Analysis of the "Dust Attack" or "Dandruff Attack" on the Tron Network
Risks, Damage Assessment, and Solutions
1. GENERAL DESCRIPTION

Activity of the Russian money-laundering Telegram service @FAST_CLEAN_BTC_BOT (hereafter "ML-bot") started right after April 06, 2022, the day when the HYDRA darkmarket servers were seized by law enforcement agencies.

From the beginning, ML-bot advertised aggressively, with a focus on its money-laundering functions. Its counterparties (direct and indirect connections) are various Russian darkmarkets: OMG!OMG!, BlackSprut, MEGA and others.

The Bitcoin cluster of ML-bot (root address 18oxDVbE9BDNn1LLdy5CGAP7HUr4fGVFBT) includes more than 200 addresses and has received more than 4,100 transactions totalling more than 180 BTC.
2. OUTCOMES OF THE RESEARCH

ML-bot uses a mint-burn cycle on the RenBTC DEX to launder users' criminal assets; the laundered assets are then transferred to a CEX, after which clean BTC is sent back to the users.

According to the description of ML-bot, assets are paid out from previously laundered money and direct connections are obfuscated, but cluster analysis gives an overall view.

The following crypto-exchange deposit addresses involved in the money-laundering process were identified as a result of the research:
  • Binance: 16qT6urvhRmVARFVsV5sJKXjuW5ZiLrvG1 (25.34 BTC);
  • KuCoin: 3GgCzgj2qR8neutTkiyMeuVDVxHrfd8xe6 (9.24 BTC);
  • Huobi: 17DCLX55J3TTh58NsvdtkRmWWCBKjdcfaq (29.78 BTC);
  • FTX: 3ETFogh6AqY4t6ofjqQuNiQUifjeDypkGM (24.94 BTC);
  • Kraken: 3PHLr246vZ2GQRW2dAHE73Szm2wMShKiSG (22.37 BTC);
  • OKX: 3M27WCf8UTxpaHkuGiSvqKkJ6smeLAaLCX (2.33 BTC);
  • Gate: 1ac7ycZJt8CAfHhTpD2YHJwdVLBUHR3kT (22.52 BTC);
  • MEXC: 3NVjqGeJLn5JmmQjDaDoiZV98wY6MRsYm4 (3.41 BTC);
  • Wisenex: 34bBha2WgYQArXCdYyvprJjfBaxH8A4Xay (14.53 BTC).

Transactions from crypto-exchanges to the following addresses can help to identify the manager of ML-bot:
  • 1N3NbYPSEhgy7A27P6d5wS5bXeCfWEXxka (BTC);
  • TJQh8iEvZMj48p9atwmzB7F7aCySwpQSKW (TRC20).
3. PRIMARY DATA COLLECTION

The second phase: the investigation team of Match Systems sent BTC to the ML-bot address (1B1XnbaDUehX2B1hH77kBj9JFzW1g4Jn2P) from our address (bc1q6efxz3q6w9983tqm7m6p3yhu59h062r6a53wc9) via transaction ID 0c04c2bcf32c56511bb020468fcb2a6e46ce010de293069c63afd4509697da7d.
Third generation
Mailing is carried out chaotically using USDT tokens, and filtering of attack targets has been added.
It is a development of the second generation, but some ways of filtering attack targets have been added.
Such filters include:
  • the balance of the address;
  • the frequency of the target's transactions;
  • transaction time, etc.
Each developer of an attacking network sets such restrictions at his or her own discretion. At this stage the scheme of work becomes more complex through the introduction of analytics algorithms; this requires making more requests to the nodes of the network, which in turn can give technical capabilities for analysing the attackers.

Fourth generation
Selects addresses with an ending similar to the counterparty of the attacked address.
This algorithm of attacking-network operation already significantly increases the effectiveness of the attack, but requires a higher level of execution of the attacking network's modules. This attack generation selects addresses whose ending is similar to that of a counterparty of the attacked address.
Using the mechanism of matching the end of the crypto address, it generates an address that has the maximum similarity in the last characters. This significantly increases the chance of a successful attack. This attack can be combined with the various analytics methods available in the third generation.
At the same time, the choice of the attacked address and the generation of an attacker's address similar to the address of the target's counterparty make it necessary to promptly replenish the attacker's addresses with assets and resources to complete the transaction. This makes supplying the attacking network with Energy from staking of little use. Most of the attacking networks of this generation pay the commission for transactions by burning TRX.

Fifth generation
Target selection analysis; generating addresses similar to the counterparty; transferring an amount of assets similar to the one sent by the counterparty.
It is the most effective due to a combination of several mechanisms:
  • target selection analysis;
  • generating addresses similar to the counterparty;
  • transferring an amount of assets similar to the one sent by the counterparty as a test payment.
This generation is characterized by the most selective attacks, with an attempt to duplicate a test payment between addresses. During the analysis, we identified cases of sending duplicate amounts of up to 2 USDT, subject to a number of conditions, such as: the absence of transactions previously conducted between the parties, the presence of a significant amount on the target's balance, and the sending of a test payment of no more than 2 USDT.
Advantages:
  • Extremely high effectiveness of the attack.

Sixth generation
Adding the attacker's address to the list of persons to whom the victim "sent" assets earlier.
Since mid-November 2023, there have been attacks in which 0 USDT is sent from the victim's address to the attacker's address. This type of attack is possible because the Tron network places no restriction on sending 0 assets from any address, even without the private keys of the sending address.
The logic of this attack differs in that the attacker inserts his address not into the list of senders to the victim's address but into the list of persons to whom the victim has sent assets earlier. This feature makes the attack less noticeable and more effective for attackers. It can be combined with the mechanisms for generating cryptocurrency addresses similar to the attacked counterparties, which significantly increases the effectiveness of the attack.

The economy of "dandruff attacks"

The profitability of an attack is defined as the difference between the assets received by the attacking addresses from victims and the costs of operating the network.
The costs of operating the network consist of the following components:
  • Development of attacking network modules;
  • Activation of each address of the attacking network;
  • Transaction costs for transferring assets to attacking addresses for attacks and sending "dandruff";
  • The associated costs of obtaining data on the activity of the Tron network (external data providers or launching and maintaining your own node).
Profitability with the example of a separate network

The effectiveness of the attack is analysed using the attacking network whose assets were supplied from the address TTFGc88GU8LXrXNnSPZFeeivSwaBZoJGk1.
The address TTFGc88GU8LXrXNnSPZFeeivSwaBZoJGk1 sent 721,054 TRX and 1,750 USDT to more than 60,000 addresses of the attacking network, paying a commission of 90,443 TRX. The total cost of the crypto assets used within this network of addresses amounted to approximately $46,000. Combined with the other cost components listed earlier, the approximate amount of funds spent on launching the network was $50,000 to $55,000.
In the operation of the network under study, 153 receipts to attacking-network addresses were identified that followed a transaction sent from such an address to the attacked address. The total amount of funds received in this way amounted to at least 1,941,484 USDT.
The profitability of the studied network was over 3800%.

The most effective counteraction measures

As a result of the analysis of "dandruff attacks", we consider it possible to reduce the risk of such an attack in the following ways:
  1. Developers of cryptocurrency wallet applications may introduce the ability to hide transactions of less than $1 by default; this would reduce the effectiveness of attacks of the first, fourth and sixth generations to almost zero.
  2. In-depth analysis and de-anonymization of the managers of staking addresses supplying Energy to attacking networks will make this type of attack (for the second and third generations) more difficult and economically unprofitable.
  3. Analysis of the sources of TRX received by the networks of attacking addresses will allow additional pressure to be put on the administrators of the attacking networks of the first, fourth and sixth generations.
  4. Automatic blocking of Tether USDT assets at attacking addresses when amounts over a certain value are received on them after "dandruff" has been sent, based on an automatic activity-analysis algorithm (such an algorithm was implemented by our technical specialists in a few hours), will remove the economic feasibility of this type of attack.
  5. Studying the request logs of the key services that provide information about transactions on the Tron network will make it possible (if the attacker does not use his own node) to identify possible administrators of attacking networks of all generations.
  6. Identification of the authors of attacking algorithms can be done at the debugging stage by searching for similar attacks in the test network. Many attacking networks are tested on Tron test nets for debugging and tuning. Obtaining tokens in the Tron test net is possible only through the official community in Discord. An example of such an attack can be this transaction.
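The following is a wallet-side screen that applies the address-ending check and the dust and zero-value rules described for the fourth to sixth generations above, together with the sub-$1 threshold of countermeasure 1 and the "real funds sent to a flagged address" trigger of countermeasure 4. It is an added example, not code from the Match Systems report; the addresses, the 4-character suffix length and the sample history are constructed.

```python
from collections import namedtuple

Transfer = namedtuple("Transfer", "sender receiver amount")  # amount in USDT
DUST_LIMIT = 1.0  # countermeasure 1: transfers below this are hidden by default
SUFFIX_LEN = 4    # trailing characters a lookalike address copies (assumption)

# Constructed placeholders, not real Tron addresses.
ME = "TMe000000000000000000000000000000"
PARTNER = "TPartner00000000000000000000AbCd"
POISON = "TPoison000000000000000000000AbCd"  # copies PARTNER's last 4 characters
SAMPLE = [  # constructed history, oldest first
    Transfer(ME, PARTNER, 150.0),  # genuine payment: PARTNER becomes trusted
    Transfer(POISON, ME, 0.001),   # 4th/5th generation dandruff from a lookalike
    Transfer(ME, POISON, 0.0),     # 6th generation zero-value transfer "from" the victim
    Transfer(ME, POISON, 500.0),   # victim copies the wrong address from history
]

def lookalike(addr, trusted, n=SUFFIX_LEN):
    """Return the trusted address whose last n characters addr copies, if any."""
    for t in trusted:
        if t != addr and t[-n:] == addr[-n:]:
            return t
    return None

def screen(history, me):
    """Return (trusted, flags): counterparties that exchanged a real amount with
    `me`, and suspect address -> reasons, in the order the history shows them."""
    trusted, flags = set(), {}
    for tx in history:
        if me not in (tx.sender, tx.receiver):
            continue
        other = tx.sender if tx.receiver == me else tx.receiver
        if other in flags and tx.sender == me and tx.amount >= DUST_LIMIT:
            # countermeasure 4 trigger: real funds leaving towards a flagged address
            flags[other].append(f"real transfer of {tx.amount} USDT to a flagged address")
            continue
        if tx.amount == 0 and tx.sender == me:
            reason = "zero-value outgoing transfer"  # the victim never signed this
        elif tx.amount < DUST_LIMIT and tx.receiver == me:
            reason = "dust received"
        else:
            trusted.add(other)
            continue
        first_time = other not in flags
        flags.setdefault(other, []).append(reason)
        copied = lookalike(other, trusted) if first_time else None
        if copied:
            flags[other].append(f"address ending copies trusted counterparty {copied}")
    return trusted, flags
```

Transfers below DUST_LIMIT never enter the trusted set, so a wallet that hides them by default and refuses to autocomplete flagged addresses removes both the bait and the payoff of the lookalike address.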

Information resources used
https://tronscan.org/
https://developers.tron.network/docs/resource-model
https://tronstation.io/calculator

The study was carried out by:
  • Maxim Falaleev
    Senior developer
Blog Match Systems