1. Background of the Investigation

Blockchain, based on distributed consensus and economic incentives, provides a new solution for the establishment, storage, and transfer of value in an open and permissionless network space. However, with the rapid development of the crypto ecosystem in the past few years, cryptocurrencies are increasingly being used for various risky activities, providing a more concealed and convenient way for value transfer for activities such as online gambling, online illicit activities, and money laundering.

At the same time, as an important infrastructure in the crypto industry, a large number of web3 enterprises also use stablecoins such as USDT as the main method of fund collection and payment. However, these enterprises generally lack sound AML, KYT, KYC, and other risk control mechanisms, leading to unrestricted inflow of USDT previously used for risky activities into business addresses, causing contamination of funds for the enterprises and their clients.

This report aims to disclose the methods and scale of cryptocurrency utilization in risky crypto activities and to use on-chain data to track the circulation of funds related to risky activities, in order to illustrate the threat of risky crypto funds to web3 enterprises.

2. Investigative Targets

The social harm caused by illegal activities in the network is becoming increasingly serious, including direct infringement on personal property and public security, as well as the legal risks indirectly brought to individuals or corporate entities associated with upstream and downstream industries related to illegal activities. In recent years, various countries have strengthened their efforts to combat illegal activities in the network, making some progress in criminal legislation and research on the network ecosystem. However, cybercrime remains a difficult problem to solve, especially with the emergence of new network spaces such as blockchain, traditional online gambling, online illicit activities, and money laundering have increasingly utilized cryptocurrencies or crypto infrastructure in risky activities, thereby hindering relevant legal determination and law enforcement supervision.

2.1 Online Gambling

Gambling refers to betting money or items of material value on an event with an uncertain outcome, with the main purpose of winning more money or material value, while participants gain spiritual pleasure through financial gambling. Online gambling refers to gambling activities conducted over the internet, with a wide variety of types, essentially encompassing the main gambling methods in real life.

In China, establishing gambling websites for profit on the internet or acting as agents for gambling websites and accepting bets fall under the "establishment of gambling houses" as stipulated in Article 303 of the Criminal Law. If citizens of the People's Republic of China gather to gamble in peripheral areas outside the country and establish gambling houses to attract citizens of the People's Republic of China as the main client base, it constitutes the crime of gambling, and criminal responsibility can be pursued in accordance with the provisions of the Criminal Law.

However, in other countries or regions, the legal determination of gambling and the establishment of gambling houses varies:

• According to the Gambling Ordinance of Hong Kong, China, all gambling activities other than regulated horse racing, football betting, Mark Six lottery, or other licensed gambling venues (such as mahjong parlors), and exempted gambling activities under the law are considered illegal.
• According to the Unlawful Internet Gambling Enforcement Act of the United States, conducting transactions with financial institutions and online gambling websites is illegal. However, state legislation varies, and there are differences in the determination of online gambling law, illegal activities, and law enforcement direction.
• According to the statement of the Gaming Inspection and Coordination Bureau of Macau, the Macau SAR government has never issued an online gambling license, so any information promoting online gambling activities in the name of the Macau SAR government and betting websites are false and illegal, and public betting on such websites is not protected by Macau SAR law.

It can be seen that online gambling is not illegal in all countries or regions. The gambling funds used by licensed and regulated online gambling platforms and other gambling activities exempted by local government departments cannot be considered as risky funds. Therefore, Bitrace's investigation into online gambling activities is limited to unlicensed gambling platforms, agents accepting bets from users outside the scope of their operating permits, and payment institutions providing fund settlement services for the former two.

For traditional online gambling platforms and their agents, these organizations help gamblers with fund settlement through self-built centralized cryptocurrency recharge, transaction, and withdrawal systems or by accessing cryptocurrency payment tools, due to the anonymous nature of cryptocurrencies, government departments will find it difficult to regulate or enforce such activities. As for new hash online gambling platforms, these platforms are deployed on the blockchain network, managing gambler betting, bet settlement, fund precipitation, and collection through smart contracts, with a wider reach and faster development changes.

