Pig butchering compound report 2026: inside the $63 billion Southeast Asia pipeline

The four months Megan spent falling in love with a script

Megan was 41, divorced for three years, and tired of dating apps. She matched with Andrew on Hinge on a Tuesday night in February 2025. His profile said he was a 44-year-old structural engineer based in Singapore, originally from Boston, currently in town visiting family. His photos showed him on a sailboat, at a vineyard in Sonoma, eating noodles in a small Tokyo bar. The photos were not stock photos. They were real photos of a real man whose Instagram had been scraped two years earlier. He had no idea his face was being used.

Andrew opened with a question about the book on her shelf in the third photo. The Goldfinch. He said he had read it twice and that the Vegas section dragged. Megan laughed out loud at her kitchen counter. She typed a reply.

They moved to WhatsApp on day three. Andrew apologized that work travel made his Hinge use sporadic. He said WhatsApp worked better internationally. The number was a Singapore prefix. Everything checked out.

For the next four months, Andrew was the most attentive man Megan had ever talked to. He sent good-morning messages at 6 AM Eastern, which was 6 PM in Singapore, which made the time difference feel like a feature instead of a bug. He asked about her daughter's school project. He remembered her mother's surgery date and texted to ask how it went. He sent a real bouquet of flowers to her office on a Wednesday with a card that read "for the woman who actually reads the books on her shelf." The flower shop was real. The order had been placed through a service that accepts crypto.

He talked about his work. Bridge load calculations. A project in Vietnam. A weekend in Hong Kong to meet investors. He sent photos of himself in restaurants, photos of his hotel view, photos of his hand holding a coffee cup with a newspaper dated that morning. The photos were generated by a small in-compound team that swapped the scraped face into stock backgrounds using off-the-shelf face-swap tools. The newspapers were photoshopped. The coffee cups were real, photographed in the compound canteen.

In month three, Andrew mentioned, casually, that his uncle in Hong Kong managed a private trading desk that ran a closed-network crypto strategy. He was not pitching her. He said it in the context of complaining that his uncle wanted him to "take it more seriously" and put more of his own money in. Megan asked what kind of returns the strategy did. Andrew said he averaged about 12 percent a month and that her question was sweet but he did not want to mix money and them. He changed the subject.

She brought it up again two weeks later. He resisted. She insisted. Eventually he agreed to send her the link to the platform "just so you can see what it looks like, but please do not actually use it without talking to me." The platform was called Centrex Pro. The domain was centrex-pro[.]live. The interface was a clean copy of a real exchange. KYC verification, candlestick charts, deposit address, withdrawal flow. Megan deposited $500 in USDT through Coinbase. The platform showed her a small profit by the end of the day. She withdrew $200 back to her Coinbase wallet to test that withdrawals worked. The $200 arrived in four hours. The platform was real to her now.

Over the next six weeks she deposited $48,000 in three transfers. $5,000, then $13,000, then $30,000. The last $30,000 came from a home-equity line of credit she opened specifically for "this opportunity." Her displayed balance on Centrex Pro showed $217,000. When she tried to withdraw $80,000, the platform requested a 15 percent "anti-money-laundering tax" be paid first to release the funds. The tax was $12,000. She paid it. The withdrawal still did not release. A new request appeared: a 5 percent "international compliance fee." That was another $10,850.

She called her sister. Her sister told her to stop. She stopped. Andrew kept messaging for three more days, then went silent. The Centrex Pro domain stopped resolving a week later. Megan filed a complaint with the FBI Internet Crime Complaint Center on a Sunday night. The case was logged. The money was already in seven different wallets, then bridged to a Hong Kong over-the-counter desk, then withdrawn as Hong Kong dollars to a network of shell companies, then transferred to mainland accounts. The chain analysis traced 73 percent of it in the first 48 hours. None of it came back.

The job ad Vinh answered in a Hanoi cafe

Three thousand miles west, in a coffee shop in Hai Phong, Vietnam, a 22-year-old computer science graduate named Vinh was scrolling a Vietnamese-language tech job board on his phone. He had finished his degree six months earlier. The local market for entry-level developers had cratered. He had been doing tutoring work and contract freelance bug fixes and not making rent.

The ad was for "customer service representative, Sihanoukville Special Economic Zone, Cambodia." Salary: $1,400 USD per month, paid in cash. Housing included. Free meals. English required, Chinese a plus. The employer was listed as "Asia Online Services Group." There was a polished website. There were testimonials from "current employees." There was a Vietnamese-speaking HR contact on Telegram who replied in under five minutes.

