The recent experience of a seasoned security leader illustrates how fake job offers are increasingly being used as entry points for “pig-butchering” scams.
Pig-butchering scams are a form of investment fraud that exploit social engineering to build a relationship with a prospective mark before butchering them financially, often through cryptocurrency or other fake investments.
Fraudsters purportedly representing Gemini Crypto, a US-based cryptocurrency trading platform, tried to leave US CISO Walter Williams at a minimum of $1,000 out of pocket through a sustained campaign that lasted more than three months between May and September 2025. The pretext of a confidential job search for a CISO was plausible enough for Williams to play along despite quickly realizing the approach was suspect.
“They initially reached out to me on LinkedIn, but not from a Gemini account,” Williams, a part-time infosec consultant, told CSO. “I’m figuring that they found me through a search on LinkedIn and thought I’d make a good target since I am open to work.”
Williams added: “The reason I gave them even a moment of my time — as the initial contact was odd enough to signal something was wrong — was because I had reached out to them in January and they might be following up with me.”
First contact
In January Williams applied to Gemini Crypto for a director of security GRC role via its official website, receiving no more than a standard email acknowledgement of his job application.
Months later in May a recruitment representative from Gemini Group’s human resources department approached Williams through LinkedIn about an initially unspecified senior leadership position. A reply from Williams saying he might be interested and offering his contact details was met with an ungrammatical reply.
Soon after, Williams received an SMS message from Li Jiaxin, supposed head of Gemini’s Los Angeles branch and a member of the board of directors, referencing an application for a CISO role. A few quick checks by Williams revealed that Gemini Crypto neither has a Los Angeles office nor a listed board member named Li Jiaxin, but he decided to play along to see where this outreach would lead.
Deepfaked interview shenanigans
What followed was three months of constant messaging, which moved from SMS messages, to conversations on WhatsApp, to a (likely) deepfaked video interview.
“Other than the 15-minute interview, mostly my interaction with them was a minute here and there, and of course the necessary background research on Gemini itself as well as the person who was trying to scam me,” Williams explained. “‘She’ has a Facebook profile to match the WhatsApp profile and periodically changes ‘her’ profile picture but not much else.”
The interview itself was weird, Williams said.
“The interview[er] asked me questions about my career and hopes for relations with the CEO, CFO, and CIO,” Williams said. “There were no technical questions.”
Williams added: “‘She’ never moved her head other than to speak; no blinking, no expressions. I saw no part of her body except the face. The tone of ‘her’ voice was very matter of fact; no inflection.”
Having successfully negotiated the interview, Williams was offered the role and a generous salary package. However, before taking up this “position” Williams was required to complete mandatory training in cryptocurrency derivatives.
He was instructed to purchase $1,000 in cryptocurrency through Coinbase from his own funds to carry out this “training.” Williams declined and was rebuffed when he suggested the funds could be taken from an advance on his first month’s salary, bringing the dialogue to an end.
“I’ve no idea how extensive this is, but the criminals were rather well prepared for a CISO as a target, so they’d done their research,” Williams told CSO.
“My motivation to keep going was there was just enough substance in their conversation to make this 50% plausible that this was real,” he added.
Williams documented the entire exchange — complete with commentary — in a post on LinkedIn.
“They were investing a lot of time into this — three months of constant messages — and had some interesting techniques — the e-signed contract [tied to a Gmail address] — that I thought would make a good story to share,” Williams told CSO.
Pig-butchering dissected
Ashley Jess, Intel 471’s senior intelligence analyst, said the mechanism of the fraud documented by Williams is typical of pig-butchering scams.
“Threat actors frequently initiate contact on legitimate, trusted platforms — for example, LinkedIn job posts or recruiter outreach — because those venues lower a victim’s guard,” Jess explained. “Once rapport is established, the conversation is moved to private channels — WhatsApp, Telegram, DM — and then eventually to sham trading or investment sites where the victim is encouraged to deposit funds, though they may begin on a legitimate platform, such as in this example, before moving to an illegitimate one.”
“Pig butchering” is a deliberate, long-game fraud that relies on building a relationship over time more than a single, cunning trick.
“The long sample interaction the CISO shared is exactly what investigators expect: daily check-ins, career talk, and seemingly innocuous coffee chats that gradually morph into financial conversations,” Jess added. “That ‘grooming’ phase, which can last weeks or months, is what makes the scam so damaging and allows the attackers to push victims into large transfers with convincing narratives and staged ‘returns.’”
Chainalysis estimated crypto fraud at roughly US$12.4 billion in 2024, with high‑yield investment and “pig-butchering” scams representing large proportions of that figure.
“This year alone, we at Intel 471 have helped research and identify thousands of fake investment platforms,” Jess explained. “Increasingly we’re seeing threat actors weaponize fake job offers as an entry point because job hunting normalizes high-value conversations — salary, investments, remote work — and creates plausible pretexts to move off-platform.”
The potential for millions in illicit earnings help explain why attackers play the long game by building trust before attempting financial theft.
“Threat actors use AI-generated profiles, deepfake videos and phone calls, and realistic onboarding materials, carefully staging everything they communicate to make the scam highly convincing, even to the most seasoned cybersecurity professionals,” said Haris Pylarinos, CEO of Hack The Box.
Coding challenges laced with malware
In some cases, fake recruiters have given the scam a mendacious twist by sending candidates “test assignments” booby-trapped with malware that can infect their devices and steal sensitive data.
Palo Alto Network Unit 42 intelligence unit recently discovered a North Korean threat group known as Slow Pisces (aka Jade Sleet) running a targeted campaign impersonating LinkedIn recruiters. They send malware-laced “coding challenges” to developers in the crypto space, aiming to compromise networks and steal data. This campaign is linked to high-profile cryptocurrency thefts — reportedly over $1.5B stolen in 2023 alone.
Vigilence required
Williams’ experience shows that CISOs are not exempt from social engineering and phishing attacks.
Fraudsters are skilled at building out convincing recruitment narratives that mirror real hiring processes, often referencing genuine applications and company details to build credibility — something capable of catching out even seasoned professionals.
Intel 471’s Jess advised: “Practical takeaway: Verify unsolicited recruiters and job offers through company HR channels, avoid moving conversations to unfamiliar private apps, never send money or seed investments to someone you haven’t independently verified, and report suspicious outreach to the platform immediately.”
No Responses