Novel Scheme to Launder Tether on Tron Blockchain Using Mining

Key insights:

  • The Tron Phishing Scheme uses mining to launder the gains obtained from the fraudulent scheme.
  • The scheme relies on three primary wallets, responsible for generating new phishing addresses and conducting fraudulent transactions.
  • The Profit Collector wallet, the primary repository for the funds obtained from phishing attacks, exchanges USDT for TRX via the SunSwap exchange.
  • The TRON tokens received during the exchange on the SunSwap are then used for staking to confirm transactions carried out by phishing wallets. 
  • The Super Representatives for TRON, who usually include Binance, Huobi, TRONscan, and others, change frequently, and a representative named metaverse home was found to be potentially involved in the TRON Phishing Scheme.

In a previous publication, we examined the genesis and evolution of the Tron Phishing Scheme and elucidated how malicious actors were able to generate revenue exceeding $770,000 via this fraudulent scheme.

In this article, we’ll take a deep dive into how the creators of this scheme use mining to launder the gains obtained from the TRON USDT phishing scam. Mining, which is the backbone of most cryptocurrencies, is typically a legitimate process used to validate transactions and add them to the blockchain. However, when criminals use stolen crypto funds to set up mining operations, it becomes a tool for money laundering.

As we discovered earlier, this TRON Phishing Scheme relies on 3 primary wallets, namely The Rod Wallet 1 (TEd8bfCniiWoZNrDnSCxKYS3aRyQuChy9Q), The Rod Wallet 2 (TE5M76ueVMUNpkVgVN2WKi2CiWKfpnQkCE), and The Profit Collector Wallet (TJqeuqZLkE5WLMD1de3bMbciw4s). The first two are responsible for generating new phishing addresses and conducting fraudulent transactions, while the latter serves as the main repository for the funds obtained from phishing attacks.

In general, the laundering of the funds received from the TRON USDT Phishing Scheme follows these steps:

  1. The Profit Collector Wallet exchanges the received USDT for TRX via the SunSwap exchange. The fraudsters use the TRX for staking to verify their transactions and cover transaction fees.
  2. When the staking volume exceeds 1-2 million, the remaining 12 are frozen to vote for the Tron validator metaverse home. Together with the wallet that collects the profit, approximately 100 phishing wallets participate in voting to help metaverse home be chosen as a validator.
  3. When metaverse home is chosen as a validator, it receives the opportunity to create and validate transaction blocks and receive a reward of 16 TRX for each block.
  4. As validator, metaverse home returns the full amount of the received TRX to the wallets that provided the TRX to vote for this candidate, and the process starts from the beginning.

However, let’s examine in detail how each stage of this process unfolds.

The Profit Collector wallet converts the received USDT to TRX using the SunSwap exchange.

The TRX tokens received during the exchange on SunSwap are used for staking to confirm transactions carried out by phishing wallets. Tron staking refers to the process of delegating TRX tokens to a Super Representative, Tron’s version of a validator node: a computer on the Tron network that assembles and validates blocks for the Tron blockchain. The process involves voting for one or more Super Representatives, which then earn rewards for validating blocks.

Starting from 12.14.2022, The Profit Collector Wallet started sending USDT to TNWHyMBKpvSawzzmDxBvqwcwn3GVERZ7Zw and TLVKsDGrmgKikroszUyrGCvMeyahwTRNix wallets.

TLVKsDGrmgKikroszUyrGCvMeyahwTRNix sends a small amount of USDT to the spam wallet for the new scheme's transactions of 0.02…USDT, made to avoid token spam marks from TRONscan.

TNWHyMBKpvSawzzmDxBvqwcwn3GVERZ7Zw sends the received funds to various wallets for storage and laundering (TXfJ1bGUEpvkN9q6LmhwGFK3kydo89mQY1, TVsmc2ezToWwGZUt2kH1Dgmky9wwvdpNAJ, TFBTR6vx4BN5w7weKynkP74zAA1ssNUjeE).

Here is an example of the TFBTR6vx4BN5w7weKynkP74zAA1ssNUjeE wallet sharing the profit with other phishing wallets.

Starting from 12.28.2022, all TRX from The Profit Collector Wallet is distributed among 11 wallets:

So how is it possible that one of the TRON Validators could be a TRON USDT Phishing Scheme Participant?

As is known, in the TRON Blockchain network the mining process is carried out using the delegated proof of stake (DPoS) method. The TRON Blockchain network includes 27 nodes that are considered Super Representatives. These nodes form an important part of the network and allow consensus to be reached.

However, Super Representatives are not static or fixed, and they change frequently. Every 6 hours, new representatives are elected on the TRON Blockchain network, who then become Super Representatives. Those selected as superdelegates for the next six hours get the opportunity to validate network transactions and earn network tokens throughout that period.

In the TRON network, the Super Representatives usually include Binance, Huobi, TRONscan and others.

During the analysis of the use of the TRON Blockchain network by the main wallet TJqeuqZLkE5WLMD1de3bMbciw4szTg18, a pattern was noticed: other wallets that are also engaged in staking for phishing addresses voted for the same representative, metaverse home (TMafrJCuNoYq3mg9dDThfg7c9VP6enZN6). Unlike the majority, this representative has no link to a site or page of its own and no mentions in Google, and it may be involved in the TRON Phishing Scheme.

That is, such a scheme creates an unlimited number of opportunities for fraudulent wallets to be elected as Super Representatives, continue to validate phishing transactions and earn the commission in TRON. These tokens will not be associated with phishing transactions, which creates an opportunity to launder the proceeds of this scheme through mining.
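
The voting pattern described above can be checked mechanically by measuring how much of each candidate's vote weight comes from wallets funded by known scheme wallets. The sketch below is an added example, not code from the original article; all addresses, transfers, votes and the 0.8 threshold are constructed placeholders and assumptions.

```python
from collections import defaultdict

# Constructed sample data (placeholders, not real chain data).
SEEDS = {"T_COLLECTOR", "T_PHISH_A", "T_PHISH_B"}  # known scheme wallets

TRANSFERS = [  # (sender, receiver, asset, amount)
    ("T_COLLECTOR", "T_STAKER_1", "TRX", 500_000),
    ("T_COLLECTOR", "T_STAKER_2", "TRX", 450_000),
    ("T_PHISH_A", "T_STAKER_3", "TRX", 300_000),
    ("T_EXCHANGE_HOT", "T_RETAIL_1", "TRX", 10_000),
]
VOTES = [  # (voter, candidate, vote weight in frozen TRX)
    ("T_STAKER_1", "SR_UNKNOWN", 500_000),
    ("T_STAKER_2", "SR_UNKNOWN", 450_000),
    ("T_STAKER_3", "SR_UNKNOWN", 300_000),
    ("T_PHISH_B", "SR_UNKNOWN", 50_000),
    ("T_RETAIL_1", "SR_UNKNOWN", 10_000),
    ("T_RETAIL_1", "SR_EXCHANGE", 5_000),
    ("T_RETAIL_2", "SR_EXCHANGE", 2_000_000),
    ("T_STAKER_1", "SR_EXCHANGE", 1_000),
]

def tainted_wallets(transfers, seeds, max_hops=1):
    """Seeds plus wallets that received TRX from them within max_hops."""
    tainted, frontier = set(seeds), set(seeds)
    for _ in range(max_hops):
        frontier = {dst for src, dst, asset, _ in transfers
                    if src in frontier and asset == "TRX"} - tainted
        tainted |= frontier
    return tainted

def sr_exposure(votes, tainted):
    """Per candidate: (tainted vote weight, total vote weight, tainted share)."""
    total, bad = defaultdict(int), defaultdict(int)
    for voter, candidate, weight in votes:
        total[candidate] += weight
        if voter in tainted:
            bad[candidate] += weight
    return {c: (bad[c], total[c], bad[c] / total[c]) for c in total}

def flag_candidates(votes, transfers, seeds, threshold=0.8):
    """Candidates whose vote weight is dominated by tainted wallets."""
    exposure = sr_exposure(votes, tainted_wallets(transfers, seeds))
    return sorted(c for c, (_, _, share) in exposure.items() if share >= threshold)

if __name__ == "__main__":
    for cand, row in sr_exposure(VOTES, tainted_wallets(TRANSFERS, SEEDS)).items():
        print(cand, row)
    print("flagged:", flag_candidates(VOTES, TRANSFERS, SEEDS))
```

A candidate with a small tainted share, such as the constructed SR_EXCHANGE, is not flagged even though one tainted wallet voted for it; the signal is concentration, not mere presence.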

During its entire tenure as a Super Representative, metaverse home mined more than 401,000 blocks and earned 6.5 million TRX for mining.

Assuming that this representative was voted for exclusively by fraudulent wallets, such as those used for phishing transactions, then even though the reward is sent to users, this Super Representative could be part of a scheme to launder the stolen funds.

This TRON USDT phishing scam is just one of many crypto scams that have become increasingly prevalent in recent years. Mining, in this scheme, has unfortunately become a tool for money laundering in the hands of these fraudsters. Overall, laundering crypto funds through mining is a complex and evolving issue. This case makes us think about the legitimacy of the transactions and block data in the TRON network validated by this Super Representative, and it requires ongoing attention and awareness from crypto users and law enforcement agencies to reduce potential risks and financial losses from malicious actors’ activities.