Analyzing the Northern Myanmar Alliance Army’s “Ransom” Address from an On-Chain Perspective

SlowMist
Jan 25, 2024

Background

On January 16, 2024, a blogger on a Chinese social media platform revealed that the Myanmar Alliance Army is allegedly forcing telecommunications fraud industry practitioners stranded in Myanmar to pay substantial amounts in cryptocurrency. The blogger also showcased a cryptocurrency address claimed to be used for receiving these payments. This revelation has since gained widespread attention online.

This article is a collaborative effort by Bitrace & MistTrack to analyze the disclosed cryptocurrency address, including its transaction patterns, the risk associated with the sources of address funds, and activities linked to associated addresses. The purpose is to disclose the relevant findings of this analysis.

Address Behavior Analysis

The original text mentions, “Chinese are being captured everywhere and then uniformly taken to the Qingshuihe Baisheng Hotel. They are asked if they want to pay for their own protection. The prerequisite for this protection is an upfront payment of 500,000, with the Alliance Army providing transportation to Wabang Nandeng. Later, the price was reduced to about 300,000.” Based on this information, researchers analyzed the disclosed receiving address TKFsCN, focusing on the USDT exchange rate. They attempted to deduce the underlying settlement units by examining specific amounts of USDT received.

The historical transaction records of the receiving address reveal that the USDT transactions it received often consist of non-rounded figures, such as 71,417 or 42,857. This is commonly seen in transactions where the settlement unit is not in US dollars. Upon analyzing these transactions using the exchange rates of various major fiat currencies against USDT, the researchers discovered that these transactions appear to be settled at an exchange rate of 1 USD to 7–7.2 RMB. Furthermore, there is a clustering of transactions in certain ranges, specifically in the amounts of 500,000 to 600,000 RMB, 1 million RMB, and even 1.5 million RMB.

After filtering out transactions of 100 USDT or less, the TKFsCN address shows a total of 307 incoming USDT transactions, 193 of which correspond to RMB amounts converted at the RMB-to-USD exchange rate. These account for 62.86% of the total number of transactions and 45.29% of the total transaction amount. This indicates that more than half of the transactions received by this address were settled in RMB, with a significant portion at the 500,000 RMB level. The parties paying in USDT are likely to be Chinese individuals.
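The settlement-unit inference described above can be sketched as follows. This is an added example, not MistTrack or Bitrace code: the 50,000 RMB grid, the rule that multiples of 1,000 USDT count as USD-denominated, and all function names are assumptions. It also reports how often an amount of a given size would match by coincidence, since a 7–7.2 window spans more RMB as amounts grow.

```python
import math
from decimal import Decimal

# Only the 7-7.2 rate window and the 100 USDT filter come from the article;
# the two ROUND_* values are assumptions made for this example.
RATE_LO, RATE_HI = Decimal("7.0"), Decimal("7.2")  # RMB per USDT
MIN_USDT = Decimal("100")       # transfers of 100 USDT or less are ignored
ROUND_RMB = Decimal("50000")    # assumed grid for a "round" RMB figure
ROUND_USD = Decimal("1000")     # assumed: multiples of 1,000 USDT are USD-denominated

def rmb_candidates(usdt):
    """Round RMB figures this USDT amount could represent, with the implied rate."""
    usdt = Decimal(str(usdt))
    if usdt <= MIN_USDT or usdt % ROUND_USD == 0:
        return []
    first = math.ceil(usdt * RATE_LO / ROUND_RMB)
    last = math.floor(usdt * RATE_HI / ROUND_RMB)
    return [(k * int(ROUND_RMB), round(float(k * ROUND_RMB / usdt), 4))
            for k in range(first, last + 1)]

def chance_match(usdt):
    """Fraction of arbitrary amounts of this size that would hit the grid by coincidence."""
    return min(1.0, float(Decimal(str(usdt)) * (RATE_HI - RATE_LO) / ROUND_RMB))

def settlement_share(amounts):
    """(share by count, share by value) of RMB-consistent transfers above MIN_USDT."""
    kept = [Decimal(str(a)) for a in amounts if Decimal(str(a)) > MIN_USDT]
    if not kept:
        return 0.0, 0.0
    hits = [a for a in kept if rmb_candidates(a)]
    return len(hits) / len(kept), float(sum(hits) / sum(kept))

# Constructed sample: 71,417 and 42,857 are the figures quoted in the article,
# the remaining amounts are invented for illustration.
SAMPLE = [71417, 42857, 60000, 50, 142857, 83250.5, 214285]

if __name__ == "__main__":
    for amt in SAMPLE:
        print(amt, rmb_candidates(amt), f"coincidence={chance_match(amt):.2f}")
    print("count share %.2f, value share %.2f" % settlement_share(SAMPLE))
```

The two shares mirror the by-count and by-value percentages the article reports; the coincidence figure is the baseline a match rate has to exceed before it says anything about the settlement currency.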

Funds Source Analysis

The original text states, “After occupying the old street, [the group] also captures Chinese individuals (note: telecommunications fraud industry practitioners), asking if they are willing to pay for their own protection. Those who pay can be sent away, while those who don’t are sent to China.” If true, the transaction history of TKFsCN should reveal a significant number of new transaction counterparties, and a portion of the funds should originate from grey or black market, money laundering, and fraud-related addresses.

The data indicates that between October 22, 2023, and January 2, 2024, the TKFsCN address received USDT transfers from 182 different direct counterparties. Among these, 117 addresses exhibited a pattern of making two consecutive transactions: a small amount followed by a larger amount. This pattern is a typical characteristic of transaction testing, where the payer conducts a small transfer first to confirm the accuracy of the address before transferring the large amount. This suggests that at least 62.29% of the counterparties were likely engaging in their first transaction with TKFsCN, implying that they were not regular trading partners of the address.
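A minimal detector for the test-transfer pattern described above, run over constructed records. This is an added example, not the investigators' tooling: the 1% probe ratio, the 24-hour gap, the restriction to each sender's first two transfers, and the `SENDER_*` labels are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

PROBE_RATIO = 0.01             # assumption: probe is at most 1% of the follow-up
MAX_GAP = timedelta(hours=24)  # assumption: follow-up arrives within a day

def probe_then_pay(transfers):
    """transfers: iterable of (iso_timestamp, sender, usdt) received by one address.
    Returns {sender: (probe, payment)} where the sender's first two transfers
    are a small probe followed by a much larger payment."""
    by_sender = defaultdict(list)
    for ts, sender, amount in transfers:
        by_sender[sender].append((datetime.fromisoformat(ts), float(amount)))
    flagged = {}
    for sender, txs in by_sender.items():
        txs.sort()                      # chain exports are not always ordered
        if len(txs) < 2:
            continue
        (t1, a1), (t2, a2) = txs[0], txs[1]
        if 0 < a1 <= a2 * PROBE_RATIO and t2 - t1 <= MAX_GAP:
            flagged[sender] = (a1, a2)
    return flagged

def first_contact_share(transfers):
    """Share of distinct senders that show the probe-then-pay pattern."""
    transfers = list(transfers)
    senders = {sender for _, sender, _ in transfers}
    return len(probe_then_pay(transfers)) / len(senders) if senders else 0.0

# Constructed records; sender labels are placeholders, not real addresses.
SAMPLE_TRANSFERS = [
    ("2023-11-01T10:00:00", "SENDER_A", 10),
    ("2023-11-01T10:12:00", "SENDER_A", 71417),
    ("2023-11-02T08:00:00", "SENDER_B", 42857),    # single transfer, no probe
    ("2023-11-03T09:00:00", "SENDER_C", 50000),
    ("2023-11-03T09:30:00", "SENDER_C", 60000),    # two large transfers
    ("2023-11-04T12:00:00", "SENDER_D", 5),
    ("2023-11-07T12:00:00", "SENDER_D", 142857),   # gap exceeds MAX_GAP
    ("2023-11-05T09:30:00", "SENDER_E", 214285),   # listed out of order
    ("2023-11-05T09:05:00", "SENDER_E", 1),
]

if __name__ == "__main__":
    print(probe_then_pay(SAMPLE_TRANSFERS))
    print("share of senders: %.2f" % first_contact_share(SAMPLE_TRANSFERS))
```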

A more in-depth audit of the risk associated with funds directed to the TKFsCN address reveals a close connection between its counterparties and activities such as black and grey market operations, online gambling, fraud, money laundering, and risk payments. Among the 182 direct counterparties, a significant 42% are linked to risky activities. These addresses have transferred USDT worth a total of 33,523,148 USD to TKFsCN.

Images from MistTrack and BitracePro

It’s worth noting that among these addresses associated with risky activities, investigators have identified 7 addresses explicitly linked to known criminal cases, including two money laundering cases, one fraud case, one online gambling case, and one telecommunication fraud case. The suspects’ geographical locations are all in northern Myanmar or Cambodia.

This suggests that the counterparties initiating payments to TKFsCN are not only involved in a significant amount of high-risk crypto activities but are also closely linked to illicit actors in the Southeast Asian region.

Another notable point is that investigators found a laundering address linked to a telecommunication fraud case among the outgoing addresses from TKFsCN. This indicates that some of the outgoing funds also present certain suspicions, which warrant further analysis. This aspect will be explored in a non-sensitive manner in the subsequent “Related Addresses Analysis” section.

Related Addresses Analysis

Based on the clustering analysis of the TKFsCN address mentioned above, it appears to have a subject clustering relationship with nearly one hundred addresses. Some of these addresses not only exhibit fund transactions similar to TKFsCN but also reveal more information about the recipients. Taking the recipient address TKKj8G as an example:

- TKKj8G directly received a total of 6 transactions, exceeding 4.6 million USDT, from TKFsCN. It is one of the consolidation addresses in the subsequent fund flow.

- TKKj8G is one of the core receiving addresses. Out of 60 transactions receiving amounts exceeding 100 USDT, 50 transactions show patterns similar to TKFsCN, indicating small-amount testing behaviors.

- TKKj8G became active on August 18, 2023, much earlier than other addresses. During this period, it engaged in transactions with Huiwang Guarantee, receiving 160,000 USDT. This behavior suggests that Huiwang Guarantee’s merchants may have withdrawn deposits from Huiwang Guarantee.

Images from MistTrack

This indicates that the mentioned “Financial Department address” in the original text may not actually exist. The addresses, including TKFsCN and TKKj8G, are likely to belong to a digital currency exchange located in northern Myanmar or Cambodia. For some reason, they act as intermediaries to collect these funds.

Anomalous Transactions

Based on the above findings, investigators have been able to sketch a typical profile of the payers: individuals engaged in illicit activities in the Southeast Asian region who, for some reason, had to transfer 500,000 RMB worth of USDT to a designated collection address. As these were first-time transactions, a small amount was transferred first to avoid errors before the larger amount was sent. The cryptocurrencies used for these payments likely originated from their illegal earnings or were purchased from other illicit entities.

However, not all payers fit this profile. The investigators also identified some addresses that do not completely conform to these characteristics. Taking the address TYU5acSGRwsYJfBhdpQc3broSpfsjs8QFF as an example, this address is one of the seven directly involved addresses mentioned earlier. The other six addresses transferred cryptocurrencies worth 500,000, 500,000, 1 million, 1 million, 2.7 million, and 550,000 RMB to TKFsCN, respectively. However, the amount transferred from TYU5ac, when converted at the same exchange rate, equates to 1.36 million RMB. This amount, although a round figure, is distinctly different from those transferred by the other addresses.

The investigators are not certain of the reason behind this unique amount. Given the presence of small-amount test transactions from this address, a plausible hypothesis is that the transfer from TYU5ac represents a consolidated payment of three separate transactions valued at 500,000 RMB each, with a 10% discount applied.

Summary

This article provides a detailed analysis of a publicly disclosed address, focusing on its transaction patterns, the risk associated with the sources of its funds, and activities linked to associated addresses. The main conclusions are as follows:

1. Over half of the transactions received by the analyzed target address are settled in RMB, with the predominant transaction amounts being 500,000, 1,000,000, and 1,500,000 RMB.

2. The counterparties transferring funds to this target address are closely associated with black and grey market operations, online gambling, fraud, money laundering, and high-risk payments.

3. The target address and its associated addresses already exhibited significant traces of high-risk activities even before they began receiving these funds. Cluster analysis of this address suggests that it may be associated with a merchant under the Huiwang Guarantee.

4. The counterparties initiating payments to the target address are closely connected with criminal elements in the Southeast Asia region.

In conclusion, the majority of the content disclosed by the blogger aligns with the factual situation as evidenced on the blockchain. Indeed, a significant number of Chinese telecommunications fraud industry practitioners in northern Myanmar or Cambodia collectively transferred USDT matching whole numbers in RMB to a specific address cluster. However, this group of addresses may not be the so-called “Financial Department address” but rather addresses of local digital currency exchanges, differing from what was described in the original article.

About Us

This investigation was jointly conducted by researchers from MistTrack and Bitrace.

MistTrack is an anti-money laundering tracking system developed by the blockchain security company SlowMist. It focuses on combating cryptocurrency laundering activities.

Bitrace is a blockchain data analytics company that offers leading cryptocurrency data analysis, risk management, and law enforcement collaboration tools and services. It provides support for compliance and regulatory tasks to Web3 enterprises, financial institutions, and regulatory and law enforcement agencies.

Disclaimer

The content of this article is based on data support from MistTrack and Bitrace. It aims to analyze public addresses on the Internet and disclose the analysis results. However, due to the characteristics of the blockchain, we cannot guarantee the absolute accuracy of all data here, and we cannot be responsible for errors, omissions, or losses caused by the use of the content of this article. At the same time, this article does not constitute the basis for any position or other analysis.

About SlowMist

At SlowMist, we pride ourselves on being a frontrunner in blockchain security, dedicating years to mastering threat intelligence. Our expertise is grounded in providing comprehensive security audits and advanced anti-money laundering tracking to a diverse clientele. We’ve established a robust network for threat intelligence collaboration, positioning ourselves as a key player in the global blockchain security landscape. We offer tailor-made security solutions that span from identifying threats to implementing effective defense mechanisms. This holistic approach has garnered the trust of numerous leading and recognized projects worldwide, including names like Huobi, OKX, Binance, imToken, Crypto.com, Amber Group, Klaytn, EOS, 1inch, PancakeSwap, TUSD, Alpaca Finance, MultiChain, and Cheers UP. Our mission is to ensure the blockchain ecosystem is not only innovative but also secure and reliable.

We offer a variety of services that include but are not limited to security audits, threat intelligence, defense deployment, security consultants, and other security-related services. We also offer AML (Anti-money laundering) solutions, Vulpush (Vulnerability monitoring), SlowMist Hacked (Crypto hack archives), FireWall.x (Smart contract firewall), Safe Staking and other SaaS products. We have partnerships with domestic and international firms such as Akamai, BitDefender, FireEye, RC², TianJi Partners, IPIP, etc.

By delivering a comprehensive security solution customized to individual projects, we can identify risks and prevent them from occurring. Our team was able to find and publish several high-risk blockchain security flaws. By doing so, we wish to help spread awareness and raise the security standards in the blockchain ecosystem.


SlowMist

SlowMist is a Blockchain security firm established in 2018, providing services such as security audits, security consultants, red teaming, and more.