Binance and Huobi Helped Launder Billions From the PlusToken Scam

Cryptocurrency Exchanges Jan 23, 2021

The lead for this discovery actually comes from a really old tweet that was put up over a year ago (the tweet was short, sweet and concise, but it was just the lead that we needed to draw the connection that led to the headline that you see for this article).

However, before getting to that tweet, it's important to first provide context around why anyone would be tweeting out information that could lead anyone to make the kind of discovery this report does re: Huobi and Binance's involvement in laundering funds from the PlusToken scam.

Specifically, we want to point out the following tweet by a user named 'Dovey Wan' (owner of a Venture Capital firm, Primitive Ventures).

All Starts With 'Dovey Wan'

Within the blockchain community, there is a popular San Francisco-based investor and influencer that goes by the name 'Dovey Wan'. Specifically, 'Dovey Wan' is most well known for her role as one of the principal founders of the Venture Capital firm, 'Primitive Ventures'.

source: https://www.crunchbase.com/person/dovey-wan

Dovey Wan's string of tweets can be found here:

Curiously, it seems that Dovey Wan grossly understated the total number of bitcoins that were laundered through the 'PLUS' token scam by quite some margin.

This assertion is made on the basis of information contained within this very same thread by Dovey Wan.

Curiously, Dovey Wan was able to identify the passage of some of the funds (to Bittrex and Huobi), yet Binance was notably absent in her analysis:

This is being brought to attention because Dovey Wan omitted the fact that Binance was one of the locations where the funds from this prolific scam were liquidated.

There is a strong possibility that Dovey Wan omitted this information due to her conflict of interest (Binance indirectly funds her endeavors, specifically Kadena, through 'interchain.io', an entity which their ownership has complete ownership over; this will be proven indisputably after the primary analysis in this report is completed).

Focal Point of This Report

The focal point of this report is this tweet by Dovey Wan (within the same thread linked above):

In it, Dovey Wan positively identifies two addresses that served integral roles in the 'PlusToken' scam money laundering pipeline:

Specifically, we're going to focus on the first address given by Dovey Wan here: 1Dd5VTCkRtMG8bpuHZrjkLf1TeZ8cwZGDe

Dovey Wan Forced to Acknowledge Binance's Role in Laundering (Peripherally)

Since the pipeline of funds from this address to Binance is so obvious, we do see a mild acknowledgment from Dovey Wan in the following tweets:

Specifically, Dovey Wan states:

"YES they are moving their funds into small batches into exchanges, like 50-100BTC per batch"

This shows her refusal to identify the fact that Binance is the only exchange that serves as the liquidation point for this wallet address.

The only mention of Binance comes in the following tweet:

Dovey Wan states:

"I couldn't find the chat but starting a few days ago, Chinese traders are saying someone has been dumping 100BTC non-stop on Binance, will post here once I find the chat detail."

The money can be tracked to Binance's hot wallet address with trivial ease (to such an extent that another user was able to identify this clear relationship without much effort or special software on hand like Chainalysis / Crystal / Elliptic / etc.).

The fact that Dovey Wan was able to curate in-depth research showing the liquidation of funds at both Huobi and Bittrex whilst resorting to alleged "rumors" that Binance may have received some of these funds in tranches of 50 / 100 bitcoins at a time is, in itself, enough to seriously question whether the purpose of her thread is to provide information or simple misdirection.

Unsurprisingly, we never saw a follow up or an update from Dovey Wan. The result of this report may shed a little light on what that is.

Other Individual Observations About the Wallet Transfers

Fortunately, another user took the few minutes necessary to track the funds going from 1Dd5VTCkRtMG8bpuHZrjkLf1TeZ8cwZGDe.

That miniature thread on Twitter can be found here:

The tweet, which received 48 favorites and 28 retweets (at the time of writing), also tagged the owner of Binance, Changpeng Zhao (known colloquially as 'CZ'), as well as another popular influencer named 'loomdart'.

As expected, neither of them acknowledged the tweet or responded. However, in light of the fact that they were mentioned in these tweets (which received a somewhat substantial amount of reaction in the form of 'favorites' / 'retweets' [which normally trigger additional notifications for the tagged individual]), it would not be unfair to assert that they should have been more than aware of what this user wrote regarding the presence of a customer address at their exchange found laundering a significant amount in funds through their exchange.

Since the tweets by both Dovey Wan and 'Dan Levine' were written in August 2019, this report serves as a 'follow up' to assess the identified wallets in the several months since they were originally identified.

Starting With the Source Address

The one address that was positively identified as being in connection with the PlusToken scam is 1Dd5VTCkRtMG8bpuHZrjkLf1TeZ8cwZGDe

In order to pursue the lead given to us by Dan Levine, we're going to use the 'BitQuery' tool, located at explorer.bitquery.io.

Our biggest challenge in this endeavor will be following the lead given to us by Twitter user 'Dan Levine', as he gave a supposed path between the identified main wallet for the 'PlusToken' scam but not the direct path to the other wallets that he identified on his way to Binance.

For convenience, the alleged path of wallets identified by Dan is as follows:

  1. source wallet = 1Dd5VTCkRtMG8bpuHZrjkLf1TeZ8cwZGDe
  2. 14mgSL6jyU6P8zmAV6SNQsD5Bp9R2dkgzW
  3. 1GYGMsDjaYsXaV277wpU9cSY4Xp5e3ypZU
  4. 128hQS9xeXgtVAFHvgQ6TZFxvqRkcT6q9z
  5. 19msUPsm7cHG8pGTavUr2AeZJsoRTNju1P

Proving the Second Wallet's Connection (14mgSL6jyU6P8zmAV6SNQsD5Bp9R2dkgzW)

Fortunately the connection between the first and second wallet wasn't too difficult to make (1Dd5VTCkRtMG8bpuHZrjkLf1TeZ8cwZGDe to 14mgSL6jyU6P8zmAV6SNQsD5Bp9R2dkgzW).

That can be seen through this graphical explorer here:

14mgSL6jyU6P8zmAV6SNQsD5Bp9R2dkgzW money flow in Bitcoin Mainnet

Specifically the link can be seen here:

Great. Now we just need to establish the next connection from here.

Proving the Third Wallet's Connection (1GYGMsDjaYsXaV277wpU9cSY4Xp5e3ypZU)

In order to make this connection, we need to identify a transaction(s) between 14mgSL6jyU6P8zmAV6SNQsD5Bp9R2dkgzW (second wallet address) and 1GYGMsDjaYsXaV277wpU9cSY4Xp5e3ypZU (third wallet).

Unfortunately, Bitquery won't be the solution for us this time. But it is worth noting that:

A) Money was sent into this address by Binance's hot wallet address. On a surface level, that means that the owner of this address also has an account at Binance and nothing more. That's fine.

B) Money was sent from this address to Huobi's cold wallet, which is really interesting...because there is absolutely zero reason for why any customer would ever be sending funds to an exchange cold wallet. Those wallets are specifically kept offline and only receive sends from the exchange itself in an attempt to mitigate their overall risk in the instance of hacks, outright theft, mistakes, etc.

C) Given the observation that we made in 'B', we must concede the fact that the owner of the wallet (potential customer at Binance) must be staff / administration at Huobi. It would be implausible to suggest someone accidentally sent 48.2 bitcoins to Huobi's cold wallet by mistake. Going by Bitcoin's current market rates, that would be a $1.7 million gaffe.

See below:

source: https://explorer.bitquery.io/bitcoin/address/1GYGMsDjaYsXaV277wpU9cSY4Xp5e3ypZU/graph

A more granular look shows us that there were actually 5 total transactions between 1GYGMsDjaYsXaV277wpU9cSY4Xp5e3ypZU and Huobi's cold wallet here:

Finally Identifying the Connecting Transactions

After a cursory search online, we were able to come across transactions such as this one: 2409b7c70d8d1f8be8df9462680b78a30a12acd6eed04fbe89286a5f890ce975

Below is a view of the inputs of the transaction from Bitquery:

The boxed transaction in the screenshot above represents the second address that was the subject of our investigation (14mgSL6jyU6P8zmAV6SNQsD5Bp9R2dkgzW).

Before moving forward though, let's check on that 'source transaction' that's displayed next to the second address in our transaction link:

That refers to the following transaction ID: c1c540a62afd6039e798525d4847ca77668de45db524bff64e4431f45e6cc1f8

Scrolling down the page hyperlinked with the transaction ID above, we'll find the inputs and outputs of the transaction.

There are a few interesting points of note here:

The 1Dd5VTCkRtMG8bpuHZrjkLf1TeZ8cwZGDe address is one of the inputs in this transaction, so we have established a direct chain to the third address with this transaction.

Bitquery states that the 14mgSL6jyU6P8zmAV6SNQsD5Bp9R2dkgzW address is "likely change", which is very interesting.

Going off of this lead, we decided to look up the 14mgSL6jyU6P8zmAV6SNQsD5Bp9R2dkgzW address on https://walletexplorer.com

Why There?

Wallet Explorer provides cluster identities for Bitcoin, which are basically 'super wallets' where all affiliated / related addresses are lumped together under one entity.

Skepticism About Address Clustering

During the QuadrigaCX debacle, Librehash published a significant amount of research that ended up being cited in the Wall St. Journal, Washington Post and several other reputable publications.

See below:

  1. The Wall Street Journal  (https://www.wsj.com/articles/a-crypto-mystery-is-140-million-stuck-or-missing-11549449001)
  2. Vice News  (https://news.vice.com/en_us/article/zma4w3/quadriga-crypto-gerald-cotten-canada)
  3. CoinDesk  (https://www.coindesk.com/crypto-exchange-bitfinex-denies-accusation-of-insolvency)
  4. CoinTelegraph (https://www.wsj.com/articles/a-crypto-mystery-is-140-million-stuck-or-missing-11549449001)
  5. Bitcoin Wiki  (https://en.bitcoin.it/wiki/Privacy)
  6. The Washington Post  (https://www.washingtonpost.com/business/2019/02/04/cryptocurrency-company-owes-customers-million-it-cant-repay-because-owner-died-with-only-password/?utm_term=.89137bf01e75)
  7. Engadget  (https://www.engadget.com/2019/03/08/quadrigacx-bitcoin-missing-millions/)
  8. Investing (.com)  (https://m.investing.com/news/cryptocurrency-news/bitcoin-falls-report-finds-quadriga-stored-ethereum-on-other-exchanges-1796852)
  9. Yahoo! Finance  (https://finance.yahoo.com/news/bitcoin-falls-report-finds-quadrigacx-092000704.html)
  10. FXStreet  (https://www.fxstreet.com/cryptocurrencies/news/the-quadri1gacx-story-takes-another-strange-twist-201902042301)

Additionally, there are several academic publications that attest to the effectiveness of address clustering as a method of lumping together identities on the Bitcoin blockchain due to the ease upon which one can link transactions together with each other.

  1. Study From Princeton University Outlining a Tool That They Created That Effectively Clusters Entities All Around the Blockchain Space: https://www.cs.princeton.edu/~arvindn/teaching/spring-2014-privacy-technologies/btctrackr.pdf
  2. Report by the Waterford Institute of Technology and Elliptic Enterprises Ltd., titled 'The Unreasonable Effectiveness of Clustering': https://www.cs.princeton.edu/~arvindn/teaching/spring-2014-privacy-technologies/btctrackr.pdf
  3. Tracing Cryptocurrency Scams: Clustering Replicated Advance-Fee and Phishing Website: https://arxiv.org/pdf/2005.14440.pdf

This method also proved quite effective in identifying all addresses that were related to Mt. Gox after the exchange's infamous implosion in 2014: https://petra.isenberg.cc/publications/papers/Kinkeldey_2019_VAA.pdf

U.S. Federal Authorities Depend on Address Clustering to Identify Entities as Well

Perhaps the most important 'vouch' for the effectiveness of address clustering can be found in the fact that there is open testimony in court documents from the FBI stating that this is one of the techniques that they use to identify certain entities that they are pursuing punitive measures against.

One such example can be found in United States v. Approximately 15,602 Ether (ETH) and .16 Bitcoin (BTC) seized by law enforcement on or about December 14, 2017 (3:20-cv-06482) [it says the U.S. vs. inanimate objects / possessions because this is a 'jurisdiction in rem' case, which is what asset seizures / forfeiture procedures initiated by the federal government are typically categorized under]

The relevant court filing for this case can be found here:

Within the filing it is specifically stated:

"Bitcoin address clustering is a process that attempts to de-anonymize a user by identifying all of the addresses that they control."

Additionally:

"USSS [U.S. Secret Service] determined that BTC stolen from Poloniex accounts was deposited into the 1Q9UA BTC 'cluster'. The 1Q9UA BTC 'cluster' is the name given to a group of 558 BTC addresses that are likely controlled by the same individual..."

There are plenty of other mentions by the U.S. attorneys attesting to the clustering methods that they used in order to identify all of the addresses that were under a certain entity's possession.

Clustering is Not in Dispute - Conversation Over

Some disingenuous actors in the blockchain space (i.e., Peter Todd ; recently accused of raping and sexually harassing several women working for the Tor Project), insinuated that there was some doubt in the reliability of clustering addresses in 2019 shortly after the implosion of QuadrigaCX with the nefarious intent of casting doubt on hardlined research that showed the criminal activity of QuadrigaCX.

Ironically, it was later revealed that Jennifer Robertson was represented by Crypto Capital Co., but that's a digression.

Based on the evidence above, there should be no doubt as to the veracity of address clustering as a method of identifying entities on the Bitcoin blockchain.

Examining the Cluster Attached to the First Two Addresses

Specifically, we want to take a look at the clusters that are attached to the first two addresses that we examined here:

A) 1Dd5VTCkRtMG8bpuHZrjkLf1TeZ8cwZGDe

B) 14mgSL6jyU6P8zmAV6SNQsD5Bp9R2dkgzW

Using WalletExplorer

This is one of the better sources out there for concrete information on Bitcoin clusters.

The website has been in existence for quite some time and the original developer of the site went on to work with the founder of Chainalysis on developing that platform too (apparently they feel that they're worth $100 million at this point in time, which is a bit surprising).

Let's take a look at the following website:

WalletExplorer.com: smart Bitcoin block explorer

When we look up the first address (1Dd5VTCkRtMG8bpuHZrjkLf1TeZ8cwZGDe), we end up with:

Interesting, HaoBTC.

Now let's look up the second address here (14mgSL6jyU6P8zmAV6SNQsD5Bp9R2dkgzW):

Unsurprisingly, this leads us to the exact same cluster with HaoBTC.

The identity and operations of HaoBTC will be discussed further in a supplementary article that is published following this one. But for now - let's continue forward with the knowledge that the origin transaction for our investigation (as well as the first wallet that it transacted with) are definitively attached to HaoBTC.

In addition, we have shown that Huobi has some sort of ownership / control over these addresses since we witnessed sends going direct from the 14mgSL address to Huobi's cold wallet (no customer funds are ever sent to the cold wallet for any reason...ever). To recap, there were five such transactions, totaling several million dollars - so the chances that this was done by mistake are little to none.

Back to the Third Connecting Address

The connection between the second and third address is found in this transaction: 2409b7c70d8d1f8be8df9462680b78a30a12acd6eed04fbe89286a5f890ce975

To reiterate, this third address is: 1GYGMsDjaYsXaV277wpU9cSY4Xp5e3ypZU

If we track this transaction to its source (i.e., look at where the funds from the 2409b7c transaction came from), then we'll see that our origin wallet that we were examining serves as the source for this transaction, making the link very explicit at this point:

The transaction ID here = c1c540a62afd6039e798525d4847ca77668de45db524bff64e4431f45e6cc1f8
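The hop-by-hop tracing done by hand above can be expressed as a search over spent outputs. The following is an added example, not the author's tooling: it assumes a simplified transaction format and uses constructed transactions with placeholder ids and addresses (`SRC`, `MID`, `HOP3`, `DEST`) rather than the real ones named in this report.

```python
from collections import deque

# Constructed sample data. Each input is an outpoint (previous txid, output
# index); each output is (address, amount). Ids and labels are placeholders.
SAMPLE_TXS = {
    "t0": {"inputs": [], "outputs": [("SRC", 100)]},
    # SRC spends: part goes onward, part comes back as change.
    "t1": {"inputs": [("t0", 0)], "outputs": [("MID", 60), ("SRC_CHANGE", 40)]},
    "t2": {"inputs": [("t1", 0)], "outputs": [("HOP3", 59)]},
    # Spends the traced output together with one from outside the data set.
    "t3": {"inputs": [("t2", 0), ("unknown", 0)], "outputs": [("DEST", 80)]},
    "t4": {"inputs": [("t1", 1)], "outputs": [("ELSEWHERE", 39)]},
}


def build_spender_index(txs):
    """Map each spent outpoint to the id of the transaction that spends it."""
    return {tuple(op): txid for txid, tx in txs.items() for op in tx["inputs"]}


def trace_funds(txs, source, target, max_hops=10):
    """Breadth-first search from outputs paying `source` to `target`.

    Returns the shortest chain as [(txid, address_paid), ...] or None.
    A chain proves that value *could* have flowed along it; when a hop has
    several inputs, how much of the output is attributable to the traced
    input is a modelling choice this sketch does not make.
    """
    spender = build_spender_index(txs)
    queue = deque()
    for txid, tx in txs.items():
        for vout, (addr, _amount) in enumerate(tx["outputs"]):
            if addr == source:
                queue.append(((txid, vout), []))
    seen = set()
    while queue:
        outpoint, path = queue.popleft()
        if outpoint in seen or len(path) >= max_hops:
            continue
        seen.add(outpoint)
        spend_txid = spender.get(outpoint)
        if spend_txid is None:
            continue  # unspent, or the spending transaction is not in the data
        for vout, (addr, _amount) in enumerate(txs[spend_txid]["outputs"]):
            hop = path + [(spend_txid, addr)]
            if addr == target:
                return hop
            queue.append(((spend_txid, vout), hop))
    return None


if __name__ == "__main__":
    for txid, addr in trace_funds(SAMPLE_TXS, "SRC", "DEST") or []:
        print(f"{txid} pays {addr}")
```

Each element of the returned chain names a transaction that can be opened in a block explorer and checked independently, which is what makes a claimed path between two wallets verifiable by a third party.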

Below is a visualization of the transaction flow between addresses:

Examining the Cluster Address That the Third Wallet is Connected to

When we plug in 1GYGMsDjaYsXaV277wpU9cSY4Xp5e3ypZU into 'WalletExplorer', here is the result that we end up with:

Judging by the labeling of this entity as well as the total # of funds that have entered into this wallet (thus far), it appears that the third wallet address in the chain belongs to Huobi.

This makes sense, since there are plenty of other indicators that Huobi has been involved in the transaction flow up to this point.

Thus, our next step is to either attach this third wallet to the 4th wallet in the chain or the 5th and final wallet (the latter would make any connections to the 4th wallet effectively moot).

So, thus far, we have HaoBTC funneling illicit funds from PlusToken directly to the Huobi cold wallet (at the time of writing).

Fourth Wallet Connection

This one should be seen as parallel to the third wallet here, since it, too, is part of the Huobi cluster (therefore, it is used as an input in transactions alongside the third wallet - 1GYGMsDjaYsXaV277wpU9cSY4Xp5e3ypZU).

An example of one such transaction can be found here: c11816cceaf5673d26bd5d9834b56e5e4a5e6101708568812d0e03f0e717cdb3

The final link to the 19msUPsm7cHG8pGTavUr2AeZJsoRTNju1P wallet was admittedly very difficult to find.

Fortunately, the blockchain space is rife with Bitcoin-based tools for on-chain dissections and analysis such as the one being performed in this report. One such tool that was perfect for the job was a site called 'btcsniffer.com'.

They specialize in showing relationships between different wallet addresses in the blockchain sphere. Here, we wanted to track the relationship between the 128hQS9xeXgtVAFHvgQ6TZFxvqRkcT6q9z address (Huobi) and the 19msUPsm7cHG8pGTavUr2AeZJsoRTNju1P address (which has sent well over 300k bitcoins over to Binance's hot wallet).

A connection between these two wallet addresses would complete the link that we drew from our initial wallet (1Dd5VTCkRtMG8bpuHZrjkLf1TeZ8cwZGDe).

Fortunately, we were able to find one at the following link:

https://btcsniffer.com/index.php?source=results&address=128hQS9xeXgtVAFHvgQ6TZFxvqRkcT6q9z&cb=2

In the screenshot below we can see that our 128hQS9 address sent over $3 million worth of Bitcoin (at the time of writing) to the notorious 19msUPsm7 address.

What this amounts to, of course, is Huobi essentially sending that money directly to an address functioning as a customer deposit address.

It's also worth noting that this address sent over $3 million worth of funds to Bittrex.com as well:

Since that's tangential to this analysis, we won't pursue that lead - but for those that are interested, the address in question (belonging to Bittrex.com) = 1AjY36YDrprdrcusoTAqzAvY6d93YwoNf8

Why We Describe the 19msUP Address as a 'Deposit Address'

Although it's clear that there is probably no customer at Binance's exchange that has deposited over $12 billion worth of Bitcoin through the exchange (this reaches far beyond the realm of absurdity to suggest such a possibility), it is still worth mentioning the functional role that this address is mimicking.

If we take a look at the inputs (alone), we can see that each and every single outgoing transaction is to Binance's hot wallet address (1NDyJtNTjmwk5xPNhjgAMu4HDHigtobu1s); the identity of Binance's hot wallet is not in dispute anywhere and can be easily corroborated via a cursory search on Google or any number of social media platforms.

Below are some screenshots from the Trezor block explorer that isolate the outgoing transactions from the 19msUP address:

Above are just three screenshots showing consecutive outgoing transactions from the wallet going to Binance's hot wallet address.

For those looking to peruse through the entire list, that can be viewed at this link: https://btc.exan.tech/address/19msUPsm7cHG8pGTavUr2AeZJsoRTNju1P?filter=inputs

Similarities With a Deposit Address

Typically, when customers create an account at a centralized exchange (i.e., Binance, Coinbase, Kraken, Bittrex, etc.), one of the first things that they will do is move their cryptocurrency funds onto the exchange so that they can trade with them on the open market.

In order to do so, they must first generate an address for the relevant cryptocurrency. So, for example, if someone created an account at Binance.com and they wanted to trade on their exchange market with Bitcoin, they would need to first create a Bitcoin address through the exchange site's interface.

Unlike a wallet, the user does not possess the private keys to this address. This is instead managed by the exchange itself.

Once customers send the relevant funds to the generated address, their account is typically credited with the equivalent amount of whatever currency they sent to the address.

So, if Joe Blow, for instance, generates a Bitcoin address on Binance.com, then sends 2 bitcoins to that address, he will be credited with 2 bitcoins on his exchange account (assuming everything goes as expected).

Address Sweeping

Rather than keeping those bitcoins in the wallet address that Joe Blow sent them to, Binance (and all other exchanges) have an automated mechanism called 'sweeping'.

What this does is automatically 'empty' out the wallet into the exchange's "hot wallet" (in Binance's case, that's the 1NDyJtNTjmwk5xPNhjgAMu4HDHigtobu1s address).

Reason For Sweeping

At some point in time, Joe Blow may want to withdraw his funds from the exchange. Let's assume that Joe Blow lost .5 bitcoins trading on Binance and now he only has 1.5 bitcoins left.

When Joe Blow makes the withdrawal request, Binance will simply send the funds to Joe from their hot wallet.

This is a lot easier than using the wallet that Joe sent his funds to originally because that would involve having to keep track of each and every single deposit address any and all customers generate on the platform (and there is no limit to how large that number may be).

So, to simplify things, exchanges keep track of user funds via an internal ledger on their website - so that when customers wish to withdraw their funds, they refer to their internal ledger system and allow users to withdraw their funds accordingly. By sending it all from one main wallet, exchanges are able to significantly streamline the process of ensuring that users receive their funds in an orderly fashion.
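The deposit-and-sweep pattern described in the sections above leaves a recognisable on-chain signature: an address whose every outgoing transfer goes to the exchange hot wallet. The following added example (not part of the original report) profiles addresses for that signature and separately flags ones whose swept volume is implausible for a single customer; the transfers, the `HOT` placeholder and the volume threshold are all constructed assumptions.

```python
from collections import defaultdict

HOT_WALLET = "HOT"  # placeholder for a known exchange hot wallet address

# Constructed sample transfers: (txid, from_address, to_address, amount_btc).
SAMPLE_TRANSFERS = [
    ("x1", "cust_ext", "DEP1", 2.0),    # ordinary customer deposit
    ("x2", "DEP1", "HOT", 2.0),         # swept to the hot wallet
    ("x3", "src_a", "DEP2", 100.0),     # repeated large deposits
    ("x4", "DEP2", "HOT", 100.0),
    ("x5", "src_b", "DEP2", 100.0),
    ("x6", "DEP2", "HOT", 100.0),
    ("x7", "src_c", "W1", 5.0),         # ordinary wallet: mixed destinations
    ("x8", "W1", "HOT", 3.0),
    ("x9", "W1", "other", 2.0),
]


def profile_addresses(transfers, hot_wallet):
    """Summarise per-address flows relative to the hot wallet."""
    profiles = defaultdict(lambda: {
        "received": 0.0, "to_hot": 0.0, "to_other": 0.0,
        "sweeps": 0, "senders": set(),
    })
    for _txid, src, dst, amount in transfers:
        profiles[dst]["received"] += amount
        profiles[dst]["senders"].add(src)
        if dst == hot_wallet:
            profiles[src]["to_hot"] += amount
            profiles[src]["sweeps"] += 1
        else:
            profiles[src]["to_other"] += amount
    return dict(profiles)


def find_sweep_only(transfers, hot_wallet, min_sweeps=1):
    """Addresses that behave like deposit addresses.

    They receive funds from outside, and everything they spend goes to the
    hot wallet and nowhere else.
    """
    result = []
    for addr, p in profile_addresses(transfers, hot_wallet).items():
        if addr == hot_wallet:
            continue
        if p["sweeps"] >= min_sweeps and p["to_other"] == 0 and p["received"] > 0:
            result.append(addr)
    return sorted(result)


def flag_high_volume(transfers, hot_wallet, threshold_btc):
    """Deposit-like addresses whose total swept volume exceeds a review threshold."""
    profiles = profile_addresses(transfers, hot_wallet)
    return {
        addr: profiles[addr]["to_hot"]
        for addr in find_sweep_only(transfers, hot_wallet)
        if profiles[addr]["to_hot"] > threshold_btc
    }


if __name__ == "__main__":
    print(find_sweep_only(SAMPLE_TRANSFERS, HOT_WALLET))
    # The 50 BTC threshold is an arbitrary value chosen for the sample data.
    print(flag_high_volume(SAMPLE_TRANSFERS, HOT_WALLET, threshold_btc=50.0))
```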

Examining the 19msUP Address

As stated above, the chances that this address is a genuine customer deposit address are zero.

Putting aside the fact that this address was already identified publicly by a random Twitter user as having nefarious origins (PlusToken scam) in a tweet where Changpeng Zhao (the owner of Binance) was directly tagged in said tweet - Binance also purports to have a robust compliance team in 'CipherTrace'.

source (CipherTrace's own website): https://ciphertrace.com/binance-partners-with-ciphertrace-to-further-strengthen-compliance-culture/

Below is another report from CoinDesk (issued around the same time as the first one):

source: https://www.coindesk.com/binance-partners-with-ciphertrace-in-latest-compliance-push

Curiously, it seems that despite all of the maneuvers Binance allegedly took to ensure they were in "compliance", they managed to miss over $12 billion in illicit funds being liquidated directly through their exchange in tranches of $3 million deposits (which sometimes occur with the frequency of multiple times in a given day).

Additionally, there should be serious questions posed to Huobi as well as HaoBTC (now known as 'Bixin' after undergoing a rebranding in 2017 following their ousting by the Chinese government during a cryptocurrency 'crackdown' around the same period).

It is clear that HaoBTC was, at the very least, a conduit for the laundering of these funds and Huobi was not only complicit but arguably an accessory and accomplice to the perpetrated fraud.

Remember, the source address that this investigation began with (the one that was positively identified by Dovey Wan, 'Peckshield' and several other chain analysis firms via independent reporting and tracking), belonged to HaoBTC [Bixin] (indisputably; proven via cluster analysis and cross referencing 'walletexplorer.com').

This report will be followed up with supplementary exploratory investigations into the nature of entities like 'Bixin' and their potential motivations for wanting to either perpetrate the PlusToken fraud directly or assist in the exfiltration and subsequent laundering of billions of dollars in funds. We'll also be looking into what relationship they have with Huobi as well (since there clearly is a relationship between the two).

As far as Huobi and Binance are concerned, this stands as just one more definitive piece of evidence to suggest that the two are deeply intertwined with one another. There's no need to rehash the fact that one of the co-founders of Huobi is a seed investor in Binance (per Binance's original whitepaper):

link to whitepaper: https://reqs.librehash.org/project/assets/7hs61g6t9y4g48ss (hosted on our servers due to the potential for this to get "lost" anywhere else on the internet)

What is written above is certainly just the very tip of the iceberg. There will be a lot more to come in the near future.

Tags

cryptomedication

Happy to serve and help wherever I'm needed in the blockchain space. #Education #EthicalContent #BringingLibretotheForefront
