If you haven’t heard of PlusToken, consider yourself among the lucky. The crypto wallet company is accused of scamming its users out of billions of dollars in crypto assets. The scheme was so high profile, in fact, that Chinese authorities flew to Vanuatu, a small island nation over 4,000 miles from the Chinese mainland, to arrest six Chinese nationals in connection with the scam.
The scam saw users’ funds, worth billions, moved to wallets controlled only by the scammers. To get a better idea of how the scammers moved this money, LongHash focused on two Ethereum wallet addresses, this one and this one, and analyzed the transactions they were involved in.
Together, these two wallets alone once held more than 800,000 in ETH. That’s worth more than US$140 million at current ETH prices, and would have been worth even more during the time this scam was playing out this summer, as ETH’s price was higher for most of July and August.
The first wallet is still holding more than 789,000 likely stolen ETH. But the second, which once held more than 20,000 ETH, has since transferred virtually all of it away. Analyzing that wallet, LongHash has visualized what the PlusToken scammers did with this money.
Each dot in the figure above represents an Ethereum wallet, and each line represents a transfer. Colors represent the number of outgoing transfers from each wallet. Black dots are endpoints: wallets into which tokens were transferred and from which they have not been moved out. Dot size reflects the balance of assets left in the wallets after these transfers.
All told, PlusToken initiated a total of 7,722 transfers involving 4,592 addresses. Based on our analysis, these transfers can be divided into four phases.
In the first phase, 20,008 ETH were transferred from the initial wallet into this one. This money was then scattered out to 199 additional wallets in the second phase of transfers. The third phase saw all of those addresses transfer their balances into an even larger swarm of wallets (that’s the thick outer “ring” cluster visible in the chart above).
Then, in the final phase, larger clusters of the money were brought back together with transfers to the black dots, the endpoints that have not seen any outward transfers. There are 237 of these endpoint wallets in total, and most of them are currently holding between 10 and 100 ETH.
The likely reason for all of this complexity was to obfuscate where the scammed funds were being moved. PlusToken used similar tactics to move some of its users’ Bitcoin into new wallets, some of which have since been cashed out.
According to our analysis, though, all of the ETH is still sitting there. None of the 4,592 addresses have connections to exchanges, so it’s likely that none of it has been cashed out.
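The tracing steps described above (grouping wallets by hop distance from the starting wallet, finding endpoints with no outgoing transfers, and checking for exchange addresses) can be sketched as follows. This is an added example, not LongHash's code; the wallet labels, amounts and the exchange label set are constructed placeholders.

```python
from collections import Counter, defaultdict, deque

# Constructed sample transfers (sender, receiver, ETH); labels are placeholders,
# not real addresses from the PlusToken case.
TRANSFERS = [
    ("src", "hub", 100.0),                       # phase 1: consolidation
    ("hub", "a1", 60.0), ("hub", "a2", 40.0),    # phase 2: scatter
    ("a1", "b1", 30.0), ("a1", "b2", 30.0),      # phase 3: wider scatter
    ("a2", "b3", 40.0),
    ("b1", "end1", 30.0), ("b2", "end1", 30.0),  # phase 4: regroup
    ("b3", "end2", 40.0),
]
KNOWN_EXCHANGES = {"exchange_deposit_1"}  # hypothetical label set (assumption)


def trace(transfers, source, exchanges=KNOWN_EXCHANGES):
    """Follow funds out of `source` and summarise the transfer graph."""
    out_edges = defaultdict(set)
    net = defaultdict(float)  # net ETH received minus sent, per wallet
    for sender, receiver, amount in transfers:
        out_edges[sender].add(receiver)
        net[sender] -= amount
        net[receiver] += amount

    # Breadth-first search: hop count from the source approximates the phase.
    hops = {source: 0}
    queue = deque([source])
    while queue:
        wallet = queue.popleft()
        for nxt in out_edges.get(wallet, ()):
            if nxt not in hops:
                hops[nxt] = hops[wallet] + 1
                queue.append(nxt)

    # Endpoints: reachable wallets that received funds and never sent any on.
    endpoints = {w: net[w] for w in hops if w != source and w not in out_edges}
    return {
        "wallets_per_hop": dict(Counter(hops.values())),
        "endpoints": endpoints,
        "exchange_hits": sorted(set(hops) & set(exchanges)),
    }


if __name__ == "__main__":
    print(trace(TRANSFERS, "src"))
```

An empty `exchange_hits` list corresponds to the finding that none of the traced addresses connect to an exchange; any hit would mark a likely cash-out point.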
Of course, an awful lot of the stolen Ether is still sitting in this wallet, and hasn’t been moved or run through any kind of obfuscation process like the transfers depicted above.
LongHash will continue to watch these wallets and follow where users’ funds are being sent.