In the rural heartlands of China, farmers overfeed their pigs to keep them blissfully unaware of the blade and ensure harvest of the best quality meats. That logic has found an unsettling parallel online.
The concept of Shā Zhū Pán, Chinese for ‘pig butchering,’ has come to define a class of prolonged investment scams that now dominate Southeast Asia’s cybercriminal economy. In these schemes, victims are gradually “fattened” with trust, reassurance, and fabricated gains before their savings are taken in full by scammers. In 2024 alone, revenue from such scams rose by nearly 40% year-on-year, according to Chainalysis’ “2024 Crypto Crime Report”.
The method itself is not new. What has changed is its efficiency.
Once characterised by isolated scammers, pig butchering has developed its own economy, referred to as “pig butchering as a service” or PBaaS. Due to the personalised nature of these scams, it can be difficult to tackle the issue at scale, instead fighting each case as it arises. However, every one of these scams has something in common: each depends on the Domain Name System (DNS), the invisible layer that allows devices to find and communicate with each other online.
In this layer, the machinery of modern pig butchering reveals itself.
Fraud without friction
Previously, pig butchering required technical skill to set up fake investment schemes and charm to manipulate victims into investing. But today, industrialised pig butchering services significantly lower the barrier to entry.
Criminal service providers now offer pig butchering as a service. For as little as US$50, anyone can purchase a ready-made investment website complete with dashboards, branding, and payment flows. For a few thousand dollars more, “full-service” packages include hosting, cryptocurrency wallets, company incorporation, and even regulatory registrations designed to create the illusion of legitimacy.
The economics are stark. These small initial investments can generate a payoff in the range of 70,000% ROI, considering that successful pig butchering networks launder millions. With the scam infrastructure in place, illegal marketplaces offer databases with thousands of stolen personal profiles, which makes hunting for victims easy. Even scammers that lack creativity can automate this process using chatbots and deepfakes to create highly personalised lures.
Why do these scams keep slipping through?
Pig-butchering platforms persist not because they are invisible, but because they are designed to look ordinary.
Some masquerade as benign services (e.g., news apps, lifestyle tools) slipping through moderation processes on official app stores before revealing their true purpose. Others present polished trading dashboards that display real-time market data, reinforcing the impression that money is being actively invested, even when withdrawals are impossible.
Behind the scenes, communication shifts to encrypted messaging platforms, where identities are easily spoofed and conversations leave little trace. Domains are registered cheaply, used briefly, and discarded. Infrastructure is treated as expendable and is valuable only while it continues to extract value.
This churn overwhelms traditional defensive approaches. By the time a fraudulent site is identified and blocked, dozens of near-identical replacements may already be live. Yet for all their adaptability, these operations remain constrained by one fundamental requirement.
Every scam, no matter how fleeting, must still function on the internet. And every internet interaction begins with the same quiet exchange.
Follow the system, not the symptoms
DNS is the internet’s addressing layer. It translates human-readable names into the numerical locations that machines use to communicate. Most people never think about it. Most criminals barely notice it.
That’s exactly why it matters.
While individual scam websites come and go, their DNS patterns endure. Domains are reused. Hosting providers overlap. Naming conventions recur. Configuration choices repeat across hundreds of sites. When examined collectively, these traces reveal the contours of an entire criminal supply chain.
In a recent investigation, Infoblox researchers began with a single pig-butchering site reported in Taiwan. By analysing how its domains were registered, hosted, and briefly exposed before being shielded, they uncovered a sprawling network of more than 350 related domains, linked to shell companies across Hong Kong and the United Kingdom. The same website templates had been quietly reused for years.
Stop chasing bad farmers, dismantle the farm
Countering the pig butchering surge in Southeast Asia will require a shift in focus. Raids and arrests make for compelling headlines, but they leave the underlying system untouched. As long as the infrastructure providers, facilitators, and service brokers remain in place, production continues elsewhere.
DNS offers a way to move upstream: to identify shared infrastructure, disrupt supply chains, and block access to markets before scams reach scale. Instead of reacting after victims have been harmed, authorities can intervene at the systemic level, where replacement is slowest and costliest.
By tracing the farmers’ digital footprints, authorities can seize the land and block access to the market before a new farm even begins production, ensuring the next victim is never led to the trough.
