Fake Hong Kong Health Tech Company Absconds with 1.6 Billion USDT, On-Chain Tracking Reveals Full Picture of the Scam

marsbitОпубліковано о 2026-04-09Востаннє оновлено о 2026-04-09

Анотація

BlockSec's on-chain investigation exposes VerilyHK, a fraudulent platform posing as a Hong Kong health-tech company, which processed approximately $1.6 billion USDT over 16 months via the TRON network. The scheme employed a sophisticated, multi-layered infrastructure: 8 generations of receiving hot wallets, 79 intermediate addresses, and 3 generations of paired withdrawal channels. Funds were systematically funneled through thousands of disposable addresses before converging into a single centralized exchange. The operation also revealed ties to the Cambodia-based Huione Group, sanctioned by FinCEN for money laundering. This industrial-scale routing structure highlights advanced evasion tactics, including timed wallet rotations and segregated transaction pathways, underscoring the need for enhanced compliance detection of structured crypto fraud.

Author: BlockSec

Compiled by: Deep Tide TechFlow

Deep Tide Introduction: Blockchain security company BlockSec conducted a complete on-chain fund tracking of VerilyHK, a Ponzi platform disguised as a Hong Kong health technology company. Over 16 months, the platform processed approximately $1.6 billion USDT cumulatively through the TRON network, using 8 generations of receiving hot wallets, 79 intermediate addresses, and 3 generations of paired withdrawal channels to build an industrial-grade fund routing infrastructure, ultimately funneling funds into the same centralized exchange. The fund flow chain also involves the Cambodia-based Huione Group, which is sanctioned by FinCEN.

Key Findings: A platform disguised as a Hong Kong health tech group cumulatively circulated approximately $1.6 billion USDT through the TRON network over 16 months. This is an upper-limit figure that includes potential internal fund recycling. On-chain analysis reveals an industrialized fund routing infrastructure: 8 generations of receiving hot wallets, 79 intermediate transit addresses, 3 generations of paired withdrawal channels (with second-level switching), and a shared exchange exit fed by tens of thousands of suspected deposit addresses. This article fully reconstructs the entire link topology from victim deposits to exchange withdrawals.

Background

VerilyHK presented itself externally as a legitimate Hong Kong health technology investment platform. The name itself is suspiciously similar to well-known entities: one is Verily Life Sciences, a precision health company under Alphabet, focusing on AI-driven healthcare and medical devices; the other is an A-share listed environmental engineering company (stock code: 300190), which has nothing to do with health tech or cryptocurrency. VerilyHK's website copy claimed expertise in AI health, big data analysis, and medical devices, almost directly copying the public positioning of the real Verily. Its marketing rhetoric also kept changing—from immune cell therapy and portable ECG devices to AI health, health credit systems, data asset tokenization, and even claiming to have obtained Hong Kong Securities and Futures Commission (SFC) Type 4 (securities advisory) and Type 9 (asset management) licenses.

Caption: A snapshot of verilyhk.com on Wayback Machine, showing the platform's "About Us" page, claiming to provide health management solutions through AI, big data, and medical devices

In April 2025, the Heshan District government issued a risk warning,明确指出该项目具有「明显的传销和非法集资特征」,并依赖「境外加密货币交易」 (clearly stating that the project had "obvious characteristics of pyramid selling and illegal fundraising" and relied on "overseas cryptocurrency transactions"). By the end of April 2025, multiple anti-fraud monitoring platforms issued crash warnings. The platform ceased operations in February 2026.

Based on the approximately $1.6 billion in on-chain transaction volume, VerilyHK's scale far exceeds other crypto Ponzi schemes that have been pursued by regulators, including Forsage ($300 million, sued by SEC) and NovaTech ($650 million, SEC lawsuit). But until now, there has been no public on-chain analysis dissecting this crypto criminal operation.

This article does not rely on the aforementioned public warnings to draw conclusions. All content below is based on on-chain data analysis of TRON USDT stablecoin flows related to this platform, layer by layer还原其内部基础设施的真实面貌 (restoring the true appearance of its internal infrastructure).

Starting Point

The investigation began with two TRON addresses provided by a victim: one deposit address and one withdrawal address. Tracing the connection between the two revealed not just a single path, but an entire multi-level, multi-generational fund routing network.

Receiving Layer: 8 Generations of Hot Wallets Rotated Over 16 Months

VerilyHK did not rely on fixed receiving addresses. It used at least 15 addresses, organized into 8 distinct generations, rotated in chronological order over a 16-month period from October 2024 to February 2026.

