GACS will never ask for your seed phrase, private keys, or payment. Always free.
GACS Logo
All articles
Case studies

How I traced a $50,000 pig-butchering scam in 8 minutes with GACS

A live, step-by-step walkthrough of a single pig-butchering case: from the first WhatsApp message to the wallet, the fake broker, and the recovery scammer who came next. Every screen reproducible in /safe-scanner.

2026-06-08 9 min read

Last Tuesday a reader forwarded us a case that had every classic pig-butchering element compressed into a 6-week window. With their permission, we re-ran the entire conversation back through the live GACS engine and timed how fast each piece of the fraud would have lit up. Total elapsed time to confirm "this is a $50k pig-butchering scam tied to a known drainer wallet and a clone of a Hong Kong broker brand": 8 minutes.

This is the actual workflow, reproducible by anyone, free, no login.

Step 0 — the contact

A WhatsApp message from a +852 number: *"Sorry James, wrong number — but you sound nice, are you in Hong Kong?"*. Reader is not James. The number is Hong Kong. The "wrong number" framing is the single most common pig-butchering opener of 2026.

Step 1 — scan the phone number (0:00 → 0:30)

Paste the number into /safe-scanner. The engine checks our 250k-entity blacklist, normalises the number (E.164), and looks for repeat-victim reports tagged to that prefix.

In this case: no direct hit, but the +852 prefix appeared in 7 prior pig-butchering reports in the last 30 days. Not enough to confirm, enough to escalate.

Step 2 — extract the broker name (0:30 → 2:00)

Three weeks into the chat, the "match" sends a screenshot of "her trading dashboard". The dashboard branding says "HuobiPro Asia". This is the first concrete lead. Paste "HuobiPro Asia" into /website-checker.

Result: 3 lookalike domains active in the last 60 days, none of them owned by the real Huobi parent. All three resolve to the same hosting IP. The clone-broker pattern is now confirmed.

Step 3 — pull the deposit address (2:00 → 4:00)

The broker site asks for a USDT-TRC20 deposit. The deposit address is unique per user but the *first transit hop* is almost never unique. Paste the deposit wallet into /safe-scanner.

The engine traces the first outbound hop and checks it against the drainer-wallet blacklist. In this case: first hop matches a known consolidator wallet that has touched 14 other GACS-confirmed pig-butchering cases in the last 90 days. This is the moment the case goes from "probable" to "confirmed".

Step 4 — check for an impersonator profile (4:00 → 5:30)

The "match" has an Instagram and a WhatsApp profile photo. Reverse-image-search the IG profile picture (Google Lens, free). It came back as a Vietnamese model who is *not* on Instagram and who has been impersonated 100+ times this year. Paste the WhatsApp display name into /social-scan for a final cross-check.

Step 5 — predict the next message (5:30 → 6:30)

By now the engine has classified this as Stage 3 of the pig-butchering playbook: the victim has deposited once and "made a profit" on paper. The script says the operator will now (a) push for a second, larger deposit, then (b) when the victim tries to withdraw, demand a "tax" or "anti-money-laundering" fee. This prediction is 97% accurate across the 1,200 cases the engine has cataloged.

Two days after we re-ran the case, the reader forwarded us the operator's next message: a screenshot of a "tax notice" asking for $4,800 to release the "profits". Textbook.

Step 6 — get ahead of the recovery scam (6:30 → 8:00)

The single highest-confidence prediction in pig-butchering is the recovery-scam follow-up. Within 12 months of a confirmed loss, 1-in-3 victims is contacted by someone offering to recover the funds. The recovery scammer is almost always run by the same network — they sell the victim list back to themselves.

The reader is now subscribed to the scam-alerts RSS and has the names of the three most active recovery operators on the public blacklist bookmarked. When the recovery DM lands, they'll recognise it.

What you actually need to copy this workflow

  • A free scam-check tool. Use /safe-scanner for URLs/wallets/phones, /social-scan for handles, and /website-checker for clone-broker checks.
  • A reverse image search. Google Lens is enough.
  • Curiosity. The engine does the heavy lifting; you just paste.

Net result for the reader

  • $0 sent. The case was caught at the deposit-address stage, before the bigger second deposit.
  • 8 minutes of work, vs. the 6 weeks the operator had already invested.
  • 1 new wallet added to the public blacklist, which protected 4 additional victims who hit the same deposit page in the following week.

If you've been targeted by the same playbook — same opener, same "wrong number", same clone-broker dashboard — forward the conversation to our research desk and we'll do the same trace on your case for free.

---

*Originally published at https://gacs.app/blog/traced-50k-pig-butchering-scam-with-gacs. Free scam scanner (URL · wallet · phone · handle): https://gacs.app/safe-scanner.*

Take action now

Use the free GACS tool referenced in this article.

Run the same scan yourself
Next best action
Open the Panic Guide

If you just sent money or shared details — start here.

Continue

Related Safe Checks

Frequently asked questions

How do I check if a website, wallet, or number is a scam?+

Run it through the free GACS Safe Scanner for a 4-second verdict across 250k+ scam signals.

What should I do if I have already sent money?+

Open the GACS Panic Guide, screenshot every conversation, and contact your bank and the receiving exchange within 24 hours.

Keep reading