PlusToken Scammers Didn’t Just Steal $2+ Billion Worth of Cryptocurrency. They May Also Be Driving Down the Price of Bitcoin. [UPDATED 3/12/2020]

Chat With Us
Thanks for your interest! We'll be in touch shortly.
Oops! Something went wrong while submitting the form.

This blog is an excerpt from the Chainalysis 2020 Crypto Crime Report. Click here to download the full document!

Scams are all too common in the cryptocurrency world, with our internal research suggesting bad actors bilked billions of dollars’ worth of funds from millions of victims in 2019. In addition to the monetary losses sustained by affected individuals, scams paint a negative picture of the industry and may scare off potential participants.

But in the case of one notable 2019 scam, the consequences may go beyond the direct victims. We believe that the criminals behind the PlusToken Ponzi scheme could be driving down the price of Bitcoin when they liquidate their stolen funds via OTC brokers.

3/12/2020 Update

This week, Bitcoin’s price fell sharply, dropping from over $9,100 on Friday, March 6 to a low of roughly $5,800 this morning on Thursday, March 12. This price movement coincided with reports of movements by funds associated with the PlusToken scam, prompting some to wonder if scammers’ liquidations are causing the price drop, as we concluded likely happened in September 2019 in our original blog post below.

However, in this case, we don’t believe PlusToken liquidations are responsible for Bitcoin’s price drop. While Bitcoin did move from PlusToken addresses over the weekend, very little has gone to exchanges. 

The graph above shows how much Bitcoin PlusToken has sent to exchanges on a daily basis since we published our original blog on December 16, 2019. In that time, PlusToken has sent a total of roughly 23,000 BTC to exchanges, most of it well before the price drop that began on Sunday, March 8. We therefore conclude that PlusToken liquidations are likely not the cause of the price drop. Interestingly PlusToken began sending substantial amounts of Bitcoin to addresses at OKEx in addition to Huobi, which was the recipient of nearly all of the scammers’ transfers previously. It’s unclear how many of the OKEx addresses receiving funds are associated with OTC brokers, as we found with the Huobi addresses in December. Our findings largely confirm those recently released by the OXT research team, whose work focuses in more detail on the scammers’ mixing activity.

We believe Bitcoin’s recent price fall can instead be explained by the same macro events driving down stocks and other assets — namely, the tumult caused by the COVID-19 virus. 

In the last couple of days, we’ve seen a huge increase in transfers to exchanges, as traders appear to be selling in response to recent market events. Exchange inflows are 80% higher than average, which translates to about 170,000 BTC more than usual hitting markets since Monday. These heightened inflows are overwhelming the relatively illiquid Bitcoin market, causing prices to fall, which in turn leads to further inflows, causing prices to drop further. 

So, while we can rule out PlusToken as the culprit, it’s unclear when the current chaos in the markets will end, both for cryptocurrency and traditional assets.

What is PlusToken?

Based in China, PlusToken presented itself as a cryptocurrency wallet that would reward users with high rates of return if they purchased the wallet’s associated PLUS cryptocurrency tokens with Bitcoin or Ethereum. The scammers claimed those returns would be generated by “exchange profit, mining income, and referral benefits.” PlusToken would go on to be listed on several Chinese exchanges and hit a peak price of $350 USD, raking in “investments” from millions of people. 

Chinese media reports that the scam attracted over $3 billion worth of cryptocurrency. We tracked a total of 180,000 BTC, 6,400,000 ETH, 111,000 USDT, and 53 OMG (OmiseGo) that went from scam victims to PlusToken wallets, equating to roughly $2 billion. Either figure would make PlusToken one of the largest Ponzi schemes ever. 

While six individuals connected to PlusToken were arrested in June, the stolen funds have continued to move through wallets and be cashed out through independent OTC brokers operating mostly on the Huobi platform, showing that one or more of the scammers are still at large. 

How the PlusToken scammers utilize mixers, OTC brokers, and more to launder and cash out funds

While we tracked $2 billion worth of various cryptocurrencies that victims sent to the PlusToken scammers, some of that money was paid out to early investors, presumably to maintain the illusion of high returns while PlusToken presented itself as a legitimate company. In many cases, it’s difficult to tell whether transfers made by the PlusToken scammers were going to those early investors or to addresses under their own control. Nonetheless, we’ve tracked roughly 800,000 ETH and 45,000 BTC we can definitively say the scammers transferred to their own addresses to launder. They’ve cashed out at least 10,000 of that initial 800,000 ETH, while the other 790,000 has been sitting untouched in a single Ethereum wallet for months.

