Case study: a real pig butchering scam, week by week

This is a real pig butchering scam, reconstructed from a victim file submitted to the GACS report intake in May 2026. The victim — we'll call her "Elena", a 42-year-old project manager in Madrid — lost €112,400 over 47 days. Names, exact amounts, and platform branding are altered. The grooming sequence, broker mechanics, and drainer wallets are taken verbatim from her chat archive and on-chain transaction graph.

Most "how pig butchering scams work" articles describe the *technology*. The technology is the easy part. What actually traps people is the psychological grooming — a slow, deliberate fattening that turns a stranger into a trusted partner before any money is ever mentioned. This case study walks through that grooming hour by hour so you can spot it in real life.

If you only have 30 seconds: pig butchering is a long-con investment scam dressed up as a friendship or romance. The "pig" is the victim. The "fattening" is weeks of warm, attentive conversation. The "slaughter" is a single signature on a fake trading platform that drains everything at once. Every red flag below would have been caught in 4 seconds by the free Safe Scanner.

Week 1 — The wrong-number opener (Days 1–4)

*Day 1, 14:02:* "Hi Marcus, are we still on for dinner tonight at Casa Lucio? It's Lin 😊"

Elena was not Marcus. She replied politely that it was a wrong number. Lin apologised, said she was new in town from Singapore for a fintech role, and asked if Elena could recommend a good tapas place — *"since you're clearly Spanish, your taste must be much better than Google's"*.

That single sentence does four things at once:

1. Flatters — your taste is better than a search engine.
2. Pretends helplessness — I just moved here.
3. Establishes wealth without bragging — Singapore, fintech, dinner at Casa Lucio (one of Madrid's most expensive restaurants).
4. Asks for something tiny and zero-risk — a restaurant recommendation.

Elena recommended a place. Lin replied with a photo of herself at a rooftop bar — well-lit, well-dressed, smiling. The photo is the hook. From this point forward the scammer has a face attached to the conversation, and human pattern-matching does the rest.

What was actually happening: the +65 number was a WhatsApp business-API account registered three weeks earlier and tied to 14 other ongoing conversations with women aged 35–55 across Spain, Italy, and Portugal. The photo was stolen from a Singaporean lifestyle blogger's Instagram and reverse-image-search-protected by being lightly cropped and run through a face-warping filter.

Red flags a [Safe Scanner](/safe-scanner) phone-number check would have flagged on Day 1:

• Foreign WhatsApp number with no prior contact
• Business-API origin (not a personal SIM)
• Number first activated within the last 60 days
• Country corridor (SG → ES) over-represented in our pig-butchering intake queue

Week 2 — The friendship phase (Days 5–11)

For seven days, Lin and Elena talked about nothing financial. Lin asked about Elena's job, her dog, her divorce two years prior. She remembered names. She sent voice notes at the same time every morning — *"my coffee ritual is incomplete without saying hi to you"*. She referenced things Elena had mentioned a week earlier, proving she was paying attention.

This is the most important stage and the one most articles skip. No money is requested. No platform is mentioned. The only goal is to become someone Elena looks forward to hearing from. Every message is engineered to deposit a small amount of emotional trust.

Lin shared "vulnerable" details too: a dead father, a sister with cancer, a recent breakup with a tech founder she wouldn't name. These details serve two purposes: they make Lin feel like a real person, and they pre-load future emotional leverage. The dead father will come back at the end as the reason Lin "understands grief and money".

By Day 11, Elena had typed the words *"talking to you is the best part of my day"* — saved in the screenshot folder her victim-impact statement was built from.

**No red flag in the *content* of these messages. The red flag is the pace and the persistence**: a stranger from another continent who messages every single day, never asks to meet on video, and never has a friend or sibling join the chat. Real friendships built remotely have texture — gaps, busy days, group chats. Grooming has metronome consistency.

