// investigation guide

pig butchering / long-con investment scam — methodology

pig butchering is a long-con — not a single phishing email, not a hack. evidence spans dating-app history, months of chat grooming, fake platform screenshots, and an on-chain deposit graph — ethereum tx decode, flow visualization, and mixer detection on the way out. the victim is not stupid; they were targeted by a professionalized operation.

what evidence exists and how fast it dies

artifact | volatility | time to loss
WhatsApp chat export / ChatStorage.sqlite | persistent on device | gone after uninstall or remote wipe
on-chain transactions | immutable | never — but mixer breaks trace
fake platform website | ephemeral | often offline within weeks of realization
victim screenshots | only if saved | most victims do not export camera roll
bank / wire records | persistent | 90+ days at most institutions

the first 10 minutes

  1. do not confront the scammer — they will vanish and wipe chat.
  2. export WhatsApp chat with timestamps (iOS: Export Chat → Without Media).
  3. photograph every screen of the fake platform before it goes down.
  4. save every deposit wallet address and transaction hash.
  5. list every dollar/crypto amount moved, chronologically.
  6. identify all borrowed capital (family loans, HELOC) — highest-stakes conversation.
  7. begin on-chain analysis from victim wallet on a block explorer.
  8. file FBI IC3 with all evidence attached.
  9. get a local police case number (needed for bank disputes).
  10. begin the path below — all locally, no upload.

the path

  1. ios dating app artifact forensic extractor

    export Hinge/Bumble/Tinder sqlite or plist from device backup. surfaces match date, pre-move-off messages, We Met confirmations.
    why first: the con starts on the dating app — document the origin before the scammer moves you to WhatsApp.

  2. ios whatsapp artifact forensic extractor

    ChatStorage.sqlite from iOS backup. reconstruct grooming timeline, TaiKun link introduction, tax-hold pressure messages.
    why second: months of daily chat is the core evidence — export before uninstall.

  3. ios screenshot burst forensic analyzer

    photos.sqlite from backup — burst sessions of platform dashboard screenshots (balance, withdrawal errors).
    why third: victims screenshot the fake platform obsessively — bursts correlate with deposit events.

  4. ethereum tx decoder

    raw signed tx hex or wallet export rows. decode victim → scam-pool deposits.
    why fourth: on-chain deposits are immutable proof of money movement.

  5. crypto tx graph

    edge list from deposit addresses through scam pool to mixer sink.
    why fifth: visualize downstream flow for IC3 / exchange subpoena targets.

  6. crypto mixer pattern detector

    BTC trace csv if secondary rails involved — CoinJoin / known mixer inputs.
    why sixth: many pig-butchering ops launder through mixers within 48h of victim deposit.

  7. bitcoin tx decoder

    tax-hold wire or secondary BTC payment hex — decode outputs for handoff.
    why seventh: the final 'tax compliance' payment is often a separate rail from the main USDT deposits.

  8. crypto wallet classifier

    MetaMask / exchange export csv — classify victim and scam addresses by chain and format.
    why last: clean address inventory for law enforcement and exchange abuse reports.
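
added example for step 5 (crypto tx graph), not this project's own code: a time-respecting forward trace over an edge list that stops at the mixer sink, lists exchange-tagged addresses for subpoena requests, and measures hours from the last victim deposit to the mixer. all addresses, timestamps and labels are constructed placeholders; the `traceFlow` name and the label map are assumptions.

```javascript
// Added example: sample data is constructed; addresses and labels are placeholders.
const EDGES = [
  { from: "victim-wallet", to: "deposit-A", ts: "2024-03-01T10:00:00Z" },
  { from: "victim-wallet", to: "deposit-B", ts: "2024-03-09T18:30:00Z" },
  { from: "deposit-A", to: "scam-pool", ts: "2024-03-01T11:15:00Z" },
  { from: "deposit-B", to: "scam-pool", ts: "2024-03-09T19:00:00Z" },
  { from: "scam-pool", to: "hop-1", ts: "2024-03-10T07:45:00Z" },
  { from: "scam-pool", to: "exchange-deposit", ts: "2024-03-10T08:00:00Z" },
  { from: "hop-1", to: "mixer-sink", ts: "2024-03-11T02:00:00Z" },
  { from: "mixer-sink", to: "post-mixer", ts: "2024-03-12T00:00:00Z" },
  { from: "unrelated", to: "scam-pool", ts: "2024-02-01T00:00:00Z" },
];
// In a real case these tags come from an attribution source; here they are assumed.
const LABELS = { "mixer-sink": "mixer", "exchange-deposit": "exchange" };

function traceFlow(edges, start, labels) {
  const out = new Map(); // address -> outgoing transfers
  for (const e of edges) {
    if (!out.has(e.from)) out.set(e.from, []);
    out.get(e.from).push({ to: e.to, t: Date.parse(e.ts) });
  }
  const arrival = new Map([[start, -Infinity]]); // earliest time funds reached each address
  const parent = new Map();
  const queue = [start];
  while (queue.length) {
    const node = queue.shift();
    if (labels[node] === "mixer") continue; // the trace breaks at the mixer: do not follow outputs
    for (const e of out.get(node) || []) {
      if (e.t < arrival.get(node)) continue; // transfer predates the victim's funds arriving
      if (arrival.has(e.to) && arrival.get(e.to) <= e.t) continue; // not an earlier arrival
      arrival.set(e.to, e.t);
      parent.set(e.to, node);
      queue.push(e.to);
    }
  }
  const pathTo = (n) => {
    const p = [n];
    while (parent.has(p[0])) p.unshift(parent.get(p[0]));
    return p;
  };
  const deposits = (out.get(start) || []).map((e) => e.t);
  const reached = [...arrival.keys()];
  const mixerPaths = reached.filter((n) => labels[n] === "mixer").map((n) => {
    const last = Math.max(...deposits.filter((t) => t <= arrival.get(n)));
    return { path: pathTo(n), hoursAfterLastDeposit: (arrival.get(n) - last) / 3.6e6 };
  });
  return { reached, mixerPaths, exchangeTargets: reached.filter((n) => labels[n] === "exchange") };
}
console.log(JSON.stringify(traceFlow(EDGES, "victim-wallet", LABELS), null, 2));
```

the reported path is the earliest time-respecting route to the mixer, so it shows that funds could have flowed that way, not which deposit's coins took it.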

common false leads

  • he sent a video so he is real — videos are pulled from social media or deepfaked.
  • I withdrew once so the platform is legit — small test withdrawals are a trust-building feature.
  • Tornado Cash means we cannot trace — true after the mixer, false before the on-ramp.
  • the tax hold is real — no legitimate platform asks you to wire more to release a withdrawal.

what we can tell you, what we can't

we can tell you:

  • full conversation timeline matching known pig-butchering scripts
  • on-chain graph from victim wallet through scam pool toward mixers
  • deposit-side exchange clustering (sometimes)
  • screenshot burst patterns tied to platform interaction

we can't tell you:

  • recover funds — extremely unlikely after mixer
  • identify the individual operator — often scripted workers in forced-labor compounds
  • guarantee prosecution — jurisdiction is the obstacle

handing it off

  • FBI IC3 (US): chat exports, wallet addresses, tx hashes, platform screenshots, timeline.
  • local police: case number for bank / credit disputes.
  • chain tracing partners: Chainalysis / TRM / Elliptic if you have access via counsel or exchange.

reference investigation

synthetic fixture miranda-pig-butchering — Hinge → WhatsApp grooming → TaiKun Capital fake exchange → $148k drained, seed miranda-pig-butchering:v1. compare via npm run check:flagship (40/40 fleet · 8 for this scenario).

proof page: /forensics/proof/miranda-pig-butchering · case playbook: case type tools
