TS Run Road Funds Guardian Action: Graphic Tracking Asset Transfer Money Laundering (continuous update)

On June 10, Babbitt issued a message saying that a wealth management wallet called TokenStore was suspected of running. Blockchain security company PeckShield (transmission) immediately intervened to track the "running" funds.

In the past few days, PeckShield Digital Asset Escrow (AML) has found that it is related to over 2,100 investors and hundreds of millions of dollars in digital assets by tracking and tracking the key chain addresses involved in “running”. Encrypted assets are involved in: BTC, ETH, ETC, XRP, EOS, LTC, USDT and other mainstream cryptocurrencies.

As of now, PeckShield has tracked the “running” flow of some currencies and assisted victims to recover asset losses as much as possible with the assistance of ecological partners such as Babbitt Media and the Fire Exchange:

On the morning of June 11, PeckShield tracked the EOS assets in the running funds, with 25,803 EOS flows into the Mars Exchange, 1,581 EOS flows into the ZB Exchange, and 281,807 XRPs into the XRP Assets, 708,178 An XRP flows into the Mars Exchange.

On the evening of June 11, the Fire Coin and the ZB Exchange carried out emergency treatments such as “freezing” or “coin function restriction” on the suspicious accounts involved.

On June 12th, PeckShield tracked the ETH assets in the running funds. A total of approximately 36,271 ETHs were scattered among the four main addresses and were not found in the exchange.

On the afternoon of June 13, PeckShield tracked the ETC assets in the running funds, and there were already 5 totals of 42,746 ETCs flowing into the address of a suspected exchange.


At the same time, nearly a thousand "victims" have provided some relevant transaction addresses to PeckShield security personnel, which has greatly helped PeckShield security personnel to lock in the flow of running money.

Overall, the TokenStore wallet "running the road" incident, which affects the number of users, causes a large loss, involving a wide variety of cryptocurrency tokens, and the wide range of influences, the impact of the shock is shocking.

PeckShield is continuing to track the further flow of the money, and timely disclose it to the media, exchanges and other ecological partners, and work together to help the victims recover the loss of assets.

Regarding the TokenStore wallet, the official claims that it has the functions of “AlphaGo intelligent brick arbitrage”, “stable profit, stable income”, and attracts a large number of users in view of the use of referrals to obtain revenue.

In the general blockchain, the transfer/money laundering of assets will go through two stages: escape tracking and money laundering:

  • Distribute assets to different addresses and transfer them in batches to increase the difficulty of tracking;
  • Waiting for the right time, the money will be transferred to the exchange in batches for money laundering.

The cryptocurrencies involved in this TokenStore run event are BTC, ETH, ETC, XRP, EOS, LTC, USDT, etc.

PeckShield has tracked the flow of key digital assets such as BTC, ETH, EOS, XRP, ETC, etc., and will introduce it to several chapters.


Based on the feedback from the victim, users who tracked a portion of the TokenStore wallet frequently interacted with the following addresses for the last 20 days:


From the ETH blockchain browser, you can see that the address has changed on June 10, and 21,476 ETHs in the balance have been transferred to a new address 0x5d9f…. The following figure shows the trend of ETH transfer. Take the address 0x6634… as an example. The address only has 398 capital inflows on May 31, and this day is the day when TokenStore officially declared that the system is fully upgraded and maintained. So far, the TokenStore wallet has disappeared. Thousands of users have embarked on the road to rights protection.

PeckShield security personnel analyze several stages of the ETH asset transfer of the TokenStore run event:

  1. A large number of users withdraw ETH from the exchange to the user address generated by the user in TokenStore ;
  2. Around May 31, the addresses of these users existing in the TokenStore are transferred to the address 0x6634…
  3. On June 10, as many as 21,476 ETHs were transferred from the 0x6634xxx address to the 0x5d9f… address.

So many addresses generated in TokenStore are transferred to 0x6634… address in a short time? This behavior is very suspicious. PeckShield security personnel believe that the user has an address in the TokenStore. It is very likely that the private key is controlled by others. Who is doing it? I believe everyone will be on fire.

Since there is no cost to create an address on the Ethereum network, the address is not marked, and the user's funds have been transferred to multiple different addresses multiple times, which brings great difficulty to asset tracking. PeckShield security personnel repeatedly verified the address association and flow direction, and finally found that the user's assets were mainly aggregated to the following four suspicious addresses:


EOS articles

Earlier, on June 11th, PeckShield security personnel found that after capturing some key addresses,

  • 25,803 EOS transferred to the Fire Exchange,
  • 1,581 EOS flows into the ZB exchange,

The exchange has already taken measures such as freezing the relevant accounts.

In addition, according to in-depth tracking by PeckShield security personnel, there are currently 320,077 EOSs stored in 12 accounts and no transfers have taken place.

The following is the EOS asset transfer path map as of now:

Here, PeckShield security personnel restored several stages of EOS asset transfer in the TokenStore run event:

  1. After the TokenStore wallet runs, a large amount of money deposited by the user in the wallet is quickly transferred to the newaccountcc address;
  2. Newaccountcc transfers part of the funds to the stock exchange;
  3. After that, the remaining funds in newaccountcc were confusing multiple times to different addresses and exchanges.

In analyzing these address behaviors, the newaccountcc account attracted the attention of PeckShield security personnel, which was created on May 31, 2019, and the first funds were derived from TokenStore account transactions:

After that, TokenStore's coin-operated and coin-receiving accounts were transferred to the account multiple times, and the account was transferred to the Fire Exchange immediately after receiving the EOS:

At this point, PeckShield security personnel used ETH, EOS as an example to analyze the asset transfer situation after the TokenStore wallet running event. As a large number of unknown assets are still flowing, the tracking work of PeckShield security personnel is still going on, more assets. The transfer details of the PeckShield security staff will be continuously updated in subsequent articles.