Week 3 — The accidental mention (Days 12–18)

On Day 13 Lin posted a "screenshot" of her trading dashboard — a clean dark-mode interface showing a 14% gain on a small position. Caption:

*"Ugh forgot to take profit again, my uncle is going to laugh at me 😅"*

Elena asked what she meant. Lin's response is textbook:

*"Oh nothing, my uncle works in quant at a Hong Kong fund, he helps me with a tiny strategy on the side. It's nothing fancy, just some BTC/USDT moves a few times a week. I'm bad at it honestly."*

Three engineered properties:

• Self-deprecating — "I'm bad at it" prevents Elena from feeling pressured.
• Authority by proxy — the uncle, never named, is the expert. Lin is just a relatable beneficiary.
• Specific but unverifiable — Hong Kong, quant, BTC/USDT. Real enough to imagine, vague enough to never check.

Elena didn't bite immediately. Lin didn't push. She brought it up *once more* on Day 16 — a casual mention that the same uncle had told her *"the next two weeks would be good for entries"* — then dropped it again. This is the pull-back. A real friend wouldn't sell you on anything. A scammer who knows their craft never sells on the first or second mention.

Week 4 — The platform reveal (Days 19–26)

On Day 22 Elena, prompted by a small bonus at work and a long conversation about her hopes for early retirement, asked Lin whether her uncle would mind if she tried "a tiny test". Lin "checked" overnight and came back enthusiastic. The platform was called GoldArc Pro — a clone of a real Asian crypto-derivatives broker with a slightly altered domain (goldarc-pro.io) and an identical-looking dashboard.

What GoldArc Pro actually is:

• A custom front-end built on a generic white-label scam-broker template, sold on Russian and Chinese darknet forums for about $4,000.
• Backed by no real exchange. Every chart, every "trade", every "balance" is a database row the operator controls.
• Identical to 31 other "broker" sites GACS has tracked back to the same template in the last 90 days. The full pattern is documented in our pig butchering data investigation and the stage-by-stage anatomy guide.

Red flags Elena could have caught in 4 seconds:

• The domain (goldarc-pro.io) was registered 41 days earlier. Real brokers don't appear out of nowhere.
• No regulatory licence number anywhere on the site. Legitimate EU-facing brokers must surface a CySEC, BaFin, AMF, or CNMV number above the fold.
• No corporate registry filing in any jurisdiction the "About" page claimed.
• The deposit page accepted only USDT-TRC20 — a one-way, irreversible rail. Real brokers offer at least one chargeback-capable method.

Paste the domain into the free Safe Scanner and every one of those signals lights up before you can type your card number. Elena didn't run that check.

Week 5 — The first win (Days 27–33)

Elena deposited €500. Lin "introduced" her to the uncle via a series of formatted "signal" messages on Telegram — *"Long BTC 67,420 / SL 67,100 / TP 68,150"*. Elena copied the trades inside the GoldArc Pro dashboard. Every signal "won". By Day 30 her balance showed €642.

She withdrew €100 to test. It arrived in her bank account within 26 hours. This is the most damaging step in the entire playbook: the small successful withdrawal that converts skepticism into faith. From this point on, Elena treats every number on the dashboard as if it were real money.

The €100 came from the operator's own working capital, not from any "trade". The withdrawal is the bait. It is the single feature that separates pig butchering from a crude one-shot rug pull — and the reason victims keep depositing long after a more cynical scam would have already lost them.

Week 6 — The escalation (Days 34–40)

By Day 36 Lin was casually mentioning that *the uncle* had spotted a "big institutional setup" coming the following week. Lin was putting in €40,000 of her own. Elena, by now emotionally invested and watching a €642 balance she believed in, deposited €15,000. Then €25,000. Then, after seeing her dashboard balance climb to €71,000 in five days of "winning" trades, she liquidated a portion of her late mother's inheritance and deposited a further €70,000.

Total deposited: €110,500. Dashboard balance: €184,300.

She tried to withdraw €20,000 to "lock in" a holiday for her sister. The platform's withdrawal page returned: "Account upgrade required to process withdrawals above €5,000. One-time tax-clearance fee: €18,440 (USDT-TRC20)."

