This blog is an excerpt from the Chainalysis 2020 Crypto Crime Report, coming out in January 2020. Sign up here to claim your copy and we'll email it to you as soon as it's released!
Scams are all too common in the cryptocurrency world, with our internal research suggesting bad actors bilked billions of dollars’ worth of funds from millions of victims in 2019. In addition to the monetary losses sustained by affected individuals, scams paint a negative picture of the industry and may scare off potential participants.
But in the case of one notable 2019 scam, the consequences may go beyond the direct victims. We believe that the criminals behind the PlusToken Ponzi scheme could be driving down the price of Bitcoin when they liquidate their stolen funds via OTC brokers.
What is PlusToken?
Based in China, PlusToken presented itself as a cryptocurrency wallet that would reward users with high rates of return if they purchased the wallet’s associated PLUS cryptocurrency tokens with Bitcoin or Ethereum. The scammers claimed those returns would be generated by “exchange profit, mining income, and referral benefits.” PlusToken would go on to be listed on several Chinese exchanges and hit a peak price of $350 USD, raking in “investments” from millions of people.
Chinese media reports that the scam attracted over $3 billion worth of cryptocurrency. We tracked a total of 180,000 BTC, 6,400,000 ETH, 111,000 USDT, and 53 OMG (OmiseGo) that went from scam victims to PlusToken wallets, equating to roughly $2 billion. Either figure would make PlusToken one of the largest Ponzi schemes ever.
While six individuals connected to PlusToken were arrested in June, the stolen funds have continued to move through wallets and be cashed out through independent OTC brokers operating mostly on the Huobi platform, showing that one or more of the scammers are still at large.
How the PlusToken scammers utilize mixers, OTC brokers, and more to launder and cash out funds
While we tracked $2 billion worth of various cryptocurrencies that victims sent to the PlusToken scammers, some of that money was paid out to early investors, presumably to maintain the illusion of high returns while PlusToken presented itself as a legitimate company. In many cases, it’s difficult to tell whether transfers made by the PlusToken scammers were going to those early investors or to addresses under their own control. Nonetheless, we’ve tracked roughly 800,000 ETH and 45,000 BTC we can definitively say the scammers transferred to their own addresses to launder. They’ve cashed out at least 10,000 of that initial 800,000 ETH, while the other 790,000 has been sitting untouched in a single Ethereum wallet for months.
The flow of the 45,000 stolen Bitcoin is more complicated. So far, roughly 25,000 of it has been cashed out. The other 20,000 is currently spread out across more than 8,700 cryptocurrency addresses, which speaks to the high level of effort the scammers put into obfuscating the movement of funds. The scammers have transferred the Bitcoin more than 24,000 times, using more than 71,000 different addresses — and that’s not even counting cash outs or transfers to off-ramps such as exchanges.
Many of those transactions were conducted through mixers like Wasabi Wallet, which utilizes the CoinJoin protocol to make it more difficult to trace the path of funds. You can see an example in the Chainalysis Reactor graph below.
Here, we see that the funds are split off into large groups of new unique addresses, and re-consolidated later, which is activity typical of a mixer.
At other points, the scammers utilized peel chains and other complex movements to obfuscate the path of funds. Peel chains are strings of transactions commonly used for money laundering, in which entities send funds through several wallets in quick succession, usually breaking off small amounts to cash out at each step and sending the majority on to the next wallet.
The graph above is a great example of the PlusToken scammers’ obfuscation attempts. The funds start in the wallet in the upper left hand corner, and move to the right. Diagonal movements represent a change in address type, while vertical movements represent the use of a mixer.
In the end, the funds moved to the address of an OTC broker operating on Huobi to be liquidated — that’s how nearly all of the funds so far have been cashed out. For reference, OTC (Over The Counter) brokers facilitate trades between individual buyers and sellers who can’t or don’t want to transact on an open exchange. OTC brokers are typically associated with an exchange but operate independently. Traders often use OTC brokers if they want to liquidate a large amount of cryptocurrency for a set, negotiated price.
Some OTC brokers have significantly lower KYC requirements than most exchanges, which can make them attractive for criminals like the PlusToken scammers. Compliant exchanges monitor transactions and keep customer information on file so that they can report suspicious activity and comply with subpoenas from law enforcement. But OTC brokers play by different rules. While many are legitimate, others take advantage of lower KYC requirements to offer service to users with illicit funds. Some even specialize in the movement and laundering of criminal money.
And in this case, as we’ll examine below, these cashouts via OTC brokers may be driving down the market price of Bitcoin.
Are PlusToken scam liquidations driving down the price of Bitcoin?
So far, the PlusToken scammers have cashed out at least $185,000,000 worth of stolen Bitcoin via OTC brokers. Those who analyze cryptocurrency markets know that large liquidations generally tend to depress the price of Bitcoin, and others have asked if PlusToken-related cashouts are dragging down Bitcoin. We decided to run our own study of Bitcoin’s price in relation to PlusToken cashouts via Huobi OTC brokers to try and answer that question.
