{"id":5188,"date":"2025-10-03T07:00:00","date_gmt":"2025-10-03T07:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=5188"},"modified":"2025-10-03T07:00:00","modified_gmt":"2025-10-03T07:00:00","slug":"that-ciso-job-offer-could-be-a-pig-butchering-scam","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=5188","title":{"rendered":"That CISO job offer could be a \u2018pig-butchering\u2019 scam"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>The recent experience of a seasoned security leader illustrates how fake job offers are increasingly being used as entry points for \u201cpig-butchering\u201d scams.<\/p>\n<p>Pig-butchering scams are a form of investment fraud that exploit social engineering to build a relationship with a prospective mark before butchering them financially, often through cryptocurrency or other fake investments.<\/p>\n<p>Fraudsters purportedly representing Gemini Crypto, a US-based cryptocurrency trading platform, tried to leave US CISO <a href=\"https:\/\/www.linkedin.com\/in\/wbjw3\/\">Walter Williams<\/a> at a minimum of $1,000 out of pocket through a sustained campaign that lasted more than three months between May and September 2025. The pretext of a confidential job search for a CISO was plausible enough for Williams to play along despite quickly realizing the approach was suspect.<\/p>\n<p>\u201cThey initially reached out to me on LinkedIn, but not from a Gemini account,\u201d Williams, a part-time infosec consultant, told CSO. 
\u201cI\u2019m figuring that they found me through a search on LinkedIn and thought I\u2019d make a good target since I am open to work.\u201d<\/p>\n<p>Williams added: \u201cThe reason I gave them even a moment of my time \u2014 as the initial contact was odd enough to signal something was wrong \u2014 was because I had reached out to them in January and they might be following up with me.\u201d<\/p>\n<h2 class=\"wp-block-heading\">First contact<\/h2>\n<p>In January Williams applied to Gemini Crypto for a director of security GRC role via its official website, receiving no more than a standard email acknowledgement of his job application.<\/p>\n<p>Months later in May a recruitment representative from Gemini Group\u2019s human resources department approached Williams through LinkedIn about an initially unspecified senior leadership position. A reply from Williams saying he might be interested and offering his contact details was met with an ungrammatical reply.<\/p>\n<p>Soon after, Williams received an SMS message from Li Jiaxin, supposed head of Gemini\u2019s Los Angeles branch and a member of the board of directors, referencing an application for a CISO role. 
A few quick checks by Williams revealed that Gemini Crypto has neither a Los Angeles office nor a listed board member named Li Jiaxin, but he decided to play along to see where this outreach would lead.<\/p>\n<h2 class=\"wp-block-heading\">Deepfaked interview shenanigans<\/h2>\n<p>What followed was three months of constant messaging, which moved from SMS messages, to conversations on WhatsApp, to a (likely) <a href=\"https:\/\/www.csoonline.com\/article\/3982379\/deepfake-attacks-are-inevitable-cisos-cant-prepare-soon-enough.html\">deepfaked<\/a> video interview.<\/p>\n<p>\u201cOther than the 15-minute interview, mostly my interaction with them was a minute here and there, and of course the necessary background research on Gemini itself as well as the person who was trying to scam me,\u201d Williams explained. \u201c\u2018She\u2019 has a Facebook profile to match the WhatsApp profile and periodically changes \u2018her\u2019 profile picture but not much else.\u201d<\/p>\n<p>The interview itself was weird, Williams said.<\/p>\n<p>\u201cThe interview[er] asked me questions about my career and hopes for relations with the CEO, CFO, and CIO,\u201d Williams said. \u201cThere were no technical questions.\u201d<\/p>\n<p>Williams added: \u201c\u2018She\u2019 never moved her head other than to speak; no blinking, no expressions. I saw no part of her body except the face. The tone of \u2018her\u2019 voice was very matter of fact; no inflection.\u201d<\/p>\n<p>Having successfully negotiated the interview, Williams was offered the role and a generous salary package. 
However, before taking up this \u201cposition\u201d Williams was required to complete mandatory training in cryptocurrency derivatives.<\/p>\n<p>He was instructed to purchase $1,000 in cryptocurrency through Coinbase from his own funds to carry out this \u201ctraining.\u201d Williams declined and was rebuffed when he suggested the funds could be taken from an advance on his first month\u2019s salary, bringing the dialogue to an end.<\/p>\n<p>\u201cI\u2019ve no idea how extensive this is, but the criminals were rather well prepared for a CISO as a target, so they\u2019d done their research,\u201d Williams told CSO.<\/p>\n<p>\u201cMy motivation to keep going was there was just enough substance in their conversation to make this 50% plausible that this was real,\u201d he added.<\/p>\n<p>Williams documented the entire exchange \u2014 complete with commentary \u2014 in a <a href=\"https:\/\/www.linkedin.com\/pulse\/very-long-con-how-criminal-organization-tried-trick-me-williams-r2aze\/\">post on LinkedIn<\/a>.<\/p>\n<p>\u201cThey were investing a lot of time into this \u2014 three months of constant messages \u2014 and had some interesting techniques \u2014 the e-signed contract [tied to a Gmail address] \u2014 that I thought would make a good story to share,\u201d Williams told CSO.<\/p>\n<h2 class=\"wp-block-heading\">Pig-butchering dissected<\/h2>\n<p><a href=\"https:\/\/www.linkedin.com\/in\/ashley-jess\/\">Ashley Jess<\/a>, Intel 471\u2019s senior intelligence analyst, said the mechanism of the fraud documented by Williams is typical of pig-butchering scams.<\/p>\n<p>\u201cThreat actors frequently initiate contact on legitimate, trusted platforms \u2014 for example, LinkedIn job posts or recruiter outreach \u2014 because those venues lower a victim\u2019s guard,\u201d Jess explained. 
