. For example, Bitcoin (BTC) is common: its prominence in public discourse means its fundamental characteristics and, importantly, its value are already known to the crypto newcomers and inexperienced users that pig butchering scams target.

    Crucially, the scammer's suggested token will use a different RPC endpoint (explanation here) to the token it's imitating, meaning it is a fundamentally different token with no real value. Due to the way MetaMask and other wallets use the symbol to source price information, the value of the imitated token may be displayed under the fake one: leading a user to believe, for example, that their fake USDT has the same fiat or dollar value as real USDT on Ethereum. 

We're working on building in additional safeguards to prevent these fraudulent imitation tokens being displayed with fiat values in MetaMask. Unfortunately, we cannot ever stop a user from using their funds as they decide, but we hope small changes such as this will support users to make good decisions. 

How to stay safe

This attack relies mainly on the user's lack of knowledge and experience. Though an experienced user may see the attack coming from miles away, humans are social, emotional creatures, and the manipulative skill of malicious actors that run pig butchering scams should not be underestimated.

Even someone who is streetsmart and cautious in everyday life can be easily duped by a skilled perpetrator when taking their first steps into the unfamiliar, often-confusing world of crypto and self-custody; decision-making can become clouded when the scam involves the prospect of romance, friendship, respect, or belonging — social factors our brains are hard-wired to pursue.

Protecting yourself from falling victim to this scam requires internalizing the same key principles we mention in most of our web3 security series, namely: 

  • If it seems too good to be true, it probably is. A scammer offering to transfer you tokens with a value that exceeds that of the payment you send them in return, for example, is a significant giveaway that something is wrong. People do not give away assets for free.
  • Be wary of unsolicited contact. Invariably, the scammer will contact you first. Whether over Twitter (X), Instagram, Whatsapp, Telegram, or Discord, be suspicious of strangers that seek to strike up an exchange out of nowhere—and if it starts to touch on money or crypto, be even more suspicious. We know it can feel cynical and isolating to assume strangers mean harm, especially in an age where loneliness is on the rise — but web3 is generally a reflection of society. Do you usually trust strange individuals with your money?

In addition to these core principles, you should also:

  • Get in touch with us (via the "Start a Conversation" button on the homepage) if anyone is walking you through specific instructions involving using MetaMask. For example, asking you to visit a specific site, add a specific network, get involved with a specific investment opportunity, etc. Even if you think they are friendly and mean no harm, we can help you determine whether you're putting yourself at risk.  
  • Be very careful about adding unverified custom networks. You can read more about this here
  • Learn how to check whether token contracts are trustworthy. See here for more information, including how to use block explorers like Etherscan to practice due diligence. It may feel excessively cautious, but a few minutes of research could prevent you from losing funds.

If you have any questions or you think you may have fallen victim to this type of scam—or you think you might be at risk of doing so—please get in touch with MetaMask Support by hitting the "Start a Conversation" button on the homepage of this site. Our bot will ask a few questions to ensure you get in touch with the right team member. 


See also: Testnet ETH scams

Was this article helpful?
45 out of 52 found this helpful

Articles in this section

See more