Graphic tracking PlusToken running funds, 28,500 BTC changes, one of the magical trades left eggs

On June 29th, PlusToken, the largest block of funds in the blockchain, was unable to raise coins by users. Six founding team members were arrested in Vanuatu for alleged Internet fraud. In the previous article " Graphic Tracking PlusToken Asset Transfer Tracking (1) ", PeckShield initially tracked the statistics in the BTC section with 1,203 inflows.

Since August 12, 2019, Beijing time, the PeckShield Digital Asset Escrow System (AML) has detected a change in the address of the two major BTC wallets of PlusToken, and a total of 28,500 BTCs have been transferred. A major wallet address starting with 33FKcwFh is transferred from 22,922 BTCs to four new addresses, ranging from 4,922, 5,000, 6,000, and 7,000. This portion of the funds has not yet been further transferred, and it is not yet known that it has flowed into the exchange.

At the same time, PeckShield found that the transit address of another 1M1Tfsvb in the monitoring was transferred by multiple dispersions and small transfers. 5,575 BTCs are still uncertain whether to flow into the exchange. Other currency assets such as ETH, EOS, and XRP have not yet had abnormal trends.

The following is a further analysis of the flow of BTC assets. There is an egg at the end of the article. Don't miss it!

Confirmed by PeckShield, the three BTC asset aggregation addresses known by PlusToken:

Figure 1: BTC asset aggregation information

5,527 BTCs were repeatedly dispersed

At 19:27 on the evening of August 12, PeckShield monitored the transfer of a transfer address (starting at 1M1Tfsvb) of the 14BWH6Gm initial aggregation address. To give you a more intuitive understanding of this part of the flow of funds, the PeckShield Digital Asset Escrow System (AML) produced the following asset transfer path map:

Figure 2: 1M1Tfsvb opening address asset transfer diagram

Its asset transfer is divided into two phases:

1) After a large number of transfers, the large-value assets are finally dispersed from the beginning of 39fXUWCy. The number of new addresses BTC is around 1,000.

Figure 3: 1M1Tfsvb starting address funds are scattered out

2) The BTC on the new address is dispersed again and eventually transfers to multiple addresses at 50-200 BTC from August 23 to 24:00. Due to the nature of the BTC address, it is currently unclear that this portion of the funds has flowed into the exchange.

Figure 4: Funds transfer to multiple addresses ranging from 50-200 BTC

22,922 BTC transfers

At the same time, PeckShield security personnel found that the assets in the address of the other wallet aggregation address 33FKcwFh of PlusToken changed on August 13, and moved to the four addresses through the 14gKbB4A starting address at 11:54 on August 14th. The addresses are temporarily stored at 4,922, 5,000, 6,000, 7,000 BTC, and this portion of the funds has not been transferred yet.

Figure 5: 33FKcwFh start address asset changes


During the PeckShield security staff's follow-up analysis of the PlusToken asset transfer, an interesting transaction was discovered, which occurred at 00:08 on August 15th.

Figure 6: An interesting transaction

As shown in the above figure, the originator of the transaction is the address starting with 18888888, and the recipient is the main fund aggregation address of PlusToken. The amount transferred to BTC is very small, and the transaction note shows “Sorry, we have run”.

PeckShield analysis believes that this transaction marks the PlusToken fund aggregation address on the chain for two main purposes:

  • By sending a very small number of BTCs to these addresses, these addresses are "dusted" (Reference 1), and since each transaction in the BTC contains multiple UTXOs, the transaction using that part of the asset can be tracked.
  • When the above UTXO transactions are used together, the four PlusToken funds aggregation addresses are proven to be relevant and cannot be tampered with.

Based on the comprehensive mining and analysis of the major public chain ecological data, PeckShield Digital Asset Escort System (AML) has accumulated a large number of high-risk blacklist libraries, which can accurately extract the whereabouts of hackers from a large chain database and combine global transactions. The partners, community management units and other partners, the hacker money laundering, full-chain, full-time, anti-camouflage and other step by step tracking and real-time blocking.


[1] BINANCE-ACADEMY. What is a dust attack.