Author: BlockSec
Compiled by: Deep Tide TechFlow
Deep Tide Introduction: Blockchain security company BlockSec conducted a complete on-chain fund tracking of VerilyHK, a Ponzi platform disguised as a Hong Kong health technology company. Over 16 months, the platform processed approximately $1.6 billion USDT cumulatively through the TRON network, using 8 generations of receiving hot wallets, 79 intermediate addresses, and 3 generations of paired withdrawal channels to build an industrial-grade fund routing infrastructure, ultimately funneling funds into the same centralized exchange. The fund flow chain also involves the Cambodia-based Huione Group, which is sanctioned by FinCEN.
Key Findings: A platform disguised as a Hong Kong health tech group cumulatively circulated approximately $1.6 billion USDT through the TRON network over 16 months. This is an upper-limit figure that includes potential internal fund recycling. On-chain analysis reveals an industrialized fund routing infrastructure: 8 generations of receiving hot wallets, 79 intermediate transit addresses, 3 generations of paired withdrawal channels (with second-level switching), and a shared exchange exit fed by tens of thousands of suspected deposit addresses. This article fully reconstructs the entire link topology from victim deposits to exchange withdrawals.
Background
VerilyHK presented itself externally as a legitimate Hong Kong health technology investment platform. The name itself is suspiciously similar to well-known entities: one is Verily Life Sciences, a precision health company under Alphabet, focusing on AI-driven healthcare and medical devices; the other is an A-share listed environmental engineering company (stock code: 300190), which has nothing to do with health tech or cryptocurrency. VerilyHK's website copy claimed expertise in AI health, big data analysis, and medical devices, almost directly copying the public positioning of the real Verily. Its marketing rhetoric also kept changing—from immune cell therapy and portable ECG devices to AI health, health credit systems, data asset tokenization, and even claiming to have obtained Hong Kong Securities and Futures Commission (SFC) Type 4 (securities advisory) and Type 9 (asset management) licenses.
Caption: A snapshot of verilyhk.com on Wayback Machine, showing the platform's "About Us" page, claiming to provide health management solutions through AI, big data, and medical devices
In April 2025, the Heshan District government issued a risk warning,明确指出该项目具有「明显的传销和非法集资特征」,并依赖「境外加密货币交易」 (clearly stating that the project had "obvious characteristics of pyramid selling and illegal fundraising" and relied on "overseas cryptocurrency transactions"). By the end of April 2025, multiple anti-fraud monitoring platforms issued crash warnings. The platform ceased operations in February 2026.
Based on the approximately $1.6 billion in on-chain transaction volume, VerilyHK's scale far exceeds other crypto Ponzi schemes that have been pursued by regulators, including Forsage ($300 million, sued by SEC) and NovaTech ($650 million, SEC lawsuit). But until now, there has been no public on-chain analysis dissecting this crypto criminal operation.
This article does not rely on the aforementioned public warnings to draw conclusions. All content below is based on on-chain data analysis of TRON USDT stablecoin flows related to this platform, layer by layer还原其内部基础设施的真实面貌 (restoring the true appearance of its internal infrastructure).
Starting Point
The investigation began with two TRON addresses provided by a victim: one deposit address and one withdrawal address. Tracing the connection between the two revealed not just a single path, but an entire multi-level, multi-generational fund routing network.
Receiving Layer: 8 Generations of Hot Wallets Rotated Over 16 Months
VerilyHK did not rely on fixed receiving addresses. It used at least 15 addresses, organized into 8 distinct generations, rotated in chronological order over a 16-month period from October 2024 to February 2026.
These addresses did not operate in parallel. They formed a relay chain: the end date of one generation precisely matched the start date of the next. This day-precise handover pattern recurred across all 8 transitions. Beyond the handover timing, adjacent generations also shared most of the deposit address network, with an overlap rate exceeding 65%, confirming they were operated by the same entity, just rotating new wallets.
The transaction volume processed by each generation grew sharply over time. Early generations handled tens of millions of dollars monthly, but by the sixth generation, volumes had reached the hundreds of millions level. The final generation processed over $900 million in less than 4 months. The cumulative transaction volume across all generations was approximately $1.6 billion.
But these figures should be considered upper-bound references, not net user deposits. They come from complete graph aggregation,包含潜在的内部转账 (including potential internal transfers). In a Ponzi structure, "returns" paid to users might be reinvested, causing the same funds to be counted multiple times in the receiving layer. The transaction volume explosion in later stages likely reflects both real growth and increasingly intense internal fund recycling.
