Dissecting a Multi-Billion Dollar Laundering Operation at HitBTC: Blockchain Analysis

Updated

We’re going to kick this one off by taking a look at HitBTC’s Bitcoin funds:













Brief Explanation





The picture above shows the inflow/outflow of Bitcoin for HitBTC.





It is important to note that the data above contains information about all addresses that are associated directly with HitBTC.





This includes all deposit addresses, cold & hot wallet addresses too. These are paired together via the clustering mechanism that you’ll find on walletexplorer.com.





Since the software that is being used in this report (Crystal Blockchain) is not publicly accessible, ‘WalletExplorer’ is the best choice to look at HitBTC’s cluster.





  1. Link to all addresses in HitBTC’s cluster: https://www.walletexplorer.com/wallet/HitBtc.com/addresses
  2. Link to transactions in the [new] HitBTC cluster: https://www.walletexplorer.com/wallet/HitBtc.com
  3. Link to transactions in the [old] HitBTC clusterhttps://www.walletexplorer.com/wallet/HitBtc.com-old




Users should note that most of the time, the website WalletExplorer will cluster the cold wallet in a separate cluster address.





Fortunately, Crystal does not do this. However, in this case, this is not what WalletExplorer did, so we are good to go.





Explanation For the Picture Itself





Obviously, what is most notable in the graphics above is that 99.8% of the funds went to a category titled, ‘Not defined’ by the software.





Even more interesting is the breakdown of funds flowing into the exchange.





As one can observe above, there is a category for ‘gambling’, which accounts for 39.9% of the inflow into HitBTC’s wallet.









By isolating this category, we can observe who the primary senders are. They are pictured below:









Gambling Outfits





As noted in the screenshot above, there are a significant number of gambling outfits that have sent funds directly to HitBTC.





In the picture above, a box was placed around ‘Coingaming.io’, because we can see that they have sent a remarkable 288k bitcions from 2014 to present day (literally).





This represents 41% of all coins that have been sent out from Coingaming.io (which has sent a whopping 690k bitcoins in total). This number also represents 40% of the total inflow of Bitcoin that HitBTC has received as well.





Brief Background On Coingaming.io





Coingaming.io is owned by ‘The Coingaming Group’.





Specifically, ‘The Coingaming Group’ is attached to bitcasino.io and sportsbet.io





The address that Coingaming.io has listed is:





mBet Solution N.V.
Wilhelminalaan 13
Willemstad
Curaçao





This address was located in the ‘Offshore Leaks Database’:









Two listed officers for the related address are:





  1. Antonius Andrianus Simonis
  2. Vivian V. Ersilia




Specifically, Antonius Simonis is attached to ‘CMS Management Ltd.’, which Vivian V. Ersilia is also attached to. They are both directors of this company.









As we expand the nodes, we start to find more interesting connections:









There is much to be said about the fact that these connections lead us back (almost directly) to Panama — which has been a hub for a significant amount of crime (gambling-related, in specific).





In addition, two of the casinos underneath ‘The Coingaming Group’, bitcasino.io and sportsbet.io, have been outed numerous times in media online for defrauding users.





One such publication covering these various frauds goes by the name, ‘Game Protect’:









Thus, the funds that are being sent from ‘Coingaming Group’ should be held in questionSignificantly so.





Origin of Funds is Questionable





While it is possible that all of the funds that have entered into the address (apart Coingaming.io) derive from legitimate customer deposits to the exchange, this should also be scrutinized and questioned.





Specifically, Coingaming.io warrants question not only for the reasons presented above, but also because of their reception of fraudulent funds in other notable hacks.













In both of the aforementioned hacks, funds eventually landed at Coingaming.io for some reason.





Examining the Outflow of Funds









We’ll begin by examining the first entity on the list, which is a cluster address that has received 488k bitcoins.





Examining the First Cluster Address Source





The walletexplorer address for this cluster https://www.walletexplorer.com/wallet/457b8ced800ee788





Address balances can be found here: https://www.walletexplorer.com/wallet/457b8ced800ee788/addresses





Below are the metrics for this cluster:













This cluster only contains 5 addresses, which are:





  1. 3JjPf13Rd8g6WAyvg8yiPnrsdjJt1NP4FC
  2. 378p3u4RN1HTEWFkiTK27zuBWbx6eLSX6p
  3. 3HMS9df28gpPkRggoGJuQ6sJ1GtKxeDMCb
  4. 3DLRBj8bqGMgB6vcKgWeQLqSV4eDUMvDGw
  5. 1N4LpcJrWgdW1iGjQstNGPLN1FZEj1bMsq




Thus, it could be posited that perhaps these were the cold wallet addresses for HitBTC (even though this has not been validated publicly).





When looking online, there are some interesting tidbits in relation to the first address on our list, such as the ones presented below:





https://bitcointalk.org/index.php?topic=2993610.0




Obviously, this isn’t a confirmed report, but there are some other ‘interesting’ reports about the addresses connected here, to say the least.





Inflow of Funds Reveals Potential Coingaming.io Ownership of HitBTC





This heading may be considered controversial to some, but it is a fairly supported conclusion when analyzing the inflow of funds into our second cluster address.





Let’s check out a picture below:









Let’s quickly summarize the wallet addresses that have sent funds to this second HitBTC wallet address.





They are:





  1. Changelly — Unfortunately, there isn’t much that we’ll be able to extract from this one because Changelly is a wallet swap service similar to ShapeShift. So there is no telling where these funds came from.
  2. HitBTC — The transaction with an orange box around it also stems from HitBTC. For whatever reason, HitBTC sent significant funds to another address before sending them here.
  3. Freewallet — This is a troubling connection because there is wealth of evidence to suggest that Freewallet was and is a fraudulent company that has stolen funds from customers.
  4. Coingaming.io — Again, we have another connection from Coingaming.io (whom sent the funds directly to the connected address before they were deposited into this final liquidation cluster for HitBTC).




Ownership of This Cluster





This is a cluster address that is clearly linked to HitBTC. However, there are no customers that were sending funds into this address — this is not attached to the HitBTC exchange directly.





Whatever source owns this address also has a significant stake in Coingaming.io. This entity must also be attached to the ‘Freewallet’ scam as well.





Notably, this was found online with regards to ‘Freewallet’:









https://www.reddit.com/r/Bitcoin/comments/6guas9/is_freewalletorg_legit_how_can_the_owners_be/




https://bitcointalk.org/index.php?topic=5094927.0




Outflow of Bitcoin Funds





Below, we can see the outflow of funds from the second cluster (where all of HitBTC’s bitcoin was sent):













As we can see in the figure above, funds went to:





  1. Bitfinex
  2. Binance
  3. Bitstamp
  4. Bittrex
  5. Poloniex
  6. Coingaming.io
  7. BitMEX
  8. OKEx
  9. Huobi
  10. Coinbase




Remaining Bitcoin Funds for HitBTC





  1. Cluster Address #1 (Main Cluster) = 191.60 bitcoins
  2. Cluster Address #2 = 166.3977 bitcoins
  3. Cluster Address #3 = 0 bitcoins (received 110k bitcoins from HitBTC; didn’t receive any after June 22nd, 2018)




These totals are as of May 17th, 2019.





The remaining clusters that received funds are empty.