2.2 Online Illicit Activities

Online illicit activities refer to the industrialization and chaining of illegal activities carried out or assisted in the network space for the purpose of making illegitimate profits or disrupting the order of the network ecosystem. Currently, cryptocurrencies and some crypto industry infrastructure have been greatly integrated into the entire online illicit activities ecosystem.

Traditional online illicit activities increase the deceit and destructiveness of certain illegal activities by introducing cryptocurrencies into illegal activities or using cryptographic tools to replace original technical means, reducing the chances of government departments perceiving or sanctioning upstream and downstream activities. New types of blockchain illicit activities directly target the cryptocurrency assets of cryptocurrency investors or institutions and are native illegal activities in the crypto industry.

This report only discloses some typical illicit activities using cryptocurrencies.

2.3 Money Laundering

Money laundering is the act of legitimizing illegal proceeds, mainly referring to disguising and concealing the source and nature of illegal proceeds and their generated profits through various means to make them appear legitimate. Its activities include but are not limited to providing fund accounts, assisting in converting property forms, assisting in fund transfers, or remittances abroad. Cryptocurrencies, especially stablecoins, have been utilized by money laundering activities due to their low transfer costs, geographical decentralization, and certain anti-inspection characteristics, which is one of the main reasons why cryptocurrencies have been criticized.

Traditional money laundering activities often use the over-the-counter cryptocurrency trading market to exchange between fiat and cryptocurrencies or cryptocurrencies and fiat. The laundering scenarios vary, and the forms are diverse, but the essence of these activities is to obstruct law enforcement officers from investigating the fund chain, including traditional financial institution accounts or cryptocurrency institution accounts.

Unlike traditional money laundering activities, the new type of cryptocurrency money laundering activities target the cryptocurrencies themselves, including wallets, cross-chain bridges, and decentralized trading platforms, all of which are illegally exploited within the crypto industry infrastructure.

3. Utilization of Cryptocurrencies in Online Gambling Activities

3.1 Forms of Cryptocurrency Utilization in Traditional Online Gambling Platforms

In recent years, the phenomenon of online gambling platforms and their agents accepting cryptocurrencies as chips has become very common, including:

• Some online gambling platforms have independently established a complete centralized management system for cryptocurrency recharge, transactions, and withdrawals. Gamblers need to purchase cryptocurrencies (mainly USDT) from third-party platforms and transfer them to the recharge addresses assigned to each gambler by the online gambling platform to obtain chips. After gamblers initiate withdrawal requests, the platform transfers from a unified hot wallet address to the target address, with its business logic consistent with mainstream cryptocurrency trading platforms.

• Some online gambling platforms provide deposit and withdrawal channels for gamblers through the integration of cryptocurrency payment tools. Gamblers do not directly recharge USDT to the online gambling platform but transfer funds to the payment platform account, and withdrawal requests are also fulfilled by the latter. Regular fund settlements are conducted between the online gambling platform and the payment platform, allowing for the exploration of their business details through fund association.

Taking a gambling platform utilizing USDT for betting as an example, the platform helps gamblers with USDT deposit and withdrawal through the integration of a certain cryptocurrency payment platform. Bitrace conducted fund audits on one of the hot wallet addresses. Between January 27, 2022, and February 25, 2022, this address processed over 1.332 million USDT in deposit and withdrawal orders from gamblers.

In the practice of fund analysis, it was found that large-scale online gambling platforms generally build their own cryptocurrency deposit and withdrawal function modules, while the majority of small and medium-sized online gambling platforms choose to integrate with cryptocurrency payment platforms. According to the DeTrust Address Fund Risk Audit Platform, between September 2021 and September 2023, a total of over 46.45 billion USDT flowed directly into traditional online gambling platforms or cryptocurrency payment platforms providing deposit and withdrawal services for online gambling platforms.

The changes in the scale of online gambling funds in 2021 correspond to the development of the cryptocurrency secondary market that year. The scale growth from November 2022 to January 2023 may be related to a large number of betting activities during the World Cup that year.

