For seven years, the FBI's Internet Crime Complaint Center (IC3) has tallied the reports the US law enforcement agency receives about all different types of digital crime, and it has consistently found that business email compromise (BEC) scams resulted in the highest total losses each year. But in its latest Internet Crime Report, released today for incidents in 2022, “investment” scams have overtaken all others as the biggest digital threat, with $3.3 billion in losses last year.
IC3 reported that BEC—in which attackers trick businesses into making bogus payments or intercept legitimate payments—resulted in nearly $2.4 billion worth of losses in 2021 and $2.7 billion in 2022. In other words, those attacks are still a significant and rising threat. But investment scams, particularly those that claim to offer a path for cryptocurrency investment, have exploded over the past 18 months. They have been particularly fueled by so-called “pig butchering” scams, in which attackers cold-contact a target via texts or other messaging platforms, start a conversation to build trust, and then say they can help the individual get in the door on a lucrative investment deal.
The $3.31 billion of overall investment scam losses in 2022 compares with $1.45 billion in 2021, an increase of 127 percent. And the FBI notes that cryptocurrency investment scams specifically caused losses of $2.57 billion in 2022, up from $907 million in 2021—an increase of 183 percent.
In 2021, IC3 tracked pig-butchering attacks by that name and categorized them under the umbrella of “romance scams” rather than cryptocurrency scams, citing $429 million in losses related to pig butchering that year. In the new report, IC3 doesn't mention the phrase “pig butchering” but says in an appendix that “one complaint may have multiple crime types.”
The figures seem to reflect IC3's efforts to quickly adjust its understanding of how these scams are operating amidst pig butchering's sudden rise. But it's hard to get a definitive picture, since it depends on how you categorize the different types of scams. For example, romance scams (also called “confidence fraud”) dropped from 24,299 complaints in the 2021 report to 19,021 in 2022. The associate losses dropped from $956 million to $736 million. But the US Federal Trade Commission said last month that it had received reports of close to 70,000 romance scams in 2022 and losses of $1.3 billion.
“Crypto-investment scams saw unprecedented increases in the number of victims and the dollar losses to these investors,” the FBI wrote in the 2022 Internet Crime Report. “Many victims have assumed massive debt to cover losses from these fraudulent investments.”
Researchers who have been tracking pig butchering say the trend is unmistakable. In recent research by the security firm Sophos, for example, senior threat researcher Sean Gallagher tracked one criminal campaign that originally appeared to have amassed about $500,000 worth of stolen cryptocurrency in one month. After continuing to investigate and identifing more wallets linked to the attackers, though, Gallagher concluded that the gang had stolen about $3 million over five months.