← All posts
Investigation9 min readPublished 2026-06-20

How to Detect Pig-Butchering Laundering in 2026

Pig-butchering is a long-form social-engineering scam that has dominated retail crypto theft for several years. The perpetrator builds a sustained relationship with the victim, often pretending to be a friend, romantic partner, or business contact, then directs the victim into a fraudulent investment or wallet. The proceeds get laundered through legitimate DeFi infrastructure on the way to cash-out, which is exactly what makes them hard to catch with list-based screening: every counterparty in the laundering path is a recognizable, legitimate protocol.

By Wade Wickingson, founder of CredScore
The short version. Pig-butchering laundering wallets share a recognizable behavioral shape: a dominant share of inbound value from one source (the victim or upstream hop), heavy routing through DEX or aggregator swap infrastructure (Uniswap, Metamask Swaps, 1inch), one-sided value flow with the wallet drained rather than retained, and an absence of trust-bearing context like CEX on-ramp provenance. Sanctions lists and entity attribution miss this shape because the protocols involved are mainstream. Behavioral scoring catches it by reading the composition rather than the labels.

Why list-based screening misses pig-butchering

Sanctions lists, mixer flags, and entity-attribution databases are lagging indicators. They get populated after investigators, victims, or governments do the work of proving a wallet is dirty. Pig-butchering wallets are unusually well-positioned to evade them.

First, the victim is often too embarrassed to report. Romance-scam victims in particular tend to internalize the loss as personal failure, which means many incidents never reach a public investigator or law-enforcement filing in the first place. Second, the perpetrator is usually a single person or a small ring, not a sanctioned organization. Even when an incident is reported, the wallet is unlikely to land on OFAC's SDN list, because that list is reserved for state-level adversaries (DPRK, sanctioned ransomware affiliates) and named criminal organizations, not individual romance-scam operators. Third, and most importantly, the laundering path runs entirely through legitimate DeFi infrastructure that no list maintainer would ever flag.

A typical pig-butchering laundering wallet might interact only with Metamask Swaps, Uniswap V3, WETH, and the 1inch aggregator. Every one of those is a piece of mainstream crypto plumbing used by tens of millions of people. Adding any of them to a watchlist would generate so many false positives that compliance teams would simply tune the rule out. The labels themselves are not the signal.

The behavioral shape that catches it

The signal is not what the wallet touches. It is how the wallet uses those tools relative to a baseline of normal DeFi usage. There are four observable characteristics that, in combination, distinguish a pig-butchering laundering wallet from a normal DEX power user.

1. Single-source inbound concentration

Normal DeFi users have diversified inbound sources: CEX withdrawals, swap proceeds returning from Uniswap, LP withdrawals from Aave or Compound, NFT sale proceeds, airdrop receipts. The composition is heterogeneous over time.

A pig-butchering laundering wallet typically shows the opposite: one upstream source supplies a dominant share (often 55–80%) of the wallet's inbound native-token value. That source is the victim transfer, or in multi-hop cases, the previous laundering wallet in the chain. The exact threshold matters less than the asymmetry against typical DeFi behavior, where no single source usually exceeds 40% of total inbound value.

2. Heavy DEX and aggregator routing

Normal users swap occasionally and hold positions. A laundering wallet swaps constantly and holds nothing. The DEX plus aggregator share of total activity typically sits at 30–60% of all transfers on a laundering wallet, dominated by Uniswap V3 router calls, Metamask Swaps interactions, and aggregator routes like 1inch or 0x. Each swap converts one token to another to obscure the trail; multiple consecutive swaps fragment what was originally a single inbound transfer into many smaller outbound transfers.

3. One-sided flow and drained balance

A normal user's wallet retains some balance most of the time. A yield farmer holds LP positions. A holder accumulates and waits. Even a frequent trader keeps working capital. A laundering wallet is the opposite: funds arrive, get processed, get sent out, and the wallet sits at dust or zero balance once the operation is complete. The value-balance score (the ratio of net flow to total flow) sits near zero on a laundering pass-through, which is the engine's signal that the wallet is one-directional rather than custodial.

4. No CEX on-ramp provenance

A legitimate DEX power user almost always has some CEX exposure on the inbound side. They funded the wallet from Coinbase or Binance or Kraken at some point, even if the original deposit happened years ago. That inbound CEX trace is the on-ramp provenance that makes the wallet's capital base legible.