Analysis of the sources of USDT transferred to online gambling platforms reveals that over 7.43 billion USDT directly came from centralized trading platforms, accounting for 16% of the total inflow scale. These funds are either directly deposited by gamblers from exchange addresses to online gambling platforms or circulated by the gambling platform and its agents through the trading platform. Considering that funds from secondary addresses also likely come from centralized trading platforms, this number is clearly an underestimate. This indicates that centralized cryptocurrency trading platforms are being used to serve the online gambling industry.

3.2 New Hash Online Gambling Cryptocurrency Utilization

Every transaction on the blockchain corresponds to a unique hash value, which is randomly generated and cannot be forged. Therefore, some online gambling platforms have developed hash guessing games based on this, where the rules involve guessing whether the last digit or digits of the transaction hash are odd or even, big or small, to determine the outcome of the guessing activity and allocate bets.

For example, in the typical "guess the last digit" game, gamblers need to transfer funds to the betting address. If the last digit of the hash value of the transfer matches a specific number or letter, the gambler wins, and the platform returns double the chips after deducting a portion of the points. If the last digit does not match, the gambler loses, and the chips are not returned.

Therefore, these types of online gambling addresses on the blockchain often exhibit high-frequency, fixed-amount fund transfers among multiple addresses, resulting in a large scale of fund interactions.

Finally, due to the fast pace and fairness of these hash online gambling games, they were once very popular, leading to a large number of variant games and platforms. However, due to the transparency of the games and the high susceptibility of funds to hacking and theft, the scale and market share of these games have greatly decreased.

4. Utilization of Cryptocurrencies in Traditional and New Types of Black and Grey Industry Activities

4.1 Traditional Black and Grey Industry Cryptocurrency Utilization

4.1.1 Investment and Financial Fraud

Investment and financial fraud is a type of online investment fraud where scammers often claim to be "experts in the industry" through social media and other channels, luring victims to invest in fake platforms (usually apps) and swindling investment funds. In recent years, this traditional online investment fraud has also begun to use cryptocurrencies or crypto tools, such as emotional fraud and illicit USDT arbitrage fraud.

4.1.1.1 Emotional Fraud

Emotional fraud is often combined with investment fraud but mainly targets non-crypto users. Fraudsters create a perfect online persona and use online dating to induce victims to purchase USDT for cryptocurrency investments, such as exchange arbitrage, derivative trading, liquidity mining, and more.

The victim's "investment" will earn a large profit in a short period, and they will be encouraged to increase their investment. However, the victim's USDT does not actually participate in the so-called arbitrage activities but is transferred out and laundered upon arrival at the platform. The victim's withdrawal requests are often rejected by the platform for various reasons, leading the victim to realize they have been deceived.

4.1.1.2 Illicit USDT Arbitrage Fraud

Illicit USDT arbitrage fraud disguises itself as a money laundering and arbitrage platform for USDT funds, but it is actually an investment scam. Once participants invest a large amount of USDT, the platform will refuse to return the funds for various reasons.

For example, a still-operating "illicit USDT arbitrage platform" allows users to exchange "clean USDT" for "illicit USDT" at a rate of 1:1.1 to 1.45. Users receive the illicit USDT and then transfer it to other platforms for sale, with the excess amount being the user's "arbitrage" profit.

To date, this fraudulent group has illegally obtained over 870,000 USDT using the same method. 784 independent addresses transferred USDT to the fraudulent address, but only 437 addresses received returns, with nearly half of the participants not succeeding in "arbitrage."

4.1.2 Fake Apps

Fake apps refer to illegal elements repackaging genuine apps through various means, combining cryptocurrency fake apps, mainly fake wallets and fake Telegram apps.

4.1.2.1 Fake Wallet Apps

Fake wallet apps for stealing cryptocurrency involve inducing others to download and install fake wallet apps with backdoors to steal wallet mnemonic phrases and illegally transfer others' assets. Scammers distribute links to fake wallet app downloads through search engines, unofficial mobile app stores, social platforms, and more. Victims download and install the app, create or sync wallet addresses, and the mnemonic phrases are sent to the scammers. Once victims transfer a large amount of cryptocurrency, the scammers will automatically or in batches transfer and collect the funds.

