In the last week of November, the saga of an alleged crypto Ponzi scheme that has been lingering for more than half a year took a new turn. A hobbyist blockchain researcher reported on Twitter that he’d tracked almost 200,000 BTC that had gone missing over the summer, when several million people invested in PlusToken — a South Korea-based exchange and a high-yield investment program — found themselves unable to withdraw their money.
The researcher suggested that the embezzled funds have been gradually dumped on crypto exchanges, potentially suppressing Bitcoin market price. Here’s what is known about the monumental scheme that has yet to be officially confirmed.
The greatest exit scam in history
The story of PlusToken is a testament to the fundamental disconnect in contact between the Asian and Western crypto spaces. The platform is believed to have been holding almost $3 billion worth of assets like Bitcoin, Ethereum and EOS when it essentially went bust in June 2019 — and yet, it was not until Aug. 13, when blockchain analytics firm Ciphertrace published its Q2 report, that the story caught the Western audience’s attention.
Even after the true scale of the scheme became evident, it seemed that the collective West was getting updates through a rather narrow bottleneck. Dovey Wan, founding partner of blockchain investment company Primitive Ventures, has become a key source of information on the alleged scam.
Related: What Are the Biggest Alleged Crypto Heists and How Much Was Stolen?
Launched in May 2018, PlusToken offered both a wallet service to store cryptocurrencies and an investment program promising high monthly returns on stored funds, between 8% and 16%. It was primarily marketed in China and South Korea, although Wan reported that the exchange’s customers were also located in Europe and even North America. While the operation boasted a user base of ten million, Ciphertrace estimates that up to 3 million people may have been invested.
The scheme reportedly targeted a mainstream audience of people not particularly savvy with crypto, emphasizing the “educational” component of the operation, which came down to teaching new members how to deposit funds via the PlusToken app.
A telltale sign of a Ponzi scheme was also present: The size of rewards was contingent on recruiting new investors. Members could progress through the internal hierarchy accordingly, earning honorable distinctions such as “Big Boy” and “Great God.” The aggressive expansion campaign also partly relied on lively offline gatherings.
In late June, customers learned that withdrawals via the app were frozen. Around the same time, law enforcement in Vanuatu took action to detain six people involved with the scheme. An announcement immediately appeared on the PlusToken website, stating that the arrested individuals were regular users and not co-founders.
While the six allegedly high-ranking members of the operation found themselves in custody, other purported PlusToken bosses, including a Korean and a Russian, remained at large. The whereabouts of almost $3 billion worth of cryptocurrency remained opaque as well.
Money on the move
On Aug. 14, news emerged that the funds associated with PlusToken were being moved to exchanges. Wan was the one to raise the alarm, citing research by security audit firm PeckShield. A few days later, crypto watchdog Whale Alert pointed to four transactions totaling almost 23,000 BTC that were likely PlusToken proceeds.
However, both claims lack conclusive evidence. Ciphertrace, for instance, refrained from publicly acknowledging that the addresses identified by PeckShield may have belonged to the operation.
On Aug. 23, blockchain research firm Elementus suggested that large sums of Ether associated with the alleged exit scam were also transferred to exchanges, predominantly Huobi. Yet, after this uptick in research and media attention, the issue seemed to have gradually faded from the spotlight.
Related: Criminal Activity in Crypto: The Fact, the Fiction and the Context
Three months later, what can be made out of the new wave of media attention to the matter? Granted, it was not until late November that members of the crypto community first came to suspect that the spoils from the PlusToken scheme could exert considerable selling pressure on the market. According to reports from sources versed in Chinese trader circles, the narrative of the swindled funds’ sell-off driving the Bitcoin price downward has been circulating since at least mid-August.
What’s new is a piece of solid-looking research that emerged in the wake of the latest downward turn in the BTC price cycle. Conducted by a crypto enthusiast who goes by Ergo on Twitter and Medium, the analysis connects some dots in the PlusToken plot by tracing the funds allegedly associated with it and estimating the average pace at which they get dumped into the market.
Coins poorly mixed
Although Ergo presented his recent findings as a series of tweets rather than a more formal writeup, the inquiry builds on the analyst’s previous work reported in a Medium post that appeared on Oct. 23.
The post is a record of the suspicious large-scale activity that the author observed between early August and mid-September. Someone had been depositing huge amounts of Bitcoin into the privacy-focused Wasabi wallet service, which allows several users to mix their digital funds in a single transaction, thus obfuscating the origin of individual coins. Some of the addresses could be traced to individuals already linked to PlusToken.
The analyst described what he saw as “Sybil behavior,” as opposed to a Sybil attack. In both cases, the basic mechanism is that one entity poses as many different ones. If malicious intent toward the service informs such actions, they qualify as an attack, but in this instance, the whale was merely using multiple mixing clients to create the appearance that the money came into a mixer from multiple users. In an attempt to further becloud transaction history, the people in control of the money flows also employed a distinct algorithmic technique known as “self-shuffling.”
According to Ergo, however, “self-shuffling” is actually a traceable process, and the Wasabi mixing was poorly performed, leaving identifiable trails in the form of recurring patterns of post-mix spending. By late October, the researcher was able to track some 54,000 out of the alleged 200,000 BTC linked to the PlusToken scheme that were mixed using these two techniques. The bulk of this sum then went to the Huobi exchange.
Further developments
The tweetstorm that came a month later reports the findings of the continued research effort. Ergo had tracked several more clusters of Bitcoin allegedly linked to PlusToken, bringing the uncovered money total to 187,000 BTC — a figure approaching the estimate of the filched funds.
Assuming early August as the starting point of the sell-off, he also estimated the consequent daily excess of Bitcoin at an average of 1,300 BTC — an amount that looks substantial enough to exert downward pressure on the cryptocurrency’s market price. A few days later, Ergo followed up with an observation that some of the alleged PlusToken-related coins were being further moved from Huobi to Gemini.
One thing that this remarkable investigation falls short of, however, is doing away with what is alleged and instead stating facts before any reference to PlusToken is made in relation to the tracked funds. The starting point of the analysis is a handful of addresses that are widely believed to belong to the PlusToken operation, yet there is neither conclusive evidence nor a firm consensus that this is the case.
Moving from the realm of the probable to a firmer factual ground would require a new piece of indisputable evidence coming to light, most likely originating from law enforcement. For now, the analysis conducted by a lone crypto enthusiast is likely the best the community has to offer in the way of understanding what really happened behind PlusToken’s shiny facade.