The flow of the 45,000 stolen Bitcoin is more complicated. So far, roughly 25,000 of it has been cashed out. The other 20,000 is currently spread out across more than 8,700 cryptocurrency addresses, which speaks to the high level of effort the scammers put into obfuscating the movement of funds. The scammers have transferred the Bitcoin more than 24,000 times, using more than 71,000 different addresses — and that’s not even counting cash outs or transfers to off-ramps such as exchanges. 

Many of those transactions were conducted through mixers like Wasabi Wallet, which utilizes the CoinJoin protocol to make it more difficult to trace the path of funds. You can see an example in the Chainalysis Reactor graph below. 


Here, we see that the funds are split off into large groups of new unique addresses, and re-consolidated later, which is activity typical of a mixer.

At other points, the scammers utilized peel chains and other complex movements to obfuscate the path of funds. Peel chains are strings of transactions commonly used for money laundering, in which entities send funds through several wallets in quick succession, usually breaking off small amounts to cash out at each step and sending the majority on to the next wallet.


The graph above is a great example of the PlusToken scammers’ obfuscation attempts. The funds start in the wallet in the upper left hand corner, and move to the right. Diagonal movements represent a change in address type, while vertical movements represent the use of a mixer. 

In the end, the funds moved to the address of an OTC broker operating on Huobi to be liquidated — that’s how nearly all of the funds so far have been cashed out. For reference, OTC (Over The Counter) brokers facilitate trades between individual buyers and sellers who can’t or don’t want to transact on an open exchange. OTC brokers are typically associated with an exchange but operate independently. Traders often use OTC brokers if they want to liquidate a large amount of cryptocurrency for a set, negotiated price.  

Some OTC brokers have significantly lower KYC requirements than most exchanges, which can make them attractive for criminals like the PlusToken scammers. Compliant exchanges monitor transactions and keep customer information on file so that they can report suspicious activity and comply with subpoenas from law enforcement. But OTC brokers play by different rules. While many are legitimate, others take advantage of lower KYC requirements to offer service to users with illicit funds. Some even specialize in the movement and laundering of criminal money. 

And in this case, as we’ll examine below, these cashouts via OTC brokers may be driving down the market price of Bitcoin. 

Are PlusToken scam liquidations driving down the price of Bitcoin?

So far, the PlusToken scammers have cashed out at least $185,000,000 worth of stolen Bitcoin via OTC brokers. Those who analyze cryptocurrency markets know that large liquidations generally tend to depress the price of Bitcoin, and others have asked if PlusToken-related cashouts are dragging down Bitcoin. We decided to run our own study of Bitcoin’s price in relation to PlusToken cashouts via Huobi OTC brokers to try and answer that question.

For this analysis, we started by plotting Bitcoin’s price listing on Huobi against two measures of PlusToken’s Bitcoin transfers:

  1. On-chain volume. On-chain volume is the amount of Bitcoin moving from wallets controlled by the PlusToken scammers to any of 26 prominent OTC brokers on Huobi that we’ve previously identified as dealing with illicit funds.
  2. Trade volume. Off-chain volume refers to the amount of Bitcoin for Tether traded on Huobi. We chose this metric because we know from our analysis that PlusToken scammers have consistently exchanged their stolen Bitcoin for Tether, possibly converting it to fiat currency later. However, because these transfers are recorded only in Huobi’s order books rather than on the blockchain, we have no way of knowing which of them are coming from the sale of Bitcoin from the PlusToken scammers as opposed to other users of the exchange. 

Our hypothesis consists of two parts: 

  1. We expect that any uptick in on-chain volume would be followed by an uptick in trade volume, as OTC traders receive Bitcoin from PlusToken wallets and subsequently exchange it for Tether.
  2. We expect Bitcoin’s price to fall soon after those upticks in on-chain and trade volume, as more Bitcoin is being unloaded onto the market.

Both parts of our hypothesis were proven true.

Our results

Figure 1

Above, we see that PlusToken wallets sent a steady flow of Bitcoin starting in mid-April and spiking just before the arrests in late June. After that, we see no movement until a few spikes in August, before transfers spike again and remain high throughout September. Then, we see a few more spikes in October. As we hypothesized, spikes in on-chain flow to OTC brokers correlate with drops in Bitcoin’s price. There can be a lag, as Bitcoin that is moved on-chain to an exchange is not immediately traded. We see the best example on September 20th, when PlusToken scammers made a large cash out of roughly $34 million worth of Bitcoin. Following that transfer, Bitcoin’s price drops steadily between September 24th and 26th, falling from just over $10,000 to about $8,000 and remaining there for roughly a month.