This method has now become highly industrialized, with the fake wallet development team and the operational promotion team completely separated. The former only participates in product development and maintenance, selling product solutions through recruiting agents worldwide, while the latter only needs to promote the fake wallet app, and may not even need to understand the principles of cryptocurrency technology.

Multi-signature theft is a variant of fake wallet theft. Multi-signature technology allows multiple users to sign a digital asset simultaneously. In simple terms, a wallet account has multiple people with signing and payment rights. If an address can only be signed and paid by one private key, it is represented as 1/1. In contrast, multi-signature is represented as m/n, meaning a total of n private keys can sign for an account, and when m addresses sign, a transaction can be made.

Traditional fake wallet theft essentially shares wallet control permissions with the victim, and the thief cannot prevent the victim from transferring assets. However, based on the principle of multi-signature technology, the thief will immediately add the victim's address to the multi-signature after the victim installs the fake wallet app. At this point, the wallet owner will be unable to transfer the assets out of the wallet and can only transfer in but not out. The thief, on the other hand, will be able to transfer the assets at any time, often depending on when the victim transfers a large amount of funds.

4.1.2.2 Fake Telegram App

A classic application of fake apps in the cryptocurrency-related black and grey industries is the malicious implantation of backdoors in the Telegram app, a social app commonly used by cryptocurrency investors for over-the-counter trading activities. Fraudsters use social engineering attack methods to induce target users to "download" or "update" the fake Telegram app. Once the target user pastes a blockchain address through the chat box, the malicious software will identify and replace the address with a malicious one, causing the counterparty to send funds to the malicious address without the victim's knowledge.

4.1.3 Third-Party Payment Guarantees in the Black and Grey Industries

Third-party payment guarantees refer to a type of online payment service where the buyer pays the funds to a third party, who temporarily holds the funds until the buyer receives and confirms the goods, at which point the third party pays the funds to the seller, completing the transaction. It essentially acts as a credit intermediary, temporarily holding the funds for both parties until the buyer confirms receipt of the goods. During this process, the third-party intermediary charges a certain percentage as a service fee.

Some black and grey industry third-party payment guarantee platforms have begun to widely use Tether (mainly TRC20-USDT) as collateral in addition to traditional fiat channels, providing payment guarantee services for transactions including illegal foreign exchange, illegal commodity trading, unauthorized collection and payment, and illicit cryptocurrency transactions. Despite the different types of transactions, the transaction process is consistent.

Typically, one of the buyers or sellers will pay to place an advertisement on the payment guarantee platform, either in a specific area of the website or in the official Telegram group. The advertisement will specify the type of transaction, transaction requirements, payment methods, and other transaction details.

After the buyer and seller have negotiated, they need to contact the customer service of the payment guarantee platform to establish a "special group," which is a non-public Telegram group used for transaction communication, including the buyer, seller, and the special group bot. In principle, one-to-many transactions are not allowed, and unrelated individuals are not allowed to join.

The buyer needs the seller to transfer the funds to the official account of the guarantee platform and provide proof, a process known as "depositing." After the trader confirms receipt, they notify the seller to ship the goods. The seller then receives the shipping notification from the trader and begins shipping, providing proof of shipment. The buyer then confirms receipt and notifies the trader to release the funds. Upon receiving confirmation of the buyer's receipt or release of funds, the trader deducts the commission and releases the funds to the seller, providing proof of release. Finally, the seller confirms receipt, and the transaction is completed.

The platform does not allocate separate addresses for fund isolation in each transaction but instead directs all deposits to the same deposit address for a period of time. This results in the address directly receiving a large amount of high-risk funds related to online gambling, black and grey industries, and money laundering. Additionally, due to its large fund scale, it also confuses the direction of funds to some extent, hindering the tracking activities of investigators.

An audit of known platforms providing guarantees for illegal transactions found that the scale of their guarantee funds has been continuously increasing over the past 12 months, including over 17.07 billion TRON network USDT and over 670 million Ethereum network USDT, indicating that most of the transactions guaranteed by these platforms occur on the TRON network.

