Recently, sources indicate that the speculated multi-level marketing scam project “PlusToken” is trying to cash out their 74k BTC investment fund. The on-chain data analysis company, CryptoQuant, has successfully tracked PlusToken’s money laundry process using its graph analysis solution. For detailed information of the incident, refer to Dovey Wan’s thread.
PlusToken uses ‘1Dd5VT’(first 6 characters of address for convenience) to receive BTC funds from users, and have already cashed out more than 90k through mixing service under the address ‘14BWH6’. Other origin addresses such as ‘1MMEA1’, ‘31ODN4’, and ‘33FKCW’, reported by media, are connected with ‘14BWH6’ by a couple of hops, so we didn’t have to investigate them.
CryptoQuant has graphed the BTC transaction data and applied recursive path query, multi-hop graph traversal, etc. to identify those important wallets such as ‘37Pe2U’, ‘1DrrYD’, ‘132MKF’ are linked with numerous wallets of total inflow below 20 BTC. Afterward, the company has analyzed transaction starting from ‘14BWH6’ by varying the number of hops and visualized the graph while excluding wallets with inflows below 100 BTC as the following.
Note that the grey circle indicates a wallet with no balance left. The size of the circle indicates the total outflow of the fund to another wallet address. Red circles are the wallets currently with more than 100 BTC, with the size also indicating the total outflow. The arrows connecting the wallets and the numbers indicate the direction of the transaction as well as the amount of BTC transferred.
Based on the company’s 2-hop graph analysis, it is estimated that 500 BTC (≈5.24M USD) has been transferred to Bittrex.
With 3-hop graph analysis, it was found that 39,814.17 BTC(≈416.29M USD) were transferred to Huobi, Bittrex, Kraken and many other exchange services using mixers. Thousands of small amounts of BTC were sent to user wallets for money laundry purposes, and mixing services other than exchange were used in order to mix their funds with other illegal funds to slow down the investigation.
4-hop and 5-hop were also tested, and ultimately reached wallets with leaf nodes except for mixing addresses. In conclusion, there were no money laundry wallet addresses found in exchange services other than Bittrex.
CryptoQuant has accurately detected the wallets that were reported by the media. Furthermore, by utilizing multi-hop analysis, additional wallets that are in need of close observation has been detected. Below are the wallet addresses that the media has reported, as well as the addresses the company has found. The number of transactions it took to cash out BTC from ‘14BWH6’ is also recorded.
‘1Dd5VTCkRtMG8bpuHZrjkLf1TeZ8cwZGDe’ (PlusToken investing address)
‘14BWH6GmVoL5nTwbVxQJKJDtzv4y5EbTVm’ (Mixer transfer address)
Addresses found by graph analysis, with high balances
‘1MFgcyJ7ZNSknbTBRaih6zWDE6V1A64tRY’ (1 hop, 1,865 BTC)
‘3ETAVt2scYBFkBFksuNDk1i5tDLQ2c4zWR’ (1 hop, 4,922 BTC)
‘3EYsru4LUcN258sENYPu5Py3S5WnqxEcnE’ (1 hop, 3,657 BTC)
‘3HKs1g7u5a1uU4pC5HaNooYMbL1Lao4mv4’ (1 hop, 3,928 BTC)
‘3ESakThMrdVVrbhhcpf9spicyjCg1Uk8Jm’ (1 hop, 3,289 BTC)
‘33LNws16Wfs12usWBNfa1MSX3YKY6Hdayf’ (1 hop, 3,270 BTC)
‘3HwY536CxznDxMjiRCFkpx5ykwJbJMZY4w’ (1 hop, 1,725 BTC)
‘35bCzX3RQEWdquqCPQkmdJdu2K4ut1roUZ’ (1 hop, 3,676 BTC)
‘31owhyALzzPEqUFwRbU5yQR4wNhYEjCiE5’ (1 hop, 749 BTC)
‘3PBN3MCpDcZKr7WdyY1ULq1NeGwLNjpkj7’ (1 hop, 12,000 BTC)
‘1Lpf2Km2gfTxDLyA7WS2eUByhJZAnaxH3k’ (5 hop, 2,000 BTC)
‘17cFPC2hYcD3Ykwv6DkQJJo2iCvVeXa2S9’ (5 hop, 2,800 BTC)
‘16GCvHKDZ3Bu1nmxKsZuyYQqPLCyjSJJUy’ (5 hop, 3,000 BTC)
‘17AVCgf1ZQb8kqzDuacVHkxQEBT7uoUozW’ (5 hop, 3,800 BTC)
‘14fse9ASNy8LCTihXFKG6JtupjGa5oGq7H’ (5 hop, 3,400 BTC)
We will do further research on mixing points that are distributed in the second hop layers.