The U.S. enforcement action against Southeast Asian scam centers and the public-private "Operation Atlantic" coalition each froze tens of millions of dollars in pig-butchering proceeds. Both used the same on-chain methodology: take known victim deposit addresses, find the first-hop withdrawal addresses where multiple victims overlap, and treat that overlap as a single named scam cluster.
This post is the practitioner version of that workflow.
Why pig-butchering is a graph problem
A pig-butchering operation typically works like this:
1. The operation runs 200–2,000 fake romance / investment Telegram or WhatsApp channels in parallel
2. Each victim is given a unique deposit address (USDT TRC-20 is common, but ETH-based scams are rising fast)
3. Funds get swept from per-victim deposits into a small number of consolidation wallets within hours
4. From consolidation, funds bridge to a chain with a no-KYC ramp (BSC → Tron, ETH → BSC via canonical bridge, or Solana for the speed)
5. The no-KYC exchange off-ramps to fiat in a non-MLAT jurisdiction
The attack surface for investigators is step 3 — the consolidation wallets, where independent victim funds visibly converge. Even if each victim only knows their own deposit address, joining across them surfaces the operation.
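The convergence check described above, as an added example that is not part of the original post or 1F's code: it takes victim-reported deposit addresses plus a transfer list and returns the first-hop receivers funded by several distinct deposits inside a rolling window. The addresses, the transfer tuple layout, the `min_victims` threshold and the 24-hour window are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample data (not real addresses): (from, to, unix_time)
VICTIM_DEPOSITS = {"dep_A", "dep_B", "dep_C", "dep_D"}
TRANSFERS = [
    ("dep_A", "sweep_1", 1_000),
    ("dep_B", "sweep_1", 5_000),
    ("dep_C", "sweep_1", 40_000),
    ("dep_D", "sweep_2", 2_000),
    ("dep_A", "sweep_2", 200_000),  # more than 24h after dep_D's sweep
    ("other", "sweep_1", 3_000),    # sender is not a reported deposit
]
WINDOW = 24 * 3600  # assumed rolling window, in seconds


def consolidation_candidates(deposits, transfers, min_victims=2, window=WINDOW):
    """Map each first-hop receiver to the largest set of distinct victim
    deposit addresses that paid into it within one rolling window."""
    inbound = defaultdict(list)
    for src, dst, ts in transfers:
        # Only first-hop withdrawals out of reported deposit addresses count.
        if src in deposits and dst not in deposits:
            inbound[dst].append((ts, src))

    result = {}
    for dst, events in inbound.items():
        events.sort()
        best, start = set(), 0
        for end in range(len(events)):
            # Slide the window start forward until it spans <= `window` seconds.
            while events[end][0] - events[start][0] > window:
                start += 1
            seen = {src for _, src in events[start:end + 1]}
            if len(seen) > len(best):
                best = seen
        if len(best) >= min_victims:
            result[dst] = sorted(best)
    return result


if __name__ == "__main__":
    for wallet, victims in consolidation_candidates(VICTIM_DEPOSITS, TRANSFERS).items():
        print(wallet, "<-", victims)
```
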
Step 1 — Surface candidate clusters from a seed address
Given a single victim-reported scam address, 1F's scam-network endpoint runs a BFS up to 2 hops and scores candidates by shared-funder + shared-receiver overlap within rolling 24-hour windows:
GET /api/forensics/scam-network/0xVictimReported
A candidate scoring above 0.7 is almost always part of the same operation. Below 0.4 is noise.
Step 2 — Merge into a named cluster
Once you have ≥3 confirmed first-hop addresses from independent victim reports, name the cluster as a single entity:
POST /api/clusters/merge
{
  "name": "40% Return Scam (Hong Kong-based)",
  "category": "scam",
  "icon": "🎣",
  "color": "#f85149",
  "addresses": ["0x...", "0x...", "0x..."],
  "note": "Merged from victim reports #1042, #1118, #1244"
}
The cluster becomes a first-class entity. From this point on, every screen query that touches any member address surfaces the full cluster.
Step 3 — Reverse-sweep against the customer DB
This is the step Operation Atlantic accelerated. The cluster you just merged is a list of addresses. Run a reverse multi-hop exposure query (dir=in) to find every address that has sent funds INTO any cluster member:
GET /api/forensics/exposure-multihop/{clusterMember}?dir=in&hops=2
Run that for each cluster member, deduplicate, and you have the complete victim list — including the victims who haven't reported yet because they're still being romanced. Cross-reference against your exchange's customer DB and you have a list of accounts to proactively notify.
Step 4 — Share the cluster across exchanges
Per FATF guidance, exchanges can share scam-cluster attribution without disclosing PII (the wallet addresses themselves are public). 1F's cross-tenant community feed lets one customer publish the cluster and other customers auto-merge it into their local entity store with source="community:{publisherFingerprint}":
POST /api/community/share
{
  "address": "0x...",
  "category": "scam",
  "name": "Pig butchering — Telegram group XYZ",
  "evidenceUrl": "https://..."
}
GET /api/community/feed?since=2026-04-01T00:00:00Z
Within seconds, the cluster shows up on every other 1F customer's screen results. Operation Atlantic took six months of manual cross-exchange coordination to do what this primitive does in a single API call.
Step 5 — File the FinCEN SAR
A SAR is required when an exchange has reason to believe a customer's funds derive from criminal activity totaling over $5,000. 1F's FinCEN Form 111 adapter renders the case bundle:
GET /case/{caseId}/sar
The typology checkboxes auto-derived for pig butchering are: Romance/Confidence Scheme, Investment Fraud / Ponzi, Computer Intrusion, Money Laundering — Layering. The cryptographic integrity section covers the full audit log with HMAC-SHA256.
Why this beats Reactor for this specific workflow
Chainalysis Reactor is excellent at retrospective tracing of a known incident. It is bad at the cross-customer attribution sharing that pig-butchering specifically requires — there's no community feed, no merge endpoint, no automated reverse-sweep. The Operation Atlantic work was made possible by people manually emailing CSV files between compliance teams.
1F closes that gap as a first-class product feature. If your team is processing more than five new scam reports per week, the time saved pays for the Pro plan in a day.
Try the worked example
There's a free dev key you can use to run the full sequence on a real Lazarus address (different category but same primitives):
curl https://1f.ai/api/forensics/scam-network/0x098B716B8Aaf21512996dC57EB0615e2383E2f96 \
  -H "X-API-Key: dev-test-key-123"
The candidate list returns in well under a second across 14 EVM chains plus Solana and Bitcoin tail.