Posted on 03-11-2020.
A Chinese pyramid scheme called PlusToken has gained notoriety as a significant factor influencing Bitcoin’s price. Just recently, a hefty batch of 11,999 BTC from its wallet started moving, putting watchful members of the community on high alert: an en masse sell-off of this much Bitcoin wouldn’t be a good thing for its price. ForkLog Hub resident Pavel Gromov investigated the matter and offered an explanation of where the money went, how it was laundered, and what it means for Bitcoin. Here is the translation of the original Russian-language article.

On February 11th, 2020, reports emerged about 11,999 BTC moving from PlusToken’s wallet. The money had been sitting still since September 21st, 2019.

https://twitter.com/whale_alert/status/1227159227426275329

According to ErgoBTC, the original wallet was part of the PlusToken cluster and has been marked by all blockchain analysis tools.

Balance dynamics for the original wallet. Source: Bitaps

Then the money moved again, catching the eye of Chiachih Wu, the vice-president of the blockchain-security firm PeckShield, and the rest of the community. Yet the attention of the public didn’t last long. The situation was monitored primarily by researchers and a small audience on social networks.

https://twitter.com/chiachih_wu/status/1227155404171296768

Before mixing, the coins were split into small parts across different addresses, as mixing a large sum is difficult. The people behind these transactions were probably using wallets with built-in mixers and their respective liquidity pools. Such wallets don’t have sufficient liquidity to launder this much money, but the “split and mix” approach turned out to be effective.

https://twitter.com/ErgoBTC/status/1227312091813556232

Notably, centralized exchanges use special tools to assign a Risk Score to transactions. This score allows exchanges to see whether a transaction is “clean” or “dirty.” If assets move from an address flagged as “dirty,” all the receiving addresses are grouped into the same cluster as the original “dirty” address. But this doesn’t happen instantaneously. Criminals have a small window during which they can mix and sell the coins before the platform notices. Since exchanges are typically interested in higher trading volumes, they often do nothing if the transaction isn’t flagged.

The start of mixing. Source: KYCP

In the case of the PlusToken cluster, the whole sum was split into batches of 1–5 BTC. Using KYCP, I’ve managed to track the output branches. After mixing, the coins were accumulated in groups of 300–400 BTC. In all instances the algorithm was the same, which suggests there was a single owner.

One of the output transaction branches, which can be considered the end of mixing the 11,999 BTC. Source: KYCP

The coins aggregated into large sums were then sent to exchanges. KYCP shows how PlusToken’s coins were arriving at the OKEx exchange in groups of 20–50 BTC. In this particular case, the last batch of 55 BTC was sent to the exchange on February 28th.

According to ErgoBTC, 50% of all the assets being moved by PlusToken went through OKEx. Meanwhile, the Huobi exchange got only 25% directly and 45% indirectly. This means that the share of other exchanges amounted to about 5%.

https://twitter.com/ErgoBTC/status/1229106184214503426
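
The clustering lag described above can be shown with a small model. This is an added example, not code from the article or from any analysis tool it mentions: the ledger, address names, time units and the `lag` parameter are all constructed assumptions. It compares the verdict an exchange gets at deposit time, when its clustering data is behind, with the verdict from re-screening the same deposit later.

```python
# Constructed sample ledger: (time, sender, receiver, amount_btc).
# Address names and the time unit are made up for illustration.
TXS = [
    (1, "flagged_src", "split_a", 3.0),
    (1, "flagged_src", "split_b", 4.0),
    (2, "split_a", "agg", 3.0),
    (2, "split_b", "agg", 4.0),
    (2, "clean_user", "exchange_dep2", 1.0),
    (3, "agg", "exchange_dep1", 7.0),
]
SEEDS = {"flagged_src"}            # addresses already marked "dirty"
DEPOSITS = {"exchange_dep1", "exchange_dep2"}


def cluster_as_of(txs, seeds, t):
    """Addresses grouped with the flagged seeds using only txs seen up to time t."""
    cluster = set(seeds)
    # Stable sort keeps the listed (chain) order for transactions at the same time.
    for when, sender, receiver, _ in sorted(txs, key=lambda tx: tx[0]):
        if when <= t and sender in cluster:
            cluster.add(receiver)   # receiver joins the sender's cluster
    return cluster


def screen_deposits(txs, seeds, deposits, lag):
    """Compare the verdict at deposit time (analytics `lag` behind) with a later re-screen."""
    full = cluster_as_of(txs, seeds, max(tx[0] for tx in txs))
    report = []
    for when, sender, receiver, amount in txs:
        if receiver not in deposits:
            continue
        known = cluster_as_of(txs, seeds, when - lag)
        report.append({
            "deposit": receiver,
            "amount": amount,
            "flagged_at_deposit": sender in known,
            "flagged_on_rescreen": sender in full,
        })
    return report


if __name__ == "__main__":
    for lag in (0, 2):
        print(lag, screen_deposits(TXS, SEEDS, DEPOSITS, lag))
```

With no lag the 7 BTC deposit is flagged on arrival; with a lag of two time units it passes the deposit-time check and is only caught by the later re-screen, which is why retrospective screening of accepted deposits matters.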