Example of research based on the investigation of activity of Russian money laundering telegram-service @FAST_CLEAN_BTC_BOT
by investigation team of Match Systems
1. GENERAL DESCRIPTION

Activity of Russian money laundering telegram-service @FAST_CLEAN_BTC_BOT (hereafter — ML-bot) started right after April 06, 2022 - day when HYDRA darkmarket servers were arrested by law enforcement agencies.

ML-bot started from the beginning aggressive advertising with a focus on money laundering functions of it. Counterparties (direct and indirect connections) of ML-bot are different Russian darkmarkets: OMG!OMG!, BlackSprut, MEGA and others.

The bitcoin-cluster of ML-bot (root-address 18oxDVbE9BDNn1LLdy5CGAP7HUr4fGVFBT) includes >200 addresses and it received >4100 transactions for total amount >180 BTC.
2. OUTCOMES OF THE RESEARCH

ML-bot uses mint-burn cycle on RenBTC DEX for laundering of criminal assets of users, after which laundered assets transfer to CEX and after it clean BTC transfer to users.

According to the description of ML-bot, assets are issued from previously laundered money and direct connections are obfuscated but cluster analytic gives an overall view.



Following crypto-exchanges deposit addresses involved in money laundering process have been identified as a result of research:
  • Binance: 16qT6urvhRmVARFVsV5sJKXjuW5ZiLrvG1 (25.34 BTC);
  • KuCoin: 3GgCzgj2qR8neutTkiyMeuVDVxHrfd8xe6 (9.24 BTC);
  • Huobi: 17DCLX55J3TTh58NsvdtkRmWWCBKjdcfaq (29.78 BTC);
  • FTX: 3ETFogh6AqY4t6ofjqQuNiQUifjeDypkGM (24.94 BTC);
  • Kraken: 3PHLr246vZ2GQRW2dAHE73Szm2wMShKiSG (22.37 BTC);
  • OKX: 3M27WCf8UTxpaHkuGiSvqKkJ6smeLAaLCX (2.33 BTC);
  • Gate: 1ac7ycZJt8CAfHhTpD2YHJwdVLBUHR3kT (22.52 BTC);
  • MEXC: 3NVjqGeJLn5JmmQjDaDoiZV98wY6MRsYm4 (3.41 BTC);
  • Wisenex: 34bBha2WgYQArXCdYyvprJjfBaxH8A4Xay (14.53 BTC).

Transactions from crypto-exchanges to these addresses can help to identify manager of ML-bot:
• 1N3NbYPSEhgy7A27P6d5wS5bXeCfWEXxka (BTC);
• TJQh8iEvZMj48p9atwmzB7F7aCySwpQSKW (TRC20).
3. PRIMARY DATA COLLECTION

Activity of Russian money laundering telegram-service @FAST_CLEAN_BTC_BOT (hereafter — ML-bot) started right after April 06, 2022 - day when HYDRA darkmarket servers were arrested by law enforcement agencies.

ML-bot started from the beginning aggressive advertising with a focus on money laundering functions of it. Counterparties (direct and indirect connections) of ML-bot are different Russian darkmarkets: OMG!OMG!, BlackSprut, MEGA and others.
The second phase:

investigation team of Match Systems sent BTC to the address
of ML- bot (1B1XnbaDUehX2B1hH77kBj9JFzW1g4Jn2P)
from the our address
(bc1q6efxz3q6w9983tqm7m6p3yhu59h062r6a53wc9)
via transaction ID:
0c04c2bcf32c56511bb020468fcb2a6e46ce010de293069c63afd4509697da7d
The third phase:

investigation team of MatchSystems traced assets at the address of ML- bot 1B1XnbaDUehX2B1hH77kBj9JFzW1g4Jn2P after our transaction.
All assets from the address 1B1XnbaDUehX2B1hH77kBj9JFzW1g4Jn2P sent to the cluster with root-address 18oxDVbE9BDNn1LLdy5CGAP7HUr4fGVFBT (includes >200 addresses and it received >4100 transactions for total amount >180 BTC).


The fourth phase:

receiving “cleaned” coins. The following transactions were received on the addresses entered to receive funds:
  • 9960308cd7ea7ab9dc3bfc5ccefa4d35733598f86d66d1b3fff07ebe921a898a (TRC20) — from the address TJQh8iEvZMj48p9atwmzB7F7aCySwpQSKW;
  • e971687765fc4edb2180d3e716ee73fa7af7fd5710fb7d5a0181e5c38ac9ba02 (BTC) — from the address 1N3NbYPSEhgy7A27P6d5wS5bXeCfWEXxka.
4. ANALYSIS

Due to payments to users from previously laundered funds and the dilution of assets, tracking specific transactions makes sense only before the funds enter the bot cluster. Further analytical work is carried out only with impersonal tools included in the ML-bot cluster.