Vinh applied. The Telegram contact set up a video interview that same evening. The interviewer was warm and professional and asked basic English-comprehension questions and one question about whether Vinh would be willing to relocate for at least 12 months. Vinh said yes. He was hired three days later. The company paid for his flight to Phnom Penh and a driver to take him the four hours south to Sihanoukville.

The driver took his phone and his passport at the compound gate. The driver said it was for security processing and they would be returned within 24 hours. They were not. Vinh was shown to a dormitory on the fifth floor that he would share with seven other men, all in their twenties, three of them also Vietnamese, two Chinese, one Indonesian, one Filipino. Nobody had been there for less than three weeks. Nobody had their passport. There were bars on the windows. The doors of the dormitory locked from outside between the hours of midnight and 6 AM. He was told, in matter-of-fact tones, that his "training period" would last two weeks and that he had a debt to the company of $12,000 for the recruitment, flight, and accommodation, which would be deducted from his salary at a rate of $400 per month. If he wanted to leave before paying it off, his family would be contacted for the balance.

He was given a phone with eight dating-app profiles already logged in. Hinge, Bumble, OkCupid, Tinder, plus four region-specific apps. Each profile had a complete identity. Andrew the Singapore engineer was one of them. The phone also had WhatsApp, Telegram, and Line installed, with conversation threads already in progress with dozens of targets in the United States, Australia, Singapore, the United Kingdom, and Canada.

The script was in a Google Doc shared with his floor supervisor. The supervisor was a 31-year-old Chinese man who had worked in the compound for two years and who was paid commission on the floor's earnings. The script had branches. Opening greetings adapted to time zone and stated occupation. Mid-conversation prompts adapted to whether the target was responsive or cool. A "fattening checklist" of trust-building beats: ask about family, remember details, send a small gift if engagement is high. The platform-reveal point was triggered when the target's emotional rapport metric crossed a threshold, which the supervisor scored from message logs each morning.

Vinh was given Megan as one of his assignments in March, two weeks into his time at the compound. He did not know her name. He knew her by her profile ID: HG-US-41-PARA. Hinge, United States, age 41, paralegal. Her grooming was being handled by a more senior worker until he was promoted to take her over in May. By then she had already deposited $5,000. His job was the platform-side conversation: walk her through the "compliance tax," push her toward the home-equity line of credit, maintain emotional warmth while the financial extraction escalated. He typed every message she received in the final six weeks. Some of the messages he typed himself. Some he copy-pasted from the script. None of them were Andrew. None of them were real.

When she went silent in late June, his supervisor moved him to a new target. The system never paused. There were always more.

Where the two stories meet

Megan thought she had fallen in love with a man. Vinh knew he was running a script under threat of violence. Both of them were inside a system that had been designed by a third group, the senior management of the criminal syndicate that owned the compound, to extract money from one of them through the labor of the other. The middle layer was the script. The script was the same one running on 200 other phones in the same building.

The UN Office on Drugs and Crime, in its October 2024 report on transnational organized crime in Southeast Asia, estimated that the total value of pig butchering and adjacent compound-driven fraud against victims worldwide reached $37.3 billion in East and Southeast Asia alone in 2023, with a global figure UNODC characterized as "tens of billions of dollars" annually. Subsequent estimates from the US Institute of Peace, working from the same dataset extended through 2024, place the global figure at $63 to $75 billion. The same UNODC report estimated that hundreds of thousands of people, drawn from at least 28 countries, are currently held in compound conditions across the region. The largest source countries for trafficked workers are Vietnam, China, Thailand, Indonesia, Malaysia, the Philippines, India, Pakistan, Bangladesh, Sri Lanka, Nepal, and increasingly several African nations.

The Humanity Research Consultancy, an independent specialist on forced criminality, estimated in 2024 that the population of trafficked compound workers in Cambodia, Myanmar, and Laos combined likely exceeds 220,000. The Global Anti-Scam Organization's 2024 victim survey of pig butchering complainants found that the median financial loss per US victim was $169,000, that 71 percent of victims first engaged with their scammer on a dating app, and that the average grooming period before the first deposit was 17 weeks.

This is the scale. This is the shape. Megan and Vinh are not characters. They are composites of patterns documented by United Nations investigators, by Reuters and Al Jazeera embedded reporters, by Chainalysis on-chain forensics, and by the small number of compound workers who have escaped and given interviews to NGOs and law enforcement.

What "killing pig" actually means

The phrase pig butchering is a direct translation of the Mandarin shā zhū pán, written 杀猪盘, which means literally "the butchering pig plate." The phrase originated on Chinese-language gambling and fraud forums around 2016 and 2017. It described a specific gambling-adjacent scam in which Chinese-language victims were drawn into rigged online betting platforms after a period of grooming. The metaphor was operational, not poetic. The victim was the pig. The grooming period was the fattening. The financial extraction was the slaughter. The plate referred to the entire production, the way a kitchen platter holds the prepared dish.