But what about trade volume? Check out the graph below.

Figure 2

Our hypothesis is proven correct here as well. As we expected, we see a rise in trades of Bitcoin for Tether starting on September 23rd, a few days after the PlusToken wallets sent a large volume of Bitcoin to Huobi OTC brokers. Shortly after on September 24th, the price of Bitcoin begins to drop.

From this analysis, we can conclude that PlusToken cashouts correlate with drops in Bitcoin’s price.

Can we prove causation?

We can’t say for sure that Bitcoin price drops are caused by PlusToken cashouts. It’s possible that price drops follow the cashouts by coincidence but are in fact caused by something else. In an attempt to settle the question of causation, we ran a regression analysis to test how the increase in trade volume between September 23rd and 28th impacted Bitcoin’s price volatility. Ordinarily, we’d test how trade volume impacts the price itself, but there’s only one large change in Bitcoin price for the time period we’re measuring (on September 24th). We need a measure with more variation to look for statistical causality and ensure results aren’t driven by outliers. Volatility, which measures the deviation from the average Bitcoin price at a given time, has enough variation to do that, while also giving us a sense of how the PlusToken cashouts impact Bitcoin’s price.

Figure 3

Our regression analysis shows a positive, albeit small, statistically significant relationship between PlusToken transfers to Huobi OTC brokers and Bitcoin price volatility for the period of time between September 23rd and 28th. 

The cashouts likely caused increased volatility in one of two ways. They either cause it directly by increasing the supply of Bitcoin and changing market dynamics, or indirectly by affecting traders’ perception of the market. Keep in mind that PlusToken cashouts are just one of many potential influences on Bitcoin’s price. Media stories, concerted market manipulation efforts, algorithmic trading errors, or any number of other factors may have contributed to volatility as well. But none of those components on their own provides a compelling explanation for the large spike in volatility in the time period we studied absent the influence of PlusToken. 

Unfortunately, because it’s not possible to distinguish between trades made by OTC brokers in possession of PlusToken funds and all other trades made on Huobi, we can’t say for sure that PlusToken cashouts caused Bitcoin’s price to drop. However, we can say that those cashouts cause increased volatility in Bitcoin’s price, and that they correlate significantly with Bitcoin price drops. 

More reasons to fight fraud

As of now, at least 20,000 Bitcoin — nearly $150,000,000 USD worth — has yet to be cashed out. It’ll be interesting to observe whether the relationship between those cashouts and Bitcoin’s price continues. Given this analysis and the effects we’ve observed so far, liquidations of large amounts of illicitly obtained funds are likely to drive down the price of cryptocurrencies. 

The PlusToken scam is a powerful example of how cryptocurrency scams harm the public, and should alarm exchanges, law enforcement, and regulators alike. In this case, millions of fraud victims will most likely never recover the funds they were tricked into giving up. Allowing OTC brokers to operate without scrutiny gives criminals a simple, obvious way to launder their ill-gotten funds, and exchanges should conduct KYC and monitor activity. Regulators around the world should recognize this as a consumer protection issue, and consider how they might apply anti-money laundering regulations to prevent scams like this from happening in the future.

This blog is an excerpt from the Chainalysis 2020 Crypto Crime Report. Click here to download the full document!

Read the Full Report

To see our full research on this topic, sign up to receive access to the complete Chainalysis Crypto Crime Report: Decoding hacks, darknet markets, and scams.

Get Access to the Report

Learn more about KYT for Stablecoins & Token Issuers

Monitor transactions across the token’s full lifecycle, from issuance to redemption—and any transaction in between.

Learn More
Thank you! We'll be in touch shortly.
Oops! Something went wrong while submitting the form.
Thank you! We'll be in touch shortly.
Oops! Something went wrong while submitting the form.

We’re growing! Check out our 25+ open roles >

Thank you! We'll be in touch shortly.
Oops! Something went wrong while submitting the form.
Oops! Something went wrong while submitting the form.
Please check your mailbox for a copy of the report.
Oops! Something went wrong while submitting the form.
Next article

Chainalysis Team

Watch Our Exclusive Webinar

Jan 31, 12PM ET

Chainalysis senior economist, Kim Grauer, answers audience questions on our latest research in a recorded webinar.

Watch Recording