Author: Sleepy.txt

In the history of commerce, wherever wealth surges, there will be a tug-of-war between law and order.

Looking back from the tail end of 2025, the issuance scale of global stablecoins has firmly crossed the $300 billion mark, nearly tripling from last year, with monthly trading volumes reaching an astonishing $4 to $5 trillion. Stablecoins, as a type of crypto asset, have shed the label of "geek toys" and have become the primary gateway for traditional finance to enter the digital world.

However, beneath the prosperity lies a shadow. According to the latest industry report, the estimated scale of funds received by illegal addresses globally in 2025 is expected to exceed $51.3 billion. When hundreds of billions of dollars can flow across borders in seconds, traditional regulatory measures often cannot keep up with this speed, making it difficult to discern which are legitimate businesses and which are criminal proceeds.

In this world where rules have yet to be fully defined, Professor Zhou Yajin is a unique entrepreneur.

Zhou Yajin's career path is a typical reflection of the deep collision between elite scholarship and industry. In 2010, he went to the United States to pursue a PhD, delving into mobile security for five years, and then joined Qihoo 360 with his mentor, Professor Jiang Xuxian, completing the first leap from the laboratory to the front line of industry. In 2018, he chose to return to Zhejiang University to take up teaching.

Three years later, he once again plunged into the industrial wave, founding the blockchain security company BlockSec.

Over the past four years, Zhou Yajin has led BlockSec through a shift in business focus. Initially starting with smart contract code auditing, the company gradually extended into deeper areas such as security monitoring, fund tracing, and anti-money laundering compliance.

Zhou Yajin and his team have long been engaged in specialized research on on-chain data, even using technical means to "infiltrate" black industry groups involved in online fraud in Southeast Asia, gaining a wealth of little-known insights into the underlying survival landscape. Through his perspective, we may gain a clearer understanding of the most genuine interest games in this new digital world.

The following is Zhou Yajin's account, edited and organized by the Beating editorial team after an exclusive interview.

From Code Auditing to the Anti-Money Laundering Battlefield

I pursued my PhD in the United States from 2010 to 2015, under the supervision of Professor Jiang Xuxian. At that time, we were working on mobile security, particularly in the area of Android malware detection, which was relatively early on a global scale. After graduating in 2015, I followed my mentor to Qihoo 360, aiming to industrialize our research results.

In 2018, I joined Zhejiang University, returning to academia from the industry. At that time, China was experiencing a small boom in ICOs in 2017 and 2018, which brought blockchain into the view of a small number of people, prompting me to start looking into blockchain security.

I observed that there were frequent on-chain security incidents at that time, and while the academic community had developed several good solutions, looking back at the industry, very few were paying attention to these issues.

Thus, in 2021, I co-founded BlockSec with Professor Wu Lei.

At first, people's understanding of a "blockchain security company" was extremely stereotypical: Aren't you just doing audits? Indeed, we started with smart contract auditing.

With our academic research background and a relatively elite team, we quickly established a foothold in the auditing business. However, my perspective in founding the company was that I did not want it to be merely a security service provider. Auditing addresses pre-launch security, but at that time, there were no particularly good solutions for post-launch protection.

So in 2022, while conducting audits, we also began developing an on-chain attack monitoring platform. Our initial product concept was to continuously monitor on-chain transactions and automatically block any attack transactions that occurred.

During this process, we found that although there were audits and monitoring, project parties could still be attacked. Coupled with numerous phishing and private key loss incidents affecting end users, where users lost money, this gave rise to new demands.

When project parties were robbed and users were phished, they had to report to the police and clarify to law enforcement where the money had flowed. Thus, starting in 2022, we developed a fund tracing product, which was entirely SaaS-based, allowing users to subscribe directly without adopting a To B sales model.

The result was that after launching this product, the user demographics surprised us. In addition to law enforcement agencies, media reporters were using it, financial institutions were using it, and even many private detectives taking on freelance work were using it.

These users from different backgrounds helped us refine the product during their usage, attracting even more users. Additionally, we already had attack detection engines, phishing detection engines, etc., and these labels and data gradually became our deepest moat.

The turning point occurred from late 2024 to early 2025.