The model migrated. Chinese organized crime networks that had operated the original gambling variant relocated to the Mekong region after a 2016 to 2018 anti-fraud crackdown in mainland China made the operation untenable from inside the mainland. Sihanoukville, Cambodia, became the first major hub. The city's Special Economic Zone status, low law-enforcement presence, and proximity to a deep-water port that could accept international flights made it ideal. By 2019 the scam had been adapted to target English-speaking victims and the dating-app vector had replaced gambling as the dominant grooming front. By 2021 the compounds had spread to Myanmar's Karen and Shan states and to the Bokeo Special Economic Zone in northern Laos.

The naming continues to matter because the original Mandarin phrase carried no euphemism. Western coverage that softened the term ("romance investment fraud") obscured the industrial scale of the operation. Victims who searched for what had happened to them often did not find the right pattern because the right pattern was being described under a name English-language search engines did not know.

The compound infrastructure model

A typical large compound is a walled facility containing between 1,000 and 10,000 workers across multiple buildings. The largest single complex documented to date, KK Park on the Myanmar side of the Moei River across from Mae Sot, Thailand, was estimated by USIP and Reuters in 2024 to contain approximately 6,000 to 10,000 trafficked workers in peak operation. Chinatown, near Shwe Kokko in the same Karen State region, had similar scale before the late-2024 raids.

The buildings are arranged like office towers. Workers are organized by floor. Each floor has a "team lead" who supervises 30 to 60 workers, monitors message logs, scores rapport metrics, and reports daily to a building manager. Building managers report to compound management. Compound management answers to the syndicate that owns the facility. The syndicates that own facilities in Sihanoukville and KK Park have been linked in multiple investigative reports to organized crime networks with documented histories in mainland China, with backing in several cases from political and military figures in the host territories.

The work is shift-based. A typical worker is required to log 12 to 16 hours per day on the phones, six and a half days per week. Quotas are enforced by the floor supervisor and by daily review of conversation logs. Workers who fail to advance a target through the script stages within a certain window are punished. Documented punishments, per worker interviews collected by the Mekong Club, GASO, and the Humanity Research Consultancy, include withholding of food, beatings, electric shocks, solitary confinement in concrete rooms with no windows, and in some cases sale to other compounds at a markup that increases the worker's debt. Escape attempts that fail are punished severely. Successful escapes typically require either ransom payment by the worker's family, bribes paid to local officials, or coordinated NGO and law-enforcement intervention.

The infrastructure inside is industrial. Compounds have their own dormitories, canteens, security teams, medical clinics (often operated by other trafficked workers with medical training), generators, satellite internet links to bypass national filtering, on-site SIM-card farms, KYC-document warehouses with stolen identity packages, on-site face-swap and voice-clone production teams, photographers and lighting rigs for "lifestyle" photo generation, and cryptocurrency processing rooms that handle the on-chain side of the operation.

The 2024 USIP report on Myanmar SEZ compounds documented the supply-chain dimension as well. Compounds source uniforms, food, scripted training materials, dating-app KYC bypasses, and stolen photo libraries from a layer of contractors that itself operates as a small parallel economy. Several known contractors are based in Hong Kong and operate as outwardly legitimate digital marketing firms.

The script and the tooling

The script is the product. Scripts are tested and refined the way a software company tests a conversion funnel. New script branches are A/B tested on live targets, with engagement and conversion rates tracked per branch. Underperforming branches are removed. Branches that produce above-average rapport scores are propagated across the syndicate's other compounds.

The opening hook is always one of three patterns: a wrong-number text, a dating-app match, or an unsolicited LinkedIn message claiming professional interest. The wrong-number opener was dominant from 2020 to 2022 and remains common in WhatsApp and SMS-based targeting. The dating-app opener became dominant from 2022 onward as scripts were adapted to English-speaking Western markets. The LinkedIn opener targets professionals, especially in finance, technology, and consulting, with a pitch that mixes professional networking and personal interest.

The grooming period is calibrated. GASO's 2024 victim data suggests an average of 17 weeks of grooming before the first deposit. Shorter periods correlate with smaller eventual losses. Compounds running longer grooming periods extract higher average amounts. The "uncle's broker" or "family contact" framing is universal because it gives the target a plausible reason the opportunity is real and personal without requiring the operator to pitch openly. Direct pitches are flagged by experienced targets. Indirect pitches through a third party feel like a favor.

