Crypto Investigation with re:doubt and Maltego. Use-case: TON Depth of Market Storm.
Re:doubt Data Source for Maltego is a set of powerful tools for OSINT investigations on the TON blockchain. With the Maltego Transforms for TON, investigators can access advanced re:doubt Cryptocurrency Intelligence combining millions of attribution data points from open source and private intelligence into Maltego.
This enhanced platform enables investigators to de-anonymize transactions and obtain solid evidence on individuals who use cryptocurrencies to launder money, finance terrorism, or carry out drug dealing, extortion and other crimes. It thus supports cryptocurrency forensics and intelligence, providing detailed attribution and transaction risk scoring for cryptocurrency investigations and anti-money laundering (AML) compliance. re:doubt leverages open and closed source blockchain attribution, as well as machine learning and multi-input clustering algorithms, in order to visualize actionable intelligence and help comply with cryptocurrency regulations.
Crypto fraud and scam investigations can be performed from different perspectives. The ultimate goal of online fraudsters is cashing out the stolen funds. Maltego is a powerful tool for link analysis and investigation, and in real-life cases, it can be used together with other specific tools (both free and proprietary) which help an investigator in obtaining additional data and building a complete picture.
Simple use-case: who sells off?
On 26–27 July 2023 our Telegram bot “CEX Funding Alerts” started to signal transfers of significant amounts of TON to exchanges such as OKX, KuCoin, and Huobi. Transaction examples: 1, 2, 3, 4, 5, 6.
You can find many useful bots here, and use our SDK to build your own.
We immediately wondered what would happen next, so we took a look at the TON/jUSDT chart (you can monitor the TON rate on the largest DEXes thanks to our ChartingView product).
Since the main transfers were to the OKX exchange, we took the chart from there for comparison.
We can see a clear drain of coins and a sharp change (a dump) in the exchange rate from 1.35 to 1.28, and the trading volume on the exchange is similar to the volume of coins sent. Two addresses attracted our attention; we will give them the working names “Miner’s Friend” and “Dubai Cryptan”, and you will understand why later.
The story of the “Miner’s Friend” is commonplace for the TON blockchain, so we won’t dwell on it for long.
This address mined about 28 million TON from large and small givers and, through an intermediate address, distributed them to a number of related addresses; in this case, 5 million TON went to the following address, then 3.5 million to this one, and our “Miner’s Friend” ended up with 1.25 million TON. He spends it rather boringly: every month exactly 100k TON goes to OKX, probably for running costs; you can see it yourself in Explorer.
For those especially curious, who want to dig into the pockets of the validators, the full report is here.
As you can see, this particular “miner” has a lot of “friends”, but since the purpose of this article is not to investigate but to show the capabilities of our tools, we will not show in-depth analytics; you can always order them privately.
“Dubai Cryptan” is a much more interesting character, and he distributes coins actively. At first, it was interesting to look at his cash flow, i.e. from which drawer the coins come, and Maltego comes to our rescue.
Just how much did our “Dubai Cryptan” dump into the order book in those two days? Answer: 3.05 million TON from this address alone.
+--------------+-------------+---------+---------------------+
| source | destination | amount | date |
+--------------+-------------+---------+---------------------+
| DubaiCryptan | OKX | 350.00K | 2023-07-26 06:18:43 |
| DubaiCryptan | Huobi | 350.00K | 2023-07-26 09:46:55 |
| DubaiCryptan | OKX | 200.00K | 2023-07-26 19:51:24 |
| DubaiCryptan | OKX | 500.00K | 2023-07-26 22:16:37 |
| DubaiCryptan | Huobi | 250.00K | 2023-07-26 22:17:24 |
| DubaiCryptan | KuCoin | 200.00K | 2023-07-27 10:22:39 |
| DubaiCryptan | OKX | 350.00K | 2023-07-27 19:03:27 |
| DubaiCryptan | OKX | 400.00K | 2023-07-27 21:18:09 |
| DubaiCryptan | KuCoin | 250.00K | 2023-07-27 21:20:38 |
| DubaiCryptan | Huobi | 200.00K | 2023-07-28 07:11:19 |
+--------------+-------------+---------+---------------------+
In reality, many more TON were sold during this period: we tracked all related addresses, the transfers of coins to and from them and to exchanges, and even the transfers between exchanges and the withdrawals from exchanges (and found a “rainy day” stash :) ). But since the purpose of this article is not to investigate but to demonstrate the capabilities of our tools, we will not show all the connections and in-depth analyses; you can always order them privately. The connections are very interesting, from a superficial example or from @cryptotrade, if you know who I mean, to … intrigue …
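As an added illustration (not re:doubt's code or the bot's actual logic), the following Python implements the alert rule the “CEX Funding Alerts” bot is described as firing on and the per-source aggregation behind the table above: flag deposits to known exchange addresses at or above a size threshold, then total the alerted outflow per source and per exchange. The exchange addresses are placeholder labels, and the sample transfers are the table's rows plus two constructed distractors.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed labels: placeholder strings stand in for the exchanges'
# real TON deposit addresses, which this example does not know.
EXCHANGE_LABELS = {"addr_okx": "OKX", "addr_huobi": "Huobi", "addr_kucoin": "KuCoin"}

@dataclass(frozen=True)
class Transfer:
    source: str
    destination: str
    amount_ton: float
    ts: datetime

def _t(src, dst, amount_k, when):
    return Transfer(src, dst, amount_k * 1_000, datetime.fromisoformat(when))

# Constructed sample: the ten DubaiCryptan rows from the table above, plus
# two distractors (a sub-threshold deposit and a transfer to a non-exchange wallet).
SAMPLE = [
    _t("DubaiCryptan", "addr_okx", 350, "2023-07-26 06:18:43"),
    _t("DubaiCryptan", "addr_huobi", 350, "2023-07-26 09:46:55"),
    _t("DubaiCryptan", "addr_okx", 200, "2023-07-26 19:51:24"),
    _t("DubaiCryptan", "addr_okx", 500, "2023-07-26 22:16:37"),
    _t("DubaiCryptan", "addr_huobi", 250, "2023-07-26 22:17:24"),
    _t("DubaiCryptan", "addr_kucoin", 200, "2023-07-27 10:22:39"),
    _t("DubaiCryptan", "addr_okx", 350, "2023-07-27 19:03:27"),
    _t("DubaiCryptan", "addr_okx", 400, "2023-07-27 21:18:09"),
    _t("DubaiCryptan", "addr_kucoin", 250, "2023-07-27 21:20:38"),
    _t("DubaiCryptan", "addr_huobi", 200, "2023-07-28 07:11:19"),
    _t("DubaiCryptan", "addr_okx", 5, "2023-07-27 12:00:00"),        # below threshold
    _t("DubaiCryptan", "addr_unknown", 500, "2023-07-27 13:00:00"),  # not an exchange
]

def cex_funding_alerts(transfers, labels=EXCHANGE_LABELS, min_amount_ton=100_000):
    """Return (transfer, exchange) pairs for exchange deposits at or above the threshold, oldest first."""
    hits = [(t, labels[t.destination]) for t in transfers
            if t.destination in labels and t.amount_ton >= min_amount_ton]
    return sorted(hits, key=lambda h: h[0].ts)

def outflow_summary(alerts):
    """Aggregate alerted volume per source address: total TON and the split per exchange."""
    summary = defaultdict(lambda: {"total_ton": 0.0, "by_exchange": defaultdict(float)})
    for t, exchange in alerts:
        summary[t.source]["total_ton"] += t.amount_ton
        summary[t.source]["by_exchange"][exchange] += t.amount_ton
    return {src: {"total_ton": v["total_ton"], "by_exchange": dict(v["by_exchange"])}
            for src, v in summary.items()}
```

Run on the sample, `outflow_summary` reports the 3.05 million TON the post quotes for this address, split 1.8M to OKX, 0.8M to Huobi and 0.45M to KuCoin, with the two distractors filtered out.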
So why is our cryptan “from Dubai”? For those who haven’t watched the full report, check it out:
PropertyFinder, NeomCity, OmanAir. It’s really interesting.
The system will now automatically monitor any movements at these addresses and prepare its reports.
What are the conclusions? And there won’t be any, make your own :)
P.S. Whilst writing this article, another 300k TON were sent to KuCoin (7/28/2023, 3:44:48 PM, UTC+4) and 350k to OKX (7/28/2023, 4:00:33 PM).