Anatomy of a pig-butchering scam: a real WhatsApp transcript, decoded

Most "pig butchering explained" articles tell you the scam exists. This one walks you through an actual case — message by message — and shows exactly where GACS would have stopped it. Names and wallet fragments are altered; the structure, timing, and language are taken verbatim from a victim file submitted to our report intake in April 2026. The victim, "Marco" (not his real name), lost the equivalent of $48,300 in USDT-TRC20 over 41 days.

If you only have 30 seconds: pig butchering is a *long-con* romance-investment scam. The "pig" is the victim, "fattened" over weeks of fake friendship before being "slaughtered" through a cloned trading platform. Every step below is a stage of that fattening. Every red flag is something a 4-second Safe Scanner check would have surfaced before the money moved.

Stage 1 — The wrong-number opener (Day 0)

**"Hi Linda, is this still your number? It's Vivian from the Lululemon Hong Kong tasting last month 🥰"**

This is the opener in 9 out of 10 cases we triage. It's never a romantic pitch; it's a polite, slightly-embarrassed "wrong number" message designed to make you reply *"sorry, wrong person"* — which gives the scammer a foothold for a conversation.

Red flags at Day 0:

• Number is foreign and never seen before. Marco's contact came from a +852 (Hong Kong) WhatsApp number. He lives in Toronto. He had no business or social link to Hong Kong.
• The "wrong" name is generic and Western. Linda, Sarah, David, Michael. Scammers cycle these.
• The "shared event" is upmarket but unverifiable. Lululemon tasting, Soho House dinner, a yoga retreat in Bali. Always something that signals wealth, never something with a guest list you could check.
• A heart emoji on a first contact with a stranger. Real wrong-number texts are dry: *"Sorry, wrong number"*. Scam wrong-number texts are warm.

What GACS would have done: dropping the number into the Safe Scanner returns a category-level warning the moment a phone number from a high-risk corridor (HK, MY, TR, NG inbound to NA/EU) is paired with WhatsApp business-API metadata. We've cataloged the pattern in the WhatsApp scams playbook and the dedicated pig-butchering scam guide.

Stage 2 — The "let's stay friends" pivot (Days 1–5)

After Marco politely said it was the wrong number, "Vivian" replied:

**"Haha I'm so sorry! You seem nice though, I just moved to Vancouver for work, do you mind if we stay in touch? Hard to meet new people here 🙈"**

This is the foothold. The scammer now has consent for ongoing contact. Over the next four days, "Vivian" sent Marco photos of brunch, gym selfies, a (stolen) LinkedIn screenshot positioning her as a "senior product designer at a fintech", and three voice notes in lightly accented English.

Red flags Days 1–5:

• Geographic drift. She "just moved" to a city near the victim, but her number is still foreign and she never proposes to meet.
• Image-heavy, voice-light. Lots of photos, very few voice notes (and the ones that exist are short — scammers often use scripted recordings).
• No second-platform presence. Marco asked for Instagram; "Vivian" sent a private account with 11 followers, all of them other "Vivians" with similar bios. Reverse-image search on her LinkedIn screenshot returned the actual woman pictured — a UI designer in São Paulo who'd had her photos lifted three months prior.
• Highly engaged but always available. A real person with a senior job and an active social life replies in bursts. Pig-butchering operators are paid to reply within minutes for 14 hours a day. Marco noticed she answered at 3 a.m. local time "because of jet lag" — a tell.

What you can check yourself: reverse-image search every photo in Google Images and Yandex. Run the LinkedIn URL through the Safe Scanner. If you've already shared personal details, see the romance-scam warning signs checklist.

Stage 3 — The "I trade a little crypto" reveal (Days 6–14)

This is the pivot from friendship to investment. It is *never* a hard sell. It comes up casually, the way a real friend would mention a hobby.

