Pig butchering / DEX laundering$19M alleged schemePublished 2026-06-20

Pig-Butchering Wallet: Catching the DEX-Routed Pass-Through Shape Sanctions Lists Miss

In May 2026, on-chain investigator ZachXBT publicly named a set of wallets tied to an alleged 18-year-old US-based crypto thief, including the Ethereum address analyzed here. The wallet has 100% attribution coverage and zero sanctions or mixer exposure. CredScore now flags it Medium Risk, Review, on the laundering shape itself.

By Wade Wickingson, founder of CredScore
TL;DR
  • In May 2026, ZachXBT published an investigation tying approximately $19M in social-engineering thefts to a US-based alleged actor, naming multiple wallets including the Ethereum address 0xea9fccb3ea820f080f38e9c49fc1a201066010c7.
  • The named wallets are grouped among addresses linked to more than $5.85M across five high-confidence social-engineering thefts in 2025, per the same reporting.
  • The wallet has zero sanctions designation, no mixer interactions, no DPRK cluster overlap, and 100% mainstream entity attribution coverage (Metamask Swaps, Uniswap V3 Router, WETH Token). Every list-based screen returns clean.
  • CredScore returned Medium Risk, score 62/100, Review, at 84% confidence, with the new DEX-routed pass-through pattern firing as primary driver: 75% of inbound value from a single source, 54% of activity routed through DEX or aggregator swap infrastructure, and a value-balance score of 0.01 (heavily one-sided, drained).
  • The detection that catches this shape was added to the engine on 2026-06-20. Before the update the wallet scored 100/Low/Proceed. This case study documents both the catch and the gap that produced it.

Pig butchering is the long-form social-engineering scam that has dominated retail crypto theft for several years. The perpetrator builds a sustained relationship with the victim, often posing as a friend, romantic interest, or business contact, then steers the victim toward a fraudulent investment or wallet. Small fake gains keep the victim invested. Eventually the victim is drained for everything they will send. The proceeds typically pass through legitimate DeFi infrastructure on the way to cash-out, which is exactly what makes them hard to catch with list-based screening: every counterparty in the laundering path is a recognizable, legitimate protocol.

In May 2026, on-chain investigator ZachXBT published an investigation that publicly named Dritan Kapllani Jr., an alleged 18-year-old US-based actor, as the controller of multiple wallets tied to approximately $19M in social-engineering thefts. The investigation named several specific addresses across Bitcoin and Ethereum, including the August 2025 Ethereum address 0xea9fccb3ea820f080f38e9c49fc1a201066010c7. ZachXBT's reporting also grouped the named wallets among addresses tied to more than $5.85M across five high-confidence social-engineering thefts in 2025.

This case study runs that Ethereum address through CredScore with no special configuration, no off-chain context, and no attribution hints, and publishes the result. The engine has no sanctions match on the address, no mixer exposure, and 100% mainstream protocol attribution. To a list-based or entity-attribution screen, this is a clean wallet. CredScore flags it for review anyway, because the shape of the activity is the laundering signature.

Every screenshot below is unedited output from a production CredScore analysis. The engine is fully deterministic. Every flag has a written rationale, and every score traces to an observable on-chain signal. The full verdict is also live at credscore.us/v/9dyI-QJBSkc.

The wallet

ZachXBT's May 2026 investigation lists this address as an August 2025 Ethereum wallet tied to the broader alleged $19M scheme. The engine's observed snapshot at analysis time:

Named Ethereum address0xea9fccb3ea820f080f38e9c49fc1a201066010c74.9y old · 186 transfers · drained to dustMedium / 62 / Review

The shape is the point. The wallet is nearly five years old, so it is not a fresh throwaway address. It has 186 observed transfers across that lifespan, currently sits at a dust balance, and shows the laundering fingerprint clearly: a single inbound source supplied roughly 75% of inbound ETH value, 54% of all activity routed through DEX or aggregator swap infrastructure (Uniswap V3 Router, Metamask Swaps, 1inch), the value-balance score is 0.01 (almost entirely one-directional flow), and the wallet was drained rather than retained. Every individual counterparty in that path is a recognizable, legitimate piece of Ethereum infrastructure. None of them carry any adverse attribution. The wallet still reads as a laundering pass-through because the engine evaluates the shape of how those tools were used, not the labels on the tools themselves.