These addresses did not operate in parallel. They formed a relay chain: the end date of one generation precisely matched the start date of the next. This day-precise handover pattern recurred across all 8 transitions. Beyond the handover timing, adjacent generations also shared most of the deposit address network, with an overlap rate exceeding 65%, confirming they were operated by the same entity, just rotating new wallets.

The transaction volume processed by each generation grew sharply over time. Early generations handled tens of millions of dollars monthly, but by the sixth generation, volumes had reached the hundreds of millions level. The final generation processed over $900 million in less than 4 months. The cumulative transaction volume across all generations was approximately $1.6 billion.

But these figures should be considered upper-bound references, not net user deposits. They come from complete graph aggregation,包含潜在的内部转账 (including potential internal transfers). In a Ponzi structure, "returns" paid to users might be reinvested, causing the same funds to be counted multiple times in the receiving layer. The transaction volume explosion in later stages likely reflects both real growth and increasingly intense internal fund recycling.

Caption: Receiving layer timeline, showing transaction volume climbing from $3 million to $906 million across 8 generations of hot wallets

Intermediate Layer: 79 Transit Addresses Converge to Known Hubs

Funds leaving the receiving hot wallets did not go directly to the withdrawal layer. They passed through 79 intermediate transit addresses, each with very few incoming sources, more outgoing targets, and a net retention close to zero. Over 80% of the transiting funds ultimately converged on a few identified withdrawal channel hubs.

Caption: Intermediate layer fund flow: from receiving hot wallets through transit addresses converging to identified withdrawal hubs

Most of these funds flowed towards the withdrawal layer, but one node stood out. A cross-generational hub received funds from 75% of the intermediate addresses, spanning 6 of the 8 receiving generations, accumulating about $240 million. But its downstream structure was明显不同 (clearly different) from the identified withdrawal channels.

On-chain tracking revealed direct fund connections between this hub and multiple wallet addresses of the Huione Group. Huione is a Cambodian financial group placed on the US FinCEN list prohibiting access to the US financial system. On the incoming side, at least 4 Huione Group hot wallets transferred about $4.6 million to this hub through a chain of intermediate addresses (minimum 5 hops). On the outgoing side, the hub directly transferred funds to at least 2 Huione Group deposit addresses, amounting to $4,200 and $1.5 million respectively.

The fund flow between this cross-generational hub and Huione indicates that VerilyHK's fund routing infrastructure may have utilized Huione's network as a money laundering channel. This aligns with FinCEN's designation of Huione as a "key node for laundering money from virtual currency investment scams".

Caption: Fund flow between the cross-generational hub and the sanctioned Huione Group's hot wallets and deposit addresses

Withdrawal Layer: From Paired Channels to Shared Exchange Exit

The generational structure on the withdrawal side mirrored the receiving side exactly. Three generations of withdrawal addresses were identified, with a total withdrawal volume of approximately $1.1 billion. Like the receiving layer, the切换精确到秒 (switching between generations was precise to the second): on-chain timestamps show the second-generation channel stopping and the third-generation channel starting at the exact same moment. This pattern is difficult to explain by anything other than a preset switching plan by the same operating team.

Within each generation, the architecture followed a consistent pattern: dedicated bridge addresses first aggregated funds from the intermediate layer, then forwarded them to a pair of parallel withdrawal channels—one primary, one secondary. The start times for each pair differed by minutes, the stop times by seconds, but one channel's processing volume was always significantly higher than the other's. This "bridge → paired withdrawal" structure recurred across all three generations, proving it was a designed infrastructure, not temporarily created wallets.

Caption: Withdrawal layer showing 3 generations of paired channels, each with largely independent downstream networks,最终汇聚于共享交易所出口 (ultimately converging on a shared exchange exit)

A closer look at the third-generation paired channels shows this separation more clearly. One channel's processing volume was about 2.6 times that of the other. Comparing the top 100 large downstream counterparts for both, the overlap rate was zero. Although supplied by the same upstream source and running concurrently, they operated completely independent downstream distribution networks.

What the two lines truly shared was the final exit. In their small downstream transfers, both lines showed the same pattern: funds flowed through tens of thousands of one-time addresses (each with almost only one incoming and one outgoing transaction),最终汇入同一个主要中心化交易所 (CEX) 的热钱包 (ultimately converging into the same primary centralized exchange (CEX) hot wallet). But even here, the two sets of deposit address intermediaries were almost completely independent—only 9 shared addresses out of approximately 60,000, like two separate pipelines feeding into the same exchange. On-chain data confirms the funds entered the exchange's processing pipeline, but cannot identify the specific user accounts behind these deposits.

