Exposing the Dark Industry Chain of Web3 Techniques, Exploitation Scale, and Security Threats

Author: Bitrace

1. Background

Blockchain, based on distributed consensus and economic incentives, provides new solutions for the establishment, storage, and transfer of value in an open and permissionless network space. However, with the rapid development of the cryptocurrency ecosystem in recent years, cryptocurrencies are increasingly being used for various risky activities, providing a more concealed and convenient means for value transfer in online gambling, illicit online activities, money laundering, and more.

At the same time, stablecoins such as USDT have become an important part of the crypto industry's infrastructure, and many web3 companies use them as their main payment method. However, these companies generally lack sound AML, KYT, KYC, and other risk-control mechanisms, so USDT that was previously used in risky activities flows unrestricted into business addresses, contaminating the funds held at the addresses of the companies themselves and their clients.

This report aims to disclose the methods and scale of cryptocurrency use in risky crypto activities, and to trace the flow of funds associated with those activities through on-chain data, in order to shed light on the threat that risk-associated crypto funds pose to web3 companies.

2. Investigation Targets

The social harm caused by online illegal activities is becoming increasingly serious. This harm includes not only direct harm to personal property and public safety but also the legal risks brought indirectly to individuals or corporate entities by the upstream and downstream industries associated with illegal activities. In recent years, countries around the world have strengthened their efforts to combat online illegal activities and have made some progress in criminal legislation and research on the online ecosystem. However, cybercrime remains a problem that is difficult to solve completely, especially with the emergence of new online spaces such as blockchain, where traditional online gambling, illicit online activities, money laundering, and other activities now rely on cryptocurrencies or crypto infrastructure, posing obstacles to legal identification and law enforcement supervision.

2.1 Online Gambling

Gambling refers to betting money or something of material value on an event with an uncertain outcome, with the main purpose of winning more money or material value. Participants gain spiritual pleasure by engaging in financial games. Online gambling refers to gambling activities conducted using the Internet and encompasses various types of gambling, essentially including most of the gambling methods commonly used in real life.

In China, establishing gambling websites for profit on the internet or acting as agents for gambling websites and accepting bets falls under the provision of “setting up a gambling house” as stipulated in Article 303 of the Criminal Law. Chinese citizens who gather in areas outside the territory of the People’s Republic of China to engage in gambling activities or establish gambling houses to attract Chinese citizens as the main source of customers are also subject to criminal liability in accordance with the provisions of the Criminal Law.

However, the laws regarding gambling and the operation of casinos differ in other countries or regions:

According to the Gambling Ordinance of Hong Kong, all forms of gambling activities, except for regulated horse racing, football betting, and Mark Six Lottery, as well as licensed gambling establishments (such as mahjong parlors) and exempted gambling activities, are considered illegal;

Under the Unlawful Internet Gambling Enforcement Act of the United States, engaging in financial transactions with online gambling websites is considered illegal. However, the legislation and enforcement of online gambling laws vary from state to state;

According to the Macau Gaming Inspection and Coordination Bureau, the Macau Special Administrative Region government has never issued an online gambling license. Therefore, any information or betting website promoting online gambling activities under the name of the Macau government is fake and illegal. Bets made on such websites are not protected by Macau laws.

It can be seen that online gambling is not illegal in all countries or regions. Funds used by licensed online gambling platforms regulated by local government authorities cannot be regarded as risk funds. Therefore, Bitrace's investigation into online gambling activities is limited to unlicensed gambling platforms, platforms that act as agents for users outside the scope of their operating license, and payment institutions that provide fund settlement services for the former two.

For traditional online gambling platforms and their agents, these institutions assist gamblers with fund settlements through self-built centralized cryptocurrency recharge, transaction, and withdrawal systems or by using cryptocurrency payment tools. Due to the anonymous nature of cryptocurrency, government departments find it difficult to regulate or enforce against these activities. As for the new hash-based online gambling platforms, these are built on blockchain networks, and the management of gamblers' bets, settlement of wagers, fund accumulation, and collection are all carried out through smart contracts, which gives them wider reach and faster growth.

2.2 Cybercrime in the Online Dark and Gray Market

Cybercrime in the online dark and gray market refers to the industrial-scale, chain-like activities conducted or assisted by various technical means in the cyberspace, with the aim of seeking illegitimate profits or disrupting the order of the online ecosystem. At present, cryptocurrency and some basic infrastructure in the crypto industry have become deeply integrated into the entire online dark and gray market.

Traditional online dark and gray market activities increase the deceptive and destructive nature of certain illegal activities by introducing cryptocurrency into illegal activities or replacing traditional technical means with encryption tools. This reduces the chances of government awareness or intervention in upstream and downstream activities. On the other hand, the new blockchain-based dark and gray market directly targets the cryptocurrency assets of investors or institutions and involves native illegal activities in the crypto industry.

This report only discloses some typical black and gray industry activities that utilize cryptocurrencies.

2.3 Money Laundering

Money laundering is the act of making illegally obtained money appear legal by disguising or concealing its source and nature, thereby making it appear legitimate. This includes but is not limited to providing fund accounts, assisting in converting property, assisting in transferring funds or remitting funds overseas. Cryptocurrencies, especially stablecoins, have been used for money laundering activities due to their low transaction costs, decentralized nature, and certain anti-surveillance features. This is one of the main reasons why cryptocurrencies have been criticized.

Traditional money laundering activities often utilize the off-exchange cryptocurrency market for exchanging fiat currencies to cryptocurrencies or vice versa. The laundering scenarios vary in form, but the essence of these activities is to obstruct law enforcement agencies’ investigation of the fund chain, including traditional financial institution accounts or cryptocurrency entity accounts.

Unlike traditional money laundering activities, the new form of cryptocurrency money laundering focuses on laundering the cryptocurrencies themselves. The infrastructure exploited includes cryptocurrency wallets, cross-chain bridges, decentralized trading platforms, and other components within the cryptocurrency industry.

3. Utilization of Cryptocurrencies in Online Gambling Activities

3.1 Utilization of Cryptocurrencies in Traditional Online Gambling Platforms

In recent years, the phenomenon of online gambling platforms and their agents accepting cryptocurrencies as chips has become widespread. Specifically:

Some online gambling platforms have independently established integrated centralized management systems for cryptocurrency deposits, transactions, and withdrawals. Gamblers need to purchase cryptocurrencies (mainly USDT) from third-party platforms and transfer them to the recharge addresses allocated to each gambler by the online gambling platforms to obtain chips. When a gambler requests a withdrawal, the platform transfers the funds from a unified hot wallet address to the target address, following the same operational logic as mainstream cryptocurrency exchanges.

Some online gambling platforms provide deposit and withdrawal channels to gamblers by integrating cryptocurrency payment tools. Instead of directly depositing USDT to the gambling platforms, gamblers transfer funds to payment platform accounts, and withdrawal requests are fulfilled by the payment platform. Regular fund settlement occurs between the gambling platform and the payment platform, allowing for the discovery of business details through fund correlations.

Using a certain gambling platform that accepts bets using USDT as an example, the platform helps gamblers deposit and withdraw USDT by integrating with a certain cryptocurrency payment platform. Bitrace conducted a fund audit on one of the hot wallet addresses. From January 27, 2022, to February 25, 2022, this address processed a total of over 1.332 million USDT in deposit and withdrawal orders from gamblers.

In the practice of fund analysis, it has been found that larger-scale online gambling platforms generally build their own cryptocurrency deposit and withdrawal functions, while the majority of small and medium-sized online gambling platforms choose to integrate with cryptocurrency payment platforms. According to DeTrust’s address fund risk audit platform, from September 2021 to September 2023, over 46.45 billion USDT directly flowed into traditional online gambling platforms or cryptocurrency payment platforms that provide deposit and withdrawal services for online gambling platforms.

The scale of online gambling funds in 2021 corresponds to the development of the cryptocurrency secondary market that year, and the growth in scale from November 2022 to January 2023 may be related to a large number of gambling activities during the World Cup that year.

An analysis of the source of the USDT transferred to online gambling platforms shows that over 7.43 billion USDT comes directly from centralized trading platforms, accounting for 16% of the total inflow. These funds either move directly from exchange addresses to the online gambling platforms, or the casinos and their agents circulate funds through trading platforms. Considering that funds one hop further back (second-layer addresses) also partly originate from centralized trading platforms, this number is clearly an underestimate. This indicates that centralized cryptocurrency trading platforms are being used to serve the online gambling industry.

3.2 New Forms of Hash-Based Online Gambling Cryptocurrency Utilization

Each transaction on the blockchain corresponds to a unique hash value, which is effectively random and cannot be forged. Some online gambling platforms have therefore built hash guessing games on this property: the rules are to guess whether the last few digits of the transaction hash are odd or even, big or small, and the result determines the outcome of the guess and how the bet is settled.

Using the typical “guess the last digit” gameplay as an example, gamblers need to transfer funds to the betting address. If the last digit of the transaction hash value is a specific number or letter, the gambler wins, and the platform returns double the chips after deducting some points. If the last digit does not match, the gambler loses, and the chips are not returned.

Therefore, such online gambling addresses often exhibit high-frequency, fixed-amount financial transactions among multiple addresses, resulting in a massive scale of fund interactions.

Lastly, this type of hash gambling gameplay was once popular due to its fast pace and fair rules. However, due to its transparency and vulnerability to hacking attacks, the scale and market share of this type of gameplay have greatly declined.
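The "guess the last digit" settlement and the fixed-amount fund pattern described above, as an added example with constructed data (not code or data from the Bitrace report); the 5% rake, the address strings and the transfer records are all assumptions:

```python
"""Added example (constructed data, not from the Bitrace report): classify
'guess the last digit' bets by transaction hash and flag the high-frequency,
fixed-amount transfer pattern that hash-gambling bet addresses produce."""
from collections import Counter, defaultdict

ODD_CHARS = frozenset("13579bdf")   # hex digits with an odd numeric value
BIG_CHARS = frozenset("89abcdef")   # hex digits with numeric value >= 8

# Constructed addresses and transfers: (tx_hash, sender, receiver, amount_usdt).
BET_ADDR = "TBetAddrConstructed000000000000001"
SHOP_ADDR = "TShopAddrConstructed00000000000001"
SAMPLE_TRANSFERS = [
    # six gamblers each stake exactly 100 USDT; the hashes end in assorted digits
    ("0x" + "1" * 63 + c, f"TGambler{i}", BET_ADDR, 100.0)
    for i, c in enumerate("72a5f0", start=1)
] + [
    # ordinary merchant traffic: varying amounts, few senders
    ("0x" + "2" * 63 + "c", "TCustomerA", SHOP_ADDR, 19.9),
    ("0x" + "3" * 63 + "d", "TCustomerB", SHOP_ADDR, 42.5),
]


def last_hex_char(tx_hash: str) -> str:
    """Return the final hex digit of a transaction hash ('0x' prefix optional)."""
    h = tx_hash.lower()
    if h.startswith("0x"):
        h = h[2:]
    if not h or any(c not in "0123456789abcdef" for c in h):
        raise ValueError("not a hex transaction hash")
    return h[-1]


def bet_outcome(tx_hash: str, winning_chars) -> str:
    """'win' if the hash's last digit falls in the bettor's chosen set, else 'lose'."""
    return "win" if last_hex_char(tx_hash) in winning_chars else "lose"


def settlement(stake: float, outcome: str, rake: float = 0.05) -> float:
    """Platform returns double the stake minus a rake ('points') on a win, nothing on
    a loss. The 5% rake is an assumed figure, not one reported on the page."""
    return round(stake * 2 * (1 - rake), 6) if outcome == "win" else 0.0


def settle_bets(transfers, bet_addr, winning_chars, rake=0.05):
    """Settle every stake sent to bet_addr: list of (sender, last_digit, outcome, payout)."""
    results = []
    for tx_hash, src, dst, amt in transfers:
        if dst != bet_addr:
            continue
        outcome = bet_outcome(tx_hash, winning_chars)
        results.append((src, last_hex_char(tx_hash), outcome, settlement(amt, outcome, rake)))
    return results


def fixed_amount_hotspots(transfers, min_count=5, min_senders=3):
    """Detection side: receivers collecting the identical amount many times from
    many distinct senders, the fund signature the report attributes to hash gambling.
    Returns [(receiver, amount, transfer_count, distinct_senders), ...]."""
    counts = Counter()
    senders = defaultdict(set)
    for _tx, src, dst, amt in transfers:
        counts[(dst, amt)] += 1
        senders[(dst, amt)].add(src)
    return sorted(
        (dst, amt, n, len(senders[(dst, amt)]))
        for (dst, amt), n in counts.items()
        if n >= min_count and len(senders[(dst, amt)]) >= min_senders
    )


if __name__ == "__main__":
    for row in settle_bets(SAMPLE_TRANSFERS, BET_ADDR, ODD_CHARS):
        print("bet", row)
    print("hotspots", fixed_amount_hotspots(SAMPLE_TRANSFERS))
```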

4. Utilization of Cryptocurrencies in Illegal Activities

4.1 Traditional Illicit Uses of Cryptocurrencies

4.1.1 Investment and Financial Scams

Investment and financial scams are a type of online investment fraud where scammers often claim to be “industry experts” through social media channels. They gain the trust of victims and lure them into investing in fake platforms (typically apps) by showing concern and providing information. Once they have obtained the investment funds, the scammers disappear. In these fraudulent apps, investors engage in activities such as investment, gambling, buying and selling goods, and trading securities. They may initially receive small or even significant profits, but eventually, all funds become unrecoverable. When victims realize they cannot withdraw funds from the app and cannot contact the so-called “experts,” they finally realize they have been scammed.

In recent years, these traditional online investment scams have started to use cryptocurrencies or crypto tools for fraud, for example in emotional fraud and black-gray USDT score running scams.

4.1.1.1 Emotional Fraud

Emotional fraud is often combined with investment fraud but mainly targets non-cryptocurrency users. Scammers create a perfect online persona and engage in online romantic relationships to convince their victims to buy USDT for cryptocurrency investments, such as arbitrage, derivatives trading, liquidity mining, etc.

The victim’s “investment” generates substantial returns within a short period, and they are encouraged to invest more. However, in reality, the victim’s USDT does not participate in any real arbitrage activities but is immediately transferred and laundered upon entering the platform. Meanwhile, their withdrawal requests are rejected by the platform for various reasons, until the victim realizes they have been scammed.

4.1.1.2 Black Gray USDT Score Running Scam

The black-gray USDT score running scam is a fraudulent scheme that disguises itself as a money laundering and score running service. These platforms claim to be order platforms for laundering USDT funds, but in reality they are investment scams. Once participants invest a large amount of USDT, the platform refuses to return the funds for various reasons.

Take the example of a “black U score running platform” that is still in operation. It allows users to exchange “clean U” for “black U” at a rate of 1:1.1 to 1.45. Users can then sell the acquired black U on other platforms, and the excess amount is considered the user’s score running profit.

So far, this fraudulent group has illegally obtained over 870,000 USDT using the same method. 784 unique addresses have transferred USDT to the fraudulent address, but only 437 addresses have received any refunds. Nearly half of the participants did not successfully profit from this scheme.

4.1.2 False Apps

False apps are legitimate apps that criminals repackage and present as genuine. In the cryptocurrency context, false apps mainly take the form of fake wallets and fake Telegram apps.

4.1.2.1 Fake Wallet App

Wallet theft through fake wallet apps is a method in which thieves induce others to download and install fake wallet apps that contain backdoors. Through this method, they can steal wallet mnemonic phrases and illegally transfer other people’s assets. Thieves distribute download links for fake wallet apps through search engines, unofficial app stores, social platforms, etc. When victims download and install the apps and create or synchronize wallet addresses, their mnemonic phrases are sent to the thieves. Once victims transfer a large amount of cryptocurrency, the thieves will automatically or in batches transfer and consolidate the stolen funds.

This method has now become highly industrialized, with separate development and marketing teams for fake wallet apps. The development team solely focuses on product development and maintenance, while the marketing team promotes the fake wallet apps without needing to understand the underlying encryption technology.

Multi-signature theft is a variant of wallet theft. Multi-signature technology allows multiple keys to jointly control a digital asset; put simply, a wallet account can have several parties with signing and payment rights. If an address can only be signed and paid by one private key, this is written as 1/1. A multi-signature setup is written as m/n, meaning that a total of n private keys can sign for the account and a transaction is made once m of them sign.

Essentially, traditional wallet theft leaves the thief sharing control of the wallet with the victim: the thief cannot prevent the victim from transferring assets. Under the multi-signature variant, however, as soon as the thief has a fake wallet app installed on the victim's device, they add their own key to the victim's address as a multi-signature signer. From that point the wallet owner can only transfer assets into the wallet but cannot withdraw them, while the thief can transfer the assets out at any time, typically waiting until the victim has deposited a large amount.

4.1.2.2 Fake Telegram App

A classic application of fake apps in the cryptocurrency-related black and gray industries is the malicious backdoor implantation in the Telegram app. Telegram is a social software commonly used by cryptocurrency investors, and many off-market trading activities rely on this app. Fraudsters will use social engineering attack methods to induce target users to “download” or “update” the fake Telegram app. Once the target user pastes a blockchain address in the chat box, the malicious software will identify and replace the address with a malicious one, causing the counterparty to send funds to the malicious address without the victim’s knowledge.

4.1.3 Third-party Payment Guarantees in the Black and Gray Industries

Third-party payment guarantees refer to a situation where, after the buyer and seller reach a transaction intent or agreement online, the buyer first pays the payment to a third party, who temporarily keeps it. After the buyer receives the goods and checks them without any issues, they notify the third-party intermediary, who then pays the payment to the seller, completing the entire transaction. It is essentially an online payment service where a third party acts as a credit intermediary to temporarily supervise the payment until the buyer confirms receipt of the goods. In this transaction process, the third-party intermediary charges a certain percentage of service fees.

Currently, some black-gray third-party payment guarantee platforms, in addition to traditional fiat channels, have also begun to use Tether (mainly trc20-USDT) as collateral funds, providing payment guarantee services for transactions including illegal currency exchange, illegal commodity trading, illegal collection and payment on behalf of others, and cryptocurrency transactions involved in cases. Although the types of transactions are different, the transaction process is consistent.

Usually, one party from the buyer and seller will pay to advertise on the guarantee platform in the advertising area, either in a specific area of the website or in the official Telegram group. The advertisement will specify transaction types, transaction requirements, payment methods, and other transaction details.

After the buyer and seller have negotiated, they need to contact the customer service of the guarantee platform to establish a “group”, which is a non-public Telegram group used only for transaction communication. The members include the buyer, seller, and group robot. In principle, one-to-many transactions are not allowed, nor are unrelated persons allowed to join.

The buyer transfers the payment to the official account of the guarantee platform and provides proof; this step is called the "upward pledge". Once the payment is confirmed, the trader notifies the seller to ship. The seller then ships and provides proof of shipment. After the buyer confirms receipt, the buyer notifies the trader to release the funds. On receiving the buyer's confirmation of receipt or release notification, the trader deducts the commission, releases the funds to the seller, and provides proof of payment. Finally, the seller confirms receipt and the transaction is complete.

The platform does not allocate separate addresses for fund isolation in each transaction, but instead sends all the deposits to the same upward pledge address within a certain period of time. This causes this address to directly receive a large amount of risk funds related to online gambling, black-gray industries, money laundering, and other activities. At the same time, due to its huge fund scale, it also confuses the direction of funds to some extent, obstructing the tracking activities of investigators.

An audit of platforms that guarantee illegal transaction activities has revealed that the scale of guarantee funds has been steadily increasing over the past 12 months. This includes over 17.07 billion TRON USDT and over 670 million Ethereum USDT, indicating that most of the illegal transactions guaranteed by such platforms occur on the TRON network.

4.2 New Forms of Illicit Cryptocurrency Exploitation

4.2.1 Authorization Theft

Authorization theft is a method of stealing assets by illegally obtaining control over the USDT held at other people's addresses through token approvals. Public blockchains such as TRON and Ethereum allow users to delegate the right to operate a given asset in their wallet to another address; that address then gains partial or complete control over the asset and can transfer the approved amount at any time by calling the token contract.

The malicious approval request is usually disguised as a payment link, airdrop claim page, or interactive contract, acting as a honey trap. Once the victim is lured into interacting, a certain asset in the address, usually USDT, is granted an unlimited allowance to the theft address, which later transfers it out by calling the `transferFrom` method.

The thief often achieves this by deceiving the target victim into clicking on a phishing link and running a fraudulent smart contract. At this time, the victim’s wallet mnemonic is not leaked, so by promptly revoking the authorization, some losses can still be recovered.
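The approve / transferFrom sequence behind authorization theft, the revocation described above, and an allowance audit, as an added example that models token semantics in plain Python (not real chain code and not from the Bitrace report); account names, the `dex_router` trusted spender and the amounts are constructed:

```python
"""Added example (not real chain code): a minimal model of the TRC20/ERC20
approve / transferFrom semantics behind authorization theft, with the revoke
and allowance audit a defender would apply."""

UNLIMITED = 2**256 - 1   # the "unlimited" allowance a honey-trap approval asks for


class TokenLedger:
    """Balances plus (owner, spender) -> allowance, mirroring a token contract's state."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowances = {}

    def approve(self, owner, spender, amount):
        """What the victim's wallet signs when lured by the 'payment link' or 'airdrop'."""
        self.allowances[(owner, spender)] = amount

    def transfer_from(self, spender, owner, to, amount):
        """Spender moves the owner's tokens within the allowance; no owner signature needed."""
        allowed = self.allowances.get((owner, spender), 0)
        if amount > allowed or amount > self.balances.get(owner, 0):
            return False
        # Many token implementations leave an unlimited allowance undiminished;
        # a finite allowance is reduced by the amount spent.
        if allowed != UNLIMITED:
            self.allowances[(owner, spender)] = allowed - amount
        self.balances[owner] = self.balances.get(owner, 0) - amount
        self.balances[to] = self.balances.get(to, 0) + amount
        return True

    def revoke(self, owner, spender):
        """Revocation is simply an approve(spender, 0) signed by the owner."""
        self.approve(owner, spender, 0)


def risky_allowances(ledger, owner, trusted_spenders):
    """Audit an owner's outstanding allowances: any non-zero allowance held by a spender
    outside the trusted set (e.g. known DEX routers) is reported for revocation."""
    return sorted(
        (spender, amt) for (o, spender), amt in ledger.allowances.items()
        if o == owner and amt > 0 and spender not in trusted_spenders
    )


def authorization_theft_scenario():
    """Walk the sequence the report describes on constructed accounts and return
    (drain_before_revoke_succeeded, drain_after_revoke_succeeded, victim_balance_left)."""
    ledger = TokenLedger({"victim": 1500, "thief": 0})
    # 1. Victim interacts with the disguised contract and signs an unlimited approval.
    ledger.approve("victim", "phish_contract", UNLIMITED)
    # 2. Later the thief drains part of the balance via transferFrom.
    first = ledger.transfer_from("phish_contract", "victim", "thief", 1000)
    # 3. Victim audits allowances and revokes the untrusted one; the key was never leaked.
    for spender, _ in risky_allowances(ledger, "victim", {"dex_router"}):
        ledger.revoke("victim", spender)
    # 4. Further transferFrom calls now fail, so the remaining funds are safe.
    second = ledger.transfer_from("phish_contract", "victim", "thief", 100)
    return first, second, ledger.balances["victim"]


if __name__ == "__main__":
    print(authorization_theft_scenario())   # (True, False, 500)
```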

4.2.2 Zero-Transfer Phishing

Zero-transfer phishing is a scam targeting cryptocurrency investors who rely on their wallet's transaction history when copying addresses. By sending a large number of USDT transactions with an amount of 0 to arbitrary blockchain addresses, the attacker adds interaction records to the target address without its owner's consent. If the owner later copies the counterparty address from an existing record in the wallet app when initiating a transfer, the funds may be sent to the wrong address, resulting in losses.

Bitrace has conducted a fund analysis of a large number of addresses on the TRON network that have already been marked as phishing addresses. Transfers with an amount of less than 1 USDT are classified as phishing activity, while inflows exceeding 10 USDT are counted as fraudulent gains.

Our research shows that the activity and scale of zero-transfer phishing attacks have been expanding. As of now, more than 451 million USDT has been lost to such phishing attacks on the TRON network.

4.2.3 Fake Platform Coin Arbitrage Scam

The common technique used in the fake platform coin arbitrage scam is for fraudsters to claim that they have developed a “smart arbitrage contract.” Participants only need to invest a certain amount of cryptocurrency into the contract to obtain an excessive amount of another well-known cryptocurrency (such as Binance Coin, Huobi Points, OK Coin, etc.). After obtaining the “arbitrage income,” participants can cash out on third-party exchange markets to earn profits.

During the early stages of small-scale testing, real excess cryptocurrency may indeed be returned. However, once victims invest large sums of money, fake tokens will be returned, which have no market value. This fraud technique is old but effective, and there are still many variants active in the cryptocurrency investor community. It not only causes financial losses to ordinary investors but also brings negative damage to the brand assets of those being impersonated.

4.2.4 Tron Fancy Address Transactions

Similar to traditional black and gray industry activities, illegal actors in the cryptocurrency black and gray industry also need to create or purchase virtual identities. In traditional black and gray industry activities, it is bank accounts and identity information, while in cryptocurrency black and gray industry activities, it is blockchain addresses. Typically, these addresses are customarily obtained from professional fancy address service providers.

In online gambling activities, the operators of hash gambling platforms are often users of Tron fancy addresses. They bulk purchase fancy addresses from professional fancy address service providers and use these addresses for business purposes, including fund payments, storage, circulation, receiving bets, and fund settlements.

In black and gray industry activities, customized fancy addresses have directly given rise to a more refined variant of zero-transfer phishing: same-tail phishing. Compared with indiscriminate zero-USDT transfers to arbitrary addresses, same-tail phishing is targeted. Fraudsters obtain an address that imitates the leading and trailing characters of the counterparty address the target habitually uses, and send a larger amount from it.

Such phishing activities are not cheap. According to the price list of one TRON fancy address service provider, a customized address matching eight specified characters takes 12 hours to deliver and costs 100 USDT, whereas a generic eight-character fancy address costs only 10 USDT.
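The report's thresholds for zero-transfer phishing (under 1 USDT counted as phishing activity, over 10 USDT counted as gains) and the same-tail lookalike check a wallet could run before sending, as an added example with constructed data (not code or data from the Bitrace report); the addresses, transfer records and the 4-character head/tail match width are assumptions:

```python
"""Added example (constructed data, not from the Bitrace report): apply the
report's zero-transfer phishing thresholds to transfer records and run the
pre-send lookalike check a wallet could use against same-tail addresses."""

DUST_THRESHOLD = 1.0    # report: transfers under 1 USDT are treated as phishing activity
GAIN_THRESHOLD = 10.0   # report: inflows over 10 USDT to a phishing address count as gains

# Constructed 34-character TRON-style addresses (same shape as real ones, but fake).
TRUSTED = "TExchangeHotWallet" + "0" * 12 + "ABCD"   # the victim's usual counterparty
PHISH = "TExch" + "X" * 25 + "ABCD"                  # same head and tail, different middle
VICTIM = "TVictimWallet" + "0" * 20 + "1"

# Constructed transfers: (sender, receiver, amount_usdt).
SAMPLE_TRANSFERS = [
    (PHISH, VICTIM, 0.0),      # zero-value transfer planting the lookalike in the victim's history
    (PHISH, VICTIM, 0.001),    # dust variant of the same trick
    (PHISH, VICTIM, 2.0),      # same-tail bait above the dust threshold: the rule alone misses it
    (VICTIM, TRUSTED, 500.0),  # genuine payment to the real counterparty
    (VICTIM, PHISH, 250.0),    # victim copied the lookalike from history: counted as a gain
    (VICTIM, PHISH, 5.0),      # mis-send below the gain threshold, not counted
]


def classify_phishing_activity(transfers, phishing_addrs):
    """Count dust transfers sent by known phishing addresses and sum the inflows
    above GAIN_THRESHOLD they received. Returns (dust_count, gains_usdt)."""
    dust, gains = 0, 0.0
    for src, dst, amt in transfers:
        if src in phishing_addrs and amt < DUST_THRESHOLD:
            dust += 1
        elif dst in phishing_addrs and amt > GAIN_THRESHOLD:
            gains += amt
    return dust, gains


def looks_like_same_tail(candidate, trusted, head=4, tail=4):
    """True when candidate shares the first `head` and last `tail` characters of a
    trusted address but is not that address: the same-tail lookalike pattern."""
    return (candidate != trusted
            and len(candidate) == len(trusted)
            and candidate[:head] == trusted[:head]
            and candidate[-tail:] == trusted[-tail:])


def wallet_send_check(destination, address_book):
    """Pre-send check: 'known' for an exact address-book match, 'lookalike' (with the
    addresses it imitates) when only head and tail match, otherwise 'unknown'."""
    if destination in address_book:
        return "known", []
    imitated = [a for a in address_book if looks_like_same_tail(destination, a)]
    return ("lookalike", imitated) if imitated else ("unknown", [])


def suspicious_history_entries(transfers, owner, address_book):
    """Flag counterparties in the owner's history that imitate an address-book entry,
    regardless of amount, which is how the same-tail bait above gets caught."""
    seen = {src if dst == owner else dst for src, dst, _ in transfers if owner in (src, dst)}
    return sorted(a for a in seen if wallet_send_check(a, address_book)[0] == "lookalike")


if __name__ == "__main__":
    print(classify_phishing_activity(SAMPLE_TRANSFERS, {PHISH}))
    print(wallet_send_check(PHISH, [TRUSTED]))
    print(suspicious_history_entries(SAMPLE_TRANSFERS, VICTIM, [TRUSTED]))
```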

In addition to TRON fancy number service providers, there are also certain Telegram group chat bot service providers, website source code service providers, batch transfer tool service providers, SEO fast ranking service providers, and other groups that provide help to illegal participants and profit from it. This article will not disclose too much.

5. Utilization of Cryptocurrencies in Money Laundering Activities

5.1 Traditional Cryptocurrency Money Laundering Utilization Forms

The use of cryptocurrencies in traditional money laundering activities aims to move payments from high-risk users to low-risk users' accounts, thereby avoiding payment institutions' risk control measures. This usually takes the form of exchanging the fiat currency involved for crypto funds, or the crypto funds involved for fiat currency, in the cryptocurrency OTC market in order to cut off the fund trail and evade tracking and enforcement.

A typical money laundering scenario is that fraudsters quickly split the funds into small continuous transfers to multiple bank accounts after tricking the victim into giving them cash. Then, they arrange “card farmers” to cash out, and then transport the cash to the location of the money laundering gang through personal or public transportation such as cars or planes. In the past, this cash was often used to purchase bulk commodities or exchanged for foreign currency to be sent out of the country, but now it is mostly used to offline purchase USDT. These USDTs will either be cashed into fiat currency in the cryptocurrency OTC market or directly flow out of the country or to other money laundering gangs for further processing. In this process, OTC trading platforms, payment guarantee platforms, and centralized trading platforms in the cryptocurrency OTC market all play important roles.

5.1.1 OTC Trading Platforms

OTC trading platforms are a new type of money laundering method that combines digital currency trading with traditional “score running” platforms. The basic model is that the platform organizers use the bait of buying a large amount of USDT and transferring it to overseas exchanges for sale to earn the price difference. They recruit USDT brick movers and require them to register and bind their personal bank accounts with real-name accounts on digital currency exchanges. Brick movers need to purchase a certain amount of USDT as transaction margin collateral, pledge it to the “score running” platform, and the platform organizers will mark the amount and unit price of USDT that can be sold for the brick movers on the platform according to the number of USDT margin collateral paid by the brick movers, while also noting the receiving bank account information of the brick movers. When overseas telecom fraud and other criminal groups need to receive illegal money, they will first place an order to buy USDT from the brick movers through the “score running” platform, and then instruct the victims to transfer the cheated money to the bank account reserved by the brick movers on the platform. Once the victims transfer the cheated money to the brick movers’ accounts, the brick movers confirm the transaction on the platform, thus completing the first transfer of the fraudulently obtained money. After that, the brick movers use the received illegal funds to continue purchasing USDT from the exchange and withdraw it to the “score running” platform in a cycle, earning the price difference of USDT and the platform’s commission in the process.

Money laundering groups call this activity "card back U". It lets upstream criminals and the laundering groups themselves avoid entirely both the risk of holding stolen funds and the real-name verification of trading platforms, since both fall on the brick movers' accounts.

5.1.2 Score Running Fleet

Besides recruiting score runners to launder stolen money, launderers also often use a more direct method, the "score running fleet". The structure is similar to the OTC score running model above, except that the cryptocurrency transactions take place offline, in person, and are settled in cash. First, the fleet leader recruits a large number of real individuals to open bank card accounts in their own names. When upstream criminals (the "clients") obtain stolen money (the "score"), they contact the fleet leader through an illegal third-party payment guarantee platform. The funds are then split and transferred to the many bank cards under the fleet's control. Freshly stolen funds are called a "first-hand score"; funds that have already passed through one or two laundering rounds are a "second-hand" or "third-hand score", which carry lower risk and therefore a lower commission. The fleet leader then drives the "drivers" to local ATMs to withdraw the cash. After multiple withdrawals, the leader transports the cash by personal or public transport to the designated location for an offline trade. Finally, with the third-party payment guarantee platform acting as escrow, the fleet leader hands the cash to the counterparty in exchange for a commission, and the counterparty sends USDT to the guarantee platform's address, completing the laundering process.

By chaining multiple bank-to-bank transfers, ATM cash withdrawals and offline cryptocurrency trades, this form of laundering breaks the fund trail several times over and also evades bank transaction monitoring.

Bitrace audited Tron network addresses that were labeled with money laundering risk and had a fund scale above 1 million USDT. The audit covered USDT transfers from September 2021 to March 2023.

The data shows that from September 2021 to March 2023 a total of over 64.25 billion USDT flowed into addresses labeled with money laundering risk on the Tron network, and that the volume was unaffected by the bear market in the secondary crypto market, which indicates that the participants in this business are not genuine investors.

5.2 New Forms of Money Laundering Using Cryptocurrencies

For crypto-native criminals, anonymous exchange and on-chain obfuscation built on cryptocurrency infrastructure are the most common laundering methods.

5.2.1 On-Chain Fund Obfuscation

On-chain fund splitting and coin mixing platforms are the most common channels for fund obfuscation.

Fund splitting (layering) is the illegal practice of passing virtual currency through complex, multi-layered transactions across many wallet addresses and accounts, gradually mixing and transferring it before finally pooling it into the wallet address of an overseas accomplice. The purpose is to sever the link between fund inputs and outputs and to blur the transaction path of the virtual currency. The technique works just as well for laundering cryptocurrency and is commonly used by black and gray industry participants to handle funds.

Taking the fund-flow graph of an investment and wealth management fraud case as an example: after collecting crypto funds from victims, the operators split the illicit proceeds across several channels and finally consolidated them into a handful of exchange deposit addresses for cashing out.

Coin mixing, by contrast, blends a user's cryptocurrency with that of other users and then sends the mixed coins to a target address, concealing the original flow and making the source and destination of the funds hard to trace. Several mixing platforms have therefore been sanctioned by governments around the world, the best known being Tornado Cash. On August 8, 2022, the platform was sanctioned by the Office of Foreign Assets Control (OFAC) of the U.S. Department of the Treasury, and a number of Ethereum addresses associated with it were added to the Specially Designated Nationals (SDN) list. Once an address is on that list, the assets and property interests of the individuals or entities behind it are at risk of being frozen.

Nevertheless, because the Tornado Cash mixing contracts are publicly accessible and permissionless, users can still mix coins by calling the contracts directly. In the attack on OnyxProtocol on November 1, 2023, for example, the attacker funded the attack address's transaction fees (gas) through a mixing platform and subsequently laundered the stolen funds.

5.2.2 On-Chain Anonymous Exchanges

No-KYC trading platforms and cross-chain bridges are the two main channels for anonymous on-chain exchange.

To date, apart from a handful of sanctioned entity addresses, this kind of crypto infrastructure has implemented no further risk controls on risky funds or high-risk addresses. As a result, illicit funds can often be swapped through these channels immediately after an attack.

Take the NirvanaFinance attack of June 25, 2023 as an example: after draining crypto funds from the victim protocol, the attacker immediately moved part of the funds to THORWalletDEX. THORWalletDEX is a permissionless decentralized exchange offering a high level of privacy; it lets users swap directly across different blockchains without disclosing transaction information, and it has accordingly appeared in the laundering stage of several past crypto security incidents.

6. Risk of Web3 Enterprise Address Contamination by Risky Crypto Funds

6.1 Contaminated centralized exchange platform addresses

Centralized exchanges are one of the main destinations for laundered USDT. For this report, Bitrace audited 126 commonly used centralized exchange hot wallet addresses and examined in detail the inflows of crypto funds linked to online gambling, illicit activities and money laundering from January 2021 to the present.

From January 2021 to September 2023, over 41.52 billion risky USDT flowed into certain centralized exchanges on the Tron network: 22.579 billion USDT linked to online gambling, 10.57 billion USDT linked to illicit activities and 8.373 billion USDT linked to money laundering.

From January 2021 to September 2023, over 3.315 billion risky USDT flowed into certain centralized exchanges on the Ethereum network: 1.1 billion USDT linked to online gambling, 1.842 billion USDT linked to illicit activities and 0.372 billion USDT linked to money laundering.

Both the total amount and the proportion of risky funds show that USDT misuse is far larger on the Tron network than on Ethereum. The online gambling category also accounts for a higher share, which matches what is observed in practice: gambling agents and ordinary gamblers prefer Tron USDT because of its lower transaction fees.

6.2 Contaminated over-the-counter trading market addresses

Besides the OTC desks of centralized exchanges, certain payment platforms, crypto investor communities and acceptance-merchant communities also run over-the-counter markets of some scale. These venues lack proper KYC and KYT mechanisms, so it is hard to assess counterparty fund risk up front or to restrict risky funds after the fact, and a comparatively higher share of risky USDT flows into them.

Bitrace audited addresses showing typical OTC market characteristics with a fund scale above 1 million USDT. The data shows that over the past two years at least 3.439 billion USDT linked to risky activities flowed into this batch of addresses. The inflow has grown over time and is not noticeably affected by the bear market in the secondary market.

6.3 Crypto Payment Platform Address Contamination

As part of the infrastructure of the crypto finance field, cryptocurrency payment tools provide fund settlement services to blockchain institutions and some acceptance (cash-in and cash-out) services to ordinary users, and so face the same risk of contamination by risky crypto funds.

Bitrace audited the addresses of the main crypto payment platforms serving customers in Southeast and East Asia. Between January 2021 and September 2023, over 40.51 billion risky USDT flowed into these addresses: 33.46 billion USDT on the Tron network and 7.04 billion USDT on Ethereum. In almost every period, contamination of crypto payment platforms by risky USDT was more severe on Tron than on Ethereum.

7. Conclusion and Recommendations

Participants in online gambling, black and gray industries, money laundering and similar activities make heavy use of cryptocurrencies, including USDT, to increase the anonymity of their funds and evade tracking by regulators and law enforcement. As a direct consequence, Web3 companies running compliant crypto businesses, as well as ordinary crypto investors, lacking the ability to identify fund risk, passively receive crypto funds linked to risky activities; their addresses become contaminated and they may even be drawn into criminal cases.

Industry institutions should strengthen their awareness of fund risk control, cooperate actively with local law enforcement, and subscribe to threat intelligence services from security vendors so that they can perceive, identify, prevent and block risky crypto funds and protect their own business addresses and their users' addresses from contamination.

7.1 Strengthen Awareness of Fund Risk Control

Beyond performing Know Your Customer (KYC) checks as required by law, that is, establishing customers' true identities, how they transact and where their funds come from, industry institutions should also fulfil their obligation to monitor and manage abnormal customer transactions (Know Your Transaction, KYT) and promptly report non-compliant transactions and risk events. Users with suspicious fund activity should be managed in tiers, with measures that restrict some or all platform functions.

7.2 Actively understand local laws and regulations and cooperate with law enforcement agencies

Platforms need to establish or appoint a professional team to process and review law enforcement requests from around the world, assisting in identifying, combating and preventing cryptocurrency-related crime, reducing economic losses, and avoiding contamination of platform business addresses and user accounts.

7.3 Establish a threat intelligence network and information sharing mechanism

Industry organizations need to take open-source intelligence seriously, keeping watch on the addresses and funds involved in ongoing crypto security incidents so that funds entering the platform can be countered in time. They also need to connect to external threat intelligence sources and work with crypto data and security companies to build DID profiles for users, applying appropriate risk controls to addresses associated with risk and to addresses without a good interaction history. On this basis, an open, shared threat intelligence database for the whole industry should be established and maintained to ensure the security and trust of the industry as a whole.
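As an added example (not part of the Bitrace report and not Bitrace's tooling), the following Python sketch shows how two of the points above fit together: the split-and-consolidate layering pattern described in 5.2.1, and the tiered KYT screening recommended in 7.1 and 7.3. It builds a small constructed USDT transfer history (fictional address labels, not real on-chain data), seeds two labeled risk sources (a fraud collection address and a sanctioned mixer), propagates taint forward both as hop distance and as a pro-rata ("haircut") fraction of each transfer, and then assigns each of the platform's deposit addresses to a risk tier. The risk labels, thresholds and tier actions are illustrative assumptions.

```python
"""Toy KYT screen over an on-chain transfer history (added example, not Bitrace's tooling).

Two signals are computed for every address from a labeled set of risk sources:
  * hop distance: minimum number of forward transfers from any risk source
  * haircut taint: the share of an address's inflow that traces back to a risk
    source, with every outgoing transfer carrying the sender's current tainted
    fraction pro rata
Platform deposit addresses are then placed in tiers (assumed thresholds).
"""
from collections import defaultdict, deque

# Constructed sample history in chronological order: (sender, receiver, amount in USDT).
# Labels are fictional stand-ins for addresses; nothing here is real on-chain data.
TRANSFERS = [
    ("fraud_collector", "split_1", 40_000),         # proceeds of an investment scam
    ("fraud_collector", "split_2", 40_000),         # split into two layering addresses
    ("split_1", "consolidator", 40_000),
    ("split_2", "consolidator", 30_000),
    ("split_2", "otc_desk", 10_000),                # part diverted to an OTC desk
    ("clean_otc", "otc_desk", 90_000),              # commingled with legitimate OTC flow
    ("consolidator", "cex_deposit_A", 70_000),      # consolidation into an exchange deposit
    ("otc_desk", "cex_deposit_D", 50_000),
    ("sanctioned_mixer", "attacker_fresh", 5_000),  # mixer withdrawal funding a fresh address
    ("attacker_fresh", "cex_deposit_B", 4_000),
    ("clean_user", "cex_deposit_C", 1_000),
]

# Assumed intelligence labels: the seed of the propagation.
RISK_LABELS = {"fraud_collector": "fraud", "sanctioned_mixer": "sanctioned_mixer"}
# Deposit addresses belonging to the platform doing the screening.
PLATFORM_DEPOSITS = {"cex_deposit_A", "cex_deposit_B", "cex_deposit_C", "cex_deposit_D"}


def nearest_risk_source(transfers, risk_labels):
    """BFS forward along transfers; returns {address: (hops, label)} for every
    address reachable from a labeled risk source (sources themselves at 0 hops)."""
    successors = defaultdict(set)
    for sender, receiver, _ in transfers:
        successors[sender].add(receiver)
    nearest = {addr: (0, label) for addr, label in risk_labels.items()}
    queue = deque(risk_labels)
    while queue:
        cur = queue.popleft()
        hops, label = nearest[cur]
        for nxt in successors[cur]:
            if nxt not in nearest:
                nearest[nxt] = (hops + 1, label)
                queue.append(nxt)
    return nearest


def haircut_taint(transfers, risk_sources):
    """Replay transfers in order. Each sender passes on its current tainted fraction
    pro rata ("haircut" taint). Returns ({address: tainted inflow}, {address: total inflow})."""
    balance = defaultdict(float)
    tainted = defaultdict(float)
    inflow = defaultdict(float)
    tainted_inflow = defaultdict(float)
    for sender, receiver, amount in transfers:
        if sender in risk_sources:
            fraction = 1.0                  # everything leaving a risk source is tainted
        elif balance[sender] > 0:
            fraction = tainted[sender] / balance[sender]
        else:
            fraction = 0.0                  # no observed inflow: treated as clean (assumption)
        tainted_amount = amount * fraction
        if sender not in risk_sources:
            balance[sender] -= amount
            tainted[sender] -= tainted_amount
        balance[receiver] += amount
        tainted[receiver] += tainted_amount
        inflow[receiver] += amount
        tainted_inflow[receiver] += tainted_amount
    return tainted_inflow, inflow


def screen_deposits(transfers, risk_labels, deposits, freeze_hops=2, freeze_ratio=0.5):
    """Tiered decision per deposit address (thresholds are illustrative assumptions):
    allow               - no traceable exposure
    freeze_and_review   - within freeze_hops of a risk source, or majority tainted
    restrict_withdrawal - distant, minority exposure: limit functions pending review"""
    nearest = nearest_risk_source(transfers, risk_labels)
    tainted_inflow, inflow = haircut_taint(transfers, set(risk_labels))
    decisions = {}
    for addr in sorted(deposits):
        hops, label = nearest.get(addr, (None, None))
        ratio = tainted_inflow[addr] / inflow[addr] if inflow[addr] else 0.0
        if hops is None or ratio == 0.0:
            action = "allow"
        elif hops <= freeze_hops or ratio >= freeze_ratio:
            action = "freeze_and_review"
        else:
            action = "restrict_withdrawal"
        decisions[addr] = {"hops": hops, "label": label,
                           "tainted_ratio": round(ratio, 3), "action": action}
    return decisions


if __name__ == "__main__":
    for addr, verdict in screen_deposits(TRANSFERS, RISK_LABELS, PLATFORM_DEPOSITS).items():
        print(addr, verdict)
```

On the constructed history, the consolidated scam proceeds (cex_deposit_A) and the mixer-funded fresh address (cex_deposit_B) land in the freeze tier, the OTC desk deposit that commingled 10% scam funds with clean flow (cex_deposit_D) is only restricted, and the unrelated user (cex_deposit_C) is allowed. Haircut taint is one of several propagation rules; FIFO or "poison" (any exposure taints everything) rules give different ratios for commingled addresses, so the choice should be made explicitly and documented in the platform's risk policy.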