The verdict

CredScore verdict for the ZachXBT-named social-engineering laundering wallet: Medium Risk, score 62 out of 100, Review decision posture at 84 percent confidence
Verdict for the ZachXBT-named Ethereum address, run with no sanctions data and no entity attribution hints. Medium Risk, score 62, Review, 84% confidence. The decision is driven by observable on-chain behavior alone.

The verdict was Medium Risk, a score of 62 out of 100, a Review decision posture, at 84% confidence. There is no list lookup or attribution match producing this verdict. The engine reaches it from the wallet's observable behavior alone.

The 84% confidence number is the most important value on the page. CredScore reports confidence as a separate axis from risk because a high-confidence Review verdict is the one a compliance analyst needs most: the engine is willing to defend the call in a written briefing, the signal coverage is strong, and the underlying numbers support escalation rather than just hesitation. Most opaque addresses produce moderate confidence (50-65%). A high-confidence Review on a five-year-old wallet with 100% mainstream attribution is structurally unusual and is itself a signal worth attention.

The primary risk drivers

CredScore primary risk drivers for the social-engineering laundering wallet: DEX-routed pass-through pattern with 75 percent single-source inbound concentration, 54 percent DEX and aggregator routing share, and heavily one-sided value flow
The new DEX-routed pass-through pattern flag headlines the verdict, with three numeric evidence lines: 75% of inbound value from one source, 54% of activity routed through DEX or aggregator swap infrastructure, and a value-balance score of 0.01 indicating near-total one-directional flow. Rapid outflow and dense contract interaction round out the primary drivers.

The DEX-routed pass-through pattern is the headline driver. The flag fires on a tight five-gate compound: (1) a dominant single-source share of inbound value, (2) heavy DEX or aggregator routing of activity, (3) heavily one-sided flow or a drained balance, (4) enough non-zero transfers to make the pattern meaningful, and (5) the wallet is not a recognized known-good public entity. Each gate on its own is consistent with normal DeFi behavior. The combination is the laundering signature.

Rapid outflow activity is the second driver: 90 rapid outbound events the engine observed, the velocity signal that captures fragmented distribution rather than organic spending. Dense contract interaction is the third: 93 unique contracts touched, an interaction density of 0.50, which is high enough to register even given the DEX-heavy context. The three drivers reinforce each other. The engine is not relying on any single signal.

The signal breakdown

CredScore score composition for the social-engineering laundering wallet, showing the six risk dimensions with Behavior at 11, Coverage at 4, and Stability at 24
The six-dimension score composition. Behavior carries 11 points of risk pressure (driven by the pass-through pattern and rapid outflow). Coverage carries 4 points. Entity, Concentration, and Temporal categories stayed clean. Stability offsets back 24 points from wallet age and observed activity. Every dimension is independent and written down.

The signal breakdown is where the verdict becomes defensible. Each individual signal that moved the score appears with its numeric contribution and a written rationale. Rapid outflow subtracts 7 points. The pass-through pattern carries a behavior-category contribution of 10 points and a coverage-category contribution of 4 points, and forces a score cap of 62 so the wallet cannot land in Low Risk while the pattern is active. Wallet age contributes a modest 5 points back as offsetting context. Attribution coverage and counterparty distribution add small positive credits. Every contribution is independent, written down, and reproducible. Run the wallet again tomorrow and you get the same arithmetic.

The written briefing

CredScore deterministic analyst briefing for the social-engineering laundering wallet, explaining the Review verdict in plain language tied to underlying signal values
The analyst briefing assembled deterministically from the signal output, with every sentence tied to a real numeric value in the analysis. For an internal review or external audit, the written justification matches the numeric evidence exactly rather than paraphrasing it.