The fake exchange platforms are the production layer. A typical compound runs several active fake platforms simultaneously, each with its own brand, UI, and domain rotation. Centrex Pro is a placeholder name for a real category. Confirmed examples documented by Chainalysis and by victim reports include platforms with names mimicking Bitfinex, KuCoin, OKX, and several entirely invented brands. The platforms display real-time market data scraped from real exchanges. They show the victim's "portfolio" updating in real time based on backend numbers that the compound controls. Small withdrawals are honored to build trust. Large withdrawals trigger the "tax" or "compliance fee" stalling pattern.

The endgame has shifted. From 2017 to 2022 the dominant endgame was simple: the victim deposited until they could not deposit more, then the platform vanished. From 2022 onward, the dominant endgame has shifted toward approval phishing, in which the victim is induced to sign a Permit2 or ERC-2612 wallet permission that grants the operator unlimited spending control. The signature-based endgame allows the operator to drain the victim's wallet days or weeks after the conversation, on a delayed timer that obscures the connection between the conversation and the loss. For the technical mechanic, see our earlier explainer on how crypto wallet drainers work.

The Hong Kong and Macau laundering pipeline

The on-chain side is the part that has been most thoroughly mapped. Chainalysis, in its 2024 Crypto Crime Report and follow-up writeups through 2024, traced pig butchering inflows of $9.9 billion across the year on visible blockchains. That figure represents only the portion that touched analyzable chains. The total off-chain figure is substantially higher because a significant share of victim money is moved through fiat rails before ever touching public crypto infrastructure.

The on-chain flow has a consistent shape. Victim deposits land first in a wallet controlled by the compound's processing team. From there the funds are split across multiple wallets to break clustering analysis, bridged across chains (Ethereum to Tron and Tron to Solana are the most common pairs), and aggregated at over-the-counter desks operating out of Hong Kong, Macau, and to a lesser degree Singapore and Dubai. The OTC desks convert the crypto to Hong Kong dollars or US dollars, often through a layer of shell companies registered in jurisdictions with low corporate-disclosure requirements.

The fiat side then enters one of three pipelines. The largest pipeline routes through Hong Kong and Macau casino junket networks, which have been documented by multiple academic and investigative sources as a primary channel for converting illicit crypto inflows into laundered fiat. The second pipeline routes through trade-based money laundering, in which shell-company invoices for fictitious imports of consumer electronics, gold, or other high-value goods are used to move funds across borders inside ordinary commercial banking. The third pipeline routes through real-estate purchases in Southeast Asian and Gulf markets that have weak ultimate-beneficial-owner disclosure requirements.

Tether (USDT) is the dominant on-chain currency for the operation, primarily because of its liquidity in the Hong Kong and Southeast Asian OTC ecosystem. The 2024 enforcement-focused cooperation between Tether and US authorities, which produced several large-scale freezes and burns of seized USDT in pig butchering cases, is the first serious intervention against the on-chain leg in the operation's history. It has not stopped the flow. It has raised the cost.

Why disruption is genuinely hard

The compounds did not arise in random locations. They cluster in jurisdictions that share three features. The host territory has weak law-enforcement reach or active political alignment with the compound operators. The territory is geographically remote enough to make raid logistics difficult. And the territory has a Special Economic Zone or equivalent legal designation that exempts the compound facility from ordinary regulatory inspection.

Sihanoukville in Cambodia operates under SEZ designations that, in practice, give compound operators significant insulation from Cambodian national law enforcement. Multiple Cambodian government officials have been publicly named in 2024 reporting by Reuters, the Associated Press, and the BBC as having business interests in, or political relationships with, compound owners. The Cambodian government has conducted several high-profile raids since 2022, particularly after sustained international pressure, but the structural relationship has limited the depth of those operations.

The Myanmar situation is more complex. KK Park, Shwe Kokko, and the Chinatown compounds sit in territory controlled by the Karen Border Guard Force, a militia formally aligned with the Myanmar military but operating with substantial autonomy. The Border Guard Force has been documented by USIP, by the United States Institute of Peace, and by Reuters as having direct financial relationships with the compound operators. The Myanmar civil war, in which the central government's reach into Karen and Shan states is contested and in many areas absent, makes ordinary law-enforcement intervention impossible in much of the affected territory.

Bokeo Province in Laos hosts the Golden Triangle Special Economic Zone, leased to a Chinese-connected operator under a long-term concession that limits Lao government authority over the leased area. The territory has been the subject of US Treasury OFAC sanctions, with the SEZ operator and several connected entities designated in 2018 and reinforced in subsequent action. The designations have not closed the compounds.