4.2 New Types of Cryptocurrency Utilization in the Black and Grey Industries

4.2.1 Authorized Theft

Authorized theft is a method of illegally transferring others' assets by stealing the management permissions of their USDT addresses. Public blockchains like TRON and Ethereum allow users to transfer the operational permissions of a certain asset in their wallets to other addresses, granting the latter partial or full management permissions over the assets, enabling them to call the contract to transfer the authorized assets.

This malicious authorized theft request is often disguised as a payment link, airdrop claim entrance, or interactive contract trap. Once the victim is induced to interact, a certain asset in the victim's address—usually USDT—is unlimitedly authorized to the thief's address and will be transferred out at a later time by calling the "TransferFrom" method.

Thieves often achieve this by deceiving the target victim into clicking on a phishing link and running a fraudulent smart contract. At this point, the victim's wallet mnemonic phrase has not been compromised, so timely revocation of the authorization can still recover some losses.

4.2.2 Zero-Value Transfer Phishing

Zero-value transfer phishing is a scam targeting cryptocurrency investors who use wallet applications improperly. By sending a large number of USDT transactions with a value of 0 to unspecified blockchain addresses, it is possible to increase the interaction records of the target address without permission. If an unspecified party attempts to copy an address from existing transfer records on a smart device when initiating a transfer to a certain address, they may send funds to the wrong address, resulting in losses.

Bitrace has conducted a fund analysis of fraudulent addresses marked as phishing addresses in the TRON network, defining transactions with amounts lower than 1 USDT as phishing activities and transactions with receipts exceeding 10 USDT as fraudulent gains.

Our research indicates that the activity and scale of zero-value transfer phishing have been expanding. As of now, over 451 million USDT funds in the TRON network have been lost due to phishing attacks.

4.2.3 Fake Platform Coin Arbitrage Scam

The common method of the fake platform coin arbitrage scam involves fraudsters falsely claiming to have developed a "smart arbitrage contract." Participants only need to invest a certain amount of cryptocurrency into the contract to receive an excess amount of another well-known cryptocurrency (such as Binance Coin, Huobi Token, OKB, etc.). After obtaining the "arbitrage gains," participants can cash out on a third-party trading platform to earn profits.

In the early stages of small-scale testing, real excess cryptocurrencies were indeed returned. However, once victims invested a large amount of funds, fake tokens were returned, which have no market value. This fraudulent method is old but effective, and there are still many variants active in the cryptocurrency investor community, causing financial losses to ordinary investors and negative damage to the brands being impersonated.

4.2.4 TRON Fancy Address Trading

Similar to traditional black and grey activities, illicit actors in the cryptocurrency black and grey industries need to create or purchase virtual identities before engaging in illegal activities. In traditional black and grey activities, this involves bank accounts and identity information, while in cryptocurrency black and grey activities, it involves blockchain addresses. Typically, these addresses are customized and obtained from professional fancy address service providers.

In online gambling activities, operators of Hash gambling platforms often use TRON fancy addresses. They purchase fancy addresses in bulk from professional service providers and use these addresses for operational purposes, including fund collection, storage, circulation, accepting bets, fund settlement, and more.

In black and grey activities, fancy address customization has directly led to a more sophisticated variant of zero-value transfer phishing known as "same tail number" phishing. Compared to widespread zero USDT transfers targeting unspecified blockchain objects, "same tail number" phishing is often customized. Fraudsters mimic the head and tail numbers of the target's commonly used address and transfer a larger amount.

The cost of this phishing activity is not low. According to the price list of a TRON fancy address service provider, an eight-digit customized address takes 12 hours to deliver and costs 100 USDT, while the same eight-digit fancy address only costs 10 USDT.

In addition to TRON fancy address service providers, there are also similar cases of Telegram group chat bot service providers, website source code service providers, bulk transfer tool service providers, SEO fast ranking service providers, and other groups providing assistance to illegal participants and profiting from it. This article will not disclose further details.