Why behavior catches what lists miss

Sanctions lists, mixer flags, and entity-attribution databases are lagging indicators. They get populated after investigators, victims, or governments do the work of proving a wallet is dirty. In pig butchering specifically, the wallets that move stolen proceeds will often never end up on a list: the victim is too embarrassed to report, the underlying actor is a single person rather than a sanctioned organization, and the laundering path runs entirely through legitimate DeFi infrastructure that no list maintainer would ever flag.

This wallet illustrates that gap concretely. Every label CredScore observed on it was a recognizable piece of Ethereum infrastructure. Metamask Swaps. Uniswap V3 Router. WETH Token. None of those carry adverse attribution. None of them ever will. A list-based screen looks at this panel and clears the wallet. The CredScore engine flags it for review anyway because the wallet is not interacting with those protocols the way a normal DeFi user does. It is using them to fragment and obscure a single dominant inbound that it then drains.

For a working compliance desk, the value is direct: an address does not need to be on a list to be dangerous, and a deterministic behavioral engine will tell you to stop and look before any list catches up.

Wallet relationship graph for the social-engineering laundering wallet showing single inbound source and fan-out to many distinct counterparties through Uniswap V3, Metamask, and wrapped ETH protocols
The relationship graph shows the shape directly. One dominant inbound source (the green inbound arrow on the left, 8 ETH from 0xa9d1) feeds the wallet, which fans funds back out through Uniswap V3 Positions NFT, Metamask, Uniswap, and Wrapped ETH protocols. Edge mix is 7 out to 1 in. Every counterparty in the path is recognizable, legitimate infrastructure. None carry adverse attribution. The shape is the signature, not the labels.

The detection that catches this

The DEX-routed pass-through pattern was added to the CredScore engine on 2026-06-20, the same day this case study was published. Before that update, the same wallet scored 100/Low/Proceed under the engine's prior rules, because three earlier laundering detectors structurally false-missed the shape: the inbound-concentration flag required a 0.80 single-source share, this wallet ran at 0.75; the fan-in collector pattern required an 85% inbound activity ratio, broken by every DEX swap creating an outbound leg to the router; and the global attribution coverage was 100% because every contract-mediated counterparty is "attributed" at the contract-type level, even when the actual upstream senders are unlabeled victim wallets.

The new flag closes that gap with a tighter compound trigger. It does not lower any existing threshold. It does not over-trigger on legitimate DEX power users (vitalik.eth scored unchanged at Low/72 after the update because his DEX usage share is essentially zero). It targets the specific composition of single-source dominant inbound + heavy swap routing + drained balance + not-a-known-treasury that distinguishes a laundering pass-through from a routine DeFi user.

Publishing this case study on the same day the detection ships is intentional. A scoring engine that does not evolve in response to evidence is a static product, not a live one. The roadmap for what gets added next is dictated by what real wallets surface when they run through the engine.

What this study does not claim

Four boundaries this analysis is explicit about.

This is retrospective, not a discovery. ZachXBT publicly named the wallet in his May 2026 investigation. CredScore did not identify the actor and did not catch the laundering first. The claim is narrower: the engine independently produces a Review verdict on observable behavior alone, with none of the off-chain context that established the attribution.

The engine does not assert criminal intent. ZachXBT's investigation describes the alleged actor as "allegedly" tied to the social-engineering thefts. The named individual has not, at time of publication, been the subject of a public criminal conviction tied to this specific address. CredScore observes the laundering-shape behavior on the wallet itself. The shape is consistent with social-engineering laundering. It can also be consistent with one-shot legitimate behavior, which is exactly why the verdict is Review rather than Escalate.

The verdict is decision support, not a legal conclusion. A Review posture is a review trigger, not proof of wrongdoing. It tells a compliance desk that the wallet's behavior is structurally inconsistent with routine DEX usage and that the inbound source provenance should be established before processing the wallet through any trust-bearing workflow.

