Fleecing users of 3 billion USD worth of cryptocurrencies easily places the PlusToken Ponzi scheme on the top 10 of the largest schemes, ever. But is it over?

From 2018 to 2019, the PlusToken Ponzi collected digital assets from people with the promise of high-yield returns, but suddenly stopped paying interests and disappeared with a $3 billion profit.

According to the fintech media site Boxmining, what made the high-yield investment program was a mix of the illusion of investing in a sustainable business, bonuses for referrals, conference, and meetup presence. In June users started experiencing delays in fund withdrawals, but it abruptly stopped on June 30, 2019, when interest payments stopped, later confirmed by the infamous note, “Sorry, we have run.”

Already on June 29, 2019, South China Morning Post reported the arrest of six Chinese nationals involved in the Ponzi, while one of the ringleaders was prosecuted in May, 2020.

According to data from investigation firm Chainalysis, they tracked 180,000 BTC, 6,400,000 ETH, 111,000 USDT, and 53 OMG from victims to PlusToken wallets. According to other sources, also 26,000,000 EOS and 485,000,000 XRP was sent.

While it may end up being that law enforcement is selling seized assets, responses from the exchanges indicate that more could be going on, and the potential that the activity might affect trading prices most definitely demands increased transparency.

The Money Is Still Moving

Even with the early arrest of six members, money moved from PlusToken holdings to exchanges and over-the-counter services in October 2019, indicating that key members of the Ponzi could still be at large.

After a long quiet period, roughly 1 year after the “PlusToken exit”, the XRP holdings of PlusToken appear to be moving again, with 285,000,000 XRP being sent to a pool of accounts, shuffling the money – called a shuffle-pool – most likely to cover the tracks and make it difficult to trace.

By using data provided by xrplorer.com, I could investigate the more than 100,000 payments, separating the shuffle-pools inner activity from the deposits and withdrawals. The pool has been active since October 2019, with 100,000,000 XRP added in the first months, an additional 100,000,000 XRP added in March 2020 and the remaining 285,000,000 added on June 19, 2020.

Shuffle-Pool And Laundering

While the data is certainly suspicious, and merits further research by investigators, there’s also more than one way to interpret it. The following is my interpretation.

Adding funds to the shuffle-pool is like storing funds in a network of wallets, where it is moved around to make it harder to trace the funds. The pool that appears to be used by the PlusToken scammers consists of close to 7,500 accounts with 485,000,000 XRP sourced from the PlusToken wallet and 5,000,000 coming from other sources.

This can either indicate that the pool is not controlled by the PlusToken scammers, but a service provider mixing funds, or that the scammers had additional funds in other places. In either way, 99% of the money in the shuffle-pool was deposited from PlusToken directly.

Since the PlusToken exit, 60,000,000 XRP has found its way to exchanges or over-the-counter services, mainly OKEx and Huobi, or services closely related thereto. On June 17, 2020, the withdrawals started again, with close to 300,000,000 XRP withdrawn to exchanges over the next weeks (and still happening), mainly to HBTC, formerly known as BHEX or Blue Helix.

HBTC was launched in 2018, as BHEX, attracting 15 million USD in its equity from top institutions such as OKEx and Huobi according to BitcoinWiki. Strikingly, the more than 290,000,000 XRP received in the past few weeks alone, adds up to more than 85% of the total sum of XRP ever received since the exchange was established in 2018, leaving one big question: How is it possible to experience that big an increase of payments, and not stop it?

With only 136,000,000 XRP left in the shuffle-pool, and with the current rate of withdrawals, the pool will be empty before the end of July.

Comments From Exchanges

I have reached out to Singapore-based Huobi, Malta-based OKEx and Singapore-based HBTC for comments, but have not been able to get a comment from OKEx prior to publishing.

HBTC very briefly confirms the specific nature of the traffic:

“After verification, the law enforcement agency is selling the funds involved.”

I have not been able to verify this statement with law enforcement.

An email from Ciara Sun, an English spokesperson and vice-president for Huobi Group explained what she characterized as Huobi’s commitment to security and certain unspecified “limitations” of the original Chainalysis report. “As an exchange that works closely with regulators and government agencies in every country we operate in, we practice a zero-tolerance policy when it comes to illicit activities”, she said.

While not confirming the details of the suspicious transactions, Sun said the company would be improving its anti-money-laundering protections: “In response to the growing need for more integrity, transparency, and security in the industry, Huobi will continuously strive to improve our technology and work with relevant authorities to contribute positively to our community.”

A case like this, involving BTC, ETH, USDT, OMG, EOS, XRP and likely other assets too, demonstrates the importance of a public and private sector collaboration in both tools and intelligence.

Note: All XRP figures and statistics are from July 5, 2020.