The disruption strategy that has shown traction combines four levers. First, host-country raids when international pressure becomes high enough to force action, as occurred in Cambodia in late 2022 and again in 2024. Second, financial action against the laundering pipeline through Tether cooperation, OFAC sanctions on identified entities, and Hong Kong Monetary Authority pressure on identified OTC desks. Third, source-country awareness campaigns in Vietnam, China, the Philippines, India, and Indonesia to reduce the supply of new recruits who answer fraudulent job ads. Fourth, victim-side warning operations like the FBI's Operation Level Up that proactively contact identified pig butchering victims based on on-chain patterns and break the conversation before the next deposit.

The KK Park and Chinatown raids of late 2024 and early 2025

The most significant operational disruption to date occurred in late 2024 and early 2025. In October 2024 Chinese authorities, in coordination with Myanmar's State Administration Council and the Border Guard Force, conducted a series of operations against compounds in the Myawaddy region of Karen State. Reports filed by Reuters and the Bangkok Post placed the number of repatriated trafficking victims at over 7,000 across the operation, drawn from at least 30 countries.

The raids targeted KK Park, Chinatown, Shwe Kokko, and several smaller adjacent compounds. The operation was triggered by sustained Chinese government pressure following high-profile abductions of Chinese nationals into the compounds, including the kidnapping of Chinese actor Wang Xing from Bangkok in January 2025, an incident that received intense Chinese-language media coverage and prompted a public commitment by Chinese authorities to accelerate cross-border enforcement. The Mae Sot border crossing on the Thai side became a major transit point for repatriation, with thousands of rescued workers processed through temporary holding facilities operated by Thai authorities and international NGOs.

The repatriation operation was incomplete. Workers from countries that did not have active embassies or formal diplomatic representation with the responsible Myanmar authorities, including many African nationals and some South Asian nationals, were held in extended detention by Thai authorities while their cases were sorted. The Humanity Research Consultancy and Amnesty International, in early 2025 reporting, documented that some rescued workers were re-trafficked back into compounds after being released without adequate support structures, particularly when they returned to source countries without job prospects and were re-recruited by the same networks.

The compounds did not disappear. Multiple 2025 reports, including Reuters and Al Jazeera follow-ups, documented that KK Park resumed partial operations within weeks of the raids and that displaced operations relocated to newer compound facilities in Laos, in northern Cambodia near Poipet, and to entirely new sites in Mae Sai (Thailand), Bavet (Cambodia), parts of the Philippines, parts of Nigeria, and parts of the United Arab Emirates. Dubai Police arrests in late 2024 of approximately 275 suspects across nine compound-style facilities reflected the displacement.

Red flags during the grooming phase

The grooming phase is where almost every successful intervention happens. Once the platform is introduced and the first deposit clears, the script's psychological hold on the target makes outside intervention substantially harder. Recognizing the pattern during weeks one through twelve is the highest-leverage defense. Eight specific signals to watch for:

1. The opener that continues past its natural end. A wrong-number text that does not stop after the apology. A LinkedIn message from someone whose professional reason for contacting you does not quite hold up when you push on it. A Hinge or Bumble match whose profile is polished but whose responses feel slightly off-cadence in the first hour. Real first contacts have a natural ending point. Pig butchering openers persist.
2. Migration off the original platform within the first three messages. Dating apps, LinkedIn, and Instagram have moderation, reporting, and pattern-detection that scammers want to avoid. Any push to move the conversation to WhatsApp, Telegram, Signal, or WeChat in the first three messages is a signal. Real connections happily continue on the original app for at least a week.
3. The stated location is somewhere unverifiable and time-zone convenient for grooming. Singapore, Hong Kong, Dubai, and "currently traveling for work in Asia" are the most common cover identities. The time difference creates a natural reason for video calls to be inconvenient and gives the operator coverage for response delays. Real long-distance connections eventually video call comfortably.
4. Video calls cancel or are very short and low quality. The operator is unwilling to produce extended live video because their face is not the face in the photos. Brief video calls of 30 to 60 seconds may happen using a real photo of the operator (when the operator is presentable) or face-swap tools. Long unstructured video calls do not happen. "My WiFi is bad" is a perpetual excuse.
5. An investment opportunity that comes through a family connection. The operator never pitches the trading platform directly. The opportunity arrives through a casual mention of an uncle, a cousin, a college friend, a former mentor who happens to manage a private trading desk. The personal-connection framing is the same in every script because it works.
6. The trading platform is not findable in independent reviews. Real crypto exchanges have reviews, podcasts, news coverage, and community discussion. If you cannot find the platform mentioned by any independent crypto reviewer or news outlet, it does not exist outside the scam. This rule alone catches the vast majority of pig butchering platforms.
7. First small withdrawal works, every subsequent withdrawal requires a "fee." The first withdrawal is the trust-building lever. Every subsequent withdrawal will be blocked by escalating "anti-money-laundering tax," "international compliance fee," "withdrawal verification deposit," or "regulatory clearance fee." Real exchanges do not work this way. Tax obligations are reported via tax forms, not collected by the exchange to release a withdrawal.
8. Wallet signature requests framed as "verification" or "synchronization." This is the approval-phishing endgame. Any signature request that grants spending permission to an unfamiliar address is a drainer setup, regardless of how routine the operator makes it sound. The signature payload, not the visible prompt, is what matters. For deeper context, our companion piece on dating-app romance to crypto scam evolution walks through the signature step in more detail.

