Graphic Tracking PlusToken Asset Transfer Tracking (1): There are 1,203 inflows in the BTC section.

After analyzing the PlusTC's BTC main wallet address, PeckShield found that there are currently 72,708 BTCs temporarily in more than 20 major addresses, and there is a possibility of further inflows into the exchange; there are 540 BTCs known to flow into Bittrex transactions. The 663 BTCs flowed into the Fire Exchange and may be successfully laundered.

BTC articles

On June 29th, PlusToken was unable to withdraw coins by the user feedback, and the project side was also exposed by the media. The project is called the “first fund disk of the currency circle”, involving funds of more than 20 billion yuan and more than 3 million users. Therefore, the scope of the impact is very wide and the damage is huge.

In view of this, blockchain security company PeckShield (Pan Shield) involved in the tracking of PlusToken funds, began to lock monitoring tracking of several key addresses involved in the PlusToken wallet.

In detailing the flow of funds on the PlusToken chain, PeckShield security staff sorted out some of the mainstream currency wallet addresses and current balances supported by PlusToken:

The address starting with 14BWH is a major wallet address for PlusToken on the BTC.

PeckShield security personnel found the address active from March 14 to May 26, 2019. During this time, a total of 95,228 BTCs flowed to the address and were completely emptied.

The PeckShield Digital Asset Escrow System (AML) traces this address and draws the following flow chart:

It can be seen that the funds of the address are aggregated into a plurality of addresses, some of which are suspected to raise the money address; some are temporary transfer stop addresses; and a few are flowed to the exchange. The following focuses on the emergence of these types of addresses in BTC asset transfers:

First, the suspected coin address

  • 3LnMRYgaq8HDsFJXvPmSNA8xTvsdYHkGqp
  • 1B67M6ABnwJ6nrbWx7RyAEqZiu8qwUZgeV
  • 16eR17ubpWLkMXVJazwiSeKZdQwKQNSYSC
  • 3AsbtnHUqBDhg4d4FNkhgYn54NSabe71fg

From the transaction behavior, the address starting with the first 3LnMR conforms to the user's coin-raising characteristics. The transferred BTC is derived from the PlusToken main wallet address. Each time the transfer includes multiple payees, the number of BTCs received is basically 1 Below.

The BTC received by the second 1B67M address is mainly derived from the PlusToken main wallet, which is mostly an integer amount ranging from 100 to 1000 BTC, after which the address is transferred to the two addresses starting with 3LnMR and 3Asbt multiple times.

The two addresses starting with 16eR1 and 3Asbt are similar to the ones starting with 3LnMR. These four addresses have a commonality, basically from the address with a large balance, and the funds are distributed to a small number of addresses, and the scattered funds are also relatively small. Moreover, these transfer behaviors occurred before the suspension of the replenishment function on June 29, and the initial judgment was made as the user's coin address.

Second, the fund transfer stop address

  • 1CeaW7RwjgenBMX2LgToSBrXj5rH1RBoeh
  • 14YQzrmjrZDuEuc92nibGazcgvgTEtj8WG
  • ….. (more than 20 addresses remaining)

We found that among these temporary fund transfer addresses, there are two special addresses. Most of the funds of these addresses are divided into 100 BTCs for each new address, and multiple new addresses are used to aggregate the transferred BTCs. In another new address, up to a few hundred to thousands of BTCs at that address.

These addresses also have a commonality, and will transfer the same amount of funds to a number of new addresses irregularly, with the purpose of dispersing and summarizing to escape the asset tracking lock. However, most of the decentralized funds on such addresses are temporary stay addresses, and there is likely to be a possibility of further inflows into the exchange.

Third, transfer to the exchange address

  • 1C7Ar9WFrSuzSf4mDZL453PeJpTZmjxytz
  • 3D9heyWDwj7tmpD2mt1uhcC7UBS4wvzwSD
  • 34xjaE3xL8SN27omqbp1JzgKmvg4fBpErj

According to PeckShield security personnel, the address of the second-level address 1C7Ar to which the PlusToken wallet address starting with 14BWH belongs is transferred to the Bittrex exchange 540 BTC, while the other two addresses belonging to the secondary addresses 3D9he and 34xja are transferred to the fire currency transaction. 663 BTCs.

Such addresses have been linked to the exchange, and the general situation is money laundering. However, since these transactions occurred before the road was exposed on June 29, it is difficult to determine, but the funds flowing into the exchange are likely to have been Money laundering succeeded.


After analyzing the BTC main wallet address of PlusToken, PeckShield found that there are currently 72,708 BTCs temporarily in more than 20 major addresses, and there is a possibility of further inflows into the exchange; among them, 540 BTCs are known to flow into the Bittrex exchange. 663 BTCs have flowed into the Mars Exchange and may have been successfully laundered; some funds may have been picked up by the users before the PlusToken runs.

It is worth mentioning that PeckShield security personnel analysis found that the current more than 20 primary addresses for temporary storage of BTC are P2SH addresses starting with 3, and P2SH addresses are often used for multi-signature. The reason for the analysis is that this part of the address is in the hands of the core group of PlusToken. It requires multiple people to provide the private key at the same time, which means that there are more uncontrollable factors in this part of the funds, such as team disputes, etc. The cost is also relatively high.

Based on the comprehensive mining and analysis of the major public chain ecological data, PeckShield Digital Asset Escort System (AML) has accumulated a large number of high-risk blacklist libraries, which can accurately extract the whereabouts of hackers from a large chain database and combine global transactions. The partners, community management units and other partners, the hacker money laundering, full-chain, full-time, anti-camouflage and other step by step tracking and real-time blocking.