K99 Pig Butchering Investigation
Live monitoring of a pig-butchering scam network with 100+ active operators and $1.3 billion traced to five exchanges.
Pig butchering is a long-con scam built around fake crypto investment platforms. The scammer builds a relationship first, sometimes over weeks or months. They are patient. When they finally bring up investing, the victim trusts them. The platform looks real. Early withdrawals work. That is intentional. Once the victim has put in enough money, the platform stops responding and the scammer disappears.
The name comes from a Chinese phrase, sha zhu pan, which translates roughly to "fattening the pig before slaughter." Losses from pig-butchering operations run into the billions annually. Most victims do not report it.
K99 is not one scammer. It is a platform that sells the infrastructure to other scammers. An operator pays for a slot on the K99 network, receives access to ready-made fake investment platforms, and then runs their own victims through them. K99 takes a percentage of every deposit. By the time a victim realizes something is wrong, the money has already moved through several layers and landed at a major exchange.
The U.S. Treasury sanctioned K99 in April 2026, making it illegal for American entities to process transactions for the network. Seven days after the sanction took effect, K99 operators built new wallets and kept going.
Every K99 operator gets set up the same way. A central wallet sends exactly 138,138 tokens to each new operator address before they go active. The tokens are camouflaged as gambling transactions, which causes most blockchain monitoring tools to ignore them. We identified that pattern and built a watcher around it. When the central wallet sends that specific token amount to a new address, the watcher logs it and checks whether victim funds have arrived. The feed below is that watcher running live.
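The watcher logic described above can be sketched as follows. This is an added illustration, not the investigators' code: the central wallet address, the marker token name and every transfer record are constructed placeholders, and only the 138,138 amount comes from the page.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional

SETUP_AMOUNT = Decimal("138138")            # marker amount stated on the page
CENTRAL_WALLET = "T_CENTRAL_PLACEHOLDER"    # assumption: address not given on the page
MARKER_TOKEN = "MARKER_PLACEHOLDER"         # assumption: token not named on the page


@dataclass
class Transfer:
    ts: int              # unix seconds
    token: str
    sender: str
    recipient: str
    amount: Decimal


@dataclass
class OperatorSlot:
    address: str
    provisioned_at: int
    usdt_in: Decimal = Decimal("0")
    first_deposit_at: Optional[int] = None


def watch(transfers):
    """Replay transfers in time order; return {address: OperatorSlot}."""
    slots = {}
    seen = set()  # addresses that appeared in any earlier transfer
    for t in sorted(transfers, key=lambda x: x.ts):
        marker = (t.sender == CENTRAL_WALLET and t.token == MARKER_TOKEN
                  and t.amount == SETUP_AMOUNT)      # exact match, no tolerance
        if marker and t.recipient not in seen:
            slots[t.recipient] = OperatorSlot(t.recipient, t.ts)
        elif t.token == "USDT" and t.recipient in slots:
            slot = slots[t.recipient]
            slot.usdt_in += t.amount
            if slot.first_deposit_at is None:
                slot.first_deposit_at = t.ts
        seen.update((t.sender, t.recipient))
    return slots


def active_operators(slots):
    """Provisioned slots that have since received USDT."""
    return sorted(a for a, s in slots.items() if s.first_deposit_at is not None)


# Constructed sample feed (not real chain data).
SAMPLE = [
    Transfer(100, MARKER_TOKEN, CENTRAL_WALLET, "T_OP_A", Decimal("138138")),
    Transfer(110, MARKER_TOKEN, CENTRAL_WALLET, "T_OP_B", Decimal("138138")),
    Transfer(120, MARKER_TOKEN, CENTRAL_WALLET, "T_OTHER", Decimal("138000")),  # near miss
    Transfer(130, "USDT", "T_VICTIM_1", "T_OP_A", Decimal("5000")),
    Transfer(140, "USDT", "T_VICTIM_2", "T_OP_A", Decimal("12500.50")),
    Transfer(150, "USDT", "T_VICTIM_3", "T_OTHER", Decimal("900")),
    Transfer(160, MARKER_TOKEN, CENTRAL_WALLET, "T_VICTIM_1", Decimal("138138")),  # not a new address
]

if __name__ == "__main__":
    for addr, s in watch(SAMPLE).items():
        print(addr, "provisioned", s.provisioned_at, "USDT in", s.usdt_in)
```

Amounts are compared as `Decimal` values so that a near-miss amount or a float rounding artifact never registers as a provisioning event.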
Victim deposits land at OKX first. From there, money moves through a cluster of unlabeled intermediate accounts and exits at Binance ($1.09 billion traced) and Bitget ($27.5 million). That is the operator rail, the path victim money takes from the fake platform to a major exchange.
There is a second path. K99 collects a commission from every operator slot. That commission money pools separately, moves through a relay, and arrives at KuCoin, where we traced $225 million-plus. A fifth exchange, Bybit, sits at the end of another commission chain that was still receiving deposits on May 23, 2026.
The money moves in USDT, a cryptocurrency pegged one-to-one to the U.S. dollar and running on the TRON blockchain. Every account that received K99 funds did so at a regulated exchange with KYC verification. These are not anonymous accounts. The exchanges know who holds them.
Five exchanges, five prior DOJ settlements
Each exchange below holds verified account records for the wallets receiving K99 proceeds, and each reached a settlement with the Department of Justice before the K99 sanction took effect.
When the Treasury sanctioned K99 in April 2026, each of the five exchanges holding K99 funds was already operating under a prior Department of Justice settlement. OKX settled for $504 million in 2024. Binance settled for $4.3 billion in 2023. KuCoin settled for $297 million in 2024. The legal obligations were already in place. The network kept running regardless.
After the sanction, K99 added layering. A 10-hop chain now routes funds from Binance through a series of intermediate wallets, using structured deposits of $99,990 paired with $10 to obscure the amounts. The money exits into the same designated K99 wallets at the end. On May 23, 2026, one of those wallets received $200,000.
[Flow diagram: K99 money flow. Node captions recovered from the diagram, in page order:]
sends 138,138 tokens to each new operator slot · disguised as gambling traffic
collect victim USDT · pay commissions to treasury
TLaGjwhvA8X · $190M USDT
deployed 2025-11-27 · 2.48M combined txns · all unlabeled
TDqSquXBgUC · $1.09B
TJ7hhYhVhax · $27.5M
TSjYrKSiQM8 · 86,201 operator deposits
created 2026-01-14
TUpHuDkiCC · $225M+
active as of May 23 · receiving deposits today
TU4vEruvZwLL · $172M USDT live
Routes K99 victims, Canadian bank phishing, and crypto credential theft across 10 fraud tracks. Returns a 32-byte blank to bots. Cert issued April 9, 2026, fourteen days before the OFAC designation.
Key Addresses
Finding 1 — $190M USDT Treasury Identified
The cashout aggregator TLaGjwhvA8XQYSxFAcAXy7Dvuue9eGYitv holds $190,644,472 USDT — not a relay account. 2,230 transactions in from K99 operators. Fans out to 206 unique hop wallets in a classic layering pattern.
Finding 2 — Cashout Rail: OKX → Binance + Bitget
The $190M "treasury" is OKX Hot Wallet 8. K99 operators deposit victim USDT directly to OKX. OKX routes withdrawals through unlabeled OTC intermediaries to Binance-Hot 7 ($1.09B) and Bitget 9 ($27.5M). Three OFAC-compliant exchanges — all with KYC programs — are the cashout rail. OKX settled with DOJ for $504M in 2024. Binance for $4.3B in 2023. Both have legal obligations under the K99 designation.
Finding 3 — OTC Desk Identified: Pre-Existing Platform, Not K99-Specific
TVgXg14B is not a K99-purpose wallet. It was deployed on 2025-11-27 — five months before the K99 OFAC designation. It has processed 181,040 transactions total. A sister wallet, TATu34 (172,958 transactions), was deployed on the same day. They form a two-wallet OTC cluster that serves multiple criminal networks, not just K99.
An upstream collection aggregator, TKzjgap1y7, was established in March 2024 — 20 months before the OTC cluster. It aggregates small victim payments ($142–156 USDT from many sources) into bulk batches and forwards them upstream. It sent $8,200,000 to TATu34 in a single transaction.
TVgXg14B routes through three confirmed paths to the terminal exchanges. None of these are labeled by Chainalysis or TRM Labs.
Finding 4 — Leadership Rail: Commission Treasury Traces to KuCoin
K99 operates two completely separate cashout rails. Operators route victim funds through OKX and Binance. Leadership routes commission proceeds through a different chain entirely — terminating at KuCoin 4.
The commission treasury has received 86,201 inbound transactions from operator wallets. It routes outflows through a relay address created January 2026 directly to KuCoin's hot wallet. $225M+ traced through this path. KuCoin signed a DPA with DOJ in 2024 and paid $297M in penalties. KuCoin holds the KYC for the account receiving from TL2D5.
Finding 5 — Post-OFAC Evasion: New Infrastructure Built 7 Days After Designation
OFAC designated K99 on April 23, 2026. Seven days later, two new wallets appeared: TC7JDFLVgxLs63 and TL67Q8K. TL67Q8K has routed $15.2M through the commission chain since April 30. Last confirmed activity: May 20, 2026 — three days before this report.
Six operator/regional wallets sent structured $1M payments to TL67Q8K after the designation. TC7JDFLVgxLs63 ran a 27-minute round-trip test on April 30 ($344K: commission treasury → new wallet → collection relay → back to treasury), confirming the new infrastructure before deployment.
Finding 6 — Full Infrastructure: 14-Wallet Cluster, 2.48M Transactions
The November 27, 2025 deployment was not two wallets. It was a coordinated buildout of at least 14 wallets, all created the same day, each accumulating 160,000–184,000 transactions. Every member routes to the same Binance consolidation hub (TTw2bdsmH). Combined transaction volume across the cluster: ~2.48 million. No blockchain analytics tool has labeled any of them.
The Binance hub (TTw2bdsmH) is active today. It receives from 12 Nov-27 cluster members, the Bitfinex exchange (interexchange settlement — not criminal involvement), and TN12qS4gM6 — now confirmed as the ha138.com Chinese hash gambling platform. Two independent criminal networks share the same Binance exit relay.
Finding 7 — Shared Criminal Infrastructure: TTw2bdsmH Serves Multiple Networks
The Binance consolidation hub (TTw2bdsmHhQ9YRLSsFanpHBvgGobGVoFni) is not K99-exclusive. At least two independent criminal operations route proceeds through it to Binance-Hot 7. The hub functions as a shared criminal utility — a neutral relay that aggregates from any source.
The second confirmed network is the ha138.com Chinese hash gambling platform, operating through wallet TN12qS4gM6. Created June 23, 2025 — five months before the Nov-27 K99 cluster. Over 4 million lifetime transactions. $2,539,836 into TTw2bdsmH in the last 200-transaction sample. Zero blockchain analytics coverage.
Finding 8 — Vigorish Viper TDS Pre-Staged 14 Days Before OFAC Designation
certifierifball.xyz (34.196.13.28, AWS us-east-1) is a live Vigorish Viper Traffic Distribution System with a Let's Encrypt certificate issued April 9, 2026 — 14 days before OFAC designated K99 on April 23. New post-OFAC evasion wallets appeared April 30. K99 was pre-staging replacement infrastructure before the designation landed.
The TDS returns HTTP 200 with a 32-byte blank HTML body to all unauthenticated probes — bot-detection evasion. Real victims arriving via phishing links are fingerprinted and routed to credential-harvesting payloads. The predecessor domain poetmodificative.xyz shares the same TLS thumbprint (a44164aa73f232...) and was active from 2026-02-10. A second active domain, morosenesscontract.xyz, predates both — SSL cert issued 2025-11-19. All three are the same rotating TDS infrastructure.
Finding 9 — Same TDS Routes Canadian Bank Phishing Alongside K99
The Vigorish Viper TDS at certifierifball.xyz routes multiple fraud campaigns simultaneously. Today (2026-05-23), 211 urlscan hits show it actively routing victims from Canadian financial institution lure domains through the TDS fingerprinting layer to credential harvesting payloads. These are not K99 pig-butchering targets — they are separate fraud tracks on shared TDS infrastructure.
The lure domain scotiaonline-scotiabank.com resolves to the TDS IP (34.196.13.28). Arriving traffic is redirected to certifierifball.xyz/?k=<token>.<base64("auth-scotiaonline-scotiabank.com")>. The TDS routes verified human visitors to the payload server (91.215.85.196, nginx 1.22.1). Bots receive the 32-byte blank. The Scotiabank phishing page presents a full credential capture form: username/card number and password. The campaign has been running since September 2020. The TDS rotated to certifierifball.xyz in February 2026.
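Because the redirect carries the lure domain inside the `k` parameter, proxy or DNS-filter logs can be searched for the structure rather than for one TDS hostname, which keeps working when the TDS domain rotates. The following is an added example, not code from the investigation; the token value, the log line layout, the `.example` hosts and the handling of stripped padding and the URL-safe alphabet are assumptions.

```python
import base64
import binascii
import re
from urllib.parse import unquote, urlsplit

LURE_PREFIX = "auth-"                      # prefix shown in the page's example
HOSTNAME_RE = re.compile(r"^(?=.{4,253}$)[a-z0-9-]+(\.[a-z0-9-]+)+$")


def _query_param(query, name):
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            return unquote(value)          # not unquote_plus: '+' is valid base64
    return None


def decode_lure(url):
    """Return (tds_host, lure_domain) for a /?k=<token>.<base64> URL, else None."""
    parts = urlsplit(url)
    k = _query_param(parts.query, "k")
    if not k:
        return None
    token, dot, blob = k.rpartition(".")   # base64 never contains '.'
    if not (token and dot and blob):
        return None
    blob = blob.replace("-", "+").replace("_", "/")   # accept URL-safe alphabet
    blob += "=" * (-len(blob) % 4)                    # restore stripped padding
    try:
        text = base64.b64decode(blob, validate=True).decode("ascii").lower()
    except (binascii.Error, UnicodeDecodeError):
        return None
    if not text.startswith(LURE_PREFIX):
        return None
    lure = text[len(LURE_PREFIX):]
    return (parts.hostname, lure) if HOSTNAME_RE.match(lure) else None


def scan_proxy_log(lines):
    """Lines are '<timestamp> <client_ip> <url>'; return [(client_ip, tds_host, lure)]."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) != 3:
            continue
        decoded = decode_lure(fields[2])
        if decoded:
            hits.append((fields[1], *decoded))
    return hits


def _k(domain, token="tokPLACEHOLDER"):
    """Build a constructed k value; the real token format is not described on the page."""
    b64 = base64.b64encode((LURE_PREFIX + domain).encode()).decode()
    return token + "." + b64.rstrip("=")


# Constructed proxy log lines (not captured traffic).
SAMPLE_LOG = [
    "2026-05-23T10:00:01Z 10.0.0.5 https://certifierifball.xyz/?k=" + _k("scotiaonline-scotiabank.com"),
    "2026-05-23T10:00:09Z 10.0.0.7 https://shop.example/search?k=shoes.size9",
    "2026-05-23T10:01:30Z 10.0.0.9 https://rotated-tds.example/?k=" + _k("lure-bank.example"),
    "2026-05-23T10:02:00Z 10.0.0.5 https://news.example/?id=42",
]

if __name__ == "__main__":
    for client, tds_host, lure in scan_proxy_log(SAMPLE_LOG):
        print(client, "->", tds_host, "lure:", lure)
```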
K99 pig-butchering and multi-institution Canadian bank phishing run on the same Vigorish Viper TDS. These are distinct fraud tracks, not the same campaign. The shared infrastructure confirms the K99–Vigorish Viper operational relationship documented in prior findings. The four OFAC-compliant exchanges holding K99 proceeds (OKX, Binance, Bitget, KuCoin) may also hold accounts for the banking credential buyers downstream.
Finding 10 — K99 Pig-Butchering Lure Domain Confirmed on Shared TDS Infrastructure
tytgalateafounding.com is a K99 pig-butchering lure domain. It shares the complete CNOBIN infrastructure fingerprint with all confirmed K99 domains: same registrar (CNOBIN INFORMATION TECHNOLOGY LIMITED, IANA 3254), same nameservers (NS1/NS2.PQL.NET), same IP (34.196.13.28 — the TDS host), and serves the identical Vigorish Viper TDS fingerprinting JavaScript. When a victim visits the lure, the page captures timezone, cookie state, and referrer, then routes them through certifierifball.xyz TDS for validation. The investment platform is gated — only TDS-authenticated human victims see it.
The FlowSpirit trojan (jingling.exe, 52/72 VT detections) contacts poetmodificative.xyz — the predecessor TDS domain sharing TLS thumbprint a44164aa73f232... with certifierifball.xyz. This malware is an ad fraud tool that clicks casino CPA campaigns via clickvova.com. Vigorish Viper TDS sells routing capacity to multiple criminal operators simultaneously: K99 pig-butchering, Canadian bank phishing, and ad fraud malware. The same 32-byte bot-detection response gates all three tracks.
Finding 11 — Coinbase and Trust Wallet Credential Phishing on K99 TDS Infrastructure
Three Coinbase phishing domains and a Korean-language Trust Wallet clone are registered on the identical K99 infrastructure fingerprint: CNOBIN INFORMATION TECHNOLOGY LIMITED registrar, NS1/NS2.PQL.NET nameservers, and IP 34.196.13.28 — the Vigorish Viper TDS host. All route through certifierifball.xyz. The TDS validates real human victims before passing them to the phishing payloads, blocking all automated scanning.
The Trust Wallet clone served Korean-language content — wallet swap, staking, NFT, and security sections. Korean crypto users are the target demographic. Pig-butchering operations use the same Trust Wallet phishing playbook: build a relationship, push the victim toward "investment," have them connect or import a wallet to a cloned interface, drain it. The three Coinbase phishing domains use a numeric account-reference naming pattern (<7-digit>-coinbase.com) to make URLs appear legitimate. Cloudflare fronts the payload servers; the TDS acts as the authentication gate that keeps scanners out and victims in.
Every domain in this finding shares the CNOBIN / NS1.PQL.NET / 34.196.13.28 fingerprint with all confirmed K99 lure domains. This is the same operator. Same registrar. Same nameservers. Same TDS host. Same routing system. Separate fraud tracks; one operator.
Finding 12 — CryptVista: K99 Pig-Butchering Investment Platform Identified
cryptvista.com is a K99 pig-butchering investment platform. It was served through the Vigorish Viper TDS (morosenesscontract.xyz predecessor) and confirmed active in early 2025. The platform presents as a professional crypto exchange with fake press coverage (Forbes, Bloomberg, TechCrunch, Wired, Business Insider), fabricated statistics (3M+ users, $173M+ daily turnover, 61M+ transactions), and a polished mobile interface showing unrealistic portfolio returns.
Additional DeFi and wallet platforms served on the same TDS infrastructure: web-mellowfinance.com (Mellow Finance DeFi clone, Cloudflare-gated), web-safepal.com (SafePal hardware wallet clone), web-solvfinance.com (Solv Finance DeFi clone), app-trustwebwallet.com (Trust Wallet Korean clone). These are parallel pig-butchering lure platforms or wallet drain endpoints on the same CNOBIN/Vigorish Viper infrastructure.
Four structured feeder wallets routing to TL67Q8K (post-OFAC aggregator) were all built during 2025 — 154 to 443 days before OFAC designation. OFAC designation did not trigger wallet rotation at the feeder level. K99 only inserted one new aggregator layer (TL67Q8K, April 30, 2026). All four feeders continued operating:
Finding 13 — Bybit Confirmed as K99 Cashout Rail (Fifth Exchange)
The commission aggregator chain from TLKYW3 terminates at a confirmed Bybit hot wallet. TronScan public tag: Bybit. The path: TLKYW3 (K99 feeder, still active) routes $20K–50K payments every few days to an intermediate aggregator (TVuJJihhaVPvMVsD88mtdUsd1G9LGeCbvS), which routes 100% of its outflows to the Bybit hot wallet. $720K confirmed in a 20-transaction sample. Bybit holds $172M USDT + $67M TRX on this address as of 2026-05-23.
Finding 14 — Post-OFAC 10-Hop Layering Chain: Binance Hot 4 → TLKYW3
K99 operators withdrew funds from Binance through a 10-hop layering chain terminating at TLKYW3 (K99 OFAC-designated feeder). All wallets in the chain were created post-OFAC (2026-03 through 2026-05-15). The final layer uses structuring: $99,990 + $10 in paired deposits. Binance Hot 4 appears at two injection points in the cluster — direct relay injection and a separate second-path injection — consistent with a K99 operator cycling funds through Binance accounts.
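The $99,990 + $10 structuring described here, and in the layering summary near the top of the page, can be screened for by pairing a large and a small deposit to the same recipient that together make a round figure. This is an added example, not the investigators' tooling; it generalizes to any multiple of $100,000, and the pairing window, the small-leg ceiling and all sample records are assumptions.

```python
from decimal import Decimal

ROUND_UNIT = Decimal("100000")   # 99,990 + 10 (the pair on the page) sums to this
MAX_SMALL_LEG = Decimal("100")   # assumption: upper bound for the small leg
WINDOW_SECONDS = 600             # assumption: both legs arrive within 10 minutes


def find_structured_pairs(deposits):
    """deposits: iterable of (ts, sender, recipient, amount as Decimal).

    Returns [(recipient, large_amount, small_amount)] for every large/small
    pair to the same recipient, inside the window, that sums to a multiple
    of ROUND_UNIT. Each deposit is used in at most one pair.
    """
    by_recipient = {}
    for d in sorted(deposits, key=lambda d: d[0]):
        by_recipient.setdefault(d[2], []).append(d)

    hits = []
    for recipient, rows in by_recipient.items():
        used = set()
        for i, (ts_l, _, _, large) in enumerate(rows):
            if i in used or large <= MAX_SMALL_LEG:
                continue
            for j, (ts_s, _, _, small) in enumerate(rows):
                if j in used or j == i or not (0 < small <= MAX_SMALL_LEG):
                    continue
                if abs(ts_s - ts_l) > WINDOW_SECONDS:
                    continue
                if (large + small) % ROUND_UNIT == 0:
                    hits.append((recipient, large, small))
                    used.update((i, j))
                    break
    return hits


D = Decimal
# Constructed sample deposits (not real chain data).
SAMPLE = [
    (1000, "T_SRC_1", "T_FEEDER", D("99990")),
    (1012, "T_SRC_1", "T_FEEDER", D("10")),        # pairs with the line above
    (5000, "T_SRC_2", "T_FEEDER", D("99990")),
    (9000, "T_SRC_2", "T_FEEDER", D("10")),        # too late to pair
    (2000, "T_SRC_3", "T_OTHER", D("42000")),
    (2005, "T_SRC_3", "T_OTHER", D("10")),         # 42,010 is not a round total
    (3000, "T_SRC_4", "T_OTHER", D("199980")),
    (3030, "T_SRC_4", "T_OTHER", D("20")),         # 200,000: generalized case
]

if __name__ == "__main__":
    for recipient, large, small in find_structured_pairs(SAMPLE):
        print(recipient, large, "+", small, "=", large + small)
```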
Finding 15 — TLKYW3 Wash Cycle: Confirmed Circular Money Loop
TLKYW3 (K99 OFAC-designated feeder) routes funds through an intermediate cluster and receives them back, creating a circular wash loop. This is a secondary laundering technique layered on top of the primary cashout chains — money circles the K99 infrastructure to inflate transaction volume and obscure origin.
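Both the wash loop described here and the 27-minute round-trip test in Finding 5 are time-ordered cycles that start and end at the same address. The search below is an added example, not the investigators' method; wallet names and transfers are constructed placeholders, the hop and time limits are assumptions, and amounts are carried but not matched between hops.

```python
from collections import defaultdict


def find_round_trips(transfers, origin, max_hops=6, max_seconds=3600):
    """transfers: iterable of (ts, sender, recipient, amount).

    Returns [(path, elapsed_seconds)] for every chain origin -> ... -> origin
    whose hops occur in strictly increasing time order, visit no intermediate
    address twice, use at most max_hops transfers and finish within max_seconds.
    """
    outgoing = defaultdict(list)
    for ts, sender, recipient, _amount in transfers:
        outgoing[sender].append((ts, recipient))
    for edges in outgoing.values():
        edges.sort()

    loops = []

    def walk(node, last_ts, start_ts, path):
        for ts, nxt in outgoing.get(node, ()):
            first = ts if start_ts is None else start_ts
            if (last_ts is not None and ts <= last_ts) or ts - first > max_seconds:
                continue
            if nxt == origin:
                if len(path) >= 2:            # at least one intermediary
                    loops.append((path + [origin], ts - first))
                continue
            if nxt in path or len(path) >= max_hops:
                continue
            walk(nxt, ts, first, path + [nxt])

    walk(origin, None, None, [origin])
    return loops


# Constructed transfers (not real chain data). The first three mirror the
# shape of the round-trip test: treasury -> new wallet -> relay -> treasury.
SAMPLE = [
    (0, "T_TREASURY", "T_NEW", 344000),
    (600, "T_NEW", "T_RELAY", 344000),
    (1620, "T_RELAY", "T_TREASURY", 344000),   # back after 27 minutes
    (100, "T_TREASURY", "T_X", 5000),
    (50, "T_X", "T_TREASURY", 5000),           # precedes the outbound leg: no loop
    (200, "T_TREASURY", "T_SLOW", 1000),
    (90000, "T_SLOW", "T_TREASURY", 1000),     # outside the time window
]

if __name__ == "__main__":
    for path, elapsed in find_round_trips(SAMPLE, "T_TREASURY"):
        print(" -> ".join(path), f"({elapsed // 60} min)")
```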
Finding 16 — TSUeuFomdD: Central Batch Distribution Hub
TSUeuFomdDHkghMqS8KkptJyqhot9nee2f is a critical intermediary node receiving from 10+ sources simultaneously and batch-dispatching to 15 wallets in automated multi-output transactions. Created 2026-03-30. Receives from TYPHhRLorF6rEoCzHkBArgGwkYQGayqmrB (L2 in the Binance Hot 4 chain), plus five 2026-03-31 coordinated wallets (TWFuzypp, TF67F1u7, TVYvMbWj, TFwvbiAS, TTNdimQq), plus TVYvMbWj sending $1.37M across two transactions. On 2026-05-22 14:17 it dispatched five simultaneous $144K-$151K payments to different wallets in a single second — automated splitting. Two confirmed output branches: TD7aEEmqTXLXDxwiCRe72irnNUTLHkUFTL ($4.5M, the L4 hop in the 10-hop chain) and TKM3KK1xvFfmAPz1L1WBPHWEbjcbxyFkT2 ($13M+, which feeds TYufsGi → TRT827AV → TG2K3tPQ → TLKYW3/KuCoin rail).
Finding 17 — TBcVStZf Post-OFAC Distribution Hub: $4M+ Routed to 12 Wallets
TBcVStZf3bhpeZFwYyRQR5jcDQiFTfADs3 (created 2025-11-19, 3,496 txns) is an older high-volume routing node that, post-OFAC, routes $4M+ through TSERwt5u2ikDgQZDkhoQbdNmwoVqhLSQrZ (created 2026-05-01, 2,739 txns). TSERwt5 then fans out to 12 simultaneous recipients in $400K-$1.17M batches. TRWhu3nZ4gtyzR73aYwRA8TF9cAtDoBZXp (created 2026-04-14, 9d pre-OFAC, 1,784 txns) alone received $1M from TSERwt5 and routes $1.65M to TVdQY6 in sequential $250K-$500K payments. TVdQY6 (created 2026-05-18, 5 days old) distributes to 9 wallets totaling $6M+.
Finding 18 — Post-OFAC Chain Confirmed to Binance-Hot 7: 12-Hop OTC Gateway
Tracing the TVdQY6 post-OFAC distribution branch (Finding 17) forward through 12 intermediary hops confirms a direct connection to Binance-Hot 7 (TDqSquXBgUCLYvYC4XZgrprLK589dkhSCf). The gateway node TK2Fm29FRvmBvzTKyiYGHaeVi987sekdZg (created 2024-05-08, 2,119 txns) routes 100% of its outflows to Binance-Hot 7 — $93M+ total volume, with $33.5M+ deposited in the 48 hours before this session. The feeder TEP5yMfV1NgVPLS9JrXC1UYgyEqDRDnD8N (created 2025-09-21, 3,216 txns) deposited $9M + $3.1M to TK2Fm29F in recent days. The full hop chain: TBcVStZf (Finding 17 origin) → TSERwt5 (relay) → TVdQY6 (aggregator) → TQ9MsKH → TASrdX5w → [multiple OTC intermediaries] → TEP5yMfV1 → TK2Fm29F → Binance-Hot 7. This is the post-OFAC successor routing path replacing the pre-OFAC Binance Hot 7 direct flow. K99 continues depositing into the same exchange after OFAC designation through a purpose-built 12-layer obfuscation network.
Finding 19 — OTC Capital Chain: Operator Pre-Staged Infrastructure Since 2021
Tracing backward from the 14-wallet OTC cluster (Finding 6) reveals a pre-existing capital pool that predates K99 by three years. The operator-level float pool TRVcYEBh7QaU9V7qoLk1iqzejNuYBpPx6n (created 2021-09-16, 6.26M transactions) distributed capital to K99 setup wallets in June 2024 and swept $163M USDT in June 2025. The OTC cluster was seeded on 2025-11-28 by TBEZczH6BeiGU41ApgtHq8oVQ2ryEcWTrR — a same-day purpose-built wallet that disbursed exactly $1,333,333.33 to each of 14 wallets in a single batch ($18.67M total). That seeder was funded by TKzjgap1y7MmSYnRgn9witmbR2MSg3VXz4 (created 2024-03-27, 300K txns) — the operator-level capital controller. K99's commission treasury (TSjYrKSiQM8, created 2025-06-06, dormant 7 months) received its first USDT on 2026-01-06 via same-day ephemeral relay wallets funded downstream of Binance's internal cold-to-hot chain, confirming operators withdrew from Binance to seed the treasury.
Finding 20 — Hosting Operator Identified: ARTUR VOVK, Ukrainian National
The K99 investment platforms (cryptvista.com, web-safepal.com, web-mellowfinance.com, web-solvfinance.com) were hosted on infrastructure operated by FEMO IT SOLUTIONS LIMITED (UK Companies House #15885164, incorporated 2024-08-08). The sole director and secretary is ARTUR VOVK, Ukrainian national, born March 2002, residing at 54/28 Khimikiv Street, Cherkasy, Ukraine 18000. HMRC-supervised identity verification was completed January 9, 2026. The registered office is a London virtual address (71-75 Shelton Street, Covent Garden, WC2H 9JQ). FEMOIT's ASN AS214351 also hosted TinyLoader v2.1 malware distribution (62.60.226.159), Steam phishing (62.60.226.105), and Comerica bank phishing (62.60.226.195) — confirming a full-service criminal hosting operation. The K99 investment platforms additionally ran crypto wallet drainers targeting DeFi users, not only pig-butchering lures. After takedown, web-mellowfinance.com migrated to OMEGATECH LTD (Seychelles, AS202412) at 178.16.53.184, which anchors the web-3.to wildcard drainer cluster (40+ DeFi impersonation subdomains).
Finding 21 — Du Operator Network: Scam Compound Infrastructure Supplier
The operator behind ha138.com (HX.DU blockchain gambling, shares K99's Binance exit relay TTw2bdsmH) runs a vertically integrated criminal support network under the [Du] brand. The network provides TRX energy rental (reducing TRON transaction costs for criminal operations), SIM card supply including Cambodia SIM cards, and global phone top-up services. Cambodia SIMs are a documented operational necessity for scam compounds: they allow trafficked workers to conduct fraud operations without traceable identities. The Du operator explicitly advertises Cambodia SIM supply (@dajuip) alongside UK, US, HK/Macau, and Chinese SIM cards. A co-located task-fraud platform (visi-nary.org, "VisionarFilm") targets Indonesian victims on the same 163.181.214.109 Alibaba Cloud cluster with a publicly exposed .env file containing live payment credentials. The original codebase (pvajob.top) was suspended by GoDaddy and was hosted by jabrahost.com, a Pakistani hosting provider operated by SURKHAIL RASOOL ("Surkhail Tech"), Multan, Punjab, Pakistan.
Finding 22 — Blockchain Attribution Dead-End: K99 Capital Traces to Upbit Cold Storage
Full backward trace of the K99 capital chain reaches Upbit (South Korean exchange) as its terminal node. TDU1uJNxDND9zhzYjnn7ZunHj18jw7oAca is Upbit cold storage (confirmed: receives exclusively from TEgcicVxsWySrjCdoLJc9EuhvGYwXt6Cxe, tagged Upbit-Hot, in 100M TRX batches from July 2018 genesis). TA9FnQrLGdgLW6cwBKue9DyqSBz1UNzUMR is labeled "Upbit 1" by TronScan; all its 2021 TRX outflows go to TKpgraJp8fizVTveSrhSibKwc6QvgDWfoc and TWzMV62eycoJWFRfpmJoUdc4oUhtK6TvGV, both confirmed Upbit internal wallets (later swept to TASUAUKXCqvwYjesEWv22pFjRsCeF4NKot, labeled "Upbit Exchange Hot Wallet"). There is no external OTC counterparty visible on-chain. The K99 operator extracted capital from Upbit via exchange withdrawal, and those withdrawal accounts hold KYC records. TronGrid USDT contract-filtered queries confirm zero USDT outflows from TA9FnQ to external addresses — capital exits via TRX/SUN/JST sweeps through internal Upbit infrastructure. Upbit subpoena for 2021-2022 withdrawal accounts is the definitive on-chain attribution path.