The four-step verification routine before any "investment"

If you are reading this and a stranger you met online is currently telling you about a unique trading opportunity, this is the routine. Run all four steps before any money moves. If the situation is real, the routine costs you 20 minutes. If the situation is the scam, the routine saves you the rest of your savings.

1. Search the platform name in plain Google with the word "scam" appended. Pig butchering platforms have short lifespans. Each platform produces a small but visible trail of victim complaints on Reddit, Trustpilot, BitcoinTalk, and personal-finance forums within weeks of going live. If the platform you have been pointed at has any complaints attached, you have your answer. If the platform is too new to have complaints, that is also your answer.
2. Check the domain registration date. Open a WHOIS lookup tool (icann.org/whois or whois.com) and check when the domain was registered. Pig butchering domains are typically less than 90 days old at the time victims are sent to them, because compound operators rotate domains constantly to stay ahead of blocklists. Real crypto exchanges have domains that are years old.
3. Run the domain through our free scanner. Paste the URL into the SafeBrowz URL safety checker. The scanner cross-references Google Safe Browsing, PhishTank, URLhaus, and ScamAdviser, runs our 550+ brand impersonation rules, and for Premium users runs AI content analysis on the live page. Most active pig butchering platforms are flagged on at least one of those layers within hours of going live.
4. Talk to one person in your physical life before any deposit. Not the person you have been chatting with. A real human in your physical life. Parent, sibling, close friend, coworker. Tell them the whole story. Show them the platform. If they hesitate even slightly, listen. Pig butchering relies on isolation. The script explicitly discourages targets from discussing the relationship or the investment with friends and family because the script knows what happens when an outside perspective sees it.

What to do if you have already invested

If money has already moved, the next 48 hours determine most of what is recoverable. The order matters.

1. Stop sending anything more, immediately. Any "release fee" or "tax" or "compliance deposit" that the platform is demanding to unlock your withdrawal is part of the scam. You will not get your principal back by paying more fees. Every additional dollar you send is a dollar that will not come back.
2. Do not sign any wallet transaction the operator asks for. Disconnect your wallet from any site the operator pointed you at. If you have already signed something, visit revoke.cash, connect your wallet, and revoke every approval with an unfamiliar spender. This is the only defense against a delayed-timer drain.
3. Document everything. Save screenshots of the platform, the chat threads, the deposit addresses, the transaction hashes, the operator's profile photos, and every URL you visited. Save them off-device too. Email them to yourself or back them up to a drive that is not your phone.
4. File at ic3.gov. The FBI's Internet Crime Complaint Center is the primary US channel. Include all documentation. Operation Level Up uses these reports to identify other victims and to seize laundered funds. Filing matters even if you think recovery is unlikely.
5. File at reportfraud.ftc.gov. The FTC's complaint database feeds federal consumer-protection enforcement and helps identify pattern-level actions against laundering infrastructure.
6. Contact your bank and the exchange you bought crypto from. Wire transfers within the past 60 days and card payments within the past 120 days can sometimes be reversed through fraud dispute processes. Coinbase, Kraken, and Gemini have fraud teams that occasionally freeze outbound transfers if reported quickly enough. The window is narrow but not zero.
7. Move remaining crypto to a fresh wallet. Generate a new seed phrase on a clean device. Transfer everything you still have to the new wallet. Treat the original wallet as compromised even if you have revoked all visible approvals. You cannot be certain you caught every one.
8. Refuse "recovery service" outreach. Within days of becoming a known pig butchering victim, you will be contacted by people claiming to be recovery specialists, blockchain forensics firms, or "asset retrieval lawyers" who promise to get your money back for an upfront fee. These are secondary scams operated by the same or adjacent criminal networks. No legitimate recovery service charges upfront fees from fraud victims. Real recovery work happens through ic3.gov, your state Attorney General, and class actions handled by reputable firms on contingency.
9. Tell someone you trust, in person. The psychological aftermath of a pig butchering scam is severe. GASO's 2024 survey found that 38 percent of pig butchering victims experienced suicidal ideation in the weeks following the discovery of the scam. The shame and isolation that the script cultivated for months does not evaporate when the scam is exposed. Tell one person. Talk to a therapist if you can. The financial loss is recoverable in part or not at all. The isolation is what compounds the harm.

