Pig Butchering Scam Investigation
Forensic documentation for sha zhu pan victims.

You met someone on a dating app, a social platform, or what looked like a wrong-number text. Over weeks or months they earned your trust. They were warm, attentive, present in your life. At some point they introduced you to crypto investing, then to a specific platform that they said had been good to them. The platform looked professional. Your first deposit produced a real-looking gain. So did your second. Then they encouraged you to scale. When you finally tried to withdraw, the platform demanded a fee. Then a tax. Then a recovery deposit. Then it went silent. Or the person you trusted simply disappeared. The amount lost typically runs from tens of thousands to several million dollars. This is pig butchering, and we exist to produce the evidentiary record that makes the recovery and prosecution pathways tractable.

Important. We do not recover funds directly. We deliver forensic investigation, evidence preservation, and coordination with the parties who can pursue recovery: law enforcement, civil counsel, licensed asset-recovery partners, and the IRS for theft-loss tax treatment. The crypto-recovery industry is full of operators who promise recovery and either do nothing or are themselves running a second-round scam targeting victims who have already been scammed once. The FBI and FTC have issued repeated warnings about this. Our work is the honest version of pig-butchering response: forensic case-file production at hourly rates, no fees contingent on recovery, and the explicit acknowledgement that fund recovery is controlled by law enforcement and licensed counsel, not by us.

Quinnlan Varcoe, Founder and CEO, oversees every pig butchering investigation and reviews every case before findings leave the system. Alex Riffenburgh, Co-Founder and CTO, oversees the engineering and the practitioner team executing the technical work. Engagements are confidential, NDA-protected, and structured to begin within 48 hours of the consultation, or same-day under surge when the loss is recent and perishable evidence (live platform screenshots, active messaging, in-window bank intervention) needs to be preserved. Pricing is hourly at $450 per hour — the same standardized rate every Witness engagement bills at, including expert witness. A typical case runs 12 to 25 hours for a total range of $5,400 to $11,250. Sliding-scale pricing is on the table on the first call for victims who lost retirement, savings, or home-equity funds.

What pig butchering actually is

Pig butchering is called sha zhu pan(shā zhū pán, literally "pig-killing plate") in Mandarin, the language in which most of the operational scripts are written. The metaphor is industrial: the victim is the pig, the trust-building phase is the fattening, and the rapid escalation of deposits before the platform vanishes is the butchering. Operations are typically run from organized criminal compounds in Southeast Asia — Cambodia, Myanmar (especially the Shwe Kokko and KK Park complexes), Laos, and to a lesser extent the Philippines — where the operators on the keyboard are frequently themselves trafficking victims forced to run the scripts under armed guard. The criminal organization above the operators is what attribution work targets. The US Treasury OFAC has sanctioned specific compounds and individuals tied to these operations, and the FBI Cyber Division has stood up dedicated task-force capacity for pig-butchering response.

The structure of a pig-butchering operation

1. Initial contact. A wrong-number text, a LinkedIn message, a dating-app match, a Facebook friend request, an Instagram DM, a WhatsApp introduction. The contact pretext is engineered to feel coincidental. The persona is typically a successful professional in their thirties to fifties with photos of an attractive lifestyle (travel, restaurants, business success).
2. Relationship cultivation.Weeks to months of consistent, warm, attentive communication. The persona shows interest in the victim's life, work, family, hopes. The relationship may become romantic; in some variants it remains a close friendship or business mentorship. The persona is never available to meet in person — typical excuses include international travel, a deployed military rotation, an offshore engineering project, an ongoing business deal in another country.
3. Investment introduction. The persona casually mentions crypto trading success or family-office investing. The introduction is gradual and framed as the persona helping the victim build wealth, often with the persona offering to teach or guide. A specific platform is named. The platform looks professional, has a working dashboard, and may be backed by what appears to be a custodian or licensing partner.
4. First deposit and fictitious gain.The victim deposits a small amount. The dashboard shows a real-looking gain. The victim is encouraged to withdraw a portion to confirm the platform works. The withdrawal succeeds. This seeds trust at exactly the moment the victim's skepticism would otherwise kick in.
5. Escalation.Subsequent deposits scale. The persona provides increasingly compelling reasons to deposit more — a time-limited opportunity, a tax-advantaged window, a custodian requirement that the account hit a tier threshold to qualify for the persona's help. Deposits often reach retirement, savings, or home-equity funds.
6. Withdrawal block and escalating fees. The victim attempts a larger withdrawal. The platform demands a tax, a fee, or a security deposit. The persona reassures the victim that the requirement is normal and offers to front it. The victim pays. The next requirement appears. Eventually the platform stops responding, the persona stops messaging, or both.
7. Second-round recovery scam. The victim, now searching for help, finds advertised crypto-recovery services. Many of these are themselves pig-butchering operations targeting victims who have already been scammed. The pattern: an upfront fee, frequently in crypto, frequently with the framing that the fee is required to start the recovery process, followed by either nothing or a second round of social engineering for additional payments. We exist to be the honest alternative to this layer.

