The first four months of 2026 produced more enforcement action against pig-butchering than the entire preceding decade. By April 29, when Dubai Police walked out of nine fortified compounds with 275 suspects in custody, the U.S. Department of Justice (DOJ) had already announced two other historic operations in the same quarter.
Together with October 2025’s $15 billion Bitcoin forfeiture from Cambodia’s Prince Group, these actions represent the largest sustained law enforcement push the industry has ever seen against romance-baiting investment fraud.
What is Pig-Butchering, and why does it thrive in crypto
“Pig-butchering”, a translation of the Chinese sha zhu pan, is no longer a series of isolated incidents; it is an industrialized psychological operation. Unlike traditional “smash-and-grab” cybercrimes, these scams are slow-burning financial executions designed to “fatten” a victim’s trust before the eventual slaughter.
In 2026, this follows a sophisticated, three-tier operational playbook:
- The Grooming (The Approach): Scammers deploy AI-enhanced personas across dating apps, LinkedIn, or encrypted messaging platforms. They don’t pitch immediately; they build emotional or professional leverage over weeks, often using deepfake audio or video to verify their “identity.”
- The Fattening (The Manipulation): The “trap” is a fraudulent investment platform that mimics real-time market data. Victims are encouraged to deposit crypto and are often shown massive, fabricated gains. To cement the illusion, syndicates often allow victims to withdraw small amounts of “profit” early on, triggering the psychological “sunk-cost” trap that leads to life-savings-level deposits.
- The Slaughter (The Exit): When a victim attempts to liquidate their position, the platform snaps shut. The organization demands “taxes,” “security fees,” or “KYC deposits” to release the funds, a final squeeze before the scammers vanish and the site goes dark.
What they reveal is a fraudulent economy that has industrialized faster than law enforcement can dismantle it.
This is the definitive map of 2026’s crackdowns, what was hit, what was missed, and what’s coming next.
March 16: Operation Atlantic and the approval-phishing pivot
The year’s first major action targeted a different scam vector entirely. On March 16, 2026, the U.S. Secret Service, the UK’s National Crime Agency, the Ontario Provincial Police, and the Ontario Securities Commission launched Operation Atlantic, a week-long initiative focused on identifying victims who had lost, or were at risk of losing, crypto assets through “approval phishing”.
Approval phishing is the technical evolution of pig-butchering’s endgame. Instead of convincing a victim to wire crypto to a fake exchange, scammers manipulate them into signing a wallet permission that grants spending control to the attacker. Once approved, the wallet can be drained at any time, often weeks after the victim has forgotten the interaction.
The numbers were significant. Investigators identified more than 20,000 cryptocurrency wallet addresses linked to fraud victims across more than 30 countries, froze $12 million in stolen funds, identified another $33 million linked to investment fraud, and disrupted more than 120 web domains. Chainalysis served as a blockchain intelligence partner, providing real-time on-chain tracing alongside operational teams at the NCA’s London headquarters.
Also Read: NCA Operation Atlantic Freezes $12M in Crypto Scam Cases
April 23: The Scam Center Strike Force hits Shunda
A month later, the DOJ unsealed the most operationally aggressive pig-butchering action to date. The Scam Center Strike Force, a unit established in 2025 by the DOJ, FBI, and Secret Service to target Southeast Asian cryptocurrency-related fraud, unsealed criminal complaints against two Chinese nationals: Huang Xingshan, also known as “Ah Zhe,” and Jiang Wen Jie, also known as “Jiang Nan,” for managing the Shunda compound in Min Let Pan, Burma.
The scale of evidence recovered exposed how industrial these operations had become. Investigators reviewed more than 8,000 phones and 1,500 computers seized from the Shunda compound after the Karen National Liberation Army took control of it in November 2025. Jiang led the team targeting Americans; under his supervision, one of his subordinates defrauded a single American victim of more than $3 million using a fraudulent investment platform, a theft celebrated within the organization as a paradigm of success.
The April 23 announcement was bigger than two arrests. Authorities seized 503 fake investment websites, restrained more than $701.96 million in cryptocurrency linked to money laundering, and conducted a first-of-its-kind seizure of a Telegram channel with more than 6,000 followers used to recruit forced-labor workers to Cambodia under false promises of high-paying employment.
April 29: The Dubai 276, and what the headline number misses
Six days after the Shunda announcement, the DOJ announced that unprecedented cooperation between the FBI, Dubai Police Department, and Chinese Ministry of Public Security had resulted in the arrest of at least 276 individuals and the dismantlement of at least nine scam centers. Dubai Police arrested 275; Thailand’s Royal Thai Police arrested one additional fugitive.
Six defendants, Burmese national Thet Min Nyi (also known as “Pixy”), Indonesian nationals Wiliang Awang, Andreas Chandra, and Lisa Mariam, and two fugitive co-conspirators, were charged in the Southern District of California with wire fraud and money laundering conspiracy tied to three scam organizations: Ko Thet Company, Sanduo Group, and Giant Company.
What’s more revealing is the longitudinal data behind the operation. Operation Level Up, the FBI–USSS proactive notification initiative established in January 2024, had, as of March 2026, notified 8,935 victims of cryptocurrency investment fraud, 77% of whom were unaware they were being scammed, saving an estimated $562 million. Ninety-three victims have been referred to an FBI victim specialist for suicide intervention due to the devastating nature of these scams.
That last number is the one that should appear in every coverage of pig-butchering and rarely does.
The laundering machine: Why arrests don’t stop flow of Pig Butchering scams
Here’s the structural problem these operations don’t solve.