V. Utilization of Cryptocurrencies in Money Laundering Activities

5.1 Traditional Utilization of Cryptocurrencies in Money Laundering Activities

The use of cryptocurrencies in traditional money laundering activities aims to transfer payments from high-risk users to accounts of low-risk users to evade risk control measures of payment institutions. This typically involves converting illicit fiat currency into cryptocurrency in the over-the-counter cryptocurrency market or converting illicit cryptocurrency into fiat currency to disrupt the fund trail and evade tracking and crackdown.

A typical money laundering scenario involves fraudsters quickly splitting funds into small amounts and making continuous transfers to multiple bank cards after defrauding victims of cash. They then organize "card farmers" to withdraw cash and transport the cash to the location of the money laundering group via personal or public transportation such as cars or airplanes. In the past, this cash was often used to purchase bulk commodities or exchanged for foreign currency to be taken out of the country. Now, it is more commonly used to purchase USDT offline. This batch of USDT is then either cashed out for fiat currency in the over-the-counter cryptocurrency market or directly sent abroad or to other money laundering groups for further processing. Throughout this process, off-exchange markets of run-U platforms, payment guarantee platforms, and centralized exchange platforms play important roles.

5.1.1 Run-U Platforms

Run-U platforms are a new type of money laundering method that combines cryptocurrency trading with traditional "run points" platforms. The basic model involves the platform organizers using a large purchase of USDT to transfer to overseas exchanges for profit from the price difference, recruiting USDT arbitrageurs, and then requiring the arbitrageurs to register for real-name accounts on cryptocurrency exchanges and link their personal bank cards. The arbitrageurs need to purchase a certain amount of USDT as a trading margin and pledge it to the "run points" platform. The platform organizers will mark the available USDT quantity and unit price for the arbitrageurs based on the amount of USDT pledged as a margin, along with the arbitrageurs' receiving bank account information. When overseas telecom fraud and other criminal groups need to receive stolen funds, they first place orders to purchase USDT from the "run points" platform and then instruct victims to transfer funds to the arbitrageurs' bank accounts reserved on the platform. Once the victims transfer the defrauded funds to the arbitrageurs' accounts, the arbitrageurs confirm the transactions on the platform, completing the first transfer of the fraudulently obtained funds. Subsequently, the arbitrageurs use the received funds to continue purchasing USDT from the exchange and withdrawing to the run points platform in a cycle, earning the price difference of USDT and platform commissions in the process.

This activity is referred to as "card connection to run-U" by money laundering groups, allowing upstream illicit actors and money laundering groups to completely evade the risks of stolen funds and real-name authentication of trading platforms.

5.1.2 Run Points Fleet

In addition to recruiting run-U personnel for money laundering, money launderers often use a more direct "run-U fleet" model for money laundering. The format is similar to the run-U model, but the difference is that the over-the-counter cryptocurrency transactions occur offline and are settled in cash. The fleet leader recruits a large number of real individuals to register real-name bank card accounts. When upstream illicit actors (referred to as "suppliers") illegally obtain stolen funds (referred to as "goods"), they contact the fleet leader through illegal third-party payment guarantee platforms to place orders. Subsequently, a large amount of funds is split and transferred to multiple bank cards under the control of the fleet. If the money is first-hand black money, it is called "first-hand goods"; if it is second-hand or third-hand black money, it is correspondingly called "second-hand goods" or "third-hand goods," with lower financial risk and lower commissions. The fleet leader then drives with the driver to the local ATMs to withdraw cash. After multiple withdrawals, the fleet leader continues to use personal or public transportation to transport the cash to a designated location for offline transactions. Finally, with the involvement of the third-party payment guarantee platform, the fleet leader transfers the cash to the target individual to earn a commission, and the recipient sends USDT to the guarantee address to complete the money laundering process.

This type of money laundering activity, through multiple layers of bank account transfers, ATM withdrawals, and offline cryptocurrency transactions, not only interrupts the fund tracking chain multiple times but also evades bank fund supervision.

Bitrace conducted a fund audit of addresses in the TRON network that were marked as having money laundering risks and had a fund size exceeding 1 million USDT. The audit period was from September 2021 to March 2023, and the audit content was USDT inflows.