Caption: Receiving layer timeline, showing transaction volume climbing from $3 million to $906 million across 8 generations of hot wallets
Intermediate Layer: 79 Transit Addresses Converge to Known Hubs
Funds leaving the receiving hot wallets did not go directly to the withdrawal layer. They passed through 79 intermediate transit addresses, each with very few incoming sources, more outgoing targets, and a net retention close to zero. Over 80% of the transiting funds ultimately converged on a few identified withdrawal channel hubs.
Caption: Intermediate layer fund flow: from receiving hot wallets through transit addresses converging to identified withdrawal hubs
Most of these funds flowed towards the withdrawal layer, but one node stood out. A cross-generational hub received funds from 75% of the intermediate addresses, spanning 6 of the 8 receiving generations, accumulating about $240 million. But its downstream structure was明显不同 (clearly different) from the identified withdrawal channels.
On-chain tracking revealed direct fund connections between this hub and multiple wallet addresses of the Huione Group. Huione is a Cambodian financial group placed on the US FinCEN list prohibiting access to the US financial system. On the incoming side, at least 4 Huione Group hot wallets transferred about $4.6 million to this hub through a chain of intermediate addresses (minimum 5 hops). On the outgoing side, the hub directly transferred funds to at least 2 Huione Group deposit addresses, amounting to $4,200 and $1.5 million respectively.
The fund flow between this cross-generational hub and Huione indicates that VerilyHK's fund routing infrastructure may have utilized Huione's network as a money laundering channel. This aligns with FinCEN's designation of Huione as a "key node for laundering money from virtual currency investment scams".
Caption: Fund flow between the cross-generational hub and the sanctioned Huione Group's hot wallets and deposit addresses
Withdrawal Layer: From Paired Channels to Shared Exchange Exit
The generational structure on the withdrawal side mirrored the receiving side exactly. Three generations of withdrawal addresses were identified, with a total withdrawal volume of approximately $1.1 billion. Like the receiving layer, the切换精确到秒 (switching between generations was precise to the second): on-chain timestamps show the second-generation channel stopping and the third-generation channel starting at the exact same moment. This pattern is difficult to explain by anything other than a preset switching plan by the same operating team.
Within each generation, the architecture followed a consistent pattern: dedicated bridge addresses first aggregated funds from the intermediate layer, then forwarded them to a pair of parallel withdrawal channels—one primary, one secondary. The start times for each pair differed by minutes, the stop times by seconds, but one channel's processing volume was always significantly higher than the other's. This "bridge → paired withdrawal" structure recurred across all three generations, proving it was a designed infrastructure, not temporarily created wallets.
Caption: Withdrawal layer showing 3 generations of paired channels, each with largely independent downstream networks,最终汇聚于共享交易所出口 (ultimately converging on a shared exchange exit)
A closer look at the third-generation paired channels shows this separation more clearly. One channel's processing volume was about 2.6 times that of the other. Comparing the top 100 large downstream counterparts for both, the overlap rate was zero. Although supplied by the same upstream source and running concurrently, they operated completely independent downstream distribution networks.
What the two lines truly shared was the final exit. In their small downstream transfers, both lines showed the same pattern: funds flowed through tens of thousands of one-time addresses (each with almost only one incoming and one outgoing transaction),最终汇入同一个主要中心化交易所 (CEX) 的热钱包 (ultimately converging into the same primary centralized exchange (CEX) hot wallet). But even here, the two sets of deposit address intermediaries were almost completely independent—only 9 shared addresses out of approximately 60,000, like two separate pipelines feeding into the same exchange. On-chain data confirms the funds entered the exchange's processing pipeline, but cannot identify the specific user accounts behind these deposits.
Full Picture: Four-Layer Funnel
Summarizing all findings, VerilyHK's on-chain fund routing architecture formed a clear four-stage funnel: extremely dispersed at the front end, highly concentrated in the middle, dispersed again at the withdrawal layer, and finally exiting through the exchange.
Caption: VerilyHK's four-layer funnel architecture—Deposit Layer, Receiving Layer, Intermediate Layer, Bridge Layer, Dual-Line Withdrawal, Exchange Exit
Most striking is the huge transaction volume (cumulative ~$1.6 billion on-chain fund flow) and the sophistication of the underlying infrastructure: day-precise generational handovers, paired withdrawal channels with基本独立的下游网络 (largely independent downstream networks), tens of thousands of one-time addresses converging into a shared exchange exit.
For exchange compliance teams, the structural features documented here constitute actionable detection heuristic indicators, especially the pattern of tens of thousands of one-time deposit addresses converging to the same hot wallet. For investigators and regulators, this layered architecture illustrates why tracking illicit funds requires going beyond single transactions to reconstruct the complete network topology.
All on-chain analysis in this article was completed using the MetaSleuth on-chain analysis tool, part of BlockSec's anti-money laundering and compliance suite. The analysis follows the Highest Value Path methodology, with all conclusions annotated for evidence strength and applicability boundaries.
