Uncovering the Web3 Black Industry Chain in Detail: Technical Methods, Utilization Scale, and Security Threats

PANews
1 year ago

Author: Bitrace

1. Background of the Investigation

Blockchain, built on distributed consensus and economic incentives, offers a new way to establish, store, and transfer value in an open and permissionless network space. However, as the crypto ecosystem has grown rapidly in recent years, cryptocurrencies have increasingly been used in risky activities, offering a more concealed and convenient means of transferring value for online gambling, illicit online activities, and money laundering.

At the same time, as important infrastructure of the crypto industry, a large number of web3 enterprises also use stablecoins such as USDT as their main method of collecting and paying funds. However, these enterprises generally lack sound AML, KYT, KYC, and other risk control mechanisms, so USDT previously used in risky activities flows unchecked into business addresses, contaminating the funds of both the enterprises and their clients.

This report aims to disclose the methods and scale of cryptocurrency use in risky crypto activities and, by tracing the flow of funds associated with those activities through on-chain data, to show the threat that risky crypto funds pose to web3 enterprises.

2. Investigation Targets

The social harm caused by illegal activities in the online space is increasingly serious, including direct infringement on personal property and public safety, as well as the legal risks indirectly brought to individuals or corporate entities by upstream and downstream industries associated with illegal activities. In recent years, various countries have strengthened their efforts to combat illegal activities in the online space and have made some progress in criminal legislation and research on the online ecosystem. However, online crime remains a difficult problem to solve completely, especially with the emergence of new online spaces such as blockchain: traditional online gambling, illicit online activities, and money laundering have increasingly made use of cryptocurrencies or crypto infrastructure, thereby hindering legal determination and law enforcement supervision.

2.1 Online Gambling

Gambling refers to betting money or items of material value on an event with an uncertain outcome, with the primary purpose of winning more money or material value, while participants also derive enjoyment from the wager itself. Online gambling refers to gambling activities conducted over the internet; its many forms essentially cover the main gambling methods found in real life.

In China, establishing gambling websites for profit on the internet or acting as agents for gambling websites and accepting bets fall under the provision of "establishing gambling houses" in Article 303 of the Criminal Law. If Chinese citizens gather to gamble or establish gambling houses in peripheral areas outside the territory of China to attract Chinese citizens as the main client base, it constitutes the crime of gambling, and criminal liability can be pursued in accordance with the provisions of the Criminal Law.

However, in other countries or regions, the legal determination of gambling and the establishment of gambling houses varies:

According to the Gambling Ordinance of Hong Kong, apart from regulated horse racing, football betting, Mark Six lottery, and other licensed gambling venues (such as mahjong parlors), and gambling activities exempted by law, all other gambling activities are illegal.

According to the Unlawful Internet Gambling Enforcement Act of the United States, conducting transactions with financial institutions and online gambling websites is illegal. However, state legislation varies, and there are differences in the determination of online gambling law, illegal activities, and law enforcement direction.

According to the statement of the Gaming Inspection and Coordination Bureau of Macau, the Macau SAR government has never issued an online gambling license, so any information promoting online gambling activities in the name of the Macau SAR government and betting websites are false and illegal, and public betting on such websites is not protected by the laws of the Macau SAR.

It can be seen that online gambling is not illegal in all countries or regions. The gambling funds used by licensed online gambling platforms that are subject to local government regulation cannot be considered as risky funds. Therefore, Bitrace's investigation targets for online gambling activities are limited to unlicensed gambling platforms, agents accepting bets from users outside the scope of their operating permits, and payment institutions providing fund settlement services for the former two.

For traditional online gambling platforms and their agents, these organizations help gamblers with fund settlement through self-built centralized cryptocurrency recharge, transaction, and withdrawal systems or by integrating cryptocurrency payment tools, and due to the anonymous nature of cryptocurrencies, government departments find it difficult to regulate or enforce against such activities. As for the new type of hash online gambling platforms, these platforms are deployed on the blockchain network, and the management of gambler bets, bet settlement, fund retention, and fund aggregation are all handled through smart contracts, with a wider reach and faster development and change.

2.2 Illicit Online Activities

Illicit online activities refer to the industrialization and chaining of illegal activities carried out or assisted through various technical means in the online space for the purpose of gaining illegitimate profits or disrupting the order of the online ecosystem. Currently, cryptocurrencies and some crypto industry infrastructure have been greatly integrated into the entire illicit online activities ecosystem.

Traditional illicit online activities introduce cryptocurrencies into illegal activities or use crypto tools to replace original technical means to increase the deceit and destructiveness of certain illegal activities, reducing the chances of detection or sanctions by government departments in upstream and downstream activities. New types of blockchain illicit activities directly target the crypto assets of cryptocurrency investors or institutions and are native illegal activities in the crypto industry.

This report only discloses some typical illicit activities using cryptocurrencies.

2.3 Money Laundering

Money laundering is the act of legitimizing illegal proceeds, mainly by disguising and concealing the source and nature of illegal proceeds and the profits they generate through various means so that they appear legitimate. This includes but is not limited to providing fund accounts, assisting in converting the form of property, assisting in transferring funds, or remitting funds abroad. Cryptocurrencies, especially stablecoins, have been exploited in money laundering because of their low transfer costs, geographical decentralization, and a degree of resistance to inspection, which is one of the main reasons cryptocurrencies have been criticized.

Traditional money laundering activities often use over-the-counter cryptocurrency markets to exchange from fiat to cryptocurrency or from cryptocurrency to fiat. The laundering scenarios vary, and the forms are diverse, but the essence of these activities is to obstruct law enforcement officers from investigating the fund chain, including traditional financial institution accounts or crypto institution accounts.

Unlike traditional money laundering activities, the new type of cryptocurrency money laundering activities target the cryptocurrencies themselves, including wallets, cross-chain bridges, and decentralized trading platforms, all of which are exploited illegally within the crypto industry infrastructure.

3. Utilization of Cryptocurrencies in Online Gambling Activities

3.1 Forms of Cryptocurrency Utilization in Traditional Online Gambling Platforms

In recent years, the phenomenon of online gambling platforms and their agents accepting cryptocurrencies as chips has become very common, including:

Some online gambling platforms have independently established a complete centralized management system for cryptocurrency recharge, transactions, and withdrawals. Gamblers need to purchase cryptocurrencies (mainly USDT) from third-party platforms and transfer them to the recharge addresses assigned to each gambler by the online gambling platform to obtain chips. When gamblers request withdrawals, the platform transfers from a unified hot wallet address to the target address, with its business logic consistent with mainstream cryptocurrency trading platforms.


Some online gambling platforms provide deposit and withdrawal channels for gamblers by integrating cryptocurrency payment tools. Gamblers do not directly recharge USDT to the online gambling platform but transfer funds to the payment platform account, which also fulfills withdrawal requests. Regular fund settlements are conducted between the online gambling platform and the payment platform, allowing the exploration of their business details through fund associations.


Taking a gambling platform utilizing USDT for betting as an example, the platform helps gamblers with USDT deposit and withdrawal through the integration of a certain cryptocurrency payment platform. Bitrace conducted a fund audit on one of the hot wallet addresses. During the period from January 27, 2022, to February 25, 2022, this address processed a total of over 1.332 million USDT in deposit and withdrawal orders from gamblers.

In the practice of fund analysis, it has been found that large-scale online gambling platforms generally build their own cryptocurrency deposit and withdrawal function modules, while the majority of small and medium-sized online gambling platforms choose to integrate cryptocurrency payment platforms. According to the DeTrust Address Fund Risk Audit Platform, from September 2021 to September 2023, a total of over 46.45 billion USDT flowed directly into traditional online gambling platforms or into cryptocurrency payment platforms providing deposit and withdrawal services for online gambling platforms.


The changes in online gambling fund size in 2021 correspond to the development of the cryptocurrency secondary market that year, while the growth in size from November 2022 to January 2023 may be related to a large number of betting activities during the World Cup that year.


Analysis of the sources of USDT transferred to online gambling platforms reveals that over 7.43 billion USDT directly came from centralized trading platforms, accounting for 16% of the total inflow. These funds are either directly deposited by gamblers from exchange addresses to online gambling platforms or circulated by gambling platforms and their agents through trading platforms. Considering that funds from secondary addresses also likely come from centralized trading platforms, this number is clearly an underestimate. This indicates that centralized cryptocurrency trading platforms are being used to serve the online gambling industry.

3.2 New Types of Hash Online Gambling Cryptocurrency Utilization

Every transaction on the blockchain corresponds to a unique hash value that is effectively unpredictable before the transaction is confirmed and cannot be forged afterward. Some online gambling platforms have therefore built hash guessing games on this property, in which players guess whether the last digit or digits of the transaction hash are odd or even, big or small; the guess determines the outcome and how the bets are allocated.


For example, in the typical "guess the last digit" game, gamblers transfer funds to the betting address. If the last digit of the hash of that transfer matches a specific number or letter, the gambler wins, and the platform returns double the chips after deducting a portion as commission. If the last digit does not match, the gambler loses, and the chips are not returned.


Therefore, these types of online gambling addresses on the blockchain often exhibit high-frequency, fixed-amount fund transfers among multiple addresses, resulting in a massive scale of fund interactions.
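The two observations above, how a hash game reads the final character of a transaction hash and what the resulting on-chain footprint looks like, can be turned into analysis code. The following is an added example, not Bitrace's tooling: `last_digit_outcome` classifies the last hex character of a hash (the big/small convention used is an assumption; platforms differ), and `flag_hash_gambling_addresses` applies the footprint described in the text (many inbound transfers of only a few fixed amounts, from many counterparties, in a short window) to a constructed transfer list. The `Transfer` record layout, thresholds and addresses are all constructed for the example.

```python
import hashlib
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    """One on-chain token transfer (constructed record layout, not a chain API)."""
    tx_hash: str    # 64 hex characters, optionally 0x-prefixed
    sender: str
    receiver: str
    amount: float   # USDT
    timestamp: int  # unix seconds


def last_digit_outcome(tx_hash: str) -> dict:
    """Classify the final hex character of a transaction hash the way the
    'guess the last digit' games above do. Odd/even is by numeric value; the
    big/small split (0-4 small, 5-9 big, a-f 'letter') is an assumed convention."""
    h = tx_hash.lower().removeprefix("0x")
    if len(h) != 64 or any(c not in "0123456789abcdef" for c in h):
        raise ValueError("expected a 32-byte hex transaction hash")
    last = h[-1]
    value = int(last, 16)
    if value >= 10:
        size = "letter"
    else:
        size = "big" if value >= 5 else "small"
    return {"digit": last, "parity": "even" if value % 2 == 0 else "odd", "size": size}


def flag_hash_gambling_addresses(transfers, min_txs=20, max_distinct_amounts=3,
                                 min_counterparties=10, window_secs=3600):
    """Flag receivers showing the pattern described in the text: many inbound
    transfers of only a few fixed amounts, from many distinct senders, packed
    into a short time window. Thresholds are illustrative and should be tuned."""
    inbound = defaultdict(list)
    for t in transfers:
        inbound[t.receiver].append(t)
    flagged = {}
    for addr, txs in inbound.items():
        if len(txs) < min_txs:
            continue
        amounts = {round(t.amount, 6) for t in txs}
        counterparties = {t.sender for t in txs}
        span = max(t.timestamp for t in txs) - min(t.timestamp for t in txs)
        if (len(amounts) <= max_distinct_amounts
                and len(counterparties) >= min_counterparties
                and span <= window_secs):
            flagged[addr] = {"tx_count": len(txs), "amounts": sorted(amounts),
                             "counterparties": len(counterparties), "span_secs": span}
    return flagged


# Constructed sample: a betting address taking 10/100 USDT bets from 25 players
# within 20 minutes, next to a merchant address with a handful of varied payments.
BET_ADDR = "TBET" + "1" * 30        # placeholder, not a real TRON address
SHOP_ADDR = "TSHOP" + "2" * 29      # placeholder, not a real TRON address


def _fake_hash(i: int) -> str:
    return hashlib.sha256(f"constructed-{i}".encode()).hexdigest()


def sample_transfers():
    txs = []
    for i in range(40):
        txs.append(Transfer(_fake_hash(i), f"TPLAYER{i % 25:02d}" + "x" * 25,
                            BET_ADDR, 10.0 if i % 2 else 100.0, 1_700_000_000 + i * 30))
    for i in range(5):
        txs.append(Transfer(_fake_hash(100 + i), f"TCUST{i}" + "y" * 28,
                            SHOP_ADDR, 37.5 + i * 11.0, 1_700_000_000 + i * 86_400))
    return txs


if __name__ == "__main__":
    for addr, info in flag_hash_gambling_addresses(sample_transfers()).items():
        print(addr, info)
```

Only the betting address is flagged: the merchant receives too few transfers, of varied amounts, spread over days. On real data the thresholds need to be calibrated against known-benign high-volume addresses (exchange deposit addresses also receive many transfers, but with a much wider spread of amounts).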

Finally, these hash online gambling games, due to their fast pace and fair gameplay, were once very popular and saw a large number of variant games and platforms. However, due to the transparency of the gameplay and the vulnerability of funds to hacking and theft, the scale and market share of these games have greatly decreased.

4. Utilization of Cryptocurrencies in Illicit Online Activities

4.1 Traditional Cryptocurrency Utilization in Illicit Online Activities

4.1.1 Investment Scam

Investment scams are a type of online investment fraud where scammers often claim to be "experts in the industry" through social media and other channels, and lure victims into false platforms (usually apps) for investment, deceiving them into investing money. These traditional online investment scams have also begun to use cryptocurrencies or crypto tools in recent years, such as emotional fraud and illicit USDT arbitrage scams.

4.1.1.1 Emotional Fraud

Emotional fraud is often combined with investment fraud but mainly targets non-crypto users. Fraudsters create a perfect online persona and use online relationships to induce victims to purchase USDT for cryptocurrency investments, such as exchange arbitrage, derivative trading, liquidity mining, and more.


Victims' "investments" yield large profits in a short period, and they are encouraged to increase their investments. However, the victims' USDT does not actually participate in the so-called arbitrage activities but is transferred out for laundering upon arrival at the platform. Additionally, the victims' withdrawal requests are rejected by the platform for various reasons, until the victims realize they have been deceived.

4.1.1.2 Illicit USDT Arbitrage Scam

The illicit USDT arbitrage scam disguises itself as a money laundering and arbitrage platform for USDT funds, but it is actually an investment scam. Once participants invest a large amount of USDT, the platform will refuse to return the funds for various reasons.


For example, a still-operating "black U arbitrage platform" allows users to exchange "clean U" for "black U" at a "rate" of 1:1.1 to 1.45, and users receive the black U and then transfer it to other platforms for sale, with the excess being the users' "arbitrage" profit.


As of now, this fraudulent group has illegally obtained over 870,000 USDT using the same method. 784 unique addresses transferred USDT to the fraudulent address, but only 437 addresses received returns, and nearly half of the participants did not successfully "arbitrage."

4.1.2 Fake Apps

Fake apps are genuine apps that criminals repackage through various means; in the cryptocurrency context they mainly take the form of fake wallet apps and fake Telegram apps.

4.1.2.1 Fake Wallet Apps

Fake wallet app theft is a method of stealing assets by inducing others to download and install fake wallet apps with backdoors, and then stealing wallet mnemonic phrases to illegally transfer assets. Fraudsters distribute links to fake wallet apps through search engines, unofficial mobile app stores, social platforms, and more. Once victims download and install the app and create or sync wallet addresses, the mnemonic phrases are sent to the fraudsters. Once victims transfer a large amount of cryptocurrency, the fraudsters will automatically or in batches transfer and collect the funds.


This method has now become highly industrialized, with the fake wallet development team and the operation and promotion team completely separated. The former only participates in product development and maintenance, selling product solutions through recruiting agents worldwide, while the latter only needs to promote the fake wallet app, and may not even need to understand the principles of cryptocurrency technology.


Multi-signature theft is a variant of fake wallet theft. Multi-signature technology allows several keys to jointly control a digital asset; in simple terms, a wallet account has multiple parties with signing and payment rights. If an address can only be signed for and spent from with one private key, this is written 1/1. Multi-signature is written m/n, meaning a total of n private keys are authorized for the account, and a transaction can be made when any m of them sign.


Traditional fake wallet theft essentially shares control of the wallet with the victim, and the thief cannot prevent the victim from transferring assets out. With multi-signature, however, the thief adds their own key to the victim's address immediately after the fake wallet app is installed. From that point the wallet owner can no longer transfer assets out of the wallet, only in, while the thief can transfer the assets at any time, typically waiting until the victim has deposited a large amount of funds.

4.1.2.2 Fake Telegram Apps

Classic applications of fake apps in the cryptocurrency-related illicit industry include the malicious implantation of backdoors in Telegram apps, a social app commonly used by cryptocurrency investors for over-the-counter trading activities. Fraudsters use social engineering attack methods to induce target users to "download" or "update" fake Telegram apps. Once the target user pastes a blockchain address through the chat box, the malicious software identifies and replaces the address, causing the counterparty to send funds to the malicious address without the victim's knowledge.

4.1.3 Third-Party Payment Guarantees in the Illicit Industry

Third-party payment guarantees refer to a form of online payment service where the buyer pays the funds to a third party, who temporarily holds the funds until the buyer receives and verifies the goods, at which point the third party notifies the seller and completes the transaction. In this process, the third-party intermediary charges a certain percentage as a service fee.

Some third-party payment guarantee platforms in the illicit industry have begun to widely use Tether (mainly TRC20-USDT) as collateral funds, providing payment guarantee services for transactions including illegal foreign exchange, illegal commodity trading, unauthorized collection and payment, and illicit cryptocurrency transactions, in addition to traditional fiat channels. Although the types of transactions differ, the transaction process is consistent.


The platform does not allocate separate addresses for fund isolation in each transaction, but instead directs all deposits to the same collateral address over a period of time. This results in the address directly receiving a large amount of funds related to online gambling, illicit activities, and money laundering, and also confuses the direction of funds to some extent, hindering the tracking activities of investigators.


An audit of platform addresses known to provide guarantees for illegal transactions revealed that the scale of collateral funds has been continuously increasing over the past 12 months, including over 17.07 billion TRON network USDT and over 670 million Ethereum network USDT, indicating that most of the transactions guaranteed by these platforms occur on the TRON network.

4.2 New Forms of Cryptocurrency Utilization in the Illicit Industry

4.2.1 Authorization Theft

Authorization theft is a method of illegally transferring assets by stealing the management rights of a person's USDT address. Public blockchains such as TRON and Ethereum allow users to transfer the operational rights of a certain asset in their wallet to another address, which then gains partial or full management rights to the assets in the address and can call the contract to transfer the authorized assets at any time.


This malicious authorization request is often disguised as a payment link, airdrop claim entrance, or interactive contract, and once the victim is induced to interact, a certain asset—usually USDT—in the address is unlimitedly authorized to the thief's address and will be transferred out at a later time by calling the "TransferFrom" method.


Thieves usually achieve this by deceiving the target into clicking a phishing link and interacting with a fraudulent smart contract. At this point the victim's wallet mnemonic phrase has not been compromised, so revoking the authorization promptly can still limit the losses.
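The approval described in this section is an ordinary `approve(spender, amount)` call, which means a wallet or an incident responder can inspect it before it is signed and can build the revocation afterwards. The following is an added example, not code from Bitrace or from any wallet project: it decodes `approve` calldata (selector `0x095ea7b3`, the same on Ethereum and in the TRC20 ABI on TRON, where the 20-byte address form is used inside calldata), flags an unlimited allowance to a spender the user has no relationship with, and builds the `approve(spender, 0)` calldata that revokes it. The risk labels and the sample spender addresses are constructed for the example.

```python
from typing import Optional

# First 4 bytes of keccak256("approve(address,uint256)"); identical in the TRC20 ABI.
APPROVE_SELECTOR = "095ea7b3"
UINT256_MAX = (1 << 256) - 1


def decode_approve(calldata_hex: str) -> Optional[dict]:
    """Decode approve(spender, amount) calldata; return None for anything else.
    Layout: 4-byte selector, 32-byte word holding the right-aligned 20-byte
    spender address, 32-byte big-endian amount."""
    data = calldata_hex.lower().removeprefix("0x")
    if len(data) != 8 + 64 + 64 or data[:8] != APPROVE_SELECTOR:
        return None
    if data[8:32] != "0" * 24:          # address word must be zero-padded on the left
        return None
    spender = "0x" + data[32:72]
    amount = int(data[72:136], 16)
    return {"spender": spender, "amount": amount, "unlimited": amount == UINT256_MAX}


def encode_approve(spender_hex: str, amount: int) -> str:
    """Build approve(spender, amount) calldata. amount=0 is the revocation the
    text recommends once a malicious approval has been discovered."""
    s = spender_hex.lower().removeprefix("0x")
    if len(s) != 40 or not (0 <= amount <= UINT256_MAX):
        raise ValueError("bad spender or amount")
    return "0x" + APPROVE_SELECTOR + s.rjust(64, "0") + format(amount, "064x")


def assess_approval(calldata_hex: str, trusted_spenders) -> str:
    """Pre-signing rating a wallet could show. 'high' is the pattern in the text:
    an unlimited allowance granted to a spender the user has no relationship with.
    trusted_spenders: 0x-prefixed hex addresses the user has knowingly used (constructed list)."""
    d = decode_approve(calldata_hex)
    if d is None:
        return "not-an-approval"
    if d["amount"] == 0:
        return "revocation"
    trusted = d["spender"] in {t.lower() for t in trusted_spenders}
    if d["unlimited"] and not trusted:
        return "high"
    if d["unlimited"] or not trusted:
        return "medium"
    return "low"


if __name__ == "__main__":
    thief = "0x" + "ab" * 20                     # constructed placeholder address
    phishing_calldata = encode_approve(thief, UINT256_MAX)
    print(decode_approve(phishing_calldata), assess_approval(phishing_calldata, set()))
    print("revoke with:", encode_approve(thief, 0))
```

The decoder rejects calldata whose address word is not zero-padded, so a payload that hides extra bytes in the high-order part of the address word is not silently accepted. Checking the allowance before signing matters because the later `TransferFrom` call mentioned in the text needs no further interaction from the victim.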

4.2.2 Zero-Transfer Phishing


Zero-transfer phishing is a scam that targets cryptocurrency investors who handle addresses carelessly in their wallet apps. By sending a large number of USDT transactions with an amount of 0 to arbitrary blockchain addresses, the attacker can add entries to the target address's interaction history without its permission. If such a user later copies an address from the existing transfer records on their device when initiating a transfer, they may send the funds to the wrong address and suffer a loss.

Bitrace has conducted a fund analysis of fraudulent addresses marked as phishing addresses in the TRON network, defining transactions with amounts lower than 1 USDT as phishing activities and transactions with amounts exceeding 10 USDT as fraudulent gains.

Our research indicates that the activity and scale of zero-transfer phishing activities have been expanding. As of now, over 451 million USDT funds have been lost due to phishing attacks in the TRON network.

4.2.3 Fake Platform Coin Arbitrage Scam

The common method of the fake platform coin arbitrage scam involves fraudsters falsely claiming to have developed a "smart arbitrage contract." Participants only need to invest a certain amount of cryptocurrency into the contract to receive an excess amount of another well-known cryptocurrency (such as Binance Coin, Huobi Token, OKB, etc.). After obtaining the "arbitrage gains," participants can cash out on a third-party trading platform to earn profits.

In the early stages of small-scale testing, real excess cryptocurrency would indeed be returned. However, once victims invest a large amount of funds, fake tokens would be returned, which have no market value. This fraudulent method, although old, is still active in various forms within the cryptocurrency investor community, causing financial losses to ordinary investors and negative damage to the brands being impersonated.

4.2.4 TRON Fancy Address Trading

Similar to traditional illicit activities, illicit actors in the cryptocurrency illicit industry need to create or purchase virtual identities before engaging in criminal activities. In traditional illicit activities, this involves bank accounts and identity information, while in the cryptocurrency illicit industry, it involves blockchain addresses. Typically, these addresses are customized and obtained from professional fancy address service providers.

In online gambling activities, operators of hash gambling platforms often use TRON fancy addresses. They purchase fancy addresses in bulk from professional service providers and use these addresses for various functions such as fund collection, storage, circulation, accepting bets, and fund settlement.

In illicit activities, the customization of fancy addresses has directly led to a more sophisticated variant of zero-transfer phishing known as "same-tail number phishing." Compared to the widespread zero USDT transfers targeting unspecified blockchain objects, same-tail number phishing is often customized. Fraudsters mimic the head and tail numbers of the target's commonly used address and transfer a larger amount.

This type of phishing activity incurs non-trivial costs. According to a price list from a TRON fancy address service provider, a customized address with eight specified characters takes 12 hours to deliver and costs 100 USDT, while a ready-made eight-character fancy address costs only 10 USDT.
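Both the zero-transfer phishing analysis in 4.2.2 and the same-tail phishing variant above can be expressed as small checks over transfer records and addresses. The following is an added example, not Bitrace's or any wallet's code: `classify_phishing_flows` applies the two thresholds stated in 4.2.2 (below 1 USDT counts as phishing activity, above 10 USDT as fraudulent gains) to transfers touching a labelled phishing address, and `check_destination` is the wallet-side check that catches a same-head-and-tail lookalike before a transfer is sent. The `(sender, receiver, amount)` record layout, the head/tail lengths, and all addresses are constructed for the example.

```python
# Thresholds from the text: transfers below 1 USDT counted as phishing activity,
# transfers above 10 USDT counted as fraudulent gains.
PHISHING_MAX_USDT = 1.0
GAIN_MIN_USDT = 10.0


def classify_phishing_flows(transfers, phishing_addr):
    """transfers: iterable of (sender, receiver, amount) tuples (constructed layout).
    Outbound dust from the phishing address plants a lookalike entry in victims'
    histories (probes); inbound amounts above the gain threshold are victims who
    copied the wrong address."""
    probes, probe_targets = 0, set()
    gain_count, gains = 0, 0.0
    for sender, receiver, amount in transfers:
        if sender == phishing_addr and amount < PHISHING_MAX_USDT:
            probes += 1
            probe_targets.add(receiver)
        elif receiver == phishing_addr and amount > GAIN_MIN_USDT:
            gain_count += 1
            gains += amount
    return {"probes": probes, "targets": len(probe_targets),
            "gain_count": gain_count, "gains_usdt": round(gains, 2)}


def is_lookalike(candidate, known, head=4, tail=4):
    """Same-tail pattern: candidate matches the first `head` and last `tail`
    characters of a known address but is not the same string. The default
    lengths are assumptions; compare whole addresses wherever possible."""
    return (candidate != known
            and len(candidate) == len(known)
            and candidate[:head] == known[:head]
            and candidate[-tail:] == known[-tail:])


def check_destination(dest, address_book, head=4, tail=4):
    """Wallet-side check before sending. Exact match -> ('ok', label);
    head+tail match only -> ('lookalike', label); otherwise ('unknown', None)."""
    for label, addr in address_book.items():
        if dest == addr:
            return ("ok", label)
    for label, addr in address_book.items():
        if is_lookalike(dest, addr, head, tail):
            return ("lookalike", label)
    return ("unknown", None)


# Constructed sample: a trusted address, a phishing address sharing its head and
# tail, seven dust probes, one victim who copied the wrong entry from history.
TRUSTED = "TK7z" + "m" * 26 + "9Qxw"      # placeholder, 34 chars like a TRON address
PHISHER = "TK7z" + "n" * 26 + "9Qxw"      # same head and tail, different middle
SAMPLE_TRANSFERS = (
    [(PHISHER, f"TVICTIM{i}" + "v" * 26, 0.0) for i in range(6)]
    + [("TVICTIM3" + "v" * 26, PHISHER, 5000.0),   # victim paid the lookalike
       ("TVICTIM0" + "v" * 26, TRUSTED, 5000.0),   # another user paid correctly
       (PHISHER, "TVICTIM4" + "v" * 26, 0.5)]      # dust probe, still below 1 USDT
)


if __name__ == "__main__":
    print(classify_phishing_flows(SAMPLE_TRANSFERS, PHISHER))
    print(check_destination(PHISHER, {"exchange": TRUSTED}))
```

On the sample the phishing address shows seven probes against six targets and a single 5,000 USDT gain, and the lookalike is reported against the "exchange" entry before the transfer is sent. The practical mitigation the check encodes is to send only to address-book entries or to addresses verified in full, never to entries copied from transaction history.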

Apart from TRON fancy address service providers, there are also similar cases of assistance provided by Telegram group chat bot service providers, website source code service providers, bulk transfer tool service providers, and SEO rapid ranking service providers to illegal activity participants, from which they profit. This article will not disclose further details on this matter.

5. Utilization of Cryptocurrency in Money Laundering Activities

5.1 Traditional Utilization of Cryptocurrency in Money Laundering Activities

The utilization of cryptocurrency in traditional money laundering activities aims to transfer payments from high-risk users to accounts of low-risk users to evade risk control measures of payment institutions. This typically involves converting illicit fiat currency into cryptocurrency in the over-the-counter cryptocurrency market, or converting illicit cryptocurrency into fiat currency to disrupt the fund trail and evade tracking and crackdown.

A typical money laundering scenario involves fraudsters quickly splitting funds into small amounts and making continuous transfers to multiple bank cards after defrauding victims of cash. They then organize "card farmers" to withdraw the funds. Subsequently, the cash is transported to the location of the money laundering group via personal or public transportation such as cars or airplanes. In the past, this cash was often used to purchase bulk commodities or exchanged for foreign currency to leave the country. However, now it is more commonly used to purchase USDT offline. This batch of USDT is then either cashed out for fiat currency in the over-the-counter cryptocurrency market or directly sent overseas or to other money laundering groups for further processing. In this process, off-exchange markets of running U platforms, payment guarantee platforms, and centralized exchange platforms play important roles.

5.1.1 Running U Platforms

Running U platforms are a new type of money laundering method that combines cryptocurrency trading with traditional "running points" platforms. The platform organizers use the lure of making profits by purchasing a large amount of USDT and transferring it to overseas exchanges to sell at a higher price. They recruit USDT arbitrage traders and require them to register with real names on cryptocurrency exchanges and link their personal bank accounts. The arbitrage traders need to deposit a certain amount of USDT as a trading margin into the "running points" platform. The platform organizers then mark the available USDT quantity and unit price for the arbitrage traders' accounts and provide details of the traders' receiving bank accounts. When criminal groups such as overseas telecom fraudsters need to receive stolen funds, they first place orders to purchase USDT from the arbitrage traders through the "running points" platform. They then instruct the victims to transfer the defrauded money to the bank accounts reserved by the arbitrage traders on the platform. Once the victims transfer the money to the traders' accounts, the traders confirm the transactions on the platform, completing the first transfer of the fraudulently obtained funds. Subsequently, the traders use the received funds to continue purchasing USDT from the exchange and withdraw it to the running points platform in a cycle, earning the price difference of USDT and platform commissions in the process.

Money laundering groups refer to this activity as "card connection to running U," since it lets upstream criminals and the laundering groups evade both the risk of handling stolen funds directly and the real-name verification of exchange platforms.

5.1.2 Running Points Fleet

In addition to recruiting running points personnel for money laundering, money launderers often use a more direct "running points fleet" model for laundering. The format is similar to the running U model, but the difference is that the cryptocurrency over-the-counter transactions occur offline and are settled in cash. The fleet leader first recruits a large number of real individuals to register named bank card accounts. When upstream criminals (referred to as "suppliers") illegally obtain stolen funds (referred to as "goods"), they contact the fleet leader through an illegal third-party payment guarantee platform to place orders. Subsequently, a large amount of funds is split and transferred to multiple bank cards under the control of the fleet. If the money is first-hand black money, it is called "first-hand goods"; if it is second-hand or third-hand black money, it is correspondingly called "second-hand goods" or "third-hand goods," with lower financial risk and lower commissions. The fleet leader then drives with the driver to the local ATMs to withdraw cash. After multiple withdrawals, the fleet leader continues to use personal or public transportation to transport the cash to a designated location for offline transactions. Finally, with the involvement of the third-party payment guarantee platform, the fleet leader transfers the cash to the target individual to earn a commission, and the recipient sends USDT to the guarantee address to complete the money laundering process.


This type of money laundering activity, through multiple layers of bank account transfers, ATM withdrawals, and offline cryptocurrency transactions, not only interrupts the fund tracking chain multiple times but also evades bank fund supervision.

Bitrace conducted a fund audit of addresses in the TRON network that were marked as having money laundering risks and had a fund scale exceeding 1 million USDT. The audit period was from September 2021 to March 2023, focusing on USDT inflows.


The data shows that from September 2021 to March 2023, there were a total of over 64.25 billion USDT inflows into addresses with money laundering risks in the TRON network. The fund scale was not affected by the bear market in the cryptocurrency secondary market, indicating that the participants in these activities were not genuine investors.

5.2 New Forms of Cryptocurrency Utilization in Money Laundering Activities

For native network criminals in the cryptocurrency industry, anonymous exchange based on cryptocurrency infrastructure and on-chain obfuscation are the most commonly used methods for fund laundering.

5.2.1 On-Chain Fund Obfuscation

On-chain fund splitting and mixing platforms are the most common channels for fund obfuscation.

Fund splitting refers to criminals using complex, multi-layered transactions to route virtual currency through many different wallet addresses and accounts, gradually moving it to overseas accomplices' wallet addresses so as to obscure the link between fund inputs and outputs and blur the virtual currency transaction chain. This method is equally effective in cryptocurrency money laundering and is common practice among black and gray industry practitioners.


For example, in a case of investment and financial fraud, after collecting the victims' cryptocurrency funds, the illegal gains are split through several fund channels and eventually collected into a few exchange account addresses for fund realization.

Mixing involves blending a user's cryptocurrency with other users' currency, then transferring the mixed currency to a target address to conceal the original currency flow path, making it difficult to trace the origin and destination of the cryptocurrency. As a result, several cryptocurrency mixing platforms have been sanctioned by various governments, including the well-known Tornado.cash, which was sanctioned by the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) on August 8, 2022. Some Ethereum addresses associated with it were listed on the U.S. Specially Designated Nationals List. Once added to this list, the property and property rights of individuals or related entities are at risk of being frozen.


However, despite this, since Tornado.Cash's mixing contract remains publicly accessible, other users can still engage in mixing activities by calling the contract directly. For example, in the OnyxProtocol attack incident on November 1, 2023, the attacker funded the attacking address's transaction fees through a mixing platform and then laundered the proceeds further.

5.2.2 On-Chain Anonymous Exchange

No-KYC trading platforms and cross-chain bridges are the two primary channels for on-chain anonymous exchange.

So far, apart from a few sanctioned entity addresses, these cryptocurrency infrastructures have not implemented more risk controls for high-risk cryptocurrency funds or addresses, allowing illegal funds to be exchanged through these channels immediately after an attack.


For example, in the NirvanaFinance attack incident on June 25, 2023, after illegally obtaining the victims' cryptocurrency funds, the attacker immediately transferred some funds to THORWalletDEX, a decentralized exchange platform with high privacy that allows users to directly exchange cryptocurrencies between different blockchains without publicly disclosing transaction information. Therefore, in many past cryptocurrency security incidents, THORWalletDEX has been involved in the money laundering process.

6. Contamination of Web3 Enterprise Addresses by High-Risk Cryptocurrency Funds

6.1 Contamination of Centralized Exchange Platform Addresses

Centralized exchange platforms are one of the main places for laundering high-risk USDT funds. In this report, Bitrace audited 126 common hot wallet addresses of centralized exchange platforms and thoroughly examined the inflow of cryptocurrency funds associated with online gambling, black and gray industries, and money laundering activities from January 2021 to the present in the TRON network.


From January 2021 to September 2023, over 415.2 billion high-risk USDT flowed into some centralized exchange platforms in the TRON network, including 225.79 billion USDT associated with online gambling, 105.70 billion USDT associated with black and gray industries, and 83.73 billion USDT associated with money laundering.


From January 2021 to September 2023, over 33.15 billion high-risk USDT flowed into some centralized exchange platforms in the Ethereum network, including 11 billion USDT associated with online gambling, 18.42 billion USDT associated with black and gray industries, and 3.72 billion USDT associated with money laundering.

From both the total amount and the proportion of risk funds, it is evident that the illegal utilization of USDT on the TRON network is larger in scale than on the Ethereum network, and that the online gambling category accounts for a higher proportion of risk funds. This is consistent with observations in practice: casino agents and regular gamblers tend to use TRON USDT to save on fees.

6.2 Contamination of Over-the-Counter Trading Market Addresses

In addition to centralized exchange platforms, certain payment platforms, cryptocurrency investor groups, and acceptance merchant communities establish over-the-counter trading markets of a certain scale. These places lack a complete KYC and KYT mechanism, making it difficult to assess the funding risk of counterparties and restrict risk funds afterward. As a result, a higher proportion of risk USDT often flows into these addresses.


Bitrace conducted a fund audit of addresses with typical over-the-counter trading market characteristics and a fund scale exceeding 1 million USDT. The data shows that in the past two years, at least 3.439 billion USDT associated with risk activities has flowed into these addresses, with the inflow increasing over time and being largely unaffected by the bear market in the secondary market.

6.3 Contamination of Cryptocurrency Payment Platform Addresses

As one of the infrastructure components in decentralized finance, cryptocurrency payment tools provide fund settlement services for blockchain institutions and also offer cryptocurrency acceptance services for regular users, thus facing the same risk of contamination by high-risk cryptocurrency funds.


Bitrace conducted a fund audit of major cryptocurrency payment platform addresses serving Southeast Asian and East Asian customers. The data shows that between January 2021 and September 2023, over 405.1 billion risk USDT flowed into these addresses, with 334.6 billion USDT in the TRON network and 70.4 billion USDT in the Ethereum network. In almost all periods, the contamination of risk USDT in the TRON network on cryptocurrency payment platforms is more severe than in the Ethereum network.

7. Conclusion and Recommendations

Participants in activities such as online gambling, black and gray industries, and money laundering are extensively utilizing cryptocurrencies, including USDT, to enhance the anonymity of funds and evade tracking by regulatory and law enforcement agencies. The direct result is that Web3 enterprises operating compliant cryptocurrency businesses and regular cryptocurrency investors passively receive such high-risk associated cryptocurrency funds due to a lack of fund risk identification capabilities, leading to the contamination of their fund addresses and even involvement in cases.

Industry institutions should strengthen their awareness of fund risk control, actively establish cooperation with local law enforcement agencies, and access threat intelligence services provided by security vendors to detect, identify, prevent, and block high-risk cryptocurrency funds, protecting their own business addresses and user addresses from contamination.

7.1 Strengthen Awareness of Fund Risk Control

Industry institutions should not only conduct Know Your Customer (KYC) activities to verify the true identity of customers, transaction execution, and fund sources in accordance with the law, but also fulfill the responsibility of monitoring and managing abnormal customer transactions (KYT) and promptly report irregular transactions and risk situations. They should implement tiered management for users involved in suspicious risk fund activities and take management measures to restrict some or all platform functions.

7.2 Actively Understand Local Laws and Regulations and Cooperate with Law Enforcement Agencies

Platforms need to establish or commission professional teams to comply with and review law enforcement requests from around the world, assist in identifying, combating, and preventing cryptocurrency-related criminal activities, reduce economic losses, and avoid the contamination of platform business addresses and user accounts by funds.

7.3 Establish a Threat Intelligence Network and Information Sharing Mechanism

Industry institutions need to prioritize open-source network intelligence and keep track of attack addresses and funds related to ongoing cryptocurrency security incidents, so that funds flowing into the platform can be countered in time. They also need to access external threat intelligence sources and collaborate with cryptocurrency data and security companies to establish DID profiles for users, applying appropriate risk control restrictions to addresses that are associated with risk and lack a good interaction history. On this basis, they should establish and maintain an open threat intelligence database for the entire industry to ensure overall security and trust.
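The following Python sketch is an added example, not Bitrace's tooling or data, of the two defender-side mechanisms this report calls for: tracing a deposit back through the layered "fund splitting" transfers of section 5.2.1 to a labelled source, and the tiered deposit screening of sections 7.1 and 7.3 (restricting addresses that are risk-linked and lack a good interaction history). Every address, amount, label and policy threshold below is a constructed placeholder; the proportional "haircut" taint model and the hop limit are design choices, not anything the report specifies.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    """One USDT transfer (constructed sample data, not real on-chain records)."""
    tx: str
    src: str
    dst: str
    amount: float  # USDT
    ts: int        # block timestamp, unix seconds


# Hypothetical threat-intelligence labels: addresses an analyst has tagged.
RISK_LABELS = {"T-FRAUD-COLLECT": "investment_fraud", "T-MIXER-OUT": "mixer"}

# Constructed transfer set showing fund splitting: the fraud collection address
# fans out into three layer-1 addresses, which fan in to two layer-2 addresses
# (one also receives clean funds), which then deposit to exchange addresses.
TRANSFERS = [
    Transfer("tx01", "T-FRAUD-COLLECT", "T-L1-A", 30_000, 1_700_000_000),
    Transfer("tx02", "T-FRAUD-COLLECT", "T-L1-B", 40_000, 1_700_000_060),
    Transfer("tx03", "T-FRAUD-COLLECT", "T-L1-C", 30_000, 1_700_000_120),
    Transfer("tx04", "T-L1-A", "T-L2-X", 30_000, 1_700_000_600),
    Transfer("tx05", "T-L1-B", "T-L2-X", 40_000, 1_700_000_660),
    Transfer("tx06", "T-L1-C", "T-L2-Y", 30_000, 1_700_000_720),
    Transfer("tx07", "T-CLEAN-USER", "T-L2-Y", 70_000, 1_700_000_780),
    Transfer("tx08", "T-L2-X", "T-CEX-DEPOSIT-1", 70_000, 1_700_001_200),
    Transfer("tx09", "T-L2-Y", "T-CEX-DEPOSIT-2", 100_000, 1_700_001_260),
    Transfer("tx10", "T-MIXER-OUT", "T-CEX-DEPOSIT-3", 5_000, 1_700_001_300),
    Transfer("tx11", "T-OLD-CUSTOMER", "T-CEX-DEPOSIT-4", 10_000, 1_700_001_400),
]

# Hypothetical policy thresholds for tiered management.
FREEZE_RATIO = 0.5          # tainted share of inflow at or above this -> freeze
FREEZE_AMOUNT = 50_000      # tainted USDT at or above this -> freeze regardless
GOOD_HISTORY_DEPOSITS = 5   # prior clean deposits that count as good history


def propagate_taint(transfers, risk_labels):
    """Proportional (haircut) taint propagation in timestamp order.

    Each transfer carries the taint share its source had accumulated so far;
    a labelled source is fully tainted. Returns
    {address: {"inflow": USDT, "tainted": USDT, "labels": set}}.
    """
    state = defaultdict(lambda: {"inflow": 0.0, "tainted": 0.0, "labels": set()})
    for t in sorted(transfers, key=lambda x: x.ts):
        if t.src in risk_labels:
            share, labels = 1.0, {risk_labels[t.src]}
        else:
            s = state.get(t.src)
            share = s["tainted"] / s["inflow"] if s and s["inflow"] else 0.0
            labels = set(s["labels"]) if share > 0 else set()
        d = state[t.dst]
        d["inflow"] += t.amount
        d["tainted"] += t.amount * share
        d["labels"] |= labels
    return state


def exposure(state, address):
    """Share of an address's total inflow that traces back to a labelled source."""
    s = state.get(address)
    return s["tainted"] / s["inflow"] if s and s["inflow"] else 0.0


def trace_origins(transfers, address, risk_labels, max_hops=5):
    """Backward BFS from a deposit address through the split layers; returns
    {risk_address: hops} for every labelled source within max_hops."""
    senders = defaultdict(set)
    for t in transfers:
        senders[t.dst].add(t.src)
    found, seen, queue = {}, {address}, deque([(address, 0)])
    while queue:
        addr, hops = queue.popleft()
        if hops == max_hops:
            continue
        for src in senders[addr]:
            if src in seen:
                continue
            seen.add(src)
            if src in risk_labels:
                found[src] = hops + 1
            queue.append((src, hops + 1))
    return found


def risk_tier(state, address, prior_clean_deposits):
    """Tiered management decision for one deposit address (hypothetical policy)."""
    share = exposure(state, address)
    tainted = state[address]["tainted"] if address in state else 0.0
    if share >= FREEZE_RATIO or tainted >= FREEZE_AMOUNT:
        return "freeze_pending_review"
    if share > 0:  # risk-linked: history decides between review and restriction
        return ("enhanced_due_diligence" if prior_clean_deposits >= GOOD_HISTORY_DEPOSITS
                else "restrict_withdrawals")
    return "allow"


def screen_deposits(transfers=TRANSFERS, risk_labels=RISK_LABELS, history=None):
    """Screen every exchange deposit address; returns {address: (tier, share, origins)}."""
    history = history or {}
    state = propagate_taint(transfers, risk_labels)
    return {
        addr: (risk_tier(state, addr, history.get(addr, 0)),
               round(exposure(state, addr), 3),
               trace_origins(transfers, addr, risk_labels))
        for addr in sorted(a for a in state if a.startswith("T-CEX-DEPOSIT"))
    }


if __name__ == "__main__":
    for addr, (tier, share, origins) in screen_deposits(history={"T-CEX-DEPOSIT-4": 12}).items():
        print(f"{addr}: tier={tier} tainted_share={share} origins={origins}")
```

Running the block shows the first deposit address fully exposed through three hops of splitting, the second only 30% exposed because clean funds were blended in at layer 2, the mixer-funded address frozen on the label alone, and the long-standing customer allowed. In production the transfer list would come from an indexer and the labels from the shared intelligence feed the report recommends; the screening logic itself does not change.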