The data shows that from September 2021 to March 2023, a total of over 64.25 billion USDT with money laundering risks flowed into the TRON network, and the fund size was not affected by the bear market in the cryptocurrency secondary market. It is evident that the participants in this business are not genuine investors in the true sense.

5.2 New Forms of Cryptocurrency Utilization in Money Laundering Activities

For native network criminals in the cryptocurrency industry, anonymous exchange based on cryptocurrency infrastructure and on-chain obfuscation are the most commonly used methods for fund laundering.

5.2.1 On-Chain Fund Obfuscation

On-chain fund splitting and mixing platforms are the most common channels for fund obfuscation.

Fund splitting involves illicit actors using complex multi-layered transactions to mix and transfer virtual currency through different wallet addresses and accounts, ultimately reaching the wallet address of overseas accomplices, to achieve the purpose of severing the connection between fund inputs and outputs and blurring the virtual currency transaction chain. This method is also effective in cryptocurrency money laundering activities and is a common practice for black and grey industry practitioners.

Taking the address canvas of a certain investment and financial fraud case as an example, after collecting the victims' cryptocurrency funds, the case involved splitting the illegal gains through several fund channels and ultimately consolidating them into a few exchange account addresses for fund realization.

Coin mixing involves mixing a user's cryptocurrency with other users' currency, then transferring the mixed currency to a target address to conceal the original currency flow path, making it difficult to trace the source and destination of the cryptocurrency. As a result, several cryptocurrency mixing platforms have been sanctioned by various governments, including the well-known Tornado.cash, which was sanctioned by the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) on August 8, 2022. Some Ethereum addresses associated with it were listed on the U.S. Specially Designated Nationals List. Once added to this list, the property and property rights of individuals or related entities are at risk of being frozen.

However, despite this, since Tornado.Cash's mixing contracts are publicly accessible, other users can still engage in mixing activities by directly calling the contract. For example, in the attack on OnyxProtocol that occurred on November 1, 2023, the attacker obtained address fees through the mixing platform and further laundered the funds.

5.2.2 On-Chain Anonymous Exchange

No-KYC trading platforms and cross-chain bridges are the two primary channels for on-chain anonymous exchange.

So far, apart from a few sanctioned entity addresses, these cryptocurrency infrastructures have not implemented more risk controls for high-risk cryptocurrency funds or addresses, leading to illegal funds often being exchanged through these channels immediately after an attack.

For example, in the attack on Nirvana Finance on June 25, 2023, after illegally obtaining the victim organization's cryptocurrency funds, the attacker immediately transferred some of the funds to THORWallet DEX. The latter is a decentralized exchange platform that does not require permission and provides high privacy, allowing users to directly perform cross-chain exchanges between various blockchains without disclosing transaction information. Therefore, in many past cryptocurrency security incidents, THORWallet DEX has been involved in the money laundering process.

VI. Contamination of Web3 Enterprise Addresses by High-Risk Cryptocurrency Funds

6.1 Contamination of Centralized Exchange Platform Addresses

Centralized exchange platforms are one of the main places for laundering high-risk USDT funds. In this report, Bitrace conducted a thorough investigation of the inflow of high-risk USDT funds associated with online gambling, black and grey industries, and money laundering activities into 126 common hot wallet addresses of centralized exchange platforms from January 2021 to the present.

From January 2021 to September 2023, over 415.2 billion high-risk USDT flowed into some centralized exchange platforms in the TRON network, including 225.79 billion USDT associated with online gambling, 105.70 billion USDT associated with the black and grey industries, and 83.73 billion USDT associated with money laundering.

From January 2021 to September 2023, over 33.15 billion high-risk USDT flowed into some centralized exchange platforms in the Ethereum network, including 11 billion USDT associated with online gambling, 18.42 billion USDT associated with the black and grey industries, and 3.72 billion USDT associated with money laundering.

It is evident from the total amount of high-risk funds and the proportion of high-risk funds that the scale of USDT being illegally utilized in the TRON network is larger than in the Ethereum network, and the proportion of high-risk funds associated with online gambling is higher. This is consistent with observations in practice—casino agents and regular gamblers tend to use TRON USDT to save on fees.

