What "pig butchering" means

The term is a direct translation of the Mandarin shā zhū pán (杀猪盘), which means "the pig butchering plate." The metaphor describes the operating model: identify a target (the "pig"), feed it carefully over weeks or months until the deposits grow fat, then "butcher" — drain everything at once and disappear. The metaphor is intentionally clinical because the operators run the scheme as a business with KPIs, scripts, and hierarchical management.

This is not a casual phishing attempt. Pig butchering is the work of organized criminal enterprises operating out of forced-labor compounds primarily in Cambodia, Myanmar, and Laos. The "scammers" sending the messages are often themselves trafficked workers held against their will, supervised by managers who control the scripts and take the proceeds. The Wall Street Journal, the FBI, and the United Nations Office on Drugs and Crime have documented the human-trafficking dimension extensively. The point matters for victims: the person you were talking to was not the person you thought they were, and in many cases was being coerced into delivering the script.

The financial scale is the second thing to understand. A 2024 study from the University of Texas at Austin estimated victims worldwide had lost at least $75 billion to pig butchering since the pattern emerged around 2017. That number dwarfs every other crypto-specific category. By comparison, the AdGuard / Chainalysis estimate for crypto wallet drainer losses in 2024 was around $500 million. Pig butchering is two orders of magnitude larger.

The five-stage attack chain

Stage 1: The hook

The first contact looks accidental. A stranger sends a WhatsApp message saying "Hi David, are we still on for dinner Thursday?" — except your name is not David. You reply "Sorry, wrong number." The stranger apologizes, makes a small joke, and the conversation continues. Other variants: a LinkedIn connection request from a polished professional in an aspirational industry (private equity, biotech, oil trading); a Tinder match with a strikingly attractive person who lives in a nearby city; an Instagram DM from someone who "saw your story" and wanted to compliment your travel pictures. The opening is always low-pressure, always plausibly accidental, always designed to bypass your scam radar.

The names and photos come from stolen identities. The operator running the script may have hundreds of these "personas" assigned to them, each with consistent backstories and a photo library scraped from real social media accounts. The person on the other end of the conversation is reading from a playbook; the playbook has been tested on thousands of prior victims; the conversation is tuned to your replies in real time.

Stage 2: The fatten

Once the conversation moves to daily chats, the operator builds genuine emotional rapport over weeks. They ask about your day, your work, your family. They share their own (fictional) life — successful career, recently divorced, traveling for business, lives in a different time zone so video calls are always inconveniently timed. They never ask for money. They might ask for relationship advice or share photos of food they "cooked." The investment isn't in extracting anything yet — it's in earning trust.

The operator works on multiple targets at once. A typical operator runs 5–10 active "relationships" in parallel, each at a different stage. If one target gets suspicious or stops responding, the operator drops them and focuses on the others. Survivor bias filters for the most receptive targets — the people who keep replying, who share emotionally, who reveal vulnerability. Those targets get more attention. Eventually, after weeks of buildup, the operator mentions, casually, that they have been making good returns trading crypto with their uncle's broker. The trading is "no big deal" — just a hobby. They don't pitch you. They might even discourage you from getting into crypto because it's "complicated." This is bait disguised as discouragement.

Stage 3: The trading platform reveal

You ask the operator how they do it. The operator says they use a special platform recommended by their uncle, an investment manager. They send you a link to an exchange that looks identical to a real crypto exchange — clean UI, candlestick charts, deposit/withdrawal flows, KYC verification screens. The branding is custom but the visual quality matches Binance or Coinbase Pro. The domain is something like secure-bitfinex-trading[.]com or kucoin-pro[.]asia — close enough to feel legitimate to non-experts.

The platform is entirely fake. There is no real exchange behind the UI. The "deposit address" sends crypto directly to the operator's wallet. The "trading interface" displays simulated price action and your "portfolio balance" updates in real time based on numbers the operator's backend chooses. When you "make a winning trade," the displayed P&L goes up. When you "lose," the operator chooses the loss. The whole thing is theater designed to convince you the platform is real.

Initial deposits are kept small — a few hundred dollars. The operator coaches you through the deposit and the first trade, which always wins. The displayed return is 15-30% in days. The operator suggests you withdraw a portion to "confirm everything works." The withdrawal goes through, in actual crypto, back to your wallet. This is the critical trust-building moment. You think: "OK, the platform is real. I can get my money out." But the operator only ever lets you withdraw small amounts. The bigger deposits never come back.

Stage 4: The scale-up

You deposit more. The operator says they have a tip about an upcoming "pre-IPO" or "AI token" or "leveraged trade" that will return 200% in a week. They show you their own "portfolio" on the platform, which displays high six-figure or seven-figure balances. They send screenshots of "their" Lamborghini purchase or "their" wife's vacation pictures. The pressure builds gradually. You take out a loan. You drain your retirement account. You convince a sibling to invest. The platform's displayed balance grows to numbers that would change your life. You ask to withdraw a substantial amount. The platform says you need to pay a "tax" or a "verification fee" or a "regulatory compliance deposit" before the withdrawal will release. You pay. Another fee appears. You pay again. At some point, you cannot pay anymore.

Stage 5: The endgame — approval phishing

This is where pig butchering and Web3 wallet drainers converge in 2026. The technical evolution of the scam has shifted from "convince the victim to wire crypto to a fake exchange" to "manipulate the victim into signing a wallet permission that grants spending control to the attacker." The US Secret Service, the UK's National Crime Agency, the Ontario Provincial Police, and the Ontario Securities Commission launched Operation Atlantic on March 16, 2026, specifically targeting this evolution. They named it: "approval phishing."

The mechanic: the operator tells you that to "upgrade your account" or "claim your trading bot rewards" or "synchronize with the new platform version," you need to sign a transaction in your wallet. The signature request looks routine — wallet popups for sign-in messages and approvals are common in DeFi. But the typed-data payload behind the signature grants the operator unlimited token-spending permission on your wallet via Permit2 or ERC-2612 permit. You sign. Nothing visible happens immediately. Days or weeks later, the operator executes transferFrom on the granted permission and your wallet is drained of every token they specified.

The waiting period is intentional. By the time you notice the drain, you have forgotten which page or app prompted the signature, and you cannot trace the loss back to the operator. The on-chain history shows your own wallet as the authorizing signer. For deeper detail on the signature mechanic, see Permit2 signature attack explained.
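To make the typed-data payload concrete, here is an added example (not part of the original article and not SafeBrowz code) that inspects an EIP-712 signing request and reports whether it grants spending permission, to whom, and for how long. The allowlist parameter, the 30-day "long-lived" threshold and the sample addresses are assumptions constructed for illustration.

```javascript
// Added example: triage an EIP-712 request (eth_signTypedData_v4 JSON) before signing.
const MAX_UINT160 = (1n << 160n) - 1n; // "unlimited" for Permit2 allowance amounts
const MAX_UINT256 = (1n << 256n) - 1n; // "unlimited" for ERC-2612 values
const LONG_LIVED_SECONDS = 30n * 86400n; // assumption: over 30 days counts as long-lived

// Normalise the permit shapes into {spender, token, amount, expiry} grants.
function extractGrants({ primaryType, message: m, domain }) {
  switch (primaryType) {
    case "Permit": // ERC-2612: the token contract is the verifying contract
      return [{ spender: m.spender, token: domain.verifyingContract, amount: m.value, expiry: m.deadline }];
    case "PermitSingle": // Permit2 allowance, one token
    case "PermitBatch": // Permit2 allowance, several tokens
      return [].concat(m.details).map((d) => (
        { spender: m.spender, token: d.token, amount: d.amount, expiry: d.expiration }));
    case "PermitTransferFrom": // Permit2 one-off signed transfer
    case "PermitBatchTransferFrom":
      return [].concat(m.permitted).map((p) => (
        { spender: m.spender, token: p.token, amount: p.amount, expiry: m.deadline }));
    default:
      return []; // e.g. a sign-in message: no spending permission involved
  }
}

// knownSpenders: addresses the user has deliberately chosen to trust (hypothetical allowlist).
function assessSigningRequest(typedData, knownSpenders, nowSeconds) {
  const known = new Set(knownSpenders.map((a) => a.toLowerCase()));
  const findings = extractGrants(typedData).map((g) => {
    const reasons = [];
    const amount = BigInt(g.amount);
    if (!known.has(String(g.spender).toLowerCase())) reasons.push("unfamiliar spender");
    if (amount === MAX_UINT160 || amount === MAX_UINT256) reasons.push("unlimited amount");
    if (BigInt(g.expiry) - BigInt(nowSeconds) > LONG_LIVED_SECONDS) reasons.push("long-lived permission");
    return { ...g, reasons };
  });
  return {
    grantsSpending: findings.length > 0,
    // The rule from the text: spending permission to an unfamiliar address means do not sign.
    block: findings.some((f) => f.reasons.includes("unfamiliar spender")),
    findings,
  };
}

// Constructed sample: the payload a "synchronize your account" prompt could carry.
const SAMPLE_REQUEST = {
  primaryType: "PermitSingle",
  domain: { name: "Permit2", chainId: 1, verifyingContract: "0x" + "cc".repeat(20) },
  message: {
    details: { token: "0x" + "aa".repeat(20), amount: MAX_UINT160.toString(), expiration: "1893456000", nonce: "0" },
    spender: "0x" + "bb".repeat(20),
    sigDeadline: "1893456000",
  },
};

console.log(assessSigningRequest(SAMPLE_REQUEST, [], 1767225600));
```

A long expiry on the grant is what makes the delayed drain possible, which is why the example reports it alongside the spender and amount.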

Who runs pig butchering operations

The frontline operators are typically trafficked workers held in compound facilities in Sihanoukville (Cambodia), KK Park / Shwe Kokko (Myanmar), and Bokeo (Laos). The compounds are operated by organized crime syndicates, in some cases with documented links to Chinese triad networks. Workers are recruited through fake job ads on LinkedIn and regional job boards promising tech or hospitality work, then trafficked into the compounds where their passports are confiscated and they are forced to run scam scripts under threat of violence.

The compound structure has tiers. Frontline workers do the messaging. Mid-tier supervisors manage scripts and target lists. Senior managers handle financial laundering through a network of shell companies, OTC desks, and tether (USDT) on-chain conversions. The criminal proceeds typically pass through compromised crypto exchanges in Southeast Asia before being laundered into fiat through layered transfers.

Multiple investigative outlets — Vice, ProPublica, Bloomberg, the Wall Street Journal — have published embedded reporting from inside the compounds, including interviews with workers who escaped. The forced-labor dimension matters because it changes the moral framing of victims: the person who messaged you was likely themselves a victim of a different kind. The financial loss is yours, but the scam ecosystem has more layers of harm than a single transaction.

The 2026 enforcement wave

The first four months of 2026 produced more enforcement actions against pig butchering operations than the entire preceding decade. Highlights:

  • January 2026: The US government transferred $225 million in USDT seized from a pig-butchering scam directly to Tether for burning, settled on Ethereum without an exchange — one of the largest stablecoin transactions tied to federal enforcement on record.
  • March 16, 2026: Operation Atlantic launched — US Secret Service, UK NCA, Ontario Provincial Police, and Ontario Securities Commission coordinated a week-long action focused on identifying approval-phishing victims in real time.
  • April 2026: The FBI's Operation Level Up scaled — agents proactively contacting potential victims based on on-chain transaction patterns. The operation has prevented an estimated $285+ million in additional losses by reaching victims before they sent more funds.
  • April–May 2026: Dubai Police arrested 275 suspects from nine compound facilities in a coordinated raid.
  • May 2026: A coordinated US–China operation arrested 276 additional suspects, shut down nine more crypto scam centers, and seized $701 million in laundered proceeds.

The enforcement wave matters for two reasons. First, takedowns disrupt active campaigns and reduce the rate at which new victims are recruited. Second, the seized funds create a precedent for victim restitution — historically, pig butchering victims have rarely recovered anything, but the 2026 enforcement actions have begun to establish frameworks for returning seized USDT to identified victims.

The 7 red flags that catch pig butchering early

  1. Wrong-number opener. Any unsolicited message from an unknown number that is followed by an apology and a continued conversation is the pig butchering opening move. Real wrong-number texts end after the apology. Pig butchering wrong-number texts persist.
  2. The conversation moves to WhatsApp / Telegram immediately. The operator wants you off platforms that have content moderation or fraud reporting (LinkedIn, dating apps). They will push the chat to WhatsApp, Telegram, Signal, or WeChat within the first few exchanges.
  3. Video calls keep getting canceled or are very short and low quality. The operator either does not have access to a deepfake video setup or wants to avoid creating evidence. Brief video calls happen; long ones do not. "Sorry, my Wi-Fi is bad" is a perpetual excuse.
  4. They have a unique investment opportunity through a family contact. The operator never pitches "the system" directly. They casually mention their uncle, cousin, college friend, or family broker who has access to a special platform. The personal connection feels like the offer is for you specifically. It is the same offer made to thousands of others.
  5. The trading platform is a domain you have never heard of. Real crypto exchanges are visible everywhere in crypto media. If you cannot find the platform mentioned by any independent reviewer, podcaster, or news outlet, it does not exist outside the scam.
  6. First withdrawal works, second withdrawal "needs a fee" or "tax." The first small withdrawal is the trust-building lever. Every subsequent withdrawal will be blocked by escalating "fees" or "deposits" you have to pay first. Real exchanges do not work this way. Tax obligations are reported via tax forms, not collected by the exchange.
  7. They ask you to sign a "verification" or "synchronization" transaction in your wallet. This is the approval-phishing endgame. Any signature request that grants spending permission to an unfamiliar address is a drainer setup, regardless of how routine the operator makes it sound.

What to do if you are being targeted right now

  • Do not block the operator yet. Save the message thread, screenshots of the trading platform, the deposit addresses you used, and every URL the operator sent you. This evidence is critical for reporting and possible recovery.
  • Stop sending money immediately. Any "fee" or "tax" required to release a withdrawal is part of the scam. You will not get your principal back by paying more fees.
  • Do not sign any wallet transaction the operator requests. Disconnect your wallet from any site the operator told you about. If you have already signed something, see the recovery section below.
  • Tell someone you trust. Pig butchering relies heavily on isolation. Operators discourage victims from telling family because "they wouldn't understand." Telling a family member or close friend is the single highest-impact action against the operator's psychological hold.
  • Report to FBI IC3 (US) or the equivalent agency in your country. Even if you think the loss is unrecoverable, your report contributes to investigations like Operation Level Up that prevent future losses for other victims.

How to recover if you already sent crypto or signed approvals

  1. File at ic3.gov immediately. The FBI's Internet Crime Complaint Center is the primary US channel. Include screenshots, transaction hashes, the platform URLs, the operator's account names, and any wallet addresses you sent crypto to. Operation Level Up uses these reports to identify other victims and seize laundered funds.
  2. Report to reportfraud.ftc.gov for the broader fraud database.
  3. Revoke wallet approvals at revoke.cash. Connect your wallet, find any Permit2 allowance or token approval with an unfamiliar spender, and revoke. If you signed something during the scam, this is the only way to prevent the operator from executing a drain on a delayed timer.
  4. Move remaining crypto to a fresh wallet. Generate a new seed phrase on a clean device, transfer everything you have to the new wallet, and treat the old wallet as compromised. Even if you revoke all visible approvals, you cannot be sure you caught every one.
  5. Contact your bank if you used wire transfers or card payments. Charges within the past 60 days can often be reversed via dispute. Crypto purchased on regulated exchanges in the past few days may still be reversible if the exchange has fraud protections.
  6. Contact your state Attorney General's office. US states with active pig-butchering task forces (New York, California, Texas, Florida) have dedicated channels for victim intake.
  7. Beware of "recovery scams." Once you have been identified as a victim, secondary scammers will contact you offering to recover your funds for an upfront fee. These are themselves scams. No legitimate recovery service charges upfront fees from victims of fraud.

How SafeBrowz catches the approval phishing endgame

SafeBrowz cannot intercept the romance-building stage — that happens on messaging apps the extension doesn't see. But the endgame, where the operator points you at a wallet signature URL, is exactly where SafeBrowz operates. The three-layer detection model:

Layer 1 — Local checks. Pattern rules for known fake-exchange URL structures, suspicious TLDs (.xyz, .top, .live, .vip used heavily by pig butchering operators), free-hosting destinations (Vercel / Netlify / Cloudflare Pages with fake exchange dashboards), and homograph attacks. Most pig butchering "trading platforms" register fresh domains on cheap TLDs, which the local layer flags.

Layer 2 — API checks. Google Safe Browsing database, community blacklist (refreshed every 6 hours and updated when new pig-butchering platforms are reported), WHOIS domain age (most fake exchanges are less than 60 days old at the time victims are sent there), URL shortener unwrap (operators often hide the destination behind bit.ly or branded shorteners).

Layer 3 — AI scan + signature detection. Page content analysis in 100+ languages catches brand impersonation when the fake platform mimics Binance, Coinbase, KuCoin, or other real exchange visual identity on a non-official domain. For Premium users, JavaScript signature inspection catches Permit2 payload construction patterns even on novel platform UIs — the drainer libraries underneath tend to reuse known code.
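The kind of local URL triage that Layers 1 and 2 describe can be sketched as follows. This is an added example, not SafeBrowz's implementation: the brand-to-domain table, the hosting suffixes and the function name are assumptions, and the domain age is passed in by the caller (from a WHOIS lookup) so the check itself runs offline.

```javascript
// Added example: local URL triage using the signals listed for Layer 1 and Layer 2.
const SUSPICIOUS_TLDS = ["xyz", "top", "live", "vip"]; // TLDs named in the text
const FREE_HOSTING = ["vercel.app", "netlify.app", "pages.dev"]; // Vercel, Netlify, Cloudflare Pages
const OFFICIAL = { // assumption: a small brand -> official domain table
  binance: "binance.com", coinbase: "coinbase.com", kucoin: "kucoin.com", bitfinex: "bitfinex.com",
};
const YOUNG_DOMAIN_DAYS = 60; // most fake exchanges are younger than this when victims arrive

const onDomain = (host, domain) => host === domain || host.endsWith("." + domain);

// rawUrl may be defanged ("[.]") or lack a scheme; domainAgeDays is optional.
function triageUrl(rawUrl, domainAgeDays) {
  let text = rawUrl.trim().replace(/\[\.\]/g, ".");
  if (!/^[a-z][a-z0-9+.-]*:\/\//i.test(text)) text = "https://" + text;
  let host;
  try {
    host = new URL(text).hostname.toLowerCase();
  } catch {
    return { host: null, flags: ["unparseable url"], suspicious: true };
  }
  const labels = host.split(".");
  const flags = [];
  if (SUSPICIOUS_TLDS.includes(labels[labels.length - 1])) flags.push("suspicious tld");
  if (FREE_HOSTING.some((d) => host.endsWith("." + d))) flags.push("free hosting");
  // The URL parser converts non-ASCII hostnames to "xn--" labels, the usual homograph tell.
  if (labels.some((l) => l.startsWith("xn--"))) flags.push("punycode label (possible homograph)");
  for (const [brand, official] of Object.entries(OFFICIAL)) {
    if (host.includes(brand) && !onDomain(host, official)) flags.push(`brand "${brand}" off official domain`);
  }
  if (typeof domainAgeDays === "number" && domainAgeDays < YOUNG_DOMAIN_DAYS) {
    flags.push("domain younger than 60 days");
  }
  return { host, flags, suspicious: flags.length > 0 };
}

// The two lookalike domains quoted earlier in the article, plus a constructed age of 12 days.
console.log(triageUrl("secure-bitfinex-trading[.]com", 12));
console.log(triageUrl("kucoin-pro[.]asia"));
```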

The same Premium key activates the SafeBrowz Telegram bot — if a pig butchering operator pivots your group conversation to Telegram and drops a "trading platform" link, the bot replies in the same thread before anyone clicks. For wallet apps and security platforms that want to integrate detection at scale, the API is at api.safebrowz.com/v1/detect.

The structural problem and what is changing

Pig butchering scaled the way it did because three things lined up: a vulnerable target population (lonely or financially stretched adults reachable through dating apps and social media), a payment rail with no chargebacks (crypto), and a labor supply that operators could coerce into running the scripts (trafficked workers in unstable jurisdictions). The 2026 enforcement wave is the first serious attempt to break that combination. Tether's cooperation on freezing and burning seized USDT is a real lever — the Asia-based laundering networks depended heavily on tether mobility, and that mobility is now contestable.

But enforcement does not scale to the speed at which compounds replicate. New compound facilities have already appeared in Vietnam, Nepal, and parts of West Africa to replace those raided in Cambodia and Myanmar. The operators learn from each enforcement action and shift jurisdiction. Defense at the victim layer — recognizing the pattern early, refusing to engage when the wrong-number text arrives, never signing wallet transactions for "verification" reasons — remains the most reliable protection.

If a stranger reaches out and the conversation eventually leads to a unique investment opportunity, the conversation is the scam. If a trading platform you have never heard of is showing you returns that real exchanges do not deliver, the platform is the scam. If a "synchronization" or "verification" signature is required to move funds in a wallet, the signature is the scam. Three rules cover almost every pig butchering case.

Block fake exchange and approval phishing pages automatically

SafeBrowz is a free browser extension for Chrome, Firefox, and Edge that blocks fake exchange clones, approval-phishing pages, and wallet drainer URLs before they load. Core protection is free forever. Premium adds JavaScript signature detection for known drainer libraries (Inferno, Pink, Angel, MS, Atomic) and Permit2 attack catching for $14.99 per year, or hold 10 million $SAFEBROWZ tokens on Base for unlimited Premium access. The same Premium key works on the SafeBrowz Telegram bot — drop the bot in your group and any pig butchering trading platform link posted in the chat gets flagged before anyone clicks.