The other wallets named in the ZachXBT investigation are not analyzed here. The May 2026 reporting names multiple Ethereum and Bitcoin addresses tied to the same alleged actor, with the broader case scoped at roughly $19M. This case study analyzes the single Ethereum address listed above. CredScore does not currently cover Bitcoin.

What this case study proves

A nearly five-year-old wallet with 100% mainstream entity attribution, zero sanctions exposure, zero mixer interactions, and 186 transfers passed through it. Publicly named by an on-chain investigator as a laundering address in an alleged $19M social-engineering scheme. The CredScore engine assigns it Medium Risk, score 62, Review at 84% confidence, on observable behavior alone, with a written briefing and a signal-by-signal breakdown, produced in seconds, with no machine learning anywhere in the pipeline.

Enterprise blockchain analytics tools can reach comparable conclusions on this wallet, behind a large annual contract and a multi-week procurement process. For a feature-by-feature comparison, see CredScore vs Chainalysis, CredScore vs TRM Labs, and CredScore vs Elliptic.

Run a wallet you already know

The best way to judge a deterministic risk engine is not to read a case study. It is to paste in a wallet whose risk profile you already know and see whether the verdict matches your read. If you work in this field, you have a list of wallets where you know the right answer. Run a few and find out.

Open the desk

Paste any Ethereum, Base, Arbitrum, Optimism, Polygon, or Tron wallet and see a full briefing in seconds: score, decision posture, signal breakdown, and entity context.

Try CredScore freeView the live verdictMore case studies

Frequently asked questions

What is pig butchering in crypto?

Pig butchering is a long-form social-engineering scam. The perpetrator builds a sustained relationship with the victim, often pretending to be a friend, romantic partner, or business contact, then directs the victim into a fraudulent investment. Small fake gains keep the victim invested. Eventually the victim is drained. The proceeds typically route through legitimate DeFi infrastructure (DEX swaps, aggregators, bridges) before cash-out, which is what makes them hard to catch with list-based screening.

What wallet is analyzed in this case study?

The Ethereum address 0xea9fccb3ea820f080f38e9c49fc1a201066010c7, publicly named by ZachXBT in May 2026 as one of multiple wallets tied to an alleged 18-year-old US-based crypto thief, in an investigation covering approximately $19M in social-engineering thefts.

Was the wallet on a sanctions list?

No. The wallet carried no OFAC designation, no Tornado Cash interactions, no mixer exposure, and no adverse entity attribution at analysis time. Every label CredScore observed was mainstream DeFi infrastructure (Metamask Swaps, Uniswap V3 Router, WETH Token). A list-based screen returns clean. CredScore flags it for review on the behavior.

Did CredScore identify this wallet first?

No. ZachXBT publicly named the address in May 2026. This is a retrospective analysis. CredScore independently reaches a Review verdict on observable behavior alone, with none of the off-chain context that established the attribution.

Why does CredScore now catch this when it did not before?

DEX-routed pass-through laundering was a known gap in CredScore's behavioral detection until 2026-06-20, when a new compound flag was shipped that targets the shape specifically: a wallet receiving a dominant share of inbound value from one source, routing through DEX or aggregator swaps, and draining rather than retaining. The earlier engine treated heavy Uniswap and Metamask Swaps interaction as offsetting context. The updated engine treats that same routing as the laundering signature it actually is, gated so legitimate DEX power users (vitalik.eth scored unchanged) do not false-positive.

Is the CredScore engine using machine learning?

No. The engine is fully deterministic. Every flag and score traces back to observable on-chain signals through a documented pipeline. The same wallet produces the same auditable verdict every time.

Sources and further reading

Published 2026-06-20. Last updated 2026-06-20.
Analysis produced by CredScore. The wallet address referenced was publicly identified by on-chain investigator ZachXBT in a May 2026 investigation. The named individual has not been the subject of a public criminal conviction tied to this specific address as of publication. This analysis is retrospective and is decision support, not a legal conclusion.