
Uncovering a $10 Billion Scheme: BitOK Analysts Investigated Addresses Linked to Hezbollah and Quds Force

On June 27, 2023, the Defense Minister of Israel, Yoav Gallant, announced a significant achievement in stopping the financing of the Hezbollah group and the Quds Force using digital currencies. The operation aimed to seize millions of dollars. But is it really so? Let's delve into the details of this case.
Israel's National Bureau for Combating Terrorism Financing issued two Administrative Seizure Orders (ASO 29/23 and ASO 34/23). These contain information about account numbers on Binance, names, cryptocurrency addresses, emails, and IDs of individuals associated with Hezbollah and the Iranian Quds Force. Interestingly, all the addresses listed in the documents belong to the TRON network (TRC-20).

I. Administrative Seizure Order (ASO 29/23) issued on May 21, 2023

After thorough analysis of the addresses listed in ASO 29/23 (Fig. 1), we have discerned an intricate web of connections among them. These connections manifest either directly or through intermediary addresses.
Figure 1 - Interconnections between addresses from ASO 29/23 dated May 21, 2023
Total turnover within the scheme: $7.7 billion.
Period of address activity: June 10, 2021 - present.

However, it's worth noting that among all the addresses encompassed by Administrative Seizure Order ASO 29/23, the sole address with direct links to each of the others is TWBAPzpPiZarfVsY2BLXeaLhNHurn4wkWG (Fig. 2). This specific interrelation likely played a pivotal role in the decision to include the remaining addresses in the Seizure Order.
Figure 2 - Connections bridging TWBAPzpPiZarfVsY2BLXeaLhNHurn4wkWG and the other addresses outlined in ASO 29/23.
Each of these addresses remains actively engaged in sending and receiving cryptocurrencies through prominent exchanges and platforms (such as Binance, KuCoin, BTCTurk.com, Bybit.com, etc.), both directly and via intermediary addresses.

Furthermore, it's reasonable to infer that a subset of the addresses listed might be associated with unidentified cryptocurrency exchange services. For instance, consider the address TR3W6S94NLJ5yAs8c4ZZXTUsJeUmsZtS4A, which displays typical traits of exchange activities: substantial transaction frequency and volumes, a notable number of transaction counterparts, and a brief interval between deposit and withdrawal actions involving identical cryptocurrency sums.

As stated above, funds from these addresses continue to be channeled into various cryptocurrency exchanges. To illustrate this, let's examine transaction 0244c105a81424924cc0c2f59f279662adede295dc0f019963c97330336614ab and the subsequent money movement (Fig. 3). Importantly, the entire fund transfer process from TWBAPzpPiZarfVsY2BLXeaLhNHurn4wkWG to Binance was completed over a span of 2 days, occurring between May 29, 2023, and May 30, 2023.
Figure 3 - Transfer of funds from TWBAPzpPiZarfVsY2BLXeaLhNHurn4wkWG to Binance.
Initially, the funds were dispatched to the address TN3FAiqhofwZZfPHnbJFZeVtucgEGPaUt9. At this address, the cryptocurrency is mixed with funds originating from significant cryptocurrency exchanges and platforms, including Binance, OKX, KuCoin, Pionex, and others.

Subsequently, these funds are transferred to TV2wfiurVwDpaNK5FKobfHm971hMmMbKUH (txID: 5a71304e8d6e51dd14bb0afc65cf33b59828ee2f158d5df387986113150f10df). Here, a mixing of funds also takes place, including those originating from Binance. From TV2wfiurVwDpaNK5FKobfHm971hMmMbKUH, the funds are directed to TAMkHhPRR4C4QCU7B8X6UNZo5uMUGRCPJi, and from there, they are distributed to three other addresses:


Proceeding from TPgDHdF7vPmzf4Z25ZoxAT3q4xDw9eJ19D, the funds are directed to the deposit address on Binance, namely TLrUZUL11xdfuKgQFE7BYWryUSHTggiP4k.

The remaining portion of the funds then makes its way from the address TPgDHdF7vPmzf4Z25ZoxAT3q4xDw9eJ19D to TTVvA15DymzD6FFYVSVJcFBdpXv1oJMBkp (presumably another deposit address on Binance). Subsequently, the funds reach the Binance hot wallet, TV6MuMXfmLbBqPZvBHdwFsDnQeVfnmiuSi. This scheme reveals that the perpetrators are using a chain of addresses and transactions to conceal their ties to terrorist financing.

As previously mentioned, the Administrative Seizure Order dated May 21, 2023, encompasses a roster of 39 addresses. Among these, several principal counterpart addresses, evidently implicated in the money laundering scheme, are interconnected with the addresses from ASO 29/23. Let's take a closer look at them:

Figure 4 - Interconnected network of ties involving TNRmy9bkRuHcbgxgS6vNkcFPunW8xgXY9D.
Figure 5 - Interconnected network of ties involving TCpsC2K7tBBAPN8FQ9uqv6wAYS5esS4VR2.
Figure 6 - Interconnected network of ties involving TBa1gEwPMPbieSK4Zq2Rw5Wx2MTkhE3F2Y.
Figure 7 - Interconnected network of ties involving TTiHL3uRJksTDygxsaKJLMFuNmzHSvNXSc.
The addresses listed exhibit a significant volume of transactions and activities. Among these addresses, TTiHL3uRJksTDygxsaKJLMFuNmzHSvNXSc, TBa1gEwPMPbieSK4Zq2Rw5Wx2MTkhE3F2Y and TNRmy9bkRuHcbgxgS6vNkcFPunW8xgXY9D are presumed to be deposit addresses, while TCpsC2K7tBBAPN8FQ9uqv6wAYS5esS4VR2 appears to function as an aggregation address.

Particularly noteworthy is the address TNRmy9bkRuHcbgxgS6vNkcFPunW8xgXY9D. This address has direct interactions with TWBAPzpPiZarfVsY2BLXeaLhNHurn4wkWG, which, as previously established, has been blacklisted by Tether.

Now let’s examine instances of money laundering transactions involving funds sourced from the addresses detailed in the May 21, 2023, Order. In these cases, direct transactions occur between the addresses TNRmy9bkRuHcbgxgS6vNkcFPunW8xgXY9D and TWBAPzpPiZarfVsY2BLXeaLhNHurn4wkWG (txID: 7ffc3be5affd90106a6672b87e70f87b8e76b80f31cb41b95122e5b8e3c6b446 and txID: f899e9e12af41949b3601b246fffa2aa76f103c76247651f01ca6004d41f7437). Subsequently, the funds are consolidated within the balance of TNRmy9bkRuHcbgxgS6vNkcFPunW8xgXY9D and then transferred to the address TG2tzRjDHSnuVTq6Z44BAhWhpNvgE299sc (Fig. 8). To obfuscate these activities, funds are also rerouted through three intermediary addresses before reaching TNRmy9bkRuHcbgxgS6vNkcFPunW8xgXY9D, specifically TVdNM7KNez7EinXFkuc57FN6XnNELt4yVq, TE2Xphc9Zvo6stfaqra7wKFqCjbVtK496q and TJunpRjUdinfzgVfFxAwHC5EtZzEegzt5t.
Figure 8 - Funds' path originating from the address TWBAPzpPiZarfVsY2BLXeaLhNHurn4wkWG.
Following this, the cryptocurrency from TG2tzRjDHSnuVTq6Z44BAhWhpNvgE299sc undergoes a sequence of transactions, ultimately arriving at the deposit addresses of significant cryptocurrency exchanges: Binance (TA1RrFRmoDnxGETNzV2gh26kVEzMHPHaYB) and Kraken (TNKGoyPvdaZpE68zawE5fFmvHVxmRpnaVb). Various addresses are involved in this sending process, including TJjY7vFq6Hohr8nAqLL4n9sQDdjKNAsHhv, TDgmVGhQs78XH127bzzXWXFGUdVutGoHkw and TTS1hYDqB8ZwBLTU3etrtSXy6yvjg1VWjM.

Importantly, the entire path of funds transfer from TWBAPzpPiZarfVsY2BLXeaLhNHurn4wkWG to the deposit addresses of Binance and Kraken spans a period of 2 days, occurring from May 22, 2023, to May 23, 2023.

II. Administrative Seizure Order (ASO 34/23) issued on July 05, 2023

Let’s now examine the Administrative Seizure Order ASO 34/23, issued on July 4, 2023, which includes 26 addresses. Interestingly, despite the more recent issuance date, a significant portion of the addresses listed had already ceased operations back in 2022. Nonetheless, in order to gain deeper insight into the situation, we have undertaken an analysis of the behavioral patterns exhibited by these addresses, scrutinized their interactions, and sought to ascertain the ultimate destinations of the cryptocurrency transfers.

In the figure below, you may find an illustration that elucidates the interconnections among the addresses featured in the aforementioned list. To facilitate a step-by-step examination of the addresses associated with Quds Force and Hezbollah, we have also incorporated a selection of addresses from the prior list that have become familiar to us (TWBAPzpPiZarfVsY2BLXeaLhNHurn4wkWG, TR2iVPD66Bm35X1JpEg5Uc8TAvw38iznVF) (Fig. 9).
Figure 9 - Interconnections between addresses from ASO 34/23 dated July 04, 2023.
Total turnover within the scheme: $3.13 billion.
Period of address activity: October 26, 2020 - present.

The majority of addresses within this list exhibit active interconnections. However, three addresses draw attention due to their lack of links with the rest:


The first address (TNT8WTuCoPwuYzScrHwbv5Wzw9XBwu9u3q) directly engages with exchanges, bypassing other addresses on the list. The second address (TY825nrM5GiztWFRQW3JpPUAGuZhWPisSA) has only three transactions totaling $23 USD, which appears quite insignificant. The third address (TCWMveoWyAwkCthHC43nfgbtmAfPGXYhQD), similarly, lacks direct connections to others on the list. However, a noteworthy point is that both aforementioned TY825nrM5GiztWFRQW3JpPUAGuZhWPisSA sent funds to a shared intermediary address (TWpXrN3aDibwAgZospcDhstcSvQuXaBYwJ), which, in turn, interacted with some addresses on the list.

Overall, these three addresses appear to have minimal significance within the scheme and warrant no further extensive investigation.

Shifting focus back to the remaining addresses, a noticeable pattern emerges where a majority serve as intermediaries. Within a concise timeframe, these addresses reroute received funds to aggregation addresses. These aggregation points then consolidate balances from intermediary addresses or directly from senders, engaging in the process of ‘cleaning’ acquired cryptocurrency through prominent exchanges like Binance, Whitebit, OKX, etc. A portion of the funds is also laundered via Iranian cryptocurrency services such as Nobitex.ir, Bit24.cash, Excoino.com, and others. The size of each circle reflects the turnover of the respective address.

Among the aggregation addresses, the following are particularly noteworthy:


To make things easier to understand, let's break down the overall scheme into several sections.

Part I

Let's begin by looking at the interaction between the following addresses (Fig. 10):


It's worth noting that the last two addresses are not included in ASO 34/23 dated July 04, 2023, but they hold direct relevance to the discussed scheme.
Figure 10 - Interconnections between some addresses from ASO 34/23.
Let's start examining the scheme from the address TWvsfLNZrB8xPEeUE5Jzo94MzNYcCZ3ia8. This address directly receives funds from exchanges and other cryptocurrency services (Fig. 11). Subsequently, it rapidly redirects these received funds to two primary addresses:

Figure 11 - Example of transactions involving TWvsfLNZrB8xPEeUE5Jzo94MzNYcCZ3ia8.

Address TK8qQuPSCeQx6AKuqHLX4xycSVFNXGVWQy, besides aggregating funds from TWvsfLNZrB8xPEeUE5Jzo94MzNYcCZ3ia8, also receives cryptocurrency from various counterparts. The scheme for receiving cryptocurrency is particularly interesting (Fig. 12).

Figure 12 - Funds reception by TK8qQuPSCeQx6AKuqHLX4xycSVFNXGVWQy.

A more in-depth analysis of the address TK8qQuPSCeQx6AKuqHLX4xycSVFNXGVWQy reveals interesting behavioral patterns. We’ve observed that it receives cryptocurrency both through intermediary addresses (Fig. 13) and directly from exchanges. Unlike the previous address TWvsfLNZrB8xPEeUE5Jzo94MzNYcCZ3ia8, the distinguishing factor with TK8qQuPSCeQx6AKuqHLX4xycSVFNXGVWQy is that it accumulates balances from multiple preceding transactions before sending the funds to an aggregation address. As we recall, the previous intermediary address instantly forwarded received funds with each individual transaction.

Figure 13 - Example of transactions involving TK8qQuPSCeQx6AKuqHLX4xycSVFNXGVWQy.
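
The two behaviours contrasted above (forwarding each deposit at once versus pooling several deposits before one send), together with the "same sum out shortly after deposit" trait noted earlier for exchange-like addresses, can be told apart from a plain transfer list. The following is an added example, not BitOK's tooling: the address names and amounts are constructed placeholders, and the one-hour window, 1% tolerance and 80% majority threshold are assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Transfer:
    ts: datetime
    src: str
    dst: str
    amount: int  # whole USDT, kept as int so comparisons are exact


def label_outflows(transfers, address, window=timedelta(hours=1), tol=0.01):
    """Label each outgoing transfer of `address` as relay, sweep or other.

    relay: explained by one unspent deposit of (nearly) the same sum that
           arrived at most `window` earlier.
    sweep: drains two or more unspent deposits in a single transfer.
    `window` and `tol` are assumed thresholds, not values from the article.
    """
    unspent, labels = [], []
    for t in sorted(transfers, key=lambda x: x.ts):
        if t.dst == address:
            unspent.append(t)
        elif t.src == address:
            match = next((d for d in unspent
                          if t.ts - d.ts <= window
                          and abs(d.amount - t.amount) <= tol * t.amount), None)
            pooled = sum(d.amount for d in unspent)
            if match is not None:
                unspent.remove(match)
                labels.append((t, "relay"))
            elif len(unspent) >= 2 and pooled >= t.amount * (1 - tol):
                unspent.clear()
                labels.append((t, "sweep"))
            else:
                labels.append((t, "other"))
    return labels


def classify(transfers, address, min_share=0.8):
    """Name the dominant forwarding behaviour of `address`."""
    counts = Counter(label for _, label in label_outflows(transfers, address))
    if not counts:
        return "no outflows"
    top, n = counts.most_common(1)[0]
    if n / sum(counts.values()) < min_share:  # assumed majority threshold
        return "mixed"
    return {"relay": "pass-through", "sweep": "accumulator"}.get(top, "mixed")


def at(minutes):
    return datetime(2023, 1, 1, 12, 0) + timedelta(minutes=minutes)


# Constructed sample; every name is a placeholder, not an address from the page.
SAMPLE = [
    Transfer(at(0), "EXCHANGE_1", "ADDR_A", 5000),
    Transfer(at(4), "ADDR_A", "ADDR_B", 5000),        # forwarded 4 minutes later
    Transfer(at(60), "EXCHANGE_2", "ADDR_A", 1200),
    Transfer(at(66), "ADDR_A", "ADDR_B", 1200),       # forwarded 6 minutes later
    Transfer(at(90), "HOP_1", "ADDR_B", 300),
    Transfer(at(600), "ADDR_B", "AGGREGATOR", 6500),  # one send of the pooled balance
]

if __name__ == "__main__":
    for addr in ("ADDR_A", "ADDR_B"):
        print(addr, classify(SAMPLE, addr))
```
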

There could be several reasons behind this behavior. It’s quite possible that we’re dealing with an unidentified cryptocurrency service, where intermediary addresses potentially function as deposit points. Nevertheless, not all transactions from cryptocurrency exchanges find their way through intermediary addresses before reaching TK8qQuPSCeQx6AKuqHLX4xycSVFNXGVWQy; there are direct transfers as well.

We also can’t rule out the possibility that these intermediary addresses are intentionally set up by the sender of funds. The execution of minor transactions through intermediary addresses could potentially confound blockchain analytics algorithms utilized by cryptocurrency services, as they only establish an indirect link to TK8qQuPSCeQx6AKuqHLX4xycSVFNXGVWQy.

It’s worth noting that roughly 15% of the incoming funds come from Iranian exchanges, which are subject to sanctions in most countries. Such funds can’t easily be deposited into major exchanges, as advanced blockchain analytics systems would quickly flag these transactions as high-risk.

Hence, the possessor of the address employs 'clean' funds acquired from prominent cryptocurrency exchanges. This strategy enables them to blend these resources with other assets, thereby diluting the percentage of high-risk assets in circulation. Consequently, approximately 85% of the funds in the balance of the address TK8qQuPSCeQx6AKuqHLX4xycSVFNXGVWQy were obtained from prominent platforms like Binance, Huobi, OKX, and others.

However, funds from this wallet are not immediately funneled to exchanges; they are instead aggregated at two main addresses:


It’s crucial to underscore once again: even though the address TPH78JPrRRDn9y3uCCW23PNYzJutpL3AKc isn’t mentioned in ASO 34/23, it operates as a central point for aggregating funds received from the address TK8qQuPSCeQx6AKuqHLX4xycSVFNXGVWQy.

Furthermore, approximately 35% of the funds are directed to the address TJXs786aim9pbYmBsYzibx4obAtiMTNyon, which is also not mentioned in either ASO 34/23 or ASO 29/23. Funds from this address are subsequently routed to TN6tJv6hmzDxQSLfAgdJBqXudJWCTusen1, which further channels them to the address of an unidentified service (TBM9rsth7dYNvrE9Yq9CsZQTTiea2njjPW).

The remaining 65% of the funds from these addresses are either directly or indirectly routed to major cryptocurrency exchanges.

This mixing strategy effectively ensures that the proportion of funds from Iranian exchanges within the overall risk profile does not surpass 1% for TUtw7GQJssJ6WtBE1J2xKks7VimKP8m587 and 7% for TPH78JPrRRDn9y3uCCW23PNYzJutpL3AKc.
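
A check that looks only at direct counterparties reports nothing for an address that is funded through an intermediary, which is why exposure has to be followed across hops. The following is an added example, not BitOK's scoring method: it uses a simple proportional model, placeholder names, and constructed amounts chosen so that the shares come out at the 15% and 7% figures quoted in this section.

```python
from collections import defaultdict
from fractions import Fraction


def inbound_index(edges):
    """Map each address to its list of (sender, amount) deposits."""
    inbound = defaultdict(list)
    for src, dst, amount in edges:
        inbound[dst].append((src, amount))
    return inbound


def direct_share(edges, address, flagged):
    """Share of inbound value received straight from a flagged sender."""
    deposits = inbound_index(edges)[address]
    total = sum(a for _, a in deposits)
    hit = sum(a for s, a in deposits if s in flagged)
    return Fraction(hit, total) if total else Fraction(0)


def indirect_exposure(edges, address, flagged, max_hops=6):
    """Share of inbound value that traces back to a flagged sender.

    Proportional model (an assumption of this example): each deposit carries
    the exposure of its sender, weighted by its share of total inbound value.
    """
    inbound = inbound_index(edges)

    def walk(node, hops, path):
        if node in flagged:
            return Fraction(1)
        deposits = inbound.get(node, [])
        total = sum(a for _, a in deposits)
        if total == 0 or hops == 0 or node in path:
            return Fraction(0)  # unknown origin, hop budget spent, or a cycle
        return sum(Fraction(a, total) * walk(s, hops - 1, path | {node})
                   for s, a in deposits)

    return walk(address, max_hops, frozenset())


# Constructed transfer graph (sender, receiver, USDT); names are placeholders.
EDGES = [
    ("SANCTIONED_SVC", "HOP_1", 150),
    ("HOP_1", "COLLECTOR", 150),         # small hop hides the direct link
    ("MAJOR_EXCHANGE", "COLLECTOR", 850),
    ("COLLECTOR", "AGGREGATOR", 700),
    ("OTHER_EXCHANGE", "AGGREGATOR", 800),
]
FLAGGED = {"SANCTIONED_SVC"}

if __name__ == "__main__":
    for addr in ("COLLECTOR", "AGGREGATOR"):
        print(addr,
              "direct:", float(direct_share(EDGES, addr, FLAGGED)),
              "indirect:", float(indirect_exposure(EDGES, addr, FLAGGED)))
```

Limiting `max_hops` trades recall for cost: with a budget shorter than the chain, the walk never reaches the flagged sender and the score drops back to zero.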

The progression of this process subsequently moves towards redirecting these funds to various cryptocurrency services. This is undertaken to confound blockchain analytics algorithms, diminish associations with Hezbollah and the Iranian Quds Force, while also creating the facade of legitimate transactions. As a result, around 90% of the funds are channeled to the most prominent cryptocurrency exchanges. A portion of these funds is then redirected back to Iranian exchanges. To visually depict this process, we have crafted a dedicated illustration (Fig. 14).

Figure 14 - Overview of the funds transfer process to crypto exchanges.

Figure 15 illustrates the process of distributing substantial cryptocurrency balances through a series of minor-volume transactions across numerous intermediary addresses. It’s important to note that some of these intermediary addresses are likely deposit addresses for cryptocurrency services where the funds find their destination. This is supported by preceding transactions revealing the identification of deposit addresses (Fig. 16).

However, the usage of intermediary addresses by malicious entities also fulfills another objective. It allows them to sever direct connections with the initial addresses, enabling the indirect movement of substantial sums while evading the attention of automated compliance algorithms employed by cryptocurrency exchanges.

It’s worth mentioning that we cannot rule out the possibility that addresses TK8qQu…, TUtw7…, TPH7… belong to an unidentified cryptocurrency service. In such a scenario, these addresses could serve as operational addresses of the service through which fund withdrawals on behalf of users were executed. Nonetheless, Israeli law enforcement agencies have designated these addresses as linked to the activities of Hezbollah and Quds Force. While the prospect of marking errors exists, for the purposes of our investigation, we will assume that all funds contained within these addresses are indeed connected to the aforementioned organizations.

Figure 15 - Example of transactions involving TUtw7GQJssJ6WtBE1J2xKks7VimKP8m587.

Figure 16 - Example of transactions involving TUtw7GQJssJ6WtBE1J2xKks7VimKP8m587.
We have also investigated TSzUJkJjBJ7myGhtfGrAZYt6TS7JzV1cuL. This address is likely fulfilling the role of a deposit location for the Iranian service excoino.com. Our analysis of its transaction history reveals a predominant pattern where nearly all transactions (99.9%) are characterized by transfers originating from the CoinEx.com exchange and being directed towards the Iranian service excoino.com (Fig. 17). There’s just a single transaction that doesn’t fit this pattern, while being linked to the address TUtw7GQJssJ6WtBE1J2xKks7VimKP8m587 we’re investigating. This suggests that the account related to the sender’s address at CoinEx.com (TSzUJkJjBJ7myGhtfGrAZYt6TS7JzV1cuL) is closely connected to the larger money laundering framework.
Figure 17 - Example of transactions involving TSzUJkJjBJ7myGhtfGrAZYt6TS7JzV1cuL.

Part II


Now let's examine the interaction of the following addresses (Fig. 18):

Figure 18 - Interconnections between some addresses from ASO 34/23.

We'll start with the address TY3TUu4RwSDmUqQAbQ66vU3tRdkqPC19M4. This is the intermediary address from which funds are later directed to the addresses THBPKbkuVSxNG7cq8bAvicrTm2YpMMZVKQ and TMmEYcSL4KhzJuYpRH16aLsG16YoFyYKUq (Fig. 19). Most funds from THBPKbkuVSxNG7cq8bAvicrTm2YpMMZVKQ also end up on TMmEYcSL4KhzJuYpRH16aLsG16YoFyYKUq.
Figure 19 — Example of transactions involving TY3TUu4RwSDmUqQAbQ66vU3tRdkqPC19M4.

The address TMmEYcSL4KhzJuYpRH16aLsG16YoFyYKUq has been active since November 6, 2021, and keeps operating. Over time, it has used different addresses to gather funds.

The largest counterparties in terms of volume are TVPK634J7TSsB5mpv7wQuXB3uKHNBgYzfq and TBEvhxtcaCN1gzhGNpfoLCgeKRQckEsimR. While these addresses were previously used to send funds to cryptocurrency services, their peak activity was in 2022.

Currently, our primary interest lies in more recent addresses that are still active, yet not mentioned in the Orders ASO 34/23 and ASO 29/23. These addresses are TPP2NR1QxqKGwNHoki1svj2vC42Hsv7DS3 and TEgZr9tHVz1k1UxqPWkAN6XPnDa4yu7NB1. Both addresses aggregate funds from the aforementioned TMmEYcSL4KhzJuYpRH16aLsG16YoFyYKUq, as well as independently receive funds from other counterparts. Subsequently, they directly channel these funds to cryptocurrency services, as depicted on the right side of the scheme (Fig. 18).

In short, the funds aggregated on the addresses TPP2NR1QxqKGwNHoki1svj2vC42Hsv7DS3 and TEgZr9tHVz1k1UxqPWkAN6XPnDa4yu7NB1 are subsequently directed towards cryptocurrency exchanges (Fig. 20).

Figure 20 - How funds are sent to cryptocurrency exchanges.


Let's conduct a detailed analysis of a specific transaction, tracking its journey from its point of origin to its eventual destination address within the cryptocurrency platform. We're referring to the latest transfer from the address TMmEYcSL4KhzJuYpRH16aLsG16YoFyYKUq on July 30, 2023, for an amount of 1000 USDT (txID: 2e10ed3e4b6da5d3ec2790bad0f6e0e99596603fac6b17a88c52a074cec47833). Below is a visual scheme for better understanding (Fig. 21).

Figure 21 - Funds flow from TMmEYcSL4KhzJuYpRH16aLsG16YoFyYKUq.


By tracing the dates and transaction amounts from the address TMmEYcSL4KhzJuYpRH16aLsG16YoFyYKUq we have discovered that shortly before the withdrawal, an equivalent amount was deposited from the address TVrCuogYvLPKfUUHoaLypo9sYh5sQPZvES. Clearly, the address TVrCuogYvLPKfUUHoaLypo9sYh5sQPZvES acts as an intermediary in this transaction (Fig. 22).

Figure 22 — Example of transactions involving TVrCuogYvLPKfUUHoaLypo9sYh5sQPZvES.


We can see that the funds were received from the KuCoin exchange (TUpHuDkiCCmwaTZBHZvQdwWzGNm5t8J2b9). Approximately 14,000 USDT still remain on this address without movement.

After determining the origin of the funds, the next step is to find out where the funds were ultimately sent. Through analysis of transaction dates and amounts, we successfully determined that the funds were directed to the address TNVGqbptZMogW5JHCkh49mmgrm9rvgoj83. We believe this address is a deposit address on the Binance exchange — that’s where the funds originated from two addresses (one of which was examined earlier). Later, the funds were aggregated on Binance’s hot wallet, TV6MuMXfmLbBqPZvBHdwFsDnQeVfnmiuSi (Fig. 23). Notably, this transaction occurred after the publication of ASO 34/23.

Figure 23 — Example of transactions involving TNVGqbptZMogW5JHCkh49mmgrm9rvgoj83.


Further examination of the intermediary address TNVGqbptZMogW5JHCkh49mmgrm9rvgoj83 has revealed more intriguing transactions. We’ve observed its interaction with two aggregation addresses discussed in the previous scheme (TPP2NR1QxqKGwNHoki1svj2vC42Hsv7DS3, TEgZr9tHVz1k1UxqPWkAN6XPnDa4yu7NB1). Moreover, this intermediary address has also engaged with TLCtpbmULLYVR6B6ztKpB5ZEZfuPiVdiSX — a previously unknown entity within our investigation (Fig. 24).

Figure 24 - Funds flow to cryptocurrency exchanges.


By examining the relationships between these addresses, intriguing connections come to light:

  • For instance, the Binance deposit address (TNVGqbptZMogW5JHCkh49mmgrm9rvgoj83) receives transactions from multiple addresses displayed. All funds subsequently funnel into Binance's hot wallet (TV6MuMXfmLbBqPZvBHdwFsDnQeVfnmiuSi). In this case, the deposit address is utilized by a single entity, presumably having a direct affiliation with the cryptocurrency laundering scheme.


  • Despite being part of Seizure Orders, these addresses continue to receive funds from exchanges, either directly or indirectly. This could be due to inadequate blockchain analytics systems used by cryptocurrency services, which might have failed to timely identify high-risk clusters. Alternatively, these services might intentionally accept high-risk assets into their accounts.

All these transactions are recent, and the majority of these addresses have not yet triggered red flags from Israeli law enforcement entities – they continue to actively engage in transactions with addresses listed within the Seizure Orders.

Part III


In the final scheme (Fig. 25), we will explore transactions linked to the address TVoJZwG6SZrpk2Y11w2WW54HyvJmKTkeqG. Interestingly, this address holds the highest percentage of cryptocurrency received from Iranian cryptocurrency platforms (approximately 25%) when compared to all other addresses encompassed within ASO 34/23 (Fig. 26).
Figure 25 - Funds flow to Iranian cryptocurrency platforms.

Figure 26 - Receiving and sending exposure of TVoJZwG6SZrpk2Y11w2WW54HyvJmKTkeqG.


  • Approximately 81% of all funds are directed either directly or indirectly to major cryptocurrency exchanges (Binance, OKX, KuCoin, CoinEx, Huobi, etc.);
  • Similarly, around 15% of all funds are channeled to Iranian cryptocurrency exchanges (Nobitex.ir, Bitpin.ir, AbanTethet.com, Wallex.ir, etc.).

Other addresses on the list either entirely mirror the behavioral patterns of addresses previously discussed or lack clearly structured patterns.

For instance, the following addresses fall into the first category:


A portion of the balances of these addresses aggregates on TXtdCEdrMxTd8my6iT1fDzqwaDsHnu1mXY (an address not listed in ASO 34/23 and ASO 29/23). Subsequently, funds are directed either to exchanges using previously discussed techniques or forwarded to other addresses marked on the scheme.

The address TU3bxJ7FRpwsfwwc7bQLa9Jr89e7UzWB3m serves as an example of the second category. Such addresses aren't intermediary addresses and lack repeating behavior patterns. Instead, they directly interact with both exchange addresses and other addresses. Transactions on them are diverse. These addresses likely belong to unidentified cryptocurrency services that continue their operations even after being added to the Seizure Orders.

We should also note the following addresses:


These addresses have conducted only a small number of transactions (up to 3) involving modest amounts. These transactions involve the transfer of funds to addresses linked with cryptocurrency services. Therefore, they do not hold significance in our investigation.

Key Findings

After a thorough examination of the addresses listed in the Administrative Seizure Orders ASO 34/23 and ASO 29/23, the BitOK analytics team has successfully uncovered a cryptocurrency laundering scheme that effectively exploited vulnerabilities within blockchain analytics systems and utilized fund mixing techniques.

Despite the intention of Israeli authorities to seize the funds outlined in the Orders, indirect indications suggest that these assets might not have been frozen. Notably, numerous addresses listed in the Orders remain active, persistently engaging in transactions involving major cryptocurrency exchanges (OKX, Kraken, Binance, etc.). Another portion of the funds continues to traverse through addresses associated with Iranian cryptocurrency exchanges (Nobitex.ir, Bitpin.ir, AbanTethet.com, Wallex.ir, etc.). One might assume that the funds were frozen after arriving on the exchanges. However, considering that funds were repeatedly entering the same exchange addresses, we believe this is not the case.

To mislead the compliance services of cryptocurrency exchanges, malicious actors actively employed intermediary addresses for fund mixing. Subsequently, these mixed funds were dispersed across multiple addresses prior to being directed towards cryptocurrency exchange addresses.

Our findings demonstrate that a significant proportion of laundered assets eventually accumulates within addresses affiliated with Binance (TNVGqbptZMogW5JHCkh49mmgrm9rvgoj83, TPR49qLrcxc4iq4QebmetrxPQW5p5XP7FS, TLrUZUL11xdfuKgQFE7BYWryUSHTggiP4k, TTVvA15DymzD6FFYVSVJcFBdpXv1oJMBkp, TA1RrFRmoDnxGETNzV2gh26kVEzMHPHaYB).

We suspect that some of the utilized addresses may belong to various unidentified cryptocurrency exchange services, as they exhibit typical behavioral patterns associated with such services: high transactional activity and volumes, a large number of counterparties, and a short time gap between deposit and withdrawal of the same cryptocurrency amount.

These addresses are likely to continue their activities in the future. Hence, it's crucial to monitor them to prevent further money laundering. The BitOK team will continue to oversee the situation and enhance monitoring systems to prevent similar incidents in the future.