A laundering wallet is funded by the victim or by an upstream wallet that is itself funded by victims. CEX exposure on the inbound side is unusually low — sometimes zero, often under 15% of total inbound interactions. The wallet may eventually send proceeds to a CEX for cash-out, but the missing on-ramp side of that relationship is itself a signal.

The compound trigger, gated to avoid false positives

Any one of these four characteristics in isolation describes a large set of legitimate wallets. Single-source inbound concentration can describe an ICO recipient. Heavy DEX usage can describe an active trader. Drained balance can describe a wallet that was retired. Low CEX exposure can describe a user who funds exclusively through OTC or peer-to-peer transfer.

The combination is what makes the signal actionable. The CredScore engine's dex_routed_pass_through_pattern flag fires only when a wallet satisfies a five-gate compound:

A wallet that fails any one of these gates does not trip the flag. Vitalik Buterin's personal address has high inbound concentration (donors often send large single transfers) and one-sided flow at times, but his DEX usage is essentially zero (under 1% of his activity), so the routing gate prevents a false positive. A Binance cold wallet has 99.999% single-source inbound from hot wallets and net-zero flow, but again only 0.17% DEX usage, so the same gate holds. An active DEX trader meets the routing gate but typically has diversified inbound from CEX returns, so the concentration gate stops it.

A documented case where this shape catches

In May 2026, on-chain investigator ZachXBT published an investigation tying multiple wallets to an alleged 18-year-old US-based crypto thief, in a case covering approximately $19M in social-engineering thefts. One of the named Ethereum addresses, 0xea9fccb3ea820f080f38e9c49fc1a201066010c7, has all the structural characteristics described above:

Run through CredScore with no off-chain context and no attribution hints, the wallet returns Medium Risk, score 55 out of 100, Review at 84% confidence. Every individual counterparty on the wallet is mainstream infrastructure — Metamask Swaps, Uniswap V3 Router, WETH Token. No sanctions designation, no mixer exposure, no DPRK cluster overlap. A list-based screen clears the address. The behavioral pattern flags it for review on the shape alone. The live verdict is reproducible at credscore.us/v/9dyI-QJBSkc, and the full case study with unedited engine screenshots is here.

Note on detection age. The dex_routed_pass_through_pattern flag was added to the CredScore engine on 2026-06-20, the same day this post was published. Before that update, the wallet above scored 100/Low/Proceed under the engine's prior rules, because the existing inbound-concentration and fan-in collector flags both had calibration gaps that DEX swap activity defeated. The fix is a tight multi-signal compound trigger, gated specifically to avoid false positives on legitimate DEX power users (vitalik.eth scored unchanged at Low/72 after the update). A scoring engine that does not evolve in response to evidence is a static product, not a live one.

What this changes for a compliance desk

The practical implication for a working compliance desk is that an address does not need to be on a list to be dangerous. Pig-butchering laundering wallets will rarely end up on OFAC, and even when individual perpetrators are publicly named, the specific wallets they used cycle quickly. A screening tool that only checks lists is structurally blind to this category of theft.

A deterministic behavioral engine that reads the structural composition of a wallet's activity does not have to wait for the list to populate. It can flag the wallet for review the first time it sees the shape, with a written briefing and signal-by-signal breakdown that an analyst can act on. The verdict is decision support, not a legal conclusion: the same shape can describe an ICO recipient cashing out through DEX, which is why the engine returns Review rather than Escalate when the pattern fires. A human analyst can disambiguate from inbound-counterparty context that off-chain investigation provides.

How to apply this in practice

If you are evaluating a wallet for a compliance workflow, the questions to ask are not "is it on a list" or "are the counterparties recognizable." They are:

Three or four "no" answers in combination are the laundering signature. None of them in isolation is a reliable signal. The combination is what the engine evaluates, and the same composition you can read by hand is what produces the verdict deterministically in seconds.

Run the analysis yourself. The wallet referenced in this post is publicly known and the engine output is reproducible. Paste 0xea9fccb3ea820f080f38e9c49fc1a201066010c7 on credscore.us/try to see the verdict and the signal-by-signal breakdown. Then try a wallet whose risk profile you already know. If the engine agrees with your read, you have an audit-defensible second opinion. If it disagrees, you have a starting point for investigation.

Sources and further reading

Published 2026-06-20. Last updated 2026-06-20.
The wallet address referenced was publicly named by on-chain investigator ZachXBT in a May 2026 investigation. The named individual has not been the subject of a public criminal conviction tied to this specific address as of publication. This post is decision support, not a legal conclusion.