‘Pig butchering-as-a-service’ provides ready-to-use kits, infrastructure

Two “pig butchering-as-a-service” (PBaaS) providers are detailed in a recent report by Infoblox, demonstrating how off-the-shelf kits, templates, panels and infrastructure facilitate global scams similarly to malware-as-a-service (MaaS) and phishing-as-a-service (PhaaS).

The researchers describe the offerings of the “Penguin Account Store” and “UWORK,” the latter of which Infoblox purchased access to investigate its customer relationship management (CRM) panel. These entities are operated by Chinese-speaking threat actors and tend to serve customers operating scam centers across Southeast Asia, the researchers noted.

Pig butchering is a type of online scam originating in China that involves soliciting increasing payments from victims over an extended period of time, often under the guise of legitimate investment opportunity.

The Penguin Account Store, also known as Heavenly Alliance or Overseas Alliance, is a hub for purchasing a variety of resources that facilitate the social engineering and communication aspects of pig butchering schemes.

These resources include databases of personal identifiable information (PII) of potential victims, credentials for pre-registered social media accounts possibly sourced from infostealers, “character sets” of stolen photos to use for fake accounts and romance lures, pre-registered SIM cards and 4G or 5G routers.

Related reading:

Penguin also offers a social customer relationships management (SCRM) platform it calls SCRM AI that purportedly uses AI to help scammers automate social media interactions with victims. Additionally, the store advertises a payment processing platform called BCD Pay, which links to Bochuang Guarantee, an anonymous peer-to-peer payment service with ties to illegal online gambling, according to Infoblox.

While resources like the Penguin Account Store aid in the act of luring victims to pig-butcher scams, UWORK provides infrastructure to manage and monitor those victims throughout the course of the scam, including fake investment website templates — similar to phishing templates in PhaaS kits — and admin panels — not unlike those used by MaaS customers or ransomware affiliates.

UWORK offers various website templates, including those focused on cryptocurrency, foreign exchange (forex) and gold investment schemes. Websites can be geofenced to target or avoid specific countries and integrate with legitimate trading platforms such as MetaTrader to display real-time financial information that lends credibility to the scam investment sites.

The admin panel enables customers to manage and monitor both victims and “first-level agents” who are directly interacting with victims — Infoblox noted that these agents are often individuals who are trafficked for slave labor at large-scale scam centers. Thus, first-level agents have restricted access to information and funds while the actual scam operator oversees and orchestrates everything through the UWORK panel.

UWORK customers can create new agent and victim profiles, view profitability metrics and also collect victim PII through the “know your customer” (KYC) panel, as victims are made to upload proof of identity to the fake trading platform.

Infoblox noted that UWORK was cited by investigators as a service used by alleged pig-butchering scammers who were arrested in the United States in February 2025 for defrauding victims of more than $13 million.

In addition to marketplaces like the Penguin Account Store and services like UWORK, other PBaaS offerings may include mobile application kits and registering of shell companies to both lend credibility and obscure the movement of funds associated with these schemes, Infoblox said.  

Overall, like other cybercrime-as-a-service offerings, PBaaS makes it easier for less-skilled operators to conduct sophisticated scams and more difficult for investigators to attribute these scams to a specific threat actor, as templates and infrastructure are shared and reused across schemes.

“As PBaaS continues to mature, scams are anticipated to become more automated, more global, and more adaptive. Countering this ecosystem will require a shift in focus: targeting the service providers, facilitators, financial enablers, and DNS infrastructure that make mass-scale fraud possible,” the Infoblox report concluded.