**"My uncle in Singapore taught me to read short-term USDT/BTC charts during COVID. Honestly it's how I bought my car. I only trade 30 minutes a day — I'd never gamble haha."**

A few days later:

**"I made $1,200 this morning lol 🥲 just on a quick BTC swing. Want me to show you the platform? No pressure, only if you're curious."**

This is the moment 92% of pig-butchering victims in our intake queue say *"I should have walked away here."* They didn't, because by Day 10 they'd been receiving good-morning texts for a week and felt rude doubting her.

Red flags Days 6–14:

• "Uncle in Singapore / Hong Kong / Dubai". The mythical rich uncle who taught her trading. He is in every transcript we have.
• Specific, modest-sounding wins. Never "I made a million" — always "$1,200 today, $900 yesterday". Believable numbers are the bait.
• "No pressure, only if you're curious." A real friend pushes once and drops it. A scammer drops the offer and waits for *you* to ask — because once you ask, you've consented.
• The platform name is one you've never heard of. Marco was sent to a site called *"BitGlobal Pro"*. It had a working app, a "regulator certificate", and a TradingView-clone interface. It was a $40 template.

What GACS would have done: dropping the platform URL into the Safe Scanner returns a critical verdict — the domain matches our fake-broker pattern set (registered <90 days, Cloudflare-fronted, no real corporate registration, certificate body that doesn't exist). The Risk & Recon report would have surfaced the cloned template hash across 23 other fake-broker domains in the same cluster.

Stage 4 — The first "successful" deposit (Days 15–22)

This is the genius of the scam. The first deposit is small ($500–$1,500), the trades visibly "win", and the victim is allowed to withdraw.

Marco deposited $1,200 in USDT-TRC20 to the wallet "Vivian" gave him. Within 48 hours his account dashboard showed $1,640. He requested a withdrawal of $500 "to test it". The withdrawal arrived in his real wallet within 4 hours.

This single working withdrawal is what overrides every remaining instinct. Marco told us: *"After that I stopped researching. I'd already 'verified' it worked."*

Red flags Days 15–22:

• The "wins" are too consistent. 8 trades, 8 wins, none of them on liquid pairs you can verify against a real exchange. Real crypto trading is messy.
• Deposits go to a personal wallet, not the platform's corporate address. Real exchanges have published, audited deposit addresses. Scam brokers send you a fresh wallet per user.
• The deposit wallet is on Tron (USDT-TRC20). Not because Tron is fraudulent, but because USDT-TRC20 is the laundering rail of choice for this scam family. We've mapped 16 of these drainer wallets in the pig-butchering data report.
• The "withdrawal" came from a different wallet than the one you deposited to. Classic layering: your deposit was bundled and forwarded; the withdrawal was paid out of the operator's hot wallet to keep you confident.

What you can check yourself: paste any wallet address into the free wallet checker. For the 16 mapped drainers in this exact cluster, the verdict is instant.

Stage 5 — The "rare opportunity" (Days 23–35)

Now the slaughter begins. "Vivian" tells Marco her uncle has a 6-hour window on a "node-staking event" — guaranteed 18% return, but the minimum entry is $20,000. She's putting in $35,000 of her own money. She'd love for him to join her.

Marco transferred $18,000 USDT-TRC20. Two days later, "Vivian" was crying on voice notes — the event had hit a "lock-up extension" and to access either of their funds they each needed to top up another 30% as a "smart-contract verification fee".

He sent another $14,000. Then $9,500 in "tax clearance". Then $6,800 because the "platform compliance team" was holding the withdrawal until a "personal AML deposit" cleared.

Red flags Days 23–35 — any one of these is a hard stop:

• Time pressure on a "rare" opportunity. Real opportunities don't expire in 6 hours.
• Guaranteed returns. Anyone promising a guaranteed % return on crypto is either a fraud or about to become one.
• "You need to deposit more to withdraw." This is the single most reliable signal of a scam. Real platforms deduct fees from your withdrawal — they never require fresh deposits to release funds.
• "Tax clearance fee" / "AML verification deposit" / "smart-contract gas top-up". None of these are real. Taxes are paid to a government, not to your broker. AML checks are documentary, not financial. Smart-contract gas is paid by the user signing the transaction, not pre-deposited.
• The "girlfriend" is also a victim. This is the empathy trap. She cries with you, she's "lost more than you", you're in it together. She is the operator.