At that time, the issuance of stablecoins began to surge, and this market was no longer just participated in by Crypto Native individuals. Many traditional finance professionals started entering the space, and the first virtual currency they encountered was stablecoins. These individuals had a strong compliance awareness, and as soon as they entered, they would ask: If I want to use stablecoins, how do I address AML (anti-money laundering) and CFT (counter-terrorism financing) issues?

There were no good compliance products on the market, and we happened to have accumulated three years of underlying label data, so we quickly launched our anti-money laundering product. The entire process was quite natural; we transformed from a purely security service provider into a comprehensive supplier of "security + compliance" in response to market demand changes.

Infiltration

To engage in anti-money laundering, one must first deeply understand how the black and gray industries use money.

From our research perspective, cryptocurrency crimes are typically divided into two categories: one is "crypto-native," such as code vulnerability attacks on DeFi protocols, private key theft, or phishing. Without blockchain, these crimes would not exist at all.

The other category is "crypto-driven," such as online fraud, extortion, and human trafficking. The emergence of cryptocurrency has greatly enhanced the efficiency and anonymity of their cross-border transactions. Among these scenarios, what shocked us the most was the human trafficking within the Southeast Asian online fraud industry.

Many people think online fraud is far removed from them, but if you look at their recruitment ads, the allure is extremely precise: starting monthly salary of 19,000 RMB, including airfare, meals, and accommodation, and even the seemingly serious promise of "must purchase Shenzhen social security." This type of scam, specifically targeting young people aged 18 to 37, has lured a large number of victims across borders into scam parks located in Myanmar, Cambodia, or Laos.

The current online fraud parks have organizational structures that are as tight as legitimate companies, with finance, technology, and call teams all in place. To maintain such a large operation, they need to continuously replenish "labor," and the parks (demand side) and traffickers (supply side) do not know each other, lacking any trust in online communication.

Thus, an intermediary specifically providing credit endorsement for illegal transactions has emerged, known as "labor guarantee platforms."

The operational logic of this system is quite similar to Taobao. The park first deposits a certain amount of USDT as a guarantee on the guarantee platform; the trafficker is responsible for luring the victim across the border and delivering them to a designated "inspection" location.

Once both parties confirm in a private Telegram group, the platform releases the deposit to the trafficker. This type of transaction adheres to the principle of "money follows the person"; if either party tries to default, the platform will freeze or confiscate the deposit according to the rules to compensate the other party.

To attract business, these platforms open numerous public channels on Telegram to "show off." For example, in the channels of Linghang Guarantee or Haowang Guarantee, system bots will publish transaction screenshots and on-chain transfer records in real-time. They even engage in promotions like legitimate e-commerce, such as collecting commissions or offering "buy 10, get 2 free" deals.

This is also the most direct entry point for us to observe the black industry.

From February to August 2025, we developed an automated system that continuously infiltrated these groups to gather intelligence. Because the chat in these groups was filled with jargon, we specifically trained a large language model for analysis.

In the language of the black industry, victims are referred to as "fish," and the scam tactics and victim information are called "materials." The materials are categorized in detail, including "three black materials," "mixed materials," "air ticket materials," etc. Based on the money laundering stages, they are further divided into "first-level materials," which involve directly receiving money from victims, and "second-level materials," which have undergone layered processing.

There is also a job called "mobile mouth," where accomplices in China use audio lines or specific apps to relay overseas scam calls to domestic phones, thereby bypassing the operators' anti-fraud interception, earning about 200 USDT per hour. They have recruited many young people from small towns for this task.

In these black industry groups, there are even openly circulated "Anti-Police Tutorials," meticulously teaching everyone how to calmly respond to investigations, such as insisting that their phone was lost and deleting scripts and encrypted communication apps in advance. The tutorial ends with a very ironic statement—"Salute to every hardworking person."

Through six months of automated monitoring, we identified a total of 634 addresses associated with human trafficking gangs linked to one of the guarantee platforms, with the total tracked illegal transaction amount approaching $12 million. At the peak, 10 people were sold into parks through this one guarantee platform every day. The actual situation may be even more severe due to the existence of other guarantee platforms.

When tracing the flow of funds, we found that the vast majority of this money was on the Tron blockchain, primarily using the stablecoin USDT. Because Tron has a low operational threshold and cheap transaction fees, it is very suitable for these technically limited criminal groups. Although transaction fees on Tron have increased now, they have already developed a habit of using it, making it difficult to switch to other methods.