\u201cOnce rapport is established, the conversation is moved to private channels \u2014 WhatsApp, Telegram, DM \u2014 and then eventually to sham trading or investment sites where the victim is encouraged to deposit funds, though they may begin on a legitimate platform, such as in this example, before moving to an illegitimate one.\u201d<\/p>\n<p>\u201cPig butchering\u201d is a deliberate, long-game fraud that relies on building a relationship over time more than a single, cunning trick.<\/p>\n<p>\u201cThe long sample interaction the CISO shared is exactly what investigators expect: daily check-ins, career talk, and seemingly innocuous coffee chats that gradually morph into financial conversations,\u201d Jess added. \u201cThat \u2018grooming\u2019 phase, which can last weeks or months, is what makes the scam so damaging and allows the attackers to push victims into large transfers with convincing narratives and staged \u2018returns.\u2019\u201d<\/p>\n<p>Chainalysis estimated crypto fraud at roughly US$12.4 billion in 2024, with high\u2011yield investment and \u201cpig-butchering\u201d scams representing large proportions of that figure.<\/p>\n<p>\u201cThis year alone, we at Intel 471 have helped research and identify thousands of fake investment platforms,\u201d Jess explained. 
\u201cIncreasingly we\u2019re seeing threat actors weaponize fake job offers as an entry point because job hunting normalizes high-value conversations \u2014 salary, investments, remote work \u2014 and creates plausible pretexts to move off-platform.\u201d<\/p>\n<p>The potential for millions in illicit earnings helps explain why attackers play the long game by building trust before attempting financial theft.<\/p>\n<p>\u201cThreat actors use AI-generated profiles, deepfake videos and phone calls, and realistic onboarding materials, carefully staging everything they communicate to make the scam highly convincing, even to the most seasoned cybersecurity professionals,\u201d said <a href=\"https:\/\/www.hackthebox.com\/blog\/author\/ch4p\">Haris Pylarinos<\/a>, CEO of Hack The Box.<\/p>\n<h2 class=\"wp-block-heading\">Coding challenges laced with malware<\/h2>\n<p>In some cases, fake recruiters have given the scam a mendacious twist by sending candidates \u201ctest assignments\u201d booby-trapped with malware that can infect their devices and steal sensitive data.<\/p>\n<p>Palo Alto Networks\u2019 Unit 42 intelligence unit recently discovered a North Korean threat group known as <a href=\"https:\/\/unit42.paloaltonetworks.com\/slow-pisces-new-custom-malware\/\">Slow Pisces (aka Jade Sleet) running a targeted campaign impersonating LinkedIn recruiters<\/a>. They send malware-laced \u201ccoding challenges\u201d to developers in the crypto space, aiming to compromise networks and steal data. 
This campaign is linked to high-profile cryptocurrency thefts \u2014 reportedly over $1.5B stolen in 2023 alone.<\/p>\n<h2 class=\"wp-block-heading\">Vigilance required<\/h2>\n<p>Williams\u2019 experience shows that CISOs are not exempt from social engineering and phishing attacks.<\/p>\n<p>Fraudsters are skilled at building out convincing recruitment narratives that mirror real hiring processes, often referencing genuine applications and company details to build credibility \u2014 something capable of catching out even seasoned professionals.<\/p>\n<p>Intel 471\u2019s Jess advised: \u201cPractical takeaway: Verify unsolicited recruiters and job offers through company HR channels, avoid moving conversations to unfamiliar private apps, never send money or seed investments to someone you haven\u2019t independently verified, and report suspicious outreach to the platform immediately.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>The recent experience of a seasoned security leader illustrates how fake job offers are increasingly being used as entry points for \u201cpig-butchering\u201d scams. Pig-butchering scams are a form of investment fraud that exploit social engineering to build a relationship with a prospective mark before butchering them financially, often through cryptocurrency or other fake investments. 
Fraudsters [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":5189,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-5188","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5188"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5188"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5188\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/5189"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5188"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5188"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5188"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}