For this analysis, we started by plotting Bitcoin’s price listing on Huobi against two measures of PlusToken’s Bitcoin transfers:
- On-chain volume. On-chain volume is the amount of Bitcoin moving from wallets controlled by the PlusToken scammers to any of 26 prominent OTC brokers on Huobi that we’ve previously identified as dealing with illicit funds.
- Trade volume. Off-chain volume refers to the amount of Bitcoin for Tether traded on Huobi. We chose this metric because we know from our analysis that PlusToken scammers have consistently exchanged their stolen Bitcoin for Tether, possibly converting it to fiat currency later. However, because these transfers are recorded only in Huobi’s order books rather than on the blockchain, we have no way of knowing which of them are coming from the sale of Bitcoin from the PlusToken scammers as opposed to other users of the exchange.
Our hypothesis consists of two parts:
- We expect that any uptick in on-chain volume would be followed by an uptick in trade volume, as OTC traders receive Bitcoin from PlusToken wallets and subsequently exchange it for Tether.
- We expect Bitcoin’s price to fall soon after those upticks in on-chain and trade volume, as more Bitcoin is being unloaded onto the market.
Both parts of our hypothesis were proven true.
Above, we see that PlusToken wallets sent a steady flow of Bitcoin starting in mid-April and spiking just before the arrests in late June. After that, we see no movement until a few spikes in August, before transfers spike again and remain high throughout September. Then, we see a few more spikes in October. As we hypothesized, spikes in on-chain flow to OTC brokers correlate with drops in Bitcoin’s price. There can be a lag, as Bitcoin that is moved on-chain to an exchange is not immediately traded. We see the best example on September 20th, when PlusToken scammers made a large cash out of roughly $34 million worth of Bitcoin. Following that transfer, Bitcoin’s price drops steadily between September 24th and 26th, falling from just over $10,000 to about $8,000 and remaining there for roughly a month.
But what about trade volume? Check out the graph below.
Our hypothesis is proven correct here as well. As we expected, we see a rise in trades of Bitcoin for Tether starting on September 23rd, a few days after the PlusToken wallets sent a large volume of Bitcoin to Huobi OTC brokers. Shortly after on September 24th, the price of Bitcoin begins to drop.
From this analysis, we can conclude that PlusToken cashouts correlate with drops in Bitcoin’s price.
Can we prove causation?
We can’t say for sure that Bitcoin price drops are caused by PlusToken cashouts. It’s possible that price drops follow the cashouts by coincidence but are in fact caused by something else. In an attempt to settle the question of causation, we ran a regression analysis to test how the increase in trade volume between September 23rd and 28th impacted Bitcoin’s price volatility. Ordinarily, we’d test how trade volume impacts the price itself, but there’s only one large change in Bitcoin price for the time period we’re measuring (on September 24th). We need a measure with more variation to look for statistical causality and ensure results aren’t driven by outliers. Volatility, which measures the deviation from the average Bitcoin price at a given time, has enough variation to do that, while also giving us a sense of how the PlusToken cashouts impact Bitcoin’s price.
Our regression analysis shows a positive, albeit small, statistically significant relationship between PlusToken transfers to Huobi OTC brokers and Bitcoin price volatility for the period of time between September 23rd and 28th.
The cashouts likely caused increased volatility in one of two ways. They either cause it directly by increasing the supply of Bitcoin and changing market dynamics, or indirectly by affecting traders’ perception of the market. Keep in mind that PlusToken cashouts are just one of many potential influences on Bitcoin’s price. Media stories, concerted market manipulation efforts, algorithmic trading errors, or any number of other factors may have contributed to volatility as well. But none of those components on their own provides a compelling explanation for the large spike in volatility in the time period we studied absent the influence of PlusToken.
Unfortunately, because it’s not possible to distinguish between trades made by OTC brokers in possession of PlusToken funds and all other trades made on Huobi, we can’t say for sure that PlusToken cashouts caused Bitcoin’s price to drop. However, we can say that those cashouts cause increased volatility in Bitcoin’s price, and that they correlate significantly with Bitcoin price drops.
More reasons to fight fraud
As of now, at least 20,000 Bitcoin — nearly $150,000,000 USD worth — has yet to be cashed out. It’ll be interesting to observe whether the relationship between those cashouts and Bitcoin’s price continues. Given this analysis and the effects we’ve observed so far, liquidations of large amounts of illicitly obtained funds are likely to drive down the price of cryptocurrencies.
The PlusToken scam is a powerful example of how cryptocurrency scams harm the public, and should alarm exchanges, law enforcement, and regulators alike. In this case, millions of fraud victims will most likely never recover the funds they were tricked into giving up. Allowing OTC brokers to operate without scrutiny gives criminals a simple, obvious way to launder their ill-gotten funds, and exchanges should conduct KYC and monitor activity. Regulators around the world should recognize this as a consumer protection issue, and consider how they might apply anti-money laundering regulations to prevent scams like this from happening in the future.
Our 2020 Crypto Crime Report is full of more insights and case studies just like this. Sign up now and we'll email it to you as soon as it's released in January 2020!