We analyzed the cash flow of over 120 gangs and found that more than 34.9% of these illegal proceeds ultimately flowed to the hot wallets of OKX, 6.9% to Binance, and 14.4% to hot wallets related to Huobi.

When you can clearly see where this money comes from and how it flows, anti-money laundering is no longer an empty phrase. This real data captured from the grassroots groups is currently the core barrier to security compliance.

12 Seconds: "Intercepting" Hackers in the Mempool

In the security industry, there has always been a concern: audits can only ensure that the code is secure at the moment of launch. However, once a project is up and running, it faces global hackers monitoring it 24/7. If auditing is "static defense," can we find a way to implement "dynamic interception"?

In 2022, while conducting audits, we launched an on-chain attack monitoring platform. The underlying logic of this product is to monitor Ethereum's Mempool. You can think of the Mempool as a waiting room where all transactions queue up before being officially packaged into blocks and recorded in the ledger.

In this waiting room, we not only monitor ordinary users' transactions but also keep an eye on those with attack characteristics. Once a suspected attack transaction is detected, our system immediately initiates automatic analysis in a private chain environment: What is it trying to do? Is the logic sound? How much money will it steal?

The most thrilling game usually occurs within a mere 12 seconds.

After the Ethereum merge, the block time was fixed at 12 seconds. This means there is an extremely short window between when a hacker issues an attack command and when that transaction is actually packaged and confirmed. These few seconds are the golden rescue time for white hats.

After confirming an attack, our system automatically generates a "front-running" transaction. The content of this transaction is almost identical to the hacker's, but the key difference is that we modify the receiving address of the funds from the hacker's wallet to our pre-set secure address.

To outpace the hacker, we must gain packaging priority from the miners.

Hackers typically set a standard Gas Fee to maximize profits. We, however, adjust the Gas Fee algorithmically to be very high, even directly sharing a portion of this money with the miners. Driven by profit, miners will prioritize packaging our transaction. When our transaction is successfully executed, the hacker's transaction will automatically become invalid.

This capability has saved many projects in real combat.

The most typical instance was when we successfully intercepted an attack targeting a certain protocol in the mempool, rescuing 2,909 Ethereum for the project party in one go. At that time, the hacker had already triggered the vulnerability, and it seemed that tens of millions of dollars were about to be swept away. Our monitoring system instantly alarmed, and within seconds, we completed the attack simulation, transaction generation, and Gas bidding. Ultimately, that large sum was transferred to our secure address ahead of the hacker.

Previously, project parties could only turn to Twitter for help or negotiate with hackers to see if they could offer a bounty to get their money back. But now, through technical means, we forcibly intercepted the money just one second before the hacker succeeded.

Only if you understand the code better than the hacker and can run faster than the hacker can you hold the last line of defense in this "Code is law" dark forest.

Epilogue

If the past decade in the crypto world was a "gold rush," then standing at the 2025 juncture, what we see is a return to "certainty." As the scale of stablecoins surges toward $300 billion, and as a new digital financial system transitions from "wilderness" to "city-state," technology must no longer merely be a lever for wealth; it must first become a shield against the dark side of human nature.

The transformation experienced by Zhou Yajin and his team is essentially a reflection of this business logic. From code auditing to dynamic interception, and then to deep diving and dismantling the black industry chain, this is not the solitary bravery of an individual but a defensive mechanism that inevitably arises when technology evolves to a certain scale.

In this world where code is law, if we do not address the chronic issues of illegal fund flows and security defense failures, then the so-called "financial revolution" will forever remain a game for a select few.

In the history of commerce, any industry that has moved toward the mainstream has undergone the painful transition from chaos to rule of law. This may be a long and tedious process, but as Zhou Yajin said, the ultimate form of security is "imperceptible."

Only when security becomes as ubiquitous as air yet is overlooked by everyone can this once unpredictable digital wilderness truly complete its civilizational pioneering.

免责声明：本文章仅代表作者个人观点，不代表本平台的立场和观点。本文章仅供信息分享，不构成对任何人的任何投资建议。用户与作者之间的任何争议，与本平台无关。如网页中刊载的文章或图片涉及侵权，请提供相关的权利证明和身份证明发送邮件到support@aicoin.com，本平台相关工作人员将会进行核查。