Pig butchering (Sha Zhu Pan, 杀猪盘) is a multi-week confidence scam where operators build romantic or friendly relationships with victims on dating apps, WhatsApp, or through "accidental" text messages before directing them to fake investment platforms. The relationship phase can last months. By the time victims reach sites like earnandwithdraw.com, they trust their "friend" completely and the critical thinking is gone.
We found earnandwithdraw.com on a Shodan sweep of USDT investment platforms. Domain registered March 13, 2026 via IONOS SE, hosted on Cloudflare (185.56.150.143), professional frontend, three investment tiers promising 10-20% monthly returns. The backend was a mess.
The Fake Activity Feed
The homepage displays a live-scrolling feed labeled "Recent Activity" showing continuous deposits and withdrawals. Every 3-7 seconds, a new entry appears:
> User m*k deposited $2,500 — from Pakistan** • 3 min ago
> User s*a withdrew $890 — from India** • 1 min ago
The entire feed is client-side JavaScript. We pulled assets/js/index.js and found the guts:
Twenty hardcoded fake usernames. Ten target countries. Predetermined deposit and withdrawal amounts from arrays. The feed updates every 3-7 seconds with random combinations. No backend data. No real users. The entire "Recent Activity" section is a JavaScript random number generator.
The withdrawal feed is particularly effective: victims see "proof" that people successfully withdraw funds, which neutralizes skepticism when their own withdrawal attempts are later blocked. By that point, they have already sent $10,000-$50,000 in USDT.
## The Investment Plans
Three tiers, all mathematically impossible:
| Plan | Monthly Return | Annual Equivalent |
|------|---------------|-------------------|
| Silver | 10.00% | 120% |
| Gold | 20.00% | 240% |
| Platinum | [Undisclosed] | [300%+] |
Minimum deposit: $10 USDT. The platform promises "automated daily profits from crypto trading strategies." Warren Buffett's Berkshire Hathaway averages ~20% annually over decades. These platforms promise 240% returns through automated trading. The homepage claims "1,860+ investors worldwide" and "$311,000+ Paid Out." The domain was registered 28 days ago.
## The Backend Collapse
Every API endpoint returns `500 Internal Server Error`:
Error pages expose root@localhost as administrator email and /error_docs/ as the error document path. Technology stack: PHP/Apache with likely MySQL/MariaDB backend. The professional frontend is almost certainly a purchased template from "Pig Butchering as a Service" providers who sell ready-made platforms for $50-$5,000 with dashboards, branding, payment flows, and fake activity scripts included. No technical skill required to deploy. The operator bought the kit, configured the domain, and focused entirely on the social engineering.
How Victims Arrive Here
earnandwithdraw.com is not discovered through search engines. It is the destination in a 10-17 week operation:
Week 1: "Wrong number" text on WhatsApp. "Sorry, I think I texted the wrong person." Friendly conversation begins. No financial mentions.
Weeks 2-8: Daily messages. Voice notes. Photos. Building emotional connection. The scammer shares "personal" struggles and aspirations. The victim feels a genuine relationship forming. Some operations involve romantic interest. Others present as friendship or mentorship.
Weeks 8-10: Casual mention of successful crypto investments. "I made $5,000 this week from USDT trading." Screenshots of fake trading profits. "Would you like me to teach you?"
Week 10: Platform introduction. "Use earnandwithdraw.com - it's what I use." The victim registers. Collects: name, email, phone, password. Receives USDT deposit address.
Week 11: Initial deposit. Victim sends $100-$500 USDT. Platform shows immediate "profits" (+5% overnight). Scammer: "See? I told you it works!"
Week 12: Early withdrawal success. Victim withdraws $50 successfully. Proves the platform is "legitimate." The victim's trust is now complete.
Weeks 13-16: The fattening. Encourages larger deposits ($5K, $10K, $50K). "Market opportunity right now!" "You could quit your job!" Platform shows massive fake profits. Victim's balance appears to grow daily.
Week 17: The slaughter. Victim attempts to withdraw $20,000. Platform blocks access. Demands "10% tax payment first." Victim pays $2,000. Platform demands "withdrawal fee." Victim pays $1,000. Platform displays "Account frozen for verification." Website goes offline. Scammer blocks victim on all platforms. Total loss: $23,000+.
The relationship building phase is sophisticated. Many victims report daily communication for 2-3 months before any financial discussion. The scammer becomes a trusted friend or romantic partner. By the time earnandwithdraw.com appears in the conversation, rational skepticism has been systematically dismantled.
