
Investigation analytics on "Thodex" scam

On April 21, 2021, the Turkish crypto exchange Thodex, which had been operating on the market for 4 years, was closed, and its founder, 27-year-old Faruk Fatih Ozer, disappeared, along with the money of the exchange's clients.

The scale of the losses can be judged from the figures about the crypto exchange published on the Internet:

  • Total amount of stolen funds: $2 000 000 000
  • Number of active users of the exchange: 390 000
  • Volume of trading on the exchange: $585 000 000

The Russian-language portal BeInCrypto published an article analyzing how the exchange collected funds and where they could have been withdrawn (Where did the Thodex Crypto Exchange Bitcoins Go? - Best Crypto News).

Based on the information given in that article, the TokenScope team conducted its own investigation, revealed the main withdrawal transaction chains, and found crypto addresses related to THODEX that hold more than $150 000 000 of stolen funds.

The main crypto addresses mentioned in the article are:

BTC

3MGdeqnS4h3hRWM5VqMLHFzwgJy6c1Zz9b – the main Thodex fundraising wallet. The total volume of transactions amounted to 4 660 BTC (with 643 BTC received since the beginning of 2021, while the main transfers to it were made during 2020); the current balance of the address is 0 BTC.

Analysis of the incoming transactions of the address shows that part of the funds were received from the address 17FBsEF3tZz2A3dWLJ6GyLpDcRqzSwqdCV (the turnover of the address was more than 21 000 BTC; the current balance of the address is 10 BTC). Based on the turnover, the specified address was one of the main addresses of Thodex. Studying the withdrawals from this address allowed us to establish cold wallets where funds are currently stored: bc1qu8ehf0wpyrdugdj9u87mghn2trw2fd5ynezp9wwm39eerzmuue0qj5d5yz currently holds 3 000 BTC (received at the address in August 2020).

Analysis of withdrawal transactions from 3MGdeqnS4h3hRWM5VqMLHFzwgJy6c1Zz9b shows that funds were withdrawn to wallets of the bc1q type, from which multiple withdrawal transactions were then made (from one address to several at once): part of the funds went to wallets of the same type (bc1q), and part to wallets starting with the digits "3" and "1".

Transactions were made with addresses from the Kraken cluster, so it can reasonably be assumed that the funds were withdrawn in BTC through that exchange. Among the addresses linked to 17FBsEF3tZz2A3dWLJ6GyLpDcRqzSwqdCV, one worth paying attention to is 3K8jNc88YA36ZdP7FdjhqnrLcaLoSnPtYo (the turnover of the address was 20 145 BTC; the current balance of the address is 0 BTC). The nature and volume of its transactions indicate that this address also belongs to Thodex.


ETH

0x214989c36c5fd378bcbb27f70315049e3d8aa74c – one of the THODEX wallets, found by the authors of the investigation because its period of activity matches that of the bitcoin wallet 3MGdeqnS4h3hRWM5VqMLHFzwgJy6c1Zz9b (the last operation was on April 22, 2021). The total volume of transactions of the address was 126 331.9 ETH; the current balance of the address is 0.01 ETH.

Replenishment of the ETH address was carried out through a chain of addresses leading to a wallet on the Binance exchange 0x0681d8db095565fe8a346fa0277bffde9c0edbbf and also mining pools:

  • Hiveon Pool 0x1aD91ee08f21bE3dE0BA2ba6918E714dA6B45836;

  • Ethermine 0xea674fdde714fd979de3edf0f56aa9716b898ec8;

  • 2Miners 0x1ad91ee08f21be3de0ba2ba6918e714da6b45836.

Analysis of the ETH address 0x214989c36c5fd378bcbb27f70315049e3d8aa74c allows us to state that the funds were withdrawn through a hot wallet on the Binance exchange, 0x3f5ce5fbfe3e9af3971dd833d26ba9b5c936f0be. The specified address previously appeared in 2018 as a Binance address (McAfee vs Binance. How did the public confrontation end? (bitstat.top)).

In addition, we found the WETH address mentioned in the investigation, 0xc02aaa39b223fe8d0a0e5c4f27ead9083c756cc2, to which, according to the authors of the article, 1 280 ETH were transferred (it is unclear in which currency). The address is highly likely on the Binance exchange. In USDT, the specified wallet was replenished only 5 times between November 2019 and the closure of the exchange, and 2 transfers of 852 USDT and 458 USDT were received from the Huobi exchange.

Our team went further and analyzed previously unknown addresses to determine how the stolen assets were withdrawn and to identify addresses where THODEX funds are still stored. We examined the already known THODEX ETH address 0x214989c36c5fd378bcbb27f70315049e3d8aa74c for other tokens (the main ones are HOLO and USDT) and tracked the withdrawal links through them.

Following this logic, the addresses below were identified:

In HOLO, the total volume of transactions of the address 0x214989c36c5fd378bcbb27f70315049e3d8aa74c was 3 402 053 586 HOLO (equivalent of $88 500 000), the current balance is 0.15 HOLO, and the last operation of the address is dated 22.04.2021.

In USDT, the total volume of transactions of the address 0x214989c36c5fd378bcbb27f70315049e3d8aa74c amounted to 92 930 618 USDT (equivalent of $92 000 000), the current balance is 0.56 USDT, and the last transaction of the address is dated 22.04.2021.

Transaction analysis showed that the withdrawal of funds from the HOLO address 0x214989c36c5fd378bcbb27f70315049e3d8aa74c was carried out through hot wallets on the Binance exchange in HOLO currency 0x28c6c06298d514db089934071355e5743bf21d60 and 0x3f5CE5FBFe3E9af3971dD833D26bA9b5C936f0bE.

Transaction analysis of address USDT 0x214989c36c5fd378bcbb27f70315049e3d8aa74c showed that some of the funds were also withdrawn through a chain of addresses 0x5fd4350a70af528b447d4308a23876699774190e to hot wallets on the Binance exchange 0xc333e80ef2dec2805f239e3f1e810612d294f771 and 0x28C6c06298d514Db089934071355E5743bf21d60.

Replenishment of the HOLO address through a chain of addresses was carried out including Binance addresses:

and also through the Turkish crypto exchange Parabu

Replenishment of the USDT address from Binance addresses:

The study of the requests of TokenScope platform users and of the complaints of the scam participants on Twitter revealed previously unknown addresses used by the THODEX group:

  7. HOLO 0x6c6ee5e31d828de241282b9606c8e98ea48526e2: 71 022 105 HOLO is currently held at this address (equivalent of $1 800 000), and only incoming transactions have been made to the wallet;

Analysis of funds received on the "cold" HOLO wallet 0x6c6ee5e31d828de241282b9606c8e98ea48526e2 from 2018 to the present made it possible to identify the addresses of the largest senders of funds and, by following them, to understand the fundraising wallets:

  1. 0x274f3c32c90517975e29dfc209a23f315c1e5fc7 transfers of 15 400 000 HOLO (3 transactions of 9 000 000 HOLO, 4 500 000 HOLO and 1 900 000 HOLO) to the wallet on the Hotbit exchange; the last operations in HOLO were carried out on April 30, 2021, that is, immediately after the scam. Initial replenishment of the address 0x274f3c32c90517975e29dfc209a23f315c1e5fc7 was carried out from the IDEX decentralized exchange hot wallet 0x2a0c0DBEcC7E4D658f48E01e3fA353F44050c208 (the total turnover of the address is 90 000 000 000 HOLO, the current balance is 538 000 000 HOLO, equivalent of $14 000 000). Subsequently, on June 17, 2018, 3 800 000 000 HOLO and on March 30, 2019, 100 000 000 HOLO were sent from the address 0x274f3c32c90517975e29dfc209a23f315c1e5fc7 to the address 0x8533a0bd9310eb63e7cc8e1116c18a3d67b1976a (the current balance is 388 000 000 HOLO, equivalent of $10 000 000), and then during 2019 and until April 2021, almost all funds were withdrawn back to the specified address. A transfer of 45 000 000 HOLO was made from the address 0x274f3c32c90517975e29dfc209a23f315c1e5fc7 to the address 0x2acdb44596e2b6ffbbf62614c9aad9cd04980248, whose only operation, in the amount of 50 300 000 HOLO on May 16, 2021, went to the wallet on the Hotbit exchange 0x562680a4dc50ed2f14d75bf31f494cfe0b8d10a1 (currently active). Part of the funds from the address 0x274f3c32c90517975e29dfc209a23f315c1e5fc7 was directed to the Binance wallet 0x8f00d514ea1cda9c20fa4a5b09c3e1f44e329b45 (the last operation in HOLO was on November 30, 2021; the current balance of the address is 0 HOLO).

  2. 0xcfd981a3102ee4eee63b0241490758eb1aa01f7a transfer of 9 000 000 HOLO. The replenishment of the address was carried out through the Turkish crypto exchange Parabu 0xfb90501083a3b6af766c8da35d3dde01eb0d2a68 and 0x9acbb72cf67103a30333a32cd203459c6a9c3311. Withdrawal of funds from the address 0xcfd981a3102ee4eee63b0241490758eb1aa01f7a was carried out through wallets on the Binance exchange 0x28c6c06298d514db089934071355e5743bf21d60 (identified) and 0x3f5ce5fbfe3e9af3971dd833d26ba9b5c936f0be. 9 000 000 HOLO (equivalent of $234 000) were transferred for holding to the cold wallet 0x6c6ee5e31d828de241282b9606c8e98ea48526e2.

  3. 0x47bf43c4f2cbd10f9e35a986bf0f78d7a2bfe1af transfer of 8 000 000 HOLO. Fundraising was carried out from the hot wallets of the decentralized IDEX exchange 0x2a0c0DBEcC7E4D658f48E01e3fA353F44050c208 and 0x27735ae998bdaf0fa1f337845d250d6b0d1dc405, as well as a wallet on the Hotbit exchange 0x274f3c32c90517975e29dfc209a23f315c1e5fc7. Withdrawal of funds from the address 0x47bf43c4f2cbd10f9e35a986bf0f78d7a2bfe1af was carried out through a wallet on the Binance exchange 0x28c6c06298d514db089934071355e5743bf21d60 (identified).

  4. 0xae37e54c53323f81d996f2a90517a6abe61c3328 transfer of 7 000 000 HOLO. The replenishment of the address was carried out from the hot wallet of the decentralized IDEX exchange 0x2a0c0DBEcC7E4D658f48E01e3fA353F44050c208. Withdrawal of funds from the address was carried out through a wallet on the Binance exchange 0x3f5ce5fbfe3e9af3971dd833d26ba9b5c936f0be.

  5. 0x75e89d5979e4f6fba9f97c104c2f0afb3f1dcb88 transfer of 4 200 000 HOLO to the wallet on the MXT exchange. Withdrawal of funds from the address was carried out through a wallet on the Binance exchange 0x28c6c06298d514db089934071355e5743bf21d60 (identified). Funds were received to the wallet from hot wallets on Binance 0x564286362092d8e7936f0549571a803b203aaced, 0x708396f17127c42383e3b9014072679b2f60b82f and 0x21a31ee1afc51d94c2efccaa2092ad1028285549, and also through the Turkish crypto exchange Parabu from 0x9acbb72cf67103a30333a32cd203459c6a9c3311.

  6. 0xf77af061772465c7491c07e9067f2d0aa2ab8d2e transfer of 5 500 000 HOLO. Funds were received from a hot wallet on the Binance exchange 0x564286362092d8e7936f0549571a803b203aaced. There were no withdrawals from the specified address other than to the cold wallet.

  7. 0xfa746764a731c52c447470d39cfe45391ea1d69a transfer of 3 100 000 HOLO. Replenishment from the IDEX decentralized exchange hot wallet 0x2a0c0DBEcC7E4D658f48E01e3fA353F44050c208.

  8. 0xd4366db98182bb44ee6787cc290c1c678a4f5603 transfer of 1 400 000 HOLO. Replenishment from the hot wallet of the decentralized IDEX exchange 0x2a0c0DBEcC7E4D658f48E01e3fA353F44050c208. There were no withdrawals from the specified address other than to cold storage.

  9. 0x758716e7e12f2f8b9e9d76d1e066d6f0ff0e299b transfer of 2 800 000 HOLO, withdrawal of funds was carried out through the exchangers Gate.io_1, Exchange Wallet 0x0d0707963952f2fba59dd06f2b425ace40b492fe.
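The method used for the list above (rank the largest senders to the cold wallet, then follow each sender's own incoming transfers back to a labelled exchange wallet) can be sketched as follows. This is an added example, not TokenScope's code: the transfer records are constructed, the intermediary `HOP` is made up, and the exchange labels are the article's attributions.

```python
from collections import defaultdict

COLD = "0x6c6ee5e31d828de241282b9606c8e98ea48526e2"   # HOLO "cold" wallet
A = "0xcfd981a3102ee4eee63b0241490758eb1aa01f7a"
B = "0x47bf43c4f2cbd10f9e35a986bf0f78d7a2bfe1af"
C = "0xf77af061772465c7491c07e9067f2d0aa2ab8d2e"
IDEX = "0x2a0c0DBEcC7E4D658f48E01e3fA353F44050c208"
BINANCE = "0x564286362092d8e7936f0549571a803b203aaced"
PARABU = "0xfb90501083a3b6af766c8da35d3dde01eb0d2a68"
HOP = "0x" + "11" * 20                                 # made-up intermediary
LABELS = {IDEX: "IDEX", BINANCE: "Binance", PARABU: "Parabu"}  # per the article

# Constructed sample (sender, recipient, HOLO). Totals into COLD follow the
# article; the split into transfers and the funding legs are invented.
TRANSFERS = [
    (A, COLD, 9_000_000),
    ("0x" + B[2:].upper(), COLD, 5_000_000),   # same sender, different casing
    (B, COLD, 3_000_000),
    (C, COLD, 5_500_000),
    (PARABU, HOP, 9_500_000), (HOP, A, 9_500_000),
    (IDEX.lower(), B, 8_200_000),
    (BINANCE, C, 5_500_000),
]

def norm(addr):
    """Hex addresses compare case-insensitively; EIP-55 casing is a checksum."""
    return addr.strip().lower()

def top_senders(transfers, wallet):
    """Total received by `wallet` per sender, largest first."""
    totals = defaultdict(int)
    for src, dst, amount in transfers:
        if norm(dst) == norm(wallet):
            totals[norm(src)] += amount
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)

def funding_sources(transfers, addr, labels, max_hops=3):
    """Follow incoming transfers backwards until labelled wallets are reached."""
    labels = {norm(k): v for k, v in labels.items()}
    incoming = defaultdict(set)
    for src, dst, _ in transfers:
        incoming[norm(dst)].add(norm(src))
    found, seen, frontier = set(), {norm(addr)}, {norm(addr)}
    for _ in range(max_hops):
        new = {s for node in frontier for s in incoming[node]} - seen
        seen |= new
        found |= {labels[s] for s in new if s in labels}
        frontier = {s for s in new if s not in labels}
    return sorted(found)
```

Normalizing case before grouping matters here because the article itself writes the same Binance wallet both as 0x28c6c06298d514db089934071355e5743bf21d60 and as 0x28C6c06298d514Db089934071355E5743bf21d60.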

Thus, we can generalize that cryptocurrency funds in HOLO were transferred through addresses on the IDEX and Hotbit exchanges and through the Turkish crypto exchange Parabu. Some part of the funds remained on the "cold" HOLO wallets (about $30 000 000), while the main amount of the funds was withdrawn through wallets on the Binance exchange.

Moreover, analysis of the HOLO token exchange rate history shows that from mid-March to mid-April 2021 the HOLO price reached its maximum and then fell threefold. Given that the peak of the coin's value preceded the THODEX scam by about 2 weeks, and that part of the funds were withdrawn and collected in the HOLO coin, it is possible to make a reasonable assumption that the organizers of the pyramid deliberately held a "pump" of the coin before the exchange closed in order to sell the coin at the peak and thus benefit from it.

Main conclusion: funds were collected in HOLO through the IDEX, Hotbit and Parabu exchanges and were subsequently withdrawn through hot wallets on the Binance exchange. Fundraising in ETH was carried out through mining pools, and the funds were later withdrawn through hot wallets on the Binance exchange. Funds in the BTC network were withdrawn through wallets on the KRAKEN exchange.

The TokenScope Team