$110M in fraud proceeds walked straight through the world's top exchanges
A single 15,000 USDT Flash USDT scam payment opened a TRON laundering circuit that moved more than $110 million in 90 days — every step visible on a public ledger, in real time, while exchange monitoring flagged none of it.
01 — The failure firstExchanges have failed to monitor addresses properly
That is the conclusion we reached, and we want to state it before we show our work, because the work is what justifies it. Across this investigation we kept arriving at the same place: regulated, name-brand exchanges processed deposits and withdrawals for wallets whose on-chain behavior should have stopped them cold. The behavior was out in the open. It stayed visible in real time, on a public ledger, to anyone running the kind of monitoring these platforms are legally obligated to run.
The clearest example is a single wallet, TKBauHkGqBKVqBYqbEeovM6P1R2U5rSkHg. When we pulled its profile, it was four days old, activated on June 12, 2026. In those four days it had received deposits from six separate major exchanges — Bybit, HTX, Binance, MEXC, Gate and OKX — across nineteen pages of transfers. A wallet with no history, moving high volume at high velocity, sat simultaneously connected to half the major exchanges in the market. That is the textbook profile of a layering relay, and six compliance desks moved money through it anyway.
To explain why that matters, we have to walk backward from this wallet — tracing what it was connected to, and what those connections were doing.
02 — One hop backWhat the burner wallet was connected to
The burner did not exist in isolation. It sat one hop from an exchange-interface wallet, THyKViPHoUQNJQhztf438wQx4WfqACx2d6, settling with it on both sides of the ledger inside the same 24-hour window — the bilateral balancing that layering networks use to move value without touching a custodial account directly.
That interface wallet is the telling part. On the inbound side, 84% of its deposits came from 001K BOT, an automated crypto-cash service with links to the Russian financial system ($230,440 of $272,850). On the outbound side, 95% of its withdrawals went straight to Bybit ($623,980 of $655,080). A wallet pulling almost all of its funds from an OTC automation service was sending almost all of its money straight back into a regulated exchange. The exchange took it.
That dominant counterparty carried a label too. Bitquery's entity resolution flagged it as SHER888 — confirmed against OKLink and MetaSleuth. Sher888 LLC was incorporated in Georgia in May 2022 and runs exclusively through a Telegram bot targeting the Russian-speaking market. In November 2025, seven months before our investigation, the National Bank of Georgia fined it 465,000 GEL (~€160K) for multiple AML/CFT violations, including false reporting. The platform kept running.
03 — Confirmed on-chainThe exit, watched as it happened
We did not infer this. We found two transactions from the burner to a Sher888 deposit address, sent 45 seconds apart on June 15, 2026. Both confirmed on-chain. Both blocks verified on Tronscan.
04 — The machineThe circuit behind it
The burner and the interface were the visible mouth of something much larger. One more hop back stood a consolidator, TRvMeYqECKKVugPF8TXtvNv3qpRR8NDmCq — pure infrastructure. 807 transactions, 208 distinct inbound senders, $21.19M in, $21.19M out, net balance roughly $130. It collected from more than 200 sources and consolidated those flows into far larger outbound sweeps, holding nothing.
And it concentrated its outflows. It routed to four addresses, never more than one at a time — each handling a distinct time window before going quiet. Combined throughput across the four exceeded $110 million, with one relay alone moving $54.3M in twelve days of operation.
05 — The sourceWalking back to where the money came from
We did not start with the exchanges. We started with a single transaction posted in a Telegram group. The operator @ARCHY_USDT, who runs a service called "Flash USDT BTC Crypto," had pinned it as proof of a completed sale — a Tronscan link showing 15,000 USDT sent on-chain, alongside a message thanking the buyer for their trust. Standard scam-operator social proof. That "To" address was the consolidator.
The feeder that posted it, TM2sovPTeDqSoUkdcCwyAMtCjAAXPij1eB, ran 101 transactions — $402,869 in, $368,859 out over 13 days, average ticket around $7,000–8,000 — a small OTC aggregation node collecting payments from many clients and passing them upstream. The 208 wallets feeding the consolidator likely include many more victim payments from the same or related operators.
06 — Read backwardThe full circuit, end to end
07 — ContextWhy TRON, and why this keeps happening
TRON settled roughly $2 trillion in USDT in Q1 2026. Over 10.9 million transactions cross the network every day, driven largely by stablecoin movement. Fees are near-zero, settlement runs under three seconds, and there is essentially no friction in moving money across borders pseudonymously. That is exactly why monitoring failures at the exchange layer are so costly: when a circuit can move $110M in 90 days, the institutions positioned to interrupt it are the on/off ramps. When those ramps fail to screen counterparties against visible on-chain risk, the rest of the network has no chokepoint at all.
None of the addresses in this circuit carried an exchange tag or risk flag when we started. The signal was in the behavior: a four-day-old wallet pulling from six exchanges, a 95%-to-one-exchange withdrawal ratio, and a counterparty that was already a fined VASP. All of it stayed readable in real time.
Every query ran through Bitquery MCP
Dual wallet profiling, directional flow mapping, outbound recipient ranking, inbound sender ranking with volume aggregation, and cross-cluster edge detection — all through a single interface querying TRON transfer data in real time. The same data the exchanges had access to.
08 — Still liveOpen threads
Run the next investigation in minutes
Ask any question of the blockchain. Bitquery's AI Investigations agent traces funds, attributes wallets, and writes auditable reports across every major chain.
This article is provided for informational and educational purposes only and reflects analysis of publicly available on-chain data as of the dates indicated. It does not constitute legal, financial, compliance, or investment advice.
The findings describe patterns observed in blockchain transaction data and third-party attribution sources (including Bitquery, Arkham Intelligence, MetaSleuth, OKLink, and Tronscan). Wallet-to-entity attributions and exchange labels are based on these sources and on-chain behavioral analysis. They may be incomplete, may contain errors, or may change as additional data becomes available. Blockchain addresses are pseudonymous, and the presence of a transaction between two addresses does not by itself establish the identity, intent, or knowledge of any party.
References to specific exchanges, platforms, services, or companies — including any characterization of their monitoring, compliance, or anti-money-laundering controls — describe transaction flows observed on-chain and inferences drawn from them. They are not assertions that any named entity knowingly facilitated, participated in, or is legally liable for unlawful conduct, and should not be read as accusations of criminal or regulatory wrongdoing against any specific company or individual. Regulatory actions referenced (such as the National Bank of Georgia fine) are attributed to their original public source.
Nothing herein should be relied upon as a definitive determination of fact. Readers should conduct their own independent verification before taking any action. The authors and publisher accept no liability for any loss or damage arising from reliance on this material. All trademarks and company names are the property of their respective owners.