The recent enforcement wave and what it changed

Through late 2024 and the first half of 2026 the enforcement landscape shifted faster than it had in any prior period. The Chinese-led raids across Myawaddy in October 2024 repatriated over 7,000 trafficked workers. The Dubai compound raids in late 2024 arrested 275 suspects. A coordinated US and China operation in May 2026 produced 276 arrests, the shutdown of nine additional crypto scam centers, and the seizure of $701 million in laundered proceeds. The Tether cooperation pipeline transferred $225 million in seized USDT to Tether for burning in January 2026, the largest stablecoin enforcement action on record at the time.

The FBI's Operation Level Up, run through IC3 from early 2025 through 2026, took a different approach. Instead of focusing on compound takedowns, the operation used on-chain analysis to identify wallets that were currently being drained by pig butchering inflows, traced the originating victim wallets, and proactively contacted identified victims to break the conversation before the next deposit cleared. The FBI publicly reported that Operation Level Up has prevented an estimated $285 million in additional losses by reaching victims mid-scam. The operation's success depends on speed; once victims have completed the deposit cycle and the platform has vanished, the recovery picture worsens substantially.

Operation Atlantic, launched in March 2026, coordinated US Secret Service, UK National Crime Agency, Ontario Provincial Police, and Ontario Securities Commission action specifically against the approval-phishing endgame. The operation targeted the cross-jurisdictional flow of signature-based drains and produced a series of arrests of mid-level operators and the seizure of several drainer-kit-as-a-service operations that had been selling Permit2 attack tooling to compound networks.

The structural problem remains. The compounds rotate, displace, and rebuild. The labor supply is replenished by economic distress in source countries and by ongoing recruitment through job boards and Telegram channels that have not been effectively suppressed. The on-chain laundering pipeline adapts faster than enforcement can close the channels. Tether's cooperation is the single biggest structural change of the past two years; sustaining it through scale-up will determine whether the financial leverage of enforcement keeps growing or whether the operation routes around it.

FAQ

How much money is actually lost to pig butchering each year?

The most credible 2024 estimates put global pig butchering and compound-driven fraud losses at $63 to $75 billion per year. The UN Office on Drugs and Crime's October 2024 report on transnational organized crime in Southeast Asia estimated $37.3 billion in losses for East and Southeast Asia alone in 2023, with the global figure characterized as tens of billions annually. The US Institute of Peace and the Humanity Research Consultancy, working from extended 2024 datasets, place the global figure at $63 to $75 billion. The on-chain portion that Chainalysis traced in 2024 was $9.9 billion, which is a fraction of the total because a large share of victim money is moved through fiat rails before touching public blockchains. For US-specific data, the FBI Internet Crime Report 2024 attributed approximately $4.6 billion to investment fraud, the single largest category, with pig butchering as the dominant subtype.

Are the people sending the scam messages criminals or victims?

Many are both, in a sense the UN and major NGOs have now formally documented. The frontline workers running scripts in compounds in Cambodia, Myanmar, and Laos are predominantly trafficking victims who were recruited through fraudulent job advertisements promising tech or hospitality work and who are held under threat of violence, debt bondage, and document confiscation. The Humanity Research Consultancy estimated in 2024 that over 220,000 such workers are currently held across the region. Senior compound management, the syndicate ownership, and the laundering networks that move the proceeds are the criminals. The frontline workers are typically themselves victims of human trafficking and forced criminality. This dual-victim framing matters for both the moral picture and the practical response: rescue and repatriation of frontline workers is part of how compounds are dismantled.

Why are the compounds based in Cambodia, Myanmar, and Laos specifically?

The compounds cluster in jurisdictions that share three features. Weak law-enforcement reach into the specific territory where the compound sits, often because of Special Economic Zone designations that exempt the area from ordinary inspection or because of active conflict that has removed central-government authority. Geographic remoteness that makes physical raid logistics difficult. And political or military relationships between compound operators and local authorities. Sihanoukville benefits from Cambodian SEZ designations and documented relationships between compound owners and Cambodian officials. KK Park and Shwe Kokko in Myanmar sit in Karen State territory controlled by the Karen Border Guard Force, a militia with direct financial relationships with the compound operators in a context of ongoing civil war. The Bokeo Special Economic Zone in Laos is leased to a Chinese-connected operator under a concession that limits Lao government authority over the area. As enforcement pressure has risen, new compounds have appeared in Vietnam, Nepal, the Philippines, the UAE, and parts of West Africa, suggesting the model travels to wherever similar conditions exist.