This is the slaughter trigger. The withdrawal paywall is universal across pig-butchering platforms — it converts the dashboard balance into a sunk-cost trap. Pay the "tax" and the next withdrawal will demand a "compliance review fee", then a "liquidity reserve", then a "regulatory bond". The platform will extract as much as the victim's financial life can absorb before the operator simply turns the lights off.

Elena, panicked, called Lin. Lin was reassuring, said the uncle had warned her this might happen, and offered to "lend" €5,000 to help cover the tax fee. She never sent it.

Week 7 — The drainer signature (Days 41–47)

Elena paid the €18,440 "tax". The withdrawal still didn't process. A new "verification" fee appeared. She paid €9,200 more. Lin began responding more slowly. On Day 46, GoldArc Pro's "support" pushed Elena to *"finalize verification by connecting your wallet through the integrated KYC partner"*.

The "KYC partner" was a cloned MetaMask interface that asked Elena to sign an unlimited token-approval transaction. Within 11 seconds of her signature, every USDT-TRC20 token she still held was swept to TRON wallet `TLsV52sRDL79HXGGm9yzwKibb6BeruhUzy` — one of the 16 drainer addresses GACS maps in the public evidence file.

On Day 47, Lin's WhatsApp number stopped delivering messages. The Telegram "signals" channel was deleted. GoldArc Pro continued to operate for nine more days before going dark, presumably long enough to slaughter the rest of Lin's roster.

Total loss: €112,400.

The psychological grooming, in one diagram

Most readers see *seven weeks of patient conversation* and think *"I would never fall for that"*. That confidence is the reason the scam works. Lay the stages out and the pattern is engineered like a sales funnel, not a romance:

1. Wrong-number opener — zero-risk reply, harvests a small reciprocity debt.
2. Friendship phase — 7+ days of attentive daily contact, no financial content, builds emotional reliance.
3. Accidental mention — investing surfaces as a hobby of the *scammer*, not a pitch to the victim.
4. Pull-back — the scammer does not bring it up again for several days, training the victim to be the one who initiates.
5. Platform reveal — a polished clone, framed as the scammer's own private setup, not a recommendation.
6. First win + small withdrawal — converts the victim's framing from "test" to "investment".
7. Escalation — large deposits chase the displayed gains; the dashboard becomes the source of truth.
8. Withdrawal paywall — sunk-cost trap; one fee leads to another.
9. Drainer signature — a single signed approval, on a cloned wallet interface, ends the relationship.

Every stage is reversible before stage 9. Most victims could exit at stages 1–5 with a single 4-second URL or phone-number check. Most exit only after stage 9, when it is too late.

What you can do with this case study

1. Share it. Pig butchering survives because victims rarely talk about it — they're embarrassed, broke, or both. The more people who have read a real timeline, the less novel the playbook feels in the moment. Send this article to anyone in your life who is dating remotely, lonely, recently bereaved, or recently retired.
2. Run a check before any platform. Paste any domain, wallet, phone, or token into the free Safe Scanner before depositing a single euro. The 16 wallets and 88 phishing sites behind this category are already in the database.
3. Read the next layer. For the broader cluster behind GoldArc Pro and 30+ template clones, see the pig butchering data investigation. For a stage-by-stage WhatsApp transcript from a different victim file, see the anatomy of a pig butchering scam.
4. If you already paid, open the Panic Guide. The first 24 hours determine almost everything that can be salvaged. No legitimate party will ever DM you offering to recover funds — read the recovery-scam guide before you respond to anyone claiming they can.
5. Add what we don't have. If your scammer's wallet, broker, or "mentor" account isn't on the public list, report it in 60 seconds. Three independent reports auto-promote a new entity to critical.

Methodology and disclosure

GACS is advisory-only. We do not execute trades, we do not move funds, and we do not guarantee recovery. The case study above is reconstructed from a single victim file with permission; names, exact amounts, and platform branding are altered to protect the victim while preserving the operational pattern. The drainer wallet referenced is published on the GACS public blacklist with three independent reports and a critical severity flag. Inclusion is not a legal finding — it is a documented pattern of harm. To request a correction, use the feedback form.