Graphic Tracking PlusToken Asset Transfer Tracking BTC section has 1,203 inflows

Graphic Tracking PlusToken Asset Transfer Where there are 1,203 inflows in the BTC section

The address starting with 14BWH is a major wallet address for PlusToken on the BTC.

PeckShield security personnel found the address active from March 14 to May 26, 2019. During this time, a total of 95,228 BTCs flowed to the address and were completely emptied.

The PeckShield Digital Asset Escrow System (AML) traces this address and draws the following flow chart:

Graphic Tracking PlusToken Asset Transfer Where there are 1,203 inflows in the BTC section

It can be seen that the funds of the address are aggregated into a plurality of addresses, some of which are suspected to raise the money address; some are temporary transfer stop addresses; and a few are flowed to the exchange. The following focuses on the emergence of these types of addresses in BTC asset transfers:

First, the suspected coin address

3LnMRYgaq8HDsFJXvPmSNA8xTvsdYHkGqp

1B67M6ABnwJ6nrbWx7RyAEqZiu8qwUZgeV

16eR17ubpWLkMXVJazwiSeKZdQwKQNSYSC

3AsbtnHUqBDhg4d4FNkhgYn54NSabe71fg

From the transaction behavior, the address starting with the first 3LnMR conforms to the user's coin-raising characteristics. The transferred BTC is derived from the PlusToken main wallet address. Each time the transfer includes multiple payees, the number of BTCs received is basically 1 Below.

The BTC received by the second 1B67M address is mainly derived from the PlusToken main wallet, which is mostly an integer amount ranging from 100 to 1000 BTC, after which the address is transferred to the two addresses starting with 3LnMR and 3Asbt multiple times.

The two addresses starting with 16eR1 and 3Asbt are similar to the ones starting with 3LnMR. These four addresses have a commonality, basically from the address with a large balance, and the funds are distributed to a small number of addresses, and the scattered funds are also relatively small. Moreover, these transfer behaviors occurred before the suspension of the replenishment function on June 29, and the initial judgment was made as the user's coin address.

Second, the fund transfer stop address

1CeaW7RwjgenBMX2LgToSBrXj5rH1RBoeh

14YQzrmjrZDuEuc92nibGazcgvgTEtj8WG

….. (more than 20 addresses remaining)

We found that among these temporary fund transfer addresses, there are two special addresses. Most of the funds of these addresses are divided into 100 BTCs for each new address, and multiple new addresses are used to aggregate the transferred BTCs. In another new address, up to a few hundred to thousands of BTCs at that address.

These addresses also have a commonality, and will transfer the same amount of funds to a number of new addresses irregularly, with the purpose of dispersing and summarizing to escape the asset tracking lock. However, most of the decentralized funds on such addresses are temporary stay addresses, and there is likely to be a possibility of further inflows into the exchange.

Third, transfer to the exchange address

1C7Ar9WFrSuzSf4mDZL453PeJpTZmjxytz

3D9heyWDwj7tmpD2mt1uhcC7UBS4wvzwSD

34xjaE3xL8SN27omqbp1JzgKmvg4fBpErj

According to PeckShield security personnel, the address of the second-level address 1C7Ar to which the PlusToken wallet address starting with 14BWH belongs is transferred to the Bittrex exchange 540 BTC, while the other two addresses belonging to the secondary addresses 3D9he and 34xja are transferred to the fire currency transaction. 663 BTCs.

Such addresses have been linked to the exchange, and the general situation is money laundering. However, since these transactions occurred before the road was exposed on June 29, it is difficult to determine, but the funds flowing into the exchange are likely to have been Money laundering succeeded.

Overview

After analyzing the BTC main wallet address of PlusToken, PeckShield found that there are currently 72,708 BTCs temporarily in more than 20 major addresses, and there is a possibility of further inflows into the exchange; among them, 540 BTCs are known to flow into the Bittrex exchange. 663 BTCs have flowed into the Mars Exchange and may have been successfully laundered; some funds may have been picked up by the users before the PlusToken runs.

It is worth mentioning that PeckShield security personnel analysis found that the current more than 20 primary addresses for temporary storage of BTC are P2SH addresses starting with 3, and P2SH addresses are often used for multi-signature. The reason for the analysis is that this part of the address is in the hands of the core group of PlusToken. It requires multiple people to provide the private key at the same time, which means that there are more uncontrollable factors in this part of the funds, such as team disputes, etc. The cost is also relatively high.

Based on the comprehensive mining and analysis of the major public chain ecological data, PeckShield Digital Asset Escort System (AML) has accumulated a large number of high-risk blacklist libraries, which can accurately extract the whereabouts of hackers from a large chain database and combine global transactions. The partners, community management units and other partners, the hacker money laundering, full-chain, full-time, anti-camouflage and other step by step tracking and real-time blocking.