Report authors: Chen Meihui Miffy, You Zhiwei Yoyo
Note: A full version of this report has been submitted to the relevant law enforcement agencies.
1. Event background
The "Creative Private Room", known as the Taiwanese version of Room N, hosts a large number of illegally filmed sexual images of minors. It has recently drawn wide attention because artist Huang Zijiao was revealed to have purchased videos from the platform and to have been a premium member. Minister of Health and Welfare Xue Ruiyuan also stated in the Legislative Yuan on the 10th that he would send a document to the Ministry of Digital Information and Technology that same day asking it to block the domain of "Creative Private Room". But what happens after the site is taken offline? Who are the people profiting from the exploitation and secret filming of children? And can they be brought to justice?
"Block Trend", which has long covered blockchain and cryptocurrency topics, posted on its Facebook fan page that it had checked the site's URL against the web digital archive "Internet Time Machine" and obtained four "non-custodial" payment wallet addresses that "Creative Private Room" used in different periods:
Chen Meihui Miffy, blockchain financial crime investigator at the XREX exchange, picked up from this wallet information and traced where the four wallets sent the money after receiving payments for videos. XREX is publishing this on-chain cash flow report and technical analysis to identify more precisely the recipients behind "Creative Private Room", that is, those who actually earn income from secret filming and sexual violence in the real world.
2. What questions does the "Creative Private Room" on-chain cash flow report try to answer?
- How many people have paid "Creative Private Room" to obtain membership? How can their true identities be deduced from their wallets?
- Which wallets does "Creative Private Room" use to collect payments? Who could be the person holding these wallets?
- After the wallet of "Creative Private Room" received the money, to whom did it transfer the funds?
- Why does "Creative Private Room" transfer money to these wallets? What are the roles of these beneficiaries?
- How can this on-chain evidence assist law enforcement agencies in taking action?
- What is the relationship between the upstream and downstream financial flows across the entire criminal structure of "Creative Private Room"?
- What tools and analysis can be used on the blockchain to provide clues to the case and find the network behind the criminal group?
3. Key conclusions of the "Creative Private Room" on-chain cash flow report
4 wallet usage scenarios of "Creative Private Room"
Potential stakeholders in the upstream and downstream financial flows of "Creative Private Room"
Remark:
- Deposits to "Creative Private Room" from exchanges are expressed as a number of transactions because a user's withdrawal from an exchange is sent on-chain from the exchange's hot wallet, not from a wallet dedicated to that user. Tracing them requires the exchange to follow up on individual users. A transaction does not directly represent one user; one user may also have made several transactions.
- A deposit wallet is a dedicated wallet that can be mapped to a single person. Each wallet corresponds to one person, which makes subsequent investigation and identification easier.
- The number of deposit transactions and the number of wallets receiving payments may overlap between the four wallets of "Creative Private Room".
The top ten "custodial wallets" that received the most "Creative Private Room" funds
The top beneficiary "custodial wallet" of "Creative Private Room"
The "custodial wallet" that received the most money is TNFw ******************** 4, located on the Binance exchange. Looking up this wallet's transaction information with the wallet database tool OKLink shows that it has been active for 3 years. Examining its sources of funds with the MistTrack tool shows that all 5 wallets are related to "Creative Private Room". The wallet received funds from "Creative Private Room" over a long period, from December 5, 2021 to April 29, 2023: it collected funds 73 times in total and received more than 66,000 USDT, worth more than NT$2 million, as shown in the figure below:

Latest activity of the "Creative Private Room" wallets
Among the four public wallets of "Creative Private Room", the latest fund transfer took place at 23:19:18 on April 10, 2024, from the OKX exchange to the fourth receiving wallet of "Creative Private Room", TA2G85LLXqtbcMwwZUKn4gDdQ9EkoHRp8V. In other words, this wallet is still used frequently and remains active.
4. Blockchain analysis tools used in this report
On-chain analysis platforms turn transaction records, addresses and other blockchain data into visual information, which helps "on-chain detectives" track the flow of funds and can also be used to track whale movements.
5. Prove the connection of the "Creative Private House" wallet and trace the actual holder
Transferring tokens on the blockchain requires a gas fee (Note 1). By tracing the source of the gas fee, wallets can be linked together and information about their actual holder found. Transferring TRC-20 USDT issued on the Tron chain requires gas fees paid in TRX. We used the blockchain analysis tool Arkham to observe the TRX transactions among the four payment wallet addresses that "Creative Private Room" used in different periods, as obtained by "Block Trend".
A wallet that needs to transfer USDT frequently will be topped up with a large amount of TRX. Structured, organized groups show this characteristic, whether a fraud group or the wallets used by a platform like "Creative Private Room".
The figure below is a relationship diagram generated with the Arkham visualization tool. The TRX in the four "Creative Private Room" wallets in the middle all comes from a common source, and the wallets also interact closely with one another in TRX transactions, which indicates that these four wallets are highly likely to be held by the same person or group.

As can be seen from the picture above, the fourth wallet of "Creative Private Room", TA2G85LLXqtbcMwwZUKn4gDdQ9EkoHRp8V, has a top-up record totalling 5,066 TRX from the MEXC exchange. Based on the transaction hash (Note 2) unique to this transaction, law enforcement agencies can obtain the user's real-name verification information from the MEXC exchange and learn who is behind the scenes.
Beyond the TRX transaction record above, we also tried tracing the source of the gas fees further upstream. The first wallet, TJxBDgdAmD1NPy6ih4E6RBM4YQWZRACakZ, is the earliest of the four "Creative Private Room" wallets; its first gas fee deposit took place at 16:03:21 on November 30, 2021.
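The wallet-linking step described above, sketched as an added example that is not code from the report: wallets are grouped when they share a private TRX funder or send TRX to each other, while a top-up from an exchange hot wallet is treated only as a lead for a real-name request, because a hot wallet serves many unrelated users. All wallet labels and transfers are constructed placeholders.

```python
from collections import defaultdict

# Constructed TRX transfers (sender, receiver, amount). Every label is a
# placeholder; none of these rows is a real transaction from the report.
TRX_TRANSFERS = [
    ("EXCHANGE_HOT", "FUNDER_X", 900),
    ("FUNDER_X", "COLLECT_1", 300),
    ("FUNDER_X", "COLLECT_2", 300),
    ("COLLECT_2", "COLLECT_3", 50),      # TRX moved between two seeds
    ("COLLECT_3", "COLLECT_4", 20),
    ("EXCHANGE_HOT", "COLLECT_4", 200),  # top-up straight from an exchange
    ("EXCHANGE_HOT", "UNRELATED", 10),
    ("FUNDER_Y", "UNRELATED", 5),
]
SEEDS = {"COLLECT_1", "COLLECT_2", "COLLECT_3", "COLLECT_4", "UNRELATED"}
SHARED_SERVICES = {"EXCHANGE_HOT"}  # a hot wallet pays out for many users


def cluster_by_gas_source(transfers, seeds, shared_services):
    """Group seeds that share a private TRX funder or pay each other TRX."""
    parent = {w: w for w in seeds}

    def find(w):
        while parent[w] != w:
            parent[w] = parent[parent[w]]  # path halving
            w = parent[w]
        return w

    funded_by = defaultdict(set)
    for src, dst, _amount in transfers:
        if src in seeds and dst in seeds:
            parent[find(src)] = find(dst)
        elif dst in seeds and src not in shared_services:
            funded_by[src].add(dst)
    for wallets in funded_by.values():
        first, *rest = sorted(wallets)
        for other in rest:
            parent[find(other)] = find(first)

    clusters = defaultdict(list)
    for w in seeds:
        clusters[find(w)].append(w)
    return sorted(sorted(c) for c in clusters.values())


def exchange_leads(transfers, seeds, shared_services):
    """Seeds funded directly by an exchange: leads for a real-name request."""
    return sorted({dst for src, dst, _ in transfers
                   if src in shared_services and dst in seeds})
```

Passing an empty `shared_services` set merges `UNRELATED` into the cluster, which is the false link that excluding exchange hot wallets avoids.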
Next, we use the visualization tool Bitquery to observe the source and flow of TRX in the first wallet TJxBDgdAmD1NPy6ih4E6RBM4YQWZRACakZ of "Creative Private Room", as shown in the figure below:

The diagram generated by the visualization tool Bitquery reveals a "layered transfer" relationship in the TRX transfers around "Creative Private Room": some wallets receive TRX and immediately transfer it out. Such "fast in, fast out" movement of funds is relatively rare in ordinary trading behavior and is one of the characteristics that help identify abnormal transactions.
The table below presents the Bitquery diagram more clearly. The parts marked in orange are the 4 wallets of "Creative Private Room". The table takes the first wallet of "Creative Private Room", TJxBDgdAmD1NPy6ih4E6RBM4YQWZRACakZ, as its starting point and examines its upstream and downstream fund transfer relationships.
The table not only shows the layered transfer relationships between wallets but also reveals that the four wallets of "Creative Private Room" are highly correlated. We also mark the characteristics of specific wallets, such as: fast in and fast out, belonging to a specific exchange, being a main TRX source or outflow wallet, etc.
As the table above shows, a large amount of the TRX used to pay gas fees first hops from the Binance exchange to a decentralized "non-custodial wallet" and is then transferred to the first wallet of "Creative Private Room", TJxBDgdAmD1NPy6ih4E6RBM4YQWZRACakZ.
The following table summarizes these transaction hashes. Law enforcement agencies can obtain relevant real-name verification information through the Binance exchange to understand who provides the TRX handling fee required by "Creative Private Room" to transfer funds.
We selected three wallets that supply TRX and show "fast in, fast out" behavior and examined them with the MistTrack tool. As shown below, the 4 receiving wallets of "Creative Private Room" have been labelled "illegal services", the green star marks the layer-transfer wallet, and on the far left is the hot wallet of the Binance exchange. In other words, Binance users withdrew TRX to the "layer transfer" wallet, which then passed it on to the "Creative Private Room" collection wallet within a short time.
The transfer times of TRX for the following three wallets are marked in gray above the arrows. After the TRX is withdrawn from the exchange, it is transferred onward within just a few minutes, showing the organized behavioral characteristics of "fast in, fast out" and "bulk withdrawal and transfer of gas fees".
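An added example, not part of the original report, of how the "fast in, fast out" pattern can be flagged from a list of transfers: a wallet is reported when it forwards at least 90% of an inbound TRX transfer within 10 minutes. The thresholds, wallet labels and transfers are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed TRX transfers: (time, sender, receiver, amount_trx).
# Labels are placeholders; no row is a real transaction from the report.
T = datetime.fromisoformat
TRANSFERS = [
    (T("2022-01-05 10:00:00"), "EXCHANGE_HOT", "LAYER_A", 1000.0),
    (T("2022-01-05 10:03:00"), "LAYER_A", "COLLECT_1", 998.9),
    (T("2022-01-06 09:00:00"), "EXCHANGE_HOT", "LAYER_B", 500.0),
    (T("2022-01-06 09:04:30"), "LAYER_B", "COLLECT_2", 250.0),
    (T("2022-01-06 09:05:00"), "LAYER_B", "COLLECT_3", 249.0),
    (T("2022-01-07 12:00:00"), "EXCHANGE_HOT", "HOLDER", 800.0),
    (T("2022-01-20 12:00:00"), "HOLDER", "SHOP", 100.0),
]


def find_pass_through(transfers, window=timedelta(minutes=10), min_ratio=0.9):
    """Flag wallets that forward most of an inbound transfer within `window`.

    Returns one record per inbound transfer that was passed on:
    (wallet, source, destinations, seconds_until_last_hop, forwarded_ratio).
    """
    ordered = sorted(transfers, key=lambda t: t[0])
    hits = []
    for i, (t_in, src, wallet, amt_in) in enumerate(ordered):
        # Outbound transfers from the receiving wallet inside the window.
        outs = [(t, dst, amt) for t, s, dst, amt in ordered[i + 1:]
                if s == wallet and t - t_in <= window]
        forwarded = sum(amt for _, _, amt in outs)
        if outs and amt_in > 0 and forwarded / amt_in >= min_ratio:
            delay = int((outs[-1][0] - t_in).total_seconds())
            hits.append((wallet, src, [d for _, d, _ in outs], delay,
                         round(forwarded / amt_in, 3)))
    return hits
```

`HOLDER` is not flagged because it keeps the funds for days, which is what ordinary use looks like next to the minutes-long hops of the layer wallets.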
"Layer transfer" wallet marked with a green star: TMv9PwYkekUeSXwKR5Vpek4uGcAkGMaaUg

"Layer transfer" wallet marked with a green star: TJnQv8rYMKTZEXzb8QgjTsGn9BRm2SPgjm

"Layer transfer" wallet marked with a green star: TJxKcEZ1czkYB285sUeJ1FgX8d8hkVu4WP

6. Does "Creative Private Room" continue to gain new members? Starting from the USDT payments
We used the Internet Time Machine to view the posts of "Creative Private Room". Although it is the same post, the records from different periods show that "Creative Private Room" constantly adjusted its membership payment methods, the wallet addresses used, the USDT exchange rate, and so on. According to data compiled with the wallet database OKLink, there were a total of 2,233 transactions withdrawn from exchange hot wallets, that is, deposited to the 4 "Creative Private Room" collection wallets.
The membership count is difficult to estimate from the "Creative Private Room" wallet addresses and payment information saved in the Internet Time Machine alone: existing members may top up variable amounts or upgrade to premium membership for different amounts, or the people behind the group may be playing tricks on each other, and none of this information is public.
However, based on the existing information, we can try to summarize the number of new members that "Creative Private Room" gained through these 4 collection wallets in different periods, because the amount of a single deposit should fall within a certain range.

Time of the "Creative Private Room" post as recorded by the Internet Time Machine: August 12, 2022

Time of the "Creative Private Room" post as recorded by the Internet Time Machine: January 28, 2023

Time of the "Creative Private Room" post as recorded by the Internet Time Machine: October 4, 2023

Time of the "Creative Private Room" post as recorded by the Internet Time Machine: April 9, 2024

Note: The latest record does not contain the latest deposit wallet address, because the website operator has switched to providing the wallet address on request by email. This report therefore uses the wallet addresses in the "Block Trend" post for its statistics.
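One way to carry out the estimate described in this section, as an added example that is not the report's own method: each deposit is compared with the price advertised in the archive record in force on that day, within a 5% tolerance. The record dates are the four listed above; the prices, tolerance, labels and deposits are constructed placeholders, and, following the Remark in section 3, exchange withdrawals are counted as transactions while personal wallets are counted once each.

```python
from bisect import bisect_right
from datetime import date

# Snapshot dates are the four archive records listed above. The prices are
# constructed placeholders; the page does not state the membership fees.
SNAPSHOTS = [
    (date(2022, 8, 12), 30.0),
    (date(2023, 1, 28), 35.0),
    (date(2023, 10, 4), 40.0),
    (date(2024, 4, 9), 45.0),
]

# Constructed deposits: (day, sender, sender_kind, amount_usdt).
DEPOSITS = [
    (date(2022, 9, 1), "EXCHANGE_HOT", "exchange", 30.0),
    (date(2022, 9, 3), "EXCHANGE_HOT", "exchange", 31.0),   # fee-inclusive
    (date(2022, 9, 9), "WALLET_A", "personal", 30.0),
    (date(2023, 2, 2), "WALLET_A", "personal", 35.0),       # repeat sender
    (date(2023, 2, 5), "WALLET_B", "personal", 200.0),      # not a sign-up amount
    (date(2023, 11, 1), "EXCHANGE_HOT", "exchange", 40.0),
    (date(2022, 1, 1), "WALLET_C", "personal", 30.0),       # before first record
]


def estimate_signups(deposits, snapshots, tolerance=0.05):
    """Count deposits whose amount matches the price advertised at the time.

    Exchange withdrawals are reported as a transaction count, because a hot
    wallet stands for many customers; personal wallets are de-duplicated.
    """
    days = [d for d, _ in snapshots]
    exchange_txs, personal = 0, set()
    for day, sender, kind, amount in deposits:
        idx = bisect_right(days, day) - 1
        if idx < 0:
            continue  # no archived price for this date
        price = snapshots[idx][1]
        if abs(amount - price) > price * tolerance:
            continue  # top-up, upgrade or unrelated transfer
        if kind == "exchange":
            exchange_txs += 1
        else:
            personal.add(sender)
    return {"exchange_transactions": exchange_txs,
            "personal_wallets": len(personal)}
```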
7. Who benefits from "Creative Private Room"? Tracing USDT transfers "downstream"
Why do the four receiving wallets of "Creative Private Room" send the funds they receive on to other wallets? What is certain is that shared interests are involved. Tracking where the USDT from the four receiving wallets goes helps us find the main beneficiaries.
Who actually received the money from selling illegal candid and sexually exploitative videos? They may be website managers, staff, video providers, operators or people who purchase equipment, or the transfers may be refunds to members. We do not know this; it needs investigative intervention for further investigation and analysis, and for action to be taken.
It is worth noting that exchanges are the only entities holding users' real-name verification information, so finding the "custodial wallets" at centralized exchanges is very important. Real-name verification and other identifiable information can then be matched against the group behind "Creative Private Room".
In the figures below, we use the visualization tool Bitquery to give an overview of the overall fund flows of the four receiving wallets of "Creative Private Room". With the charts and tables organized, we can see the wallets that interact with them and use this to identify the corresponding data of the benefiting wallets.
"Creative Private Room"'s first payment wallet: TJxBDgdAmD1NPy6ih4E6RBM4YQWZRACakZ

"Creative Private Room"'s second collection wallet: TUQbf1PgWvxKethbrYLFY842UL6Z41RiKC

"Creative Private Room"'s third collection wallet: TPbRDKYYi5qT3Ayutw6NV31bvNX9zGivZx


Besides showing which wallets have upstream and downstream relationships with the four "Creative Private Room" wallets, the visualization tool Bitquery also lets us observe that 3 of the four receiving wallets transferred a large amount of funds to a single wallet.
Using the blockchain analysis tool MistTrack to sort out where the funds in the 4 receiving wallets and 2 layer-transfer wallets of "Creative Private Room" went reveals the possible main beneficiaries. The following list of beneficiary wallets keeps only the "custodial wallets" of centralized exchanges, where real-name verification data can be obtained, sorted by amount as shown in the table below:
8. Summary of traceable wallets related to "Creative Private Room"
Transaction hashes of gas fees provided to "Creative Private Room"
About XREX Group
XREX is an international financial institution born in response to blockchain technology. It works closely with banks, governments and users to jointly rewrite the definition of finance. Founded in 2018, XREX provides one-stop services, including: digital asset custody, wallets, cross-border payments, legal currency and cryptocurrency conversion, cryptocurrency exchanges, diversified asset investments, legal currency deposit and withdrawal services, etc.
XREX was formerly known as Ama Technology, an information security software company, and has more than 15 years of practical experience in international information security covering both offensive and defensive techniques. XREX has obtained in-principle approval for the Major Payment Institution license in Singapore, and is also a qualified operator that has completed the Money Laundering Prevention Act Compliance Statement with the Taiwan Financial Supervisory Commission.
—
Note 1: A gas fee is the fuel that users pay miners to perform specific actions (such as cryptocurrency transfers or smart contract execution) during blockchain verification. Each transaction on the blockchain requires a large amount of computing power, and miners bear the costs of equipment, operations, and electricity. Therefore, to reward miners, transactions on the blockchain require users to pay a fee, the so-called gas fee.
Note 2: Every transaction on the blockchain will have a unique and encrypted transaction hash. The concept is a bit like the transaction order number, transaction record number, etc. in traditional finance. Each transaction hash is a string of alphanumeric codes, and the content of the transaction number can be found on the blockchain ledger, including the initiator, recipient, transaction amount or transmitted information, etc.



