6.2 Contamination of Over-the-Counter Trading Market Addresses

In addition to the over-the-counter trading section of centralized exchange platforms, certain payment platforms, cryptocurrency investor groups, and acceptance merchant communities also establish a certain scale of over-the-counter trading markets. These places lack a complete KYC and KYT mechanism, making it difficult to assess the funding risks of counterparties and to restrict high proportions of high-risk USDT funds from flowing in.

Bitrace conducted a fund audit of addresses with typical over-the-counter trading market characteristics and a fund size exceeding 1 million USDT. The data shows that in the past two years, at least 3.439 billion USDT associated with high-risk activities has flowed into these addresses, with the inflow increasing over time and being largely unaffected by the cryptocurrency secondary market downturn.

6.3 Contamination of Cryptocurrency Payment Platform Addresses

As one of the infrastructure components in the decentralized finance sector, cryptocurrency payment tools provide fund settlement services for blockchain institutions and also offer certain cryptocurrency acceptance services for ordinary users, thereby facing the same risk of contamination by high-risk cryptocurrency funds.

Bitrace conducted a fund audit of the main cryptocurrency payment platform addresses serving Southeast Asia and East Asia customers. The data shows that between January 2021 and September 2023, over 40.51 billion high-risk USDT flowed into these addresses, with 334.6 billion USDT in the TRON network and 70.4 billion USDT in the Ethereum network. Throughout almost all periods, the contamination of high-risk USDT in the TRON network on cryptocurrency payment platforms was more severe than in the Ethereum network.

VII. Conclusion and Recommendations

Participants in online gambling, black and grey industries, and money laundering activities are extensively utilizing cryptocurrencies, including USDT, to enhance the anonymity of funds and evade tracking by regulatory and law enforcement agencies. As a direct result, Web3 enterprises operating compliant cryptocurrency businesses and ordinary cryptocurrency investors are passively receiving such high-risk associated cryptocurrency funds due to a lack of fund risk identification capabilities, leading to the contamination of their fund addresses and even involvement in cases.

Industry institutions should strengthen their awareness of fund risk control, actively collaborate with local law enforcement agencies, and integrate threat intelligence services provided by security vendors to detect, identify, prevent, and block high-risk cryptocurrency funds, protecting their own business addresses and user addresses from contamination.

7.1 Strengthen Awareness of Fund Risk Control

Industry institutions should not only conduct Know Your Customer (KYC) activities to verify the true identities of customers, transaction execution, and fund sources in accordance with the law but also fulfill their responsibilities for monitoring and managing abnormal customer transactions (KYT) and promptly report irregular transactions and risk situations. They should implement tiered management for users engaged in suspicious fund activities and take measures to restrict some or all platform functions.

7.2 Actively Understand Local Laws and Collaborate with Law Enforcement Agencies

Platforms need to establish or commission professional teams to comply with and review law enforcement requests from around the world, assist in identifying, combating, and preventing cryptocurrency-related criminal activities, reduce economic losses, and prevent the contamination of platform business addresses and user accounts.

7.3 Establish a Threat Intelligence Network and Information Sharing Mechanism

Industry institutions need to prioritize open-source network intelligence, keep track of addresses and funds related to ongoing cryptocurrency security incidents to ensure timely countermeasures against incoming illicit funds on the platform. They also need to access external threat intelligence sources, collaborate with cryptocurrency data and security companies to establish DID profiles for users, and implement appropriate risk control restrictions for addresses associated with high-risk activities and those lacking a good interaction history. Based on this, they should establish and maintain an open threat intelligence database for the entire industry to ensure overall security and trust.

免责声明：本文章仅代表作者个人观点，不代表本平台的立场和观点。本文章仅供信息分享，不构成对任何人的任何投资建议。用户与作者之间的任何争议，与本平台无关。如网页中刊载的文章或图片涉及侵权，请提供相关的权利证明和身份证明发送邮件到support@aicoin.com，本平台相关工作人员将会进行核查。