The Forced Labor Component
Many pig butchering operations run from compounds in Myanmar (KK Park), Cambodia (Sihanoukville), and Laos where trafficked workers are forced to execute these scams under threat of physical violence. US Treasury has sanctioned multiple entities: O-Solar Tech (linked to KK Park), Huione Pay (money laundering service), DKBA armed group (Myanmar). Operations run 24/7 with hundreds of concurrent scams managed by coerced workers using AI translation, deepfakes, and automated messaging scripts.
When you interact with earnandwithdraw.com's operators via WhatsApp, the person on the other end may be a trafficking victim forced to scam you.
Infrastructure
| Component | Value |
|---|
|-----------|-------|
| Domain | earnandwithdraw.com |
|---|---|
| IP | 185.56.150.143 |
| ASN | AS8560 (IONOS SE) |
| Hosting | 1&1 IONOS SE (Germany) |
| CDN | Cloudflare |
| Nameservers | chris.ns.cloudflare.com<br>pat.ns.cloudflare.com |
| SSL | Let's Encrypt R13 |
| SSL Validity | 2026-03-23 to 2026-06-21 (90 days) |
| Registered | 2026-03-13 (28 days old) |
The SSL certificate is free (Let's Encrypt), the domain commitment is one year only, and Cloudflare provides an anonymity layer. Typical pig butchering platform lifecycle: 6-12 months before exit scam. Platforms like this relaunch under new domains within days of takedown.
Target Demographics
SEO metadata and fake activity feed composition reveal the targets:
Primary: India, Pakistan, Bangladesh, Nepal, Sri Lanka
Secondary: Indonesia, Malaysia, Thailand, Philippines, Vietnam
Keywords: "online investment Pakistan", "usdt earning", "passive income crypto", "safe crypto investment", "earn money with crypto"
Victim profile: English-speaking individuals in South/Southeast Asia seeking crypto investment opportunities, limited technical knowledge to identify warning signs, vulnerable to social engineering (lonely, financially stressed), often contacted via dating apps or "wrong number" messages, age 25-55.
Scale
$17 billion was stolen in pig butchering scams globally in 2025. $370.3 million in January 2026 alone. Law enforcement actions demonstrate increasing coordination: Daren Li sentenced to 20 years in January 2026 for a $73M operation, DOJ seized $61M USDT from pig butchering networks, FBI recovered $15B Bitcoin in a separate case. But cross-border jurisdictional issues, encrypted communications (Signal, Telegram), cryptocurrency anonymization, shell companies, and operators in loosely regulated jurisdictions make takedowns difficult.
Victim recovery is rare. Once USDT is sent to a scammer-controlled wallet, recovery requires rapid blockchain forensics, exchange cooperation, and international law enforcement coordination. Victims typically recover 0-15% of losses.
What This Shows
The fake activity feed is not technically sophisticated, but it is psychologically effective. By the time victims see earnandwithdraw.com, they have spent weeks or months building trust with their scammer. The feed provides social proof ("others are making money") and withdrawal confidence ("people successfully withdraw"). When victims later encounter withdrawal problems, they assume it is a temporary technical issue rather than systemic fraud because they saw others withdraw successfully.
The misconfigured backend and 28-day-old domain provide clear technical red flags, but victims do not arrive through independent research. They arrive through trusted referral from someone they believe is a friend or romantic partner. Due diligence is unlikely.
The operation remains active. Takedown coordination with IONOS SE and Cloudflare is recommended, but even if this specific platform is shuttered, operators will relaunch under new domains within days. It is a persistent pattern in the pig butchering ecosystem.
IOC Summary
Network Indicators
| Indicator | Type |
|---|
|-----------|------|
| earnandwithdraw.com | Domain |
|---|---|
| *.earnandwithdraw.com | Domain wildcard |
| 185.56.150.143 | IP Address |
| AS8560 | ASN (IONOS SE) |
| chris.ns.cloudflare.com | Nameserver |
| pat.ns.cloudflare.com | Nameserver |
SSL Certificate
### Behavioral Indicators
- Promises 10-20%+ monthly returns on crypto deposits
- JavaScript-generated fake activity feed updating every 3-7 seconds
- Claims "guaranteed" or "automated" daily profits
- Accepts only cryptocurrency (USDT TRC20/ERC20)
- Domain registered within last 30 days
- Backend returns 500 errors on multiple API endpoints
- Often introduced through dating apps, "wrong number" texts, or WhatsApp
- Early small withdrawals succeed, large withdrawals blocked
- No regulatory registration or business license
- Homepage statistics ("1,860+ investors") inconsistent with recent domain registration