
False Complaints: Criminals Working To Free Frozen Funds

  • julia05126
  • 6 days ago


Overview

Social media is a key tool for freezing stolen funds at exchanges, instant exchangers, and other services. While the court order process can take weeks to complete, a Telegram or Slack message gets the illicit transaction information across in minutes. However, in the past year, investigators across the incident response space have observed that organized criminals in North Korea, China, and Russia pressure services to lift temporary freezes with fake stories and threats to damage their reputation. We looked into the tactics these criminals are using and, more importantly, the responses from services that are repeatedly targeted.


What we know of organized laundering

The networks that launder the proceeds of North Korean and Russian exploits are (unsurprisingly) large. After the initial attack, different teams begin the laundering process. In many cases, a given team handles one specific stage before handing off to the next team. For example, there may be a team that only focuses on bridging the funds to Tron, another team that moves the funds across private wallets on Tron, and then another team that actually gets the funds off the blockchain and into fiat currency.


These organized crime groups also hire third-party middlemen who do not necessarily know the exact source of the funds, but are hired to move them to the next stage of the laundering process. In exchange, they receive a fee, often less than 10% of the volume moved. These middlemen do, however, know that they will not receive future business if the funds are stopped, and have been increasingly emboldened to make false claims to services to keep the laundering moving.


Agents of “arbitrage”

We have observed public false complaints most often on Telegram, Discord, and X. These complaints are made in public support channels, or in public posts that tag the CEO of the exchange in question. Privately, many of these complaints are made to the exchange support team via email. In both cases, the accounts appear to be throwaway fake accounts with a few telling characteristics:


  1. Recently created profiles or email addresses without past activity

  2. Located in China, Southeast Asia, or Russia

  3. To explain their source of funds, they offer one of two main story lines:

    1. Buying crypto from a friend or unknown peer, then selling it to someone else for arbitrage

    2. Getting crypto from gambling

  4. "Evidence" is often a video, a conversation, or a screenshot of unrelated transactions, intended to confuse the service's customer support


Here are a few examples of real cases where we have seen this occur, with some details masked for anonymity.


Fuhao and Gambling

One of the most famous launderer services known for this tactic is @fuhao on Telegram. They run the channel “富豪上押公群” which literally translates to “The rich bet on the public group” and the related channel “天才交易员” (“talented trader”). Both groups allow people to advertise or ask for bids for a money transfer, among other services.




For stopped BTC-to-USDC transactions tied to a DPRK hack, a burner Gmail account reached out to an instant exchanger to claim that the crypto was sourced from a friend. They provided "proof" via a screen recording of a Telegram chat. Of note, the BTC addresses in the video did not match the ones from the stopped transaction, and when pressed they could not explain why.


In another stopped order for the same hack, a different burner Gmail account reached out to the instant exchanger and claimed the BTC was sourced from Chainflip, a cross-chain protocol that does not provide a fiat on-ramp or off-ramp. This bridge was also being heavily used in the hack. When the service asked what the source was beyond Chainflip, since it could not be fiat, the claimant clarified that the original source was a gambling bot. Again, this would have no on- or off-ramp, and they could not explain the source any further.



Fake government documents

To further escalate pressure on the situation, the instant exchanger reported receiving an email that included what appeared to be a law enforcement request document, urging a prompt review of the frozen transaction and recommending the release of funds if no concrete evidence was established.


However, following a thorough examination of the document and coordination with trusted contacts familiar with the issuing law enforcement agency, the document was determined to be fraudulent. This incident highlights the extent to which threat actors are willing to go, including fabricating official documents to manipulate services into unfreezing illicit funds.


Doctored images

In another case involving a stopped ETH deposit at an exchange, linked to a Russia-affiliated hack, a user operating through a burner @mail.ru email account reached out to claim that the funds originated from an instant exchanger. The user submitted fraudulent materials, including a fabricated transfer receipt screenshot and even a video recording of a login attempt to the purported instant exchanger's platform, as proof of the transaction's legitimacy.


In reality, the funds were traced back to a large-scale hack, with assets originating from the Wasabi mixer and later bridged to BTC via Thorchain before reaching the exchange.


Although the screenshot provided by the claimant correctly listed the recipient address at the exchange (the address where the funds were frozen), the transaction ID displayed could not be corroborated through the instant exchanger website. Further due diligence revealed that the instant exchanger in question had no record of the transaction or any connection to the suspect address, and they confirmed that the transfer and address were neither initiated nor owned by their platform.


When pressed for clarification, the user was unable to provide legitimate documentation and claimed they could no longer "find" the correct swap details, further confirming the fraudulent nature of the claim.
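The checks that separated the claims above from a genuine one (do the addresses in the "evidence" actually fund the stopped order, does the named instant exchanger have a record of the quoted transaction ID, does the claimed source even have a fiat ramp, and does the contact profile fit the burner pattern listed under "Agents of arbitrage") can be written down as a triage routine. The following is an added example, not zeroShadow's tooling or any service's code. The account-age threshold, the keyword lists, the hypothetical instant exchanger "SwapCo" and its confirmation ledger (a stand-in for the direct line of communication with another platform), and all addresses and transaction IDs are constructed for illustration.

```python
"""Triage of an unfreeze request against the frozen transaction record.

Added example; thresholds, platform lists and sample records are constructed.
"""
from dataclasses import dataclass
from typing import Optional

# Story lines the post identifies as the usual cover (assumed keyword list).
COVER_STORIES = {"friend", "peer", "arbitrage", "gambling"}
# Regions the post lists as typical for burner claimants (assumed list).
HIGH_RISK_REGIONS = {"China", "Southeast Asia", "Russia"}
# Protocols that move funds between chains but cannot be an ultimate fiat
# source; naming one as "the source" only pushes the question one hop back.
NO_FIAT_RAMP = {"chainflip", "thorchain", "gambling bot"}
# Hypothetical threshold: contact profiles younger than this count as new.
MIN_ACCOUNT_AGE_DAYS = 30


@dataclass
class FrozenTx:
    txid: str
    inputs: frozenset      # addresses that funded the stopped order
    recipient: str         # address at the service where funds were frozen


@dataclass
class Claim:
    account_age_days: int
    region: str
    claimed_source: str    # e.g. "friend", "Chainflip", "SwapCo"
    evidence_addresses: frozenset = frozenset()
    evidence_txid: Optional[str] = None


def counterparty_confirms(platform: str, txid: Optional[str], ledger: dict) -> bool:
    """Stand-in for asking the other platform: does it recognise this txid?"""
    return txid is not None and txid in ledger.get(platform.lower(), set())


def vet_claim(frozen: FrozenTx, claim: Claim, ledger: dict) -> list:
    """Return the red flags found; an empty list means nothing contradicted the claim."""
    flags = []
    if claim.account_age_days < MIN_ACCOUNT_AGE_DAYS:
        flags.append("recently created contact account")
    if claim.region in HIGH_RISK_REGIONS:
        flags.append(f"claimant region {claim.region} matches burner pattern")
    src = claim.claimed_source.lower()
    if src in COVER_STORIES:
        flags.append(f"cover story: {src}")
    if src in NO_FIAT_RAMP:
        flags.append(f"claimed source {claim.claimed_source} has no fiat ramp; ask for upstream source")
    # Evidence must reference addresses that actually took part in the stopped order.
    known = frozen.inputs | {frozen.recipient}
    if claim.evidence_addresses and not (claim.evidence_addresses & known):
        flags.append("addresses in evidence do not match the stopped transaction")
    # A receipt from another platform is only as good as that platform's confirmation.
    if src in ledger and not counterparty_confirms(src, claim.evidence_txid, ledger):
        flags.append(f"{claim.claimed_source} has no record of txid {claim.evidence_txid}")
    return flags


def decision(flags: list) -> str:
    """Chain or counterparty contradictions are hard evidence; profile flags alone only warrant questions."""
    if any("do not match" in f or "no record" in f for f in flags):
        return "hold"
    return "request-more-evidence" if flags else "no-contradiction"


# Constructed sample: one stopped BTC order and claims modelled on the cases above.
FROZEN = FrozenTx(
    txid="txid-frozen-0001",
    inputs=frozenset({"bc1q-input-aaa", "bc1q-input-bbb"}),
    recipient="bc1q-service-deposit",
)
LEDGER = {"swapco": {"txid-swapco-7777"}}  # hypothetical instant exchanger's confirmed txids

FRIEND_CLAIM = Claim(3, "China", "friend", frozenset({"bc1q-unrelated-ccc"}))
RECEIPT_CLAIM = Claim(10, "Russia", "SwapCo", frozenset({"bc1q-service-deposit"}), "txid-swapco-0000")
GENUINE_CLAIM = Claim(400, "Germany", "SwapCo", frozenset({"bc1q-input-aaa"}), "txid-swapco-7777")

if __name__ == "__main__":
    for name, c in [("friend", FRIEND_CLAIM), ("receipt", RECEIPT_CLAIM), ("genuine", GENUINE_CLAIM)]:
        found = vet_claim(FROZEN, c, LEDGER)
        print(f"{name}: {decision(found)} {found}")
```

The design point is the split in `decision`: profile signals (new account, region, cover story) are only prompts for further questions, while a mismatch against the actual frozen transaction or a denial from the named counterparty is a contradiction that supports keeping the freeze in place, which is exactly what settled the "friend" video and the fabricated receipt above.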

Reputational Pressure

Some false complaints don't even bother with a story, and simply hope that public reputational damage is enough to get their disputes resolved. In this message, a DPRK launderer complains to THORChain about the time their bridge from BTC to ETH is taking to process.


In all likelihood this transaction was not even frozen to begin with, but the launderers do not necessarily know that and will test whether they can get someone to act.


This is equally prevalent on X. While we do not know for certain that this is a money launderer, user @oolove56555 tagged the CEO of OKX, @star_okx, in multiple posts about a frozen account that was not being reopened, from September 2024 (when they opened their X account) until December 2024.


One of their only followers is an account that specializes in unblocking frozen accounts at multiple exchanges. Users like this one know that public complaints on X are an effective way to get accounts unblocked.


What services are doing

It is important to recognize that launderers are increasingly aware of the reputational risks faced by exchanges and other crypto services. These actors exploit this by threatening to publicly flag frozen transactions on social media platforms or public forums, framing themselves as victims in order to pressure the service into action.


In cases where transactions are initially blocked or restricted due to potential links to illicit activity, service providers often find themselves in a difficult position. Due to compliance obligations and anti-tipping-off rules, they are prohibited from disclosing the exact reason behind the freeze, even if the user publicly disputes the action. This limits their ability to publicly defend their actions or correct the narrative being pushed by the launderers.


This puts services in a time-sensitive bind where:

  • On one hand, without a timely court order, they risk reputational damage and backlash from users or the broader community.

  • On the other, prematurely releasing the funds could mean allowing illicit assets to flow out, undermining compliance with AML/CFT regulations.


As a result, services are often forced to choose between preserving their public image and upholding their legal obligations, both of which carry significant risk.


Some of the services have sought further support from zeroShadow to assist in verifying the authenticity of user claims. Given zeroShadow’s access to on-chain forensic tools and relevant blockchain intelligence, the team is well-positioned to validate the provenance of funds and assess the legitimacy of the explanations provided by users.


In cases where launderers falsely claim that the source of funds originated from another service, zeroShadow is also able to engage with the alleged platforms to cross-reference and corroborate the transaction details. This collaborative approach helps services make informed decisions, mitigate risk, and respond more effectively under time-sensitive conditions, especially in situations involving reputational manipulation.


What services can do

To strengthen defenses against reputational manipulation and fraudulent unfreeze requests, here are some strategies that can be adopted:


  1. Formalize Incident Response Playbooks

Internal protocols for handling claims related to frozen assets should be developed, including specific steps for verifying user-supplied "evidence," identifying fake documents, and coordinating with forensic partners.


  2. Strengthen Public Communications

Prepare templated, compliance-aligned responses for public disputes on Telegram, X, and forums. These should acknowledge the situation without revealing sensitive information, while emphasizing commitment to regulatory standards.


  3. Engage in Industry Collaboration

Join cross-platform task forces or threat intel sharing groups that coordinate responses to organized laundering. Developing a culture of sharing warnings about shared burner accounts or laundering tactics improves resilience for every player in the industry.


Direct lines of communication can be established between key exchanges and services to confirm or deny the legitimacy of user claims involving other platforms. This is particularly helpful when launderers attempt to attribute funds to another service.


  4. Further "Reputation Shielding" Measures

Collaborate with third-party investigators who can independently vet claims. Their findings can provide private backing to uphold freezes when facing reputational threats. zeroShadow can assist with verifying these claims with an on-chain investigation of the source of funds through our Virtual Security Operations Center (VSOC) service. Please contact help@zeroshadow.io to learn more.


Original article by the zeroShadow team