What GACS would have done: the Panic Guide is designed for exactly this moment — the first 24 hours after you realise something is wrong. The most important step is *stop sending money immediately*, even if the platform tells you you'll lose what's already in. You will lose it either way; additional deposits never come back.

Stage 6 — The recovery-scam follow-up (Day 41+)

Two weeks after Marco stopped responding to "Vivian", he received a LinkedIn message from someone claiming to be a "blockchain forensics investigator" at a firm with a real-sounding name. They knew the platform name. They knew the rough amount. They said they could recover 70% for a 15% upfront fee.

This is the recovery scam. It is run by the same operators, using leaked victim lists. The forensics firm doesn't exist. The "fee" is the second slaughter.

Red flags on Day 41+:

• They contacted you, not the other way around. Legitimate forensics firms don't cold-DM victims.
• They know specifics only the scammer would know. Because they are the scammer.
• Upfront fee for recovery. Real legal/forensic services bill on retainer or contingency, with a contract, on a corporate domain that's older than 90 days.
• "Government agency partner" name-drops — FBI IC3, Interpol, the Met. Real agencies do not partner with private recovery firms; they direct you to report through official channels.

What you can check yourself: read the recovery-scam warning signs page and the deeper recovery-scam playbook. Anyone DMing you about "getting your funds back" is a second-stage scammer, full stop.

The detection summary — what would have stopped this

If Marco had run a single check at any of these moments, the scam ends:

| Stage | What to paste into Safe Scanner | What verdict you'd see | |---|---|---| | Day 0 | The +852 WhatsApp number | High-risk corridor + WhatsApp grooming pattern | | Day 10 | "Vivian's" LinkedIn URL | Stolen-photo cluster, no corporate verification | | Day 12 | The fake broker domain | Critical — cloned-template fake broker | | Day 17 | The Tron deposit wallet | Critical — mapped drainer wallet, see cluster | | Day 41 | The "recovery firm" domain | Critical — recovery-scam pattern |

Five checks. Each takes 4 seconds. Each is free, and none of them require you to sign up for anything.

The psychological tactics, named

Pig butchering works because it stacks well-studied persuasion techniques in a specific order. Knowing the names breaks the spell:

• Foot-in-the-door. A tiny first request (*"can we stay in touch?"*) makes you statistically far more likely to agree to a much bigger one later.
• Reciprocity. Voice notes, good-morning texts, "checking in" messages create a felt debt. You don't want to be rude.
• Social proof. The fake broker dashboard shows other users winning. The "uncle" is an authority figure. The platform has a (fake) regulator badge.
• Loss aversion. Once you've deposited, the prospect of losing what's already in feels worse than the cost of depositing more — even though depositing more is what actually loses the money.
• Sunk-cost commitment. Each additional deposit makes it harder to walk away from the previous ones.
• Empathy trap. The scammer cries with you, "loses" with you, suffers with you. You stop seeing them as the threat.

If you're in this right now

1. Stop sending money. Right now. The next deposit will not be the one that releases your funds. None of them will.
2. Open the [Panic Guide](/panic-guide). It walks you through the first 24 hours — what to freeze, what to screenshot, what to report.
3. Report the wallet and the platform. Three independent reports in our report intake auto-promote an entity to critical on the public blacklist. You make the next victim's Safe Scanner check turn red.
4. Report to your local authority. Country-by-country instructions are at report to authorities.
5. Block every contact and ignore "recovery experts". Anyone DMing you offering to get the money back is the second scam. Read recovery-scam warning signs.

Methodology and disclosure

This case file is based on a real victim submission to GACS, reproduced with the victim's consent and with all personally identifying details altered. The wallet patterns, broker template, and message structure are taken verbatim. GACS is advisory-only: we do not execute trades, move funds, or guarantee recovery. We map and publish the entities behind scams so the next person checks before they send. To submit your own case file, use the report form; to request a correction, use the feedback form.