How does the money actually get out of the compound to the criminal owners?

Victim deposits land first in wallets controlled by the compound's on-site cryptocurrency processing team. The funds are then split across multiple wallets to break clustering analysis, bridged across chains (Ethereum to Tron and Tron to Solana are common), and aggregated at over-the-counter desks operating primarily out of Hong Kong and Macau, with secondary flows through Singapore and Dubai. The OTC desks convert the crypto to Hong Kong dollars or US dollars, typically through layers of shell companies. The fiat then enters one of three pipelines: Hong Kong and Macau casino junket networks, trade-based money laundering through fictitious commercial invoices, or real-estate purchases in markets with weak beneficial-owner disclosure. Tether (USDT) is the dominant on-chain currency because of its Hong Kong OTC liquidity. Tether's 2024 enforcement cooperation, which produced large freezes and burns of seized USDT, is the first serious intervention against the on-chain leg.

What is approval phishing and why does it matter in this context?

Approval phishing is the technical endgame that has come to dominate pig butchering since 2022. Instead of convincing the victim to wire crypto to a fake exchange (the original 2017 to 2021 pattern), the operator induces the victim to sign a wallet transaction framed as account verification, withdrawal synchronization, or platform upgrade. The signature actually grants the operator unlimited token-spending permission on the victim's wallet through Permit2 or ERC-2612 permit. The operator waits days or weeks, then executes a transferFrom that drains every targeted token. The delayed-timer execution obscures the connection between the conversation and the loss, which makes the victim's later forensic work much harder. Operation Atlantic, launched by US Secret Service, UK NCA, and Ontario authorities in March 2026, specifically targets this evolution. The defense at the user level is straightforward: never sign a wallet transaction for an account-management reason, and revoke all unfamiliar approvals through revoke.cash if you have already signed anything.

If I am being groomed right now, what should I actually do?

Stop sending money. Stop signing wallet transactions. Do not block the operator yet, because the chat history is evidence. Search the trading platform name in plain Google with "scam" appended. Run the domain through the SafeBrowz URL checker at safebrowz.com/url-check. Pull up a WHOIS lookup on the domain and check the registration date; almost all pig butchering platforms are less than 90 days old. Tell one person in your physical life the whole story, including the parts you are embarrassed about. File at ic3.gov even if you have not lost anything yet, because that report contributes to Operation Level Up and may prevent the next victim. If you are receiving the wrong-number opener or the dating-app match that pushes off-platform within three messages, you are at the start of the funnel, and the cheapest exit is now. The person you have been talking to is reading from a script that has been tested on thousands of people before you. The warmth is real-feeling because the script is engineered to feel warm. It is not personal.

Last updated 2026-05-29

How SafeBrowz blocks this threat

SafeBrowz runs a 3-layer detection architecture: Local + APIs + AI.

• Layer 1, Local detection: 60+ URL pattern rules plus 550+ brand-specific signatures run directly in the browser before pages render. This catches lookalike exchange platforms (fake Bitfinex, KuCoin, OKX, Coinbase clones) and the cheap-TLD domain patterns (.live, .vip, .top, .xyz, .asia) that compound operators rotate through to stay ahead of blocklists. Pig butchering platforms typically use freshly registered domains; the local layer flags the structural signals instantly.
• Layer 2, API checks: Google Safe Browsing, PhishTank, URLhaus, and ScamAdviser cross-reference, combined with WHOIS domain-age checks and URL-shortener unwrapping for the bit.ly and branded shorteners compound operators use to hide destination domains. Most active platforms are flagged on at least one upstream layer within hours of going live, often through community reports.
• Layer 3, AI deep scan (Premium): 100+ language content analysis catches novel platform variants that have not yet been blocklisted. The AI layer reads the page in the language the operator is targeting (Chinese, Vietnamese, Korean, Spanish, English) and identifies brand impersonation, fake trading-dashboard patterns, and the Permit2 payload-construction signatures that appear in the approval-phishing endgame even on visually novel platform UIs.

Detection signatures are derived from threat-intelligence research, brand database analysis, and on-chain pattern publications from organizations like Chainalysis and the FBI, not from user browsing data. SafeBrowz does not store per-user browsing history.