What a pig butchering forensic engagement produces

• Communication preservation.Forensic capture of the full communication thread with the persona — chat apps (WhatsApp, Telegram, Signal, WeChat), dating-app DMs, social-media DMs, voice notes, video calls, screenshots of the trading platform's dashboard, screenshots of any KYC documents the persona shared, and the exact wording used at each escalation point. The capture is timestamped, hashed, and preserved under chain of custody.
• Persona analysis. Reverse-image search and metadata analysis on every photo the persona shared. Identification of the real person whose images were stolen, where attribution is possible. Linguistic and behavioral analysis on the communication thread to detect script-driven patterns, language transitions consistent with multiple operators handing off, and timing patterns consistent with an Asian operating shift behind a US-aligned persona.
• Platform infrastructure attribution. Domain registration records and historical DNS for the trading platform, hosting infrastructure, payment-rail off-ramps, fake-custodian and fake-license claims documented and cross-referenced against known scam infrastructure. Where the platform is connected to a known operating cluster, the case becomes part of a broader picture that supports law-enforcement task-force attention.
• Wallet and transaction documentation. Full record of every deposit — wallet address, transaction hash, USD value at the time of transfer, the chat-thread context that drove the deposit, the platform-dashboard screenshot that justified it. Documentation of every subsequent fee or recovery payment in the same format.
• On-chain tracing coordination.Coordination with specialist blockchain-tracing firms (Chainalysis, TRM Labs, Crystal Blockchain partners) for the on-chain analytical work that follows funds from the victim's wallet through laundering hops to the off-ramp. Tracing alone is not the case file; tracing combined with the social-engineering forensics is.
• Off-ramp identification. Where the funds came to rest. If a US, EU, UK, or other cooperating-jurisdiction exchange, the receiving exchange has KYC on the cash-out party and law-enforcement subpoena power becomes available. If a non-cooperating jurisdiction or a privacy-coin chain, the case file still supports IRS theft-loss treatment and civil suit but the recovery calculus changes.
• Wire-fraud overlay where applicable.Many pig-butchering cases include a bank wire layer where funds moved fiat-to-crypto through an intermediary. The wire layer creates a separate evidentiary stream supporting the bank's fraud unit, a SAR against the receiving account, and a wire-fraud predicate for law-enforcement engagement.
• Written report.Court-admissible methodology, structured for the specific recovery and prosecution pathways that apply to your case: FBI IC3 and Cyber Division referral, US Treasury OFAC sanctions reporting where the operation maps to a sanctioned entity, IRS Form 4684 and Schedule A theft-loss documentation, your bank's fraud unit, your state attorney general's consumer-protection unit, your cyber and crime insurance carrier, civil counsel pursuing recoverable defendants, and licensed asset-recovery partner introduction.

What the engagement does not include

• Direct fund recovery. Asset recovery is the domain of law-enforcement seizure, civil counsel, exchange cooperation, and IRS theft-loss treatment. We coordinate the introduction and provide the forensic evidence package.
• Promises of recovery. We promise to deliver the forensic case file. The case file makes recovery materially harder for institutions to dismiss; recovery itself is controlled by the parties with subpoena power and asset-seizure authority.
• Fees contingent on recovery. That structure aligns the operator with overpromising rather than with delivering what the case actually warrants, and is the structural marker of the recovery-scam ecosystem we exist to be the alternative to.
• Contact with the scammer. This almost always makes things worse. If the operator believes the victim has gone to investigators, the platform vanishes, evidence disappears, and any remaining recovery window closes.
• Legal advice. We are forensic investigators. Where the case requires legal action, we coordinate with civil counsel and you work directly with that attorney on legal strategy.
• A single automated wallet trace and a one-line result. Pig-butchering cases need integrated social-engineering and on-chain forensics, not a wallet lookup.

Pig butchering by the numbers (FBI IC3 + Treasury OFAC reporting)

The FBI Internet Crime Complaint Center logged $4.4 billion+ in US victim losses to confidence-investment scams (the IC3 category that includes pig butchering) in 2023. Crypto investment scams are the largest single fraud-loss category in IC3 reporting, exceeding BEC and ransomware combined for individual-victim totals. Average loss per reporting victim sits in the $150,000 to $300,000 range, but the distribution is heavy-tailed with substantial cases in the multi-million dollar range. The US Treasury OFAC has sanctioned specific compounds tied to pig-butchering operations and the State Department has named pig-butchering operations as a national-security concern given the human-trafficking layer at the operator level. The recovery infrastructure — IC3 referral, FBI Cyber Division engagement, state attorney general consumer-protection units, IRS theft-loss treatment, civil suit against recoverable defendants, licensed asset-recovery partners — all require a forensic case file as the entry point. That is what we produce.

Related Witness pages

• Crypto scam recovery: investment-scam forensics for cases that do not have a romance-pretext layer (fake brokers, fake DeFi, fake yield, ICO scams).
• Romance scam investigation: social-engineering forensics for romance-scam cases that did not include a crypto investment surface.
• Wire fraud recovery: bank-wire layer of pig-butchering cases that included a fiat-to-crypto conversion through a mule account or intermediary.
• SIM swap attack recovery: where the loss followed a SIM swap that bypassed exchange-account MFA before the pig-butchering escalation.
• Elder fraud investigation: when the targeted person is an older adult and pig-butchering forensics needs to be combined with senior-fraud reporting overlay.
• Identity theft investigation: when the pig-butchering chain included new-credit-line fraud or synthetic identity downstream.
• Digital forensics for attorneys: civil-suit and expert-witness support in pig-butchering litigation.