Crypto Compliance Series: How funds are laundered without mixing platforms

SlowMist
May 4, 2022

There are different mixing platforms for different networks, such as Wasabi for Bitcoin and Tornado Cash for Ethereum. These platforms are used by money launderers to hide their funds from the public. However, not every network has these platforms. Today we will investigate how funds are laundered on the Tron network using a previous incident.

About TRON

TRON is a blockchain-based decentralized digital platform with its own cryptocurrency, called Tronix or TRX. TRON was founded in 2017 by a Singapore non-profit organization named the TRON Foundation, led by CEO Justin Sun. Their goal is to become a host for a global entertainment system that is cost-effective in sharing digital content. In 2019, USDT was introduced to the TRC-20 protocol on TRON, and TRC20-USDT was born.

Case Study

The unfortunate victim contacted us after realizing he had imported his private key into a counterfeit wallet app and lost 5,326,747 in USDT, or over $5.3 million.

Hackers’ address:

TDs3USWcG5ua4jkGNMGgNZrXrPgw8UMMCt

We will begin this investigation by performing a general analysis of the address using our anti-money laundering tracking tool, MistTrack.

https://misttrack.io/

Looking at the hackers’ accounts as a whole, we can see that they utilized them for both transfers and swaps. You’ll learn later that they even appear to have a strong preference for one particular exchange. At the same time, we can draw some judgments regarding their active time periods based on the transaction time frames.

Part I

Let’s look at some transactions. According to MistTrack, the hackers moved the stolen USDT to six different addresses and exchanged them using JustSwap (now renamed SunSwap).

They also used this address to directly exchange 73 USDT for 684.76 TRX.

There are six addresses that received funds from the hackers’ address, but we’ll focus on TGF…TA7 for now. After this address received 2,663,373.5 in USDT, it converted the USDT to TRX through JustSwap. The TRX was then transferred to the address TUe…F7g in six separate transactions.

This process was repeated for the remaining five addresses that received funds from the hacker’s address.

Part II

Continuing our investigation, let’s focus on the address TAn…Fe7 for now. They transferred 75 TRX to TJa…5Zq and transferred 65.6 TRX from there to TQ8…Cv7.

The remaining 5,064,327.58 TRX was transferred to JustSwap and exchanged for 526,850.6 USDT before finally being transferred to the address TJa…5Zq.

Next, TJa…5Zq transfers USDT to the address TQ8…Cv7, which proceeds to transfer USDT to two new addresses.

After conducting a thorough investigation of the two new addresses, we discovered a whale wallet with a significant amount of funds as well as numerous transactions. Several transactions involved transfers to exchanges like Binance, Gate.io, MEXC, ZB, Huobi, and OKX. We believe these addresses belong to professional money launderers based on our experience and the behaviors of these transactions.

Part III

After analyzing five addresses from Part II, we found that most of the funds were laundered the same way as above. However, the last address, TUe…F7g, behaved slightly differently than before.

Instead of transferring to the same address after converting TRX back to USDT, they decided to break it up into six different addresses.

However, it wasn’t that much different than before. Take TRo…2EN, one of the receiving addresses, as an example: this address converts USDT to TRX again, and transfers it to the address TXQ…oZm. Sound familiar?

TXQ…oZm swaps TRX to USDT, transfers it to TEC…41q (yes, it was swapped again using JustSwap), and finally arrives as USDT to the whale address listed above. The same method was used for other addresses.

The hackers continuously exchanged the stolen USDT back and forth with TRX to avoid tracking. Although they tried their best to hide their tracks, we can still trace the origin of the hackers’ account through the exchange addresses involved.
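The forward tracing used in Parts I to III, as an added Python example (not SlowMist's or MistTrack's code): it follows funds from a source address across USDT/TRX swaps until it reaches a tagged address. The ledger, the address labels and the `trace` function are constructed for illustration, and the rule "every later outgoing transfer is tainted" is a simplifying assumption that over-approximates real flows.

```python
from collections import deque

# Constructed sample ledger, not real chain data: (time, sender, receiver, asset, amount).
# A swap is modelled as a send to the DEX pool plus a receive from it at the same time.
DEX = "DEX_POOL"
LEDGER = [
    (0, "A1", "UNRELATED", "TRX", 5.0),          # predates the theft, must not be followed
    (1, "VICTIM", "THIEF", "USDT", 1000.0),
    (2, "THIEF", "A1", "USDT", 600.0),
    (3, "THIEF", "A2", "USDT", 400.0),
    (4, "A1", DEX, "USDT", 600.0), (4, DEX, "A1", "TRX", 5700.0),
    (5, "A1", "B1", "TRX", 5700.0),
    (6, "B1", DEX, "TRX", 5700.0), (6, DEX, "B1", "USDT", 590.0),
    (7, "B1", "WHALE", "USDT", 590.0),
    (8, "A2", DEX, "USDT", 400.0), (8, DEX, "A2", "TRX", 3800.0),
    (9, "A2", "B2", "TRX", 3800.0),
    (10, "B2", "WHALE", "TRX", 3800.0),
    (11, "WHALE", "EXCHANGE_DEPOSIT", "USDT", 590.0),
]
TAGS = {"EXCHANGE_DEPOSIT": "exchange"}          # hypothetical address labels

def trace(source, start_time, ledger=LEDGER, tags=TAGS, dex=DEX):
    """Return ({tagged_addr: (path, swaps_on_path)}, set_of_tainted_addresses)."""
    queue = deque([(source, start_time, [source], 0)])
    earliest = {}                                 # address -> first time taint arrived
    hits = {}
    while queue:
        addr, t0, path, swaps = queue.popleft()
        if addr in tags:                          # stop at a known entity
            hits.setdefault(addr, (path, swaps))
            continue
        if earliest.get(addr, float("inf")) <= t0:
            continue                              # already expanded from an earlier arrival
        earliest[addr] = t0
        # Only activity after the tainted funds arrived is relevant.
        later = [r for r in ledger if r[1] == addr and r[0] >= t0]
        swaps += sum(1 for r in later if r[2] == dex)
        for t, _, dst, _asset, _amt in later:
            # The asset is deliberately ignored: a swap changes the token, not the owner.
            # The pool is never expanded, otherwise every pool user would be tainted.
            if dst != dex:
                queue.append((dst, t, path + [dst], swaps))
    return hits, set(earliest)
```
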

Summary

The purpose of this article is to expose techniques used by hackers to launder their illicit funds. During this incident, a hacker on the Tron network continuously swapped USDT and TRX back and forth to make the funds difficult to track. However, everything is recorded on the blockchain; all it took was some elbow grease.

It also helped that we were able to investigate this incident using MistTrack. MistTrack uses on-chain analytics to create transaction flow charts, making it easier to conduct investigations. It also contains a database of over 200 million addresses that have been tagged. These tags include addresses belonging to top exchanges around the world, thousands of entity addresses, hundreds of thousands of pieces of threat intelligence data, and over 90 million addresses associated with malicious activity.

We decided to release MistTrack to the public recently. You can sign up at https://misttrack.io/ and use it for free.

SlowMist

SlowMist is a Blockchain security firm established in 2018, providing services such as security audits, security consultants, red teaming, and more.