Full Picture: Four-Layer Funnel

Summarizing all findings, VerilyHK's on-chain fund routing architecture formed a clear four-stage funnel: extremely dispersed at the front end, highly concentrated in the middle, dispersed again at the withdrawal layer, and finally exiting through the exchange.

Caption: VerilyHK's four-layer funnel architecture—Deposit Layer, Receiving Layer, Intermediate Layer, Bridge Layer, Dual-Line Withdrawal, Exchange Exit

Most striking is the huge transaction volume (cumulative ~$1.6 billion on-chain fund flow) and the sophistication of the underlying infrastructure: day-precise generational handovers, paired withdrawal channels with基本独立的下游网络 (largely independent downstream networks), tens of thousands of one-time addresses converging into a shared exchange exit.

For exchange compliance teams, the structural features documented here constitute actionable detection heuristic indicators, especially the pattern of tens of thousands of one-time deposit addresses converging to the same hot wallet. For investigators and regulators, this layered architecture illustrates why tracking illicit funds requires going beyond single transactions to reconstruct the complete network topology.

All on-chain analysis in this article was completed using the MetaSleuth on-chain analysis tool, part of BlockSec's anti-money laundering and compliance suite. The analysis follows the Highest Value Path methodology, with all conclusions annotated for evidence strength and applicability boundaries.

Пов'язані питання

QWhat was the total amount of USDT processed by the VerilyHK platform over 16 months, and on which blockchain network?

AThe VerilyHK platform processed approximately 1.6 billion USDT over 16 months on the TRON network.

QHow many generations of hot wallets did VerilyHK use for receiving funds, and what was a key characteristic of their operation?

AVerilyHK used 8 generations of hot wallets for receiving funds, which were rotated in a strict, sequential order with precise day-level handover dates between generations.

QWhich sanctioned financial group was the VerilyHK platform's funds linked to through a cross-generational hub, and what was the nature of this link?

AFunds were linked to the Huione Group, a Cambodian financial group sanctioned by FinCEN. A cross-generational hub received funds from and sent funds to Huione Group wallets, indicating the platform's infrastructure potentially used Huione's network for money laundering.

QDescribe the structure of the withdrawal layer and its key feature for obfuscating the final destination of funds.

AThe withdrawal layer consisted of 3 generations of paired channels (a main and a secondary line). Each pair, fed by a dedicated bridge address, operated with largely independent downstream networks. However, both lines in a pair ultimately funneled funds through tens of thousands of one-time deposit addresses into the same centralised exchange (CEX) hot wallet, creating a shared final exit.

QWhat are the four main layers of VerilyHK's fund routing infrastructure as described in the 'Panorama: Four-Tier Funnel' section?

AThe four main layers are: 1) The充值层 (Deposit Layer) with numerous user addresses, 2) The收款层 (Receiving Layer) with generational hot wallets, 3) The中间层 (Middle Layer) with transit addresses, and 4) The桥接层/出金层 (Bridge/Withdrawal Layer) with paired channels leading to the shared CEX exit.

Пов'язані матеріали

The Largest Upgrade Since The Merge? How Glamsterdam Will Affect Ethereum and Regular Users?

The upcoming Glamsterdam upgrade, scheduled for late 2026, is considered Ethereum's most significant change since The Merge. It focuses on fundamentally restructuring Ethereum's block production, transaction execution, and gas pricing to enable major scalability improvements while preserving decentralization. The upgrade centers on three key innovations: * **Enshrined PBS (ePBS)**: Moves the Proposer-Builder Separation mechanism into the protocol's core, eliminating reliance on external relays. This reorganizes the block pipeline, extending the time window for processing execution payloads, which is crucial for safely increasing block capacity. * **Block-Level Access Lists (BALs)**: Attaches a "map" to each block, declaring in advance which state data its transactions will access. This enables potential parallel transaction processing and faster node synchronization, breaking a key performance bottleneck. * **Gas Repricing**: Introduces a more accurate resource pricing model by separating computation costs from state storage costs. This discourages uncontrolled state growth by making operations that create permanent data (like new accounts) more accurately reflect their long-term network burden. Together, these changes aim to solve the core challenges of increasing Ethereum's throughput (e.g., raising the Gas Limit) without overburdening node hardware or increasing centralization risks. They prepare the infrastructure for higher capacity, targeting a credible post-upgrade capacity of up to 200 million Gas. For users, the impact will be nuanced: * General transaction fees may become lower and more stable as block space increases. * Simple transfers could see cost reductions, while state-intensive operations (like contract deployment) may become relatively more expensive due to the new gas model. * Gas fee estimations by wallets will become more accurate. * L2 networks could benefit long-term from increased data blob capacity. * Standardized logs for all ETH transfers (EIP-7708) will improve tracking for wallets and exchanges. Ultimately, Glamsterdam represents a foundational shift, not a simple block size increase. It seeks to expand Ethereum's capacity by re-engineering its underlying mechanics, maintaining its commitment to decentralization while enabling significant performance gains.