According to Chainalysis’s January 2026 Crypto Crime Report, Chinese-language money laundering networks (CMLNs) increased their share of known illicit laundering activity to approximately 20% in 2025, processing $16.1 billion, about $44 million per day across more than 1,799 active wallets. CMLNs now consistently launder over 10% of funds stolen in pig-butchering scams, coinciding with a steady decline in the use of centralized exchanges, potentially because exchanges can freeze funds.
The infrastructure these networks built is the actual engine. Huione Group, a Cambodia-based financial services conglomerate, processed over $98 billion in total cryptocurrency inflows over four-and-a-half years and laundered at least $4 billion in illicit proceeds, including $37 million from North Korean cyber heists, $36 million from crypto investment scams, and $300 million from other cyber scams, before FinCEN severed it from the U.S. financial system in October 2025 under Section 311 of the USA PATRIOT Act.
Severing Huione mattered. But as Chainalysis noted in the same report, vendors simply migrate. Following the Treasury sanctions, the removal of some Huione channels from Telegram, and Cambodia’s revocation of its license, the exchange’s vendors migrated to other platforms where they advertise their services.
The vendors are the network. The platforms are interchangeable.
The Prince Group precedent: $15 billion and still operating
The October 2025 Prince Group action, the longitudinal anchor for everything that followed in 2026, illustrates exactly how resilient this ecosystem is.
The DOJ filed the largest forfeiture action in department history against approximately $15 billion in Bitcoin currently in U.S. custody, alongside an indictment of Cambodian national Chen Zhi, the founder and chairman of Prince Holding Group, for wire fraud conspiracy and money laundering conspiracy tied to forced-labor scam compounds across Cambodia. At peak operation, Prince Group was earning more than $30 million per day from fraudulent crypto-investment schemes, with each call center generating hundreds of millions to billions annually.
The Bitcoin haul, 127,271 coins worth roughly $15 billion, largely dormant since December 2020, was extracted from 25 unhosted wallets the DOJ traced through what the indictment described as professional “money houses” that converted scam proceeds in BTC and stablecoins into fiat, then repurchased clean crypto to recycle through front companies, gambling operations, and mining ventures.
But Chen Zhi remains beyond U.S. reach. Cambodian police arrested him on January 6, 2026, and his Cambodian citizenship was revoked by royal decree before he was extradited to Beijing the following day, thwarting U.S. extradition efforts.
The compounds, meanwhile, kept running. Foreign Policy reported in December 2025 that more than 250 scam factories continue to operate across Cambodia, staffed by what the United Nations estimates to be more than 100,000 trafficked and forced laborers, raking in billions of dollars a year. The patronage system protecting them shows no sign of dismantling, and at least one U.S.-linked stablecoin project, World Liberty Financial, has already had to publicly defend a partnership with a network adjacent to the sanctioned Prince Group ecosystem.
The seized funds pipeline: Where the money goes next
One overlooked dimension of these takedowns is what happens after seizure. In January 2026, the U.S. government transferred $225 million in USDT seized from a pig-butchering scam directly to Tether, settled on Ethereum without involving any exchange, in one of the largest stablecoin transactions tied to federal enforcement activity to date.
The transaction model, direct-to-issuer rather than exchange-routed, is becoming the template for how seized stablecoins are administered. Expect more of this as the $701.96 million restrained in the April 23 action moves through the system.
The 2026 evolution: AI personas and decentralized off-ramps
The methodology has also changed. Chainalysis estimates crypto scams generated more than $17 billion in losses in 2025, with impersonation scams growing more than 1,400% year over year, driven in part by AI tools. AI-enabled scams generated 4.5 times more revenue per operation than traditional scams, and the average scam payment rose to $2,764 in 2025, up from $782 the previous year, a 253% increase.
The demographic shift is just as stark. According to the FBI’s IC3 2025 Annual Report, Americans lost $11.37 billion to cryptocurrency scams in 2025, a 22% increase over 2024, with people aged 60 and older accounting for $4.35 billion of those losses, roughly 38% of the total. Elder fraud across all internet crimes jumped 59% in a single year. AI-powered scams alone generated $893 million in losses across 22,364 complaints, with deepfake voice cloning, fake celebrity endorsements, and pig-butchering operations.
AI is now being deployed to bypass know-your-customer verification across cryptocurrency exchanges, with specialized services using AI to generate realistic synthetic identity documents, fabricate video verification footage, and conduct live KYC interviews using deepfake technology.
The off-ramps are also shifting. Impersonation scams are increasingly abandoning centralized exchanges for decentralized finance options like DEXs, DeFi bridges, and protocols, leveraging the permissionless nature of these tools to keep funds moving.
The bottom line for the industry
For exchanges, the regulatory implication of 2026’s crackdowns is unmistakable: the era of “we didn’t know” is over. The Operation Atlantic blueprint requires VASPs to act in real time on-chain intelligence, not retrospective reports. Exchanges that don’t build approval-phishing detection and CMLN-pattern flagging into their compliance stack are going to find themselves on the wrong side of subpoenas before this year is out.
For DeFi, the migration of impersonation scams to DEXs and bridges is going to invite a regulatory response that the industry is unprepared for. The next major action will almost certainly target a permissionless off-ramp.
And for users, the operational reality has not changed: 77% of pig-butchering victims notified by Operation Level Up were unaware they were being scammed. The compounds adapt. The platforms shift. The personas get more convincing. The only durable defense is the one that operates one level above any specific scam pattern, which means assuming any unsolicited investment pitch, however emotionally credible, is a scam until proven otherwise.
Also Read: Inside the Trump Crypto Machine: A $4.3B Retail Meltdown, the WLFI Lawsuit, and a 2027 Bitcoin Cliff