Our investigation team traced the path of funds out of the cluster ML-bot and determined that most of the assets were transferred to RenBTC bridge.

To find the connections between the source transactions to the addresses of the RenBTC project and the subsequent converted assets in the form of RenBTC tokens, the analytical tool Drawbridge from MatchSystems was used.

The principle of operation of Drawbridge is reduced to a comparison of the combination of factors of the source assets and their analogue after passing through the RenBTC bridge.

As a result of the analysis of the ML-bot cluster, a scheme of its work was revealed, described in the diagram below.



Concrete example:

  1. Our funds: bc1q6efxz3q6w9983tqm7m6p3yhu59h062r6a53wc9;
  2. Transaction 0c04c2bcf32c56511bb020468fcb2a6e46ce010de293069c63afd4509697da7d to the address of ML-bot;
  3. One-time address of ML-bot: 1B1XnbaDUehX2B1hH77kBj9JFzW1g4Jn2P;
  4. Transaction 9eab1b7b609b7620cd7137804faad446a1ac630d4c4627d128c2b6dd3c598920 to the cluster of ML-bot;
  5. Recipient of assets in the cluster of ML-bot: 1H17AgGngwiUTnMjKvhzUxwzBLxphQMj88 (included in the cluster with root-address (18oxDVbE9BDNn1LLdy5CGAP7HUr4fGVFBT);
  6. One of many transactions of the cluster of ML-bot to RenBTC: 5c9a0d3cf7e4c8a51bd6560a5139c2ceab0f46c463981e0755ab544facea6d6a;
  7. RenBTC: 3LVVAj5cLjYRKsAWgSjn7pNKoDxT5XMa1L
  8. Matched by DrawBridge mint- transaction (BSC) with RenBTC tokens from RenBTC bridge: 0x4c512826228960 0cf3942345e4cc55446e1dce09e76f18f13 13f8eac44c2a28d;
  9. Matched by DrawBridge recipient of RenBTC tokens (BSC), address: 0x6e5f03731bc53debe3ad673ec9436053a500e22d;
  10. Matched by DrawBridge burn-transaction (BSC) with RenBTC tokens to RenBTC bridge: 0xed41e5941f0a46fac0ac032916a46abb951e24345b9e6cebb2e71b7bdbdb9400;
  11. RenBTC: 0x95de7b32e24b62c44a4c44521eff4493f1d1fe13
  12. Matched by DrawBridge transaction withdraw BTC from RenBTC: 36f5553753c68104f6be77de52518905e35096683865f742044ee9cada393504
  13. Matched by DrawBridge recipient of BTC: 3PHLr246vZ2GQRW2dAHE73Szm2wMShKiSG (in this case it is Kraken exchange deposit address).
14-17. It isn’t obviously possible from the technical point of view without information about these exchanges account activities. Due to no access to the information we applied reverse analysis, where the starting point was the address of the sender of the laundered funds to the ML-bot client.

The sender of funds in BTC to address bc1qnf6ztm0x04rt6ykfe4xg9pzutunz0khcenw6ra was address 1N3NbYPSEhgy7A27P6d5wS5bXeCfWEXxka.

The address 1N3NbYPSEhgy7A27P6d5wS5bXeCfWEXxka received >70 BTC in >95 incoming transactions, while direct transactions from exchanges received >50 BTC, namely (few examples):

The sender of USDT in TRC20 to address TJMvcabnCp46XoUveDCfAxyUDhmC8p6KPS was address TJQh8iEvZMj48p9atwmzB7F7aCySwpQSKW.

The address TJQh8iEvZMj48p9atwmzB7F7aCySwpQSKW received >380k USDT in >85 incoming transactions, while direct transactions from exchanges received >340k USDT, namely (few examples):
Particular attention should be paid to the receipt of TRX to this address, since it is necessary for making transactions in the TRC20. These assets came from two exchanges:
  • KuCoin: ac3cc2329e4afe08dd95516d397c466ec57a465b037ff771905e6099831c58ab;
  • Binance: 1c1e0cd1346596607ace16622abe5d6db0c9e3624b4d3e81bd6048583c941986.
The sender of these transactions may be directly related to the management of ML-bot.
Blog