marsbit2 год тому

The Largest Upgrade Since The Merge? How Glamsterdam Will Affect Ethereum and Regular Users?

marsbit2 год тому

Circle CEO Responds to the OUSD Challenge: Stablecoin is a Winner-Takes-All Business, and We Won't Slow Down

In response to questions about the OUSD stablecoin initiative, Circle CEO Jeremy Allaire argues that the stablecoin market is a "winner-take-most" platform business driven by powerful network effects, and Circle has no plans to slow down. He outlines three key drivers behind USDC's dominant position: 1. **Protocol/Software Layer Network Effects**: The value of a stablecoin network grows as more developers and services integrate it, creating compounding utility and user preference. Circle has spent nearly a decade building this ecosystem with USDC, now accelerated by mainstream adoption and enhanced by software stacks like CCTP and Gateway for interoperability. 2. **Liquidity Network Effects**: Liquidity begets more liquidity. USDC has achieved top-tier global liquidity—ranking among the top three digital assets alongside BTC and USDT—through nearly a decade of building deep primary and secondary market access across regions and venues. 3. **Regulatory and Policy Integration**: Establishing a global stablecoin requires deep regulatory engagement, licensing, and compliance across key markets—a significant, long-term investment where Circle is a leader. Allaire cites Artemis data showing USDC facilitated 80% of all dollar stablecoin on-chain transaction volume in Q1 2026, with USDT at 20% and all others negligible. He addresses OUSD's purported advantages: "free" minting/burning is often not sustainable in practice; redistributing all revenue can starve essential infrastructure investment; and large consortium models historically struggle with inefficiency and slow execution, unlike focused strategic partnerships. He reaffirms Circle's strong ongoing partnership with Coinbase on USDC and notes Circle collaborates with dozens of other stablecoin issuers through its expanding platform (Arc, CCTP, CPN, etc.). While welcoming OUSD to the ecosystem, Allaire asserts that Circle's vast, trusted network and continued investment make USDC the foundational digital dollar infrastructure for the world.

链捕手2 год тому

Circle CEO Responds to the OUSD Challenge: Stablecoin is a Winner-Takes-All Business, and We Won't Slow Down

链捕手2 год тому

Q2 Crypto Market Review: Did Bitcoin Rise for 'Nothing'? Did Money Flow to AI and On-Chain?

Q2 2026 Crypto Market Recap: Bitcoin's Gains Erased Amid Shift to AI and On-Chain Activity The second quarter of 2026 saw a significant reversal for the cryptocurrency market. Bitcoin gave back all its April gains, ending Q2 down approximately 11%, while major stock indices posted strong gains. This divergence was driven by a hawkish shift in Fed rate expectations, capital rotation into AI stocks, and weakening liquidity channels into crypto. Key demand pillars deteriorated simultaneously. Spot Bitcoin ETFs recorded net outflows of $4.08 billion for the quarter, with outflows dominating June. Crypto treasury entity Strategy's bitcoin accumulation slowed markedly, and the total stablecoin market cap contracted by ~$4.2 billion. This created a tighter liquidity environment. Exchange data reflected the downturn. Spot trading volumes fell 28% quarter-over-quarter. The market underwent significant deleveraging, with $8.35 billion in long liquidations for BTC and ETH, primarily in late May/early June. Open interest and order book liquidity also declined. Despite the bearish price action, structural developments point to an expanding on-chain ecosystem. These include the rise of tokenized stocks with full legal rights, the growth of RWA (real-world asset) perpetual contracts for trading stocks and commodities 24/7, and the use of crypto markets for price discovery ahead of major events like the SpaceX IPO. On-chain vaults are also emerging as a core layer for institutional capital allocation.

Foresight News2 год тому

Q2 Crypto Market Review: Did Bitcoin Rise for 'Nothing'? Did Money Flow to AI and On-Chain?

Foresight News2 год тому

Торгівля

Спот
活动图片